Malware Analysis Report

2025-03-15 08:08

Sample ID 240815-nhfc6azblg
Target 2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat
SHA256 333e58bb3a5a406fdf706e8be1fd15043bf203cd5e231af3b8d7e373909e3c60
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

333e58bb3a5a406fdf706e8be1fd15043bf203cd5e231af3b8d7e373909e3c60

Threat Level: Known bad

The file 2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

xmrig

Cobaltstrike

XMRig Miner payload

Xmrig family

Cobalt Strike reflective loader

Cobaltstrike family

XMRig Miner payload

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-15 11:23

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 11:23

Reported

2024-08-15 11:26

Platform

win7-20240729-en

Max time kernel

140s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\rdGkKPf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LBpMSrO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kkmuXsN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tPrWgFw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HQVrtQq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZlccSpd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kGvglmz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IvkwQek.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\STamACE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rJdgZDe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZTqULSy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EUfjKUE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MnPRLEG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KkIQUuU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hTTORuX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NBMAhHK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TfzDYLj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OeJxhkx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OJpTrcv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DpDgasZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jWLlzyb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2264 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tPrWgFw.exe
PID 2264 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tPrWgFw.exe
PID 2264 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tPrWgFw.exe
PID 2264 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IvkwQek.exe
PID 2264 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IvkwQek.exe
PID 2264 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IvkwQek.exe
PID 2264 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OeJxhkx.exe
PID 2264 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OeJxhkx.exe
PID 2264 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OeJxhkx.exe
PID 2264 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OJpTrcv.exe
PID 2264 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OJpTrcv.exe
PID 2264 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OJpTrcv.exe
PID 2264 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZTqULSy.exe
PID 2264 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZTqULSy.exe
PID 2264 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZTqULSy.exe
PID 2264 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EUfjKUE.exe
PID 2264 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EUfjKUE.exe
PID 2264 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EUfjKUE.exe
PID 2264 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DpDgasZ.exe
PID 2264 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DpDgasZ.exe
PID 2264 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DpDgasZ.exe
PID 2264 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HQVrtQq.exe
PID 2264 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HQVrtQq.exe
PID 2264 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HQVrtQq.exe
PID 2264 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZlccSpd.exe
PID 2264 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZlccSpd.exe
PID 2264 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZlccSpd.exe
PID 2264 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jWLlzyb.exe
PID 2264 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jWLlzyb.exe
PID 2264 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jWLlzyb.exe
PID 2264 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hTTORuX.exe
PID 2264 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hTTORuX.exe
PID 2264 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hTTORuX.exe
PID 2264 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kGvglmz.exe
PID 2264 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kGvglmz.exe
PID 2264 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kGvglmz.exe
PID 2264 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rdGkKPf.exe
PID 2264 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rdGkKPf.exe
PID 2264 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rdGkKPf.exe
PID 2264 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LBpMSrO.exe
PID 2264 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LBpMSrO.exe
PID 2264 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LBpMSrO.exe
PID 2264 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NBMAhHK.exe
PID 2264 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NBMAhHK.exe
PID 2264 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NBMAhHK.exe
PID 2264 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MnPRLEG.exe
PID 2264 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MnPRLEG.exe
PID 2264 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MnPRLEG.exe
PID 2264 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\STamACE.exe
PID 2264 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\STamACE.exe
PID 2264 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\STamACE.exe
PID 2264 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TfzDYLj.exe
PID 2264 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TfzDYLj.exe
PID 2264 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TfzDYLj.exe
PID 2264 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kkmuXsN.exe
PID 2264 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kkmuXsN.exe
PID 2264 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kkmuXsN.exe
PID 2264 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KkIQUuU.exe
PID 2264 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KkIQUuU.exe
PID 2264 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KkIQUuU.exe
PID 2264 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rJdgZDe.exe
PID 2264 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rJdgZDe.exe
PID 2264 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rJdgZDe.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\tPrWgFw.exe

C:\Windows\System\tPrWgFw.exe

C:\Windows\System\IvkwQek.exe

C:\Windows\System\IvkwQek.exe

C:\Windows\System\OeJxhkx.exe

C:\Windows\System\OeJxhkx.exe

C:\Windows\System\OJpTrcv.exe

C:\Windows\System\OJpTrcv.exe

C:\Windows\System\ZTqULSy.exe

C:\Windows\System\ZTqULSy.exe

C:\Windows\System\EUfjKUE.exe

C:\Windows\System\EUfjKUE.exe

C:\Windows\System\DpDgasZ.exe

C:\Windows\System\DpDgasZ.exe

C:\Windows\System\HQVrtQq.exe

C:\Windows\System\HQVrtQq.exe

C:\Windows\System\ZlccSpd.exe

C:\Windows\System\ZlccSpd.exe

C:\Windows\System\jWLlzyb.exe

C:\Windows\System\jWLlzyb.exe

C:\Windows\System\hTTORuX.exe

C:\Windows\System\hTTORuX.exe

C:\Windows\System\kGvglmz.exe

C:\Windows\System\kGvglmz.exe

C:\Windows\System\rdGkKPf.exe

C:\Windows\System\rdGkKPf.exe

C:\Windows\System\LBpMSrO.exe

C:\Windows\System\LBpMSrO.exe

C:\Windows\System\NBMAhHK.exe

C:\Windows\System\NBMAhHK.exe

C:\Windows\System\MnPRLEG.exe

C:\Windows\System\MnPRLEG.exe

C:\Windows\System\STamACE.exe

C:\Windows\System\STamACE.exe

C:\Windows\System\TfzDYLj.exe

C:\Windows\System\TfzDYLj.exe

C:\Windows\System\kkmuXsN.exe

C:\Windows\System\kkmuXsN.exe

C:\Windows\System\KkIQUuU.exe

C:\Windows\System\KkIQUuU.exe

C:\Windows\System\rJdgZDe.exe

C:\Windows\System\rJdgZDe.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/2264-0-0x000000013F990000-0x000000013FCE1000-memory.dmp

