Malware Analysis Report

2025-03-15 08:08

Sample ID: 240815-m4bfnatfmm
Target: 2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat
SHA256: 663e486d3adffcfcf63f008e7f6d79a5657b699393e770dbe7d86594800cfed8
Tags: cobaltstrike xmrig 0 backdoor miner trojan upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 663e486d3adffcfcf63f008e7f6d79a5657b699393e770dbe7d86594800cfed8
Threat Level: Known bad

The file 2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobalt Strike reflective loader

xmrig

Xmrig family

Cobaltstrike

Cobaltstrike family

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-08-15 11:00

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Xmrig family

xmrig

UPX packed file

upx
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-15 11:00
Reported: 2024-08-15 11:03
Platform: win7-20240708-en
Max time kernel: 143s
Max time network: 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\RDrPIHG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QZhKLGE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BmIJUKm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yRudPDB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oiVgvxV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oJmqUEE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\szVbeFR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GltztZE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yvaIpBh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vPpejou.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PcssotQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zttRKXv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WqKphhj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LKVSTmT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rjASony.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RtjylDl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yLPirLN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ooAWzoG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ubYattX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bTQzGuJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VzrNtfo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2404 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RDrPIHG.exe
PID 2404 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QZhKLGE.exe
PID 2404 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yLPirLN.exe
PID 2404 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zttRKXv.exe
PID 2404 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oJmqUEE.exe
PID 2404 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WqKphhj.exe
PID 2404 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ooAWzoG.exe
PID 2404 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LKVSTmT.exe
PID 2404 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rjASony.exe
PID 2404 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\szVbeFR.exe
PID 2404 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GltztZE.exe
PID 2404 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yvaIpBh.exe
PID 2404 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ubYattX.exe
PID 2404 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RtjylDl.exe
PID 2404 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BmIJUKm.exe
PID 2404 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PcssotQ.exe
PID 2404 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yRudPDB.exe
PID 2404 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vPpejou.exe
PID 2404 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bTQzGuJ.exe
PID 2404 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oiVgvxV.exe
PID 2404 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VzrNtfo.exe

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe "C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\RDrPIHG.exe C:\Windows\System\RDrPIHG.exe
C:\Windows\System\QZhKLGE.exe C:\Windows\System\QZhKLGE.exe
C:\Windows\System\yLPirLN.exe C:\Windows\System\yLPirLN.exe
C:\Windows\System\zttRKXv.exe C:\Windows\System\zttRKXv.exe
C:\Windows\System\oJmqUEE.exe C:\Windows\System\oJmqUEE.exe
C:\Windows\System\WqKphhj.exe C:\Windows\System\WqKphhj.exe
C:\Windows\System\ooAWzoG.exe C:\Windows\System\ooAWzoG.exe
C:\Windows\System\LKVSTmT.exe C:\Windows\System\LKVSTmT.exe
C:\Windows\System\rjASony.exe C:\Windows\System\rjASony.exe
C:\Windows\System\szVbeFR.exe C:\Windows\System\szVbeFR.exe
C:\Windows\System\GltztZE.exe C:\Windows\System\GltztZE.exe
C:\Windows\System\yvaIpBh.exe C:\Windows\System\yvaIpBh.exe
C:\Windows\System\ubYattX.exe C:\Windows\System\ubYattX.exe
C:\Windows\System\RtjylDl.exe C:\Windows\System\RtjylDl.exe
C:\Windows\System\BmIJUKm.exe C:\Windows\System\BmIJUKm.exe
C:\Windows\System\PcssotQ.exe C:\Windows\System\PcssotQ.exe
C:\Windows\System\yRudPDB.exe C:\Windows\System\yRudPDB.exe
C:\Windows\System\vPpejou.exe C:\Windows\System\vPpejou.exe
C:\Windows\System\bTQzGuJ.exe C:\Windows\System\bTQzGuJ.exe
C:\Windows\System\oiVgvxV.exe C:\Windows\System\oiVgvxV.exe
C:\Windows\System\VzrNtfo.exe C:\Windows\System\VzrNtfo.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

