Malware Analysis Report

2025-03-15 08:07

Sample ID 240815-nljvrazbqf
Target 2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat
SHA256 0982f6db774f8549398f52a461dda8701963f9d3c9d3ec59c635e2ca6994632c
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0982f6db774f8549398f52a461dda8701963f9d3c9d3ec59c635e2ca6994632c

Threat Level: Known bad

The file 2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Xmrig family

Cobaltstrike

xmrig

Cobaltstrike family

Cobalt Strike reflective loader

XMRig Miner payload

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-15 11:29

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 11:29

Reported

2024-08-15 11:31

Platform

win7-20240705-en

Max time kernel

141s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\System\wSJURPA.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\YArcfJh.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\grifmNx.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\qNivVtG.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\ygAAAVI.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\HPrEamr.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\JzahhfW.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\eroeGdX.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\PBBfqnp.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\exhDQTx.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\KSDyqZp.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\biDaVYe.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\QKtcyYg.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\UXNlubQ.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\OTbTBIy.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\cPELJOm.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\zJnWWGR.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\WlLweSX.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\fegQgSL.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\AneVIkp.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\wLtExFK.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1240 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\OTbTBIy.exe
PID 1240 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\OTbTBIy.exe
PID 1240 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\OTbTBIy.exe
PID 1240 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\AneVIkp.exe
PID 1240 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\AneVIkp.exe
PID 1240 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\AneVIkp.exe
PID 1240 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\wLtExFK.exe
PID 1240 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\wLtExFK.exe
PID 1240 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\wLtExFK.exe
PID 1240 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\zJnWWGR.exe
PID 1240 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\zJnWWGR.exe
PID 1240 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\zJnWWGR.exe
PID 1240 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\JzahhfW.exe
PID 1240 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\JzahhfW.exe
PID 1240 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\JzahhfW.exe
PID 1240 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\PBBfqnp.exe
PID 1240 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\PBBfqnp.exe
PID 1240 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\PBBfqnp.exe
PID 1240 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\eroeGdX.exe
PID 1240 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\eroeGdX.exe
PID 1240 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\eroeGdX.exe
PID 1240 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\cPELJOm.exe
PID 1240 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\cPELJOm.exe
PID 1240 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\cPELJOm.exe
PID 1240 wrote to memory of 888 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\wSJURPA.exe
PID 1240 wrote to memory of 888 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\wSJURPA.exe
PID 1240 wrote to memory of 888 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\wSJURPA.exe
PID 1240 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\exhDQTx.exe
PID 1240 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\exhDQTx.exe
PID 1240 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\exhDQTx.exe
PID 1240 wrote to memory of 2420 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\KSDyqZp.exe
PID 1240 wrote to memory of 2420 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\KSDyqZp.exe
PID 1240 wrote to memory of 2420 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\KSDyqZp.exe
PID 1240 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\biDaVYe.exe
PID 1240 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\biDaVYe.exe
PID 1240 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\biDaVYe.exe
PID 1240 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\QKtcyYg.exe
PID 1240 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\QKtcyYg.exe
PID 1240 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\QKtcyYg.exe
PID 1240 wrote to memory of 1684 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\YArcfJh.exe
PID 1240 wrote to memory of 1684 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\YArcfJh.exe
PID 1240 wrote to memory of 1684 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\YArcfJh.exe
PID 1240 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\WlLweSX.exe
PID 1240 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\WlLweSX.exe
PID 1240 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\WlLweSX.exe
PID 1240 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\grifmNx.exe
PID 1240 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\grifmNx.exe
PID 1240 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\grifmNx.exe
PID 1240 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\qNivVtG.exe
PID 1240 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\qNivVtG.exe
PID 1240 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\qNivVtG.exe
PID 1240 wrote to memory of 2228 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\UXNlubQ.exe
PID 1240 wrote to memory of 2228 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\UXNlubQ.exe
PID 1240 wrote to memory of 2228 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\UXNlubQ.exe
PID 1240 wrote to memory of 2184 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\ygAAAVI.exe
PID 1240 wrote to memory of 2184 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\ygAAAVI.exe
PID 1240 wrote to memory of 2184 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\ygAAAVI.exe
PID 1240 wrote to memory of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\HPrEamr.exe
PID 1240 wrote to memory of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\HPrEamr.exe
PID 1240 wrote to memory of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\HPrEamr.exe
PID 1240 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\fegQgSL.exe
PID 1240 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\fegQgSL.exe
PID 1240 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\fegQgSL.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\OTbTBIy.exe

