Malware Analysis Report

2025-01-22 19:19

Sample ID 240806-n97lqaseqh
Target 2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat
SHA256 24ae73feda96f01920850e38506ee05c8473f9ceb333483821ab28a60a9207bf
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

24ae73feda96f01920850e38506ee05c8473f9ceb333483821ab28a60a9207bf

Threat Level: Known bad

The file 2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Xmrig family

XMRig Miner payload

xmrig

Cobalt Strike reflective loader

Cobaltstrike

Cobaltstrike family

XMRig Miner payload

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 12:06

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 12:06

Reported

2024-08-06 12:09

Platform

win7-20240704-en

Max time kernel

139s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\IElrPPZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hSrERtG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YMgxckm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JzfsqDx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PmlKDUv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AhJVjkH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KpvAcWF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TQxNHHz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XNQatGW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ffujPBy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YmirsgI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lPbwqfx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FeFengD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RoYgLyz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jICCvQU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RsFArWn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bMXlnMQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zUOFRZR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BbmZgii.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nhDXfNu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BWmOhfO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 696 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lPbwqfx.exe
PID 696 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lPbwqfx.exe
PID 696 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lPbwqfx.exe
PID 696 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nhDXfNu.exe
PID 696 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nhDXfNu.exe
PID 696 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nhDXfNu.exe
PID 696 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BWmOhfO.exe
PID 696 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BWmOhfO.exe
PID 696 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BWmOhfO.exe
PID 696 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FeFengD.exe
PID 696 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FeFengD.exe
PID 696 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FeFengD.exe
PID 696 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JzfsqDx.exe
PID 696 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JzfsqDx.exe
PID 696 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JzfsqDx.exe
PID 696 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RoYgLyz.exe
PID 696 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RoYgLyz.exe
PID 696 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RoYgLyz.exe
PID 696 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jICCvQU.exe
PID 696 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jICCvQU.exe
PID 696 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jICCvQU.exe
PID 696 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IElrPPZ.exe
PID 696 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IElrPPZ.exe
PID 696 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IElrPPZ.exe
PID 696 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AhJVjkH.exe
PID 696 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AhJVjkH.exe
PID 696 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AhJVjkH.exe
PID 696 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PmlKDUv.exe
PID 696 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PmlKDUv.exe
PID 696 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PmlKDUv.exe
PID 696 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RsFArWn.exe
PID 696 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RsFArWn.exe
PID 696 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RsFArWn.exe
PID 696 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KpvAcWF.exe
PID 696 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KpvAcWF.exe
PID 696 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KpvAcWF.exe
PID 696 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bMXlnMQ.exe
PID 696 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bMXlnMQ.exe
PID 696 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bMXlnMQ.exe
PID 696 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TQxNHHz.exe
PID 696 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TQxNHHz.exe
PID 696 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TQxNHHz.exe
PID 696 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XNQatGW.exe
PID 696 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XNQatGW.exe
PID 696 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XNQatGW.exe
PID 696 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zUOFRZR.exe
PID 696 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zUOFRZR.exe
PID 696 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zUOFRZR.exe
PID 696 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ffujPBy.exe
PID 696 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ffujPBy.exe
PID 696 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ffujPBy.exe
PID 696 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hSrERtG.exe
PID 696 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hSrERtG.exe
PID 696 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hSrERtG.exe
PID 696 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BbmZgii.exe
PID 696 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BbmZgii.exe
PID 696 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BbmZgii.exe
PID 696 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YMgxckm.exe
PID 696 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YMgxckm.exe
PID 696 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YMgxckm.exe
PID 696 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YmirsgI.exe
PID 696 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YmirsgI.exe
PID 696 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YmirsgI.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\lPbwqfx.exe

