Malware Analysis Report

2025-01-22 19:17

Sample ID 240806-n6jqgsycnl
Target 2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat
SHA256 1687f481bc6bc1e38bb20624a3f29846ddb452a1bdf290ac4205156554a3d145
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1687f481bc6bc1e38bb20624a3f29846ddb452a1bdf290ac4205156554a3d145

Threat Level: Known bad

The file 2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike

xmrig

XMRig Miner payload

Cobaltstrike family

Xmrig family

Cobalt Strike reflective loader

XMRig Miner payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 12:00

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 12:00

Reported

2024-08-06 12:03

Platform

win7-20240704-en

Max time kernel

140s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\rIFzjYC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mDdADZL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CtirIxG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TbKMUcK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OudiRvi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FFKMBgX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\REjWmFV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qpsmFDZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iOWWzyI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DBDDgMU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zBKzqIV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JfDmBvb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uYcJWIT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BqzbECA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mLptLwy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ibJeYqF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lGMAfEr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zNqtRVa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zUFZCYq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HRLAFqv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rOjsCfV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2104 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ibJeYqF.exe
PID 2104 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ibJeYqF.exe
PID 2104 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ibJeYqF.exe
PID 2104 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FFKMBgX.exe
PID 2104 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FFKMBgX.exe
PID 2104 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FFKMBgX.exe
PID 2104 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\REjWmFV.exe
PID 2104 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\REjWmFV.exe
PID 2104 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\REjWmFV.exe
PID 2104 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lGMAfEr.exe
PID 2104 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lGMAfEr.exe
PID 2104 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lGMAfEr.exe
PID 2104 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zNqtRVa.exe
PID 2104 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zNqtRVa.exe
PID 2104 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zNqtRVa.exe
PID 2104 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rIFzjYC.exe
PID 2104 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rIFzjYC.exe
PID 2104 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rIFzjYC.exe
PID 2104 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mDdADZL.exe
PID 2104 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mDdADZL.exe
PID 2104 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mDdADZL.exe
PID 2104 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CtirIxG.exe
PID 2104 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CtirIxG.exe
PID 2104 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CtirIxG.exe
PID 2104 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zUFZCYq.exe
PID 2104 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zUFZCYq.exe
PID 2104 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zUFZCYq.exe
PID 2104 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zBKzqIV.exe
PID 2104 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zBKzqIV.exe
PID 2104 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zBKzqIV.exe
PID 2104 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TbKMUcK.exe
PID 2104 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TbKMUcK.exe
PID 2104 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TbKMUcK.exe
PID 2104 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qpsmFDZ.exe
PID 2104 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qpsmFDZ.exe
PID 2104 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qpsmFDZ.exe
PID 2104 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HRLAFqv.exe
PID 2104 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HRLAFqv.exe
PID 2104 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HRLAFqv.exe
PID 2104 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rOjsCfV.exe
PID 2104 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rOjsCfV.exe
PID 2104 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rOjsCfV.exe
PID 2104 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iOWWzyI.exe
PID 2104 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iOWWzyI.exe
PID 2104 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iOWWzyI.exe
PID 2104 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OudiRvi.exe
PID 2104 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OudiRvi.exe
PID 2104 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OudiRvi.exe
PID 2104 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JfDmBvb.exe
PID 2104 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JfDmBvb.exe
PID 2104 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JfDmBvb.exe
PID 2104 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uYcJWIT.exe
PID 2104 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uYcJWIT.exe
PID 2104 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uYcJWIT.exe
PID 2104 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BqzbECA.exe
PID 2104 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BqzbECA.exe
PID 2104 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BqzbECA.exe
PID 2104 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DBDDgMU.exe
PID 2104 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DBDDgMU.exe
PID 2104 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DBDDgMU.exe
PID 2104 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mLptLwy.exe
PID 2104 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mLptLwy.exe
PID 2104 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mLptLwy.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\ibJeYqF.exe

C:\Windows\System\ibJeYqF.exe

C:\Windows\System\FFKMBgX.exe

C:\Windows\System\FFKMBgX.exe

C:\Windows\System\REjWmFV.exe

C:\Windows\System\REjWmFV.exe

C:\Windows\System\lGMAfEr.exe

C:\Windows\System\lGMAfEr.exe

C:\Windows\System\zNqtRVa.exe

C:\Windows\System\zNqtRVa.exe

C:\Windows\System\rIFzjYC.exe

C:\Windows\System\rIFzjYC.exe

C:\Windows\System\mDdADZL.exe

C:\Windows\System\mDdADZL.exe

C:\Windows\System\CtirIxG.exe

C:\Windows\System\CtirIxG.exe

C:\Windows\System\zUFZCYq.exe

C:\Windows\System\zUFZCYq.exe

C:\Windows\System\zBKzqIV.exe

C:\Windows\System\zBKzqIV.exe

C:\Windows\System\TbKMUcK.exe

C:\Windows\System\TbKMUcK.exe

C:\Windows\System\qpsmFDZ.exe

C:\Windows\System\qpsmFDZ.exe

C:\Windows\System\HRLAFqv.exe

C:\Windows\System\HRLAFqv.exe

C:\Windows\System\rOjsCfV.exe

C:\Windows\System\rOjsCfV.exe

C:\Windows\System\iOWWzyI.exe

C:\Windows\System\iOWWzyI.exe

C:\Windows\System\OudiRvi.exe

C:\Windows\System\OudiRvi.exe

C:\Windows\System\JfDmBvb.exe

C:\Windows\System\JfDmBvb.exe

C:\Windows\System\uYcJWIT.exe

C:\Windows\System\uYcJWIT.exe

C:\Windows\System\BqzbECA.exe

C:\Windows\System\BqzbECA.exe

C:\Windows\System\DBDDgMU.exe

C:\Windows\System\DBDDgMU.exe

C:\Windows\System\mLptLwy.exe

C:\Windows\System\mLptLwy.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2104-0-0x000000013F150000-0x000000013F4A1000-memory.dmp

