Malware Analysis Report

2025-01-22 19:31

Sample ID 240806-n49twsycjq
Target 2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat
SHA256 69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20

Threat Level: Known bad

The file 2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobalt Strike reflective loader

xmrig

XMRig Miner payload

Xmrig family

Cobaltstrike

Cobaltstrike family

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 11:58

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 11:58

Reported

2024-08-06 12:00

Platform

win7-20240708-en

Max time kernel

134s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\xhgjvzF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IUqhrQa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UGpoNlK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KlgGcYn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hDjrpmY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bSNBjsn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iVWFQgN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GzJAILh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QUMvCxF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uvkVfdV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SpxwlmZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Lwcptkd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NGkVVkC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qsVFVmy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wlAEjtd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZvjiSlq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\djDjkqi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FetlVvE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LwWmkrT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zgdJTSN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GnQyWvg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2652 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\djDjkqi.exe
PID 2652 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GzJAILh.exe
PID 2652 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QUMvCxF.exe
PID 2652 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FetlVvE.exe
PID 2652 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xhgjvzF.exe
PID 2652 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LwWmkrT.exe
PID 2652 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uvkVfdV.exe
PID 2652 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qsVFVmy.exe
PID 2652 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wlAEjtd.exe
PID 2652 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IUqhrQa.exe
PID 2652 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UGpoNlK.exe
PID 2652 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SpxwlmZ.exe
PID 2652 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KlgGcYn.exe
PID 2652 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hDjrpmY.exe
PID 2652 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zgdJTSN.exe
PID 2652 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bSNBjsn.exe
PID 2652 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Lwcptkd.exe
PID 2652 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iVWFQgN.exe
PID 2652 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GnQyWvg.exe
PID 2652 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZvjiSlq.exe
PID 2652 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NGkVVkC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\djDjkqi.exe

C:\Windows\System\djDjkqi.exe

C:\Windows\System\GzJAILh.exe

C:\Windows\System\GzJAILh.exe

C:\Windows\System\QUMvCxF.exe

C:\Windows\System\QUMvCxF.exe

C:\Windows\System\FetlVvE.exe

C:\Windows\System\FetlVvE.exe

C:\Windows\System\xhgjvzF.exe

C:\Windows\System\xhgjvzF.exe

C:\Windows\System\LwWmkrT.exe

C:\Windows\System\LwWmkrT.exe

C:\Windows\System\uvkVfdV.exe

C:\Windows\System\uvkVfdV.exe

C:\Windows\System\qsVFVmy.exe

C:\Windows\System\qsVFVmy.exe

C:\Windows\System\wlAEjtd.exe

C:\Windows\System\wlAEjtd.exe

C:\Windows\System\IUqhrQa.exe

C:\Windows\System\IUqhrQa.exe

C:\Windows\System\UGpoNlK.exe

C:\Windows\System\UGpoNlK.exe

C:\Windows\System\SpxwlmZ.exe

C:\Windows\System\SpxwlmZ.exe

C:\Windows\System\KlgGcYn.exe

C:\Windows\System\KlgGcYn.exe

C:\Windows\System\hDjrpmY.exe

C:\Windows\System\hDjrpmY.exe

C:\Windows\System\zgdJTSN.exe

C:\Windows\System\zgdJTSN.exe

C:\Windows\System\bSNBjsn.exe

C:\Windows\System\bSNBjsn.exe

C:\Windows\System\Lwcptkd.exe

C:\Windows\System\Lwcptkd.exe

C:\Windows\System\iVWFQgN.exe

C:\Windows\System\iVWFQgN.exe

C:\Windows\System\GnQyWvg.exe

C:\Windows\System\GnQyWvg.exe

C:\Windows\System\ZvjiSlq.exe

C:\Windows\System\ZvjiSlq.exe

C:\Windows\System\NGkVVkC.exe

C:\Windows\System\NGkVVkC.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2584-151-0x000000013FB80000-0x000000013FED4000-memory.dmp

memory/556-152-0x000000013FAE0000-0x000000013FE34000-memory.dmp

memory/1092-153-0x000000013F700000-0x000000013FA54000-memory.dmp

memory/2220-154-0x000000013FD80000-0x00000001400D4000-memory.dmp

memory/1520-155-0x000000013F710000-0x000000013FA64000-memory.dmp

memory/2244-156-0x000000013FAE0000-0x000000013FE34000-memory.dmp

memory/2620-157-0x000000013F140000-0x000000013F494000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 11:58