\Windows\system\RDrPIHG.exe
C:\Windows\system\QZhKLGE.exe
C:\Windows\system\yLPirLN.exe
C:\Windows\system\zttRKXv.exe
C:\Windows\system\oJmqUEE.exe
C:\Windows\system\rjASony.exe
C:\Windows\system\yvaIpBh.exe
C:\Windows\system\PcssotQ.exe
C:\Windows\system\vPpejou.exe
C:\Windows\system\VzrNtfo.exe
C:\Windows\system\oiVgvxV.exe
C:\Windows\system\bTQzGuJ.exe
C:\Windows\system\yRudPDB.exe
C:\Windows\system\BmIJUKm.exe
C:\Windows\system\RtjylDl.exe
C:\Windows\system\ubYattX.exe
C:\Windows\system\GltztZE.exe
C:\Windows\system\szVbeFR.exe
C:\Windows\system\LKVSTmT.exe
C:\Windows\system\ooAWzoG.exe
C:\Windows\system\WqKphhj.exe

memory/2980-158-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

memory/2744-161-0x000000013FC20000-0x000000013FF71000-memory.dmp

memory/1940-162-0x000000013F400000-0x000000013F751000-memory.dmp

memory/2920-160-0x000000013F390000-0x000000013F6E1000-memory.dmp

memory/2804-159-0x000000013F160000-0x000000013F4B1000-memory.dmp

memory/2732-157-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/2336-154-0x000000013F2A0000-0x000000013F5F1000-memory.dmp

memory/1148-153-0x000000013F240000-0x000000013F591000-memory.dmp

memory/2404-163-0x000000013FD40000-0x0000000140091000-memory.dmp

memory/2080-230-0x000000013F9F0000-0x000000013FD41000-memory.dmp

memory/2336-255-0x000000013F2A0000-0x000000013F5F1000-memory.dmp

memory/2744-261-0x000000013FC20000-0x000000013FF71000-memory.dmp

memory/2748-269-0x000000013F260000-0x000000013F5B1000-memory.dmp

memory/2992-275-0x000000013F520000-0x000000013F871000-memory.dmp

memory/1940-279-0x000000013F400000-0x000000013F751000-memory.dmp

memory/1148-284-0x000000013F240000-0x000000013F591000-memory.dmp

memory/584-282-0x000000013F040000-0x000000013F391000-memory.dmp

memory/2804-268-0x000000013F160000-0x000000013F4B1000-memory.dmp

memory/2060-277-0x000000013FFC0000-0x0000000140311000-memory.dmp

memory/2844-271-0x000000013FFC0000-0x0000000140311000-memory.dmp

memory/2920-263-0x000000013F390000-0x000000013F6E1000-memory.dmp

memory/2732-260-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/2980-266-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 11:00

Reported

2024-08-15 11:03

Platform

win10v2004-20240802-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\yvaIpBh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ubYattX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bTQzGuJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QZhKLGE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WqKphhj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\szVbeFR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vPpejou.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ooAWzoG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LKVSTmT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BmIJUKm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yRudPDB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RDrPIHG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GltztZE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oJmqUEE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rjASony.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RtjylDl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PcssotQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oiVgvxV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VzrNtfo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yLPirLN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zttRKXv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3316 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RDrPIHG.exe
PID 3316 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RDrPIHG.exe
PID 3316 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QZhKLGE.exe
PID 3316 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QZhKLGE.exe
PID 3316 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yLPirLN.exe
PID 3316 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yLPirLN.exe
PID 3316 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zttRKXv.exe
PID 3316 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zttRKXv.exe
PID 3316 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oJmqUEE.exe
PID 3316 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oJmqUEE.exe
PID 3316 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WqKphhj.exe
PID 3316 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WqKphhj.exe
PID 3316 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ooAWzoG.exe
PID 3316 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ooAWzoG.exe
PID 3316 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LKVSTmT.exe
PID 3316 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LKVSTmT.exe
PID 3316 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rjASony.exe
PID 3316 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rjASony.exe
PID 3316 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\szVbeFR.exe
PID 3316 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\szVbeFR.exe
PID 3316 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GltztZE.exe
PID 3316 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GltztZE.exe
PID 3316 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yvaIpBh.exe
PID 3316 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yvaIpBh.exe
PID 3316 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ubYattX.exe
PID 3316 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ubYattX.exe
PID 3316 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RtjylDl.exe
PID 3316 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RtjylDl.exe
PID 3316 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BmIJUKm.exe
PID 3316 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BmIJUKm.exe
PID 3316 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PcssotQ.exe
PID 3316 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PcssotQ.exe
PID 3316 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yRudPDB.exe
PID 3316 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yRudPDB.exe
PID 3316 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vPpejou.exe
PID 3316 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vPpejou.exe
PID 3316 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bTQzGuJ.exe
PID 3316 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bTQzGuJ.exe
PID 3316 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oiVgvxV.exe
PID 3316 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oiVgvxV.exe
PID 3316 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VzrNtfo.exe
PID 3316 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VzrNtfo.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\RDrPIHG.exe