memory/2104-1-0x00000000000F0000-0x0000000000100000-memory.dmp

C:\Windows\system\ibJeYqF.exe

MD5 387995a934c78b068c66b50f7a8f819f
SHA1 cf23b8fa11ca67f0f0f9e31908be013e8bb6aa10
SHA256 7b5ccb3125b68834632f4347df05753e363da350e4fd0f4804643925aab822e5
SHA512 5f8b419527645d793b7f9fa76b83b23c7f503befdde87e0e3726da37a84b5e5d6b723877434a3992f52ab55329e437c6fc3d44dc3ecab70c184b2f2897ffd273

C:\Windows\system\FFKMBgX.exe

MD5 64f42424b4c4e84698545b223367d9d5
SHA1 fcd38bd8aad5cb40980181494d6e5d3f0977d814
SHA256 c571b101c352e7a1fa0757a5441d772d314c5083934eedb887a4dd2c91996b42
SHA512 dd1a4cb217554fd868065c84a15275cb35b9abccb94fceb32bdaf891008d7a334cd93bace3df2627ab3914d883cb7eda61f3e0b38359dd87f62aec2b8167144f

\Windows\system\REjWmFV.exe

MD5 0c73e0ee0b7e01846c9b29a7e107794f
SHA1 d645e45a21180823d83c978f5f539461e6e05c4a
SHA256 08f08fde3c21cc9d1506e6cacdddc2c567a69ee65aef3cd9d2c5604dcfad1859
SHA512 a1bb0c9419483c7d390aa03193caab7bcdbb58bc3c326981a370a12c62a2e0fa69ca4c076a9675d41d39df8bf4932dd0e16ac58f6e269241970cb9558f1cbddd

\Windows\system\zNqtRVa.exe

MD5 047c6422775135bf805aee678306e6e1
SHA1 941fa0660e2da8fcc9b34bb157193ac129fe35f3
SHA256 25cc937575b28279e41f4313bd88bbbce445ac1a97ea29c446a02e8ccb593652
SHA512 7821b4f14604de0da22eb7a7c98c70204c39fa5ab7c8fb6fd02667ea4ed81cc4c54bfd75b7aa31474d2fea09dc3a51177cde94d29fd2673701dfedb16781c4bd

C:\Windows\system\lGMAfEr.exe

MD5 3dacec48a6a54cd90aa44a6f01680f5c
SHA1 58485155955ade6770a7cc1e2e3d2ea892e2de8b
SHA256 371665b7d95533bcef7d04091a3d54a2ed7342964fc3bb2c26a19492269c3970
SHA512 eb9d1f1145a13ebb5645c22dc9425c0b0ec59137eee7fa9eda8298e1d78bae03fc315dc4a69b3fafcbfde6816c53d7fa1775940fc29fa571652f4259ea6f3ad1

\Windows\system\qpsmFDZ.exe

MD5 4d118c536ef1cf30b7742b63e3365c8a
SHA1 db7efe76138b93115c833832d29dd32c6a6775cc
SHA256 f4ffeeaea238021981faa3bcca163f67cb37f10638d193c22b4af144b8b567a5
SHA512 5292e21b96ef06cd0f880ac8e1d6bab0014702baf3434530dca888af02b0818b3f7e0c10f080b2b3de11b78cc3d4102889ba5ad74342c759f6da5cd2dba890a1

memory/2104-122-0x000000013FEA0000-0x00000001401F1000-memory.dmp

\Windows\system\rOjsCfV.exe

MD5 ab48cd7bec2c7e660e7e8c80300ddf62
SHA1 2f89f7397046cee4824b1283b01785e60ee5198d
SHA256 52bede377855abd85477eb6ab5509abf63f5eb026b461e159592eab5fadae0fd
SHA512 d088daeb795da50cb241f330807bde557469ae471c087482c9aa19f475dd0d6aaba880c3f1de63eff14498f1801eb390d2f408cac12eec4116cd7fb3a646ffd2

C:\Windows\system\BqzbECA.exe

MD5 ab959076112238f01207510de628fb95
SHA1 03925df3b7d7310c9ba286c19aa2f29f41921478
SHA256 bb0ac2b3ecf803d2c3f35771fd220e8e993c102c6c6eaef8b597a4bad7b99157
SHA512 7466a6f171994b21d17eda2b191e5e0a1f119463e73e787b00bb5e4c94b85cc6a74d54224b11bf7a10d1032d825d89165cb6c37af0753f7f696d0700ccbf7ba8

C:\Windows\system\JfDmBvb.exe

MD5 7253bf50e025480926e531d7d5e8b2d8
SHA1 4f1688ebf0c5a9afebf110a0a67bd72e6716a170
SHA256 595203a28029ea35c77d7ea5b38122768a5b25a9f9048db40828670b143dc8c5
SHA512 b6f5979e482eded6b1cb1fe2f6e71fbb6d77db4728ee48ad2de9a263b84b006a0937ea26949e03b017697a81cc0b72a2aa51404208ba4f59d6a64d0200edbfff

