Malware Analysis Report

2025-01-22 19:22

Sample ID 240805-pxp2kswdqk
Target 2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat
SHA256 51cd37ff6337188ad601474243d43fa854b5d299b6b3c19a26751b281f4d664f
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

XMRig Miner payload

xmrig

Cobaltstrike family

Xmrig family

Cobalt Strike reflective loader

Cobaltstrike

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-05 12:42

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Xmrig family

xmrig

UPX packed file

upx
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-05 12:42

Reported

2024-08-05 12:45

Platform

win7-20240729-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\GseQBBk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SYAIKwk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TEDhLPB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\deNJVtU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GSEjQud.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XpdNWbL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cAqfCMh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PiSXnIL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tpovEmE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SKaQsHR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qWrdvxd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\amAyrjH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wSfrXDs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mSdpExi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QXQtrPo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AxFqRpA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kCEBmvw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wXrFXMm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cBExyJs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ijkhlSq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PxnTuYe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AxFqRpA.exe
PID 2208 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tpovEmE.exe
PID 2208 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SKaQsHR.exe
PID 2208 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kCEBmvw.exe
PID 2208 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qWrdvxd.exe
PID 2208 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\amAyrjH.exe
PID 2208 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\deNJVtU.exe
PID 2208 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GSEjQud.exe
PID 2208 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GseQBBk.exe
PID 2208 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wXrFXMm.exe
PID 2208 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cBExyJs.exe
PID 2208 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wSfrXDs.exe
PID 2208 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XpdNWbL.exe
PID 2208 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cAqfCMh.exe
PID 2208 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ijkhlSq.exe
PID 2208 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PxnTuYe.exe
PID 2208 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mSdpExi.exe
PID 2208 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QXQtrPo.exe
PID 2208 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SYAIKwk.exe
PID 2208 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PiSXnIL.exe
PID 2208 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TEDhLPB.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\AxFqRpA.exe

C:\Windows\System\AxFqRpA.exe

C:\Windows\System\tpovEmE.exe

C:\Windows\System\tpovEmE.exe

C:\Windows\System\SKaQsHR.exe

C:\Windows\System\SKaQsHR.exe

C:\Windows\System\kCEBmvw.exe

C:\Windows\System\kCEBmvw.exe

C:\Windows\System\qWrdvxd.exe

C:\Windows\System\qWrdvxd.exe

C:\Windows\System\amAyrjH.exe

C:\Windows\System\amAyrjH.exe

C:\Windows\System\deNJVtU.exe

C:\Windows\System\deNJVtU.exe

C:\Windows\System\GSEjQud.exe

C:\Windows\System\GSEjQud.exe

C:\Windows\System\GseQBBk.exe

C:\Windows\System\GseQBBk.exe

C:\Windows\System\wXrFXMm.exe

C:\Windows\System\wXrFXMm.exe

C:\Windows\System\cBExyJs.exe

C:\Windows\System\cBExyJs.exe

C:\Windows\System\wSfrXDs.exe

C:\Windows\System\wSfrXDs.exe

C:\Windows\System\XpdNWbL.exe

C:\Windows\System\XpdNWbL.exe

C:\Windows\System\cAqfCMh.exe

C:\Windows\System\cAqfCMh.exe

C:\Windows\System\ijkhlSq.exe

C:\Windows\System\ijkhlSq.exe

C:\Windows\System\PxnTuYe.exe

C:\Windows\System\PxnTuYe.exe

C:\Windows\System\mSdpExi.exe

C:\Windows\System\mSdpExi.exe

C:\Windows\System\QXQtrPo.exe

C:\Windows\System\QXQtrPo.exe

C:\Windows\System\SYAIKwk.exe

C:\Windows\System\SYAIKwk.exe

C:\Windows\System\PiSXnIL.exe

C:\Windows\System\PiSXnIL.exe

C:\Windows\System\TEDhLPB.exe

C:\Windows\System\TEDhLPB.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2688-217-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

memory/2936-219-0x000000013F050000-0x000000013F3A1000-memory.dmp

memory/2248-221-0x000000013FDA0000-0x00000001400F1000-memory.dmp

memory/2740-223-0x000000013F820000-0x000000013FB71000-memory.dmp

memory/2568-225-0x000000013FA90000-0x000000013FDE1000-memory.dmp

memory/2628-227-0x000000013F540000-0x000000013F891000-memory.dmp

memory/328-229-0x000000013F770000-0x000000013FAC1000-memory.dmp

memory/1972-231-0x000000013FF60000-0x00000001402B1000-memory.dmp

memory/2916-233-0x000000013FD10000-0x0000000140061000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-05 12:42

Reported

2024-08-05 12:45

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 rows, none with recorded detail)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (46 rows, none with recorded detail)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 rows, none with recorded detail)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\TEDhLPB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cAqfCMh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ijkhlSq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mSdpExi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\deNJVtU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wSfrXDs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PxnTuYe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tpovEmE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kCEBmvw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qWrdvxd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GSEjQud.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wXrFXMm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SYAIKwk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GseQBBk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cBExyJs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XpdNWbL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QXQtrPo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PiSXnIL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AxFqRpA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SKaQsHR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\amAyrjH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1900 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AxFqRpA.exe
PID 1900 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AxFqRpA.exe
PID 1900 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tpovEmE.exe
PID 1900 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tpovEmE.exe
PID 1900 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SKaQsHR.exe
PID 1900 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SKaQsHR.exe
PID 1900 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kCEBmvw.exe
PID 1900 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kCEBmvw.exe
PID 1900 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qWrdvxd.exe
PID 1900 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qWrdvxd.exe
PID 1900 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\amAyrjH.exe
PID 1900 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\amAyrjH.exe
PID 1900 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\deNJVtU.exe
PID 1900 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\deNJVtU.exe
PID 1900 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GSEjQud.exe
PID 1900 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GSEjQud.exe
PID 1900 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GseQBBk.exe
PID 1900 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GseQBBk.exe
PID 1900 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wXrFXMm.exe
PID 1900 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wXrFXMm.exe
PID 1900 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cBExyJs.exe
PID 1900 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cBExyJs.exe
PID 1900 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wSfrXDs.exe
PID 1900 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wSfrXDs.exe
PID 1900 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XpdNWbL.exe
PID 1900 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XpdNWbL.exe
PID 1900 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cAqfCMh.exe
PID 1900 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cAqfCMh.exe
PID 1900 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ijkhlSq.exe
PID 1900 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ijkhlSq.exe
PID 1900 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PxnTuYe.exe
PID 1900 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PxnTuYe.exe
PID 1900 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mSdpExi.exe
PID 1900 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mSdpExi.exe
PID 1900 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QXQtrPo.exe
PID 1900 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QXQtrPo.exe
PID 1900 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SYAIKwk.exe
PID 1900 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SYAIKwk.exe
PID 1900 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PiSXnIL.exe
PID 1900 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PiSXnIL.exe
PID 1900 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TEDhLPB.exe
PID 1900 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TEDhLPB.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\AxFqRpA.exe

C:\Windows\System\AxFqRpA.exe

C:\Windows\System\tpovEmE.exe

C:\Windows\System\tpovEmE.exe

C:\Windows\System\SKaQsHR.exe

C:\Windows\System\SKaQsHR.exe

C:\Windows\System\kCEBmvw.exe

C:\Windows\System\kCEBmvw.exe

C:\Windows\System\qWrdvxd.exe

C:\Windows\System\qWrdvxd.exe

C:\Windows\System\amAyrjH.exe

C:\Windows\System\amAyrjH.exe

C:\Windows\System\deNJVtU.exe

C:\Windows\System\deNJVtU.exe

C:\Windows\System\GSEjQud.exe

C:\Windows\System\GSEjQud.exe

C:\Windows\System\GseQBBk.exe

C:\Windows\System\GseQBBk.exe

C:\Windows\System\wXrFXMm.exe

C:\Windows\System\wXrFXMm.exe

C:\Windows\System\cBExyJs.exe

C:\Windows\System\cBExyJs.exe

C:\Windows\System\wSfrXDs.exe

C:\Windows\System\wSfrXDs.exe

C:\Windows\System\XpdNWbL.exe

C:\Windows\System\XpdNWbL.exe

C:\Windows\System\cAqfCMh.exe

C:\Windows\System\cAqfCMh.exe

C:\Windows\System\ijkhlSq.exe

C:\Windows\System\ijkhlSq.exe

C:\Windows\System\PxnTuYe.exe

C:\Windows\System\PxnTuYe.exe

C:\Windows\System\mSdpExi.exe

C:\Windows\System\mSdpExi.exe

C:\Windows\System\QXQtrPo.exe

C:\Windows\System\QXQtrPo.exe

C:\Windows\System\SYAIKwk.exe

C:\Windows\System\SYAIKwk.exe

C:\Windows\System\PiSXnIL.exe

C:\Windows\System\PiSXnIL.exe

C:\Windows\System\TEDhLPB.exe

C:\Windows\System\TEDhLPB.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none) tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 (none) tcp
DE 3.120.209.58:8080 (none) tcp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 (none) tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 (none) tcp
DE 3.120.209.58:8080 (none) tcp

The six TCP connections to 3.120.209.58:8080 are the only non-DNS traffic in this run and were made without any preceding name resolution; the table has no process column, so the report does not tie them to a particular process, and that endpoint is the one to pivot on. The UDP rows are PTR (reverse) lookups to 8.8.8.8 for addresses the report shows no other traffic to; check them against the sandbox's idle-baseline traffic before treating them as indicators.

Files

memory/1900-0-0x00007FF687200000-0x00007FF687551000-memory.dmp

memory/1900-1-0x0000014E64A00000-0x0000014E64A10000-memory.dmp

C:\Windows\System\AxFqRpA.exe

MD5 303be004ca833c7889901ac36a1ed38d
SHA1 bfd3842511217218455c349f7028c2c1141a200e
SHA256 daf99014f205f218a35a6bb8f8bd082e7af4a9b90057780b7d0dbb62fbb75ec7
SHA512 8d95ce6ae34a78c2b6b0f3b2037d49b882047e80c2951aad30fa2a3486ab3cb4e2f04796486821a8a0f074a2c9284c27690559004a28e8393b7adbcf685d1fca

C:\Windows\System\SKaQsHR.exe

MD5 c16f033f18a0f435e2d2b29e67196bd5
SHA1 2b6ed4c9092262926f3fc1fab71cd9b88cc32788
SHA256 84436d5c26f1417e4681bca77ae2146f21fbd32663d31d4d9e67bf251fdf51ba
SHA512 3f28f9f35abfe06bc7743a7d7ef12436de832a72077585fc6c334f3f0f13aaccf0b73393d7ed69a996dd94bfac66065cb4ecf1d29e73d170d857c4efd12f5eb5

memory/1996-13-0x00007FF76DA80000-0x00007FF76DDD1000-memory.dmp

C:\Windows\System\qWrdvxd.exe

MD5 d67c6ca6d35b377d57d0e633a98f4410
SHA1 4ddbfa10ce9ef73e41ceb764a4cbcf70e36734a2
SHA256 dc9c227b909e309e842487c064747523ce643966ca93af469608aeeaa4d34eb3
SHA512 442f94cfe89e6ff45499105d4b1ebdcc68de203868f7be011af1be54e2ba63f7408f020a11820a469817d23908eb7196eaa48f904c35dd65e85c9355c39794ff

C:\Windows\System\kCEBmvw.exe

MD5 84d92db4efb83c8fbc9a26bdf9dbf1ce
SHA1 7f82e446feaf0232c9f1ad56c3cdec6035ad3d42
SHA256 0ba5c858f28c9b8b8762be1bffaf0b99bb3aa53fe71f05192c5f7b4c588e2ee8
SHA512 6223b3a934dc815b5491013347ed9e0409dad5688cccb56be924e212726a4982620b089aa795e51289b3485fb9037757520886234d589e89237e19189de0d58e

C:\Windows\System\cBExyJs.exe

MD5 e004efe269a0ac57cdb6cf10b66fbe65
SHA1 eeb2f5e71ea4c8a36f6d56326c1c7285c317e8bc
SHA256 6e589746aa63ef6655cb31d75c134ebcb431b090c558714a7eee34d68d18f9c9
SHA512 276800c031d25b7ff7c2ab936050e6e22a4721d1781d41ba58f9cceb402d9592a759ba1cfe4d6745f2f7abf26aa8e592a9b9121418cf5dc3cd909e11e9636980

memory/1000-63-0x00007FF72A4E0000-0x00007FF72A831000-memory.dmp

C:\Windows\System\ijkhlSq.exe

MD5 686aba5bee1ab1106d8475c8eaaadfb6
SHA1 3e65bd88f02d3efd50dbcbe9484c6e1e0ce1c48a
SHA256 b859f60ac1d20625bc882829e811f40552d7b9190bb7313f8ca787249b0abe9e
SHA512 ae5d0d6d2cce63e14e262fa0b07546da9232110b2b1a8b62a6df11c508bb816203895e16d2003ba96fa6dcd2cb66797a7e65932a382a3be081d48fbc5fba00cf

C:\Windows\System\XpdNWbL.exe

MD5 4ae06478e410d3478f4a17148e36e47b
SHA1 368bf265b2f0680659117f1f266b903519d813c3
SHA256 e50cf0efb815919876d20f67e01f3726a39d8a3953123635cff8a5c8cc643b12
SHA512 3521488c176a11cc734a4f9bc052e2d18403fd365f01c9d8f8c89e5ebbf62530e18bc0d60031fda707211e726989bc6b1cb9f962617afb9b95fde992bb98d56b

C:\Windows\System\PxnTuYe.exe

MD5 a431e3ab0439eff11b1da93924973e93
SHA1 847e9fb879a92130c6e13dc72cd921042536b066
SHA256 e046ba8f5636f02c36c72385d979581b33ca4bff21823638814f6b170bd536b7
SHA512 0c0569981497767b41e63ff6e25416ebf46669917eb54f469290ffcdc9a1ecdc729b1a6598f29c11d2f96a18bc5a7c227103845e41a8364290072e97c428da50

C:\Windows\System\cAqfCMh.exe

MD5 64a6582ca93681ca0b8d8b4658349f4f
SHA1 cdcc8c643fbdfcf005848999bf85585d488a479f
SHA256 a0229d5321f499d9285675babaddf7c94a05e6131b904733b050b964e01ab662
SHA512 7dc05ace00c29ef589549f6d2e88d842ac4136a7d41df242c42cb68c9e2a021c24d807b88fa645e4f8f88951513c7032dd6a473042d83cc6a61fb932bc65cdce

memory/5100-106-0x00007FF663730000-0x00007FF663A81000-memory.dmp

C:\Windows\System\QXQtrPo.exe

MD5 22d6bebd88004616a069496bb1d916ab
SHA1 016f8021f684b06bad822df63a1cb45ee83e818c
SHA256 8c8af0a6c3287691eb85b88da1d648b88cb1737d146021945aa1147941009e7a
SHA512 41800466376eac5b0b58cc25ae43cde9f93ad38a8ad0b2b416a4869e32792080082d959f0c812bc7835ce625fa445b1627fa4541e6c5f61cff3b69f725ed5e98

C:\Windows\System\SYAIKwk.exe

MD5 355399ae3dd1f3fc03e293b8f34b66c9
SHA1 f409926268a95bae42228f3402c9794c54dd8072
SHA256 e86df49d0f12eb862094f42e7384bc3d6a3e7ae785315affc27e11922a923ceb
SHA512 8c20e6adbff3e797129b3cbc3ede79e5dce45e49e7d0a35ae639e2a4aeedef7a88d547c0a86c5eebf033e16f8cdc8b2813f11ee48c3d5bcad93755c1f36019f6

C:\Windows\System\mSdpExi.exe

MD5 ada2e921859b8461422731e10a6a66c1
SHA1 f7694f2d9ca490d6777ec22dbb5072e7f1b29c91
SHA256 34d62568cdc609453d3032797aa4c7ad9ab806b34a06a846e4ef090b7141bdd4
SHA512 1738f7874341bbd84c2513217edb4a6bbd8c41f56e6e11f00bfb2c1dac4db1a4a25965389138244035a60c7529771e241e78a03016b4cd26c528fd8a7ea3cd33

memory/2824-108-0x00007FF7512F0000-0x00007FF751641000-memory.dmp

memory/5004-107-0x00007FF6C2770000-0x00007FF6C2AC1000-memory.dmp

memory/512-105-0x00007FF7A6E50000-0x00007FF7A71A1000-memory.dmp

memory/4836-104-0x00007FF74CFD0000-0x00007FF74D321000-memory.dmp

memory/1180-103-0x00007FF7195E0000-0x00007FF719931000-memory.dmp

memory/3880-97-0x00007FF79A0D0000-0x00007FF79A421000-memory.dmp

memory/4292-96-0x00007FF6B6870000-0x00007FF6B6BC1000-memory.dmp

memory/1620-87-0x00007FF6F4FB0000-0x00007FF6F5301000-memory.dmp

memory/376-81-0x00007FF61B050000-0x00007FF61B3A1000-memory.dmp

memory/4856-80-0x00007FF764430000-0x00007FF764781000-memory.dmp

memory/3780-75-0x00007FF7B2DE0000-0x00007FF7B3131000-memory.dmp

C:\Windows\System\deNJVtU.exe

MD5 9f7aef3cb0ccc37d6362a5b16ea1f1fa
SHA1 9692d7ef331b1c7cb66420098849c78977d88363
SHA256 a4d6c270c5982834f20e36133f41d19b032732fee86a4cdf75b1f072f9657b24
SHA512 ac202f9ce8e3ded8b45b9daf5064df3dd00a95ce7624a17bd186b7a6852b59bfbd5998f2b8a5fb3eb96d8ad0ca15de18a84ddbe71631778b11b213bad5c8a694

C:\Windows\System\wSfrXDs.exe

MD5 991435bd50a54cc69049355c40b169dd
SHA1 402ddbe9251de78eced31087c326488305aa3b51
SHA256 d852e945f13c772e8bed95ba520d65331629e832d745f5e4740d9505345565e5
SHA512 10e275940ecf23b0f94ec3d3d25d5bfd9d6d53e4d4cdd322cf5d829d79dce70b42c0f597a64e7a8400530a92ee05febfefa9aed3e42db9a492b64ca435af1ae3

C:\Windows\System\wXrFXMm.exe

MD5 881c41f351c8a04ea71cbe806cfb0f1a
SHA1 d2fff83801f456e9d8702e78cb8e5f8a99ff61e9
SHA256 e00d60b6551a315257723eade156eaa837cf9dccc81d6624ae0cffceb51451dc
SHA512 67815095258a1a49ef23489a22ce5befa60aa92f69e85d827a274be650694ab7a03610331876290ade0abee3d9911a442b72fe9c0f8ce5951bbd6b54844e79c0

memory/1328-55-0x00007FF68A270000-0x00007FF68A5C1000-memory.dmp

C:\Windows\System\GSEjQud.exe

MD5 b90c1d6329bd4f371de0d2ab5cf3df9a
SHA1 159f44a542fca1b668a26e2c780e8e36d514492b
SHA256 f2352968d24b0b1af160b4fd88bd59c30c8abcbba80fab29cb23b664bf624024
SHA512 02f2064e9998b651d883547610662267a0c6d7aa1a8fc435e0c4363b2bbe317bedf9963ae024a286ac342ae80ddb0bd7b316cea68156e8a5b4d4c3a6852a1db1

memory/2292-49-0x00007FF69AFF0000-0x00007FF69B341000-memory.dmp

memory/4156-48-0x00007FF73A520000-0x00007FF73A871000-memory.dmp

C:\Windows\System\GseQBBk.exe

MD5 e1abd9509725f05ed0a544f5026a3952
SHA1 13ebf8b39ef802d6936a5d0faa5e8c0b2e63cb2e
SHA256 5bd40ad12c66d727ab42bcf5c569d64d3709630b8afeb52cf7b099603645ee36
SHA512 1b5324ec3a80104385d25212adba5e913645e3376d24b98caec1de590a5ea053cce2e77c02ec5119eb5f49434ac6c400c68f6f5358600d4a8e24a2b80d4ac2b8

C:\Windows\System\amAyrjH.exe

MD5 3fdf3d256b10e97c52f98665fa057d00
SHA1 043b5fc5b9d6a22889014fefe9a0fda8f572f94c
SHA256 56177327393a5ec6f548e09fc095d3b3d48f7694cb21a0aa128cfc1cd4dbf36d
SHA512 daa58670e5730a7a62917cc68bf73172925cd1a79190453f507c75fefe32616668b8bc43e6e51c60cc68a21a272adaf7d45274b3877dea0292ee705f7e955b0f

memory/2036-33-0x00007FF681360000-0x00007FF6816B1000-memory.dmp

memory/4744-27-0x00007FF6460B0000-0x00007FF646401000-memory.dmp

C:\Windows\System\tpovEmE.exe

MD5 28d76122c5c11892f574cece62ae3bc9
SHA1 3d918635cbe8b76a8319fd9126dd8540b937da13
SHA256 71853efadda01f4da1035cb2f8913eb8f596570271e4de154cc64ea6a5964337
SHA512 5d9f44838017eb7aa8f49385e8c8b1350e9f348da2dedbdb3c5d3cbcc88d49473534cd898d63a76392a0d2350f67b7249bfc2de3a4bb719451cff6fd56dda8ff

C:\Windows\System\PiSXnIL.exe

MD5 5a8fd82b9eb585b3edfd9ebbe71c3d51
SHA1 d8035f3eb425ea391ac871e7989d35336eb417c4
SHA256 079fdf478f7448831a31a056bc3fe41f03da426eaa028a5e278d2582c82ec8f2
SHA512 3ef2bcc6d8b8c0f11d14ec3d0b2754914c3a66dbfd3d97fc4f45c5ac58edf922452f9e6c472c53ab781a166b653363642af6019cb0a662173845a100b3547458

memory/5072-121-0x00007FF798AC0000-0x00007FF798E11000-memory.dmp

C:\Windows\System\TEDhLPB.exe

MD5 5ad7a0a8bffa9b2d3f83cf2387fd94be
SHA1 6f543806e958c65e28ab2c6653d49a1647891c5d
SHA256 f14be995a1992b3a982e2af124d15bdb711f42b9f5e6528c6506bebc5516af70
SHA512 778d43c3461bb4915934b723f5b352573bf2838feee950158e458a2c51adbef82e38e598c431af2cd12c0d87d04db8e7071b707346785cda678b577f17dbed62

memory/1520-127-0x00007FF7450B0000-0x00007FF745401000-memory.dmp

memory/2036-132-0x00007FF681360000-0x00007FF6816B1000-memory.dmp

memory/4744-130-0x00007FF6460B0000-0x00007FF646401000-memory.dmp

memory/3780-140-0x00007FF7B2DE0000-0x00007FF7B3131000-memory.dmp

memory/5100-147-0x00007FF663730000-0x00007FF663A81000-memory.dmp

memory/5072-148-0x00007FF798AC0000-0x00007FF798E11000-memory.dmp

memory/512-146-0x00007FF7A6E50000-0x00007FF7A71A1000-memory.dmp

memory/2824-145-0x00007FF7512F0000-0x00007FF751641000-memory.dmp

memory/5004-144-0x00007FF6C2770000-0x00007FF6C2AC1000-memory.dmp

memory/376-142-0x00007FF61B050000-0x00007FF61B3A1000-memory.dmp

memory/4856-143-0x00007FF764430000-0x00007FF764781000-memory.dmp

memory/1328-136-0x00007FF68A270000-0x00007FF68A5C1000-memory.dmp

memory/1900-128-0x00007FF687200000-0x00007FF687551000-memory.dmp

memory/1520-149-0x00007FF7450B0000-0x00007FF745401000-memory.dmp

memory/1900-150-0x00007FF687200000-0x00007FF687551000-memory.dmp

memory/1900-151-0x00007FF687200000-0x00007FF687551000-memory.dmp

memory/1996-206-0x00007FF76DA80000-0x00007FF76DDD1000-memory.dmp

memory/4744-208-0x00007FF6460B0000-0x00007FF646401000-memory.dmp

memory/4156-210-0x00007FF73A520000-0x00007FF73A871000-memory.dmp

memory/2036-212-0x00007FF681360000-0x00007FF6816B1000-memory.dmp

memory/1000-215-0x00007FF72A4E0000-0x00007FF72A831000-memory.dmp

memory/2292-218-0x00007FF69AFF0000-0x00007FF69B341000-memory.dmp

memory/1620-216-0x00007FF6F4FB0000-0x00007FF6F5301000-memory.dmp

memory/4292-222-0x00007FF6B6870000-0x00007FF6B6BC1000-memory.dmp

memory/1328-230-0x00007FF68A270000-0x00007FF68A5C1000-memory.dmp

memory/4856-232-0x00007FF764430000-0x00007FF764781000-memory.dmp

memory/3880-228-0x00007FF79A0D0000-0x00007FF79A421000-memory.dmp

memory/4836-225-0x00007FF74CFD0000-0x00007FF74D321000-memory.dmp

memory/3780-227-0x00007FF7B2DE0000-0x00007FF7B3131000-memory.dmp

memory/1180-221-0x00007FF7195E0000-0x00007FF719931000-memory.dmp

memory/5100-237-0x00007FF663730000-0x00007FF663A81000-memory.dmp

memory/512-235-0x00007FF7A6E50000-0x00007FF7A71A1000-memory.dmp

memory/376-242-0x00007FF61B050000-0x00007FF61B3A1000-memory.dmp

memory/2824-240-0x00007FF7512F0000-0x00007FF751641000-memory.dmp

memory/5004-239-0x00007FF6C2770000-0x00007FF6C2AC1000-memory.dmp

memory/5072-246-0x00007FF798AC0000-0x00007FF798E11000-memory.dmp

memory/1520-248-0x00007FF7450B0000-0x00007FF745401000-memory.dmp
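The "Suspicious use of WriteProcessMemory" table above records each call twice per child, the "Files" section names one memory dump per process with its address range, and every dropped executable is listed with four hashes. The Python below is an added example, not part of the sandbox's tooling; it parses a constructed excerpt copied from those tables (two children, four dump names and two hash blocks from the win10 run, plus two dump names and one hash block from the win7 run) and derives what an analyst would pivot on: that every child has the single parent PID 1900, that the dropper and each dropped image map a region of exactly 0x351000 bytes in both runs, that ijkhlSq.exe was written with identical hashes on win7 and win10, and that the seven-letter names directly under C:\Windows\System are a usable hunting pattern. The row regexes, the case-folding of paths, and the 1 MiB threshold that separates mapped images from the dropper's small 0x10000-byte heap region are assumptions about the report's layout, not facts the report states.

```python
# Added example: parse this report's tables and derive pivot facts.
# Not the sandbox's own tooling. Excerpts are constructed by copying a
# subset of rows from the report's WriteProcessMemory and Files sections.
import re

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2"
           r"_cobalt-strike_cobaltstrike_poet-rat.exe")

WIN10_EXCERPT = "\n".join([  # behavioral2 (win10v2004) rows
    f"PID 1900 wrote to memory of 1996 N/A {DROPPER} C:\\Windows\\System\\AxFqRpA.exe",
    f"PID 1900 wrote to memory of 1996 N/A {DROPPER} C:\\Windows\\System\\AxFqRpA.exe",
    f"PID 1900 wrote to memory of 4856 N/A {DROPPER} C:\\Windows\\System\\ijkhlSq.exe",
    f"PID 1900 wrote to memory of 4856 N/A {DROPPER} C:\\Windows\\System\\ijkhlSq.exe",
    "memory/1900-0-0x00007FF687200000-0x00007FF687551000-memory.dmp",
    "memory/1900-1-0x0000014E64A00000-0x0000014E64A10000-memory.dmp",
    "memory/1996-13-0x00007FF76DA80000-0x00007FF76DDD1000-memory.dmp",
    "memory/4856-80-0x00007FF764430000-0x00007FF764781000-memory.dmp",
    r"C:\Windows\System\AxFqRpA.exe",
    "MD5 303be004ca833c7889901ac36a1ed38d",
    "SHA1 bfd3842511217218455c349f7028c2c1141a200e",
    "SHA256 daf99014f205f218a35a6bb8f8bd082e7af4a9b90057780b7d0dbb62fbb75ec7",
    r"C:\Windows\System\ijkhlSq.exe",
    "MD5 686aba5bee1ab1106d8475c8eaaadfb6",
    "SHA1 3e65bd88f02d3efd50dbcbe9484c6e1e0ce1c48a",
    "SHA256 b859f60ac1d20625bc882829e811f40552d7b9190bb7313f8ca787249b0abe9e",
])
WIN7_EXCERPT = "\n".join([  # behavioral1 (win7) rows
    "memory/2208-91-0x0000000002480000-0x00000000027D1000-memory.dmp",
    "memory/2740-94-0x000000013F820000-0x000000013FB71000-memory.dmp",
    r"C:\Windows\system\ijkhlSq.exe",
    "MD5 686aba5bee1ab1106d8475c8eaaadfb6",
    "SHA1 3e65bd88f02d3efd50dbcbe9484c6e1e0ce1c48a",
    "SHA256 b859f60ac1d20625bc882829e811f40552d7b9190bb7313f8ca787249b0abe9e",
])

# Row formats below are assumptions about this report's text layout.
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_RE = re.compile(r"^[A-Za-z]:\\\S+$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
# Seven letters directly under C:\Windows\System: the pattern of every drop here.
DROP_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
IMAGE_MIN = 1 << 20  # assumption: regions >= 1 MiB are mapped images, not heap


def parse_process_writes(text):
    """child PID -> (parent PID, child image); the two rows per child collapse."""
    children = {}
    for line in text.splitlines():
        m = WPM_RE.match(line)
        if m:
            children[int(m.group(2))] = (int(m.group(1)), m.group(4))
    return children

def parse_memory_regions(text):
    """[(pid, start address, size in bytes)] from the memory dump names."""
    out = []
    for line in text.splitlines():
        m = MEM_RE.match(line)
        if m:
            start, end = int(m.group(2), 16), int(m.group(3), 16)
            out.append((int(m.group(1)), start, end - start))
    return out

def parse_dropped_files(text):
    """dropped path (lower-cased; NTFS is case-insensitive) -> {algo: digest}."""
    files, current = {}, None
    for line in text.splitlines():
        if PATH_RE.match(line):
            current = line.lower()
            files[current] = {}
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            files[current][m.group(1)] = m.group(2)
    return files

def fan_out(children):
    """Distinct parents; a single PID means one dropper spawned every child."""
    return sorted({parent for parent, _ in children.values()})

def image_region_sizes(regions):
    """Set of image-sized regions; one value = every image maps the same size."""
    return {size for _, _, size in regions if size >= IMAGE_MIN}

def shared_drops(run_a, run_b):
    """Paths present in both runs with identical SHA256: stable across OS versions."""
    return sorted(p for p in run_a if p in run_b
                  and run_a[p].get("SHA256") == run_b[p].get("SHA256"))

def suspicious_drop_paths(children):
    """Child images matching the seven-letter C:\\Windows\\System naming pattern."""
    return sorted(img for _, img in children.values() if DROP_NAME_RE.match(img))

if __name__ == "__main__":
    kids = parse_process_writes(WIN10_EXCERPT)
    print(fan_out(kids), image_region_sizes(parse_memory_regions(WIN10_EXCERPT)))
    print(shared_drops(parse_dropped_files(WIN7_EXCERPT), parse_dropped_files(WIN10_EXCERPT)))
    print(suspicious_drop_paths(kids))
```

Run against the full report text rather than the excerpt, the same functions give all 21 children under PID 1900, a single image size for all 22 processes, and seven paths (ijkhlSq, cAqfCMh, mSdpExi, SYAIKwk, PiSXnIL, TEDhLPB, QXQtrPo) whose hashes match between the win7 and win10 runs; those seven SHA256 values are the most durable file indicators on this page because they did not change between detonations.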