memory/2264-1-0x0000000000180000-0x0000000000190000-memory.dmp

C:\Windows\system\tPrWgFw.exe

MD5 5d41029c52f9d89ebdad3ecba2d0c8ac
SHA1 c109ce6934bef3b6ef1687ea7f2520213b58d659
SHA256 57621c848398d9d5bfefe1d39d8941967eadf1743723f74300766b5d8bb0e423
SHA512 7992ddca5ae0dab359381ab4b92c81374c21fa990e05826f05d2544e0dd0497e957a1112ff65ac29d31d7f19602d5c5d03e9e9c7a0905295344b3e8d5c7f0d33

C:\Windows\system\OeJxhkx.exe

MD5 f49af44c2e415beb8e1a4de6e2e2bbf5
SHA1 7163f3541e0d6ae64f15f3c4c71cc6c0aaf11fc3
SHA256 402ca1741b5070390b06c8d2bcd713ab38161cfa18ad18f8412af32e62818b14
SHA512 01ce54511d2c3e9633742c8dd24e14920e7ca3d9adfd20e205ec7e5da7ee57371835fdae3045e98fd1187e9a36aa8d95fb1cf091989e0587755e21e9b18dbc41

C:\Windows\system\IvkwQek.exe

MD5 c0c44ab615ec0e91723012716cf89273
SHA1 254902238888c292637dbdc7795755a694c3de91
SHA256 8b73310621345d7e20738ea98eaaaf2aa2a25696e8e65fe746fabe3c98baf8dc
SHA512 14e89e9433b551bd394b4332c80308e1b86139930abce43caec9b3fda89d5f2c2b913c4d27480f777d023ee1f92b209732e72876c51736940756824346e621a5

C:\Windows\system\OJpTrcv.exe

MD5 65e3b17f9c381909246bf7dab6073905
SHA1 32b269026aacf9dedf4af0b378cb4972900b5eb3
SHA256 918433469013f96519f6d8ebe0ab81265f18beb8c0a117c8367169fa51c5d837
SHA512 1a46fc11fe5eb2877d188806dd24599934af6790bfac810b65729c55767196b712aa0f0b0d0900ebfeeab3d76a280e6fb5ea8fe2bd10b6f96673dace218e2cbc

C:\Windows\system\ZTqULSy.exe

MD5 80a20d3042b0a01e4a8ccf996b8a6814
SHA1 3fe34bb28c82b116d97090d51e5c36c12d6a0d59
SHA256 f860fae510cc6ceaf3eac188c67f47c48a954788f48fbc8bb87d7b09a79b1209
SHA512 6744873e8899a952caebf5649ea62892358113b92ad2f3baa75cc65623e1ac9c2b605067cc62ea3de0d46e66a17f8b3055139c5f1b52c7d2ed6ae70baec41392

\Windows\system\EUfjKUE.exe

MD5 0b9e4acfd618dcf75fa843e2a1853995
SHA1 db8f320a20f2af1937bf88226e7fc8a4b516322e
SHA256 210926fac8be432a623d699e4469aa11a8d46e997c9c97d8aa67b266b7b0889f
SHA512 1e4e2d018a041fe5567edbec0f9925d03e8ce2e8f5d6f35f007a902aa6964921cb72721df9db236356075eacd30e7cf998675e33508193cfaa040b83c8352893

C:\Windows\system\hTTORuX.exe

MD5 c5223c181b5441b9c6934767898bad0b
SHA1 a1ba0208c9096617dda46526211caaa7c9452fe4
SHA256 1dda0265e3cc2580e3d71e84e113aa493d5d84743747f2ef5de16e85ca95de8a
SHA512 f2058a2fb0495238ba2c13f3a1d0fd949065ec57f27d9213098ebba2867fbab4aca5cf5f5cfd462428739eaf7a05c83842eb027222811fcd04a03b482a0c422c

C:\Windows\system\kGvglmz.exe

MD5 1369d3046ed58f8295dbe627d881664d
SHA1 f10239fd32cd487bc3407511251021b6f49433c9
SHA256 de355de287e1616fb264fc6c954f3e8109bf749bb09f43aaf8c36ae27d053e0c
SHA512 674e7de1fbccbec36606767f348d2b9465c67a5fa5b5bbd65ddf3056e7816a892f0795888f33a8fc3fcbbf15593307d5fa8b9be812242f4ca143191adb0df5ff

C:\Windows\system\KkIQUuU.exe

MD5 43e5ed40a4295b178c93b5b2b9490763
SHA1 5e995b9876e6e8a08624798f61b0cd4bfc40a144
SHA256 e0c04fe5160ba82c477745b742aa0820a7faaab92f83c9063189e9f12dbfacbe
SHA512 eb1306e832024d633d993d111f82f10fcdff79c7ec54f0967dc69d34d3731915ce3fd127d432d1100abc0df17abe9afd4b11cd3523082c1fe66d66011e2176b8