\Windows\system\DBDDgMU.exe

MD5 f4912b12e14bab6f0ba0cce587183221
SHA1 e3bf36dcbe3fa9e472b081e8107fe27dd251cab0
SHA256 9a6c8d378b510f6ca013e934cf40c6c02863d8f2248cc4ae498a83b2a5e4e529
SHA512 3f5f778d9a0f0037a7c92301a51d9fab702fc7481d8627a7952247bbb0088dd7392e177111eb113630d42b09d5b15c2bb0bc4895e592a8bc2f48348976a9a2bc

memory/2104-97-0x000000013F510000-0x000000013F861000-memory.dmp

\Windows\system\uYcJWIT.exe

MD5 149d10538a602877c2d83d7969b824a4
SHA1 e34d35e68fe4d64c709f958242edac1001e860e3
SHA256 f312ee7585f9c0a2b4d732a4a19430d74cde2b430fd35283737be96ebf3f8db6
SHA512 925bd1e6c93c496b2f324ec05a97b3652d55f5f46b7e3623030c13db13f30d0373d1d197a88679e9922d1975a83fe1e2544c95c0efdf88185cea2b03083206a6

\Windows\system\OudiRvi.exe

MD5 d3a0099cb4f890083fb3de35e3dd7eb1
SHA1 1e5fcbcc3214e032e72812d60de41e3a54e79309
SHA256 2cb9d88f9b18c5b34e8aae7d1c36f1920011a03fdb853c3e3cc4905e7931616d
SHA512 c3c37297801041d7cd61fb3e3f01de29aeaebe1c051d863c62ba752c06ca022aa312e5631a6ace95e56c61c33b0de0921884e0744578af7a34a2743344eea8b9

memory/2964-124-0x000000013FEA0000-0x00000001401F1000-memory.dmp

memory/2264-123-0x000000013F280000-0x000000013F5D1000-memory.dmp

memory/2104-121-0x000000013F7E0000-0x000000013FB31000-memory.dmp

memory/2104-120-0x000000013F5E0000-0x000000013F931000-memory.dmp

memory/2104-119-0x00000000022A0000-0x00000000025F1000-memory.dmp

memory/2104-118-0x000000013F970000-0x000000013FCC1000-memory.dmp

memory/2104-117-0x000000013FE60000-0x00000001401B1000-memory.dmp

memory/2104-116-0x000000013FBC0000-0x000000013FF11000-memory.dmp

memory/2152-115-0x000000013F0E0000-0x000000013F431000-memory.dmp

memory/2860-114-0x000000013F7E0000-0x000000013FB31000-memory.dmp

C:\Windows\system\mLptLwy.exe

MD5 48e8ce1131fa2dbb4d85105e9d9bdaa0
SHA1 4d2ea17beff5c9572a3cfcd8eddb52a15eb3e42d
SHA256 e1c7090ec449d90af79a6ce9ef2f0430b1805469d404ab2476a0727c4e230bae
SHA512 c4b215e11fd8ad5820a448e06c41f9dbc535bd5bff9ca8934ffb3a151c5d66f53ea675924ac69a181a1619d80b8c49949882c0257d8f81bfcf2e722a68d6a9ac

memory/2640-111-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

memory/2832-109-0x000000013FDA0000-0x00000001400F1000-memory.dmp

memory/2156-93-0x000000013F0F0000-0x000000013F441000-memory.dmp

memory/2104-86-0x000000013FDA0000-0x00000001400F1000-memory.dmp

memory/2948-85-0x000000013FE60000-0x00000001401B1000-memory.dmp

memory/2104-83-0x00000000022A0000-0x00000000025F1000-memory.dmp

C:\Windows\system\zBKzqIV.exe

MD5 07de194ae8da32318c7e30b2ff3a34b3
SHA1 d731277c8d87faeb3cede633c0bd50188bc134e5
SHA256 33c46154a246aa9db75e98c1fcd1150e55853504e0f946eda92d60579e2a111a
SHA512 a28a1083fb6563e4e24c6e5c9f068a4af01b0ceff8bb1e91e3ecd43e69edae0aac93ea300628d0145b1080c435e832f0f15c83a32cddba509407d3769ea0ba57

C:\Windows\system\iOWWzyI.exe

MD5 d85cf9b056ec8ce5b331ea0a2e42705b
SHA1 aa3bc198272108977401ca7bece698e2b2fe9af7
SHA256 dd5e9049b7c0a4735e85139c44e33c37d7ea4b8e2aef9e1b0923bf088cde00fb
SHA512 eead0e633ba5c6a2a717127e7f0a2ff52d186d39363d9f27fe9ee3f4561cc6a74a2221f657a8b6cc78bfa4abe1e557ee0082802fdfb6d11eaf19a0b22dfa42c9

C:\Windows\system\HRLAFqv.exe

MD5 32a898a1491ff30daa50286fd44de3f3
SHA1 fbd75357c255e8232f86895313ed77efde0f878a
SHA256 d89324fd7c5adedb71da98789b38f91cb10b96f6d0c5f56f845052bb0ff05e28
SHA512 2866df3b05c7741ed39586575a1577a7c47988c056bce8f5c8b14eaae7a91986cf37485985f7dd3148fe71ee3ee85d4838a9744945e31d8e68815b2234500a50