C:\Windows\System\OTbTBIy.exe

C:\Windows\System\AneVIkp.exe

C:\Windows\System\AneVIkp.exe

C:\Windows\System\wLtExFK.exe

C:\Windows\System\wLtExFK.exe

C:\Windows\System\zJnWWGR.exe

C:\Windows\System\zJnWWGR.exe

C:\Windows\System\JzahhfW.exe

C:\Windows\System\JzahhfW.exe

C:\Windows\System\PBBfqnp.exe

C:\Windows\System\PBBfqnp.exe

C:\Windows\System\eroeGdX.exe

C:\Windows\System\eroeGdX.exe

C:\Windows\System\cPELJOm.exe

C:\Windows\System\cPELJOm.exe

C:\Windows\System\wSJURPA.exe

C:\Windows\System\wSJURPA.exe

C:\Windows\System\exhDQTx.exe

C:\Windows\System\exhDQTx.exe

C:\Windows\System\KSDyqZp.exe

C:\Windows\System\KSDyqZp.exe

C:\Windows\System\biDaVYe.exe

C:\Windows\System\biDaVYe.exe

C:\Windows\System\QKtcyYg.exe

C:\Windows\System\QKtcyYg.exe

C:\Windows\System\YArcfJh.exe

C:\Windows\System\YArcfJh.exe

C:\Windows\System\WlLweSX.exe

C:\Windows\System\WlLweSX.exe

C:\Windows\System\grifmNx.exe

C:\Windows\System\grifmNx.exe

C:\Windows\System\qNivVtG.exe

C:\Windows\System\qNivVtG.exe

C:\Windows\System\UXNlubQ.exe

C:\Windows\System\UXNlubQ.exe

C:\Windows\System\ygAAAVI.exe

C:\Windows\System\ygAAAVI.exe

C:\Windows\System\HPrEamr.exe

C:\Windows\System\HPrEamr.exe

C:\Windows\System\fegQgSL.exe

C:\Windows\System\fegQgSL.exe

Network

Country | Destination | Domain | Proto
DE | 3.120.209.58:8080 | N/A | tcp
DE | 3.120.209.58:8080 | N/A | tcp
DE | 3.120.209.58:8080 | N/A | tcp
DE | 3.120.209.58:8080 | N/A | tcp
DE | 3.120.209.58:8080 | N/A | tcp
DE | 3.120.209.58:8080 | N/A | tcp

Files

memory/1240-0-0x000000013F280000-0x000000013F5D1000-memory.dmp

memory/1240-1-0x00000000000F0000-0x0000000000100000-memory.dmp

C:\Windows\system\OTbTBIy.exe

MD5 69a07a11ce7a919cb85324bd4082ba6e
SHA1 6189db492f48f0886511a10d13ee83be47a3790a
SHA256 bfb9eb1cc33adfcc7d07fd3cecd1e723dbd8ebcd4859f90d427517a2fcf9bebf
SHA512 d12487f25a77c4ceae0a8eacdfac35fada048884041c7ace79cda7570e9dfc733feba6f7c65c2f480df51f5f0863263d263e0bd34acd0b20f0af70193c485a05

\Windows\system\AneVIkp.exe

MD5 e90417be32cd711df563188503c6905a
SHA1 018f3bb24deefb352c98456d2acf173da23d3cbe
SHA256 5a460bfa45866c8fb0442cbacb7455c1dba760d47420b2545d90df6110c9969c
SHA512 980d9b21db80b05d1905ba312c4eb66f74d9ce5c3bd56356f2588638b7c584d558d67a659d28e61da320f064ff871cd2e47d15ab35b6a6331768062b6f15ac90

C:\Windows\system\wLtExFK.exe

MD5 75c39046dbf7a27c5b6536c1a0b44485
SHA1 f888ce953fbbe919b8281239c577ce4c6bd43f52
SHA256 58bff3039ac6f10ac46e703196ff9f958c1eb5e87d625a35f3ab6ddeab6fbc3c
SHA512 17329427ba17971e11350d487d660526cb63af4605db1179635b62c084562bb2ed44b43fbf9a833658f6e08369f4cd4893c38ca7cd00c7fcfdeb5496b2dfe17e

C:\Windows\system\zJnWWGR.exe

MD5 87c88b1cad3cb6e1c191b6a0a641e771
SHA1 5558c13209f73d88480a1acb88154d9fd49bc337
SHA256 0b70c167ad0819a3354501670e061925b474975e044204631455beea4d1729e9
SHA512 4ca5fb69da362bae5b8d9f91d0d3ef7fae29ad6bb8f27d935011e646e462ee214d83c13820b9e73949a3301bb99f8db1a59692b1f431ca2c2284bbfd8614f1d4

C:\Windows\system\JzahhfW.exe

MD5 475f01fdac8328d4aa305e1b6b1ee269
SHA1 c36073afa06a32d03ff1da6cc879928cd22aedb3
SHA256 f0c845c2fba97fc3d009348d70f8fd4c581c2fb52620496aff0abf255a3b3459
SHA512 c1087ef157960ada6fdc80bfc0f11f623883b1e7c0dd90893e40b29f3ebfcfbdd1803d879294381f73c6e8fd72335da438ad73c9bf69f67559a6df9028f53dd5

C:\Windows\system\eroeGdX.exe

MD5 1ae6bb531f40a5a93bda5ddc4032d721
SHA1 6bbf1d7ad9dabb2ff83d5f63eed12fd21fe54a13
SHA256 9d1079bf2239d6950262788bd875c0064aa5956ccebed04523c26105c8286f24
SHA512 4713d6c444760a36122528d0c8563e9d066766a9203493800b33ce50d0512818490636e88abfbb9bdee58920a2ef2df0c875947523adb11dbd51642edf5647bf

C:\Windows\system\cPELJOm.exe

MD5 e5f28dfc080ce8fa225dcf57ff4b682f
SHA1 8c09b9bc2323b125daab41774c31d9e67422c69c
SHA256 f7576286e9509d0d920b97d68d07f06a69eed64788074438e8420997d4f3c9b6
SHA512 681246527fb24f0d359338dd000cb051bcfc862886011d2b98bf40b09bf8e81e02aa1b59d759904a8194ee30e7f645971b2c3b500d409b0df2bbf4d9cb455b8b

C:\Windows\system\wSJURPA.exe

MD5 676ff169429cc7eee96ceb144b689b8d
SHA1 9efaa7b7b757ed2d22cb1678bc00bf952e112fec
SHA256 f470596fdd30a2a55a7ed9ca4ee01a5c04d185bab900033ba1d2d1fa66bf6dee
SHA512 5c2172a9ca451aa0e817b958b8e668e0d9dc853bd9250f6b10dbcc54c6b5dcdd661c89d961cad6cbbf74df5fd492823225e46b4ee94f2890d967f1964d6f4d5b