C:\Windows\System\lPbwqfx.exe

C:\Windows\System\nhDXfNu.exe

C:\Windows\System\nhDXfNu.exe

C:\Windows\System\BWmOhfO.exe

C:\Windows\System\BWmOhfO.exe

C:\Windows\System\FeFengD.exe

C:\Windows\System\FeFengD.exe

C:\Windows\System\JzfsqDx.exe

C:\Windows\System\JzfsqDx.exe

C:\Windows\System\RoYgLyz.exe

C:\Windows\System\RoYgLyz.exe

C:\Windows\System\jICCvQU.exe

C:\Windows\System\jICCvQU.exe

C:\Windows\System\IElrPPZ.exe

C:\Windows\System\IElrPPZ.exe

C:\Windows\System\AhJVjkH.exe

C:\Windows\System\AhJVjkH.exe

C:\Windows\System\PmlKDUv.exe

C:\Windows\System\PmlKDUv.exe

C:\Windows\System\RsFArWn.exe

C:\Windows\System\RsFArWn.exe

C:\Windows\System\KpvAcWF.exe

C:\Windows\System\KpvAcWF.exe

C:\Windows\System\bMXlnMQ.exe

C:\Windows\System\bMXlnMQ.exe

C:\Windows\System\TQxNHHz.exe

C:\Windows\System\TQxNHHz.exe

C:\Windows\System\XNQatGW.exe

C:\Windows\System\XNQatGW.exe

C:\Windows\System\zUOFRZR.exe

C:\Windows\System\zUOFRZR.exe

C:\Windows\System\ffujPBy.exe

C:\Windows\System\ffujPBy.exe

C:\Windows\System\hSrERtG.exe

C:\Windows\System\hSrERtG.exe

C:\Windows\System\BbmZgii.exe

C:\Windows\System\BbmZgii.exe

C:\Windows\System\YMgxckm.exe

C:\Windows\System\YMgxckm.exe

C:\Windows\System\YmirsgI.exe

C:\Windows\System\YmirsgI.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/696-56-0x0000000002280000-0x00000000025D4000-memory.dmp

\Windows\system\AhJVjkH.exe

MD5 f795886f73de56a6e4151dc8f4be324d
SHA1 9d26c03983b9b3a5a151fafcf7e5d68210ac77e0
SHA256 39c69a5a71bc5275bc511f45500a68b242d742d0388877da5b585cfebf8664b3
SHA512 352fd238b40eeaf92811d23c78fe04b6f8a0926b85a49b552034234cc936cc96455d3d8ca02e1b311b0d108ab28c4ca171b221447482d1b4e1d269dd051fb0dc

memory/2724-54-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

memory/696-53-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/696-52-0x000000013F410000-0x000000013F764000-memory.dmp

memory/2576-51-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/696-59-0x000000013FC50000-0x000000013FFA4000-memory.dmp

memory/3000-50-0x000000013F410000-0x000000013F764000-memory.dmp

C:\Windows\system\IElrPPZ.exe

MD5 7f6682a0c72d1d5724052f2fde57f1fd
SHA1 e52fd401c034c56f5cebf425657169245e73470d
SHA256 24df30f99591ce986ec8b36129658cdba2c31b70c49275610383553a80f3b2c5
SHA512 db503f34560fb085fd80c5cef89b49ce6c3418cd9c220064acb994763c90c7347786b977fb10436ba5c41d3cbf6bd653e85aaa89b543db3c2748060bf7f6e610

C:\Windows\system\RoYgLyz.exe

MD5 528692f9f548805bdb3c8c4dd5454e30
SHA1 03fa9328a108bc56ceb718730649d7f2f1c9d031
SHA256 0956f3a48d17a0d9e2edbe4559c819a1a5633f3b1b53f12473478a712e1873f3
SHA512 21c58f5d5fde24a90ecdff60576042d1fd901131f4050f39dfb6b0aa4e7440451c73504ee4884a668415c031d01c26d662066563e4b183cb1ea30b1a4641ff23

C:\Windows\system\jICCvQU.exe

MD5 fe4ed8fbc693372e44052208856d4208
SHA1 88e6b33ab2d3aa81dd50795e1722b55141985925
SHA256 094c532509ae5a236db5562a9817e13f6289e20e3c979558b3bdd723ab6d3ec4
SHA512 49416604625a0c0651f93b43dd47ef69c0e5231dabc2db632939b3e2244f7bf6bbdbad47a59a71fb790e11f788303ec1160e8203f4d8c3ccdb531dc00bfeb662

memory/696-42-0x0000000002280000-0x00000000025D4000-memory.dmp

memory/2784-37-0x000000013FC50000-0x000000013FFA4000-memory.dmp

memory/1848-33-0x000000013FEB0000-0x0000000140204000-memory.dmp

C:\Windows\system\JzfsqDx.exe

MD5 a85bf9aafaf28da78c181db9632e348c
SHA1 03f58cebc11e880bfe3742de0f8031677abd9a38
SHA256 b8336fe6b6416abdaa64e8b85f1e6ed93d0059f2a3687821c1a2eebb6ef084d4
SHA512 8678e1890faf257a521c551089f33fa0f27da60e7da4525e0945cdac551a7164fa1647b6dd7789d73839c8df5e397b81d601f44898c07b3bca8cec1a96dc9568