C:\Windows\system\TbKMUcK.exe

MD5 89b1f7618abce711d7fb023735150725
SHA1 2858b32778186df920c1e98d09ab6aee4b7f0ce5
SHA256 b77f04830ed79bb941784fb78145fe5b16c8be329508676c7c0b795b803fc4b1
SHA512 227bb8e20b6b14c4cb415e3907cd8dcc2ed0db0f291e671262c00f44cef38275d759be1a5a19d6f429bd3880b3a3ec433559e52e828b23702718e4f116f266e2

memory/2864-72-0x000000013F5E0000-0x000000013F931000-memory.dmp

memory/2492-71-0x000000013F470000-0x000000013F7C1000-memory.dmp

C:\Windows\system\CtirIxG.exe

MD5 8914bb8cdee7e14b8efb1387c351df9f
SHA1 25b3f62ce1126f86a4d174a64281b91fddf4adc5
SHA256 f2d0c8bc0c215f56c67cf2ddb8c46bc948ab8428e0185437bcf5d6a143d2f61e
SHA512 c76988e0bddacaa637f824065af7231333f50282e118bde7fde47ce11e6618e0205bc721e69c4d563700a5fed0bb058943ee468fb41c6589cbec60fe27ffbd06

memory/2104-66-0x00000000022A0000-0x00000000025F1000-memory.dmp

C:\Windows\system\rIFzjYC.exe

MD5 2e6f5320eee8d8735841813a1ce3cfc1
SHA1 fa2ca61e2346a3faf9c0060e32f7fc245b3dae53
SHA256 cbd6e0a50f793d262321b470d90bcf6426197224f3e50ddb828f1c09ce688388
SHA512 b2e5f3bc4141200ba75b9fbf4f63f5df5a6e409869c5440f897e3e8e6cbee808c491e453fe0ed35eb5fbc69977955673e0ba315c187663cfa43e9f971fbcab9e

C:\Windows\system\zUFZCYq.exe

MD5 7937b267a6a1f461f037c0baa9dfe3ce
SHA1 0b013f935cf06785f7d14d1d4be7af90b5698acf
SHA256 2b7605d025d9670e63595ec69e78804d8e1f4b4078239cd7b7d32a913e26e530
SHA512 297167c53b48cb606b278bce97c193723eb398b8c225ebcc9602352581b8b2d0c35837dd91b7d6b1db10a3ae2dc9669af79170cfd31412240e004578f1bad775

C:\Windows\system\mDdADZL.exe

MD5 347ee0ac7193382923e76d5da3985d86
SHA1 f4ec52730d34e16c76a3b6c933e47d23adb9310d
SHA256 16134bd437b1c74354c21d27fd3f16534c9af92f100dabcced14cbd251787121
SHA512 07d9bc3776cf2fe25843a3efa258a39f8b24b0d0b57f12fc5b482f4e21b7567fd732a804002f3a8a8d2d48305ec921aebe58664ea67c56f856de03ea1bbca0c3

memory/2180-45-0x000000013F970000-0x000000013FCC1000-memory.dmp

memory/2080-34-0x000000013FB00000-0x000000013FE51000-memory.dmp

memory/2676-23-0x000000013FBC0000-0x000000013FF11000-memory.dmp

memory/2096-19-0x000000013FBC0000-0x000000013FF11000-memory.dmp

memory/2104-17-0x000000013FBC0000-0x000000013FF11000-memory.dmp

memory/2104-133-0x000000013F150000-0x000000013F4A1000-memory.dmp

memory/1484-152-0x000000013F120000-0x000000013F471000-memory.dmp

memory/1380-154-0x000000013F090000-0x000000013F3E1000-memory.dmp

memory/2496-153-0x000000013F780000-0x000000013FAD1000-memory.dmp

memory/1320-151-0x000000013F910000-0x000000013FC61000-memory.dmp

memory/3044-150-0x000000013FD30000-0x0000000140081000-memory.dmp

memory/2552-149-0x000000013F280000-0x000000013F5D1000-memory.dmp

memory/2924-147-0x000000013F510000-0x000000013F861000-memory.dmp

memory/2104-155-0x000000013F150000-0x000000013F4A1000-memory.dmp

memory/2104-158-0x000000013F150000-0x000000013F4A1000-memory.dmp

memory/2104-178-0x000000013FBC0000-0x000000013FF11000-memory.dmp

memory/2096-202-0x000000013FBC0000-0x000000013FF11000-memory.dmp

memory/2676-204-0x000000013FBC0000-0x000000013FF11000-memory.dmp

memory/2080-206-0x000000013FB00000-0x000000013FE51000-memory.dmp

memory/2180-208-0x000000013F970000-0x000000013FCC1000-memory.dmp

memory/2864-210-0x000000013F5E0000-0x000000013F931000-memory.dmp

memory/2492-212-0x000000013F470000-0x000000013F7C1000-memory.dmp

memory/2948-214-0x000000013FE60000-0x00000001401B1000-memory.dmp

memory/2832-216-0x000000013FDA0000-0x00000001400F1000-memory.dmp

memory/2640-222-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

memory/2860-226-0x000000013F7E0000-0x000000013FB31000-memory.dmp

memory/2152-228-0x000000013F0E0000-0x000000013F431000-memory.dmp

memory/2156-221-0x000000013F0F0000-0x000000013F441000-memory.dmp

memory/2264-219-0x000000013F280000-0x000000013F5D1000-memory.dmp

memory/2964-224-0x000000013FEA0000-0x00000001401F1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 12:00