C:\Windows\System\RDrPIHG.exe

C:\Windows\System\QZhKLGE.exe

C:\Windows\System\QZhKLGE.exe

C:\Windows\System\yLPirLN.exe

C:\Windows\System\yLPirLN.exe

C:\Windows\System\zttRKXv.exe

C:\Windows\System\zttRKXv.exe

C:\Windows\System\oJmqUEE.exe

C:\Windows\System\oJmqUEE.exe

C:\Windows\System\WqKphhj.exe

C:\Windows\System\WqKphhj.exe

C:\Windows\System\ooAWzoG.exe

C:\Windows\System\ooAWzoG.exe

C:\Windows\System\LKVSTmT.exe

C:\Windows\System\LKVSTmT.exe

C:\Windows\System\rjASony.exe

C:\Windows\System\rjASony.exe

C:\Windows\System\szVbeFR.exe

C:\Windows\System\szVbeFR.exe

C:\Windows\System\GltztZE.exe

C:\Windows\System\GltztZE.exe

C:\Windows\System\yvaIpBh.exe

C:\Windows\System\yvaIpBh.exe

C:\Windows\System\ubYattX.exe

C:\Windows\System\ubYattX.exe

C:\Windows\System\RtjylDl.exe

C:\Windows\System\RtjylDl.exe

C:\Windows\System\BmIJUKm.exe

C:\Windows\System\BmIJUKm.exe

C:\Windows\System\PcssotQ.exe

C:\Windows\System\PcssotQ.exe

C:\Windows\System\yRudPDB.exe

C:\Windows\System\yRudPDB.exe

C:\Windows\System\vPpejou.exe

C:\Windows\System\vPpejou.exe

C:\Windows\System\bTQzGuJ.exe

C:\Windows\System\bTQzGuJ.exe

C:\Windows\System\oiVgvxV.exe

C:\Windows\System\oiVgvxV.exe

C:\Windows\System\VzrNtfo.exe

C:\Windows\System\VzrNtfo.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/3316-0-0x00007FF737080000-0x00007FF7373D1000-memory.dmp

memory/3316-1-0x00000185C54F0000-0x00000185C5500000-memory.dmp

C:\Windows\System\RDrPIHG.exe

MD5 a8841e7e0f192a5a4ec4de636cd41dcc
SHA1 e9b1c7d919ad963aa6fcf4b8c8157ce4da33c443
SHA256 5042f9d745d601e5eae0565ee02de657011fc56a7900f319ab8a2eb118973115
SHA512 53a2ae43a45682174fc7a66658c22d85c1ea1e1b8843b316c4972a9d96a2164b8cbb093a2afc8f8cc210bb1ec6ad4a6a20d67ae31a3b0a7f7561092f39bb7f0f

