Malware Analysis Report

2025-01-22 19:21

Sample ID 240806-n7dwmasekg
Target 2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat
SHA256 783891f9badcd0dab4da8eb3baeb4ebd82bf0a197ff420218b9a46d7a6dac967
Tags miner upx 0 xmrig cobaltstrike backdoor trojan
Score 10/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 783891f9badcd0dab4da8eb3baeb4ebd82bf0a197ff420218b9a46d7a6dac967

Threat Level: Known bad

The file 2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike family

XMRig Miner payload

Cobaltstrike

xmrig

Cobalt Strike reflective loader

Xmrig family

XMRig Miner payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-08-06 12:01

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-08-06 12:01
Reported 2024-08-06 12:04
Platform win7-20240705-en
Max time kernel 138s
Max time network 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 hits; no description, indicator, process or target was recorded for any of them)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(59 hits; no description, indicator, process or target was recorded for any of them)

Loads dropped DLL

Description Indicator Process Target
(21 events, all from process C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe; description, indicator and target were not recorded)

UPX packed file

upx
Description Indicator Process Target
(57 hits; no description, indicator, process or target was recorded for any of them)

Drops file in Windows directory

Description Indicator Process Target
Process for every row: C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe; Target N/A. The indicator of each row is the file created:
File created C:\Windows\System\iWEVvWv.exe
File created C:\Windows\System\iFdilAE.exe
File created C:\Windows\System\PSmevMm.exe
File created C:\Windows\System\wuEcThH.exe
File created C:\Windows\System\NzhTfSA.exe
File created C:\Windows\System\rxajomg.exe
File created C:\Windows\System\KeXZBEg.exe
File created C:\Windows\System\dxWTUIx.exe
File created C:\Windows\System\cyKtUds.exe
File created C:\Windows\System\JjYOmSE.exe
File created C:\Windows\System\Utbivbh.exe
File created C:\Windows\System\WqhGPwl.exe
File created C:\Windows\System\Ozsyrhc.exe
File created C:\Windows\System\hQgEJwK.exe
File created C:\Windows\System\VINnNzD.exe
File created C:\Windows\System\VOPEzDj.exe
File created C:\Windows\System\ywYCbDo.exe
File created C:\Windows\System\dVKoFES.exe
File created C:\Windows\System\zyMHqsB.exe
File created C:\Windows\System\yluKqCg.exe
File created C:\Windows\System\PvErwhz.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Process for every row: C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe (PID 884); Indicator N/A. Each target below was written to three times (three rows per target in the original table):
PID 884 wrote to memory of 1924  C:\Windows\System\JjYOmSE.exe
PID 884 wrote to memory of 2796  C:\Windows\System\KeXZBEg.exe
PID 884 wrote to memory of 2876  C:\Windows\System\yluKqCg.exe
PID 884 wrote to memory of 2816  C:\Windows\System\PvErwhz.exe
PID 884 wrote to memory of 2764  C:\Windows\System\dxWTUIx.exe
PID 884 wrote to memory of 2960  C:\Windows\System\Utbivbh.exe
PID 884 wrote to memory of 2976  C:\Windows\System\VINnNzD.exe
PID 884 wrote to memory of 2832  C:\Windows\System\ywYCbDo.exe
PID 884 wrote to memory of 2656  C:\Windows\System\iWEVvWv.exe
PID 884 wrote to memory of 2700  C:\Windows\System\cyKtUds.exe
PID 884 wrote to memory of 1448  C:\Windows\System\dVKoFES.exe
PID 884 wrote to memory of 1984  C:\Windows\System\VOPEzDj.exe
PID 884 wrote to memory of 2672  C:\Windows\System\zyMHqsB.exe
PID 884 wrote to memory of 2204  C:\Windows\System\iFdilAE.exe
PID 884 wrote to memory of 2496  C:\Windows\System\WqhGPwl.exe
PID 884 wrote to memory of 2420  C:\Windows\System\Ozsyrhc.exe
PID 884 wrote to memory of 1036  C:\Windows\System\PSmevMm.exe
PID 884 wrote to memory of 3028  C:\Windows\System\wuEcThH.exe
PID 884 wrote to memory of 1664  C:\Windows\System\NzhTfSA.exe
PID 884 wrote to memory of 2516  C:\Windows\System\hQgEJwK.exe
PID 884 wrote to memory of 2224  C:\Windows\System\rxajomg.exe

Processes

Process  Command line
C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe  "C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\JjYOmSE.exe  C:\Windows\System\JjYOmSE.exe
C:\Windows\System\KeXZBEg.exe  C:\Windows\System\KeXZBEg.exe
C:\Windows\System\yluKqCg.exe  C:\Windows\System\yluKqCg.exe
C:\Windows\System\PvErwhz.exe  C:\Windows\System\PvErwhz.exe
C:\Windows\System\dxWTUIx.exe  C:\Windows\System\dxWTUIx.exe
C:\Windows\System\Utbivbh.exe  C:\Windows\System\Utbivbh.exe
C:\Windows\System\VINnNzD.exe  C:\Windows\System\VINnNzD.exe
C:\Windows\System\ywYCbDo.exe  C:\Windows\System\ywYCbDo.exe
C:\Windows\System\iWEVvWv.exe  C:\Windows\System\iWEVvWv.exe
C:\Windows\System\cyKtUds.exe  C:\Windows\System\cyKtUds.exe
C:\Windows\System\dVKoFES.exe  C:\Windows\System\dVKoFES.exe
C:\Windows\System\VOPEzDj.exe  C:\Windows\System\VOPEzDj.exe
C:\Windows\System\zyMHqsB.exe  C:\Windows\System\zyMHqsB.exe
C:\Windows\System\iFdilAE.exe  C:\Windows\System\iFdilAE.exe
C:\Windows\System\WqhGPwl.exe  C:\Windows\System\WqhGPwl.exe
C:\Windows\System\Ozsyrhc.exe  C:\Windows\System\Ozsyrhc.exe
C:\Windows\System\PSmevMm.exe  C:\Windows\System\PSmevMm.exe
C:\Windows\System\wuEcThH.exe  C:\Windows\System\wuEcThH.exe
C:\Windows\System\NzhTfSA.exe  C:\Windows\System\NzhTfSA.exe
C:\Windows\System\hQgEJwK.exe  C:\Windows\System\hQgEJwK.exe
C:\Windows\System\rxajomg.exe  C:\Windows\System\rxajomg.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (no domain recorded) tcp (6 identical connections)

Files

memory/884-0-0x000000013F7D0000-0x000000013FB24000-memory.dmp

memory/884-1-0x00000000003F0000-0x0000000000400000-memory.dmp

C:\Windows\system\JjYOmSE.exe

MD5 8d293678e5e499315421cd60e368a328
SHA1 1c35bb2f01fed11c72d1ee01552e15d94d035082
SHA256 c956708c95003215fe5ee4a81e518c95e3768e93b411a754662f04f9be445267
SHA512 2d7efe8a84012d335579fccdbfe1cc8d6eeff8f6cbe3fb545723c659ef0879f3694e09eb92c4da99903cf03096f7367c048680a168de0bdf6dfea99102b7c8b3

memory/884-8-0x000000013F440000-0x000000013F794000-memory.dmp

\Windows\system\KeXZBEg.exe

MD5 9a18d609321c991ba5269e0f55de0b6f
SHA1 37bde00060ad595cc797e7c120eef01766cb8dd2
SHA256 e40b98675c7cf6fbdef7ed794b8310cef3f29210fdc9cf212d8b564ecfdcb8b8
SHA512 bc4e3f31c55bd7d03493b132fb70c82ca874c1340205b3bf0f8eedd47925a7cdb2f0c8051e5ebf342671802031890448320d700bf65321eb75b05e9ce728a2a7

memory/1924-12-0x000000013F440000-0x000000013F794000-memory.dmp

memory/2796-14-0x000000013FEA0000-0x00000001401F4000-memory.dmp

C:\Windows\system\yluKqCg.exe

MD5 29da39d1777611b5b7c42bf5170aa9f3
SHA1 c5fcdbb0c372c55dfd419deea57adc8d7c52f76c
SHA256 3f80cf41e30c5e77ab68bf18f8f2d849072f46b15bcdac54b6771b05a79ef3ff
SHA512 47d1e0855f803a5695997a7ccf3df54fc4e06ea0049d6f814ab812bfe46806c273ae615045af43cbc05359cf82b70ca6a645213afe4aa00416477f099cf60ad1

\Windows\system\PvErwhz.exe

MD5 f8992f9b27144d775d217cf7854963ea
SHA1 f234e3bc0c27c1ae49591c3f293d59a435753054
SHA256 4e1f4e71e3abe0bdb3659eb40142dee9be29f37cc919b4f8f1a2f0cb41effd39
SHA512 e761727df9ee3d8012721a6ef961917668c7089ceeee3e2762b5907ee41409ed2b6962700fd853f0c7a8b6dcca66199222c250a64eb80d53dd5f1e692970679c

memory/2764-33-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

C:\Windows\system\Utbivbh.exe

MD5 048744e267de33e5460091e91715f461
SHA1 05840aa99c3a9db4ddbd9d5004fb57d6221fa3e2
SHA256 180da5d5c5d61574710f494cec7f7ce004d902e47e6f1d70edac325f14d1e219
SHA512 5462649950c9beefe2d5dc6d21a0b41f53f844a27d4e8f3e8198ba1d632aa7be284d2acf54e558d20822a91151e777d4e36ec0228b4fba26bf194a947d4bb660

memory/2960-40-0x000000013F910000-0x000000013FC64000-memory.dmp

C:\Windows\system\VINnNzD.exe

MD5 99951c41a29ede0f03a17f562e66afd3
SHA1 cdcd1f6eeb938268376c134ec7601c1c5c52250a
SHA256 a3466b504dd9b655ec64fdee44d5d3decb8a99265eb76f50fb50792016eeeb93
SHA512 561e0203c01d2530f06050071ff75b7328cc16029c69b7ec771ef745adbac3cbac5758c38eb73c919df174961c20f218b295989f0e22f29c8520a12ea97f49e8

C:\Windows\system\iWEVvWv.exe

MD5 dd91a2fd2e1d1c560ba7f70dd56403b4
SHA1 dfa85bb02e85e751f53d1877d742204b4ba15ae8
SHA256 aa9d28f10d715e0fd0346dd41eb830069506283dc44448671e0cb38e33beca16
SHA512 11a57d10df9a95ec31b3ea5417d6ee8639d11ef9f0d71c89380858128c2eb310eba97025f5f8bb337fe41b2139361f9b22ac53ebbf87671d429a47711cf144f5

C:\Windows\system\PSmevMm.exe

MD5 afbf1d9a0b1edb6163efb15413714962
SHA1 7e56f9b8618ff02792939879cbef53e4ce94944f
SHA256 d90f069382dd3d5c906a5030ec5eb9ebd4d31b664e28e322d80b190af55f9934
SHA512 b085d5dde808b1121cce7c5662287ee62bb1ad13e7d2c95fd01d28e2c1c616af21487b2ecc61f57f512fa3e53087299002c3adb9c9c3f0bf7c3d07003eb7c4b4

\Windows\system\rxajomg.exe

MD5 83bacaf4b115381c1d44d1fb9294c954
SHA1 cce056c439dae38a08954c6a0cf52a91ed0d308d
SHA256 679dbdbf39c1a0127d04c7302a9dc33aa4497736aa9d6474139109094f6d719b
SHA512 1b5c5587116c2d0a5b29943f6bb77db0d3a6c7357084fb5cf5551f526ade421cfc49d61f292f505e7bb400fe1c287147fe98694d7e59379d2fb8e61674394066

C:\Windows\system\hQgEJwK.exe

MD5 cbd543e219b0730a23cc39a1abf91a18
SHA1 f4258e7a7c0d7ae4cd50cd829e48801e1ed457f0
SHA256 1511858d7f59167a0b5a6a3d21791f0a7b289b2e9660211afe84b30918fc2945
SHA512 62e90639cce6d053eefb7c6b66fe7f4bade74ecf25b33409311f4b4522cb4a1e21d809ec51e409e59f1d942aa58a478f40d4b8719c95b2e35a5729e31e61c450

C:\Windows\system\NzhTfSA.exe

MD5 2e8c03d1e17f1c4cbe874455866372d0
SHA1 40fff09d07d6f4611b19d6a5896454b4add58f0c
SHA256 49061d2e30cb8f7020a3a9fa083ab34d54e1eeb652c13aa1d2e8be91e65b409e
SHA512 2ab3e3d3756f88405055b71d6bd182202fd32ba16bf3bb0392d5af56006c057f6d92c95cb52012abc89297ad321db8c354e7d9612115bf601c491ab43dab4ae3

C:\Windows\system\wuEcThH.exe

MD5 90698bde0b11305bba84ad7bdb5ce7df
SHA1 122dbc0036534e824558e661b23ef4d411db2147
SHA256 086f9951bf23779c8a9114198bca6fee7f0ab0cdda7527dfeaa1f1c9c00aba38
SHA512 fa861b5d8923f1a274dbf6b1f23f4152465f5e5e8b93230132c5bb72ae2cf6049e2d796731e5586570784ffebbc0e838bc935e59a31473eb3e016fddb0d2324d

memory/2656-107-0x000000013FF00000-0x0000000140254000-memory.dmp

C:\Windows\system\WqhGPwl.exe

MD5 f5b237b27da5362376c96508e754b56e
SHA1 bbfccfdb5a6d2dad2a39841c9d015e6d5227c0c5
SHA256 af8d9f87fe5420a09a9a86e1ca9afaadde64eba5fc0cdcaa0d5920bf0aa9c5b9
SHA512 8a83329e5ca25bedf8e776e2fd1694e2a82e9e4a15f0910240efcff8178926f958326b662654117662c3764d48eedfbe163ac85c14334b79be24a825c24bbd4e

C:\Windows\system\zyMHqsB.exe

MD5 37215013fb11553905d34005ce71734b
SHA1 ee56c47d4fb2da8b7907aa863db5433f27edc75f
SHA256 2973e61d26caaa70be73131e05755b070b9e92f254280aa6b6519ecba6f61d30
SHA512 2f20586461b8775485d3bc227a60750ee74b193004b189575a0c367984b22cba0c3a041be6fdafcfc0cd33a6c27959c394aa0522392e53455a90fe8fb6b29a4c

C:\Windows\system\dVKoFES.exe

MD5 0f1e5a736e02f760c44c3a396f133ae0
SHA1 b2a4e98fe037e8c95d6532cc08a53cd9d01ca8cf
SHA256 6fc217fd889807158accbf5161ed03fd120315b99ebd94381183a5b7fe97a527
SHA512 5ad52b263e18da9ecf8f9fb338718eeb35f4efb0aac03daacc8818aca6caf2eca6020b48582ab6b3ad192d6f3bffd369500a97f6f1a0e218b2072bff1178f6e7

memory/884-77-0x0000000002330000-0x0000000002684000-memory.dmp

memory/884-54-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2700-98-0x000000013FCD0000-0x0000000140024000-memory.dmp

memory/884-97-0x000000013F200000-0x000000013F554000-memory.dmp

memory/2796-96-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/884-95-0x000000013FC10000-0x000000013FF64000-memory.dmp

memory/2420-94-0x000000013F410000-0x000000013F764000-memory.dmp

memory/2204-93-0x000000013FF60000-0x00000001402B4000-memory.dmp

memory/1984-87-0x000000013FBD0000-0x000000013FF24000-memory.dmp

memory/2876-86-0x000000013F200000-0x000000013F554000-memory.dmp

C:\Windows\system\Ozsyrhc.exe

MD5 16f2add5a7bd8a78226c3c7d6000aa83
SHA1 fb0585238b40b5b3ee9535327cc63d55c37b64e9
SHA256 afa83733218d3ef1deec55b92ce6ec7e3fa6c6eb73f10678915a9ca2364a43b2
SHA512 34cc773c713a2475946c5e95a8ca240f5c4a98eee7e8a85a6dbd36d3d120d146f607c2fa486f3cca72fafaa44c78c9efddd9bb7075fa3ecc45af90b4271a90c1

C:\Windows\system\iFdilAE.exe

MD5 df544bcc7e997e34df3bb591b26e7c7f
SHA1 f2942225212ad739a9e5ccc0822a587482e2a8de
SHA256 9536f476a3a275d9c6289da112ee81b4bfb21e64d4f07c3143a6be8e37d977a3
SHA512 1ede233c80191ce0ea6359c63ee7b5bfef622bf288b249505f981fc704ffb834dfed74e24cc67ac56e380557feec9c599ecd78d773b5e37479c255141f096200

C:\Windows\system\VOPEzDj.exe

MD5 b85906160cf8faecf630cb9163c884c5
SHA1 ec8099d5a5e8c77b2a740a444f7dfdccea1e3a5b
SHA256 2527752898b50cb194b8fbe25754283f04a49757d30ad119d2150a512c94b69a
SHA512 d68f54ea3e9f15b10af3381e598af8f75fca436ba19a6e4671279a621c73a592e3016158bf6ea42378b3adeb52798ad0f6255afb5fbd578d6be07993041d2fc1

C:\Windows\system\cyKtUds.exe

MD5 881a694db364502f526517c39aa4b31d
SHA1 31ba055fd170bda4d92ed1aff2c31660f9f5feaa
SHA256 d4032f95989e9af9a0c9dff4e4854145c70ec51f340162743f65f102147ba53b
SHA512 018992395f1616c3cce3491ac1823a111418eae92757c58e2c5f61c99a588b5d334b7497672cc4117d121decfcaa30edaa91b7850de3ae15e00879736a786d36

memory/884-81-0x000000013FF60000-0x00000001402B4000-memory.dmp

memory/884-73-0x000000013FBD0000-0x000000013FF24000-memory.dmp

memory/884-60-0x000000013F7D0000-0x000000013FB24000-memory.dmp

memory/2832-58-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2976-50-0x000000013F280000-0x000000013F5D4000-memory.dmp

C:\Windows\system\ywYCbDo.exe

MD5 3f261bc893b1c3d879c2ffabcddcea39
SHA1 d5f43db8fb151a50ae9962827991ab2e0c61e9d0
SHA256 1922b18651444f1738816666369503ec8ef2e8ba7f31a1ba203e47f3f25ce7c0
SHA512 16c4e8e8134ea0ab651317ff1c851701d7f66cc48b89a0139a9b2278d77186724fe43711f15f9379d9f4f62829a061264c48b6c96d99758b4ee435c56c501f90

memory/884-39-0x0000000002330000-0x0000000002684000-memory.dmp

memory/2816-31-0x000000013FB70000-0x000000013FEC4000-memory.dmp

C:\Windows\system\dxWTUIx.exe

MD5 bf8efa01e41d04057c0506aacd88f64f
SHA1 d3cc22da2c35b95d1f45b8cdf1acd83cc7e4ad25
SHA256 5aae3d89b95ee00a3c525bf85319f4f2b077a9dbd57cefd3297609cbc763510d
SHA512 00754c5853071cfebfe03d9362980d46d27922f85104eb71cb74641fa9a8beb9e08b617b1569a8595b52ebee23d77087074c13fab7b80019877eb7e66a639d0a

memory/884-27-0x000000013FB70000-0x000000013FEC4000-memory.dmp

memory/2876-25-0x000000013F200000-0x000000013F554000-memory.dmp

memory/2960-133-0x000000013F910000-0x000000013FC64000-memory.dmp

memory/2764-132-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

memory/2832-134-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/884-135-0x0000000002330000-0x0000000002684000-memory.dmp

memory/884-136-0x000000013FF60000-0x00000001402B4000-memory.dmp

memory/1984-137-0x000000013FBD0000-0x000000013FF24000-memory.dmp

memory/2204-138-0x000000013FF60000-0x00000001402B4000-memory.dmp

memory/884-139-0x000000013F410000-0x000000013F764000-memory.dmp

memory/2656-140-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/1924-141-0x000000013F440000-0x000000013F794000-memory.dmp

memory/2796-142-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/2816-143-0x000000013FB70000-0x000000013FEC4000-memory.dmp

memory/2876-144-0x000000013F200000-0x000000013F554000-memory.dmp

memory/2764-145-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

memory/2960-146-0x000000013F910000-0x000000013FC64000-memory.dmp

memory/2976-147-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/1984-151-0x000000013FBD0000-0x000000013FF24000-memory.dmp

memory/2204-150-0x000000013FF60000-0x00000001402B4000-memory.dmp

memory/2700-149-0x000000013FCD0000-0x0000000140024000-memory.dmp

memory/2420-148-0x000000013F410000-0x000000013F764000-memory.dmp

memory/2832-152-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2656-153-0x000000013FF00000-0x0000000140254000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 12:01

Reported

2024-08-06 12:04

Platform

win10v2004-20240802-en

Max time kernel

137s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows; no description, indicator, process or target was recorded for any match)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; no description, indicator, process or target was recorded for any match)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; no description, indicator, process or target was recorded for any match)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\IVEUQXm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DHAfmDZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jGZsULr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DlwMupT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QwUZQUp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JHIJKPu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hWzAxWN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kLvCWPn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mioHQOr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IzsTmtp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gCNGGra.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rwKZFXK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gTkKfiF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UuDBOZx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OkqVEAO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PDLUetW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WBWdnmI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NOGcTMI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mYosFKp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xTGwuLF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rnOkjfT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4444 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QwUZQUp.exe
PID 4444 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QwUZQUp.exe
PID 4444 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rwKZFXK.exe
PID 4444 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rwKZFXK.exe
PID 4444 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IVEUQXm.exe
PID 4444 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IVEUQXm.exe
PID 4444 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PDLUetW.exe
PID 4444 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PDLUetW.exe
PID 4444 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JHIJKPu.exe
PID 4444 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JHIJKPu.exe
PID 4444 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gTkKfiF.exe
PID 4444 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gTkKfiF.exe
PID 4444 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hWzAxWN.exe
PID 4444 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hWzAxWN.exe
PID 4444 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kLvCWPn.exe
PID 4444 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kLvCWPn.exe
PID 4444 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mioHQOr.exe
PID 4444 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mioHQOr.exe
PID 4444 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IzsTmtp.exe
PID 4444 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IzsTmtp.exe
PID 4444 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WBWdnmI.exe
PID 4444 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WBWdnmI.exe
PID 4444 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NOGcTMI.exe
PID 4444 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NOGcTMI.exe
PID 4444 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DHAfmDZ.exe
PID 4444 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DHAfmDZ.exe
PID 4444 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mYosFKp.exe
PID 4444 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mYosFKp.exe
PID 4444 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UuDBOZx.exe
PID 4444 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UuDBOZx.exe
PID 4444 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gCNGGra.exe
PID 4444 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gCNGGra.exe
PID 4444 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xTGwuLF.exe
PID 4444 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xTGwuLF.exe
PID 4444 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rnOkjfT.exe
PID 4444 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rnOkjfT.exe
PID 4444 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jGZsULr.exe
PID 4444 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jGZsULr.exe
PID 4444 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DlwMupT.exe
PID 4444 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DlwMupT.exe
PID 4444 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OkqVEAO.exe
PID 4444 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OkqVEAO.exe
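
The two tables above answer a question an analyst has to settle by hand: which of the files dropped into C:\Windows\System were actually started by the dropper, and did every one of them follow the same seven-letter naming pattern. The script below is an added example, not part of the sandbox report. It joins the "File created" rows with the "wrote to memory of" rows in the report's own row format; a dropped image that the same parent then writes into as a running child counts as executed, and the duplicated rows per child collapse into one set of PIDs. The rows embedded in it are a constructed subset of the tables above with the long submission filename shortened to sample.exe, and the function names are this example's own.

```python
"""Drop-and-execute correlation over the report's own row formats.

Added example, not part of the sandbox report. The sample rows are a
constructed subset of the "Drops file in Windows directory" and
"Suspicious use of WriteProcessMemory" tables; sample.exe stands in for
the long submission filename. Function names are this example's.
"""
import re

# Constructed sample: three dropped files, memory writes for two of them
# (one duplicated, as in the report), and one write into a process the
# parent did not drop, which must not count as a drop-and-execute chain.
SAMPLE_ROWS = r"""
File created C:\Windows\System\IVEUQXm.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Windows\System\QwUZQUp.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Windows\System\rwKZFXK.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
PID 4444 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\QwUZQUp.exe
PID 4444 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\QwUZQUp.exe
PID 4444 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\rwKZFXK.exe
PID 4444 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\explorer.exe
"""

FILE_CREATED = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+) (?P<target>\S+)$")
WROTE_MEMORY = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ (?P<proc>\S+) (?P<target>\S+)$"
)
# Seven letters under C:\Windows\System\ is the pattern every dropped file in
# this report follows. The directory is matched case-insensitively because
# the win7 run lists the same directory as C:\Windows\system\.
RANDOM_NAME = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse_events(text):
    """Split rows into (path, creating_process) and
    (src_pid, dst_pid, src_process, target_image) tuples."""
    created, writes = [], []
    for line in text.strip().splitlines():
        m = FILE_CREATED.match(line)
        if m:
            created.append((m["path"], m["proc"]))
            continue
        m = WROTE_MEMORY.match(line)
        if m:
            writes.append((int(m["src"]), int(m["dst"]), m["proc"], m["target"]))
    return created, writes


def drop_and_execute_chains(text):
    """Map each dropped image to the child PIDs its own dropper wrote into.
    Writes into a process whose image the writer did not drop are ignored."""
    created, writes = parse_events(text)
    dropper_of = {path.lower(): proc.lower() for path, proc in created}
    chains = {}
    for _src, dst, proc, target in writes:
        if dropper_of.get(target.lower()) == proc.lower():
            chains.setdefault(target, set()).add(dst)
    return chains


def summarize(text):
    """Triage counts: files dropped, files then started by the dropper,
    files dropped but never started, and whether every dropped name fits
    the seven-letter pattern."""
    created, _ = parse_events(text)
    chains = drop_and_execute_chains(text)
    executed = {path.lower() for path in chains}
    not_executed = [path for path, _ in created if path.lower() not in executed]
    return {
        "dropped": len(created),
        "executed": len(chains),
        "not_executed": not_executed,
        "all_random_names": all(RANDOM_NAME.match(path) for path, _ in created),
    }


if __name__ == "__main__":
    for image, pids in sorted(drop_and_execute_chains(SAMPLE_ROWS).items()):
        print(f"{image} started as PID(s) {sorted(pids)}")
    print(summarize(SAMPLE_ROWS))
```

Run against the full tables above, every one of the 20 dropped files has a matching write from PID 4444, so "not_executed" comes back empty; the sample keeps IVEUQXm.exe without a write to show what an un-started drop looks like.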

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\QwUZQUp.exe

C:\Windows\System\QwUZQUp.exe

C:\Windows\System\rwKZFXK.exe

C:\Windows\System\rwKZFXK.exe

C:\Windows\System\IVEUQXm.exe

C:\Windows\System\IVEUQXm.exe

C:\Windows\System\PDLUetW.exe

C:\Windows\System\PDLUetW.exe

C:\Windows\System\JHIJKPu.exe

C:\Windows\System\JHIJKPu.exe

C:\Windows\System\gTkKfiF.exe

C:\Windows\System\gTkKfiF.exe

C:\Windows\System\hWzAxWN.exe

C:\Windows\System\hWzAxWN.exe

C:\Windows\System\kLvCWPn.exe

C:\Windows\System\kLvCWPn.exe

C:\Windows\System\mioHQOr.exe

C:\Windows\System\mioHQOr.exe

C:\Windows\System\IzsTmtp.exe

C:\Windows\System\IzsTmtp.exe

C:\Windows\System\WBWdnmI.exe

C:\Windows\System\WBWdnmI.exe

C:\Windows\System\NOGcTMI.exe

C:\Windows\System\NOGcTMI.exe

C:\Windows\System\DHAfmDZ.exe

C:\Windows\System\DHAfmDZ.exe

C:\Windows\System\mYosFKp.exe

C:\Windows\System\mYosFKp.exe

C:\Windows\System\UuDBOZx.exe

C:\Windows\System\UuDBOZx.exe

C:\Windows\System\gCNGGra.exe

C:\Windows\System\gCNGGra.exe

C:\Windows\System\xTGwuLF.exe

C:\Windows\System\xTGwuLF.exe

C:\Windows\System\rnOkjfT.exe

C:\Windows\System\rnOkjfT.exe

C:\Windows\System\jGZsULr.exe

C:\Windows\System\jGZsULr.exe

C:\Windows\System\DlwMupT.exe

C:\Windows\System\DlwMupT.exe

C:\Windows\System\OkqVEAO.exe

C:\Windows\System\OkqVEAO.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
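
The Network table mixes one destination contacted by bare IP on TCP/8080, with no name resolution for it anywhere in the table, with a series of PTR queries sent to 8.8.8.8. The script below is an added example, not part of the sandbox report, that separates the two: it collapses the repeated TCP rows into a single destination with a hit count, and rewrites each in-addr.arpa name back to the address it asks about (67.31.126.40.in-addr.arpa is the reverse of 40.126.31.67). Whether those reverse lookups are sandbox or operating-system background traffic is a judgement the report does not make; the script only makes them readable. The rows embedded below are a constructed subset of the table above and the function names are this example's.

```python
"""Triage of a sandbox Network table: direct connections versus PTR lookups.

Added example, not part of the sandbox report. NET_ROWS is a constructed
subset of the report's Network table; function names are this example's.
"""
from collections import Counter

NET_ROWS = """
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
"""


def ptr_name_to_ip(name):
    """'67.31.126.40.in-addr.arpa' -> '40.126.31.67'; None for non-PTR names."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def parse_rows(text):
    """Rows are 'Country Destination [Domain] Proto'. Domain is absent for the
    raw TCP connection, so split on whitespace and branch on the field count."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def triage_network(text):
    """Collapse repeated connections to (ip, port, proto) counts, list the
    addresses that were only reverse-resolved, and keep any forward DNS
    query names separately so a resolved C2 name is not lost."""
    connections = Counter()
    reverse_lookups, dns_queries = [], []
    for r in parse_rows(text):
        if r["domain"] and r["port"] == 53:
            ip = ptr_name_to_ip(r["domain"])
            if ip is None:
                if r["domain"] not in dns_queries:
                    dns_queries.append(r["domain"])
            elif ip not in reverse_lookups:
                reverse_lookups.append(ip)
            continue
        connections[(r["ip"], r["port"], r["proto"])] += 1
    return {"connections": connections,
            "reverse_lookups": reverse_lookups,
            "dns_queries": dns_queries}


if __name__ == "__main__":
    result = triage_network(NET_ROWS)
    for (ip, port, proto), n in result["connections"].items():
        print(f"{proto} {ip}:{port} x{n}")
    print("PTR lookups for:", ", ".join(result["reverse_lookups"]))
    print("forward DNS queries:", result["dns_queries"])
```

For the full table above the only entry in "connections" is 3.120.209.58:8080 over TCP, seen six times, and "dns_queries" stays empty, which is the point worth recording: the sample reaches its TCP destination without resolving a name for it.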

Files

memory/4444-0-0x00007FF660D10000-0x00007FF661064000-memory.dmp

memory/4444-1-0x000001E395E60000-0x000001E395E70000-memory.dmp

C:\Windows\System\QwUZQUp.exe

MD5 da3b7293109d31143a81538335e5aeb1
SHA1 166c3fd2dbb753d5c16551252bbf29b5823b55dc
SHA256 91490d2c94721d32b3afbd88e7aba2b6a8e0f91125b87e8b06ab85028e7f3a11
SHA512 3333fc9fc17aacd7a53701772146d3b578b45ab833e94623dfce45394fc47e070d98255d9f83cfe4c60510f1b95e609e11a5c882e5a64a51d72cf6e9f767d7c6

memory/5048-7-0x00007FF6342A0000-0x00007FF6345F4000-memory.dmp

C:\Windows\System\rwKZFXK.exe

MD5 fb76903dad601ef591bf88126615389e
SHA1 ece4af8976565a914620398e5d0cda9094e004c9
SHA256 14dab2acf10166f05d0289d19fe3b69b81d1e80bf0880df8897d703fb9964cc7
SHA512 9acb7d85a8dbaa310fc2b96d30070332eba5f7ea37439bc0513e882859565bde17726a1ba027774e45fbe18433930d6c5afeb0cc6ea57fdfd6ad79b5c58623d3

memory/3980-13-0x00007FF7DE950000-0x00007FF7DECA4000-memory.dmp

C:\Windows\System\IVEUQXm.exe

MD5 5ef16353ea88176ef495fd2a7a23f9d9
SHA1 4bc2e7259eac5e5d8cf7a798384433fcbdb5d391
SHA256 c23f7e5cdad52164b13c98694833e62322ab73bb899d092a8e1680eea49bdcc8
SHA512 1e14ab3302a3705e9a1a973e199f6905f3f73eb95c07d23c7503be3c60783443a3718c9fc34966c30e03003c5bc2cf916aaaa56bc63e9cd852128091b600d8ea

C:\Windows\System\JHIJKPu.exe

MD5 2f61d8e77fd716b6163ac85cc6edcaad
SHA1 1481a80cb5eca3149e113407c6c74ee1b0967b3d
SHA256 fa6957fda8d22398725575f823cbf92f36b841378eb3b6cefe9a1625ba87a053
SHA512 8a352f5200c431a870cde577d632d018364cb9b29fb25671376d2cc131096ceb1bb4facd616e9723ef3cf2f688dee428eb3ebe6a1cae6777c84859161a082381

memory/2596-27-0x00007FF7EAF00000-0x00007FF7EB254000-memory.dmp

C:\Windows\System\gTkKfiF.exe

MD5 d6dcff3280b646656907380a66dd410a
SHA1 c7911d74ba461bd5d49f56a2224b812614fb251a
SHA256 df1c0de1b7a258e727d4248bca1203bcf5f6d015368055e5e1e5cdf71a0a350f
SHA512 3a26bdaa22e781a3c5bf1be8b3311e1bed1a9ea965c4a06ec142904475647a8a8b7ec1b361e2dcdba28f84b84ed4f94770d9674238ada30950bb1b2a5fcaeb84

C:\Windows\System\kLvCWPn.exe

MD5 0d28aa660a7c0924f0cd5d2bb4d9afa5
SHA1 35398dfc8f83bf8f59b87ad101a736c07af3fc45
SHA256 917ee15588037aae810890c10f20b1faedd567f87aaa53b76b46fcbfe17ad7bc
SHA512 60d07c10e24c1988c071737893a0d30fc9f4d7f6815d39e0180f722f934b3914e52246ad3d94268a7e713281bc51ba24261c8ac243d2335a4fb93f7ab4d99757

C:\Windows\System\hWzAxWN.exe

MD5 6a579ed048f7161cc42432e7116958e7
SHA1 8578e6f828e8fae90ea10371ea84e2cde213b96e
SHA256 8ea409d6b10c40b2e6f7de36f6afc10bf1752635dc17a931c0e1b261e45861fc
SHA512 5b153cfe99f5b89b29ef90675263b2e524a424d9fecb55726b2a2a04bf87df059ad79b8af62eb8396a700b314ce9470ac1b868d1ad7c6dd377ea2d906811fc56

C:\Windows\System\mioHQOr.exe

MD5 7ea0ae496c25e7676040c17390e29a16
SHA1 6f011d038a14537b7d46e70e42571e75213625aa
SHA256 77a72d7f56ddcba5b1c69c1b6ef0ac8a26ae1600471fa33bcbf56c57bcc3a6d3
SHA512 e82081dd9f35d1484a6e4893c316e88068a22a6c36915364d7f20eb983ce539576871df70e1f92a9bda09e0f79e77f3a1deaad06eee627f54c51100d5a287a20

C:\Windows\System\IzsTmtp.exe

MD5 8020c10ff4427d31e3dd0a92163217e4
SHA1 04a12ac684e49752c3c1b2c6666ee2d6287502ec
SHA256 762e75a44e677fd271726dbd803c356a4042641725dd006da0c858dab562b28f
SHA512 95ca6d62aaa993bda2592c86b53b536acbda847843c4dbd58d77fd7b1364bf60f768fc6ff96c576568e63a9875e9c5277f6de49aae2fbf2432f6507835cfa872

C:\Windows\System\WBWdnmI.exe

MD5 1997992bc9be8b6c464775c25e86b587
SHA1 52ac7fe42bc9320443cce3b783b6bf11c7ec5432
SHA256 180d9d0c3b836909dc9c47d366155d0cabebb65d28c9309f3ef4c4f783794aa6
SHA512 639a41cbbda970dbc3a08a93746c85113f33af701c083ec57fb815c9bf5dfe03eec0e69d18f7fdd4d3a65761f6dcf5182e51aba0023b22f7a886b95f8a71cfcd

memory/1920-65-0x00007FF70E6B0000-0x00007FF70EA04000-memory.dmp

C:\Windows\System\DHAfmDZ.exe

MD5 b50ffe168aad1599dc128ff13c8224f7
SHA1 6079a3c350446bf2e99d51268c317f31eea4179c
SHA256 b014492c25a3d237e75a70638bdf86e9e925e3327b9ad7af4fee407f5617a20e
SHA512 02a0b986acfbfbbcbe364e1c1cb2e5b111b78a7ebdd09937335c7ad62e7ef50e6d43a6f54442d27c3850f8106922065379c8168dbef76e57bd4cfcc57d371f23

C:\Windows\System\gCNGGra.exe

MD5 067ee2b530fecd1cb38dbe566141b5a2
SHA1 ad42a7f3fb405d5dfcaeea1fe7813dd0f63c0048
SHA256 e58b1dcf8f649cd446b9311c659b1688b608040c3b33b52a310aa87a61fea013
SHA512 e6bad5a57c951ec46cdd0934aa26889f7081d2ccb09aab0f38000797026cfdeda686f1bdab5f0a5574bd0f73c0f0e1d02427eccb7c7e57aee82a91ff12b403ed

memory/4012-87-0x00007FF743AF0000-0x00007FF743E44000-memory.dmp

memory/3000-97-0x00007FF638440000-0x00007FF638794000-memory.dmp

memory/2952-96-0x00007FF6A39D0000-0x00007FF6A3D24000-memory.dmp

C:\Windows\System\UuDBOZx.exe

MD5 41875c24ac3fd4323589d24a105eb82a
SHA1 f09baaa3b65062a98187ceb762e42e5c6edfc259
SHA256 9205d3565fd1b97c7c26840b382e98e3c42f0ae498b7bc910f984cdee54bb310
SHA512 79731c7b9d2d3321bd88aec42c200b04957bf62dcd179a1fa2a6611bc7331c14c9c734b7440ab4a831e087f50195043eb97b06ff8f2135e596382a039f37a4e5

C:\Windows\System\mYosFKp.exe

MD5 18ddfea6a4bac9600a4c122ec1bae9c6
SHA1 d685840b9f7fd0eb76708ed41fcac5be51f366a2
SHA256 f2206fd70f0d1155aa0d01e4d15c566aff9e25b406722a40c83d71fee573c6a4
SHA512 13f3f9986c69c10ec1d2c1188ec5a574f0d0a246bab36c41c5c9924c07b0e344085ea70527983327758f0a66a86b3826260c7138daab252565942fccf08b801c

C:\Windows\System\NOGcTMI.exe

MD5 78ddbfcaf0a667d014c5fc13d6a1c6fb
SHA1 62c184921e53acb946e5ec6659c7b4a7059296a8
SHA256 9c215f24fd83dfa7fed19996d03bde4ee8e4c4bd22015e6e50d0be9ed2d11232
SHA512 a5abeffced0c88cf4adde055244b800d3b412a24a26dd7f653c69c404f85e24c93064fb960c8861af1a08840c92df8f22e6f95bdd4239dfb00b04fbcf9d1b065

memory/1556-82-0x00007FF622780000-0x00007FF622AD4000-memory.dmp

memory/3936-81-0x00007FF622BB0000-0x00007FF622F04000-memory.dmp

memory/2420-76-0x00007FF6D3080000-0x00007FF6D33D4000-memory.dmp

memory/1840-75-0x00007FF6C89F0000-0x00007FF6C8D44000-memory.dmp

memory/3048-69-0x00007FF773B40000-0x00007FF773E94000-memory.dmp

memory/2708-60-0x00007FF6AF100000-0x00007FF6AF454000-memory.dmp

memory/1988-37-0x00007FF6328C0000-0x00007FF632C14000-memory.dmp

memory/1492-32-0x00007FF794E00000-0x00007FF795154000-memory.dmp

C:\Windows\System\PDLUetW.exe

MD5 2be69c80c539fa53cf2040ac9c62f941
SHA1 05038a85150112b76bc159675f8a743945a455b7
SHA256 0e8b84c3c3f29d69f5f8dfa60825a8a8d929078d475beafb74b553288ef96c0b
SHA512 b5449e9f742e40f6058b27663455b45a2a12b75dc159f464b591ac25182b6db7b0ef67439792bd921e2158982358993f3885095442d709a9c5bacb558803a121

memory/4820-25-0x00007FF667650000-0x00007FF6679A4000-memory.dmp

C:\Windows\System\xTGwuLF.exe

MD5 27dc4dd753f886423ddc84e63c017086
SHA1 d9c28bf34344249eea4f9e1d3fae503ff0bdab64
SHA256 901636e0f24a15e1cee83a052e95125376b5c889bc25ea0691b0bfd7d8d01b47
SHA512 22bbcfc53889f2f18f88cf6d5a82a0698fa2a67e7ffd2983d84a32eff1b108fa51bc6caaca08129f8edf9e4df2ef3c9e3a65e69a5bffefa16d95c8315a6ae9c1

C:\Windows\System\rnOkjfT.exe

MD5 d9d78378c9b3463d9b2c5260f45e7e42
SHA1 a0f7b8f4a914168e2dafd3cccae36ba575b3b674
SHA256 d92b5376f2e7de41f76e148b2e04897d46f22dfbd518d384f084e62e861d70a9
SHA512 cb4f07a990b6dcf99bb9f0e7482faa383b098ea1b979078e2f223afb33a1ad9ee994b7837ca502c5430da4fa827e0e37e398f4711932f0d89833b30aa0dfa762

memory/4908-106-0x00007FF792290000-0x00007FF7925E4000-memory.dmp

memory/4444-104-0x00007FF660D10000-0x00007FF661064000-memory.dmp

memory/4008-111-0x00007FF6A8A10000-0x00007FF6A8D64000-memory.dmp

memory/5048-110-0x00007FF6342A0000-0x00007FF6345F4000-memory.dmp

C:\Windows\System\jGZsULr.exe

MD5 d3a3b04238e067567320a80bc36f43ba
SHA1 10ce618f69353a2ecd2519277a92d65c252b6930
SHA256 29afb86af27584cc294c3b822e595e8ea0d7f8cb5a299a5fe8a7b3a8822508e1
SHA512 4c3a917e38743f9972f1623392709f3e869e708f1aebd216e7bffe8771e823ffdf76810221d1163d1b494f2f42b81229723f5791dc4bb5ee75460f8ce6678f34

C:\Windows\System\OkqVEAO.exe

MD5 4806d329b908c9447024e532c454d463
SHA1 deb5c6b9e15ccf754a51d3696d9a7aaee11e99d2
SHA256 3c5f2658c1d20e42498e5c0d55de4151db041ceed70a0447d0dad2fc564f08bf
SHA512 ab4033d30ba06624a074089676181fd241bd5f02ef39875bd95f00fcbcad04dddd4436d59fb39f9644253b6594dabe3e25e0bc465dcc0d38bb980a48afd5370e

memory/4820-124-0x00007FF667650000-0x00007FF6679A4000-memory.dmp

memory/1836-128-0x00007FF6A3150000-0x00007FF6A34A4000-memory.dmp

memory/436-127-0x00007FF6CF020000-0x00007FF6CF374000-memory.dmp

C:\Windows\System\DlwMupT.exe

MD5 224827431e8c012e66b967654a967fd6
SHA1 994ce50d24ec8a3b20869817ed6aca6f4c4974c0
SHA256 0e71fa2dea1ee33e477a9120159a7b8dd2120803b1f08eeb2c9376cb797cd77e
SHA512 f93c96b66463017a913ce8cfab3a7ebcac327ea79e65799f101f9c1cc07ab17af660c25051edf7b408c2c721b29145f8fdd7ce00dc651bb04f1a27bb38b86e3d

memory/3980-116-0x00007FF7DE950000-0x00007FF7DECA4000-memory.dmp

memory/2596-131-0x00007FF7EAF00000-0x00007FF7EB254000-memory.dmp

memory/696-132-0x00007FF6C0020000-0x00007FF6C0374000-memory.dmp

memory/1492-133-0x00007FF794E00000-0x00007FF795154000-memory.dmp

memory/1988-134-0x00007FF6328C0000-0x00007FF632C14000-memory.dmp

memory/2708-135-0x00007FF6AF100000-0x00007FF6AF454000-memory.dmp

memory/3936-136-0x00007FF622BB0000-0x00007FF622F04000-memory.dmp

memory/2420-137-0x00007FF6D3080000-0x00007FF6D33D4000-memory.dmp

memory/1556-138-0x00007FF622780000-0x00007FF622AD4000-memory.dmp

memory/4012-139-0x00007FF743AF0000-0x00007FF743E44000-memory.dmp

memory/5048-140-0x00007FF6342A0000-0x00007FF6345F4000-memory.dmp

memory/3980-141-0x00007FF7DE950000-0x00007FF7DECA4000-memory.dmp

memory/4820-142-0x00007FF667650000-0x00007FF6679A4000-memory.dmp

memory/2596-143-0x00007FF7EAF00000-0x00007FF7EB254000-memory.dmp

memory/1988-144-0x00007FF6328C0000-0x00007FF632C14000-memory.dmp

memory/1492-145-0x00007FF794E00000-0x00007FF795154000-memory.dmp

memory/1840-147-0x00007FF6C89F0000-0x00007FF6C8D44000-memory.dmp

memory/2708-146-0x00007FF6AF100000-0x00007FF6AF454000-memory.dmp

memory/1920-148-0x00007FF70E6B0000-0x00007FF70EA04000-memory.dmp

memory/3048-149-0x00007FF773B40000-0x00007FF773E94000-memory.dmp

memory/1556-152-0x00007FF622780000-0x00007FF622AD4000-memory.dmp

memory/3936-153-0x00007FF622BB0000-0x00007FF622F04000-memory.dmp

memory/4012-151-0x00007FF743AF0000-0x00007FF743E44000-memory.dmp

memory/3000-154-0x00007FF638440000-0x00007FF638794000-memory.dmp

memory/2420-150-0x00007FF6D3080000-0x00007FF6D33D4000-memory.dmp

memory/2952-155-0x00007FF6A39D0000-0x00007FF6A3D24000-memory.dmp

memory/4908-156-0x00007FF792290000-0x00007FF7925E4000-memory.dmp

memory/4008-157-0x00007FF6A8A10000-0x00007FF6A8D64000-memory.dmp

memory/436-158-0x00007FF6CF020000-0x00007FF6CF374000-memory.dmp

memory/1836-159-0x00007FF6A3150000-0x00007FF6A34A4000-memory.dmp

memory/696-160-0x00007FF6C0020000-0x00007FF6C0374000-memory.dmp
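
One fact is recoverable from the dump names alone in both Files sections: each name encodes the PID, a sequence number and the start and end of the dumped region, and every region dumped from a dropped process in both runs spans exactly 0x354000 bytes, as does the submitted sample's own image region (4444-0). The single exception is 4444-1, a 0x10000-byte region. Twenty files with twenty different hashes but one identical image size is consistent with the same code being re-written with per-file differences; that is an inference, not something the report states. In the win7 run, PID 884 also has dumps at the same address ranges as several other PIDs (for example 884-81 and 2204-93). The script below is an added example, not part of the sandbox report, that computes the sizes, finds the dominant one and its outliers, and lists ranges shared across PIDs; the dump names embedded in it are a constructed subset copied from both runs, and the function names are this example's.

```python
"""Region-size checks over sandbox memory dump names.

Added example, not part of the sandbox report. SAMPLE_DUMPS is a constructed
subset of the dump names from both runs; function names are this example's.
"""
import re
from collections import Counter

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

SAMPLE_DUMPS = """
memory/4444-0-0x00007FF660D10000-0x00007FF661064000-memory.dmp
memory/4444-1-0x000001E395E60000-0x000001E395E70000-memory.dmp
memory/5048-7-0x00007FF6342A0000-0x00007FF6345F4000-memory.dmp
memory/3980-13-0x00007FF7DE950000-0x00007FF7DECA4000-memory.dmp
memory/884-39-0x0000000002330000-0x0000000002684000-memory.dmp
memory/2876-25-0x000000013F200000-0x000000013F554000-memory.dmp
memory/2204-93-0x000000013FF60000-0x00000001402B4000-memory.dmp
memory/884-81-0x000000013FF60000-0x00000001402B4000-memory.dmp
"""

# 64 KiB is the Windows allocation granularity. An image base is always a
# multiple of it, but so are most heap and stack reservations, so this check
# only rules regions out; it never proves a region is a mapped image.
ALLOCATION_GRANULARITY = 0x10000


def parse_dumps(text):
    """One dict per dump name with pid, seq, start, end and size in bytes."""
    regions = []
    for line in text.strip().splitlines():
        m = DUMP_NAME.match(line)
        if not m:
            continue
        start, end = int(m["start"], 16), int(m["end"], 16)
        regions.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                        "start": start, "end": end, "size": end - start})
    return regions


def size_histogram(text):
    return Counter(r["size"] for r in parse_dumps(text))


def dominant_image_size(text):
    """The most common region size, the PIDs holding a region of that size,
    and (pid, seq, size) for every region that does not match it."""
    regions = parse_dumps(text)
    size = Counter(r["size"] for r in regions).most_common(1)[0][0]
    pids = {r["pid"] for r in regions if r["size"] == size}
    outliers = [(r["pid"], r["seq"], r["size"]) for r in regions if r["size"] != size]
    return size, pids, outliers


def shared_ranges(text):
    """Identical (start, end) ranges dumped from more than one PID."""
    by_range = {}
    for r in parse_dumps(text):
        by_range.setdefault((r["start"], r["end"]), set()).add(r["pid"])
    return {rng: pids for rng, pids in by_range.items() if len(pids) > 1}


def aligned_to_granularity(text):
    return all(r["start"] % ALLOCATION_GRANULARITY == 0 for r in parse_dumps(text))


if __name__ == "__main__":
    size, pids, outliers = dominant_image_size(SAMPLE_DUMPS)
    print(f"dominant region size 0x{size:X} ({size} bytes) in PIDs {sorted(pids)}")
    print("outliers:", outliers)
    for (start, end), owners in shared_ranges(SAMPLE_DUMPS).items():
        print(f"range 0x{start:X}-0x{end:X} dumped from PIDs {sorted(owners)}")
```

The 0x354000-byte figure is a property of the dumped region, not of the files on disk; comparing it with the dropped files' actual sizes would need the samples themselves, which the report does not carry.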