C:\Windows\system\FeFengD.exe

MD5 2347581441d51024f53c00c39f8276a4
SHA1 e1618f79638eba02c3b24dc0f1cd54fd989193a3
SHA256 510cd8158b4fbf5cc1ee40bc467b290f1ee3d100d3ace00de67a3a65e940e6fe
SHA512 0f30776003c87fdaa818883897b2cd6e2b99653822a6d50c3623789fa595c31e0ebbd6b2599edb2e6721fbd2b82df99009f141737ba583573d1d423e168339ee

memory/2984-21-0x000000013FAE0000-0x000000013FE34000-memory.dmp

memory/696-23-0x0000000002280000-0x00000000025D4000-memory.dmp

memory/696-20-0x0000000002280000-0x00000000025D4000-memory.dmp

C:\Windows\system\BWmOhfO.exe

MD5 734b2a77432c5285cd811980a13f6c39
SHA1 ca164cdfd14a4fbf9d6f7c0551567ac7620fac0f
SHA256 600eaeb9cc4143720ab04553358d0b30e92d71a16cc19ec85c1d19a17e534ae6
SHA512 d02b72b11cdc9f86d4c2ef8e68718623e0f86f1ba81c130b865ede940e954dfbf2c62dcfd2b390b3f8dc66dbb394b4389762f8d694f3fee43d9f6dd19f374e65

memory/3064-14-0x000000013F040000-0x000000013F394000-memory.dmp

memory/696-13-0x000000013F040000-0x000000013F394000-memory.dmp

C:\Windows\system\nhDXfNu.exe

MD5 d24455962b1f9ce3e5d244c54ba8d334
SHA1 8f1b34988c66d6d57e58b6be008e6b3aebe7f3a0
SHA256 cbf1d166568f476e40a7557279f47fb118f8e680d49ebaf5c2c469413a58a31a
SHA512 d38510724fcb7c08b251eca4dea77cfea65a795857facfbed1539bb9acca3980a65697dfa639f7eec56c83623185699ee6d9f9d74766b4b63076021c5949b55f

C:\Windows\system\lPbwqfx.exe

MD5 c9d50a8cc9610503e475a09fd02df996
SHA1 aa7c532f9108743b190fb526df9f4b4effe5db03
SHA256 f4e49cd76631a739f9d42359f890807a281147cd5a860d792dbe0387d2bcad0f
SHA512 067349ca4a8b2302065e97039d3484d5467fe0a66ff0fea83c065fe6668c1cdf30bf941f872b6aecae4cba96ce3dc9a47a5785f9fe190c0a753a9d1d48618110

memory/696-6-0x000000013F830000-0x000000013FB84000-memory.dmp

memory/696-1-0x00000000000F0000-0x0000000000100000-memory.dmp

memory/696-0-0x000000013FC50000-0x000000013FFA4000-memory.dmp

\Windows\system\bMXlnMQ.exe

MD5 6f3f900d3492b4556edbd97c970ccfdb
SHA1 176922d6a28466e9fd602e2af324407f5c9c2a52
SHA256 4e72baf6b4771cd38b91cf79148c14b9d05bf63b23a2d733caec6228342bc2f6
SHA512 8c2a82a83495bd1a0e527e16823c9244b604f417cb94d5a267be0b1433af8bee3375f9723056e7b9ae9224fb8d45bf20062822fdddd60a772a3e8e44a6298d8a

memory/696-89-0x0000000002280000-0x00000000025D4000-memory.dmp

C:\Windows\system\YMgxckm.exe

MD5 0b1d475d6ae8e3cdcecd3dad52a198c8
SHA1 78734acd7312df43ccc59834d5c3cdae29a75f03
SHA256 f6a595d8eec241d976f692c2932a0bb12c68aa8c022874ce1fd52cd1d96563a2
SHA512 fc1a9523a9a804ab61eeac4b7a8849c2d9b478b42c482981e10a29d8d426502f9a416f29af472080552110de9b300d4993fd54056b49540ac03a53bedb5e1d73