C:\Windows\system\rJdgZDe.exe

MD5 401f2fb55ce595ce08c7419beadace52
SHA1 db12dc2562e574016117d5e7ef889aaa880116bf
SHA256 eec82db48ada329685a6f3e17a31f672b9965e8e609a3d98941d83af86674c72
SHA512 67ab0889cd141cd70817301fd64660d1147b01eb49763a7fd08bde3c7a806bf5d318e45b991e6b9d675c8e8bd5e07d6f355e892bd65eb76cedda600e1b4dc06c

C:\Windows\system\kkmuXsN.exe

MD5 b0d66ccb2a27567d4fb01c0ffd9f7684
SHA1 39b6097353363bc27fb12371dbc8e5f49b713483
SHA256 4a80fed3c67413a74a464fe819b7325adb220d361ed573e8d76bf2781bfc0cae
SHA512 9232df1612b9c3bac5bc4c9f35f11f8973ecb65ed3eeaa8e7d7932dd6357a45fc0320d10dd8e097c4f08dda64342ac1e15f39fd0504901fd0a95821d66de06ef

C:\Windows\system\TfzDYLj.exe

MD5 9141c92a83680540d1a3a3d82f974197
SHA1 3a77899ddec09a0e4dff6a323271c90d65a77fa7
SHA256 ed2132ca749606fe422a99b04088f6f1dc84b04d89600720c5c03d243cbee3cf
SHA512 7f810f1c6ce2f9165077749764d2bea26b72e138c23dcf2868b36fa0ebc0fbd33eff263b70992b08ea81b9f4918f149a6cd8237192becebce60af9116cc7a8b6

C:\Windows\system\STamACE.exe

MD5 c8f19219e5a1fb6da0e9149ab2b220dd
SHA1 ffdb0d9a12aabd5c72659a6bb4be391c4a5e2ebe
SHA256 69d60500726f5ee4afef955198e55f54dd05084fd7aa73aefd62bfaa7f414571
SHA512 5b2f2ab44816f7095f0540f2937e027417f882e075bc5004f573ee9b532e3bea5e0d57bc03e94f47c81a09e5d2062ea1063b005dd3f2c3281b1c204ec1cf4719

C:\Windows\system\MnPRLEG.exe

MD5 8cc9153783101b195b631c01440ff403
SHA1 c6ac40eb0d6423ea26e316c742775ab1e8395a0a
SHA256 947d565b0b2447aa453125aab166b8b851940ae08f625276e0a0494a8132e3cb
SHA512 d64b3a73032effd4e674789e054c27fae7992c29ce62268d68f74ceea6af130f764d89c1ea6c42e9ad8e985f13a217cea0c0d7175d072483afa705ffa21acc91

C:\Windows\system\NBMAhHK.exe

MD5 886c14d95c225da203f6fbb45cb65167
SHA1 cda8cfc3668bd7e675120aa9b6e90459662feae0
SHA256 a785ba223bd2ce649cfa5f1caf452a91fb2c2e3b5402db89be45369ebc49d478
SHA512 b214b13daba2dee15b4def94007a3699fd2611c4045c46bb8e7dee9ce14ee60772df29ee03cc74444aa15dbf6f7dc216150ef45fd20617057ad2368f21b0e41b

C:\Windows\system\LBpMSrO.exe

MD5 234b79e6d4b6280d071b1e186f9bf8d0
SHA1 29834e66c6ae1066583421851be8be3a5aa2ca52
SHA256 865fdb491386aec2e35cf44b7d3aff9e06f451567530700d4364dd0819586423
SHA512 faabd200290df708d9e790c5a55f07776c321bf4b5f4047e2ea6765ff93ebef9836f743e77aa22bb81e3547f55a74933c45f268b0eff92df05e1d015d3af51d1

C:\Windows\system\rdGkKPf.exe

MD5 8777d6a21a9fb429aac1f09cf33888b3
SHA1 92f7631d7ac5de8f97f20ad1c746229baf858411
SHA256 fc1a445ce5963913f7c4114a8739050bf6c192c80165809fb13c7997de07cbf8
SHA512 eb5ee9ebcff3cd5b1518115e1ea60fa5068e64f3e049536623e357e41409100477452e3eceb89ff4af63739cfb8750b9c8c6af8db835c98b87db678fdf929036

C:\Windows\system\jWLlzyb.exe

MD5 1a02d8cb8f42a067d6bbcd797f4e4eb8
SHA1 eead1203cda02612dc78b9494dec8564c35a71e3
SHA256 ef27a608102ef761b1f2d800fd959d6126077e7dbd142bd8e6b93983c7309d8d
SHA512 a6f6d17557c012fb27896063f7809b9da0f6c166c7fca846b89962029d5cc6506bbe3e214a1d4c3bff8010e6908ee1046e4be96c72be75144b44d3aa8245dfc7

C:\Windows\system\ZlccSpd.exe

MD5 c2dea86499d92bd42f892d09f2e4d183
SHA1 cc3a1aeab2ef6d7062b06a5417b7e333373e5a0f
SHA256 a0e7369970883d0159a0fc676a923795339cf6294c3c3b4d0666ab0458246e6e
SHA512 6716f8f9dbeb879bd42ed7d06da16b7312b0c8b551a2171f672a136b285cdca7d912e1a8bb153c33c45ec678b6c8f0cc2d848193d6834baed80355dc0de2b0fa