Reported

2024-08-06 12:03

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\zBKzqIV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TbKMUcK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OudiRvi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JfDmBvb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BqzbECA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ibJeYqF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rIFzjYC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FFKMBgX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rOjsCfV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CtirIxG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iOWWzyI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DBDDgMU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mLptLwy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\REjWmFV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zNqtRVa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zUFZCYq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qpsmFDZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HRLAFqv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uYcJWIT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lGMAfEr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mDdADZL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3672 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ibJeYqF.exe
PID 3672 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ibJeYqF.exe
PID 3672 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FFKMBgX.exe
PID 3672 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FFKMBgX.exe
PID 3672 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\REjWmFV.exe
PID 3672 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\REjWmFV.exe
PID 3672 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lGMAfEr.exe
PID 3672 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lGMAfEr.exe
PID 3672 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zNqtRVa.exe
PID 3672 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zNqtRVa.exe
PID 3672 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rIFzjYC.exe
PID 3672 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rIFzjYC.exe
PID 3672 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mDdADZL.exe
PID 3672 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mDdADZL.exe
PID 3672 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CtirIxG.exe
PID 3672 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CtirIxG.exe
PID 3672 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zUFZCYq.exe
PID 3672 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zUFZCYq.exe
PID 3672 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zBKzqIV.exe
PID 3672 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zBKzqIV.exe
PID 3672 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TbKMUcK.exe
PID 3672 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TbKMUcK.exe
PID 3672 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qpsmFDZ.exe
PID 3672 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qpsmFDZ.exe
PID 3672 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HRLAFqv.exe
PID 3672 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HRLAFqv.exe
PID 3672 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rOjsCfV.exe
PID 3672 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rOjsCfV.exe
PID 3672 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iOWWzyI.exe
PID 3672 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iOWWzyI.exe
PID 3672 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OudiRvi.exe
PID 3672 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OudiRvi.exe
PID 3672 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JfDmBvb.exe
PID 3672 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JfDmBvb.exe
PID 3672 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uYcJWIT.exe
PID 3672 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uYcJWIT.exe
PID 3672 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BqzbECA.exe
PID 3672 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BqzbECA.exe
PID 3672 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DBDDgMU.exe
PID 3672 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DBDDgMU.exe
PID 3672 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mLptLwy.exe
PID 3672 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mLptLwy.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_a2a70371a61ff2799dc0813b899073d0_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\ibJeYqF.exe

C:\Windows\System\ibJeYqF.exe

C:\Windows\System\FFKMBgX.exe

C:\Windows\System\FFKMBgX.exe

C:\Windows\System\REjWmFV.exe

C:\Windows\System\REjWmFV.exe

C:\Windows\System\lGMAfEr.exe

C:\Windows\System\lGMAfEr.exe

C:\Windows\System\zNqtRVa.exe

C:\Windows\System\zNqtRVa.exe

C:\Windows\System\rIFzjYC.exe

C:\Windows\System\rIFzjYC.exe

C:\Windows\System\mDdADZL.exe

C:\Windows\System\mDdADZL.exe

C:\Windows\System\CtirIxG.exe

C:\Windows\System\CtirIxG.exe

C:\Windows\System\zUFZCYq.exe

C:\Windows\System\zUFZCYq.exe

C:\Windows\System\zBKzqIV.exe

C:\Windows\System\zBKzqIV.exe

C:\Windows\System\TbKMUcK.exe

C:\Windows\System\TbKMUcK.exe

C:\Windows\System\qpsmFDZ.exe

C:\Windows\System\qpsmFDZ.exe

C:\Windows\System\HRLAFqv.exe

C:\Windows\System\HRLAFqv.exe

C:\Windows\System\rOjsCfV.exe

C:\Windows\System\rOjsCfV.exe

C:\Windows\System\iOWWzyI.exe

C:\Windows\System\iOWWzyI.exe

C:\Windows\System\OudiRvi.exe

C:\Windows\System\OudiRvi.exe

C:\Windows\System\JfDmBvb.exe

C:\Windows\System\JfDmBvb.exe

C:\Windows\System\uYcJWIT.exe

C:\Windows\System\uYcJWIT.exe

C:\Windows\System\BqzbECA.exe

C:\Windows\System\BqzbECA.exe

C:\Windows\System\DBDDgMU.exe

C:\Windows\System\DBDDgMU.exe

C:\Windows\System\mLptLwy.exe

C:\Windows\System\mLptLwy.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 149.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/3672-0-0x00007FF725DC0000-0x00007FF726111000-memory.dmp

memory/3672-1-0x0000017F00490000-0x0000017F004A0000-memory.dmp

C:\Windows\System\ibJeYqF.exe

MD5 387995a934c78b068c66b50f7a8f819f
SHA1 cf23b8fa11ca67f0f0f9e31908be013e8bb6aa10
SHA256 7b5ccb3125b68834632f4347df05753e363da350e4fd0f4804643925aab822e5
SHA512 5f8b419527645d793b7f9fa76b83b23c7f503befdde87e0e3726da37a84b5e5d6b723877434a3992f52ab55329e437c6fc3d44dc3ecab70c184b2f2897ffd273