C:\Windows\system\exhDQTx.exe

MD5 cb05cf88b8d14784763b970c28983b7c
SHA1 374133a337edd44883bf97e30bc57fc11ed7d18d
SHA256 cac6db0f3c070e21744e9d95ce59ebc1490c76e4da82827d6a9dffff3444b4e5
SHA512 12ce53a3b60912c5b7445ade2113f42f75ba7527b8c13102646f3605247e60d65dc0b6417135bcd75a3793ae792884841226fe46547b0836531d9789737b4db1

C:\Windows\system\biDaVYe.exe

MD5 aecb1343d3de3857e7c088ff2fbbd8a0
SHA1 890c325ae4c41344fab28ce6bcee32a5982cba61
SHA256 c1e437d569d12a8ef1c277ea894278bcda046efbcbb57b829799463fc6bb48a4
SHA512 d6b182abc861df213a323cbc27fc76c5625a4a6d2411576964f17690ba7f1b60c6a5c8c1ae8995dd409783e929882c0e69f27f43b72545952abf6128bb04e819

C:\Windows\system\WlLweSX.exe

MD5 483b49990dff74cfc382116be40a093e
SHA1 8236406e87009c9d0527f126b1984237c5439715
SHA256 ec8593258cbf5650f9038fd0ac8cfd3ccfd3057e5f0df5baef4b3b7c0f049f3d
SHA512 b9017a2618c5b963448ae559fe9e94aa4087d037423193feb0ec3ea3947883523b5a4c2cadedd90af418ae384bf888e0f38501d38897074996b4437d3f72f39c

C:\Windows\system\UXNlubQ.exe

MD5 825c35dc2e54af5497116c807710fc39
SHA1 5339da8c4ae611a0c8bb76d22fe15f1e09208c5c
SHA256 e8cf1b9358c28525ac1ca2e103e3c8977058b41303bdd9d5b5e36db0cfe89922
SHA512 6d200841c86e05a9eb6f0ab7cb95975450424b57398a27745ad0edfee3e40ed472cb53c7d67baac913eea80845320d53a1649bce9a9978e7a770524f2859bdaa

C:\Windows\system\fegQgSL.exe

MD5 bd102341ab5f1b01934a3b57badcb9b8
SHA1 18567166fa2c36daf427c27b52ce082bc36834a4
SHA256 366c2a4ae075c44390ab4dd0581422af2b9358c3b81eb241ed0ff07c57fce03f
SHA512 5c054e8776c8611947ff2506a68b0ccc854c6ded270b0fbdc3d52b737d919d55935b5e3bdc3a51bd760801537acc364f949b392c387c89e8d37fda06bd6af863

C:\Windows\system\HPrEamr.exe

MD5 7d5b9e99133e5b91e6e8ddc418904738
SHA1 a59c579c386a6ff2eb187998a4287716017182ca
SHA256 20c91a7449e1c523567276f5a2e825486e6d521feecb584d457f31e1c75ae964
SHA512 25b2b1c29cb1a3104d161c5e4f2c512a01bcf5662f6596bed351cda71ee51adca780ed1aca9eab39fadeb713ae8e1c8444e137e7a24b4ece2494f0eb4f07176a

C:\Windows\system\ygAAAVI.exe

MD5 5a799185050f7230f9bb4060d5099300
SHA1 06a9d1e2cdf3dbc91c5e0aef42e5eb2b3f2a3c8a
SHA256 e7fc1eaff0337fecc573373809d7f4c42fa0cf7e974933a094556b49180a0e1a
SHA512 3de049b4404223a473a94379b561881f55fb3017ace818597a2e2003c21854b7b798e242e74c6cd7162acda17ebe65cdb8cc201d68e21e27af2d37d49d005ab3

memory/2164-110-0x000000013F9B0000-0x000000013FD01000-memory.dmp

memory/1240-114-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

memory/1240-113-0x000000013FCC0000-0x0000000140011000-memory.dmp

memory/1684-112-0x000000013FFF0000-0x0000000140341000-memory.dmp

memory/1240-111-0x000000013FFF0000-0x0000000140341000-memory.dmp

memory/1240-109-0x000000013F9B0000-0x000000013FD01000-memory.dmp

memory/1160-108-0x000000013F9E0000-0x000000013FD31000-memory.dmp

memory/1240-107-0x000000013F9E0000-0x000000013FD31000-memory.dmp

memory/2420-106-0x000000013F270000-0x000000013F5C1000-memory.dmp

memory/2600-105-0x000000013F620000-0x000000013F971000-memory.dmp

memory/1240-104-0x000000013F620000-0x000000013F971000-memory.dmp

memory/888-103-0x000000013F640000-0x000000013F991000-memory.dmp

memory/1240-102-0x000000013F640000-0x000000013F991000-memory.dmp

memory/2744-101-0x000000013FD40000-0x0000000140091000-memory.dmp

memory/1240-100-0x000000013FD40000-0x0000000140091000-memory.dmp

memory/2604-99-0x000000013FDA0000-0x00000001400F1000-memory.dmp

memory/1240-98-0x000000013FDA0000-0x00000001400F1000-memory.dmp

memory/2844-97-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/1240-96-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/2696-95-0x000000013F550000-0x000000013F8A1000-memory.dmp