C:\Windows\system\hSrERtG.exe

MD5 1a9985a395f675a3f8b142db77c5f8cc
SHA1 51b8e0e628403f9519ef7e36b73ec93e2a5fa222
SHA256 7d619afd7b051a526257d3128cecda94b8670fcc9ff68a5a76df37d9bb01d612
SHA512 fa6380ad6b8caeba9bdb0a8e93fa8601449ed705093b397dfc013ee6e51b78d6d8c640515133bda74fa337eed6e019c08ade24658e58ad81b98d7e800c2c734f

C:\Windows\system\ffujPBy.exe

MD5 5322be8fb45832c905d21e15baad3d40
SHA1 c931fea182a22e3a3e92b7f39ca2e09b462e4b3a
SHA256 042b25481d2945382aaeacff3301d843b6372e01e61ee796cd0cd04d7c2557af
SHA512 02603d8650aa2ccb282146f8534facaa72146e327d5feb70a2bc6bc311ebe3c6ebadc75ebb22931f63c2ba85af3ca1850135afbb7b37a825346934252d095fc5

C:\Windows\system\BbmZgii.exe

MD5 672e55b19eb3172f1c5394139b976b17
SHA1 708d0b99d0f2e7ac8c6674779205af81709a9bb2
SHA256 5cc55d938d1eb7de6c549227ddcdb14f00826c3177439eab62c58be5761b944d
SHA512 1b7844bfe97b4d1c16dfde11cb280f1e69decefb7d1e1072e5b7697f20a4c7df2791d1247d1843101a65974f023c8487fad93c31b5580a9c4166be20d18423ff

\Windows\system\YmirsgI.exe

MD5 e6f74d27e7321e92fd1e0f141a21714b
SHA1 fed7cb1a0033ca887b3249e013cabbe742aac4dc
SHA256 7aae7867a8749a468627f770a515d515e2fe0ec953d08ff46f12ea5a7b412bb9
SHA512 2cc8cffaf2b7c28a350596fad92ec7a1d80e8b6b12b069d6501f7d0de0335ee83416a522838617e735548cd7d67f4ecde981f1e69099eeb51689bc56d59324e3

memory/696-103-0x0000000002280000-0x00000000025D4000-memory.dmp

C:\Windows\system\zUOFRZR.exe

MD5 999976ee2acd53430a472f1d844995c0
SHA1 b94deaead82da0b222581d7b194c46efa5ccf35f
SHA256 143f0464863880a0f30bd89f71055aded9342f92dc2b3786395607f53ade7f58
SHA512 94f28f88d602b214c9dcfabfa89566321a2e146cbf339b5954449694e774275daa13bd1baea33642f952c8df38dd1db20a3c13346b399cb14d1753fdc2e53021

C:\Windows\system\TQxNHHz.exe

MD5 124ec58acbe899143de4ac477169c759
SHA1 d72ed9d1e71fab50fa97caeb1fa51e7a224062c5
SHA256 13594b9285092c111adb5cb17383f76efe1f79f338327c181e9063761fcbe4d8
SHA512 a5b91d17a5f710ef4f03231f84ffca4ab5a9be1332875c8c803bcc2c19ab9cad97c5cbbd1f58e1d691d2a23a560d53e4adbb126814a9d921725e66fd1cbf0887

C:\Windows\system\KpvAcWF.exe

MD5 1e7018bd6c78d4cfc652dd1b82e19d3c
SHA1 680249006b9cbd1e70f990cace3146f02395ee8b
SHA256 13b190549d93c6280dbba58d9b81019dcbe62a67b4b598bd28c51e99d4d43ca6
SHA512 a21964bc5b2892d46d0d11dd12e4360bb96ce9adb60e71bccd4a7b9f48a7214f85927ff1a00d3638beca7497ae7c6938410d30a51ac56cc875b2f0d973f7ffd2

C:\Windows\system\XNQatGW.exe

MD5 a29d70108fcf8113984064a0b25e5466
SHA1 f433c0e4b2e7313e26342ca8a879702698e94dfc
SHA256 660bf8f67b0f995d5defb5039b9f274ae9be418b171a41d35d4631a11d8a6516
SHA512 6bcc0ae87918c2a16f86643fd0030188cedd029bcec65a104fda4a632ca23e51afc514c104e20804a82548baca5e0698913631b2e8cde1489cb00289e518e10c

