Malware Analysis Report

2025-01-22 19:21

Sample ID 240805-lqwzrswglh
Target 2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat
SHA256 f69aba3cc1df5434b224f2602793954ca6ef6ba9e3a6ecb9c52050da806bfb16
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f69aba3cc1df5434b224f2602793954ca6ef6ba9e3a6ecb9c52050da806bfb16

Threat Level: Known bad

The file 2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike

Cobaltstrike family

XMRig Miner payload

xmrig

Cobalt Strike reflective loader

Xmrig family

XMRig Miner payload

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-05 09:44

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-05 09:44

Reported

2024-08-05 09:47

Platform

win7-20240704-en

Max time kernel

142s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\QHkIiis.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\olNFrMm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iATGiMj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QjVLuis.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FEXYgpA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aQEvfUT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EtOVdSV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WcWMrgA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IjkFwuX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zRzXVbh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sDJCNvX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xFTpXsG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YKyjprW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UmIZkIu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NRCEyAk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oBYPivO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZDxcyje.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EWqBpVM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rKxWUNW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LzPlvBf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SFgfmoC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2388 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FEXYgpA.exe
PID 2388 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FEXYgpA.exe
PID 2388 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FEXYgpA.exe
PID 2388 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aQEvfUT.exe
PID 2388 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aQEvfUT.exe
PID 2388 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aQEvfUT.exe
PID 2388 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EtOVdSV.exe
PID 2388 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EtOVdSV.exe
PID 2388 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EtOVdSV.exe
PID 2388 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZDxcyje.exe
PID 2388 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZDxcyje.exe
PID 2388 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZDxcyje.exe
PID 2388 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QHkIiis.exe
PID 2388 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QHkIiis.exe
PID 2388 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QHkIiis.exe
PID 2388 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EWqBpVM.exe
PID 2388 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EWqBpVM.exe
PID 2388 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EWqBpVM.exe
PID 2388 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WcWMrgA.exe
PID 2388 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WcWMrgA.exe
PID 2388 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WcWMrgA.exe
PID 2388 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IjkFwuX.exe
PID 2388 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IjkFwuX.exe
PID 2388 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IjkFwuX.exe
PID 2388 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rKxWUNW.exe
PID 2388 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rKxWUNW.exe
PID 2388 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rKxWUNW.exe
PID 2388 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\olNFrMm.exe
PID 2388 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\olNFrMm.exe
PID 2388 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\olNFrMm.exe
PID 2388 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LzPlvBf.exe
PID 2388 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LzPlvBf.exe
PID 2388 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LzPlvBf.exe
PID 2388 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iATGiMj.exe
PID 2388 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iATGiMj.exe
PID 2388 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iATGiMj.exe
PID 2388 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xFTpXsG.exe
PID 2388 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xFTpXsG.exe
PID 2388 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xFTpXsG.exe
PID 2388 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SFgfmoC.exe
PID 2388 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SFgfmoC.exe
PID 2388 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SFgfmoC.exe
PID 2388 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UmIZkIu.exe
PID 2388 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UmIZkIu.exe
PID 2388 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UmIZkIu.exe
PID 2388 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QjVLuis.exe
PID 2388 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QjVLuis.exe
PID 2388 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QjVLuis.exe
PID 2388 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YKyjprW.exe
PID 2388 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YKyjprW.exe
PID 2388 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YKyjprW.exe
PID 2388 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NRCEyAk.exe
PID 2388 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NRCEyAk.exe
PID 2388 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NRCEyAk.exe
PID 2388 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zRzXVbh.exe
PID 2388 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zRzXVbh.exe
PID 2388 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zRzXVbh.exe
PID 2388 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oBYPivO.exe
PID 2388 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oBYPivO.exe
PID 2388 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oBYPivO.exe
PID 2388 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sDJCNvX.exe
PID 2388 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sDJCNvX.exe
PID 2388 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sDJCNvX.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\FEXYgpA.exe

C:\Windows\System\FEXYgpA.exe

C:\Windows\System\aQEvfUT.exe

C:\Windows\System\aQEvfUT.exe

C:\Windows\System\EtOVdSV.exe

C:\Windows\System\EtOVdSV.exe

C:\Windows\System\ZDxcyje.exe

C:\Windows\System\ZDxcyje.exe

C:\Windows\System\QHkIiis.exe

C:\Windows\System\QHkIiis.exe

C:\Windows\System\EWqBpVM.exe

C:\Windows\System\EWqBpVM.exe

C:\Windows\System\WcWMrgA.exe

C:\Windows\System\WcWMrgA.exe

C:\Windows\System\IjkFwuX.exe

C:\Windows\System\IjkFwuX.exe

C:\Windows\System\rKxWUNW.exe

C:\Windows\System\rKxWUNW.exe

C:\Windows\System\olNFrMm.exe

C:\Windows\System\olNFrMm.exe

C:\Windows\System\LzPlvBf.exe

C:\Windows\System\LzPlvBf.exe

C:\Windows\System\iATGiMj.exe

C:\Windows\System\iATGiMj.exe

C:\Windows\System\xFTpXsG.exe

C:\Windows\System\xFTpXsG.exe

C:\Windows\System\SFgfmoC.exe

C:\Windows\System\SFgfmoC.exe

C:\Windows\System\UmIZkIu.exe

C:\Windows\System\UmIZkIu.exe

C:\Windows\System\QjVLuis.exe

C:\Windows\System\QjVLuis.exe

C:\Windows\System\YKyjprW.exe

C:\Windows\System\YKyjprW.exe

C:\Windows\System\NRCEyAk.exe

C:\Windows\System\NRCEyAk.exe

C:\Windows\System\zRzXVbh.exe

C:\Windows\System\zRzXVbh.exe

C:\Windows\System\oBYPivO.exe

C:\Windows\System\oBYPivO.exe

C:\Windows\System\sDJCNvX.exe

C:\Windows\System\sDJCNvX.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/2388-0-0x000000013F9C0000-0x000000013FD11000-memory.dmp

memory/2388-1-0x00000000000F0000-0x0000000000100000-memory.dmp

C:\Windows\system\FEXYgpA.exe

MD5 7aad44f2b25c3ccf5f0dba336ab22166
SHA1 fabbe946794e48bea55868b97bfb23b76d1947d0
SHA256 b5e882ae414987263ef40f0e9796350d82517987f4bc190f44e9945c8c6aa26e
SHA512 ed13dc0726f2e038ebfe02f02298a3794533b2202f2e13721675dd25513cdc83edc988d9464c236c966c3639cc3d0c9cb13901f193e56ae7a4f4a8ac2768c730

\Windows\system\aQEvfUT.exe

MD5 f6f22fe7b8de79d67bca21779a73d237
SHA1 fad6f2249399cfdbfe1ba1d2ea0aa81f4b89e782
SHA256 187e82deccc71fc5498f75408ca500142e91dd4c6a0bd48f1390e59cb12b6ec2
SHA512 231a5e1011f72478639964fa3118736ef74554cff57b4f3550223b0fff50f68f9ea7f1ab1154dff5bf5983283a067d1cc2fbea67deea3997e8abb2d3f3904763

memory/2388-20-0x000000013F3F0000-0x000000013F741000-memory.dmp

memory/2864-22-0x000000013F3F0000-0x000000013F741000-memory.dmp

memory/2388-15-0x0000000002340000-0x0000000002691000-memory.dmp

memory/2776-13-0x000000013FA10000-0x000000013FD61000-memory.dmp

\Windows\system\ZDxcyje.exe

MD5 54a1ebcb3da8e2af6759a337a11d8bf6
SHA1 2765277999e12357ffe7d78f2cfb0f97ed953b76
SHA256 28a623c241979c5ffa33df2ed1db1120230b302b88f0bc2e0a5cfeaa5e7a0319
SHA512 57267d5c252c10fe8705f82664deda60c2cc55b4db52a3cf233b922d199ef3c30e903e770a6480c1659740c8060f42dac005977f6e3699e163cc666ef5feca3f

memory/2780-28-0x000000013F160000-0x000000013F4B1000-memory.dmp

\Windows\system\EWqBpVM.exe

MD5 4b5ad1c33235cc9f502a9d38ccb9e7af
SHA1 36263cbb7973ac0cc7911707ce95b3d9f6280bc2
SHA256 061caeeaea04ec8b2dc78d51874866da8c2a3d17831fe9aaadbbf437ced0ddda
SHA512 e068a22f36995ecc009b9fce35d76c8b45bb3ff8e1edff5b162fd4fd3d60548fdeee3033b8271fbdc29fc229dbb59afb66e1c983b7d742491e54ebdfe6247534

\Windows\system\IjkFwuX.exe

MD5 96a43ee58d0cbb47d9d120a209be30cf
SHA1 1cfc675faa31f58e942e4c914444505c891f3538
SHA256 3aeb3cf98160223ac78889c3aae637fcb7cecb09b56ef56f3d9c10e35f8b2128
SHA512 374469411368915a19654cf20c415dadfa76c69ccf6ba7cbac1824d6c2a95f36b2f0de4fdd2fb88ce5f3963860bdf7cd8fa021e79e31ad3fd55ed704a2674090

memory/2708-56-0x000000013F430000-0x000000013F781000-memory.dmp

memory/2388-55-0x000000013F9C0000-0x000000013FD11000-memory.dmp

memory/2952-48-0x000000013F6D0000-0x000000013FA21000-memory.dmp

memory/2336-46-0x000000013FF10000-0x0000000140261000-memory.dmp

memory/2388-68-0x0000000002340000-0x0000000002691000-memory.dmp

C:\Windows\system\xFTpXsG.exe

MD5 afef1935d262682624b6bf7d706ee868
SHA1 66d953762383d1e4a1f58f37edddf7e3cc5c2925
SHA256 36d50709549dc7844f2580ff90912c3934dae9e9d57eb9a8185d86f9bec711bb
SHA512 4b3cb903006d2ea786d791ff3c11ea2ad6df4f170eb539dd4fa749a6ec5f0d20c62af9c7f2c43881224e52ccde94653035525dbd04640b778b435224cdd12cee

C:\Windows\system\iATGiMj.exe

MD5 ceea56cfb949804a69778b2a2a0212bb
SHA1 aca42026e4dc260dfe0050e4253ce20085e429a8
SHA256 f7d309c76c51dd73ae2a3e51814a4540d20929677fcdcd046d1630fd8df796cd
SHA512 05c04f66bbfb88c8166610dfc8d4477a7d220abd42e3497de20defb07f15a029a100970aad79a522536d6b8d6a9f4a179f0c01a5c8ccbccc6bf375ab17642c44

memory/2780-97-0x000000013F160000-0x000000013F4B1000-memory.dmp

\Windows\system\QjVLuis.exe

MD5 c13c90f8ec661de5963775a96b98343c
SHA1 3c21c99611d6f71f58c0541124e9722bebd30b5a
SHA256 3a383fa13814472f8d21af11cec1906d16875664de123b0eaba72661716a50b7
SHA512 f4116b2ecffc9e1a9715d4fbe7e0dca41aefdf939e15d9e11886c2c71e2667e00dea6a3cfb66fb73bdfcc110563cdf0f444984df499073bc3bb9bb770950bd3c

C:\Windows\system\NRCEyAk.exe

MD5 ca370c0216070e2f9bbd689f336f2235
SHA1 dd5b62c670ea8cd49eda18d62f388abcb0a906bc
SHA256 5c851f82b9a60acde0f549a585982a94b1c9a39a8224d4e3b04d11dfc57d9051
SHA512 89e81806b5c9cce6592d8fac54355c45ef9f382ad82a71e3d0ca2f966d553101daea60adb5250ef09dd0952669a2496258b56583b8698d5f8defcc1d412caee9

C:\Windows\system\sDJCNvX.exe

MD5 da80a776ea3a844f94b17ea22eca1557
SHA1 16866bbb0d8e980812fd8a59e47b26adc6a4fafb
SHA256 94854d814480acb2db3fd6d2f1e07203ee9ff8a8ff4b9b890df6d8024792850d
SHA512 299345891914aec2c2f81e8ebad60d0c6bf5fc4fa01b78175a764ba09efc7c83f6eff2c317407d89f0d41192845ab4c726457a7843e2a2e748bebbc435ae40eb

C:\Windows\system\oBYPivO.exe

MD5 0bc971f49c53eb8ffdbd958192e17ae2
SHA1 5e8543efa5d040f8e798dc531190b28557c768bb
SHA256 eceaf7670758854ee1a5336afd09201361d735d2b123b486e0635e78f9fc08ad
SHA512 ebacc52373cc61e461aa840a9b69afd14810b141e98b13aacaea61971491fdf89a9f6cf618d7804c28af8e43571135eafeae853381c8e334c2a9a1151e5d4eb1

C:\Windows\system\zRzXVbh.exe

MD5 ab99eadfe25a053b181806505e75b6ce
SHA1 9d0e4acfac2ca01ada44c422bdc6d1b3cc5cc5dd
SHA256 1888e5705a89073ea72dc29562caa37b3c5ce36730dbb081d79f6963f1272c62
SHA512 2dad3fab562beb3ef806f806ecc51efdd0d9665049584a55feb2b1b2ae4326691ce6d4d73f45bdcc8f2b267f539d7c6ec0d80bf0374ad2622b4f3648483ce980

memory/2388-98-0x0000000002340000-0x0000000002691000-memory.dmp

C:\Windows\system\YKyjprW.exe

MD5 5a4a4fd82e320b47dad2777d150afb41
SHA1 a0ef0dad2a43c3d71a95d3d9469fb6bf24749b39
SHA256 693b73073a8d1b37d8437204e4eed3a01d3c7a98660fcafb704a1853d543c1d6
SHA512 e62590937c5b3d008f07e5c3a6afc2416fbe8344c4cde98ce089b90c719a228db7b0ea98d286c8b16fce888676346b7d05605bae2ab771824c447b0cc3bbde90

memory/2388-104-0x0000000002340000-0x0000000002691000-memory.dmp

memory/2952-135-0x000000013F6D0000-0x000000013FA21000-memory.dmp

C:\Windows\system\UmIZkIu.exe

MD5 af39bb29d427d99c22e952c1fedf2abc
SHA1 823738910e45f2cbfdf0a05abd8adf077b900921
SHA256 c73c0fffddf9cdd280d662a148d67c6642b50d7b61543b532c23f27b1f710343
SHA512 5f37ab6765a209e2128115f4d20c6ef85749be0a9a79af1ae1b5894fb2e02bfd14c22adaf1ab67d2b395da1fb582a3fbcba8b26241b9e6f368536c589e756fda

C:\Windows\system\SFgfmoC.exe

MD5 eb58a6e8d76972e174efdbd2ef8102a0
SHA1 6b1410e562c5c792b59230edc52d92d2471e7c9f
SHA256 c55c88d270d534b6d0890218799a837c9eeb9209213c2e6008540dc55c24fada
SHA512 b994a488dd9dcb35a4f2bfbae3f167978e834b7f207f9bab5776b511acaec8f6cfa15c8f386061d679114c796341512d1de2aff834b2582701933b099d25e472

memory/3060-102-0x000000013FB00000-0x000000013FE51000-memory.dmp

memory/2388-136-0x000000013F9C0000-0x000000013FD11000-memory.dmp

memory/2080-91-0x000000013F500000-0x000000013F851000-memory.dmp

memory/2388-90-0x000000013F500000-0x000000013F851000-memory.dmp

memory/2136-89-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/2388-81-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/2616-80-0x000000013F930000-0x000000013FC81000-memory.dmp

memory/2988-79-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

memory/2924-155-0x000000013FC50000-0x000000013FFA1000-memory.dmp

memory/2476-156-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

memory/2696-154-0x000000013FD50000-0x00000001400A1000-memory.dmp

memory/3040-153-0x000000013F480000-0x000000013F7D1000-memory.dmp

memory/2984-152-0x000000013FA80000-0x000000013FDD1000-memory.dmp

memory/2904-151-0x000000013FB80000-0x000000013FED1000-memory.dmp

memory/1632-65-0x000000013F490000-0x000000013F7E1000-memory.dmp

\Windows\system\olNFrMm.exe

MD5 58f0f78fae64e9a8e3002e1a95da3f91
SHA1 66a27c613f4bcdde39142d3d1e64372efb452a9a
SHA256 24f74d62f5846f27da93c0e44ca389a34bbbb8db92da65d09d04c6c7ea94862a
SHA512 3fb88645090fb971a32511d2f2d225c4e93c2fc4e4953201e88165f666a38e05e04c9f52800aa65803129170f0dc414c3decf3315c5d0373fbcd18237a59bd21

C:\Windows\system\LzPlvBf.exe

MD5 48bea2ca9552bcc69a8980a378d6031a
SHA1 3773c91abf3861c9aba2bbe484514e0913e48481
SHA256 4f0fbce8ac66b96d73239c0cd2bc177cb05c8454a00799fde05dde2f8106dc2e
SHA512 e404feafa410126d93c97a8583be9ade5da74ff735735dbc23faa8ef8402fd8413ec23356c3bf67265cad8641b8d9d9e10bcdd1394d886b6bcf86e18f461b1ac

memory/2776-69-0x000000013FA10000-0x000000013FD61000-memory.dmp

memory/1056-67-0x000000013F890000-0x000000013FBE1000-memory.dmp

C:\Windows\system\rKxWUNW.exe

MD5 7bb1e3a04bc3da9b15dda044a4992e4e
SHA1 3ede41d7389b275105ccaa32c6e182b0b4699e23
SHA256 d55f6348621bddd751154c460cb9353914194bcba232268dee870fa6d4b624b0
SHA512 e744852b8cd0c21667e27e7d83cada38357b3d5c81aa691b0008aad7a05050e4b2f282a9945577e94e2f511ed62f0cd0ed60f00c169f7c0fabf9db082931431a

memory/2388-45-0x000000013FF10000-0x0000000140261000-memory.dmp

memory/2388-44-0x0000000002340000-0x0000000002691000-memory.dmp

memory/2852-42-0x000000013FE20000-0x0000000140171000-memory.dmp

memory/2388-158-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

memory/2408-157-0x000000013FF70000-0x00000001402C1000-memory.dmp

C:\Windows\system\WcWMrgA.exe

MD5 55051fbfd9b07dda56687b621bfd8572
SHA1 2e537dd08400c76fba861d06583f4ce7413411a4
SHA256 f5cb5752c5c12fb1e932446bcb5a71016bbc4d144d2a2cf862edcc0aa7879c42
SHA512 eddd77d7403f4b950a3ab9f7d4c9d0cd659ba2b3079bed47cd7ad2d138a6bde088886722d06f2c2edd95b745373500c7948a7ca21547072bb45cc6bc7d25968a

C:\Windows\system\QHkIiis.exe

MD5 571999f71ad992f2e36dcae1f368f606
SHA1 02cb8851d553d9c82d6f0924c850e1f773aff9f0
SHA256 3ad0f6b3dd24ec25c519fd8b9c4a4294b20ad2f6e9cfe68daeb24b7234b7b780
SHA512 a8f676c95c9bc51607738f73f4f79ed8f44b7aca47e2de2d877eeb789a06b97a38c3d0bb59f38f1e854965068af483555560c5511844921561239a6092b6e4fc

memory/2388-26-0x000000013F160000-0x000000013F4B1000-memory.dmp

memory/1632-12-0x000000013F490000-0x000000013F7E1000-memory.dmp

C:\Windows\system\EtOVdSV.exe

MD5 f9264d3d2f2219a7a07363b7140eff12
SHA1 d8fd8370d64be2b64597bb37fd583d62ea8aff77
SHA256 f6a112150edc828bf9fd7e1f4d4b865e2e2a4ae0f7b53485efc270df476d9adb
SHA512 887d388584e334fc60749dc52370350a33a57be2700e1fd9bf94a54f2441cb6f14401e48c137df301d4c5ff4851a1e0efa9ae759be3293f7c64d0fba16166a9e

memory/2388-159-0x000000013F9C0000-0x000000013FD11000-memory.dmp

memory/2388-168-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/2388-182-0x0000000002340000-0x0000000002691000-memory.dmp

memory/2388-184-0x0000000002340000-0x0000000002691000-memory.dmp

memory/1632-207-0x000000013F490000-0x000000013F7E1000-memory.dmp

memory/2776-209-0x000000013FA10000-0x000000013FD61000-memory.dmp

memory/2864-211-0x000000013F3F0000-0x000000013F741000-memory.dmp

memory/2780-221-0x000000013F160000-0x000000013F4B1000-memory.dmp

memory/2852-220-0x000000013FE20000-0x0000000140171000-memory.dmp

memory/2336-223-0x000000013FF10000-0x0000000140261000-memory.dmp

memory/2708-225-0x000000013F430000-0x000000013F781000-memory.dmp

memory/2952-227-0x000000013F6D0000-0x000000013FA21000-memory.dmp

memory/1056-229-0x000000013F890000-0x000000013FBE1000-memory.dmp

memory/2616-233-0x000000013F930000-0x000000013FC81000-memory.dmp

memory/2988-232-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

memory/2136-237-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/2080-244-0x000000013F500000-0x000000013F851000-memory.dmp

memory/3060-246-0x000000013FB00000-0x000000013FE51000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-05 09:44

Reported

2024-08-05 09:47

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 hits reported; the sandbox recorded no description, indicator, process or target for any of them)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(46 hits reported; the sandbox recorded no description, indicator, process or target for any of them)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 hits reported; the sandbox recorded no description, indicator, process or target for any of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\VKzxgqr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ykbGDoP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lqRnaKp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zvhZFGo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CPkAHJq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TTDvNTp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OuVWaeR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qgAvXPu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KZIHpDE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IcegZDh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Wivmmna.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rBnJpsD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TZsFaKR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mJELDxH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZDpHQgG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\npGsAVS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qAciOvS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VQtQGhi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cxqTrbD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PNFNCiY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\swnJjZa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2848 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ykbGDoP.exe
PID 2848 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ykbGDoP.exe
PID 2848 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lqRnaKp.exe
PID 2848 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lqRnaKp.exe
PID 2848 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mJELDxH.exe
PID 2848 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mJELDxH.exe
PID 2848 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZDpHQgG.exe
PID 2848 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZDpHQgG.exe
PID 2848 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cxqTrbD.exe
PID 2848 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cxqTrbD.exe
PID 2848 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zvhZFGo.exe
PID 2848 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zvhZFGo.exe
PID 2848 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CPkAHJq.exe
PID 2848 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CPkAHJq.exe
PID 2848 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PNFNCiY.exe
PID 2848 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PNFNCiY.exe
PID 2848 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\npGsAVS.exe
PID 2848 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\npGsAVS.exe
PID 2848 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IcegZDh.exe
PID 2848 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IcegZDh.exe
PID 2848 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TTDvNTp.exe
PID 2848 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TTDvNTp.exe
PID 2848 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qAciOvS.exe
PID 2848 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qAciOvS.exe
PID 2848 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\swnJjZa.exe
PID 2848 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\swnJjZa.exe
PID 2848 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OuVWaeR.exe
PID 2848 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OuVWaeR.exe
PID 2848 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Wivmmna.exe
PID 2848 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Wivmmna.exe
PID 2848 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qgAvXPu.exe
PID 2848 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qgAvXPu.exe
PID 2848 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rBnJpsD.exe
PID 2848 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rBnJpsD.exe
PID 2848 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TZsFaKR.exe
PID 2848 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TZsFaKR.exe
PID 2848 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VKzxgqr.exe
PID 2848 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VKzxgqr.exe
PID 2848 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KZIHpDE.exe
PID 2848 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KZIHpDE.exe
PID 2848 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VQtQGhi.exe
PID 2848 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VQtQGhi.exe
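The two tables above describe one process tree once their rows are parsed: every "wrote to memory" row has the sample (PID 2848) as the writer, each child appears twice (the sandbox logs two WriteProcessMemory events per process start), and every target is a path the sample itself had just created under C:\Windows\System. The following is an added Python example, not part of the report or the sandbox vendor's tooling, that parses a subset of those rows (copied from the tables), deduplicates the paired events, rebuilds the parent-to-child map and cross-checks launched children against dropped files. The seven-letter mixed-case filename heuristic is an assumption drawn from this sample's names, not a published signature.

```python
import re
from collections import defaultdict

# Sample image path as it appears in the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2"
          r"_cobalt-strike_cobaltstrike_poet-rat.exe")

# Rows copied from the report's "Drops file in Windows directory" and
# "Suspicious use of WriteProcessMemory" tables (a subset, to keep the
# example short). Column order is Description, Indicator, Process, Target.
FILE_ROWS = [
    rf"File created C:\Windows\System\VKzxgqr.exe {SAMPLE} N/A",
    rf"File created C:\Windows\System\ykbGDoP.exe {SAMPLE} N/A",
    rf"File created C:\Windows\System\lqRnaKp.exe {SAMPLE} N/A",
    rf"File created C:\Windows\System\mJELDxH.exe {SAMPLE} N/A",
]
WPM_ROWS = [
    rf"PID 2848 wrote to memory of 3120 N/A {SAMPLE} C:\Windows\System\ykbGDoP.exe",
    rf"PID 2848 wrote to memory of 3120 N/A {SAMPLE} C:\Windows\System\ykbGDoP.exe",
    rf"PID 2848 wrote to memory of 1876 N/A {SAMPLE} C:\Windows\System\lqRnaKp.exe",
    rf"PID 2848 wrote to memory of 1876 N/A {SAMPLE} C:\Windows\System\lqRnaKp.exe",
    rf"PID 2848 wrote to memory of 2384 N/A {SAMPLE} C:\Windows\System\mJELDxH.exe",
    rf"PID 2848 wrote to memory of 2384 N/A {SAMPLE} C:\Windows\System\mJELDxH.exe",
]

FILE_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
# Heuristic taken from this sample's naming: seven letters in mixed case,
# directly under C:\Windows\System (not System32). An assumption, not a
# vendor signature.
DROP_RE = re.compile(r"^C:\\Windows\\System\\([A-Za-z]{7})\.exe$", re.IGNORECASE)


def dropped_files(rows):
    """Dropped path -> creating process, from the 'File created' rows."""
    out = {}
    for row in rows:
        m = FILE_RE.match(row)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def process_tree(rows):
    """Parent PID -> {child PID: child image}. The sandbox logs two
    WriteProcessMemory events per child, so the dict deduplicates them."""
    tree = defaultdict(dict)
    for row in rows:
        m = WPM_RE.match(row)
        if m:
            parent, child, _writer, target = m.groups()
            tree[int(parent)][int(child)] = target
    return dict(tree)


def looks_like_random_drop(path):
    """True for seven-letter names mixing upper and lower case under C:\\Windows\\System."""
    m = DROP_RE.match(path)
    if not m:
        return False
    stem = m.group(1)
    return stem != stem.lower() and stem != stem.upper()


def launched_but_not_dropped(file_rows, wpm_rows):
    """Children whose image was not created by any 'File created' row.
    Empty for this report: every child is a payload the sample dropped itself."""
    dropped = dropped_files(file_rows)
    return [(parent, pid, image)
            for parent, kids in process_tree(wpm_rows).items()
            for pid, image in kids.items()
            if image not in dropped]


if __name__ == "__main__":
    for parent, kids in process_tree(WPM_ROWS).items():
        print(f"PID {parent} started {len(kids)} dropped executables")
        for pid, image in sorted(kids.items()):
            flag = "random-name" if looks_like_random_drop(image) else ""
            print(f"  {pid}: {image} {flag}")
    print("launched but not dropped:", launched_but_not_dropped(FILE_ROWS, WPM_ROWS))
```

Run on the full tables it gives the same picture as on the subset: one parent, twenty children, each a freshly written file with a random seven-letter name. That is the pattern to alert on here, an executable running from the user's Temp directory that writes and then starts executables directly under C:\Windows\System, a legacy directory in which new binaries are rarely legitimate; the per-file hashes are less useful, since the Files section shows every drop has a different one.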

Processes

Each process is listed as its image path followed by its command line; the 20 dropped executables are started with the bare path and no arguments.
C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\ykbGDoP.exe

C:\Windows\System\ykbGDoP.exe

C:\Windows\System\lqRnaKp.exe

C:\Windows\System\lqRnaKp.exe

C:\Windows\System\mJELDxH.exe

C:\Windows\System\mJELDxH.exe

C:\Windows\System\ZDpHQgG.exe

C:\Windows\System\ZDpHQgG.exe

C:\Windows\System\cxqTrbD.exe

C:\Windows\System\cxqTrbD.exe

C:\Windows\System\zvhZFGo.exe

C:\Windows\System\zvhZFGo.exe

C:\Windows\System\CPkAHJq.exe

C:\Windows\System\CPkAHJq.exe

C:\Windows\System\PNFNCiY.exe

C:\Windows\System\PNFNCiY.exe

C:\Windows\System\npGsAVS.exe

C:\Windows\System\npGsAVS.exe

C:\Windows\System\IcegZDh.exe

C:\Windows\System\IcegZDh.exe

C:\Windows\System\TTDvNTp.exe

C:\Windows\System\TTDvNTp.exe

C:\Windows\System\qAciOvS.exe

C:\Windows\System\qAciOvS.exe

C:\Windows\System\swnJjZa.exe

C:\Windows\System\swnJjZa.exe

C:\Windows\System\OuVWaeR.exe

C:\Windows\System\OuVWaeR.exe

C:\Windows\System\Wivmmna.exe

C:\Windows\System\Wivmmna.exe

C:\Windows\System\qgAvXPu.exe

C:\Windows\System\qgAvXPu.exe

C:\Windows\System\rBnJpsD.exe

C:\Windows\System\rBnJpsD.exe

C:\Windows\System\TZsFaKR.exe

C:\Windows\System\TZsFaKR.exe

C:\Windows\System\VKzxgqr.exe

C:\Windows\System\VKzxgqr.exe

C:\Windows\System\KZIHpDE.exe

C:\Windows\System\KZIHpDE.exe

C:\Windows\System\VQtQGhi.exe

C:\Windows\System\VQtQGhi.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.237:443 g.bing.com tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp

Six of the twenty entries are TCP sessions to 3.120.209.58:8080, made by bare IP with no DNS resolution recorded ("-" marks the blank Domain column). The g.bing.com and tse1.mm.bing.net traffic is ordinary Windows 10 background activity, and the *.in-addr.arpa queries are reverse lookups of addresses seen during the run, so the direct-IP endpoint on port 8080 is the entry to pivot on when hunting for this sample's command-and-control. The report itself does not tie that connection to a specific process.
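Separating the sample's own traffic from sandbox and OS noise is a parsing job: DNS to 8.8.8.8 is either a forward lookup or a reverse (in-addr.arpa) lookup, connections with a resolved domain are ordinary, and repeated connections to a bare IP with no resolution are what a beaconing implant looks like. The following is an added Python example, not part of the report or the sandbox's tooling, that runs that classification over the twenty rows above (copied from the table; the blank Domain column makes rows three or four fields wide). The three-hit threshold for a candidate endpoint is an assumption.

```python
from collections import Counter

# The 20 rows of this run's Network table, copied from the report. The
# Domain column is blank for direct-IP connections, so a row has three or
# four whitespace-separated fields (a "-" placeholder is also accepted).
NETWORK_ROWS = """\
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.237:443 g.bing.com tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
""".splitlines()

REVERSE_SUFFIX = ".in-addr.arpa"


def parse_row(row):
    """Split one table row into its fields; Domain may be absent or '-'."""
    fields = row.split()
    if len(fields) == 4:
        country, dest, domain, proto = fields
        if domain == "-":
            domain = None
    elif len(fields) == 3:
        country, dest, proto = fields
        domain = None
    else:
        raise ValueError(f"unexpected row: {row!r}")
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain, "proto": proto}


def classify(conn):
    """Bucket one connection: forward DNS, reverse DNS, a connection to a
    resolved name, or a connection to a bare IP with no resolution seen."""
    if conn["port"] == 53 and conn["proto"] == "udp":
        if conn["domain"] and conn["domain"].endswith(REVERSE_SUFFIX):
            return "reverse-dns"
        return "dns"
    if conn["domain"] is None:
        return "direct-ip"
    return "named"


def summary(rows):
    """How many rows fall into each bucket."""
    return Counter(classify(parse_row(r)) for r in rows)


def beacon_candidates(rows, min_hits=3):
    """Endpoints contacted repeatedly by bare IP, most frequent first.
    min_hits is an arbitrary threshold for this example."""
    hits = Counter()
    for row in rows:
        conn = parse_row(row)
        if classify(conn) == "direct-ip":
            hits[(conn["ip"], conn["port"], conn["proto"])] += 1
    return [(ip, port, proto, n)
            for (ip, port, proto), n in hits.most_common() if n >= min_hits]


def reverse_lookup_targets(rows):
    """IPs that were reverse-resolved, converted back to dotted form so they
    can be compared with the destinations in the same table."""
    out = []
    for row in rows:
        conn = parse_row(row)
        if classify(conn) == "reverse-dns":
            octets = conn["domain"][: -len(REVERSE_SUFFIX)].split(".")
            out.append(".".join(reversed(octets)))
    return out


if __name__ == "__main__":
    print(dict(summary(NETWORK_ROWS)))
    print("candidate C2 endpoints:", beacon_candidates(NETWORK_ROWS))
    print("reverse-resolved IPs:", reverse_lookup_targets(NETWORK_ROWS))
```

On this table the only candidate is 3.120.209.58:8080/tcp with six hits. The reverse lookups cover Microsoft addresses such as 204.79.197.237 (g.bing.com, also present as a named connection) but never 3.120.209.58, which is one more sign that the port-8080 endpoint is not part of the operating system's own chatter.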

Files

memory/2848-0-0x00007FF6B5080000-0x00007FF6B53D1000-memory.dmp

memory/2848-1-0x0000020B82E80000-0x0000020B82E90000-memory.dmp

C:\Windows\System\ykbGDoP.exe

MD5 1cb192f7cb5e133aa7a08513b5afa937
SHA1 701817ac15e214ac18f886a1802ee8b2e84df38b
SHA256 b59f505939fe3aea85bab42989eee3f722d358ece36c1d21981555c5a4e6f65d
SHA512 76bb59dc1291b9a09f0de743a674b9c1c8788ea98f9782a60d98c1155e52afaf71609a99a655f2caab8e3da7954fac43fe212ad8af8ce3a076294e8b88bba6e1

C:\Windows\System\mJELDxH.exe

MD5 8a73bb49f9d9c815bad950f18c8358dd
SHA1 3bdf6aef9f3936d34d416d17eae8a41496e59406
SHA256 50482c8b532543149cd8af4c3bf2ce4133907c6e43f542229f1a092e8f610592
SHA512 ff7a123baca145f74158773266a9f1209c2999c26307e8a0f5f7ab8cc041617e11f11cf1197d321e7425f45bfbf50f90ef7b9ce79e2ca4a0e130cc188a2e40a8

memory/1876-13-0x00007FF65ADE0000-0x00007FF65B131000-memory.dmp

C:\Windows\System\lqRnaKp.exe

MD5 49c13ab17085298fb4fabacb9c37c1dd
SHA1 5cea1166537ea5367c8d6a322b0bdbd9f99ac412
SHA256 3703f9af2b6eed8dc4e0eb46ce9f87d5de72f7d42440d40bcd9c934a88059a7b
SHA512 b9a2ac96662871cc1b34e9d5c7a9109e46b2615b55ecf8e6fa1351eb0df3eb8173d36f369c094d437edd9d152b2802a23fba461c4f66958ac7a3da4c7b80e92a

memory/3120-6-0x00007FF7D4280000-0x00007FF7D45D1000-memory.dmp

C:\Windows\System\ZDpHQgG.exe

MD5 80aec512a017098c978a56dc7cae0788
SHA1 cfd6f42b03bad952acb2d87131cd971cd5317360
SHA256 4117288a85448fa79539d501795f8fba83ce1e279d9bc843456b5ca0411b688c
SHA512 d18632340a344193cea7e801f248f5b41e3449943be319bebbc667285462b5d93863f4fe20095910c4b526cb7e84d466d777bc72d54949c6c9de1ea96712a7af

memory/2252-26-0x00007FF61D4C0000-0x00007FF61D811000-memory.dmp

memory/2384-20-0x00007FF79D600000-0x00007FF79D951000-memory.dmp

C:\Windows\System\cxqTrbD.exe

MD5 941fccc414edec7b624233d88dc1bc62
SHA1 3577e4c3c039056b8b48f9fde1e20ed26e89516a
SHA256 4b6fc16b11619a594a8cdde6565ebaead55dcce7fb04ac8ba18a635c6ac01b6c
SHA512 975803435cee1eb9b3a538818edf1dfbd71eabcbae38ebc79529c687349caa938ef2ca5e47cf4a22679175b9214b185d9de161697e0056060a74c8bc5a7e7bd6

C:\Windows\System\zvhZFGo.exe

MD5 260c2b0a3b7ec0b5c948b79ca00a1894
SHA1 c5b38d990102e41525c247e11a289b02b26647b8
SHA256 f9cedd2717971712bda857e16cc2cb18dbf5a6457c43434fa47f7831975cbbfb
SHA512 746a0b37520f30f5fa2d649fe3c18950844cab9f82aed96a18d4e501b8a377a0a00be2af06424f86e6f5cfd33f40bc8a08f5c38dea4eadf91944a8f6e7a4520d

memory/984-37-0x00007FF665E20000-0x00007FF666171000-memory.dmp

C:\Windows\System\CPkAHJq.exe

MD5 9551a480fb43190406a79db01bab220c
SHA1 27d8b13319de7fbee533d7a14af9a9d8d5f98052
SHA256 524350829db41fc9bccb49af162067a357ce9fd9d0fdb1369491b6e1c33804fd
SHA512 685a4a0401f336a8785f7b266ff92428fdbbf6f24c518b86617e88a6470e3d881901d31148b2ded3016f8395caa819cf27ac1daa0db924e2272bba007e819a2f

memory/3968-41-0x00007FF7C01D0000-0x00007FF7C0521000-memory.dmp

C:\Windows\System\PNFNCiY.exe

MD5 644427979e1680abfa3d32838669c0f8
SHA1 819e5aad4ca42009cb2e6577bd7d51d13a467f4d
SHA256 cabb8667675cac1d65f0304b928503af37e76934e4cbb985d275aaeca81b2b12
SHA512 323a9520b6893dc0d1d4f7bdc7e4e5e7bc18bd8c734724ab8a9594e6ac8779ebf0c52f4651bf719b1a3cece5d313fdff7d3a3899e10d0a9b6326262808f3f0be

C:\Windows\System\npGsAVS.exe

MD5 3361b232136718c52273d51618dc56a7
SHA1 cf682b17cd9aa0cfed9b4a0528d4ec213e891a14
SHA256 0deb3afaaf16fba0664dce6595fd05d31550a8188eb67249981c1b8cdfd46023
SHA512 64de56a3d38c4050d5eb7ebfd41c03c78292d4264aaab6645ab02f391ed80d0318a25ce02c57b8463dde2310c0432630b772d9a43812b1adadc4f6e7259d8dee

C:\Windows\System\IcegZDh.exe

MD5 3623a9dd2f93a721836f7546ea16c61e
SHA1 013c5bf59b5c5e948e73837eca104694e14bd41e
SHA256 b18b19c2de6e3a71a99fff6941a6682fb14bfa6f9d28dec86e22c124e96369ab
SHA512 3cd2659c8a72c16179e8f550804e9e13004463ae5bbc1e61cb76e57ca5b6c39fecb034ec155a04c54e613d83545d4ba0600b53bcd11d238c812173952341a596

memory/3760-59-0x00007FF6C9780000-0x00007FF6C9AD1000-memory.dmp

memory/2848-63-0x00007FF6B5080000-0x00007FF6B53D1000-memory.dmp

memory/692-62-0x00007FF77F550000-0x00007FF77F8A1000-memory.dmp

C:\Windows\System\TTDvNTp.exe

MD5 8d25de9c918eb51dfb0cb227e80959d2
SHA1 423a77eac957ff9073c50a4c8c32a4b1e090311a
SHA256 27a1d9114f0a9ac1e6aefeb9599376ad821c5551aecd339a08eb4d51c568001e
SHA512 f3c42f1fe666e0de08a4c4aa12542d375e9a181a81f2658997668036a4bad19dcb8fb7b8e9f547721acb21f0797381321eb3c27879ac402a87f0c4bb63f53c56

memory/2072-48-0x00007FF602130000-0x00007FF602481000-memory.dmp

memory/4628-31-0x00007FF7A5830000-0x00007FF7A5B81000-memory.dmp

C:\Windows\System\qAciOvS.exe

MD5 f6e4e7093fd5f45a61fc20d13e980e6c
SHA1 c31d457acc8e585c8ea15ee465e567abb0e5fe92
SHA256 65ab68eab9e16df9d9b1b5a75aedd559e3184fabdcca2458f3931a0b91a16473
SHA512 d0b4d010047bd3e700aaf8e4472c5bb3ff90e4bc6734f021a783a2aee9871f7820e23bb975eb3ca8ee8fe7f86d17bf42be7141531031560240a4429954d7116a

memory/4064-76-0x00007FF7E0640000-0x00007FF7E0991000-memory.dmp

C:\Windows\System\Wivmmna.exe

MD5 3e7937c4268800eb0d4afc4b8d0b0589
SHA1 515013db83f8918b155ee389150ce9b386f2d732
SHA256 cf2dd6d29c23d4fda6defa0f8d121ad96c3e60a62b72eaa50bf0427642bf4d7d
SHA512 b877193e28ca36c28866db8d2b871531791bf30c27e47900da0e01c6624c7eb1c0cea46eedcc252294983b1ccbdc52c6a7ef915b8c329552c6ddee01ec73f64a

C:\Windows\System\qgAvXPu.exe

MD5 a4ee5ab0411c9874935141f29e6fad76
SHA1 6849736d16c88af749fc35222540bf1c97a93278
SHA256 64dccfda534a4fcf060f784b04105ccb8141e7535c8caf0e8708ac1622388612
SHA512 0f615c85730b715125823b192bc3634e238c66912b821476303d2e481d82a29524305bbf524006befdb113c0bd2180a2b450d6f21fd7cca4d2944361d07e11e1

C:\Windows\System\VKzxgqr.exe

MD5 29db618456ab3621d9973b77628917ce
SHA1 7846b23bfad21cfc6229ba2723ba78e140268bdd
SHA256 851b408482fd4e276a7342597c74f55a35a0af9cf3b4146a5cbe36130abaf6f3
SHA512 8c5e1968a759046e83d0ece574adde1b033c992b6b9dd1b9fa6ce8f9b945c5b943554ae4e5d9baab8e6bb5b76471eb255e68454e854608e965046274f888640e

C:\Windows\System\KZIHpDE.exe

MD5 246b1ce140e1a4be4b95934bbb7c313e
SHA1 db65da43ae0203dcaa7cc99e387b837799643f81
SHA256 fba44a57056d9b2124f00de1d7ec59e5b068716878c78ecd1fa79e8313fe2da5
SHA512 049befe81f7ac7813f0505332fe5d0dd1c57d82be63a8e69d3d5bdb08ea1707f175aac92c1f9969a5836e9337dd3632fe6583e98877da441126041d6e0a91a6e

C:\Windows\System\VQtQGhi.exe

MD5 99bf477cafea2ff3cf1457808ae79e33
SHA1 c11f568d2bac66f96dce02f27cbeec5f56300358
SHA256 36a3233477c848addaaa91b3aad21856c3990075d8ee6e7e181b4e30892df476
SHA512 93f47040162b9101e837f20dd9c73b6a25eb99a13cf526c398e8b0cd6e840921708883dad5ae0711bb73ee6a4bd6c104fb41828c3e6d8432031afb9329ee987c

C:\Windows\System\TZsFaKR.exe

MD5 67014197f9f86b3aab605ec234bf360e
SHA1 c2a013febc6a4067de38bc551fc1aed93881c826
SHA256 b7c217d77bdde170d32892b9b705b45b6c53752b290c943615395e67ef6ace16
SHA512 f8989232d5c663981cf38b66c842967a6c141c901508510b37d10ee9f7c680d15f4b4f0d092838db2b3a6bbc62ee7dd3365baca0e2cb479ae7311aa674129bc7

C:\Windows\System\rBnJpsD.exe

MD5 c51d87c88dea7d2515810cee96dd9519
SHA1 e6618471d26b0bd222bdba1c35344ae2d30ad1cd
SHA256 2d86cb3caed4d8ba893dc8cc06798d4859331212f128b0c6946e2d68f5223047
SHA512 aeb78a1bff8ade2c20e2ff3af626b6710a0092a59f6773e46c182526e8a2a76fb489f97da13b821a6cda460a3f5b134cbdeeb59c52ce3b845874beb802eb669a

C:\Windows\System\OuVWaeR.exe

MD5 aaca7a20da9c7163e31e86c18c14cde5
SHA1 5be32936551357d38b4e6ed14c2d7e44d4cb4e7c
SHA256 76c92159581f7b55ca66f92bb2328e333af23c881771e0f94024886ea065ffbe
SHA512 b3c12979fb3653c651f3d90a756e3246cdb262b5affc3e4bc05213064bad14af699b2888817ce42e7b02faffb41d9c5e734664bec94ec9dbc5c33a0d65257814

C:\Windows\System\swnJjZa.exe

MD5 c0828a3344a0686e1c50605587ddd05c
SHA1 31c79eb2d77c614ada9a769ff92ced9c2a42970d
SHA256 c643f473a2e281738f4e049dfe64ea9b37bf67a22220993f24ca4f863f645ee5
SHA512 ada13fb0ca02fb80df19c522d3d29f50d6131c3e2b05d8a63e8fe8bec95860d6d90ea16297e40b45c0132c44f7d072e17b85fb2d92d819f5769603658a023d24

memory/3120-75-0x00007FF7D4280000-0x00007FF7D45D1000-memory.dmp

memory/4208-69-0x00007FF6D3CE0000-0x00007FF6D4031000-memory.dmp

memory/1876-121-0x00007FF65ADE0000-0x00007FF65B131000-memory.dmp

memory/5032-123-0x00007FF6C8870000-0x00007FF6C8BC1000-memory.dmp

memory/3524-124-0x00007FF61F7B0000-0x00007FF61FB01000-memory.dmp

memory/3372-122-0x00007FF7F1F30000-0x00007FF7F2281000-memory.dmp

memory/2892-126-0x00007FF728BE0000-0x00007FF728F31000-memory.dmp

memory/3996-125-0x00007FF705080000-0x00007FF7053D1000-memory.dmp

memory/5108-127-0x00007FF69D020000-0x00007FF69D371000-memory.dmp

memory/2848-128-0x00007FF6B5080000-0x00007FF6B53D1000-memory.dmp

memory/2968-132-0x00007FF6600C0000-0x00007FF660411000-memory.dmp

memory/4860-130-0x00007FF668A40000-0x00007FF668D91000-memory.dmp

memory/4528-133-0x00007FF72E960000-0x00007FF72ECB1000-memory.dmp

memory/4628-136-0x00007FF7A5830000-0x00007FF7A5B81000-memory.dmp

memory/3968-138-0x00007FF7C01D0000-0x00007FF7C0521000-memory.dmp

memory/692-141-0x00007FF77F550000-0x00007FF77F8A1000-memory.dmp

memory/2072-139-0x00007FF602130000-0x00007FF602481000-memory.dmp

memory/984-137-0x00007FF665E20000-0x00007FF666171000-memory.dmp

memory/4208-142-0x00007FF6D3CE0000-0x00007FF6D4031000-memory.dmp

memory/2848-153-0x00007FF6B5080000-0x00007FF6B53D1000-memory.dmp

memory/3120-198-0x00007FF7D4280000-0x00007FF7D45D1000-memory.dmp

memory/1876-200-0x00007FF65ADE0000-0x00007FF65B131000-memory.dmp

memory/2384-202-0x00007FF79D600000-0x00007FF79D951000-memory.dmp

memory/2252-204-0x00007FF61D4C0000-0x00007FF61D811000-memory.dmp

memory/4628-208-0x00007FF7A5830000-0x00007FF7A5B81000-memory.dmp

memory/984-210-0x00007FF665E20000-0x00007FF666171000-memory.dmp

memory/2072-212-0x00007FF602130000-0x00007FF602481000-memory.dmp

memory/3760-214-0x00007FF6C9780000-0x00007FF6C9AD1000-memory.dmp

memory/3968-216-0x00007FF7C01D0000-0x00007FF7C0521000-memory.dmp

memory/692-218-0x00007FF77F550000-0x00007FF77F8A1000-memory.dmp

memory/4208-222-0x00007FF6D3CE0000-0x00007FF6D4031000-memory.dmp

memory/4064-221-0x00007FF7E0640000-0x00007FF7E0991000-memory.dmp

memory/5032-229-0x00007FF6C8870000-0x00007FF6C8BC1000-memory.dmp

memory/3372-230-0x00007FF7F1F30000-0x00007FF7F2281000-memory.dmp

memory/3524-227-0x00007FF61F7B0000-0x00007FF61FB01000-memory.dmp

memory/3996-225-0x00007FF705080000-0x00007FF7053D1000-memory.dmp

memory/2892-233-0x00007FF728BE0000-0x00007FF728F31000-memory.dmp

memory/5108-235-0x00007FF69D020000-0x00007FF69D371000-memory.dmp

memory/4528-236-0x00007FF72E960000-0x00007FF72ECB1000-memory.dmp

memory/4860-240-0x00007FF668A40000-0x00007FF668D91000-memory.dmp

memory/2968-238-0x00007FF6600C0000-0x00007FF660411000-memory.dmp
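The memory dump names in this Files section, and in the behavioral1 Files section above, encode the dumped region as `memory/<pid>-<n>-<start>-<end>-memory.dmp`, and almost every region is exactly 0x351000 bytes long, on Win7 (images at 0x13F...) as well as on Win10 (images at 0x7FF6...). Combined with the hash lists, which give every dropped executable a different MD5/SHA1/SHA256, that says the sample drops one payload of fixed size under twenty names, each re-hashed per drop. The following is an added Python example, not part of the report or the sandbox's tooling, that parses a subset of the dump names and hash entries (copied from both Files sections), finds the dominant image size, flags the regions that differ from it, and checks the hashes for reuse. The 0x10000000 address cut-off used to spot a payload-sized private region outside the loader's usual image range is an assumption for this example.

```python
import re
from collections import Counter

# Region dump names copied from the report: the first four from the Win7
# run (behavioral1), the rest from the Win10 run (behavioral2).
REGIONS = [
    "memory/2388-136-0x000000013F9C0000-0x000000013FD11000-memory.dmp",
    "memory/2080-91-0x000000013F500000-0x000000013F851000-memory.dmp",
    "memory/2388-44-0x0000000002340000-0x0000000002691000-memory.dmp",
    "memory/1632-65-0x000000013F490000-0x000000013F7E1000-memory.dmp",
    "memory/2848-0-0x00007FF6B5080000-0x00007FF6B53D1000-memory.dmp",
    "memory/2848-1-0x0000020B82E80000-0x0000020B82E90000-memory.dmp",
    "memory/3120-6-0x00007FF7D4280000-0x00007FF7D45D1000-memory.dmp",
    "memory/4528-236-0x00007FF72E960000-0x00007FF72ECB1000-memory.dmp",
]

# (path, md5, sha256) for a few dropped executables, copied from the report.
DROPPED = [
    (r"C:\Windows\System\ykbGDoP.exe", "1cb192f7cb5e133aa7a08513b5afa937",
     "b59f505939fe3aea85bab42989eee3f722d358ece36c1d21981555c5a4e6f65d"),
    (r"C:\Windows\System\mJELDxH.exe", "8a73bb49f9d9c815bad950f18c8358dd",
     "50482c8b532543149cd8af4c3bf2ce4133907c6e43f542229f1a092e8f610592"),
    (r"C:\Windows\System\lqRnaKp.exe", "49c13ab17085298fb4fabacb9c37c1dd",
     "3703f9af2b6eed8dc4e0eb46ce9f87d5de72f7d42440d40bcd9c934a88059a7b"),
    (r"\Windows\system\olNFrMm.exe", "58f0f78fae64e9a8e3002e1a95da3f91",
     "24f74d62f5846f27da93c0e44ca389a34bbbb8db92da65d09d04c6c7ea94862a"),
]

REGION_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Below this address no x64 image was mapped in either run; an assumption
# for this example, not a Windows constant.
LOW_ADDRESS_CUTOFF = 0x10000000


def parse_region(name):
    """Split a dump name into pid, sequence number, start address and size."""
    m = REGION_RE.match(name)
    if not m:
        raise ValueError(f"not a region dump name: {name!r}")
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "seq": int(seq), "start": start, "size": end - start}


def size_histogram(names):
    return Counter(parse_region(n)["size"] for n in names)


def dominant_image_size(names):
    """The size shared by most dumps: one payload copied under many names
    maps to the same image size in every process that runs it."""
    size, _ = size_histogram(names).most_common(1)[0]
    return size


def outliers(names):
    """Regions whose size differs from the dominant one (heap, small blobs)."""
    dom = dominant_image_size(names)
    return [n for n in names if parse_region(n)["size"] != dom]


def non_image_copies(names):
    """Dominant-size regions at low addresses: a payload-sized private region
    outside the loaded image is consistent with an unpacked or manually
    mapped copy and is the one to dump first."""
    dom = dominant_image_size(names)
    return [n for n in names
            if parse_region(n)["size"] == dom
            and parse_region(n)["start"] < LOW_ADDRESS_CUTOFF]


def hash_reuse(entries):
    """sha256 -> paths sharing it, for hashes that occur more than once.
    Empty means every drop is unique, so hash-based blocking buys nothing."""
    by_hash = {}
    for path, _md5, sha256 in entries:
        by_hash.setdefault(sha256, []).append(path)
    return {h: p for h, p in by_hash.items() if len(p) > 1}


if __name__ == "__main__":
    print(f"dominant region size: 0x{dominant_image_size(REGIONS):X}")
    print("outliers:", outliers(REGIONS))
    print("payload-sized private regions:", non_image_copies(REGIONS))
    print("reused hashes:", hash_reuse(DROPPED))
```

On the full Files sections the result is the same: every dump except `memory/2848-1` (a 0x10000-byte region) is 0x351000 bytes, PID 2388 on Win7 carries a second, payload-sized copy at 0x2340000 (`memory/2388-44` and the later `-182`/`-184` dumps of the same range), and no two dropped files share a hash. For detection and response that means keying on the fixed image size, the drop location and the process tree rather than on the file hashes.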