memory/4340-8-0x00007FF7966D0000-0x00007FF796A21000-memory.dmp

memory/3020-18-0x00007FF6E2E20000-0x00007FF6E3171000-memory.dmp

C:\Windows\System\oJmqUEE.exe

MD5 911a83d9534c794dfeec9b5e301bfff3
SHA1 895e1f206035109d5386b6de0a36000c03014851
SHA256 37771b8c125dbc24e6acf283d41baf8c81ff15c516ab501cd9aecb7e44af8e24
SHA512 0ffbb27c6111628313fd13555703b8398f1d9374b0839985ea5e5356776705cdd57fa104c1686aab80890a42fa509f32f2307becae3f3ad1cb25e8ca1d8fdfe4

memory/4700-23-0x00007FF797B70000-0x00007FF797EC1000-memory.dmp

C:\Windows\System\yLPirLN.exe

MD5 f77686cc1293b0731898d78430f53f5c
SHA1 573bcc8690488bde8b68e730e60d430f671b06d4
SHA256 a8eff2795054055487921d9ebaffe2dd77ad53b44ca971576d751375488609b3
SHA512 fb1aff3e98ef051a63ba10909b3c27d365746acd9936d96a0493d429da6d9e701553605c784219c389f6d98fda6b842a64075e151be9b8670137cd595db29f86

C:\Windows\System\QZhKLGE.exe

MD5 d122d0750f0df2a8a3c962511dd51eaa
SHA1 a5f869d7efa08437c238d8ac7c0f80fbeac462d7
SHA256 2ccc129e8e2a9f24cadf92acb4f2d6947c98cd07e013e90f4bee5eeffcce3699
SHA512 4a01470176a467bc3051fd3cdf3885f4599a86d2905ec7a0b4cf4b8a293dc51821eca1954cb53b46a9790aa9cd49431a0a373ea1fba1d81e24e84aa1b9abf83e

C:\Windows\System\zttRKXv.exe

MD5 e42b937872904d4fb29d0891c242621f
SHA1 887d7d5954a02bd482d008b7a750bd24c9d5750e
SHA256 b2a6c1f0590b897bd9a46fd8017acd3bc78247c1aa286d8c08c2bf945dc1a45f
SHA512 159d2de6ee819325832548254e702fccb1f46aac777209287eb9add776e884db5032ff632fecc27f4d2b4000258e19544c1ec5803a34de11d2021495284058ec

C:\Windows\System\WqKphhj.exe

MD5 5dc4a25ed12a51c39716e8159299f572
SHA1 e4f8308726a48f0cc6975237b15a62fd747ab588
SHA256 9b93beefd6e818e31f7d8bdd8e19905673fdb78b55bfe9d59aab4cc6340ea162
SHA512 07ce3a090ded1f19eadbbc463d88d65a7936894b5516a86c066b363a1dc08cde646b16c949d7ce1bfe8bb1db141f68f88b46cd6826d80a102e67e4cd8981923b

memory/4936-39-0x00007FF6BAC40000-0x00007FF6BAF91000-memory.dmp

memory/1208-38-0x00007FF7C75D0000-0x00007FF7C7921000-memory.dmp

memory/4604-35-0x00007FF746160000-0x00007FF7464B1000-memory.dmp

C:\Windows\System\LKVSTmT.exe

MD5 f7073ba9a6fecebe5cc12753c6a55957
SHA1 89039db3f61f8de1937374d214bc7b657c8328ae
SHA256 0e0263f762271b943962a644de4113cd26868de047d83c08aca7389b8c6c8a85
SHA512 7093ccfe217499097ec411d1cda03e3bdc1dd3a451fe312413c27fd1c190daf0430102cc4d95ba080a4e7ca368b3d098c195edffff892fb78f2b1b86a10b5352