C:\Windows\system\HQVrtQq.exe

MD5 cb08f1a6b85061ee2d77e17e3f15df7e
SHA1 cfab0cbcd1515ec507362694b69d89afc1ea9bd6
SHA256 c0ce06d29bd4ca8ab666ed8a240b2e55000ba97385dd6f723fb224f4c0ed5e21
SHA512 fce13373dd080432066c13913302b43e5f8ffafd642f91a63a5318af471755f7532455a7fc880c6de0469bc82c9f48835fab252fc30442ca12cec3dcb5fa23b3

C:\Windows\system\DpDgasZ.exe

MD5 e7f7adfd90765bd087ef0c248b46be5d
SHA1 0cb662125c4dafe3d2ba84dc079781b2f8888018
SHA256 dfbe6e78253e7d3254ba1d87f27edfeb4568848a4a96e9e62d72ed2e043a023c
SHA512 d17d1aad7cb23dd9ebb0acea3a14790034fa725a089c81c02754a19bdac843243b7b110887424146c209948b636bfafef12effa0e8e2c3966452e93d6fe4221a

memory/2532-87-0x000000013F390000-0x000000013F6E1000-memory.dmp

memory/2344-98-0x000000013F990000-0x000000013FCE1000-memory.dmp

memory/2796-93-0x000000013FBB0000-0x000000013FF01000-memory.dmp

memory/2264-92-0x0000000002290000-0x00000000025E1000-memory.dmp

memory/548-91-0x000000013F0E0000-0x000000013F431000-memory.dmp

memory/2548-89-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

memory/2836-106-0x000000013F680000-0x000000013F9D1000-memory.dmp

memory/2816-104-0x000000013FD80000-0x00000001400D1000-memory.dmp

memory/2264-109-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

memory/2948-108-0x000000013F8C0000-0x000000013FC11000-memory.dmp

memory/2152-110-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

memory/2776-118-0x000000013F500000-0x000000013F851000-memory.dmp

memory/2264-120-0x000000013F0E0000-0x000000013F431000-memory.dmp

memory/2264-119-0x000000013FD50000-0x00000001400A1000-memory.dmp

memory/2264-117-0x000000013F500000-0x000000013F851000-memory.dmp

memory/2632-115-0x000000013F920000-0x000000013FC71000-memory.dmp

memory/2784-114-0x000000013F5E0000-0x000000013F931000-memory.dmp

memory/2264-113-0x000000013F5E0000-0x000000013F931000-memory.dmp

memory/2840-112-0x000000013FBC0000-0x000000013FF11000-memory.dmp

memory/2264-103-0x000000013FD80000-0x00000001400D1000-memory.dmp

memory/2744-102-0x000000013F690000-0x000000013F9E1000-memory.dmp

memory/2532-129-0x000000013F390000-0x000000013F6E1000-memory.dmp

memory/2548-131-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

memory/2344-133-0x000000013F990000-0x000000013FCE1000-memory.dmp

memory/2796-132-0x000000013FBB0000-0x000000013FF01000-memory.dmp

memory/548-130-0x000000013F0E0000-0x000000013F431000-memory.dmp

memory/2264-128-0x000000013F990000-0x000000013FCE1000-memory.dmp

memory/2152-138-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

memory/2836-136-0x000000013F680000-0x000000013F9D1000-memory.dmp

memory/2348-149-0x000000013F480000-0x000000013F7D1000-memory.dmp

memory/644-148-0x000000013F600000-0x000000013F951000-memory.dmp

memory/1652-147-0x000000013F2C0000-0x000000013F611000-memory.dmp

memory/1072-146-0x000000013FCA0000-0x000000013FFF1000-memory.dmp

memory/1892-145-0x000000013F560000-0x000000013F8B1000-memory.dmp

memory/2624-144-0x000000013F500000-0x000000013F851000-memory.dmp

memory/2784-140-0x000000013F5E0000-0x000000013F931000-memory.dmp

memory/2664-143-0x000000013FD50000-0x00000001400A1000-memory.dmp

memory/2744-134-0x000000013F690000-0x000000013F9E1000-memory.dmp

memory/2264-150-0x000000013F990000-0x000000013FCE1000-memory.dmp

memory/2264-151-0x000000013F500000-0x000000013F851000-memory.dmp

memory/2264-152-0x000000013F990000-0x000000013FCE1000-memory.dmp

memory/2532-218-0x000000013F390000-0x000000013F6E1000-memory.dmp

memory/2948-221-0x000000013F8C0000-0x000000013FC11000-memory.dmp

memory/2816-223-0x000000013FD80000-0x00000001400D1000-memory.dmp

memory/2548-225-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

memory/2840-227-0x000000013FBC0000-0x000000013FF11000-memory.dmp

memory/2344-230-0x000000013F990000-0x000000013FCE1000-memory.dmp

memory/2632-234-0x000000013F920000-0x000000013FC71000-memory.dmp

memory/2836-236-0x000000013F680000-0x000000013F9D1000-memory.dmp

memory/2776-240-0x000000013F500000-0x000000013F851000-memory.dmp

memory/548-244-0x000000013F0E0000-0x000000013F431000-memory.dmp

memory/2152-245-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

memory/2796-252-0x000000013FBB0000-0x000000013FF01000-memory.dmp

memory/2784-247-0x000000013F5E0000-0x000000013F931000-memory.dmp

memory/2744-251-0x000000013F690000-0x000000013F9E1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 11:23

