Malware Analysis Report

2024-10-24 18:11

Sample ID 240630-ggvm5axfjp
Target 2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat
SHA256 7f87dcb6f51d354e36fa504751a4183cfd0343e14584ccf48e3b920203452275
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7f87dcb6f51d354e36fa504751a4183cfd0343e14584ccf48e3b920203452275

Threat Level: Known bad

The file 2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike family

xmrig

Cobaltstrike

Cobalt Strike reflective loader

XMRig Miner payload

Xmrig family

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-30 05:47

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-30 05:47

Reported

2024-06-30 05:49

Platform

win7-20240508-en

Max time kernel

140s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\lGpEQsM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TIHvecm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YkiHnpQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bMfzcCC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wqwTTlg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DKiJEPZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SeUkslf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QzIURfO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VULROnn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zmoCGfM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tSLqIrp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jLFpJtj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ceHLElA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yqoKxLf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Tivnwbf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pErQpRW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EZpNsZP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qLCvGgY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rnmGPKJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hZiNmDZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\okNtyzV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1956 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DKiJEPZ.exe
PID 1956 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SeUkslf.exe
PID 1956 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zmoCGfM.exe
PID 1956 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EZpNsZP.exe
PID 1956 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lGpEQsM.exe
PID 1956 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tSLqIrp.exe
PID 1956 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jLFpJtj.exe
PID 1956 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QzIURfO.exe
PID 1956 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qLCvGgY.exe
PID 1956 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TIHvecm.exe
PID 1956 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rnmGPKJ.exe
PID 1956 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YkiHnpQ.exe
PID 1956 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bMfzcCC.exe
PID 1956 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ceHLElA.exe
PID 1956 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VULROnn.exe
PID 1956 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wqwTTlg.exe
PID 1956 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hZiNmDZ.exe
PID 1956 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yqoKxLf.exe
PID 1956 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\okNtyzV.exe
PID 1956 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Tivnwbf.exe
PID 1956 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pErQpRW.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\DKiJEPZ.exe

C:\Windows\System\SeUkslf.exe

C:\Windows\System\zmoCGfM.exe

C:\Windows\System\EZpNsZP.exe

C:\Windows\System\lGpEQsM.exe

C:\Windows\System\tSLqIrp.exe

C:\Windows\System\jLFpJtj.exe

C:\Windows\System\QzIURfO.exe

C:\Windows\System\qLCvGgY.exe

C:\Windows\System\TIHvecm.exe

C:\Windows\System\rnmGPKJ.exe

C:\Windows\System\YkiHnpQ.exe

C:\Windows\System\bMfzcCC.exe

C:\Windows\System\ceHLElA.exe

C:\Windows\System\VULROnn.exe

C:\Windows\System\wqwTTlg.exe

C:\Windows\System\hZiNmDZ.exe

C:\Windows\System\yqoKxLf.exe

C:\Windows\System\okNtyzV.exe

C:\Windows\System\Tivnwbf.exe

C:\Windows\System\pErQpRW.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/1956-0-0x0000000000080000-0x0000000000090000-memory.dmp

memory/1956-1-0x000000013FAE0000-0x000000013FE34000-memory.dmp

\Windows\system\DKiJEPZ.exe

MD5 3fcc0f73c57d800540c3a1ed9a2e88e7
SHA1 e3b24b9ac3b50e52646ba1b662551bc941fceef5
SHA256 8b0aa8db42ed2c815321c534df513b33eeb97cc3cfbd4002250a24052f2376db
SHA512 e8d9f4ea6efb00216d0bfa2c45deea8d04c820b753f9cd4cc99bbc2c700a4e9019754cbabd6ee18a7b1e3d8ad2767aa097d546b4df7075e86cd28a5ec8e1c6b2

\Windows\system\zmoCGfM.exe

MD5 fd798ca64dc57d6bbe7a53f4bf3e7f6f
SHA1 857ff95ee24aaf11c9bfe54201ba34f142675284
SHA256 3630de0a92c7444f3d689c66a7b180d0b38db1a31828457ecd4eb471fbbc52a9
SHA512 91c657471fe0fdc81b45ad6cc554b95f768deefd7202f71bcc1c8912becd40e3fee0924ba6bfadc6f1b6c5e017a121bdd760c08d9d291e536bd3832c1ddefc0b

C:\Windows\system\SeUkslf.exe

MD5 6a81a9b1b6fbca8f507bc25685c05578
SHA1 0c9d81b3f5cbebdd06be05fd0c81638216ab3e0e
SHA256 cdf2a482e06328b6f3e04c7e66aee5cf9077d1ba64353b26fb1350ddbe72705f
SHA512 846439089dc5efa652b45e42d53266e06bcfb59ea71f87a6053c40f2dcdc5af4d0eb8048a4fda9470afabbacc5aa50b96ac5751e0653d8e1f2b855ef61acc03d

memory/2140-17-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/2640-23-0x000000013F7F0000-0x000000013FB44000-memory.dmp

memory/1956-21-0x0000000002430000-0x0000000002784000-memory.dmp

memory/2160-19-0x000000013FE60000-0x00000001401B4000-memory.dmp

memory/1956-18-0x000000013FE60000-0x00000001401B4000-memory.dmp

memory/1956-6-0x0000000002430000-0x0000000002784000-memory.dmp

\Windows\system\EZpNsZP.exe

MD5 389c8e6d4add397df4acfb501d9250ce
SHA1 c0ec71ec3324a33e4994f6af5242a324df9a429e
SHA256 e8d890c20b15f2f87a23890b9623275d9a8e671ded559ce087421fd549608eda
SHA512 dba35f0782dc17716f30c750acddc0a518e29035585347da2f7a968f39715638c949e352b982b902f20141ebaf8e87668e258d001ef17a35a4075849bdde2d47

memory/2664-29-0x000000013F930000-0x000000013FC84000-memory.dmp

\Windows\system\lGpEQsM.exe

MD5 47a4093ff9dc29c2494ecaf3b54b82e0
SHA1 610825bbb07d1f084eecbf668c87efbe8fb7205c
SHA256 44ea8186fbc6acc915fadee10d4d98ef276a1dc2c3c88eae58419d5bab4b9185
SHA512 8d9cdb9d42962d22bf6f372d664439840cbfd8dcc878ca11300845eaef9fe9b55527d8f6e9396fca8f2b960bb0eb60cd59b88586742a9c1461d230a5ce1dc649

memory/1692-35-0x000000013F3C0000-0x000000013F714000-memory.dmp

\Windows\system\tSLqIrp.exe

MD5 615af330ff5ec1b65fe706dd4acea65e
SHA1 84742128debe0bc72084f95ef26d607085a07beb
SHA256 5ec495f66f10ffdf6287acd9193c3000f3541ef0d7090dfae3a492002b33409c
SHA512 7908a2de12857e20e1231f50bbc64a41d97a8780e0bf2312f194449f9411f0782d9ba22dac3d9ecaa08417b7c83603fc5a912005e23742432f93a5b281f568b3

memory/2792-43-0x000000013F310000-0x000000013F664000-memory.dmp

C:\Windows\system\QzIURfO.exe

MD5 f19ed57d2cebbfa4decd75c4f5678df7
SHA1 f120fe6e0bd5fda02a29a5e95d46ea7c2e04ea1e
SHA256 0f91e6685253bdac2b51032e80c090324d826adb0ad82f01143fd127ee36129c
SHA512 bec46d567386c6fef4a7e10c4d0ccaeeccb2e4407d0b458816ea468f72539780f84f816f8a911bdcbe4eca59e2c7f327795f9a76f7c85b06513ba60a65906bc1

\Windows\system\ceHLElA.exe

MD5 87d248df6cf95a11d0bfb437b64dce20
SHA1 b57a6ab7f7fe0a5a26d51ef723e0743df5e51cc1
SHA256 eb021ce7b33b52b5479491333f2090f5e42452acd2129de291c8f621a9bbe6bb
SHA512 f6d98fb5b1e94da262afbe5f13f565d9ddd293c54152573948458bebae115744224e538c4de5479699832d768f033cef415e549b8d1d727aba693589711ac56e

memory/1956-89-0x0000000002430000-0x0000000002784000-memory.dmp

\Windows\system\Tivnwbf.exe

MD5 81db55f1fd72cf64f918c2d9329f1323
SHA1 e3b94904ca19cd7394d371909d9b164999492417
SHA256 5ecff1996d38ee8e592dc1090d1039fcba2c501097fcbb216397bb3bd248d159
SHA512 61b07a65829b1f47cff4434b3824f32db5535ef324b03673f7418cc3e8a6bd89543d36087be20d3a24de624ff3109cec480dd48ce9061315038e17471175766b

memory/1956-115-0x0000000002430000-0x0000000002784000-memory.dmp

C:\Windows\system\bMfzcCC.exe

MD5 cf85f04119122963d26a831c5d8b2d65
SHA1 88c8581394632ec9b67cc887d7f5713506bc15ed
SHA256 037e4ebc1d548c09e866e8df965d711319bbc09c25f22f95fae0d1a7639a1be5
SHA512 26f29db6a37cd6569b1c2fcad32ce4c6089c5bcacf1dc432dbd54fabf66814a4e08e8c2a046343293b1f35a935ab8672c06050aaac009f19fae778830bf8b2cd

C:\Windows\system\hZiNmDZ.exe

MD5 57860a71703203ff62422c4d26157dad
SHA1 a5a6e5e5a4348a026f7072057ed806bdc67d822f
SHA256 56e2cfd008133228d64bb5a9e587f52deaae1189509ff5e3b0283fa3a6232264
SHA512 81f6631069b595ba88bdc159508f8c57721af7ed8f6ce2dfd0ef3f3b0920913785bfc0a726336a6b36db2c208cafcbe83f406a9b03306eebd6878d43087f60ad

C:\Windows\system\pErQpRW.exe

MD5 107d72b1e49fbe2e4c2fbd4dfaf9bb85
SHA1 b0989f6122fc533f371fbbd0bf28e92d5313d611
SHA256 1e694b8beca079c9335421e24e6e93881652d69679fec242c5e29b36034196c3
SHA512 b407b1b69958f04894ceacc3e77e1f5eaac4acea12d0646576f516e03a4c0764251bca32384669dbe2e75f06811d74b37bdfec7eb8791053a1d2c5248bcb7912

memory/1956-106-0x000000013F460000-0x000000013F7B4000-memory.dmp

\Windows\system\okNtyzV.exe

MD5 db9eb8fbf595864b00b0e4fee5988cd3
SHA1 659c240bc4f992bc92b6437b18516e28b6f67669
SHA256 abd519ba004d2d84554ad6c99d42751bf18fc8f5c23840027de7498d4ab1c2e6
SHA512 e39c5bbb3947615338531635954100685671dfa9dba7cde82edea52fb7c4e1e5f4064a4827c5e4a6ce819046a8defefc299ef08620f4d72a3e01927a440a21ac

memory/1956-95-0x000000013FED0000-0x0000000140224000-memory.dmp

memory/2524-94-0x000000013F040000-0x000000013F394000-memory.dmp

C:\Windows\system\wqwTTlg.exe

MD5 e135a6fbae413d0713e52a96449130a9
SHA1 d1bd2a1109d8547e9efb25f85bd34c6dd135c0c6
SHA256 27c0b94426c6cd61387919c7ffb9cd620450f2020f7cb69139793cf739ed55a3
SHA512 a56673f921c0a6e2ff41ebf3a5096c0fe2ef61c54be06fdb96795e6d01ce977984e026f6aba0f20ca70ca3bb2619338a212f2a3e07df8acb3d18dc0c9546a5e5

\Windows\system\VULROnn.exe

MD5 a868c95d50102abf094f1f009003c709
SHA1 b8610ed2f5589aa40904d02f7ee94ac76a9ede08
SHA256 c5e7eabb01aabd0cacb0e4de93d5896ea934fea0baa8715ccc03d7314cfe21d7
SHA512 73db015ce3ea3c399dcb50a48816e2e77e9fe47d49b1e4b4f2968808c10650ca3dafd2faf3406d86bc91330858aaa2ac45a89dd96f9e55986a8707d445fc7692

memory/1956-76-0x000000013F410000-0x000000013F764000-memory.dmp

C:\Windows\system\rnmGPKJ.exe

MD5 a585666b674daa660921b6f619487077
SHA1 3a5c84ccd1c08bad0b21a9da293df47b79e39982
SHA256 eac1ecfbb02b3dbf5fb16dc34eb757924e9f4cdd53bced17b0dfc07cad788d55
SHA512 de2acd7fdc6033a0826d3807fa066485588db4ab087c4bd31bc799a128f807ed4672a0fa9d7e4061746730fa77a6bd8eea4e37e61da722efeefc4d4995dc6955

memory/2140-73-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/1956-121-0x0000000002430000-0x0000000002784000-memory.dmp

memory/1956-120-0x0000000002430000-0x0000000002784000-memory.dmp

memory/1956-119-0x0000000002430000-0x0000000002784000-memory.dmp

memory/2984-118-0x000000013FED0000-0x0000000140224000-memory.dmp

memory/2568-116-0x000000013F410000-0x000000013F764000-memory.dmp

memory/316-114-0x000000013F460000-0x000000013F7B4000-memory.dmp

memory/1956-112-0x000000013F290000-0x000000013F5E4000-memory.dmp

memory/2680-110-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

memory/2576-109-0x000000013F6F0000-0x000000013FA44000-memory.dmp

C:\Windows\system\yqoKxLf.exe

MD5 22ccc44f86ec456eed054863832c1f11
SHA1 df7e9c0c3172e372743431c7c9b8da3aae7c35d0
SHA256 2b4387d1615bab8de16f31db50eeb3f1bc1dd7abf859e263df82949674c0919f
SHA512 7edd77f718dfd5b9047c7f273f9c8f1c385f5d94dca6da3bd229ab821e53a49e89a7076d62848b6b1ff683863b68b1966d1e3ee8587f4ba744c589b9caf08adf

memory/1956-80-0x000000013F6F0000-0x000000013FA44000-memory.dmp

memory/1956-79-0x000000013F040000-0x000000013F394000-memory.dmp

C:\Windows\system\YkiHnpQ.exe

MD5 5246ddaff439d6fd1b0ea6fd76d6c4b7
SHA1 80bccd97f3e138639db1777310cb0ccd2c1ed60e
SHA256 f11ed2d465dec9fd1124db74997cd5fe359ce06c2c1e4f58b989172fa29f4ec3
SHA512 f5c85e06f0b52300b3745e8c09e781cc1be70f90ed12d76f1b0cc6290befc4ea866bd3898a2874d2b11dd4ee69e1095f8f11e3a5c7dd88bc729b879fc7a87f52

C:\Windows\system\TIHvecm.exe

MD5 dd51a95e71e8d91046b2fa98771ab541
SHA1 dcf6e5eb64b2633c19c0ede6380c3b42aaa2561c
SHA256 a587b653f7c779e3aaa0b7e1f904d681a7667d376e21b9d959e3865a4a34bd48
SHA512 bbba9dbf0aae97a0ed2fdff02e18a74a0b98d0529f89cddd49fe7a5d202647c736b3b4cd32891341bc6e5846111be17d184cbb0b319b583ae486733f9c493f22

C:\Windows\system\qLCvGgY.exe

MD5 91f7dc9d3d5494f2b5923cef1b7d9409
SHA1 cd85d01d59bc40696d0e7491aff9034c602651cc
SHA256 917d545c5f07512a23214da2ef661a5589d183e9851073f0f1dda0c58c2263aa
SHA512 5695f7cddb294f734a5c5005b7c20aecbafe126d9b64d41b309a201d23b4fc3eb9b67ed220ae96ccb565289ae5e41fa9773e66f51b67b82ba58879544553b8b2

C:\Windows\system\jLFpJtj.exe

MD5 43119b90f69fa967c6853262389f9317
SHA1 28be7ae2e11e555001cf9f871873c6909ac97243
SHA256 ffc829659135f25cbfe87cf3b3968b4263b7f04361f40c2bff3e1109adbd994d
SHA512 d1d9eec03232101725b7fd2ed8a474d2500fdf97c7cc5bbc0e2b4c4abe21bb3faa6db7d22cd8e1ed0da3300f9a852b90a497b533201521bd72e91e8612dc19f9

memory/1956-41-0x000000013FAE0000-0x000000013FE34000-memory.dmp

memory/1956-40-0x000000013F310000-0x000000013F664000-memory.dmp

memory/2640-136-0x000000013F7F0000-0x000000013FB44000-memory.dmp

memory/2664-137-0x000000013F930000-0x000000013FC84000-memory.dmp

memory/1956-138-0x0000000002430000-0x0000000002784000-memory.dmp

memory/2160-139-0x000000013FE60000-0x00000001401B4000-memory.dmp

memory/2140-140-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/2640-141-0x000000013F7F0000-0x000000013FB44000-memory.dmp

memory/2664-142-0x000000013F930000-0x000000013FC84000-memory.dmp

memory/1692-143-0x000000013F3C0000-0x000000013F714000-memory.dmp

memory/2792-144-0x000000013F310000-0x000000013F664000-memory.dmp

memory/2568-146-0x000000013F410000-0x000000013F764000-memory.dmp

memory/2524-145-0x000000013F040000-0x000000013F394000-memory.dmp

memory/2680-147-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

memory/2576-148-0x000000013F6F0000-0x000000013FA44000-memory.dmp

memory/2984-149-0x000000013FED0000-0x0000000140224000-memory.dmp

memory/316-150-0x000000013F460000-0x000000013F7B4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-30 05:47

Reported

2024-06-30 05:49

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\VzSXKFE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MAwHRuP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wnTKFkl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eVOkuUU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iePhXpQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EkpeWZC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\toCZBjl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YKeqTXz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ibdQlYk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Axzfpcn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GvCoWqR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NOkXaVb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yiwEQYF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZSNFoSm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wjMqKIO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BhmzlRO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jOtQOpr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kwCLuyS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\frQEngP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iVvLEIo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eZSfNAA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4804 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GvCoWqR.exe
PID 4804 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GvCoWqR.exe
PID 4804 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eVOkuUU.exe
PID 4804 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eVOkuUU.exe
PID 4804 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iePhXpQ.exe
PID 4804 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iePhXpQ.exe
PID 4804 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eZSfNAA.exe
PID 4804 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eZSfNAA.exe
PID 4804 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BhmzlRO.exe
PID 4804 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BhmzlRO.exe
PID 4804 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EkpeWZC.exe
PID 4804 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EkpeWZC.exe
PID 4804 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\toCZBjl.exe
PID 4804 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\toCZBjl.exe
PID 4804 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jOtQOpr.exe
PID 4804 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jOtQOpr.exe
PID 4804 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kwCLuyS.exe
PID 4804 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kwCLuyS.exe
PID 4804 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\frQEngP.exe
PID 4804 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\frQEngP.exe
PID 4804 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VzSXKFE.exe
PID 4804 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VzSXKFE.exe
PID 4804 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YKeqTXz.exe
PID 4804 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YKeqTXz.exe
PID 4804 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iVvLEIo.exe
PID 4804 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iVvLEIo.exe
PID 4804 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wjMqKIO.exe
PID 4804 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wjMqKIO.exe
PID 4804 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MAwHRuP.exe
PID 4804 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MAwHRuP.exe
PID 4804 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NOkXaVb.exe
PID 4804 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NOkXaVb.exe
PID 4804 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yiwEQYF.exe
PID 4804 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yiwEQYF.exe
PID 4804 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wnTKFkl.exe
PID 4804 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wnTKFkl.exe
PID 4804 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZSNFoSm.exe
PID 4804 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZSNFoSm.exe
PID 4804 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ibdQlYk.exe
PID 4804 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ibdQlYk.exe
PID 4804 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Axzfpcn.exe
PID 4804 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Axzfpcn.exe
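The two tables above show one parent (PID 4804, running from the user's Temp directory) creating 21 executables with seven-letter names under C:\Windows\System (a directory distinct from System32) and then writing into the memory of every child it starts from them. The sandbox lists each WriteProcessMemory pair twice. The Python below is an editor's example added to this page, not tooling from the sandbox vendor: it rebuilds the rows from the values on the page in the report's own row format, collapses the duplicated write entries, and turns the pattern into a triage rule. The `min_drops` threshold and the "suspicious" label are assumptions of the example. Note that a parent writing into a child it has just spawned does not by itself identify the technique used; the count, the random names and the drop location carry the signal.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Values taken from this report's "Drops file in Windows directory" and
# "Suspicious use of WriteProcessMemory" tables; the row strings are rebuilt
# from them (constructed input, not a copy of the sandbox export).
PARENT = r"C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe"
PARENT_PID = 4804
CHILDREN = [  # (child PID, image the parent wrote into), as listed on the page
    (396, "GvCoWqR"), (1476, "eVOkuUU"), (4560, "iePhXpQ"), (1808, "eZSfNAA"),
    (996, "BhmzlRO"), (1440, "EkpeWZC"), (3140, "toCZBjl"), (1992, "jOtQOpr"),
    (4244, "kwCLuyS"), (4124, "frQEngP"), (3740, "VzSXKFE"), (5016, "YKeqTXz"),
    (904, "iVvLEIo"), (3820, "wjMqKIO"), (1560, "MAwHRuP"), (5012, "NOkXaVb"),
    (2880, "yiwEQYF"), (3100, "wnTKFkl"), (5080, "ZSNFoSm"), (456, "ibdQlYk"),
    (2088, "Axzfpcn"),
]
DROP_ROWS = "\n".join(
    f"File created C:\\Windows\\System\\{n}.exe {PARENT} N/A" for _, n in CHILDREN)
# The sandbox logs every WriteProcessMemory pair twice; reproduce that.
WRITE_ROWS = "\n".join(
    f"PID {PARENT_PID} wrote to memory of {pid} N/A {PARENT} C:\\Windows\\System\\{n}.exe"
    for pid, n in CHILDREN for _ in range(2))

DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
RANDOM_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")
SYSTEM_DIR = "c:\\windows\\system\\"


def parse_drops(rows):
    """Map each created file (lower-cased path) to the process that created it."""
    out = {}
    for line in rows.splitlines():
        m = DROP_RE.match(line)
        if m:
            out[m.group(1).lower()] = m.group(2)
    return out


def parse_writes(rows):
    """Group write rows as (source PID, target image) -> set of target PIDs.

    A set collapses the duplicated rows, so each child is counted once."""
    out = defaultdict(set)
    for line in rows.splitlines():
        m = WRITE_RE.match(line)
        if m:
            src, dst, _proc, target = m.groups()
            out[(int(src), target.lower())].add(int(dst))
    return out


def assess(drop_rows, write_rows, min_drops=10):
    """Triage rule (assumed thresholds): a Temp-resident parent that drops at
    least min_drops executables into C:\\Windows\\System and writes into the
    processes started from them is flagged as suspicious."""
    drops = parse_drops(drop_rows)
    writes = parse_writes(write_rows)
    parents = set(drops.values())
    parent_in_temp = any("\\appdata\\local\\temp\\" in p.lower() for p in parents)
    in_system = [p for p in drops if p.startswith(SYSTEM_DIR)]
    random_named = all(RANDOM_NAME.match(PureWindowsPath(p).name) for p in drops)
    targets = {t for (_src, t) in writes}
    child_pids = set().union(*writes.values()) if writes else set()
    targets_are_drops = targets <= set(drops)
    hit = parent_in_temp and len(in_system) >= min_drops and targets_are_drops
    return {
        "dropped": len(drops),
        "dropped_in_system": len(in_system),
        "child_pids_written": len(child_pids),
        "write_targets_are_drops": targets_are_drops,
        "parent_in_temp": parent_in_temp,
        "random_named": random_named,
        "verdict": "suspicious" if hit else "no match",
    }


if __name__ == "__main__":
    for k, v in assess(DROP_ROWS, WRITE_ROWS).items():
        print(f"{k}: {v}")
```

The same parser runs unchanged over the corresponding tables of the behavioral1 run; only the PIDs and file names differ.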

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\GvCoWqR.exe

C:\Windows\System\GvCoWqR.exe

C:\Windows\System\eVOkuUU.exe

C:\Windows\System\eVOkuUU.exe

C:\Windows\System\iePhXpQ.exe

C:\Windows\System\iePhXpQ.exe

C:\Windows\System\eZSfNAA.exe

C:\Windows\System\eZSfNAA.exe

C:\Windows\System\BhmzlRO.exe

C:\Windows\System\BhmzlRO.exe

C:\Windows\System\EkpeWZC.exe

C:\Windows\System\EkpeWZC.exe

C:\Windows\System\toCZBjl.exe

C:\Windows\System\toCZBjl.exe

C:\Windows\System\jOtQOpr.exe

C:\Windows\System\jOtQOpr.exe

C:\Windows\System\kwCLuyS.exe

C:\Windows\System\kwCLuyS.exe

C:\Windows\System\frQEngP.exe

C:\Windows\System\frQEngP.exe

C:\Windows\System\VzSXKFE.exe

C:\Windows\System\VzSXKFE.exe

C:\Windows\System\YKeqTXz.exe

C:\Windows\System\YKeqTXz.exe

C:\Windows\System\iVvLEIo.exe

C:\Windows\System\iVvLEIo.exe

C:\Windows\System\wjMqKIO.exe

C:\Windows\System\wjMqKIO.exe

C:\Windows\System\MAwHRuP.exe

C:\Windows\System\MAwHRuP.exe

C:\Windows\System\NOkXaVb.exe

C:\Windows\System\NOkXaVb.exe

C:\Windows\System\yiwEQYF.exe

C:\Windows\System\yiwEQYF.exe

C:\Windows\System\wnTKFkl.exe

C:\Windows\System\wnTKFkl.exe

C:\Windows\System\ZSNFoSm.exe

C:\Windows\System\ZSNFoSm.exe

C:\Windows\System\ibdQlYk.exe

C:\Windows\System\ibdQlYk.exe

C:\Windows\System\Axzfpcn.exe

C:\Windows\System\Axzfpcn.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
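The Network table mixes two kinds of traffic: reverse (PTR) lookups sent to 8.8.8.8, and six TCP connections to 3.120.209.58:8080, the only direct outbound destination in the run. The Python below is an editor's example added to this page, not part of the sandbox output: it parses the rows in the table's own format, decodes each in-addr.arpa name back into the IPv4 address it asks about (the octets appear reversed), and aggregates the TCP destinations. PTR lookups of this kind are often generated by the operating system in the background rather than by the sample, so the decoded addresses should be reviewed before being promoted to indicators; the 8080 connection is the one to pivot on first.

```python
import re
from collections import Counter

# Constructed input: the rows of this report's behavioral2 Network table.
NETWORK_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""

# Country, destination ip:port, optional domain, protocol.
ROW_RE = re.compile(
    r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$")
PTR_RE = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I)


def ptr_to_ip(name):
    """Decode a reverse-lookup name into the IPv4 address it refers to.

    The four labels under in-addr.arpa are the address octets in reverse
    order. Returns None for names that are not well-formed PTR queries."""
    m = PTR_RE.match(name)
    if not m or any(int(o) > 255 for o in m.groups()):
        return None
    return ".".join(reversed(m.groups()))


def summarise(rows):
    """Split the table into direct TCP destinations (with hit counts),
    the addresses queried via PTR, and any other DNS names."""
    tcp = Counter()
    ptr, other_dns = [], []
    for line in rows.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        _country, ip, port, domain, proto = m.groups()
        if proto == "tcp":
            tcp[(ip, int(port))] += 1
        elif domain:
            looked_up = ptr_to_ip(domain)
            if looked_up:
                ptr.append(looked_up)
            else:
                other_dns.append(domain)
    return {"tcp": tcp, "ptr": ptr, "other_dns": other_dns}


if __name__ == "__main__":
    s = summarise(NETWORK_ROWS)
    for (ip, port), n in s["tcp"].most_common():
        print(f"tcp {ip}:{port} x{n}")
    print("PTR targets:", ", ".join(s["ptr"]))
```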

Files

memory/4804-0-0x00007FF71FCC0000-0x00007FF720014000-memory.dmp

memory/4804-1-0x0000015A60780000-0x0000015A60790000-memory.dmp

C:\Windows\System\GvCoWqR.exe

MD5 1f4a49b60707576a87dfc2dc308b5fc8
SHA1 185daf4779408600eb0655f5d28586f9355a4807
SHA256 57313050f1782c77af45c81436d829aea642e5b6ee2dac90aa0134b38bae28cc
SHA512 0e20a1d453d6c6362c7c4d426f4617b4e5976aaa6e95094612f18b97101415568f1c6285c90be3a19bff5ae2e478013f3a815b46f25f5f6e8214870c38584186

memory/396-8-0x00007FF695E10000-0x00007FF696164000-memory.dmp

C:\Windows\System\eVOkuUU.exe

MD5 fb7d12f019f93f59c257560ff893067b
SHA1 b70d12374e87d5a1da760d1b25e6431908063cdb
SHA256 beaa9bb07459aa01cfde88a40720592a10328ea48b7bd0d24ccb40241dd0f9ab
SHA512 522db0642422a174b3ec3c5352b991a02749aa7a550a2ef62facab835db704e9c38f14d9f80e878d7cacbc694f562f57ddcfb859496cedc227fdc58050632d8e

C:\Windows\System\iePhXpQ.exe

MD5 3328b7b82713033f765c51bcc14960a5
SHA1 2243698451d6b354d3dda0f1d86d1a36d72adfd9
SHA256 a78ecd3e477a912bce8b4eb3ab94111ece3d45de9dd1cd73d8c9eab7b0d98ce5
SHA512 7854a7b227e2cab4d703e07a4be940158b33fb553147007f4ea50ce54a7af4a6c2a4ebc7b3e701be9a3516c7e13e17b1647d11da9f70f33036a5c978d0223399

memory/1476-14-0x00007FF726E80000-0x00007FF7271D4000-memory.dmp

C:\Windows\System\eZSfNAA.exe

MD5 f6b6d47d4383e57072085e05f7bfb992
SHA1 dedf48f3d7b362adc370692507383523b673e522
SHA256 4c2fa74cc905ba8984297261792624bfcb25a8b3d6f72426df1fe0a028e4b417
SHA512 0b98798e17984a7744fb29d26c5053924efa42ccdf1f07d3b2b8475a6270c2769165e72a1a716410f1b01ab9797292c621230393701d5ecaba701443840e2774

C:\Windows\System\BhmzlRO.exe

MD5 09c7c14f7cd82f84465bc971e2a3f3b1
SHA1 395bb0518cde0f9019114d38c5edfe3c3189330f
SHA256 a8b9fafa6d324e800af7e24137bc69c2e07310327b3ce5887c450fb6f7aecf94
SHA512 b36706484d01ec6f39b6f4858e26c944661c2e8710270edafb30f38be27dc2683ff91918d17cbb7e4c92ef50156dbb049c044ea982a658664d7e2eadb5ee865c

memory/1808-34-0x00007FF73FD20000-0x00007FF740074000-memory.dmp

memory/996-41-0x00007FF6809D0000-0x00007FF680D24000-memory.dmp

C:\Windows\System\toCZBjl.exe

MD5 d8291c425ef892b8f40b181ed5576de3
SHA1 8080a1622d73f2aa3eeddd7cd30270c2d6eba7dd
SHA256 247d46d99c875460e054f3363894e74ce053b5151fbe3eea7e0a8a03a004a904
SHA512 6667559107ffc8f25f55475f6a740211707fee0d2f126781e0bc428bdf65870e512508337187baebdee99a96fecd785d5d82e954cdf7ad905c6e8b2ba86f1965

C:\Windows\System\kwCLuyS.exe

MD5 5e545ac31846fabce0dc18f2d526fd78
SHA1 eb86c99e6e58e35638bb11ab9e31181cc10882ec
SHA256 025521ebd603f10a3e80d049e8b1bf0f51d286161bc8bb1ea95ca991471dd13b
SHA512 d275994844bbdde60adcc36e24d3f4d4c66c95d004dbff8dd60403dedb2a08dd40e8c20dac0691b684ecf0c358b74b11df244f81d0e8aa2735708a9ce939a0ed

memory/4244-57-0x00007FF76DA00000-0x00007FF76DD54000-memory.dmp

C:\Windows\System\VzSXKFE.exe

MD5 a33db2cbbf41db87243393d097b213b5
SHA1 b7e95077e126b8c7dc618067a277153df4411121
SHA256 2dadc05301b47023797153cf9ef9be2c6438b16143028f2e3569a9cc3ec67444
SHA512 bbc0294f02abbb0e1a43d286c1665a470cdcf1c467faacec228964094680b37254cef3685ac0800d55c7ca21793ad2f106a7836eaa4ee87ff7be062a90575044

memory/3740-68-0x00007FF778EA0000-0x00007FF7791F4000-memory.dmp

C:\Windows\System\frQEngP.exe

MD5 83f7d92391fff78217b059e6b23f31f6
SHA1 cffad3f969dea5d7ed5e30b8b8214f60a9cce22f
SHA256 c8cf18d8b350c6ef476e3a8c24b2519b044b3bd11424fa2a8afeb87e90244e2a
SHA512 ae71adce2f099d2289b056c95a61f9078c884248a7c676b75b3e6900be9fb930b2985082d169ec73ae63b620a30f7807a114837b6a84510958c66ba3bd11d58e

memory/4124-62-0x00007FF71C640000-0x00007FF71C994000-memory.dmp

memory/1992-54-0x00007FF7680E0000-0x00007FF768434000-memory.dmp

C:\Windows\System\jOtQOpr.exe

MD5 a09b23ff570d1f2263c1272915a9d822
SHA1 fe956549ff25d5d55e6e44bd61797f1383d22c41
SHA256 2b856d39cc8f6d8483e317acb918619637cef7e243818926f52efbc71e9b4afa
SHA512 e52edc49677f0e46478802a225d4a96ea821c931a9683a037d80e5fe89887eeff810ee692541034f2b24d69a863b085335b9546ea90b1b5be33f1e6c232d8d27

memory/3140-42-0x00007FF601690000-0x00007FF6019E4000-memory.dmp

C:\Windows\System\EkpeWZC.exe

MD5 29b084df434b83fd7c8cabfa93582fe6
SHA1 66c3669c9ed94229373b49c82cd6e916729487d0
SHA256 1d305b5871ba79943cc6d8b3ecd0461dd6302c2d2d263453832f6a5c967bd80a
SHA512 c4e6e8dc5e61c913d292d6b12ce2cc7bc21895f09f9c3e5b3c3b9b669a3a5fcdd6cca74a72b57187d7078f2fd51ccec62c0216582103df10bc635dcfb3ab884e

memory/1440-35-0x00007FF6D9860000-0x00007FF6D9BB4000-memory.dmp

memory/4560-20-0x00007FF7F2A40000-0x00007FF7F2D94000-memory.dmp

memory/4804-74-0x00007FF71FCC0000-0x00007FF720014000-memory.dmp

memory/5016-75-0x00007FF7F9800000-0x00007FF7F9B54000-memory.dmp

C:\Windows\System\iVvLEIo.exe

MD5 dacc4dd5f0ec810e6fddc357074a675b
SHA1 a5c0932d3aa7967f43ad8c03f6e46f4e77b67bf6
SHA256 4d50c61fea19fea877defa60ffb9b70ee7215a3149d1e5bcbd7c1f687d7e7fb7
SHA512 4f26b582fb5614454d6a8977e2cec29182b66f27a4224a7e6bbc5c06dfef1cc0c418b7bd08c0c85f1f1b46fe375bccff568df859d465c4ef83604eb55a998f43

C:\Windows\System\wjMqKIO.exe

MD5 50ca8a5e39f2b3b71a331bca7b437df3
SHA1 a58b30bad57799fa24697705156909a0a594b726
SHA256 61a281e3277f01ca7f71b7e82a73ff79f3ac070e4f3e584467a9437ac9fb2169
SHA512 1e06bcad48f4a2d70fc9566c7918a349a2d047d58997bb428776ba31ad5f65f07402c1776fa298432c32b2619cac955c474147e22a45d6afcf3941da6ebf0c55

C:\Windows\System\MAwHRuP.exe

MD5 daae171eec1bd62b10824da2c16c1b53
SHA1 5945146ada9bc3b68aacfb3a23059b694d83239f
SHA256 1cd0e27717cade15eae20eaae8e29beb1b6d1aac11ef89100b91bca32f72a28c
SHA512 2253d70bc21fade4cdda7dbfb0b477167aa1ff8d11e6a09521c219edc36f5389c6535235f14c3e06cf810db999f6be329fc9deb20323f14a79b93be9eace44ed

memory/1476-88-0x00007FF726E80000-0x00007FF7271D4000-memory.dmp

memory/904-84-0x00007FF7E7740000-0x00007FF7E7A94000-memory.dmp

memory/396-83-0x00007FF695E10000-0x00007FF696164000-memory.dmp

C:\Windows\System\yiwEQYF.exe

MD5 cba46e58b11c73c3a4f0fb457610affd
SHA1 df46387adae779a16aa63066e43f37c40aa5946e
SHA256 c0a26bf4a4175f7f571c9e21c489c64f0e0ec3c54afb7397936b4d504ea629b2
SHA512 fc2e4ea813f50decc3ee6573ebd1bd6089671fa646180bdf2f56385c3e4ca859bfba571adc40e29ea9467fdf902f7751818131573d1330ac0d71c15f4e49dd78

C:\Windows\System\wnTKFkl.exe

MD5 f8872188489f59784d23b8abea4b1ed8
SHA1 0697f539d03a203a3b2d7c4b7a8c177d28cfbe90
SHA256 6888ef34e2a0b64c16dab0d946903432e8c7ce7e66f83e09fc656e0bb23c9b3b
SHA512 f2b70bb5a79ac63826dd6831e6a61ba2ff2ec1a0002ade4f18c7c35ac5e73d89ec6975eee6f57979a79bd0ddc2a1458e7b1fa3bfbce4388541e9c2b271fd8641

C:\Windows\System\Axzfpcn.exe

MD5 606ea2f6025c724dbbc0e1d29cbae871
SHA1 7670264e18e6d69b5d89766ac6df368cbf718601
SHA256 d5c000c476489809ef9377935818bc183457ef72fb36aab28320ed53c965b0c2
SHA512 f3be7e82a5b85905e95b54da60ef520f0de41fadb337be4943891a55109b64a87c6daa134553b5404abd9f1fa550d538f51f0bace19e822cf918831066cccfba

C:\Windows\System\ibdQlYk.exe

MD5 5253520e9f8977a20226035712c2ac7b
SHA1 dce71fb886bb49ccc7a0f5c2906c889b88ea31b9
SHA256 c74a5478066c637ed73a4ee34bf9b76da667abf1133572acb7736a939ed62d2e
SHA512 2a731395a65ad7eded8e77491323240393e07042e84ac82afaae2c77927d01c465166d13d0164741fd7d1939e57fb888d53ab63e27f6724198d8436cc5204566

C:\Windows\System\ZSNFoSm.exe

MD5 b5b7dbec1e1c751e614978a49eec1a59
SHA1 484e3416dbfdb92339d627a6c327cff14666210d
SHA256 0ea3043005de97c431484e577def089d7f03e38d1c710e0c13771b3b8570be96
SHA512 e92a0e48ded429b8db2e6c13d4b4f82afe186ab8d801e8a56d1693a146182f8b97e3be785cba14ba08123e7b3ec84ad3c330481801c80eff282179b9f880d0a7

C:\Windows\System\NOkXaVb.exe

MD5 4e5f82a7dd34d5d6cf566853d8a53084
SHA1 8309f933e9754794959529f1d8972c4c6f069d9d
SHA256 3906e0085b1a7cec0a77082790607ea4cd40c1a546173627f5285cc10a045444
SHA512 bcb55b8bd8ee76447fcf4775e21cd8efb472428e9139e484fb50d8612e1eb883ff2419370eb259ce21978e25035fc2fe972f4978d8cad562cc869abfef0571a5

C:\Windows\System\YKeqTXz.exe

MD5 4ea2c12075c85933a393825fafb6f4a4
SHA1 c681dd9d8fbc096e784cf11f4adde765abe33663
SHA256 ff915efa4dfed7f33a5a8151847364bb2a0e42fd8b1fe07e84e3f67efcfd7183
SHA512 e0ca2dcb1702eeaaea0760ce5e46019241282c51b416835229b367e8eddef5350494dfdfba5e08b2e1bdea9150c6c095a7376e50f1dfb83064c52e0f32d63299

memory/3820-123-0x00007FF605E80000-0x00007FF6061D4000-memory.dmp

memory/2880-125-0x00007FF7A9540000-0x00007FF7A9894000-memory.dmp

memory/5012-124-0x00007FF7C2C00000-0x00007FF7C2F54000-memory.dmp

memory/3100-126-0x00007FF62A020000-0x00007FF62A374000-memory.dmp

memory/5080-127-0x00007FF6D6540000-0x00007FF6D6894000-memory.dmp

memory/1560-130-0x00007FF6319E0000-0x00007FF631D34000-memory.dmp

memory/2088-129-0x00007FF6F5080000-0x00007FF6F53D4000-memory.dmp

memory/456-128-0x00007FF7FC800000-0x00007FF7FCB54000-memory.dmp

memory/1440-131-0x00007FF6D9860000-0x00007FF6D9BB4000-memory.dmp

memory/4244-133-0x00007FF76DA00000-0x00007FF76DD54000-memory.dmp

memory/3140-132-0x00007FF601690000-0x00007FF6019E4000-memory.dmp

memory/4124-134-0x00007FF71C640000-0x00007FF71C994000-memory.dmp

memory/3740-135-0x00007FF778EA0000-0x00007FF7791F4000-memory.dmp

memory/396-136-0x00007FF695E10000-0x00007FF696164000-memory.dmp

memory/1476-137-0x00007FF726E80000-0x00007FF7271D4000-memory.dmp

memory/4560-138-0x00007FF7F2A40000-0x00007FF7F2D94000-memory.dmp

memory/1808-139-0x00007FF73FD20000-0x00007FF740074000-memory.dmp

memory/996-140-0x00007FF6809D0000-0x00007FF680D24000-memory.dmp

memory/1440-141-0x00007FF6D9860000-0x00007FF6D9BB4000-memory.dmp

memory/3140-142-0x00007FF601690000-0x00007FF6019E4000-memory.dmp

memory/1992-143-0x00007FF7680E0000-0x00007FF768434000-memory.dmp

memory/4244-144-0x00007FF76DA00000-0x00007FF76DD54000-memory.dmp

memory/3740-145-0x00007FF778EA0000-0x00007FF7791F4000-memory.dmp

memory/4124-146-0x00007FF71C640000-0x00007FF71C994000-memory.dmp

memory/5016-147-0x00007FF7F9800000-0x00007FF7F9B54000-memory.dmp

memory/904-148-0x00007FF7E7740000-0x00007FF7E7A94000-memory.dmp

memory/3820-150-0x00007FF605E80000-0x00007FF6061D4000-memory.dmp

memory/1560-149-0x00007FF6319E0000-0x00007FF631D34000-memory.dmp

memory/5012-151-0x00007FF7C2C00000-0x00007FF7C2F54000-memory.dmp

memory/2880-152-0x00007FF7A9540000-0x00007FF7A9894000-memory.dmp

memory/3100-153-0x00007FF62A020000-0x00007FF62A374000-memory.dmp

memory/5080-154-0x00007FF6D6540000-0x00007FF6D6894000-memory.dmp

memory/2088-155-0x00007FF6F5080000-0x00007FF6F53D4000-memory.dmp

memory/456-156-0x00007FF7FC800000-0x00007FF7FCB54000-memory.dmp
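Two things in the Files section are worth pulling out programmatically: the hash quadruple recorded for every dropped file (each file carries a different set of hashes, so a single hash indicator will not cover the others), and the dump names, which encode the PID and the start and end of each dumped region. Every image region listed for the parent and the children spans 0x354000 bytes, while the parent's second dump is a 0x10000-byte region. The Python below is an editor's example added to this page, not sandbox tooling: it parses a verbatim excerpt of the section, validates the hash lengths, collapses a region that was dumped twice (for example 396-8 and 396-83) into one, and groups regions by size. The "sha256  path" line format in `ioc_lines` is an assumption chosen because most blocklist importers accept it.

```python
import re
from collections import defaultdict

# Constructed excerpt of this report's behavioral2 Files section: two of the
# 21 dropped-file records plus a few of the memory dump names, copied verbatim.
FILES_EXCERPT = r"""
memory/4804-0-0x00007FF71FCC0000-0x00007FF720014000-memory.dmp
memory/4804-1-0x0000015A60780000-0x0000015A60790000-memory.dmp
C:\Windows\System\GvCoWqR.exe
MD5 1f4a49b60707576a87dfc2dc308b5fc8
SHA1 185daf4779408600eb0655f5d28586f9355a4807
SHA256 57313050f1782c77af45c81436d829aea642e5b6ee2dac90aa0134b38bae28cc
SHA512 0e20a1d453d6c6362c7c4d426f4617b4e5976aaa6e95094612f18b97101415568f1c6285c90be3a19bff5ae2e478013f3a815b46f25f5f6e8214870c38584186
memory/396-8-0x00007FF695E10000-0x00007FF696164000-memory.dmp
C:\Windows\System\eVOkuUU.exe
MD5 fb7d12f019f93f59c257560ff893067b
SHA1 b70d12374e87d5a1da760d1b25e6431908063cdb
SHA256 beaa9bb07459aa01cfde88a40720592a10328ea48b7bd0d24ccb40241dd0f9ab
SHA512 522db0642422a174b3ec3c5352b991a02749aa7a550a2ef62facab835db704e9c38f14d9f80e878d7cacbc694f562f57ddcfb859496cedc227fdc58050632d8e
memory/1476-14-0x00007FF726E80000-0x00007FF7271D4000-memory.dmp
memory/4560-20-0x00007FF7F2A40000-0x00007FF7F2D94000-memory.dmp
memory/396-83-0x00007FF695E10000-0x00007FF696164000-memory.dmp
"""

# memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_RE = re.compile(r"^[A-Za-z]:\\\S+$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex digits


def parse_files_section(text):
    """Return the file records with validated hashes, the distinct dumped
    regions as (pid, start, end), and the PIDs grouped by region size."""
    files, regions, current = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            # Keyed by (pid, start, end): the same region dumped twice
            # (e.g. 396-8 and 396-83) is one region, the last sequence wins.
            regions[(int(pid), int(start, 16), int(end, 16))] = int(seq)
            continue
        if PATH_RE.match(line):
            current = {"path": line, "hashes": {}}
            files.append(current)
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current["hashes"][m.group(1)] = m.group(2).lower()
    for f in files:
        f["valid"] = all(len(f["hashes"].get(k, "")) == n for k, n in HASH_LEN.items())
    by_size = defaultdict(set)
    for pid, start, end in regions:
        by_size[end - start].add(pid)
    return {"files": files, "regions": sorted(regions), "by_size": dict(by_size)}


def ioc_lines(parsed):
    """One 'sha256  path' line per dropped file whose hashes all validated."""
    return [f"{f['hashes']['SHA256']}  {f['path']}" for f in parsed["files"] if f["valid"]]


if __name__ == "__main__":
    p = parse_files_section(FILES_EXCERPT)
    print("\n".join(ioc_lines(p)))
    for size, pids in sorted(p["by_size"].items()):
        print(f"region size 0x{size:x}: pids {sorted(pids)}")
```

Running it over the full section gives 21 indicator lines and a single 0x354000-byte group containing the parent and every child PID, which is the quickest way to confirm that all of the dropped processes map an image of the same size even though no two of the files share a hash.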