C:\Windows\System\ooAWzoG.exe

MD5 8476a10bad893aad73edb6a2af5e18a1
SHA1 64192d6121606f33149a437647bd4924f9c882fc
SHA256 00cebcb9b3f76af19abcb145bf75151b50b98644f093af6981542d20fe1110d6
SHA512 ba7c6861b11a9c67f12fd6f10e7004daa9a86ad9e6e91bb67e0e583375ae42b170af824855a0e8ddd2616ba26221d5104cb9f71582ad6f517a15c2373563658c

memory/4588-54-0x00007FF735390000-0x00007FF7356E1000-memory.dmp

C:\Windows\System\szVbeFR.exe

MD5 dad7b9a486c0fccc5ec4ca730a10631e
SHA1 e317b57f910b97c64dd92e64446f4c42f30da7cb
SHA256 0c47d804d159f84d1cc2838d0e848ba2bda423eaf9316718640f1fbec0c1e92a
SHA512 bea0de541ed243b7e64b1f07c9e5dcb91240062df879285336cb15850e007adeb49437546030fe081bd96231d23ce101c7c29f6f732b2a542c5d0fa45ea9e001

memory/2892-57-0x00007FF6F26F0000-0x00007FF6F2A41000-memory.dmp

C:\Windows\System\rjASony.exe

MD5 442fc3a90090a3957c34c5affb0bb437
SHA1 de69417a1011d41e1af9d179a4d99b4d642c1425
SHA256 fed54ce439da5f05e7ad8a36e09215d246f4283b5aa8901d7fd134a45ca4f1a2
SHA512 e6232cc6b44a2230d95e34cd09900f1a6ecdc8a60d641e45d5138beee9e120d83b095e4cc76fe7de995df7163682e9f69e18ef77f1bbd44f0454581dd26ceb5c

memory/1388-55-0x00007FF736040000-0x00007FF736391000-memory.dmp

memory/2188-50-0x00007FF7B7F70000-0x00007FF7B82C1000-memory.dmp

C:\Windows\System\GltztZE.exe

MD5 94ede26822b5b3a6e050f1bc44338d4b
SHA1 0cc9e78fd910891222ea4c3226e43532a6d7c2a6
SHA256 c22a2965b288fd418ae4c588ca37732e0b07ce95acc8ed5c5f4edfaca2b50a60
SHA512 9b178a320a2902822c3cc0420705eff67d3f90027dad6f4af71bc65f4ea010b4cb6e921ae95007cb2b44f967098d2fe120e737459e8d62db74bd6944a08b7c91

memory/3316-68-0x00007FF737080000-0x00007FF7373D1000-memory.dmp

memory/2692-71-0x00007FF724D30000-0x00007FF725081000-memory.dmp

C:\Windows\System\yvaIpBh.exe

MD5 887ce42ee4ca6095ec831f286b673d37
SHA1 c21d2fbf50d841b030178eb64dacdda04ce69dcf
SHA256 464e0df29c157d8e5df673945a53e86d0351f0d14f6256ee7b0b64b48d95a9c7
SHA512 51ef19f962ee2ffb65a44511a8d4c4ee2fe57c598b14ab7e277b47eb7ae1a0af365d9d87b64c3c7e428e7d2149ad9de8d8a96491bbaf7b2ff12b388119bbdfce

memory/1180-80-0x00007FF660320000-0x00007FF660671000-memory.dmp

C:\Windows\System\PcssotQ.exe

MD5 b89867cd27dd89d18f07fae6bcfa5222
SHA1 bbec310011d3dd38b865b789c9b625cb6dac9b21
SHA256 7f6ae08901cb5003291e9f4b20f8039c921f8eb9488a6d21b9bb056126e8eab1
SHA512 0d73008890b1179b52f0008382ff352ba977bee892b3a4d7f672f8ca38c4b16a8bc2f7225e118da148acf679d2e0ad9da4b31a6ead1fedaf6a77d5bc53f12709

C:\Windows\System\BmIJUKm.exe

MD5 cd7ed7159eca816818ddb678c103dcbb
SHA1 f018f81d9c388f0dad446b8b8d68fcf7720b4439
SHA256 a4e802306cafb4db8c15ad16f155c954aeb33c572018c9318639ecb5c1c1f620
SHA512 db331f34e3b302054045c8f2e5775fa62b702524b37761cf361d581bb0964bd246f7e6d6ddd96f36c93906aeddfaeb94d9015c7e46f1ba0ee53f4e50fa8d385f

memory/4604-104-0x00007FF746160000-0x00007FF7464B1000-memory.dmp

C:\Windows\System\oiVgvxV.exe

MD5 c23edfc23d12f632b37f9b2cc241fdd2
SHA1 066d387b03105e1e1ffd3bf58e8bfb6d4bcd50bf
SHA256 a10e523d0fc04c1e059bc79147cc56a51a1e0e48ea8d6825883794c5c9599f36
SHA512 3b365fe8400cb10856ddd610af1145527247d9b3211b82b60287e9a9dd17e2273021d0cc0ce96e38b0b5011c7298ff90ab72567b059998afbeef69c6423634f4

