Malware Analysis Report

2025-01-22 19:17

Sample ID 240806-n7tbbaycqr
Target 2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat
SHA256 8f11c7567bfda2f3264a945aea810f715c7230e6705308fa71a7a1ad411c13f5
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

8f11c7567bfda2f3264a945aea810f715c7230e6705308fa71a7a1ad411c13f5

Threat Level: Known bad

The file 2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobaltstrike family

Xmrig family

xmrig

Cobalt Strike reflective loader

Cobaltstrike

XMRig Miner payload

XMRig Miner payload

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 12:02

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 12:02

Reported

2024-08-06 12:05

Platform

win7-20240704-en

Max time kernel

138s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (this row is repeated 21 times: 21 matches, none with a recorded Description, Indicator, Process or Target)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (this row is repeated 64 times: 64 matches, none with a recorded Description, Indicator, Process or Target)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A (this row is repeated 21 times: 21 loads of dropped DLLs by the same process, with no recorded Description, Indicator or Target)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (this row is repeated 62 times: 62 matches, none with a recorded Description, Indicator, Process or Target)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\QOmlqYV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xfWUJyy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\STVJbTE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uqSbHht.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OljorXm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ixfyFov.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GIaqaDo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LhUpaEb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SYLQlfj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hwAahOZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xhEsWZW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jSOzIVz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yhNcYVz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kxwkWrd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FNAXAuo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zqZuBAv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IKFdvhU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AtAwWVt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xJgYQKE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LGzeNAD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mDUafCW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 308 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xJgYQKE.exe
PID 308 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xJgYQKE.exe
PID 308 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xJgYQKE.exe
PID 308 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FNAXAuo.exe
PID 308 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FNAXAuo.exe
PID 308 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FNAXAuo.exe
PID 308 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LGzeNAD.exe
PID 308 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LGzeNAD.exe
PID 308 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LGzeNAD.exe
PID 308 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zqZuBAv.exe
PID 308 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zqZuBAv.exe
PID 308 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zqZuBAv.exe
PID 308 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OljorXm.exe
PID 308 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OljorXm.exe
PID 308 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OljorXm.exe
PID 308 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mDUafCW.exe
PID 308 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mDUafCW.exe
PID 308 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mDUafCW.exe
PID 308 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IKFdvhU.exe
PID 308 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IKFdvhU.exe
PID 308 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IKFdvhU.exe
PID 308 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SYLQlfj.exe
PID 308 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SYLQlfj.exe
PID 308 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SYLQlfj.exe
PID 308 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AtAwWVt.exe
PID 308 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AtAwWVt.exe
PID 308 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AtAwWVt.exe
PID 308 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jSOzIVz.exe
PID 308 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jSOzIVz.exe
PID 308 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jSOzIVz.exe
PID 308 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ixfyFov.exe
PID 308 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ixfyFov.exe
PID 308 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ixfyFov.exe
PID 308 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GIaqaDo.exe
PID 308 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GIaqaDo.exe
PID 308 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GIaqaDo.exe
PID 308 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QOmlqYV.exe
PID 308 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QOmlqYV.exe
PID 308 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QOmlqYV.exe
PID 308 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hwAahOZ.exe
PID 308 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hwAahOZ.exe
PID 308 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hwAahOZ.exe
PID 308 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yhNcYVz.exe
PID 308 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yhNcYVz.exe
PID 308 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yhNcYVz.exe
PID 308 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kxwkWrd.exe
PID 308 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kxwkWrd.exe
PID 308 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kxwkWrd.exe
PID 308 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xhEsWZW.exe
PID 308 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xhEsWZW.exe
PID 308 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xhEsWZW.exe
PID 308 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xfWUJyy.exe
PID 308 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xfWUJyy.exe
PID 308 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xfWUJyy.exe
PID 308 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LhUpaEb.exe
PID 308 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LhUpaEb.exe
PID 308 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LhUpaEb.exe
PID 308 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\STVJbTE.exe
PID 308 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\STVJbTE.exe
PID 308 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\STVJbTE.exe
PID 308 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uqSbHht.exe
PID 308 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uqSbHht.exe
PID 308 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uqSbHht.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\xJgYQKE.exe

C:\Windows\System\xJgYQKE.exe

C:\Windows\System\FNAXAuo.exe

C:\Windows\System\FNAXAuo.exe

C:\Windows\System\LGzeNAD.exe

C:\Windows\System\LGzeNAD.exe

C:\Windows\System\zqZuBAv.exe

C:\Windows\System\zqZuBAv.exe

C:\Windows\System\OljorXm.exe

C:\Windows\System\OljorXm.exe

C:\Windows\System\mDUafCW.exe

C:\Windows\System\mDUafCW.exe

C:\Windows\System\IKFdvhU.exe

C:\Windows\System\IKFdvhU.exe

C:\Windows\System\SYLQlfj.exe

C:\Windows\System\SYLQlfj.exe

C:\Windows\System\AtAwWVt.exe

C:\Windows\System\AtAwWVt.exe

C:\Windows\System\jSOzIVz.exe

C:\Windows\System\jSOzIVz.exe

C:\Windows\System\ixfyFov.exe

C:\Windows\System\ixfyFov.exe

C:\Windows\System\GIaqaDo.exe

C:\Windows\System\GIaqaDo.exe

C:\Windows\System\QOmlqYV.exe

C:\Windows\System\QOmlqYV.exe

C:\Windows\System\hwAahOZ.exe

C:\Windows\System\hwAahOZ.exe

C:\Windows\System\yhNcYVz.exe

C:\Windows\System\yhNcYVz.exe

C:\Windows\System\kxwkWrd.exe

C:\Windows\System\kxwkWrd.exe

C:\Windows\System\xhEsWZW.exe

C:\Windows\System\xhEsWZW.exe

C:\Windows\System\xfWUJyy.exe

C:\Windows\System\xfWUJyy.exe

C:\Windows\System\LhUpaEb.exe

C:\Windows\System\LhUpaEb.exe

C:\Windows\System\STVJbTE.exe

C:\Windows\System\STVJbTE.exe

C:\Windows\System\uqSbHht.exe

C:\Windows\System\uqSbHht.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/308-0-0x000000013FEC0000-0x0000000140214000-memory.dmp

memory/308-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\xJgYQKE.exe

MD5 dbbc4e3b9e7783c13ad92f66dbfe1ff1
SHA1 be098ffd539767415e2855b67ddb5a9e74441f45
SHA256 a13b30d42ff3eb65b5cf95af547199984c4f3b1137a8b4faf4fa360d52fb8fc9
SHA512 a575b0056eda28e32f3c746846e311c24b432d281fb43a544ceb64bc8dfeaf5387256063dd1c08706d2fa524caf113711293bcf8d348d43db3e87610072267b2

memory/308-8-0x000000013FA70000-0x000000013FDC4000-memory.dmp

C:\Windows\system\FNAXAuo.exe

MD5 30122cd2588388aaece550b13d854ca2
SHA1 30c2f6aac6244751a81da3c81afe9dd3d9ab4dee
SHA256 67bec11bf57b4b4f88717f7c212abe31d110cdd215d1bcf7b92cc6b3d8d792eb
SHA512 821b078203c5553c0070be1241d19082d28f885466fef0da5e4273ff031e1e288147aaae1528d2ab20c81c41db660aa5b90450cd607c5696594cda09d7ff7aa3

C:\Windows\system\zqZuBAv.exe

MD5 a684651659246d8c320b588d5d67e467
SHA1 98f2c8e38692849e81abdbbd16db92430ab111d1
SHA256 6f4109f89c02419fc02431faaeccb933ba51d966decfe6bfe30aa00f9f5d4d6f
SHA512 7e63405882612dc358050130e0af5323a9120025b012557f05f6774ea68b369fba92691f92bf68f8a69a97745a9528fea33a4e5898a106a9aec435fc119cfd62

C:\Windows\system\LGzeNAD.exe

MD5 546c64dc46cb30a2cd2b5e5a4f44cb97
SHA1 6744dcc765cf3aca8a6825e1d4dcc2bc5924d725
SHA256 3e868bf983445de8fe4b290271b2d0cd4122105e3c32c22ebc606f81028b0bcb
SHA512 ee834802fe7858d4e4c4e218f3d5ded5a6c726b4ad6030a86d011692e20193b4d7b8599b62da25c608088c4de842e2eb4d7b6cb6004c2a0478c22137d9f7b161

memory/2232-25-0x000000013FB70000-0x000000013FEC4000-memory.dmp

memory/2324-14-0x000000013FA70000-0x000000013FDC4000-memory.dmp

memory/1832-28-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/308-24-0x0000000002270000-0x00000000025C4000-memory.dmp

memory/308-22-0x0000000002270000-0x00000000025C4000-memory.dmp

memory/1352-19-0x000000013FC20000-0x000000013FF74000-memory.dmp

C:\Windows\system\OljorXm.exe

MD5 a725e5e4b0788b246c21d33e631aa9f5
SHA1 3455f6f0bda176d5b8ddaebcf08c801b486be4e3
SHA256 e9c2ec05a74511c7272e9c44329eccd328506a9cb4bcd56339036af0b4c544bb
SHA512 9be196b5758232628bb04acfd8bf450beea5f148df4b9783f58b153e016275ca1fb6491a43b8923ba6ace7fb7e86c0298e81e6b2fa750d0e5291c79bb8acd4d0

C:\Windows\system\mDUafCW.exe

MD5 5406c04d7a83900841a190c9c7a522b7
SHA1 889103b5cc18662e84448702634a60022d1dade9
SHA256 3c14a83bd6dfeac54827589790cb42e3fc60ab21d7f273e6b39a6c38c7e3eed5
SHA512 68d4f4b6df0de18ab48c82c8d523a372a97d555dbd57c5a521afc4d0562fdecdbb40595d75e6e817c608f6298a6d199510c49d4f6be8198f142f51040af1c9cc

C:\Windows\system\IKFdvhU.exe

MD5 9b5d46faf128787768f966776d387179
SHA1 2836b1db2d1286caf011af6ef760c214a3f6d82d
SHA256 599e7c048fad460aa9f5a085f70b5eb85d404bbcd09962f2f844932d5e28a74d
SHA512 8cbdbc575d46c0e931913a49efd91b26dbd0a1350704b62a26f995ae4326bd0daa03e6e58e5926aa593f3a4f76f936798b9db8ad5ec5667fd51d5223d9726bba

C:\Windows\system\SYLQlfj.exe

MD5 8fb0e86c5fa335ef95aacde9afa07998
SHA1 ec2587cabdf60f9ac9b90596c63214be997e37d8
SHA256 73fdf062b4840cc120f0517660919809e22fcb341d912db5ce48668d2af757c2
SHA512 74b266eb686c52fa32eacd4505bc5da1e556dd38272ee82ec8529d9b317c18bc350d1606651d4079b7d7918434a11d53cfa9d24ab5939a219376b4e16842d04b

memory/2824-48-0x000000013F270000-0x000000013F5C4000-memory.dmp

\Windows\system\AtAwWVt.exe

MD5 27c5839d4c6dca6d0cd3148117dbb60e
SHA1 e18b12d61c1c912797be9d289ad123882e1b6f55
SHA256 a4b47ab809519392c42a5f3fcd30fdbfb66e3469c656b625bebfbdfbee3ceecb
SHA512 455495108f2ae20551d99fdd81a3316ad7aa904ff8cd76d8fdd5584ade99129d35b49330024906ad95f79c5a034ad2b15fa3801f454dccfb9126d2a3ec3b3d21

C:\Windows\system\jSOzIVz.exe

MD5 334b16b589b412b9a43988f388d7727c
SHA1 2d1cc4df9e0c3afbddcf66884783750eaff1d2be
SHA256 eb2f135a0649bdbf959bdd7ab1d8759ba4c31bf229a392985fa4da07da2d1328
SHA512 db110d472eea7b98f7dcccb9108fd95b4f4d2d051bb00796b900b8f08db925b26c5aa121c0f69809c1c224799ed0dbb389823cf7d721035d8707e99c992a05b9

memory/2836-62-0x000000013F3B0000-0x000000013F704000-memory.dmp

memory/2872-69-0x000000013F750000-0x000000013FAA4000-memory.dmp

C:\Windows\system\hwAahOZ.exe

MD5 819bec9a8620ce96a6a2014b6740d4a1
SHA1 c2173f0ea0a3cbbb81016c18ea6505c8f7831f00
SHA256 805d8dc5ad80e934284f6d0e6a67c7acca2240540c50f9ef9a0400730ceff527
SHA512 35356f24049e68a546836931509938bd477537d9c690e697dc1f50802d5973d7746da466169a2d9faa37fa92ab5f7b02305308bc935774648ee6ab22af1e2156

memory/3064-101-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

C:\Windows\system\STVJbTE.exe

MD5 74ca7418a70c83988816a38002398be5
SHA1 17f5ec94227832cfc1ae74cca443b6dc487df8ce
SHA256 18ac7578b7f028b579890b32e8ef2da6633b9f3cc8b20b8a83f3e9a497bdd35c
SHA512 3fdc8443574e9428afd5ad4d19996d3a32d7655d5d2bec553c417e915a6fba5fa98474c495b170929c18b06af32f6eb04d9e3dd7b6b3f62344c8287f9ed86388

\Windows\system\uqSbHht.exe

MD5 f650aa1a4a8ccafa2e2092c97e5ee622
SHA1 3b94c015972a2ac26d7cf0bee98a6f60f3b0c150
SHA256 d306af1a5272984f8cda275a045656cd9fcbabc7e87ecad4e77200a0a76c15c4
SHA512 6af83ad8046462d78eafe6f17983f284572e2774b57b7276ab1c0d20806f40a3dad8622a29d9c1b031cec8a0b0a37144ee2af611b3d6df81b9a69e299accf6ec

C:\Windows\system\LhUpaEb.exe

MD5 c9e1f3db746b2ae8b8b39021e5c8d762
SHA1 c02e2bc33de4523fad93b80c3c116633013ac0f2
SHA256 05780493211f2a8278a598c22ef0ded813561c8b3ee23f0f0e12452d78591ed2
SHA512 c70c43f3ea1637e20c6f68575d2630972a7b39e487f2c671d2c5c2b788ea35ec16ef2e92b0df8388731ce270b8054231e045980fefd4eb58c98804709b9aa3e7

C:\Windows\system\xfWUJyy.exe

MD5 99352a68acfd021b5f1c4cbc086a0bae
SHA1 d7fae825f596ebcf654637a335b2093e16ac13fb
SHA256 411cb2936230e590b8a45c3d7f1089c1bb39cf0ae2798aee25130d899e7efb29
SHA512 d269fcea1abd4c76fb5d21b6fa0cc62fcdb769d32a4bed8f022bdb4be5ee271a283c976c889552a5e5717f3da6e590de1c0476bada9e5b3f4972df19bc56244d

C:\Windows\system\xhEsWZW.exe

MD5 9cdc933bb1f958889c241455e73ddef6
SHA1 7526afa31a026a386fc0985cd344540a839a2394
SHA256 1454af1d1bfd12449237015c904aca716a106e1ce89e0fbb302a75ee06749c84
SHA512 acbee2e73e7196ae56ffd426189ce507b8d99127255e8dcdc213fc6819416129c3c6381c04dab30991fa2cbb49a0e4ab8670f5aa09dcbaf7338a32afd130e2f1

C:\Windows\system\yhNcYVz.exe

MD5 ecf96477c516a5e5998c8d598b160c5a
SHA1 f6567bcd536039da7496a2f269fafcb27d53acd4
SHA256 69ade744a3d0184002ec505a08227912a35f3b94cbc735dac46dd1969308d6f1
SHA512 ad8a91c366b1785001cb2c8c33f70beacca648269218728611831ac66a6243f82d8d5359321b1f50ca3513349f820def2af47df3962295393a06d929725d94cd

memory/308-105-0x000000013F420000-0x000000013F774000-memory.dmp

C:\Windows\system\kxwkWrd.exe

MD5 8a5c8dfcacab7b6a3f1b61d887fbfe3c
SHA1 7ef85f974917eba1442e65af74a881b46ec65759
SHA256 a95577a6de47b8ba972875b8d9df5dd45d5e636dfb9db5fc70daaae177e89639
SHA512 a29bbcbca3644b8312b2dca31eaab462d7bc260eafe0339c4f09da9cf4c1629dcbb2a5a42bbee20dc67d0bbec9a09d8b3c3d7af67e143096828b2f444ab3d5a9

memory/308-100-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/2660-94-0x000000013F640000-0x000000013F994000-memory.dmp

memory/308-93-0x000000013F640000-0x000000013F994000-memory.dmp

memory/1832-92-0x000000013FB00000-0x000000013FE54000-memory.dmp

C:\Windows\system\QOmlqYV.exe

MD5 2d2f2632a58e7f3c89d21ec3e6ca1706
SHA1 f63cdfd9ab0d6ef957655d00c6c60bf042b8c90b
SHA256 45d633dac34a634f0ba181cc2140e9f93aa37d77bc62712ca2fe3bbb1c3d49b0
SHA512 1eb0272b3fdfd222badc150fd6403ec70a967f59a1edb54e4adbcd46e73e768fc3d802ed235e327e2dcf4e54bea2c7eee4c96f56a392805485aeb01062f6e370

memory/2556-86-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/308-85-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/2232-84-0x000000013FB70000-0x000000013FEC4000-memory.dmp

C:\Windows\system\GIaqaDo.exe

MD5 67b960c6e6ab7a080402e15458680177
SHA1 67c7920e660a9affc1d9e3ccf161355de3de0139
SHA256 0c28241373d8e1f89e354556a489aded11d5517f1be0aeed41b7192bf8613ab5
SHA512 74a4158fd898a65b3eaf0d6f51eb955df90ff98de9362dcf2d4365cd97693b425beaf9dafa630d8f74e321fea61a4eb14ebf0bc276e132b468e49cf437dbb88c

memory/2824-138-0x000000013F270000-0x000000013F5C4000-memory.dmp

memory/2676-76-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/308-75-0x000000013F920000-0x000000013FC74000-memory.dmp

C:\Windows\system\ixfyFov.exe

MD5 347b62ca0286fda8106b225fbab3b46e
SHA1 e9f6b0ba232b1395410e267abe72b0bfcc5b174d
SHA256 0d47c3f5183f961751f000fa8ccfe01e2d86c50040bede6ee97329ad44d5d8ae
SHA512 5ad6fc51469219a01ceea85469365b7dc098a1fd3f1dca528fa2dfc15802f66ba8b8095f721f8cd6198ae9b36a006fa3652db230a23212971a2954822a544aa4

memory/308-68-0x000000013F750000-0x000000013FAA4000-memory.dmp

memory/1352-61-0x000000013FC20000-0x000000013FF74000-memory.dmp

memory/308-60-0x000000013FEC0000-0x0000000140214000-memory.dmp

memory/308-56-0x000000013F3B0000-0x000000013F704000-memory.dmp

memory/2668-54-0x000000013F420000-0x000000013F774000-memory.dmp

memory/308-53-0x000000013F420000-0x000000013F774000-memory.dmp

memory/308-47-0x000000013F270000-0x000000013F5C4000-memory.dmp

memory/2684-42-0x000000013F6E0000-0x000000013FA34000-memory.dmp

memory/308-41-0x000000013F6E0000-0x000000013FA34000-memory.dmp

memory/2632-35-0x000000013FFC0000-0x0000000140314000-memory.dmp

memory/308-34-0x0000000002270000-0x00000000025C4000-memory.dmp

memory/2668-140-0x000000013F420000-0x000000013F774000-memory.dmp

memory/2836-141-0x000000013F3B0000-0x000000013F704000-memory.dmp

memory/308-142-0x000000013F750000-0x000000013FAA4000-memory.dmp

memory/2872-143-0x000000013F750000-0x000000013FAA4000-memory.dmp

memory/308-144-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/2676-145-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/308-146-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/2556-147-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/308-148-0x000000013F640000-0x000000013F994000-memory.dmp

memory/2660-149-0x000000013F640000-0x000000013F994000-memory.dmp

memory/308-150-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/3064-151-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/308-152-0x000000013F420000-0x000000013F774000-memory.dmp

memory/2324-153-0x000000013FA70000-0x000000013FDC4000-memory.dmp

memory/1352-154-0x000000013FC20000-0x000000013FF74000-memory.dmp

memory/2232-155-0x000000013FB70000-0x000000013FEC4000-memory.dmp

memory/2632-156-0x000000013FFC0000-0x0000000140314000-memory.dmp

memory/2684-157-0x000000013F6E0000-0x000000013FA34000-memory.dmp

memory/2668-158-0x000000013F420000-0x000000013F774000-memory.dmp

memory/2872-159-0x000000013F750000-0x000000013FAA4000-memory.dmp

memory/1832-160-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/2676-162-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/2836-161-0x000000013F3B0000-0x000000013F704000-memory.dmp

memory/2556-163-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/2660-164-0x000000013F640000-0x000000013F994000-memory.dmp

memory/3064-165-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/2824-166-0x000000013F270000-0x000000013F5C4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 12:02

Reported

2024-08-06 12:05

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 matches, no per-match description, indicator, process or target recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(64 matches, no per-match description, indicator, process or target recorded)

UPX packed file

upx
Description Indicator Process Target
(64 matches, no per-match description, indicator, process or target recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\wnUnLzl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xUkCAzW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kOhzYiz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rNEbGDi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zRxVmcp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qgMHuTc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FWRRFHf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PQyEfOC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CKTcjWv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\owfsvHT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LnbXTGJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ctwbrke.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NbsopgK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qxaDtqr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FXjuISG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yaFfuKN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FdMAuCY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WJvlfBb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ODoyCqn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lciEWEb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iJiCuJV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3436 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NbsopgK.exe
PID 3436 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NbsopgK.exe
PID 3436 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wnUnLzl.exe
PID 3436 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wnUnLzl.exe
PID 3436 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WJvlfBb.exe
PID 3436 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WJvlfBb.exe
PID 3436 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qxaDtqr.exe
PID 3436 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qxaDtqr.exe
PID 3436 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qgMHuTc.exe
PID 3436 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qgMHuTc.exe
PID 3436 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FWRRFHf.exe
PID 3436 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FWRRFHf.exe
PID 3436 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FXjuISG.exe
PID 3436 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FXjuISG.exe
PID 3436 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PQyEfOC.exe
PID 3436 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PQyEfOC.exe
PID 3436 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CKTcjWv.exe
PID 3436 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CKTcjWv.exe
PID 3436 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ODoyCqn.exe
PID 3436 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ODoyCqn.exe
PID 3436 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xUkCAzW.exe
PID 3436 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xUkCAzW.exe
PID 3436 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yaFfuKN.exe
PID 3436 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yaFfuKN.exe
PID 3436 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\owfsvHT.exe
PID 3436 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\owfsvHT.exe
PID 3436 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LnbXTGJ.exe
PID 3436 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LnbXTGJ.exe
PID 3436 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kOhzYiz.exe
PID 3436 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kOhzYiz.exe
PID 3436 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lciEWEb.exe
PID 3436 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lciEWEb.exe
PID 3436 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ctwbrke.exe
PID 3436 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ctwbrke.exe
PID 3436 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rNEbGDi.exe
PID 3436 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rNEbGDi.exe
PID 3436 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FdMAuCY.exe
PID 3436 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FdMAuCY.exe
PID 3436 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iJiCuJV.exe
PID 3436 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iJiCuJV.exe
PID 3436 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zRxVmcp.exe
PID 3436 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zRxVmcp.exe
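The two tables above describe the same 21 children from two angles: the submitted sample first creates each randomly named .exe under C:\Windows\System, then writes into the newly started process (the sandbox logs two write events per child). The script below is an added example, not part of the sandbox report. It parses an excerpt of each table exactly as printed, collapses the doubled WriteProcessMemory rows into one parent-to-child edge, and checks that every injected child's image was dropped by the same parent that wrote into it. The token <sample> stands in for the long sample path so each row fits on one line; the excerpt covers four children of the 21.

```python
"""Rebuild parent/child injection relationships from the two signature tables above."""
import re

# Excerpt of the "Suspicious use of WriteProcessMemory" table (first four children of 21),
# copied row for row; <sample> abbreviates the submitted sample's path.
WPM_TABLE = r"""
PID 3436 wrote to memory of 4412 N/A <sample> C:\Windows\System\NbsopgK.exe
PID 3436 wrote to memory of 4412 N/A <sample> C:\Windows\System\NbsopgK.exe
PID 3436 wrote to memory of 2536 N/A <sample> C:\Windows\System\wnUnLzl.exe
PID 3436 wrote to memory of 2536 N/A <sample> C:\Windows\System\wnUnLzl.exe
PID 3436 wrote to memory of 988 N/A <sample> C:\Windows\System\WJvlfBb.exe
PID 3436 wrote to memory of 988 N/A <sample> C:\Windows\System\WJvlfBb.exe
PID 3436 wrote to memory of 3612 N/A <sample> C:\Windows\System\qxaDtqr.exe
PID 3436 wrote to memory of 3612 N/A <sample> C:\Windows\System\qxaDtqr.exe
"""

# Excerpt of the "Drops file in Windows directory" table, same abbreviation.
DROP_TABLE = r"""
File created C:\Windows\System\wnUnLzl.exe <sample> N/A
File created C:\Windows\System\xUkCAzW.exe <sample> N/A
File created C:\Windows\System\kOhzYiz.exe <sample> N/A
File created C:\Windows\System\NbsopgK.exe <sample> N/A
File created C:\Windows\System\qxaDtqr.exe <sample> N/A
File created C:\Windows\System\WJvlfBb.exe <sample> N/A
"""

# Row shapes: "PID <p> wrote to memory of <c> <indicator> <parent image> <child image>"
#             "File created <path> <creating process> <target>"
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")
DROP_RE = re.compile(r"^File created (\S+) (\S+) \S+$")


def parse_writes(table):
    """Return {child_pid: (parent_pid, parent_image, child_image)}.

    The sandbox logs two write events per child; setdefault keeps one edge per child.
    """
    tree = {}
    for line in table.strip().splitlines():
        m = WPM_RE.match(line)
        if not m:
            raise ValueError(f"unparsed WriteProcessMemory row: {line!r}")
        parent, child, parent_img, child_img = m.groups()
        tree.setdefault(int(child), (int(parent), parent_img, child_img))
    return tree


def parse_drops(table):
    """Return {dropped_path: creating_process_image}."""
    drops = {}
    for line in table.strip().splitlines():
        m = DROP_RE.match(line)
        if not m:
            raise ValueError(f"unparsed drop row: {line!r}")
        path, creator = m.groups()
        drops[path] = creator
    return drops


def correlate(writes, drops):
    """For each injected child, say whether its image was dropped by the writing parent.

    Paths are compared case-insensitively: the drop table spells the directory
    'System' while the behavioral1 file list spells it 'system'.
    """
    drops_ci = {p.lower(): c for p, c in drops.items()}
    report = []
    for child_pid, (parent_pid, parent_img, child_img) in sorted(writes.items()):
        creator = drops_ci.get(child_img.lower())
        report.append({
            "child_pid": child_pid,
            "child_image": child_img,
            "parent_pid": parent_pid,
            "dropped_by_parent": creator is not None and creator.lower() == parent_img.lower(),
        })
    return report


def dropped_not_written(writes, drops):
    """Dropped files with no matching WriteProcessMemory event.

    In the full report every dropped file has one; on this excerpt the two drops
    whose write rows were not copied show up here.
    """
    written = {edge[2].lower() for edge in writes.values()}
    return sorted(p for p in drops if p.lower() not in written)


if __name__ == "__main__":
    writes, drops = parse_writes(WPM_TABLE), parse_drops(DROP_TABLE)
    for row in correlate(writes, drops):
        print(row)
    print("dropped but not written into:", dropped_not_written(writes, drops))
```

The useful check is the last column of `correlate`: a dropped file that is later written into by the same process is the drop-then-inject pattern the two signatures describe together, and a child that was written into but never dropped would point at injection into a pre-existing process, which this report does not show.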

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\NbsopgK.exe

C:\Windows\System\NbsopgK.exe

C:\Windows\System\wnUnLzl.exe

C:\Windows\System\wnUnLzl.exe

C:\Windows\System\WJvlfBb.exe

C:\Windows\System\WJvlfBb.exe

C:\Windows\System\qxaDtqr.exe

C:\Windows\System\qxaDtqr.exe

C:\Windows\System\qgMHuTc.exe

C:\Windows\System\qgMHuTc.exe

C:\Windows\System\FWRRFHf.exe

C:\Windows\System\FWRRFHf.exe

C:\Windows\System\FXjuISG.exe

C:\Windows\System\FXjuISG.exe

C:\Windows\System\PQyEfOC.exe

C:\Windows\System\PQyEfOC.exe

C:\Windows\System\CKTcjWv.exe

C:\Windows\System\CKTcjWv.exe

C:\Windows\System\ODoyCqn.exe

C:\Windows\System\ODoyCqn.exe

C:\Windows\System\xUkCAzW.exe

C:\Windows\System\xUkCAzW.exe

C:\Windows\System\yaFfuKN.exe

C:\Windows\System\yaFfuKN.exe

C:\Windows\System\owfsvHT.exe

C:\Windows\System\owfsvHT.exe

C:\Windows\System\LnbXTGJ.exe

C:\Windows\System\LnbXTGJ.exe

C:\Windows\System\kOhzYiz.exe

C:\Windows\System\kOhzYiz.exe

C:\Windows\System\lciEWEb.exe

C:\Windows\System\lciEWEb.exe

C:\Windows\System\ctwbrke.exe

C:\Windows\System\ctwbrke.exe

C:\Windows\System\rNEbGDi.exe

C:\Windows\System\rNEbGDi.exe

C:\Windows\System\FdMAuCY.exe

C:\Windows\System\FdMAuCY.exe

C:\Windows\System\iJiCuJV.exe

C:\Windows\System\iJiCuJV.exe

C:\Windows\System\zRxVmcp.exe

C:\Windows\System\zRxVmcp.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 235.17.178.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
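The network table mixes two kinds of rows: reverse-DNS (PTR) queries to 8.8.8.8 and repeated TCP connections to 3.120.209.58:8080 with no domain. The script below is an added example, not part of the report. It parses the table as printed (the tcp rows have one column fewer), turns each in-addr.arpa name back into the IPv4 address being looked up, counts the direct connections, and lists endpoints that were contacted without any preceding name resolution. One caveat a practitioner should keep in mind: PTR lookups of this shape are routinely generated by Windows itself during a run, so they cannot be attributed to the sample without per-process network telemetry, which this report does not provide; the table likewise does not say what 3.120.209.58 is.

```python
"""Parse the sandbox network table, reverse PTR names, and isolate direct connections."""
import ipaddress
from collections import Counter

# The behavioral2 network table, copied as printed. tcp rows carry no domain.
NETWORK_TABLE = """\
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 235.17.178.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
"""


def parse_rows(table):
    """Return one dict per row; rows without a domain column get domain=None."""
    rows = []
    for line in table.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unparsed network row: {line!r}")
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """Reverse an in-addr.arpa PTR name to the IPv4 address it asks about, else None.

    '73.159.190.20.in-addr.arpa' encodes 20.190.159.73 (octets are listed reversed).
    """
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def summarize(rows):
    """Split rows into addresses looked up via PTR and non-DNS endpoints with hit counts."""
    looked_up = []
    endpoints = Counter()
    for r in rows:
        if r["port"] == 53 and r["domain"]:
            ip = ptr_to_ip(r["domain"])
            if ip:
                looked_up.append(ip)
        else:
            endpoints[(r["host"], r["port"], r["proto"])] += 1
    return looked_up, endpoints


def endpoints_without_lookup(rows):
    """Hosts contacted directly that never appeared in any DNS row (IP-literal endpoints)."""
    looked_up, endpoints = summarize(rows)
    seen = set(looked_up)
    return sorted({host for (host, _, _) in endpoints if host not in seen})


if __name__ == "__main__":
    rows = parse_rows(NETWORK_TABLE)
    looked_up, endpoints = summarize(rows)
    print("PTR lookups for:", looked_up)
    print("direct endpoints:", dict(endpoints))
    print("contacted with no lookup:", endpoints_without_lookup(rows))
```

An endpoint reached by IP literal with no resolution step is the row worth pivoting on (passive DNS, certificate transparency, other reports for the same host:port), while the PTR list is better treated as background noise until something ties it to the sample's own process.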

Files

memory/3436-0-0x00007FF65D110000-0x00007FF65D464000-memory.dmp

memory/3436-1-0x000002BD7D260000-0x000002BD7D270000-memory.dmp

C:\Windows\System\NbsopgK.exe

MD5 89436a0fef3be3cd8f6b67421b1cb5ee
SHA1 beafa9369ac9b1426810ad5739164eb94877c29a
SHA256 2c74a5461bf0997fb164703deca914c9624b51aea14c5a19c7e7e3ecd9a91182
SHA512 bda4d0e16c15002826521bca21f82a804b693d865fc20be589bb03476d2b597adf0b97aeb178d9fa43dd5eb6caa693e929954f8304ac8969ea65619bce303d0c

C:\Windows\System\wnUnLzl.exe

MD5 b6ff8c395d11b9fefefed7477ba4cc8c
SHA1 c72e68b759eea6ce32ec5622a3d1f9746f3c40a8
SHA256 ad1a61aad4af419a12244688a688cd4e917edca492ebba50490cc8bf18afbdd3
SHA512 c420020f26787a82e89fa75ebdc712ade1c284766a6c0a0652d58119b215d2678f91ee33ecd3db501820f602f98abe9ba118421bafa0889a9c0879a9c72812ca

memory/2536-14-0x00007FF777980000-0x00007FF777CD4000-memory.dmp

C:\Windows\System\WJvlfBb.exe

MD5 fcdfdbb028c8ea3af770f74536662407
SHA1 6c9445de65fa2f87ea71ed53baa2ebce97805be9
SHA256 4444b1d5dc9662de6f677a7038a238c90881ca998a7438c603fb12f014a3b02a
SHA512 5326c23a25407301128e593a4f7ebfde9b69fe81e47bf5e03e4d9f207f751fc56edc9d6328aecb0e740d214118568d9dd11a9824d12ef5117e176526b49453ec

memory/988-21-0x00007FF783940000-0x00007FF783C94000-memory.dmp

C:\Windows\System\qxaDtqr.exe

MD5 0bd86a7dd09cf621ccb55f2d28ad3d48
SHA1 486127bbeba4bac79f6e2697d57138e5d5aecd30
SHA256 a80885c45bb704839a1bf62200e842a56c9b71a453281902570ad14641f46668
SHA512 7706035a811c864c8bf9763cf5cccd47311bf0494434b71a03ee2007a1b0e23b850dd8aa08031db89fb33e3e2b664ccdc10b4606f1e67c5d366c3f34d4aa5fd5

C:\Windows\System\FWRRFHf.exe

MD5 82cb0d10ded7367ab3c5e0e8f243187a
SHA1 dfc82900a667b5aadca3c82063454e129bf8c2d6
SHA256 e331ca6ba7a18358157b9cbf165576a88a4e2ac05a55211b8a5928e06387f383
SHA512 a3cb1a95c5a13a1901dfa8485b1c0e6bdac0e1b069eac547324d9ed5666090ce3594b85af7e44467c2f24c0bf91fe3396c8c4f30c9a9baeb384b887cf516accc

memory/1380-35-0x00007FF712880000-0x00007FF712BD4000-memory.dmp

memory/4836-38-0x00007FF614410000-0x00007FF614764000-memory.dmp

C:\Windows\System\PQyEfOC.exe

MD5 10c121d011d13d4d14906b6712f43f96
SHA1 a9d7ccb31b25d89efcfcf8c984fc6ebd19fb41a4
SHA256 89cc0954b41a2fe9d969952f62dcf362ff702952c2317118a09d73d95610d79f
SHA512 61b78bf06c434d8237dfe5e4bc7734bf3368538973d09e6c1828c25896502a4926f88fdd33b307181d179910fc3ce3711465d1a00dfaa0d2551b611e51fd2706

memory/1132-49-0x00007FF641F50000-0x00007FF6422A4000-memory.dmp

memory/1876-50-0x00007FF67B820000-0x00007FF67BB74000-memory.dmp

C:\Windows\System\FXjuISG.exe

MD5 5a6e8f0014f5f318a9d659dcb82dda34
SHA1 330bd8e9f2218986c554486ad801e67036ace11d
SHA256 27711f006d58f9aec17361621714a4a3f20b9e8cf28998bc6dc3fbb5c7c6f474
SHA512 ca3acf1d4e403bcc617bcd7a3c201114bf801f9740a815c3b775945170955f582902d2cec0c1be753b13f2f53e97cfec09c4d5d58ff2d6229924ea39caae1aae

memory/3612-33-0x00007FF63C2D0000-0x00007FF63C624000-memory.dmp

C:\Windows\System\qgMHuTc.exe

MD5 65202c5111f43a521bd43c268d592360
SHA1 c5bf07d109d195f944cc108c657ddec3c96ab905
SHA256 b1293b8ba6386a5c713e6df216d20bc2fb8dd3852780a16306bd6d1db1486009
SHA512 8754ba7df690dfc7a62f46da8428af2d8f10de75283ab19036b7ecd77395132cd2ba31799382c578ddff055fffdce981ff0a6c5ecd53d7221d79d4b551a338a6

memory/4412-9-0x00007FF725FC0000-0x00007FF726314000-memory.dmp

C:\Windows\System\CKTcjWv.exe

MD5 1bc0d339e86c173d0bc613726fd6a9e9
SHA1 e5972c8e0aeec22d89a70e4a25bc3c6c183843bb
SHA256 dd31fc92c34cc2951621112f840e26b042f02bd95b905c9167d776359580549a
SHA512 eb3888721fa3e5aba6ce83f9742abbba0200f2835e4bf48f6bcd5190d50b0a8681427167e0dd88261d841b899e58ab2550c2ddf707929f2f5ca7b0c14b0a3afe

memory/4740-56-0x00007FF79A260000-0x00007FF79A5B4000-memory.dmp

C:\Windows\System\ODoyCqn.exe

MD5 604ed7b8c01ea0027a578cbe2af1790f
SHA1 17aad30d26e1399629245ca92305122a75091530
SHA256 b6f02e68798549d77fd956b0f2482d3abdfa18fc529a97d84b8a024fcbbf8d15
SHA512 e04fc57c4fdd7205d8b17802927ff6277bee7f1eaea3267f6b7c10cc0fd932e6b2c23447e74b69996dbc06d46e15e588c748d98d3a706467a75c8a10e4f97809

memory/5008-61-0x00007FF7ACAB0000-0x00007FF7ACE04000-memory.dmp

C:\Windows\System\yaFfuKN.exe

MD5 b6493aff2f3f2e4fabd751d051ec9843
SHA1 29c2f2614efdf0224e407d98aabf77e3a0ef7c6b
SHA256 0a8b6473f4ddc48600ae5aea50b911feb1777b5ed96b825b04479cd84dedf5a5
SHA512 5b736b273bd171fe8e2a49d0d311078bd61f356f4878a3a8c6e8d3a7516c630e14df54f923841e5176e7cb6dd98758f233bed3df76e4a6b70da892089e3d0053

memory/4412-73-0x00007FF725FC0000-0x00007FF726314000-memory.dmp

memory/3444-74-0x00007FF6E9040000-0x00007FF6E9394000-memory.dmp

memory/3436-72-0x00007FF65D110000-0x00007FF65D464000-memory.dmp

C:\Windows\System\xUkCAzW.exe

MD5 c492f9f0dff5aef16b509f455eff4160
SHA1 ba0019dc23fac14acce15e5f4c7aa67a48741832
SHA256 b8e9fbaeea30f4731e536f71120f464652e458ae240459c9e4b6d3b526bce313
SHA512 a9f8f3fc6274023c14c65f91bb0c698a0f9ac72926e0b868a7034fcc075072dcb69d324b6aa92919aa79809a2735046e1298ec16bddd17694f8a4c38e3b477c0

memory/1488-66-0x00007FF6D4400000-0x00007FF6D4754000-memory.dmp

C:\Windows\System\owfsvHT.exe

MD5 66f9e2a79fd38ebfa26fa20406047ce0
SHA1 d95f1f650e99ac0d24c35697796f042891903b69
SHA256 6883214ab3520fe4eea5e25b279b5e3e545d875b83cca1458f7de47b56df7e5b
SHA512 75ea60ef5f9296e9133f75a5758bf67948a1fb4ffc26ad0ebcb3f5c1d4b7a1683198e33485f0a84ea01f12deeb23f07ea42497ae669a79845e5c13cf26a7543b

C:\Windows\System\LnbXTGJ.exe

MD5 4b5e6d073c607989bd0de0297a339a1a
SHA1 b314a96b23f0e4c8ae11708ad27ca9d374340e27
SHA256 a20be4a19c01a3e47e4c8a820d20aedbf20d6eea608ab36d67e72e3044a27570
SHA512 7371b17976b509076756ec1b755532c5bc9270f75a11b5c0ebaa1e080572f645fbfc3a00f90cde6dbb5268c7350b8a6c2b72d54e698c7e66ee690ae13395cf1b

memory/1884-86-0x00007FF786250000-0x00007FF7865A4000-memory.dmp

memory/4660-81-0x00007FF7B5FA0000-0x00007FF7B62F4000-memory.dmp

C:\Windows\System\kOhzYiz.exe

MD5 875c8e0f4f664bf32393e272a30bca78
SHA1 ad81aec16c18f16822268f7411e526be408cffa4
SHA256 86ed3b2e7ff08ea90767435c27e74aa875ed1ef9d3aa9c7271465b85fa84b60a
SHA512 4e6a26fb0d58bcdc09bffae5abe4818ade1ba76362da39b964dad8b0ea0ff754ee852f6155fc7404d082003f4d496196cc09a37427dfed7f8d5677ada1d2ce57

memory/808-93-0x00007FF75B730000-0x00007FF75BA84000-memory.dmp

C:\Windows\System\lciEWEb.exe

MD5 a4dafe466e0e1cfa2ead34538e209cd9
SHA1 6d3adc6937a6285ff5770ba37c4aaac534a785b9
SHA256 fa50998655af451ccd443335948cf342a703794e769b4b85d0557790a12898ad
SHA512 dc910b83018186c51f9b58246cfc2ba48535aed41e7ae23f645483ca284d8b6600bbc744dd868c87bb2b43d61f918611a00ab8d1baed61e4ade8ab96f2593dbb

C:\Windows\System\ctwbrke.exe

MD5 7c53bb8ea51d7fa9f3ceb4a3d59264e1
SHA1 cc320c2410403374f5fcf6344736b5b6f9e4adb8
SHA256 e13df45dd8dad0882c62bb95c2ef559cb4ecb64b2cd0e64dc400d07995bb9711
SHA512 00f6032ae266c1a3b1ef8d05ec953df62c1aff592a84ec3a9339f36a7f93e1aad6e14c74c783b80b22a5b735b5d62458aeb19754df8596826ba4eea33ae19848

C:\Windows\System\rNEbGDi.exe

MD5 2556b7fb0633872091d3697a5d37a1b4
SHA1 d779c3fc710f6942f3713d7242f679f6caf26b50
SHA256 3338dbd8041d4eda8aca85e72c073a5d4049ea31a51bab69231351458be3bdd4
SHA512 9591e42c3f208b3f80da00e92de84d66b504063a1fce8030e368f21f1cc16ac07aa58320be0e8e86876720d11af142fdc6cb9e3a5ce686f7502a2160158d52c4

memory/2512-107-0x00007FF60BE90000-0x00007FF60C1E4000-memory.dmp

memory/4312-116-0x00007FF7E1E20000-0x00007FF7E2174000-memory.dmp

C:\Windows\System\FdMAuCY.exe

MD5 bbdd7bfb6072bd2e34beac4fbcf3508f
SHA1 5bac0865ba397f2d1da578d476665f18ffe5c48b
SHA256 88a2b2aa4ad4f6ccb133875202a5b9f355e793a4d50e19896e2c35325a2ea8df
SHA512 de69efced213bcedec5e8242d69ab552cf274e21e5080cf99480f235ba725da3e59685d613675f163b77d6660fe5375d218b3d8c071e90db67ce1433f80968be

memory/3416-117-0x00007FF77D870000-0x00007FF77DBC4000-memory.dmp

memory/764-102-0x00007FF672CE0000-0x00007FF673034000-memory.dmp

memory/1380-100-0x00007FF712880000-0x00007FF712BD4000-memory.dmp

C:\Windows\System\iJiCuJV.exe

MD5 f11d2e189dceda4807cef9d50804568d
SHA1 653970629115f4dd26670ad3b58c219d147bc22d
SHA256 6336f53dcc7e17c78baada8af531c825adcba9a077c6244ede121caeeaf58ab6
SHA512 64bc8a3e8c17c4e987aa09bcee718e738981ffb4f40356b6351931c29e36cc511c9d28b50125bc1dbdadcb872f9d564f24ff43572d473de07ed038d30c266bfc

memory/464-124-0x00007FF7091E0000-0x00007FF709534000-memory.dmp

memory/5008-123-0x00007FF7ACAB0000-0x00007FF7ACE04000-memory.dmp

C:\Windows\System\zRxVmcp.exe

MD5 2b15f80c61ce97541c9c590e6093c16e
SHA1 6bc21af4299c349f2decdd931406aff100475f94
SHA256 fd5b86d0ec244a713e6e192fdec8719b031bfe6588bfefabce57606aa7cdc9b1
SHA512 50eab5ac2c4ba65f37a871d419c540ee0021df8e8ddc57befed5ff400dcda78559df90774b91f2ca6ff1256a4cf8f97f3b8bbd83cc58712c5a0857594c14c611

memory/832-132-0x00007FF697950000-0x00007FF697CA4000-memory.dmp

memory/1488-131-0x00007FF6D4400000-0x00007FF6D4754000-memory.dmp

memory/3444-133-0x00007FF6E9040000-0x00007FF6E9394000-memory.dmp

memory/4660-134-0x00007FF7B5FA0000-0x00007FF7B62F4000-memory.dmp

memory/1884-135-0x00007FF786250000-0x00007FF7865A4000-memory.dmp

memory/808-136-0x00007FF75B730000-0x00007FF75BA84000-memory.dmp

memory/3416-137-0x00007FF77D870000-0x00007FF77DBC4000-memory.dmp

memory/464-138-0x00007FF7091E0000-0x00007FF709534000-memory.dmp

memory/4412-139-0x00007FF725FC0000-0x00007FF726314000-memory.dmp

memory/2536-140-0x00007FF777980000-0x00007FF777CD4000-memory.dmp

memory/988-141-0x00007FF783940000-0x00007FF783C94000-memory.dmp

memory/3612-142-0x00007FF63C2D0000-0x00007FF63C624000-memory.dmp

memory/4836-143-0x00007FF614410000-0x00007FF614764000-memory.dmp

memory/1132-144-0x00007FF641F50000-0x00007FF6422A4000-memory.dmp

memory/1380-145-0x00007FF712880000-0x00007FF712BD4000-memory.dmp

memory/1876-146-0x00007FF67B820000-0x00007FF67BB74000-memory.dmp

memory/4740-147-0x00007FF79A260000-0x00007FF79A5B4000-memory.dmp

memory/5008-148-0x00007FF7ACAB0000-0x00007FF7ACE04000-memory.dmp

memory/1488-149-0x00007FF6D4400000-0x00007FF6D4754000-memory.dmp

memory/3444-150-0x00007FF6E9040000-0x00007FF6E9394000-memory.dmp

memory/4660-151-0x00007FF7B5FA0000-0x00007FF7B62F4000-memory.dmp

memory/1884-152-0x00007FF786250000-0x00007FF7865A4000-memory.dmp

memory/808-153-0x00007FF75B730000-0x00007FF75BA84000-memory.dmp

memory/764-154-0x00007FF672CE0000-0x00007FF673034000-memory.dmp

memory/2512-155-0x00007FF60BE90000-0x00007FF60C1E4000-memory.dmp

memory/4312-156-0x00007FF7E1E20000-0x00007FF7E2174000-memory.dmp

memory/3416-157-0x00007FF77D870000-0x00007FF77DBC4000-memory.dmp

memory/464-158-0x00007FF7091E0000-0x00007FF709534000-memory.dmp

memory/832-159-0x00007FF697950000-0x00007FF697CA4000-memory.dmp
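The memory-dump identifiers in both Files sections (behavioral1 above and behavioral2 here) follow one pattern, memory/<pid>-<sequence>-<start>-<end>-memory.dmp, and the dropped-file entries follow another: a path followed by MD5, SHA1, SHA256 and SHA512 lines. The script below is an added example, not part of the report. It parses an excerpt of each, computes the size of every dumped region, and turns the hash blocks into validated IOC lines. Two things fall out of the excerpt that also hold for the full lists printed above: every process-image region is exactly 0x354000 bytes on both the win7 run (bases around 0x13F...) and the win10 run (bases around 0x7FF6...), apart from one 0x10000 region in the parent, while the 21 dropped files all carry different hashes. Identical mapped size with differing hashes is worth a side-by-side comparison of the dropped files themselves; the report does not include one, so the example draws no conclusion about what differs.

```python
"""Parse memory-dump identifiers and dropped-file hash blocks from the Files sections."""
import re
from collections import Counter

# Dump identifiers copied from the behavioral1 and behavioral2 Files sections (excerpt).
DUMPS = """\
memory/308-34-0x0000000002270000-0x00000000025C4000-memory.dmp
memory/2632-35-0x000000013FFC0000-0x0000000140314000-memory.dmp
memory/3436-0-0x00007FF65D110000-0x00007FF65D464000-memory.dmp
memory/3436-1-0x000002BD7D260000-0x000002BD7D270000-memory.dmp
memory/4412-9-0x00007FF725FC0000-0x00007FF726314000-memory.dmp
memory/2536-14-0x00007FF777980000-0x00007FF777CD4000-memory.dmp
"""

# Two dropped-file hash blocks copied verbatim from the behavioral2 Files section.
FILE_BLOCKS = r"""
C:\Windows\System\NbsopgK.exe

MD5 89436a0fef3be3cd8f6b67421b1cb5ee
SHA1 beafa9369ac9b1426810ad5739164eb94877c29a
SHA256 2c74a5461bf0997fb164703deca914c9624b51aea14c5a19c7e7e3ecd9a91182
SHA512 bda4d0e16c15002826521bca21f82a804b693d865fc20be589bb03476d2b597adf0b97aeb178d9fa43dd5eb6caa693e929954f8304ac8969ea65619bce303d0c

C:\Windows\System\wnUnLzl.exe

MD5 b6ff8c395d11b9fefefed7477ba4cc8c
SHA1 c72e68b759eea6ce32ec5622a3d1f9746f3c40a8
SHA256 ad1a61aad4af419a12244688a688cd4e917edca492ebba50490cc8bf18afbdd3
SHA512 c420020f26787a82e89fa75ebdc712ade1c284766a6c0a0652d58119b215d2678f91ee33ecd3db501820f602f98abe9ba118421bafa0889a9c0879a9c72812ca
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_dumps(text):
    """Return dicts with pid, sequence number, start/end addresses and region size."""
    out = []
    for line in text.strip().splitlines():
        m = DUMP_RE.match(line)
        if not m:
            raise ValueError(f"unparsed dump identifier: {line!r}")
        pid, seq, start, end = m.groups()
        start, end = int(start, 16), int(end, 16)
        out.append({"pid": int(pid), "seq": int(seq), "start": start,
                    "end": end, "size": end - start})
    return out


def region_size_histogram(dumps):
    """How many dumped regions share each size; a dominant size is the mapped image."""
    return Counter(d["size"] for d in dumps)


def parse_file_blocks(text):
    """Parse 'path' blocks followed by hash lines; reject digests of the wrong length."""
    records, current = [], None
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        algo, _, digest = line.partition(" ")
        if algo in HASH_LEN and current is not None:
            digest = digest.lower()
            if len(digest) != HASH_LEN[algo] or any(c not in "0123456789abcdef" for c in digest):
                raise ValueError(f"bad {algo} digest for {current['path']}: {digest}")
            current[algo.lower()] = digest
        else:
            current = {"path": line}
            records.append(current)
    return records


def ioc_lines(records):
    """One 'sha256,path' line per dropped file, sorted, ready for a blocklist or hunt query."""
    return sorted(f"{r['sha256']},{r['path']}" for r in records)


if __name__ == "__main__":
    dumps = parse_dumps(DUMPS)
    for size, n in region_size_histogram(dumps).most_common():
        print(f"region size 0x{size:X}: {n} dump(s)")
    for line in ioc_lines(parse_file_blocks(FILE_BLOCKS)):
        print(line)
```

The digest-length check matters more than it looks: hash lists copied out of rendered reports are a common source of truncated or wrapped SHA512 values, and a blocklist built from them silently never matches.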