Reported

2024-08-15 11:26

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\nOvrYXl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QcdCgjo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZdquIqY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DDkCgOv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oJTeMEp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\chrXRUp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VTEVSgJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NaBRSai.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xVscyvA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GlKXYCQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aXHnyaT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DnznMpS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xlWwmUY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MhwycNl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VKeGVLe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wsMBrgo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qCnPgrt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TVcrzHf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CxcBICE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jToVWfj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dedwTNZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1216 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wsMBrgo.exe
PID 1216 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wsMBrgo.exe
PID 1216 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dedwTNZ.exe
PID 1216 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dedwTNZ.exe
PID 1216 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xVscyvA.exe
PID 1216 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xVscyvA.exe
PID 1216 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oJTeMEp.exe
PID 1216 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oJTeMEp.exe
PID 1216 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qCnPgrt.exe
PID 1216 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qCnPgrt.exe
PID 1216 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GlKXYCQ.exe
PID 1216 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GlKXYCQ.exe
PID 1216 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NaBRSai.exe
PID 1216 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NaBRSai.exe
PID 1216 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aXHnyaT.exe
PID 1216 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aXHnyaT.exe
PID 1216 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TVcrzHf.exe
PID 1216 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TVcrzHf.exe
PID 1216 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CxcBICE.exe
PID 1216 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CxcBICE.exe
PID 1216 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DnznMpS.exe
PID 1216 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DnznMpS.exe
PID 1216 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\chrXRUp.exe
PID 1216 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\chrXRUp.exe
PID 1216 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xlWwmUY.exe
PID 1216 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xlWwmUY.exe
PID 1216 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nOvrYXl.exe
PID 1216 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nOvrYXl.exe
PID 1216 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MhwycNl.exe
PID 1216 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MhwycNl.exe
PID 1216 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VTEVSgJ.exe
PID 1216 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VTEVSgJ.exe
PID 1216 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jToVWfj.exe
PID 1216 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jToVWfj.exe
PID 1216 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QcdCgjo.exe
PID 1216 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QcdCgjo.exe
PID 1216 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VKeGVLe.exe
PID 1216 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VKeGVLe.exe
PID 1216 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZdquIqY.exe
PID 1216 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZdquIqY.exe
PID 1216 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DDkCgOv.exe
PID 1216 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DDkCgOv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\wsMBrgo.exe

C:\Windows\System\wsMBrgo.exe

C:\Windows\System\dedwTNZ.exe

C:\Windows\System\dedwTNZ.exe

C:\Windows\System\xVscyvA.exe

C:\Windows\System\xVscyvA.exe

C:\Windows\System\oJTeMEp.exe

C:\Windows\System\oJTeMEp.exe

C:\Windows\System\qCnPgrt.exe

C:\Windows\System\qCnPgrt.exe

C:\Windows\System\GlKXYCQ.exe

C:\Windows\System\GlKXYCQ.exe

C:\Windows\System\NaBRSai.exe

C:\Windows\System\NaBRSai.exe

C:\Windows\System\aXHnyaT.exe

C:\Windows\System\aXHnyaT.exe

C:\Windows\System\TVcrzHf.exe

C:\Windows\System\TVcrzHf.exe

C:\Windows\System\CxcBICE.exe

C:\Windows\System\CxcBICE.exe

C:\Windows\System\DnznMpS.exe

C:\Windows\System\DnznMpS.exe

C:\Windows\System\chrXRUp.exe

C:\Windows\System\chrXRUp.exe

C:\Windows\System\xlWwmUY.exe

C:\Windows\System\xlWwmUY.exe

C:\Windows\System\nOvrYXl.exe

C:\Windows\System\nOvrYXl.exe

C:\Windows\System\MhwycNl.exe

C:\Windows\System\MhwycNl.exe

C:\Windows\System\VTEVSgJ.exe

C:\Windows\System\VTEVSgJ.exe

C:\Windows\System\jToVWfj.exe

C:\Windows\System\jToVWfj.exe

C:\Windows\System\QcdCgjo.exe

C:\Windows\System\QcdCgjo.exe

C:\Windows\System\VKeGVLe.exe

C:\Windows\System\VKeGVLe.exe

C:\Windows\System\ZdquIqY.exe

C:\Windows\System\ZdquIqY.exe

C:\Windows\System\DDkCgOv.exe

C:\Windows\System\DDkCgOv.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

memory/1216-0-0x00007FF611910000-0x00007FF611C61000-memory.dmp

memory/1216-1-0x000001CDE5F20000-0x000001CDE5F30000-memory.dmp

C:\Windows\System\wsMBrgo.exe

MD5 2e59b4098d40170192657a26b52055bc
SHA1 a1b6981df224a60526cd40dc46ae0d6d59e78b05
SHA256 eb6454ba708a81f50b1277e84094ddd9b36635890e9518b7fee0af6d90116c69
SHA512 62a22c6768096f31b8ba01d99588a7dce02ab7ca49c3856da908df23f286c66a6b3e0a9abd41ef8291f2ecf896c3ba6ade0426f789ac91f2cd666aa361e8b14a