C:\Windows\System\VzrNtfo.exe

MD5 7e0343856ac9827b2d68d2cc7dc0b977
SHA1 fdb59f446ea82fb05e7208418251ef04450abd8a
SHA256 452f54598755fae343d6460545db91ec0d9abedb658958a349315fb3ca718daa
SHA512 699adf11b92080950f45de2291cab91bed48e1294570a2768db1932223c1fcc26e0eaf45e2d467caa92eef833b45fad8b5f62568e02ce5eb6cb18497e9a85b4c

memory/812-129-0x00007FF771ED0000-0x00007FF772221000-memory.dmp

C:\Windows\System\yRudPDB.exe

MD5 f1008295165c33711ac78817813e517d
SHA1 3cd603e5ed9e6f4d7356ba60b48130860cdc8d4b
SHA256 b5f92d0dee40f3785faff5dd45a08e69177a44e0ed47fc6885093010aed3aa14
SHA512 072fbcd808858e8d869840d76e59dfe91a6015aff5f563bf9a10e023ec63bf51a02446abb5850e14b8e31ef10a9d24a6a2fcab8aa01f0ab3d7645c3613e1750d

C:\Windows\System\bTQzGuJ.exe

MD5 bef60f92efa033f2de87fa7292bbaadf
SHA1 e7d50d6f8840cf02c9868bfcdbb0e68236e748c0
SHA256 6ddd58b0cf3a203e63fa25851c2398d4046cccf85b2b71708410e05d6543595d
SHA512 a48e63e9c52c2cc44fb5f91da29cba108c20e6d66b3dcf92c777b37ce7b3c2fef8f2382dbd150ec0ac434f63158f3feb1f9cb653d2c5620a37cf20763c1ed90e

C:\Windows\System\vPpejou.exe

MD5 1bc42e4079d769bc40dfd895202a9c66
SHA1 0d8253cf60de1a8ff37bc78176ab0eeb8c86b0ae
SHA256 20b0ef1a899b74047edc5ef20ee0526809bdf3044eaa8df0e60ff3df23d7d9a7
SHA512 44d3e1ab823e11f51a6728720be09c9eb01aabe8959414372848aa780c634efe8a0637ab25345f9d7dfc5720fd15f863258c9a6f517dd8318fa0daf198afd059

memory/4588-112-0x00007FF735390000-0x00007FF7356E1000-memory.dmp

memory/1208-105-0x00007FF7C75D0000-0x00007FF7C7921000-memory.dmp

C:\Windows\System\RtjylDl.exe

MD5 761e277c885a34657ccbe55914a75a09
SHA1 b7a0051768567410642afc0762efa353bc0ff5cc
SHA256 9c80c1a2ad355328c4aa943b3ee6c7b1062fdd5b0e61fc1bd29e7dad7519e07f
SHA512 fd4704645527c6ba65f745eded9dcfb25dc6c4d6333e735c7fa087eb2939d0ecd1e0b2cdfded3b1651a892933f7a087698f63657de3ac9493c41ffb87c9f47a1