C:\Windows\System\FFKMBgX.exe

MD5 64f42424b4c4e84698545b223367d9d5
SHA1 fcd38bd8aad5cb40980181494d6e5d3f0977d814
SHA256 c571b101c352e7a1fa0757a5441d772d314c5083934eedb887a4dd2c91996b42
SHA512 dd1a4cb217554fd868065c84a15275cb35b9abccb94fceb32bdaf891008d7a334cd93bace3df2627ab3914d883cb7eda61f3e0b38359dd87f62aec2b8167144f

memory/2420-12-0x00007FF6B78C0000-0x00007FF6B7C11000-memory.dmp

C:\Windows\System\lGMAfEr.exe

MD5 3dacec48a6a54cd90aa44a6f01680f5c
SHA1 58485155955ade6770a7cc1e2e3d2ea892e2de8b
SHA256 371665b7d95533bcef7d04091a3d54a2ed7342964fc3bb2c26a19492269c3970
SHA512 eb9d1f1145a13ebb5645c22dc9425c0b0ec59137eee7fa9eda8298e1d78bae03fc315dc4a69b3fafcbfde6816c53d7fa1775940fc29fa571652f4259ea6f3ad1

C:\Windows\System\rIFzjYC.exe

MD5 2e6f5320eee8d8735841813a1ce3cfc1
SHA1 fa2ca61e2346a3faf9c0060e32f7fc245b3dae53
SHA256 cbd6e0a50f793d262321b470d90bcf6426197224f3e50ddb828f1c09ce688388
SHA512 b2e5f3bc4141200ba75b9fbf4f63f5df5a6e409869c5440f897e3e8e6cbee808c491e453fe0ed35eb5fbc69977955673e0ba315c187663cfa43e9f971fbcab9e

memory/228-34-0x00007FF638230000-0x00007FF638581000-memory.dmp

C:\Windows\System\mDdADZL.exe

MD5 347ee0ac7193382923e76d5da3985d86
SHA1 f4ec52730d34e16c76a3b6c933e47d23adb9310d
SHA256 16134bd437b1c74354c21d27fd3f16534c9af92f100dabcced14cbd251787121
SHA512 07d9bc3776cf2fe25843a3efa258a39f8b24b0d0b57f12fc5b482f4e21b7567fd732a804002f3a8a8d2d48305ec921aebe58664ea67c56f856de03ea1bbca0c3

memory/2300-43-0x00007FF79B510000-0x00007FF79B861000-memory.dmp

C:\Windows\System\zNqtRVa.exe

MD5 047c6422775135bf805aee678306e6e1
SHA1 941fa0660e2da8fcc9b34bb157193ac129fe35f3
SHA256 25cc937575b28279e41f4313bd88bbbce445ac1a97ea29c446a02e8ccb593652
SHA512 7821b4f14604de0da22eb7a7c98c70204c39fa5ab7c8fb6fd02667ea4ed81cc4c54bfd75b7aa31474d2fea09dc3a51177cde94d29fd2673701dfedb16781c4bd

C:\Windows\System\CtirIxG.exe

MD5 8914bb8cdee7e14b8efb1387c351df9f
SHA1 25b3f62ce1126f86a4d174a64281b91fddf4adc5
SHA256 f2d0c8bc0c215f56c67cf2ddb8c46bc948ab8428e0185437bcf5d6a143d2f61e
SHA512 c76988e0bddacaa637f824065af7231333f50282e118bde7fde47ce11e6618e0205bc721e69c4d563700a5fed0bb058943ee468fb41c6589cbec60fe27ffbd06

C:\Windows\System\zBKzqIV.exe

MD5 07de194ae8da32318c7e30b2ff3a34b3
SHA1 d731277c8d87faeb3cede633c0bd50188bc134e5
SHA256 33c46154a246aa9db75e98c1fcd1150e55853504e0f946eda92d60579e2a111a
SHA512 a28a1083fb6563e4e24c6e5c9f068a4af01b0ceff8bb1e91e3ecd43e69edae0aac93ea300628d0145b1080c435e832f0f15c83a32cddba509407d3769ea0ba57

C:\Windows\System\TbKMUcK.exe

MD5 89b1f7618abce711d7fb023735150725
SHA1 2858b32778186df920c1e98d09ab6aee4b7f0ce5
SHA256 b77f04830ed79bb941784fb78145fe5b16c8be329508676c7c0b795b803fc4b1
SHA512 227bb8e20b6b14c4cb415e3907cd8dcc2ed0db0f291e671262c00f44cef38275d759be1a5a19d6f429bd3880b3a3ec433559e52e828b23702718e4f116f266e2

C:\Windows\System\zUFZCYq.exe

MD5 7937b267a6a1f461f037c0baa9dfe3ce
SHA1 0b013f935cf06785f7d14d1d4be7af90b5698acf
SHA256 2b7605d025d9670e63595ec69e78804d8e1f4b4078239cd7b7d32a913e26e530
SHA512 297167c53b48cb606b278bce97c193723eb398b8c225ebcc9602352581b8b2d0c35837dd91b7d6b1db10a3ae2dc9669af79170cfd31412240e004578f1bad775