memory/2172-94-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

memory/1240-92-0x0000000002410000-0x0000000002761000-memory.dmp

memory/2020-91-0x000000013F650000-0x000000013F9A1000-memory.dmp

memory/1240-90-0x000000013F650000-0x000000013F9A1000-memory.dmp

memory/2876-89-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

memory/2852-88-0x000000013FCD0000-0x0000000140021000-memory.dmp

C:\Windows\system\qNivVtG.exe

MD5 12bbcce03353e3071aa93f4838241916
SHA1 ff9e5e5c173f5985c3214c9c674a3159e9eceec5
SHA256 eb9e83f12eb4309b58a318c51877faf202436400f329b270a0f9717f5aab5844
SHA512 4dd3a36a618e54d05f719543d946b9ab74fe72b7d8df39d02fc77e43b36341334d091da0e3bbb8bef376858c5933c24ed6958a227bd96b4c28795ec212f1694d

C:\Windows\system\grifmNx.exe

MD5 fad28099352f8040deb465e9975c3154
SHA1 03c838b7fa40b9d43739c3901605ed7aca0dd710
SHA256 8d56c66b5e355aeacbf6c1e467826722a130afbe535a0cd2501e73d31bf6219b
SHA512 baa5d40a3cfd1ec7e635ea896efbfee3d29ebb805a2a3ae321a64943f19675a03e8fb56f378019128d69d76674c9f914e83f046f87eed9e175f5aeacaa56d775

C:\Windows\system\YArcfJh.exe

MD5 7564318b7f346f3affb4060cce664bbe
SHA1 18958334231c5dd4f198bfca9fd37773c71cd8b5
SHA256 2182a855ed92446ce53ed242392ca92c6083577e78700e9d6b842fd8aeee53af
SHA512 a1e48eed57edebd80de7ddf32eae9691e4673f5d729988d37a082e9fb33a2e6122d97903acbab2fa1af73a938b0a985d81364678a0bbff74223b8a9d943d5eb7

C:\Windows\system\QKtcyYg.exe

MD5 3d9c75ae44aa52251c6d21bda49f453b
SHA1 228fe30c193a62361b2621a0701655772bd055f2
SHA256 c645ae438b3573180a80321fa29e5c74577d4f563f9de38c8735cb7f24b072a9
SHA512 43b9c84f659756059936fb73138b3d74d6b987adffdf209338a0d9ce83cb4e29da589756bb432c817d9dafbf371ede87060acc7e8aa53a7d136eb75d20c4157a

C:\Windows\system\KSDyqZp.exe

MD5 a4dba1adabeb197d46ff27c2fbfd44b8
SHA1 91592e678f7d04156be59d8fb6aca22fdb9fb932
SHA256 5d511d97dcdd28d2fcda23940f752ee6c237740e7ea952831f5ab4c1d5702c19
SHA512 c73f0ae815a70e72804fd74524b205ee99add95bb675d2bff686def96e98fcfec776b331f6b20ee27a6bd91b44fe34260cb5a3f520db2f88cba4740b26dae242

C:\Windows\system\PBBfqnp.exe

MD5 51d318a1e6360cb524ba0afca8111be4
SHA1 3c03c9279e8f145a4bc75f697e3658d502ab4597
SHA256 844bd8870dcaf99f66a7b9b1426842e1eb9209674f47857ff34ad6c4f4b6a6f0
SHA512 1c97d2580a2f14ba969a1ad4aa5555947f0bbe2bd49c4e6542e6752574252bcc72f3ba338e0f95167b03bbd42c08b18a6b2c0bffec015fa97aabb10c3a0b4df7

memory/1240-133-0x000000013F280000-0x000000013F5D1000-memory.dmp

memory/1240-134-0x000000013F280000-0x000000013F5D1000-memory.dmp

memory/1240-135-0x000000013FCD0000-0x0000000140021000-memory.dmp

memory/2876-137-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

memory/2020-138-0x000000013F650000-0x000000013F9A1000-memory.dmp

memory/1672-156-0x000000013F650000-0x000000013F9A1000-memory.dmp

memory/1632-155-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

memory/2184-154-0x000000013F100000-0x000000013F451000-memory.dmp

memory/2228-153-0x000000013FE30000-0x0000000140181000-memory.dmp

memory/2560-152-0x000000013FBF0000-0x000000013FF41000-memory.dmp

memory/1520-151-0x000000013FBE0000-0x000000013FF31000-memory.dmp

memory/2400-150-0x000000013FCC0000-0x0000000140011000-memory.dmp

memory/1684-149-0x000000013FFF0000-0x0000000140341000-memory.dmp

memory/2164-148-0x000000013F9B0000-0x000000013FD01000-memory.dmp

memory/1160-147-0x000000013F9E0000-0x000000013FD31000-memory.dmp

memory/2420-146-0x000000013F270000-0x000000013F5C1000-memory.dmp

memory/2600-145-0x000000013F620000-0x000000013F971000-memory.dmp

memory/888-144-0x000000013F640000-0x000000013F991000-memory.dmp

memory/2744-143-0x000000013FD40000-0x0000000140091000-memory.dmp

memory/2604-142-0x000000013FDA0000-0x00000001400F1000-memory.dmp

memory/2844-141-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/2696-140-0x000000013F550000-0x000000013F8A1000-memory.dmp

memory/1240-157-0x000000013F280000-0x000000013F5D1000-memory.dmp

memory/2852-224-0x000000013FCD0000-0x0000000140021000-memory.dmp

memory/2172-226-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

memory/2876-228-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

memory/2844-233-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/2696-232-0x000000013F550000-0x000000013F8A1000-memory.dmp

