Malware Analysis Report

2025-03-15 08:00

Sample ID 240814-zv4gasyhjn
Target 2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat
SHA256 82c38c205750229efeabc721f140d7431d9a30f6ec32ab849229e62b1a7fb563
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10


Analysis Overview

Threat Level: Known bad

The file 2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Xmrig family

xmrig

Cobaltstrike

Cobalt Strike reflective loader

Cobaltstrike family

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-14 21:03

Signatures

Cobalt Strike reflective loader


Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 21:03

Reported

2024-08-14 21:05

Platform

win7-20240704-en

Max time kernel

145s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\LSlLMmD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eRNPxMg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dGYLBgE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EXHddcI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YWCSlMd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TBvLJIR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PWeNykw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HWNtEhQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\obSuNTF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KJcCvkT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xalrQRq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wugqpND.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nCAgQJT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CFwvHdW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vhIKDYr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IUsjwKQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iHdIzRv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qPSFium.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jdIQbOG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pQUfErl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ksSsAhb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2336 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wugqpND.exe
PID 2336 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IUsjwKQ.exe
PID 2336 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LSlLMmD.exe
PID 2336 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iHdIzRv.exe
PID 2336 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qPSFium.exe
PID 2336 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nCAgQJT.exe
PID 2336 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jdIQbOG.exe
PID 2336 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TBvLJIR.exe
PID 2336 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PWeNykw.exe
PID 2336 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pQUfErl.exe
PID 2336 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eRNPxMg.exe
PID 2336 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dGYLBgE.exe
PID 2336 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EXHddcI.exe
PID 2336 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YWCSlMd.exe
PID 2336 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HWNtEhQ.exe
PID 2336 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\obSuNTF.exe
PID 2336 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ksSsAhb.exe
PID 2336 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CFwvHdW.exe
PID 2336 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KJcCvkT.exe
PID 2336 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xalrQRq.exe
PID 2336 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vhIKDYr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\wugqpND.exe
C:\Windows\System\IUsjwKQ.exe
C:\Windows\System\LSlLMmD.exe
C:\Windows\System\iHdIzRv.exe
C:\Windows\System\qPSFium.exe
C:\Windows\System\nCAgQJT.exe
C:\Windows\System\jdIQbOG.exe
C:\Windows\System\TBvLJIR.exe
C:\Windows\System\PWeNykw.exe
C:\Windows\System\pQUfErl.exe
C:\Windows\System\eRNPxMg.exe
C:\Windows\System\dGYLBgE.exe
C:\Windows\System\EXHddcI.exe
C:\Windows\System\YWCSlMd.exe
C:\Windows\System\HWNtEhQ.exe
C:\Windows\System\obSuNTF.exe
C:\Windows\System\ksSsAhb.exe
C:\Windows\System\CFwvHdW.exe
C:\Windows\System\KJcCvkT.exe
C:\Windows\System\xalrQRq.exe
C:\Windows\System\vhIKDYr.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2336-161-0x000000013FEE0000-0x0000000140231000-memory.dmp

memory/2336-162-0x000000013F630000-0x000000013F981000-memory.dmp

memory/2336-184-0x0000000002340000-0x0000000002691000-memory.dmp

memory/2336-185-0x0000000002340000-0x0000000002691000-memory.dmp

memory/2240-209-0x000000013FD90000-0x00000001400E1000-memory.dmp

memory/2236-211-0x000000013F200000-0x000000013F551000-memory.dmp

memory/2720-213-0x000000013FB50000-0x000000013FEA1000-memory.dmp

memory/2296-219-0x000000013FC60000-0x000000013FFB1000-memory.dmp

memory/2836-236-0x000000013F2C0000-0x000000013F611000-memory.dmp

memory/2704-238-0x000000013F440000-0x000000013F791000-memory.dmp

memory/1832-241-0x000000013FBB0000-0x000000013FF01000-memory.dmp

memory/2484-246-0x000000013F770000-0x000000013FAC1000-memory.dmp

memory/2660-244-0x000000013F680000-0x000000013F9D1000-memory.dmp

memory/2000-257-0x000000013F800000-0x000000013FB51000-memory.dmp

memory/2600-253-0x000000013F3C0000-0x000000013F711000-memory.dmp

memory/2640-255-0x000000013FEE0000-0x0000000140231000-memory.dmp

memory/2852-251-0x000000013FE30000-0x0000000140181000-memory.dmp

memory/472-243-0x000000013F2D0000-0x000000013F621000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 21:03

Reported

2024-08-14 21:05

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\lglwBpx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rymeSXV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NtlBozk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mwQBlli.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FmRUHBn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PXnPKtx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xgcGkfC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NsJakZE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LNoGiUj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HLLbpQx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YKMRSVa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QZvLFSq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HZUBkjv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uitjfVl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CUbQPYM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TzrWMHt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\szkVpee.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uejUWFu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lyCtNEr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KuHIDxc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CQQobPF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3472 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mwQBlli.exe
PID 3472 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HLLbpQx.exe
PID 3472 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TzrWMHt.exe
PID 3472 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\szkVpee.exe
PID 3472 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uejUWFu.exe
PID 3472 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YKMRSVa.exe
PID 3472 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FmRUHBn.exe
PID 3472 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PXnPKtx.exe
PID 3472 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QZvLFSq.exe
PID 3472 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xgcGkfC.exe
PID 3472 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HZUBkjv.exe
PID 3472 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lglwBpx.exe
PID 3472 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lyCtNEr.exe
PID 3472 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rymeSXV.exe
PID 3472 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KuHIDxc.exe
PID 3472 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NsJakZE.exe
PID 3472 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uitjfVl.exe
PID 3472 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CQQobPF.exe
PID 3472 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CUbQPYM.exe
PID 3472 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LNoGiUj.exe
PID 3472 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NtlBozk.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\mwQBlli.exe

C:\Windows\System\HLLbpQx.exe

C:\Windows\System\TzrWMHt.exe

C:\Windows\System\szkVpee.exe

C:\Windows\System\uejUWFu.exe

C:\Windows\System\YKMRSVa.exe

C:\Windows\System\FmRUHBn.exe

C:\Windows\System\PXnPKtx.exe

C:\Windows\System\QZvLFSq.exe

C:\Windows\System\xgcGkfC.exe

C:\Windows\System\HZUBkjv.exe

C:\Windows\System\lglwBpx.exe

C:\Windows\System\lyCtNEr.exe

C:\Windows\System\rymeSXV.exe

C:\Windows\System\KuHIDxc.exe

C:\Windows\System\NsJakZE.exe

C:\Windows\System\uitjfVl.exe

C:\Windows\System\CQQobPF.exe

C:\Windows\System\CUbQPYM.exe

C:\Windows\System\LNoGiUj.exe

C:\Windows\System\NtlBozk.exe

Network


Files