C:\Windows\System\iOWWzyI.exe

MD5 d85cf9b056ec8ce5b331ea0a2e42705b
SHA1 aa3bc198272108977401ca7bece698e2b2fe9af7
SHA256 dd5e9049b7c0a4735e85139c44e33c37d7ea4b8e2aef9e1b0923bf088cde00fb
SHA512 eead0e633ba5c6a2a717127e7f0a2ff52d186d39363d9f27fe9ee3f4561cc6a74a2221f657a8b6cc78bfa4abe1e557ee0082802fdfb6d11eaf19a0b22dfa42c9

C:\Windows\System\rOjsCfV.exe

MD5 ab48cd7bec2c7e660e7e8c80300ddf62
SHA1 2f89f7397046cee4824b1283b01785e60ee5198d
SHA256 52bede377855abd85477eb6ab5509abf63f5eb026b461e159592eab5fadae0fd
SHA512 d088daeb795da50cb241f330807bde557469ae471c087482c9aa19f475dd0d6aaba880c3f1de63eff14498f1801eb390d2f408cac12eec4116cd7fb3a646ffd2

C:\Windows\System\OudiRvi.exe

MD5 d3a0099cb4f890083fb3de35e3dd7eb1
SHA1 1e5fcbcc3214e032e72812d60de41e3a54e79309
SHA256 2cb9d88f9b18c5b34e8aae7d1c36f1920011a03fdb853c3e3cc4905e7931616d
SHA512 c3c37297801041d7cd61fb3e3f01de29aeaebe1c051d863c62ba752c06ca022aa312e5631a6ace95e56c61c33b0de0921884e0744578af7a34a2743344eea8b9

memory/5092-97-0x00007FF6A1470000-0x00007FF6A17C1000-memory.dmp

memory/4000-108-0x00007FF72C970000-0x00007FF72CCC1000-memory.dmp

memory/4924-112-0x00007FF6297C0000-0x00007FF629B11000-memory.dmp

C:\Windows\System\BqzbECA.exe

MD5 ab959076112238f01207510de628fb95
SHA1 03925df3b7d7310c9ba286c19aa2f29f41921478
SHA256 bb0ac2b3ecf803d2c3f35771fd220e8e993c102c6c6eaef8b597a4bad7b99157
SHA512 7466a6f171994b21d17eda2b191e5e0a1f119463e73e787b00bb5e4c94b85cc6a74d54224b11bf7a10d1032d825d89165cb6c37af0753f7f696d0700ccbf7ba8

C:\Windows\System\mLptLwy.exe

MD5 48e8ce1131fa2dbb4d85105e9d9bdaa0
SHA1 4d2ea17beff5c9572a3cfcd8eddb52a15eb3e42d
SHA256 e1c7090ec449d90af79a6ce9ef2f0430b1805469d404ab2476a0727c4e230bae
SHA512 c4b215e11fd8ad5820a448e06c41f9dbc535bd5bff9ca8934ffb3a151c5d66f53ea675924ac69a181a1619d80b8c49949882c0257d8f81bfcf2e722a68d6a9ac

memory/2496-125-0x00007FF766680000-0x00007FF7669D1000-memory.dmp

memory/2296-126-0x00007FF699820000-0x00007FF699B71000-memory.dmp

memory/2024-124-0x00007FF6D1720000-0x00007FF6D1A71000-memory.dmp

memory/628-123-0x00007FF76CD10000-0x00007FF76D061000-memory.dmp

memory/2972-122-0x00007FF7E6430000-0x00007FF7E6781000-memory.dmp

memory/64-119-0x00007FF6C2F80000-0x00007FF6C32D1000-memory.dmp

C:\Windows\System\DBDDgMU.exe

MD5 f4912b12e14bab6f0ba0cce587183221
SHA1 e3bf36dcbe3fa9e472b081e8107fe27dd251cab0
SHA256 9a6c8d378b510f6ca013e934cf40c6c02863d8f2248cc4ae498a83b2a5e4e529
SHA512 3f5f778d9a0f0037a7c92301a51d9fab702fc7481d8627a7952247bbb0088dd7392e177111eb113630d42b09d5b15c2bb0bc4895e592a8bc2f48348976a9a2bc

memory/2896-117-0x00007FF6B5260000-0x00007FF6B55B1000-memory.dmp

C:\Windows\System\uYcJWIT.exe

MD5 149d10538a602877c2d83d7969b824a4
SHA1 e34d35e68fe4d64c709f958242edac1001e860e3
SHA256 f312ee7585f9c0a2b4d732a4a19430d74cde2b430fd35283737be96ebf3f8db6
SHA512 925bd1e6c93c496b2f324ec05a97b3652d55f5f46b7e3623030c13db13f30d0373d1d197a88679e9922d1975a83fe1e2544c95c0efdf88185cea2b03083206a6

C:\Windows\System\JfDmBvb.exe

MD5 7253bf50e025480926e531d7d5e8b2d8
SHA1 4f1688ebf0c5a9afebf110a0a67bd72e6716a170
SHA256 595203a28029ea35c77d7ea5b38122768a5b25a9f9048db40828670b143dc8c5
SHA512 b6f5979e482eded6b1cb1fe2f6e71fbb6d77db4728ee48ad2de9a263b84b006a0937ea26949e03b017697a81cc0b72a2aa51404208ba4f59d6a64d0200edbfff

memory/2164-92-0x00007FF61D1B0000-0x00007FF61D501000-memory.dmp

memory/4404-85-0x00007FF6868E0000-0x00007FF686C31000-memory.dmp

C:\Windows\System\HRLAFqv.exe

MD5 32a898a1491ff30daa50286fd44de3f3
SHA1 fbd75357c255e8232f86895313ed77efde0f878a
SHA256 d89324fd7c5adedb71da98789b38f91cb10b96f6d0c5f56f845052bb0ff05e28
SHA512 2866df3b05c7741ed39586575a1577a7c47988c056bce8f5c8b14eaae7a91986cf37485985f7dd3148fe71ee3ee85d4838a9744945e31d8e68815b2234500a50