memory/1160-240-0x000000013F9E0000-0x000000013FD31000-memory.dmp

memory/1684-243-0x000000013FFF0000-0x0000000140341000-memory.dmp

memory/2164-254-0x000000013F9B0000-0x000000013FD01000-memory.dmp

memory/2420-252-0x000000013F270000-0x000000013F5C1000-memory.dmp

memory/2600-238-0x000000013F620000-0x000000013F971000-memory.dmp

memory/888-249-0x000000013F640000-0x000000013F991000-memory.dmp

memory/2744-236-0x000000013FD40000-0x0000000140091000-memory.dmp

memory/2020-235-0x000000013F650000-0x000000013F9A1000-memory.dmp

memory/2604-248-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 11:29

Reported

2024-08-15 11:31

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\qNivVtG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UXNlubQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AneVIkp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wSJURPA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YArcfJh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WlLweSX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\exhDQTx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KSDyqZp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HPrEamr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PBBfqnp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\grifmNx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fegQgSL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eroeGdX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cPELJOm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\biDaVYe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QKtcyYg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OTbTBIy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wLtExFK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zJnWWGR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JzahhfW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ygAAAVI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4512 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OTbTBIy.exe
PID 4512 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OTbTBIy.exe
PID 4512 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AneVIkp.exe
PID 4512 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AneVIkp.exe
PID 4512 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wLtExFK.exe
PID 4512 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wLtExFK.exe
PID 4512 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zJnWWGR.exe
PID 4512 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zJnWWGR.exe
PID 4512 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JzahhfW.exe
PID 4512 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JzahhfW.exe
PID 4512 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PBBfqnp.exe
PID 4512 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PBBfqnp.exe
PID 4512 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eroeGdX.exe
PID 4512 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eroeGdX.exe
PID 4512 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cPELJOm.exe
PID 4512 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cPELJOm.exe
PID 4512 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wSJURPA.exe
PID 4512 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wSJURPA.exe
PID 4512 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\exhDQTx.exe
PID 4512 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\exhDQTx.exe
PID 4512 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KSDyqZp.exe
PID 4512 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KSDyqZp.exe
PID 4512 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\biDaVYe.exe
PID 4512 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\biDaVYe.exe
PID 4512 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QKtcyYg.exe
PID 4512 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QKtcyYg.exe
PID 4512 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YArcfJh.exe
PID 4512 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YArcfJh.exe
PID 4512 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WlLweSX.exe
PID 4512 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WlLweSX.exe
PID 4512 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\grifmNx.exe
PID 4512 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\grifmNx.exe
PID 4512 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qNivVtG.exe
PID 4512 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qNivVtG.exe
PID 4512 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UXNlubQ.exe
PID 4512 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UXNlubQ.exe
PID 4512 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ygAAAVI.exe
PID 4512 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ygAAAVI.exe
PID 4512 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HPrEamr.exe
PID 4512 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HPrEamr.exe
PID 4512 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fegQgSL.exe
PID 4512 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fegQgSL.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\OTbTBIy.exe

C:\Windows\System\OTbTBIy.exe

C:\Windows\System\AneVIkp.exe

C:\Windows\System\AneVIkp.exe

C:\Windows\System\wLtExFK.exe

C:\Windows\System\wLtExFK.exe

C:\Windows\System\zJnWWGR.exe

C:\Windows\System\zJnWWGR.exe

C:\Windows\System\JzahhfW.exe

C:\Windows\System\JzahhfW.exe

C:\Windows\System\PBBfqnp.exe

C:\Windows\System\PBBfqnp.exe

C:\Windows\System\eroeGdX.exe

C:\Windows\System\eroeGdX.exe

C:\Windows\System\cPELJOm.exe

C:\Windows\System\cPELJOm.exe

C:\Windows\System\wSJURPA.exe

C:\Windows\System\wSJURPA.exe

C:\Windows\System\exhDQTx.exe

C:\Windows\System\exhDQTx.exe

C:\Windows\System\KSDyqZp.exe

C:\Windows\System\KSDyqZp.exe

C:\Windows\System\biDaVYe.exe

C:\Windows\System\biDaVYe.exe

C:\Windows\System\QKtcyYg.exe

C:\Windows\System\QKtcyYg.exe

C:\Windows\System\YArcfJh.exe

C:\Windows\System\YArcfJh.exe

C:\Windows\System\WlLweSX.exe

C:\Windows\System\WlLweSX.exe

C:\Windows\System\grifmNx.exe

C:\Windows\System\grifmNx.exe

C:\Windows\System\qNivVtG.exe

C:\Windows\System\qNivVtG.exe

C:\Windows\System\UXNlubQ.exe

C:\Windows\System\UXNlubQ.exe

C:\Windows\System\ygAAAVI.exe

C:\Windows\System\ygAAAVI.exe

C:\Windows\System\HPrEamr.exe

C:\Windows\System\HPrEamr.exe

C:\Windows\System\fegQgSL.exe

C:\Windows\System\fegQgSL.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/4512-0-0x00007FF6C82C0000-0x00007FF6C8611000-memory.dmp

memory/4512-1-0x000002D785C00000-0x000002D785C10000-memory.dmp

C:\Windows\System\OTbTBIy.exe

MD5 69a07a11ce7a919cb85324bd4082ba6e
SHA1 6189db492f48f0886511a10d13ee83be47a3790a
SHA256 bfb9eb1cc33adfcc7d07fd3cecd1e723dbd8ebcd4859f90d427517a2fcf9bebf
SHA512 d12487f25a77c4ceae0a8eacdfac35fada048884041c7ace79cda7570e9dfc733feba6f7c65c2f480df51f5f0863263d263e0bd34acd0b20f0af70193c485a05