C:\Windows\system\PmlKDUv.exe

MD5 77bed8be487f800e199e1afe365d65de
SHA1 c3b78844c1f208afaee0f092239d2685378cb2ee
SHA256 62ad222be711072240dae9c72c54687f84f238b69f9a1fb2e2468d0e338cffe5
SHA512 a66aa1dff234c909cd09357a4f4a8debe825aa784501941e5a3663d6b8fea703b115acca4bd0f3825bc85cbf31420b51d6bdde89d02de5f230f82a3da191be09

memory/696-116-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/3000-115-0x000000013F410000-0x000000013F764000-memory.dmp

C:\Windows\system\RsFArWn.exe

MD5 694df583b091a24dce91045ef6019bde
SHA1 8880d728fae3cb6cb4d472d155863bed901e8877
SHA256 cc15ff8dd631ff527552bdacfffe621f83cfe69507f83bc25c5fb80979352890
SHA512 541c885d2d9a5b708e0dc2dbdd816d4e8c51214c74799ef008d2714179938cf018adafabe87fe4ec4ea8d9e229b5412fb0fcae19826535aed4fb83e7b2c5c4da

memory/696-112-0x000000013F2C0000-0x000000013F614000-memory.dmp

memory/696-111-0x0000000002280000-0x00000000025D4000-memory.dmp

memory/696-108-0x000000013F490000-0x000000013F7E4000-memory.dmp

memory/696-94-0x0000000002280000-0x00000000025D4000-memory.dmp

memory/2784-92-0x000000013FC50000-0x000000013FFA4000-memory.dmp

memory/2984-85-0x000000013FAE0000-0x000000013FE34000-memory.dmp

memory/696-83-0x000000013F8F0000-0x000000013FC44000-memory.dmp

memory/2724-138-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

memory/696-77-0x000000013F1F0000-0x000000013F544000-memory.dmp

memory/3064-74-0x000000013F040000-0x000000013F394000-memory.dmp

memory/696-72-0x000000013F040000-0x000000013F394000-memory.dmp

memory/2852-69-0x000000013FB80000-0x000000013FED4000-memory.dmp

memory/3040-63-0x000000013F830000-0x000000013FB84000-memory.dmp

memory/696-139-0x0000000002280000-0x00000000025D4000-memory.dmp

memory/2852-141-0x000000013FB80000-0x000000013FED4000-memory.dmp

memory/696-142-0x000000013F1F0000-0x000000013F544000-memory.dmp

memory/696-143-0x000000013F8F0000-0x000000013FC44000-memory.dmp

memory/696-144-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/3040-145-0x000000013F830000-0x000000013FB84000-memory.dmp

memory/3064-146-0x000000013F040000-0x000000013F394000-memory.dmp

memory/2984-147-0x000000013FAE0000-0x000000013FE34000-memory.dmp

memory/1848-148-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/2784-149-0x000000013FC50000-0x000000013FFA4000-memory.dmp

memory/2576-150-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/2724-151-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

memory/3000-152-0x000000013F410000-0x000000013F764000-memory.dmp

memory/2852-153-0x000000013FB80000-0x000000013FED4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 12:06

Reported

2024-08-06 12:09

Platform

win10v2004-20240802-en

Max time kernel

139s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\WlBYoVy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\woIStWd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nEObYgj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TxDUhfL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HQwfhxj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kONtrxR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\neioIIx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aUnxHRK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wdDsNmV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mImleBH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ozDbAGq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aLXnNRu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CHrrQwn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eOWEZSL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kgqGArZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZaUnLls.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uJAsPKJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jUCTMgY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oMlZeRi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IrDJYIT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ttzmnGV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5088 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ozDbAGq.exe
PID 5088 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ozDbAGq.exe
PID 5088 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HQwfhxj.exe
PID 5088 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HQwfhxj.exe
PID 5088 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kONtrxR.exe
PID 5088 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kONtrxR.exe
PID 5088 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\neioIIx.exe
PID 5088 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\neioIIx.exe
PID 5088 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZaUnLls.exe
PID 5088 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZaUnLls.exe
PID 5088 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TxDUhfL.exe
PID 5088 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TxDUhfL.exe
PID 5088 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ttzmnGV.exe
PID 5088 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ttzmnGV.exe
PID 5088 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aLXnNRu.exe
PID 5088 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aLXnNRu.exe
PID 5088 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uJAsPKJ.exe
PID 5088 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uJAsPKJ.exe
PID 5088 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jUCTMgY.exe
PID 5088 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jUCTMgY.exe
PID 5088 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oMlZeRi.exe
PID 5088 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oMlZeRi.exe
PID 5088 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CHrrQwn.exe
PID 5088 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CHrrQwn.exe
PID 5088 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aUnxHRK.exe
PID 5088 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aUnxHRK.exe
PID 5088 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wdDsNmV.exe
PID 5088 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wdDsNmV.exe
PID 5088 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WlBYoVy.exe
PID 5088 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WlBYoVy.exe
PID 5088 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IrDJYIT.exe
PID 5088 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IrDJYIT.exe
PID 5088 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\woIStWd.exe
PID 5088 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\woIStWd.exe
PID 5088 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eOWEZSL.exe
PID 5088 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eOWEZSL.exe
PID 5088 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mImleBH.exe
PID 5088 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mImleBH.exe
PID 5088 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nEObYgj.exe
PID 5088 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nEObYgj.exe
PID 5088 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kgqGArZ.exe
PID 5088 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kgqGArZ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\ozDbAGq.exe