memory/2820-96-0x00007FF6EA5D0000-0x00007FF6EA921000-memory.dmp

memory/1500-95-0x00007FF733BF0000-0x00007FF733F41000-memory.dmp

memory/4700-94-0x00007FF797B70000-0x00007FF797EC1000-memory.dmp

memory/4496-89-0x00007FF72BD30000-0x00007FF72C081000-memory.dmp

memory/2940-87-0x00007FF7F6570000-0x00007FF7F68C1000-memory.dmp

C:\Windows\System\ubYattX.exe

MD5 b9923bce94e49319210703f3bcc07b88
SHA1 ad45e5a32fd15ac179a88a75162777e1ff6b423b
SHA256 a4c7001dcfde9ec6b8b1da0144d6be2dbf9b43782f554820b0837b36097a9c63
SHA512 8333afdffe0ca018ed4f0a3e5cd509690464c54f0d81b26434e67560a96c62fbdb0918339562fbb343e10a73c2247cab8841419a9b1afee73b6933bf3487562f

memory/3020-79-0x00007FF6E2E20000-0x00007FF6E3171000-memory.dmp

memory/4340-77-0x00007FF7966D0000-0x00007FF796A21000-memory.dmp

memory/4024-131-0x00007FF716CD0000-0x00007FF717021000-memory.dmp

memory/3316-132-0x00007FF737080000-0x00007FF7373D1000-memory.dmp

memory/2892-142-0x00007FF6F26F0000-0x00007FF6F2A41000-memory.dmp

memory/1680-144-0x00007FF72CAE0000-0x00007FF72CE31000-memory.dmp

memory/3428-145-0x00007FF72D640000-0x00007FF72D991000-memory.dmp

memory/3968-143-0x00007FF789E40000-0x00007FF78A191000-memory.dmp

memory/1388-141-0x00007FF736040000-0x00007FF736391000-memory.dmp

memory/4496-149-0x00007FF72BD30000-0x00007FF72C081000-memory.dmp

memory/812-153-0x00007FF771ED0000-0x00007FF772221000-memory.dmp

memory/2820-150-0x00007FF6EA5D0000-0x00007FF6EA921000-memory.dmp

memory/2940-148-0x00007FF7F6570000-0x00007FF7F68C1000-memory.dmp

memory/1500-151-0x00007FF733BF0000-0x00007FF733F41000-memory.dmp

memory/3316-157-0x00007FF737080000-0x00007FF7373D1000-memory.dmp

memory/4340-211-0x00007FF7966D0000-0x00007FF796A21000-memory.dmp

memory/3020-213-0x00007FF6E2E20000-0x00007FF6E3171000-memory.dmp

memory/4700-215-0x00007FF797B70000-0x00007FF797EC1000-memory.dmp

memory/4936-217-0x00007FF6BAC40000-0x00007FF6BAF91000-memory.dmp

memory/4604-221-0x00007FF746160000-0x00007FF7464B1000-memory.dmp

memory/2188-224-0x00007FF7B7F70000-0x00007FF7B82C1000-memory.dmp

memory/1208-225-0x00007FF7C75D0000-0x00007FF7C7921000-memory.dmp

memory/4588-227-0x00007FF735390000-0x00007FF7356E1000-memory.dmp

memory/2892-229-0x00007FF6F26F0000-0x00007FF6F2A41000-memory.dmp

memory/1388-231-0x00007FF736040000-0x00007FF736391000-memory.dmp

memory/2692-241-0x00007FF724D30000-0x00007FF725081000-memory.dmp

memory/1180-243-0x00007FF660320000-0x00007FF660671000-memory.dmp

memory/2940-245-0x00007FF7F6570000-0x00007FF7F68C1000-memory.dmp

memory/2820-247-0x00007FF6EA5D0000-0x00007FF6EA921000-memory.dmp

memory/4496-249-0x00007FF72BD30000-0x00007FF72C081000-memory.dmp

memory/1500-254-0x00007FF733BF0000-0x00007FF733F41000-memory.dmp

memory/4024-256-0x00007FF716CD0000-0x00007FF717021000-memory.dmp

memory/3428-259-0x00007FF72D640000-0x00007FF72D991000-memory.dmp

memory/812-264-0x00007FF771ED0000-0x00007FF772221000-memory.dmp

memory/3968-263-0x00007FF789E40000-0x00007FF78A191000-memory.dmp

memory/1680-261-0x00007FF72CAE0000-0x00007FF72CE31000-memory.dmp