C:\Windows\System\qpsmFDZ.exe

MD5 4d118c536ef1cf30b7742b63e3365c8a
SHA1 db7efe76138b93115c833832d29dd32c6a6775cc
SHA256 f4ffeeaea238021981faa3bcca163f67cb37f10638d193c22b4af144b8b567a5
SHA512 5292e21b96ef06cd0f880ac8e1d6bab0014702baf3434530dca888af02b0818b3f7e0c10f080b2b3de11b78cc3d4102889ba5ad74342c759f6da5cd2dba890a1

memory/4888-59-0x00007FF6031D0000-0x00007FF603521000-memory.dmp

memory/4184-56-0x00007FF7C9D20000-0x00007FF7CA071000-memory.dmp

memory/5028-52-0x00007FF6DB7D0000-0x00007FF6DBB21000-memory.dmp

memory/5032-32-0x00007FF7D69D0000-0x00007FF7D6D21000-memory.dmp

memory/1672-28-0x00007FF7EEB30000-0x00007FF7EEE81000-memory.dmp

C:\Windows\System\REjWmFV.exe

MD5 0c73e0ee0b7e01846c9b29a7e107794f
SHA1 d645e45a21180823d83c978f5f539461e6e05c4a
SHA256 08f08fde3c21cc9d1506e6cacdddc2c567a69ee65aef3cd9d2c5604dcfad1859
SHA512 a1bb0c9419483c7d390aa03193caab7bcdbb58bc3c326981a370a12c62a2e0fa69ca4c076a9675d41d39df8bf4932dd0e16ac58f6e269241970cb9558f1cbddd

memory/4428-15-0x00007FF629430000-0x00007FF629781000-memory.dmp

memory/2300-134-0x00007FF79B510000-0x00007FF79B861000-memory.dmp

memory/2496-148-0x00007FF766680000-0x00007FF7669D1000-memory.dmp

memory/4000-143-0x00007FF72C970000-0x00007FF72CCC1000-memory.dmp

memory/5092-142-0x00007FF6A1470000-0x00007FF6A17C1000-memory.dmp

memory/2164-141-0x00007FF61D1B0000-0x00007FF61D501000-memory.dmp

memory/5028-136-0x00007FF6DB7D0000-0x00007FF6DBB21000-memory.dmp

memory/4428-130-0x00007FF629430000-0x00007FF629781000-memory.dmp

memory/4404-139-0x00007FF6868E0000-0x00007FF686C31000-memory.dmp

memory/4888-137-0x00007FF6031D0000-0x00007FF603521000-memory.dmp

memory/3672-128-0x00007FF725DC0000-0x00007FF726111000-memory.dmp

memory/228-133-0x00007FF638230000-0x00007FF638581000-memory.dmp

memory/1672-131-0x00007FF7EEB30000-0x00007FF7EEE81000-memory.dmp

memory/3672-150-0x00007FF725DC0000-0x00007FF726111000-memory.dmp

memory/2420-205-0x00007FF6B78C0000-0x00007FF6B7C11000-memory.dmp

memory/4428-207-0x00007FF629430000-0x00007FF629781000-memory.dmp

memory/5032-209-0x00007FF7D69D0000-0x00007FF7D6D21000-memory.dmp

memory/1672-211-0x00007FF7EEB30000-0x00007FF7EEE81000-memory.dmp

memory/2300-213-0x00007FF79B510000-0x00007FF79B861000-memory.dmp

memory/228-217-0x00007FF638230000-0x00007FF638581000-memory.dmp

memory/4184-216-0x00007FF7C9D20000-0x00007FF7CA071000-memory.dmp

memory/5028-219-0x00007FF6DB7D0000-0x00007FF6DBB21000-memory.dmp

memory/4888-221-0x00007FF6031D0000-0x00007FF603521000-memory.dmp

memory/2896-223-0x00007FF6B5260000-0x00007FF6B55B1000-memory.dmp

memory/64-227-0x00007FF6C2F80000-0x00007FF6C32D1000-memory.dmp

memory/4404-226-0x00007FF6868E0000-0x00007FF686C31000-memory.dmp

memory/2164-229-0x00007FF61D1B0000-0x00007FF61D501000-memory.dmp

memory/5092-231-0x00007FF6A1470000-0x00007FF6A17C1000-memory.dmp

memory/4000-233-0x00007FF72C970000-0x00007FF72CCC1000-memory.dmp

memory/2972-237-0x00007FF7E6430000-0x00007FF7E6781000-memory.dmp

memory/4924-236-0x00007FF6297C0000-0x00007FF629B11000-memory.dmp

memory/2024-241-0x00007FF6D1720000-0x00007FF6D1A71000-memory.dmp

memory/2296-240-0x00007FF699820000-0x00007FF699B71000-memory.dmp

memory/628-243-0x00007FF76CD10000-0x00007FF76D061000-memory.dmp

memory/2496-246-0x00007FF766680000-0x00007FF7669D1000-memory.dmp