C:\Windows\System\dedwTNZ.exe

MD5 7570553c76ffbc3539dbbaee8529588a
SHA1 e7b8d355347dde3c80b054d98de4147f4de02060
SHA256 4efb899923b8552ff67e98099e5f31a7a2c5f52c51e871f5b9f3b9ca192f5441
SHA512 bba4d990235e3e9fe7bbe1a3550fd6ab59c79d2328445f1cffd22003a2d0b2ca6e2506becfe2276fcaf5a51a339b327c2c83472f01367b1508981a3a282a9ad0

C:\Windows\System\xVscyvA.exe

MD5 1062a3bd5d15910607c211b102b0968f
SHA1 bcac530b9b7273887d07fa5883d01e8b0e027208
SHA256 1482f69e17eca98cb3e019fcc1afbe18d2c41b3a147279fd06d3e42fbd29f4b6
SHA512 ab446dab2062442134e03bb5c474dc248d6a3afc91fcd3fbbe635f38da5e0f5f0975a76e26dbc7763b7741c8c48c5983ab7ce22fe51380098b335e224eb4ec75

memory/2528-8-0x00007FF79A980000-0x00007FF79ACD1000-memory.dmp

C:\Windows\System\oJTeMEp.exe

MD5 2732feb1173e8f79828e102c7ea6ad05
SHA1 cad90a5fb9752c6f4dcf4d2ee2a0513a33d28af8
SHA256 8b2e807dfed5439e7da30a0e2cc9e605ca2507a5b343fee5037189e7f15962fb
SHA512 09c43e4df28aa3783fc247eec822a288f2f6a3cb5418414ff81a100c68732e2da4d1ee854dc402462cd7d7604a54703116bc54d6ef7c4c9846993e70a8359c40

C:\Windows\System\qCnPgrt.exe

MD5 88247d1704873da7a8ba22d82ec2b277
SHA1 6b22df343c3175fc1332478c7abbfc985ab3050d
SHA256 edf8ccbf2d9300be602b49dfe85cfa7ad854860393d97ef20d85355a17480f02
SHA512 798eba54c1b5b83a65fce56cd154cae5a14e81b0b0b72604514df59c8a43d9a721ed42a2edcf60b87eac98e920bf70491e34ed10726dc9c9d7123a65b6044824

memory/2008-18-0x00007FF775BC0000-0x00007FF775F11000-memory.dmp

memory/3264-28-0x00007FF6CCFE0000-0x00007FF6CD331000-memory.dmp

C:\Windows\System\CxcBICE.exe

MD5 1e88355934e1c76f8faf24a85e911d78
SHA1 c7ee8166629e6436578f72462ec2938f3540da01
SHA256 4391def8227ad136c3d1855628e47552e062a61f614765d6f71c01ec3628fbad
SHA512 e059f34bdaf6ce9d5bea7a62d89d6ec93bcee240043873f83b7626da863b96fc9f8d04b10462efbf4ca30e9ca954078b78218eaec0374eaf8682c65548353e30

C:\Windows\System\DnznMpS.exe

MD5 9a317a1ae20db8b82588bcd5d3021112
SHA1 5080e0904a07a89a76873153a313eefb62ae308d
SHA256 5e17c68636816639df46296189e316418a43480dbc3b381a3e67970167aa148e
SHA512 4852cc255b2e7c1e4ce48452e7e8e073396863668419d5c44cd587c43cdbb857b9a9ecfef26f826795b8f05bd9883edae7e185e9a5f9a6d9fb15b04358e135ed

C:\Windows\System\nOvrYXl.exe

MD5 8794f2f1ff6aacbbb8e14e27ed353c8d
SHA1 f9db2c0b5f2d48d91d3279ebb7eaebfd9de2be3b
SHA256 088f06caa3de2cf9d7662d03707ace4896ef2de3695013f3aaf38c590ca27004
SHA512 0dd8755bdbac5971bfeff4bf200f8581e5a221cd0b6deb1081df1bad900516b2dddf4f1e61fefbe575d98caa0e779f5d5430ca7943f58a429144e8b891f67595

memory/644-89-0x00007FF723820000-0x00007FF723B71000-memory.dmp

C:\Windows\System\VTEVSgJ.exe

MD5 bc1d12d545efc32b237588db87e5b8cd
SHA1 1e89a9300d4bd41cbb7cabf4fe71c9ea5b8c82d5
SHA256 5a4f293e41484899bc2eb3e7054218a15137308719b34ae7de88421843a6ee21
SHA512 e8a209088fad31ceb1af28c16a16a15d1735cb4d210f7d2dbfacdaae443f3353c4d70aa44e3270767e184dc06ff44bee88e2c7a4ebed574daf9002c573237c7d

memory/1792-105-0x00007FF6DE660000-0x00007FF6DE9B1000-memory.dmp

C:\Windows\System\QcdCgjo.exe

MD5 4a249fa5e484239e3d88101e637c8842
SHA1 143ccc518c2b924a9c7bcea74a85092731141861
SHA256 27ad84f6e0d1068fb23a8c2c6077492aeb8abf54658a0963c9a35ba4cd74e6a9
SHA512 ecc1818f8e4612306fe6adfcb37405aa2e4b2f4885e1ca72502332819fadc3a4e67d931970b7d04481e66ab5a0c93c1fd3410b9c654d67dc5563f434f08a753e