C:\Windows\System\AneVIkp.exe

MD5 e90417be32cd711df563188503c6905a
SHA1 018f3bb24deefb352c98456d2acf173da23d3cbe
SHA256 5a460bfa45866c8fb0442cbacb7455c1dba760d47420b2545d90df6110c9969c
SHA512 980d9b21db80b05d1905ba312c4eb66f74d9ce5c3bd56356f2588638b7c584d558d67a659d28e61da320f064ff871cd2e47d15ab35b6a6331768062b6f15ac90

C:\Windows\System\JzahhfW.exe

MD5 475f01fdac8328d4aa305e1b6b1ee269
SHA1 c36073afa06a32d03ff1da6cc879928cd22aedb3
SHA256 f0c845c2fba97fc3d009348d70f8fd4c581c2fb52620496aff0abf255a3b3459
SHA512 c1087ef157960ada6fdc80bfc0f11f623883b1e7c0dd90893e40b29f3ebfcfbdd1803d879294381f73c6e8fd72335da438ad73c9bf69f67559a6df9028f53dd5

C:\Windows\System\wLtExFK.exe

MD5 75c39046dbf7a27c5b6536c1a0b44485
SHA1 f888ce953fbbe919b8281239c577ce4c6bd43f52
SHA256 58bff3039ac6f10ac46e703196ff9f958c1eb5e87d625a35f3ab6ddeab6fbc3c
SHA512 17329427ba17971e11350d487d660526cb63af4605db1179635b62c084562bb2ed44b43fbf9a833658f6e08369f4cd4893c38ca7cd00c7fcfdeb5496b2dfe17e

C:\Windows\System\exhDQTx.exe

MD5 cb05cf88b8d14784763b970c28983b7c
SHA1 374133a337edd44883bf97e30bc57fc11ed7d18d
SHA256 cac6db0f3c070e21744e9d95ce59ebc1490c76e4da82827d6a9dffff3444b4e5
SHA512 12ce53a3b60912c5b7445ade2113f42f75ba7527b8c13102646f3605247e60d65dc0b6417135bcd75a3793ae792884841226fe46547b0836531d9789737b4db1

C:\Windows\System\KSDyqZp.exe

MD5 a4dba1adabeb197d46ff27c2fbfd44b8
SHA1 91592e678f7d04156be59d8fb6aca22fdb9fb932
SHA256 5d511d97dcdd28d2fcda23940f752ee6c237740e7ea952831f5ab4c1d5702c19
SHA512 c73f0ae815a70e72804fd74524b205ee99add95bb675d2bff686def96e98fcfec776b331f6b20ee27a6bd91b44fe34260cb5a3f520db2f88cba4740b26dae242

memory/4064-75-0x00007FF76B550000-0x00007FF76B8A1000-memory.dmp

C:\Windows\System\YArcfJh.exe

MD5 7564318b7f346f3affb4060cce664bbe
SHA1 18958334231c5dd4f198bfca9fd37773c71cd8b5
SHA256 2182a855ed92446ce53ed242392ca92c6083577e78700e9d6b842fd8aeee53af
SHA512 a1e48eed57edebd80de7ddf32eae9691e4673f5d729988d37a082e9fb33a2e6122d97903acbab2fa1af73a938b0a985d81364678a0bbff74223b8a9d943d5eb7

C:\Windows\System\WlLweSX.exe

MD5 483b49990dff74cfc382116be40a093e
SHA1 8236406e87009c9d0527f126b1984237c5439715
SHA256 ec8593258cbf5650f9038fd0ac8cfd3ccfd3057e5f0df5baef4b3b7c0f049f3d
SHA512 b9017a2618c5b963448ae559fe9e94aa4087d037423193feb0ec3ea3947883523b5a4c2cadedd90af418ae384bf888e0f38501d38897074996b4437d3f72f39c

C:\Windows\System\ygAAAVI.exe

MD5 5a799185050f7230f9bb4060d5099300
SHA1 06a9d1e2cdf3dbc91c5e0aef42e5eb2b3f2a3c8a
SHA256 e7fc1eaff0337fecc573373809d7f4c42fa0cf7e974933a094556b49180a0e1a
SHA512 3de049b4404223a473a94379b561881f55fb3017ace818597a2e2003c21854b7b798e242e74c6cd7162acda17ebe65cdb8cc201d68e21e27af2d37d49d005ab3

C:\Windows\System\fegQgSL.exe

MD5 bd102341ab5f1b01934a3b57badcb9b8
SHA1 18567166fa2c36daf427c27b52ce082bc36834a4
SHA256 366c2a4ae075c44390ab4dd0581422af2b9358c3b81eb241ed0ff07c57fce03f
SHA512 5c054e8776c8611947ff2506a68b0ccc854c6ded270b0fbdc3d52b737d919d55935b5e3bdc3a51bd760801537acc364f949b392c387c89e8d37fda06bd6af863

memory/2468-125-0x00007FF795140000-0x00007FF795491000-memory.dmp

C:\Windows\System\HPrEamr.exe

MD5 7d5b9e99133e5b91e6e8ddc418904738
SHA1 a59c579c386a6ff2eb187998a4287716017182ca
SHA256 20c91a7449e1c523567276f5a2e825486e6d521feecb584d457f31e1c75ae964
SHA512 25b2b1c29cb1a3104d161c5e4f2c512a01bcf5662f6596bed351cda71ee51adca780ed1aca9eab39fadeb713ae8e1c8444e137e7a24b4ece2494f0eb4f07176a