Reported

2024-08-06 12:00

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\neXwqWq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yVrTXTf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rVQLNOx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YzssdvT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rMnaTHI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EghFXLe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SPsfQUI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yEGHWhx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kxBFycq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ooRMOiv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bqDIKmW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OOBaGRf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RzGBSwc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cvHqAUD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QtwSweZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cxqgXFI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fRANYFa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OIdeQhA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qSVMAYF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JJpWvRm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gTfOuQb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4552 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gTfOuQb.exe
PID 4552 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gTfOuQb.exe
PID 4552 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bqDIKmW.exe
PID 4552 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bqDIKmW.exe
PID 4552 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rMnaTHI.exe
PID 4552 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rMnaTHI.exe
PID 4552 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\neXwqWq.exe
PID 4552 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\neXwqWq.exe
PID 4552 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OIdeQhA.exe
PID 4552 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OIdeQhA.exe
PID 4552 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OOBaGRf.exe
PID 4552 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OOBaGRf.exe
PID 4552 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EghFXLe.exe
PID 4552 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EghFXLe.exe
PID 4552 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RzGBSwc.exe
PID 4552 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RzGBSwc.exe
PID 4552 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yVrTXTf.exe
PID 4552 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yVrTXTf.exe
PID 4552 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cvHqAUD.exe
PID 4552 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cvHqAUD.exe
PID 4552 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qSVMAYF.exe
PID 4552 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qSVMAYF.exe
PID 4552 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SPsfQUI.exe
PID 4552 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SPsfQUI.exe
PID 4552 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QtwSweZ.exe
PID 4552 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QtwSweZ.exe
PID 4552 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JJpWvRm.exe
PID 4552 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JJpWvRm.exe
PID 4552 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yEGHWhx.exe
PID 4552 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yEGHWhx.exe
PID 4552 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kxBFycq.exe
PID 4552 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kxBFycq.exe
PID 4552 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cxqgXFI.exe
PID 4552 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cxqgXFI.exe
PID 4552 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fRANYFa.exe
PID 4552 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fRANYFa.exe
PID 4552 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rVQLNOx.exe
PID 4552 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rVQLNOx.exe
PID 4552 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ooRMOiv.exe
PID 4552 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ooRMOiv.exe
PID 4552 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YzssdvT.exe
PID 4552 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YzssdvT.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\gTfOuQb.exe

C:\Windows\System\gTfOuQb.exe

C:\Windows\System\bqDIKmW.exe

C:\Windows\System\bqDIKmW.exe

C:\Windows\System\rMnaTHI.exe

C:\Windows\System\rMnaTHI.exe

C:\Windows\System\neXwqWq.exe

C:\Windows\System\neXwqWq.exe

C:\Windows\System\OIdeQhA.exe

C:\Windows\System\OIdeQhA.exe

C:\Windows\System\OOBaGRf.exe

C:\Windows\System\OOBaGRf.exe

C:\Windows\System\EghFXLe.exe

C:\Windows\System\EghFXLe.exe

C:\Windows\System\RzGBSwc.exe

C:\Windows\System\RzGBSwc.exe

C:\Windows\System\yVrTXTf.exe

C:\Windows\System\yVrTXTf.exe

C:\Windows\System\cvHqAUD.exe

C:\Windows\System\cvHqAUD.exe

C:\Windows\System\qSVMAYF.exe

C:\Windows\System\qSVMAYF.exe

C:\Windows\System\SPsfQUI.exe

C:\Windows\System\SPsfQUI.exe

C:\Windows\System\QtwSweZ.exe

C:\Windows\System\QtwSweZ.exe

C:\Windows\System\JJpWvRm.exe

C:\Windows\System\JJpWvRm.exe

C:\Windows\System\yEGHWhx.exe

C:\Windows\System\yEGHWhx.exe

C:\Windows\System\kxBFycq.exe

C:\Windows\System\kxBFycq.exe

C:\Windows\System\cxqgXFI.exe

C:\Windows\System\cxqgXFI.exe

C:\Windows\System\fRANYFa.exe

C:\Windows\System\fRANYFa.exe

C:\Windows\System\rVQLNOx.exe

C:\Windows\System\rVQLNOx.exe

C:\Windows\System\ooRMOiv.exe

C:\Windows\System\ooRMOiv.exe

C:\Windows\System\YzssdvT.exe

C:\Windows\System\YzssdvT.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