C:\Windows\System\VKeGVLe.exe

MD5 89ddad8765e18382e8e32cdccb473436
SHA1 4018a9d2099d1c7611aa43eeae99dc0743b247a3
SHA256 2a46391c0990656cb2b2a8deb0bbc858f0a557eb3eba4441fe80d9e8d50a7f92
SHA512 9e6e7ead8c9ae1fed03b67ab88ea473d89f724df48c30564e7f70ca33873222d5544059de2543a883d9a1d053a4d39d95611b73f5057d98cdb049977406a6d5e

memory/536-113-0x00007FF770E70000-0x00007FF7711C1000-memory.dmp

C:\Windows\System\jToVWfj.exe

MD5 7018e80488fbb8ac55e14b0e02bcfde6
SHA1 138b74352f71ba303a6eaa2b3be3ebdf5f0ee1ad
SHA256 bfc85b276edae863350917aa95ec9a1caf639328019df17a0f835e7516ea270e
SHA512 b9bb73de958745f70ca4208666c31f517e522babe008eadf46d67e446c9ca60ab5351b0c25cf1d9e3ddc549742d8e27fb64c9fe2d240ca394c76324566705935

memory/3604-109-0x00007FF7EC040000-0x00007FF7EC391000-memory.dmp

memory/4968-108-0x00007FF6E4600000-0x00007FF6E4951000-memory.dmp

memory/1824-107-0x00007FF712330000-0x00007FF712681000-memory.dmp

memory/4468-99-0x00007FF68B5C0000-0x00007FF68B911000-memory.dmp

C:\Windows\System\MhwycNl.exe

MD5 550828611639ef63a2ed46e238470c07
SHA1 c3a6f823f29fd821c124d98744c0110c481d0d8b
SHA256 09c3f6c2d14f90d10b515b7479ad0dd335bd3b6a0691234be51470ebe06e9eaf
SHA512 1efecf95430f69769abc92712ea893f4b489ec53232daef9e156640298903030db8e4c8e6038677b4796fc0e362b6ffa9c406f72bb412a520fd7c10f803f36e4

memory/5048-90-0x00007FF660EB0000-0x00007FF661201000-memory.dmp

memory/3364-84-0x00007FF72E2B0000-0x00007FF72E601000-memory.dmp

C:\Windows\System\chrXRUp.exe

MD5 d9d65dfb5d567e77e662899ffff5d99d
SHA1 edb3439b1fa8d168ef14134487ec513e51361e7a
SHA256 9b0aea51c5f2c7b46c70d20a06914ef6e4174f0d482cce4514fa8e05dcc873aa
SHA512 d3870737f98127191525e0a49417571c0a489c9ae31dd9219febfd8af76027fa5bdee6af3b5ec9613606e0f93bbebeb763c909466d43984624b586a8a98127de

C:\Windows\System\xlWwmUY.exe

MD5 98e255a984fbe0ff4ec969f7d2c7a1b2
SHA1 c71acb8f9e48323577df65ccf99aeea42524ac3c
SHA256 a0607b199aefe1fcd0690692edc17f03866269610d61fa9940c14deb0cbc1fa3
SHA512 41b58b70f6f2ed912022ab3ad9ebe363a80fad053c71b2f2e9e159942088262c5b3a897b247c3265846153a576a649ba3e44b281e0495f9ccca764f8efd8c040

memory/3996-78-0x00007FF6A9440000-0x00007FF6A9791000-memory.dmp

memory/1268-77-0x00007FF668320000-0x00007FF668671000-memory.dmp

memory/1388-66-0x00007FF6E7240000-0x00007FF6E7591000-memory.dmp

C:\Windows\System\NaBRSai.exe

MD5 d44c3c5653147f3ed9ed15d152a5d0c6
SHA1 56feff4e041cda6fe8722c3586899b43e2859acf
SHA256 5cc06c5366ff7fbeb6ec030e063ad6d639db9a9fc4bd2877b80b2e21f939eb03
SHA512 e0501c284878dac9ce748f687ff295f1c334de8f2a1c4b6bf27169968e63a883774745ee222ffca6b241b243574961f5ac0f7682fedd6a9d65c894d7817cddbb

memory/4576-53-0x00007FF7E9120000-0x00007FF7E9471000-memory.dmp

C:\Windows\System\TVcrzHf.exe

MD5 ff4eb7a43c5b64b04f659fb44017a589
SHA1 8c410fb5aefa9646f501d837aa7d81728ce7d613
SHA256 b432719d3aec341f75ea4be2c232d8d504e603fffdc9935c0f2dce211db6179c
SHA512 dec50b8a429cacdc9ceb73bc9bb830c47ee6bfe1a404237a2b5767f51f6ce00c6cbe46190bdf7c8b699103b0818e31df50fd45b824f569a06ddf819e508f4bd9

C:\Windows\System\aXHnyaT.exe

MD5 a9986172ee94db607030aa289d6b7f57
SHA1 4df515f237f1a50bfea56c5818f7238cb925dc4f
SHA256 1e1b1bb14254c89bb81d34e05c31e924e539d4d01d3fcaa274cd1edec6fcd585
SHA512 6ec15482013435c35c72806576d2da6e5485cbf9a59695d13aa1309707471d09231a0aaa8f5b085ffb778633fee75cc58b00d1655c77492869ca570939941048