C:\Windows\System\UXNlubQ.exe

MD5 825c35dc2e54af5497116c807710fc39
SHA1 5339da8c4ae611a0c8bb76d22fe15f1e09208c5c
SHA256 e8cf1b9358c28525ac1ca2e103e3c8977058b41303bdd9d5b5e36db0cfe89922
SHA512 6d200841c86e05a9eb6f0ab7cb95975450424b57398a27745ad0edfee3e40ed472cb53c7d67baac913eea80845320d53a1649bce9a9978e7a770524f2859bdaa

memory/1396-118-0x00007FF7C37D0000-0x00007FF7C3B21000-memory.dmp

memory/816-117-0x00007FF72D300000-0x00007FF72D651000-memory.dmp

memory/4008-115-0x00007FF676FD0000-0x00007FF677321000-memory.dmp

memory/880-104-0x00007FF62F8D0000-0x00007FF62FC21000-memory.dmp

C:\Windows\System\qNivVtG.exe

MD5 12bbcce03353e3071aa93f4838241916
SHA1 ff9e5e5c173f5985c3214c9c674a3159e9eceec5
SHA256 eb9e83f12eb4309b58a318c51877faf202436400f329b270a0f9717f5aab5844
SHA512 4dd3a36a618e54d05f719543d946b9ab74fe72b7d8df39d02fc77e43b36341334d091da0e3bbb8bef376858c5933c24ed6958a227bd96b4c28795ec212f1694d

C:\Windows\System\grifmNx.exe

MD5 fad28099352f8040deb465e9975c3154
SHA1 03c838b7fa40b9d43739c3901605ed7aca0dd710
SHA256 8d56c66b5e355aeacbf6c1e467826722a130afbe535a0cd2501e73d31bf6219b
SHA512 baa5d40a3cfd1ec7e635ea896efbfee3d29ebb805a2a3ae321a64943f19675a03e8fb56f378019128d69d76674c9f914e83f046f87eed9e175f5aeacaa56d775

memory/2656-99-0x00007FF762980000-0x00007FF762CD1000-memory.dmp

memory/5012-98-0x00007FF74D2D0000-0x00007FF74D621000-memory.dmp

memory/3064-93-0x00007FF7ACFA0000-0x00007FF7AD2F1000-memory.dmp

memory/892-92-0x00007FF648590000-0x00007FF6488E1000-memory.dmp

C:\Windows\System\QKtcyYg.exe

MD5 3d9c75ae44aa52251c6d21bda49f453b
SHA1 228fe30c193a62361b2621a0701655772bd055f2
SHA256 c645ae438b3573180a80321fa29e5c74577d4f563f9de38c8735cb7f24b072a9
SHA512 43b9c84f659756059936fb73138b3d74d6b987adffdf209338a0d9ce83cb4e29da589756bb432c817d9dafbf371ede87060acc7e8aa53a7d136eb75d20c4157a

memory/2724-83-0x00007FF6545F0000-0x00007FF654941000-memory.dmp

memory/2692-82-0x00007FF7534F0000-0x00007FF753841000-memory.dmp

C:\Windows\System\biDaVYe.exe

MD5 aecb1343d3de3857e7c088ff2fbbd8a0
SHA1 890c325ae4c41344fab28ce6bcee32a5982cba61
SHA256 c1e437d569d12a8ef1c277ea894278bcda046efbcbb57b829799463fc6bb48a4
SHA512 d6b182abc861df213a323cbc27fc76c5625a4a6d2411576964f17690ba7f1b60c6a5c8c1ae8995dd409783e929882c0e69f27f43b72545952abf6128bb04e819

C:\Windows\System\wSJURPA.exe

MD5 676ff169429cc7eee96ceb144b689b8d
SHA1 9efaa7b7b757ed2d22cb1678bc00bf952e112fec
SHA256 f470596fdd30a2a55a7ed9ca4ee01a5c04d185bab900033ba1d2d1fa66bf6dee
SHA512 5c2172a9ca451aa0e817b958b8e668e0d9dc853bd9250f6b10dbcc54c6b5dcdd661c89d961cad6cbbf74df5fd492823225e46b4ee94f2890d967f1964d6f4d5b

memory/2324-66-0x00007FF6C07D0000-0x00007FF6C0B21000-memory.dmp

memory/3328-65-0x00007FF65E550000-0x00007FF65E8A1000-memory.dmp

memory/2596-61-0x00007FF7AAE40000-0x00007FF7AB191000-memory.dmp

memory/1392-60-0x00007FF7BD2D0000-0x00007FF7BD621000-memory.dmp

C:\Windows\System\eroeGdX.exe

MD5 1ae6bb531f40a5a93bda5ddc4032d721
SHA1 6bbf1d7ad9dabb2ff83d5f63eed12fd21fe54a13
SHA256 9d1079bf2239d6950262788bd875c0064aa5956ccebed04523c26105c8286f24
SHA512 4713d6c444760a36122528d0c8563e9d066766a9203493800b33ce50d0512818490636e88abfbb9bdee58920a2ef2df0c875947523adb11dbd51642edf5647bf

C:\Windows\System\PBBfqnp.exe

MD5 51d318a1e6360cb524ba0afca8111be4
SHA1 3c03c9279e8f145a4bc75f697e3658d502ab4597
SHA256 844bd8870dcaf99f66a7b9b1426842e1eb9209674f47857ff34ad6c4f4b6a6f0
SHA512 1c97d2580a2f14ba969a1ad4aa5555947f0bbe2bd49c4e6542e6752574252bcc72f3ba338e0f95167b03bbd42c08b18a6b2c0bffec015fa97aabb10c3a0b4df7

C:\Windows\System\cPELJOm.exe

MD5 e5f28dfc080ce8fa225dcf57ff4b682f
SHA1 8c09b9bc2323b125daab41774c31d9e67422c69c
SHA256 f7576286e9509d0d920b97d68d07f06a69eed64788074438e8420997d4f3c9b6
SHA512 681246527fb24f0d359338dd000cb051bcfc862886011d2b98bf40b09bf8e81e02aa1b59d759904a8194ee30e7f645971b2c3b500d409b0df2bbf4d9cb455b8b

memory/4648-45-0x00007FF730C20000-0x00007FF730F71000-memory.dmp

memory/1296-41-0x00007FF6E6E60000-0x00007FF6E71B1000-memory.dmp

C:\Windows\System\zJnWWGR.exe

MD5 87c88b1cad3cb6e1c191b6a0a641e771
SHA1 5558c13209f73d88480a1acb88154d9fd49bc337
SHA256 0b70c167ad0819a3354501670e061925b474975e044204631455beea4d1729e9
SHA512 4ca5fb69da362bae5b8d9f91d0d3ef7fae29ad6bb8f27d935011e646e462ee214d83c13820b9e73949a3301bb99f8db1a59692b1f431ca2c2284bbfd8614f1d4

memory/3144-30-0x00007FF7E4F60000-0x00007FF7E52B1000-memory.dmp

memory/4596-16-0x00007FF6B0960000-0x00007FF6B0CB1000-memory.dmp

memory/3040-6-0x00007FF6CCB80000-0x00007FF6CCED1000-memory.dmp

memory/4596-130-0x00007FF6B0960000-0x00007FF6B0CB1000-memory.dmp

memory/1296-131-0x00007FF6E6E60000-0x00007FF6E71B1000-memory.dmp

memory/3040-129-0x00007FF6CCB80000-0x00007FF6CCED1000-memory.dmp

memory/4512-128-0x00007FF6C82C0000-0x00007FF6C8611000-memory.dmp

memory/3328-137-0x00007FF65E550000-0x00007FF65E8A1000-memory.dmp

memory/2324-139-0x00007FF6C07D0000-0x00007FF6C0B21000-memory.dmp

memory/2656-145-0x00007FF762980000-0x00007FF762CD1000-memory.dmp

memory/4008-146-0x00007FF676FD0000-0x00007FF677321000-memory.dmp

memory/892-143-0x00007FF648590000-0x00007FF6488E1000-memory.dmp

memory/1392-136-0x00007FF7BD2D0000-0x00007FF7BD621000-memory.dmp

memory/880-144-0x00007FF62F8D0000-0x00007FF62FC21000-memory.dmp

memory/3144-132-0x00007FF7E4F60000-0x00007FF7E52B1000-memory.dmp

memory/4648-133-0x00007FF730C20000-0x00007FF730F71000-memory.dmp

memory/1396-148-0x00007FF7C37D0000-0x00007FF7C3B21000-memory.dmp

memory/2468-149-0x00007FF795140000-0x00007FF795491000-memory.dmp

memory/816-147-0x00007FF72D300000-0x00007FF72D651000-memory.dmp

memory/4512-150-0x00007FF6C82C0000-0x00007FF6C8611000-memory.dmp

memory/4596-209-0x00007FF6B0960000-0x00007FF6B0CB1000-memory.dmp

memory/3040-211-0x00007FF6CCB80000-0x00007FF6CCED1000-memory.dmp

memory/3144-213-0x00007FF7E4F60000-0x00007FF7E52B1000-memory.dmp

memory/1296-215-0x00007FF6E6E60000-0x00007FF6E71B1000-memory.dmp

memory/1392-218-0x00007FF7BD2D0000-0x00007FF7BD621000-memory.dmp

memory/2596-219-0x00007FF7AAE40000-0x00007FF7AB191000-memory.dmp

memory/4064-221-0x00007FF76B550000-0x00007FF76B8A1000-memory.dmp

memory/2692-223-0x00007FF7534F0000-0x00007FF753841000-memory.dmp

memory/4648-233-0x00007FF730C20000-0x00007FF730F71000-memory.dmp

memory/892-238-0x00007FF648590000-0x00007FF6488E1000-memory.dmp

memory/2724-244-0x00007FF6545F0000-0x00007FF654941000-memory.dmp

memory/2324-245-0x00007FF6C07D0000-0x00007FF6C0B21000-memory.dmp

memory/3328-241-0x00007FF65E550000-0x00007FF65E8A1000-memory.dmp

memory/5012-240-0x00007FF74D2D0000-0x00007FF74D621000-memory.dmp

memory/3064-236-0x00007FF7ACFA0000-0x00007FF7AD2F1000-memory.dmp

memory/880-256-0x00007FF62F8D0000-0x00007FF62FC21000-memory.dmp

memory/2656-254-0x00007FF762980000-0x00007FF762CD1000-memory.dmp

memory/4008-257-0x00007FF676FD0000-0x00007FF677321000-memory.dmp

memory/2468-250-0x00007FF795140000-0x00007FF795491000-memory.dmp

memory/1396-252-0x00007FF7C37D0000-0x00007FF7C3B21000-memory.dmp

memory/816-249-0x00007FF72D300000-0x00007FF72D651000-memory.dmp