memory/1828-46-0x00007FF79B2C0000-0x00007FF79B611000-memory.dmp

memory/4972-45-0x00007FF728240000-0x00007FF728591000-memory.dmp

C:\Windows\System\GlKXYCQ.exe

MD5 c778f52e77dac06597d248bb4a7a9c31
SHA1 f050c1a5115e09de219bd2e461f536fa55672d93
SHA256 0d8768a396e71c2ffa513643e3ca1c2a37dd98c1bc09f61243f0bb61d6e4aa05
SHA512 45edd6af20e5dd13e9fe01607344ac91ff4922dbf36cecc69a75af483b652e16ff497b5897b5af4ae50a37355d07f6b86bca90961aacc60af505c7d6b0581901

memory/3352-37-0x00007FF718C90000-0x00007FF718FE1000-memory.dmp

memory/3264-121-0x00007FF6CCFE0000-0x00007FF6CD331000-memory.dmp

memory/3364-134-0x00007FF72E2B0000-0x00007FF72E601000-memory.dmp

C:\Windows\System\DDkCgOv.exe

MD5 f367131435f778c259e37beda3a41be7
SHA1 01a23fe7c1b8a669310ed23e5353a440c8722639
SHA256 7aa0c19175dc23fcb695df50b166c30b1af9dcdd8a1e25c95b5eb3ad9c6c70e4
SHA512 d44aaeaff99b3d3c3a2b9d06ee09dce49a3f715bf999a3f71ce7b402387672328a4b1b2ca95fb7f16388e40e4a795e6e424d02e6f86defdbdb21bad089a66b6e

memory/4468-128-0x00007FF68B5C0000-0x00007FF68B911000-memory.dmp

memory/1828-126-0x00007FF79B2C0000-0x00007FF79B611000-memory.dmp

memory/4972-124-0x00007FF728240000-0x00007FF728591000-memory.dmp

memory/2008-119-0x00007FF775BC0000-0x00007FF775F11000-memory.dmp

memory/2528-118-0x00007FF79A980000-0x00007FF79ACD1000-memory.dmp

memory/1216-117-0x00007FF611910000-0x00007FF611C61000-memory.dmp

memory/4004-141-0x00007FF62B5D0000-0x00007FF62B921000-memory.dmp

memory/1416-142-0x00007FF645250000-0x00007FF6455A1000-memory.dmp

memory/1216-146-0x00007FF611910000-0x00007FF611C61000-memory.dmp

memory/3604-144-0x00007FF7EC040000-0x00007FF7EC391000-memory.dmp

C:\Windows\System\ZdquIqY.exe

MD5 ab55e4466cccc10f93a3df772a927cab
SHA1 5ab99800143c178591410a12530ba5ad1ab13068
SHA256 9c7ec379a92c7550b705768270dc99a7d00e61b104c4688f77fe2ee56e6001fe
SHA512 6883c1f87deac79442ad7fede593fcf629ee26f7dff0fe051b4abd485bce451705823437671d1207bc90b28506bf15f36ae9b4d76a966714cc70e74ee9ea25c3

memory/644-140-0x00007FF723820000-0x00007FF723B71000-memory.dmp

memory/3996-130-0x00007FF6A9440000-0x00007FF6A9791000-memory.dmp

memory/1268-125-0x00007FF668320000-0x00007FF668671000-memory.dmp

memory/4968-147-0x00007FF6E4600000-0x00007FF6E4951000-memory.dmp

memory/536-148-0x00007FF770E70000-0x00007FF7711C1000-memory.dmp

memory/1216-149-0x00007FF611910000-0x00007FF611C61000-memory.dmp

memory/1416-160-0x00007FF645250000-0x00007FF6455A1000-memory.dmp

memory/2528-208-0x00007FF79A980000-0x00007FF79ACD1000-memory.dmp

memory/2008-210-0x00007FF775BC0000-0x00007FF775F11000-memory.dmp

memory/3352-212-0x00007FF718C90000-0x00007FF718FE1000-memory.dmp

memory/3264-214-0x00007FF6CCFE0000-0x00007FF6CD331000-memory.dmp

memory/4576-216-0x00007FF7E9120000-0x00007FF7E9471000-memory.dmp

memory/1388-218-0x00007FF6E7240000-0x00007FF6E7591000-memory.dmp

memory/4972-231-0x00007FF728240000-0x00007FF728591000-memory.dmp

memory/1268-233-0x00007FF668320000-0x00007FF668671000-memory.dmp

memory/1828-230-0x00007FF79B2C0000-0x00007FF79B611000-memory.dmp

memory/5048-235-0x00007FF660EB0000-0x00007FF661201000-memory.dmp

memory/1792-237-0x00007FF6DE660000-0x00007FF6DE9B1000-memory.dmp

memory/3996-239-0x00007FF6A9440000-0x00007FF6A9791000-memory.dmp

memory/3364-245-0x00007FF72E2B0000-0x00007FF72E601000-memory.dmp

memory/1824-244-0x00007FF712330000-0x00007FF712681000-memory.dmp

memory/4468-247-0x00007FF68B5C0000-0x00007FF68B911000-memory.dmp

memory/644-242-0x00007FF723820000-0x00007FF723B71000-memory.dmp

memory/4968-253-0x00007FF6E4600000-0x00007FF6E4951000-memory.dmp

memory/3604-251-0x00007FF7EC040000-0x00007FF7EC391000-memory.dmp

memory/536-250-0x00007FF770E70000-0x00007FF7711C1000-memory.dmp

memory/4004-258-0x00007FF62B5D0000-0x00007FF62B921000-memory.dmp

memory/1416-260-0x00007FF645250000-0x00007FF6455A1000-memory.dmp