C:\Windows\System\ozDbAGq.exe

C:\Windows\System\HQwfhxj.exe

C:\Windows\System\HQwfhxj.exe

C:\Windows\System\kONtrxR.exe

C:\Windows\System\kONtrxR.exe

C:\Windows\System\neioIIx.exe

C:\Windows\System\neioIIx.exe

C:\Windows\System\ZaUnLls.exe

C:\Windows\System\ZaUnLls.exe

C:\Windows\System\TxDUhfL.exe

C:\Windows\System\TxDUhfL.exe

C:\Windows\System\ttzmnGV.exe

C:\Windows\System\ttzmnGV.exe

C:\Windows\System\aLXnNRu.exe

C:\Windows\System\aLXnNRu.exe

C:\Windows\System\uJAsPKJ.exe

C:\Windows\System\uJAsPKJ.exe

C:\Windows\System\jUCTMgY.exe

C:\Windows\System\jUCTMgY.exe

C:\Windows\System\oMlZeRi.exe

C:\Windows\System\oMlZeRi.exe

C:\Windows\System\CHrrQwn.exe

C:\Windows\System\CHrrQwn.exe

C:\Windows\System\aUnxHRK.exe

C:\Windows\System\aUnxHRK.exe

C:\Windows\System\wdDsNmV.exe

C:\Windows\System\wdDsNmV.exe

C:\Windows\System\WlBYoVy.exe

C:\Windows\System\WlBYoVy.exe

C:\Windows\System\IrDJYIT.exe

C:\Windows\System\IrDJYIT.exe

C:\Windows\System\woIStWd.exe

C:\Windows\System\woIStWd.exe

C:\Windows\System\eOWEZSL.exe

C:\Windows\System\eOWEZSL.exe

C:\Windows\System\mImleBH.exe

C:\Windows\System\mImleBH.exe

C:\Windows\System\nEObYgj.exe

C:\Windows\System\nEObYgj.exe

C:\Windows\System\kgqGArZ.exe

C:\Windows\System\kgqGArZ.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 3.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/5088-0-0x00007FF718560000-0x00007FF7188B4000-memory.dmp

memory/5088-1-0x000001B5D6D80000-0x000001B5D6D90000-memory.dmp

C:\Windows\System\HQwfhxj.exe

MD5 46ff3292092eec90a0b7bbf397fd0568
SHA1 6c3f5eebe4fa7481fc56871cd3668444ad6e69d4
SHA256 78fad050bdd67eccd9fa1a29bf61edc113c85ad40ae15720e76cf19d22a8d6a9
SHA512 5c509c46e5f16c46c26bc683a3e2d28cbdf17bb68486c957d0e127607cd5951257cfe000d3644da98202b66d633eaca292dbe9f5b30c1ba834a1af453e10c5bc

C:\Windows\System\kONtrxR.exe

MD5 cd925b4514239c2511eaad5ae0759baa
SHA1 8c95812e1b5cff8785eca306503d302dc022847f
SHA256 78dbe2d6ed1d7f390eff3ddb6474206d788fcfc8dc88c6db6447df90cf22d138
SHA512 cbc02777b399184b89b32d5a43e6f1a67ed01fee6eb63c6fb78acf4d6a397eaff00ef3bf0f08d157f4b94680c470bcdd6a7d8c36d4da3167d1aecfcc8cd5c810

memory/1044-14-0x00007FF703410000-0x00007FF703764000-memory.dmp

memory/1404-6-0x00007FF77D810000-0x00007FF77DB64000-memory.dmp

memory/3520-20-0x00007FF610650000-0x00007FF6109A4000-memory.dmp

C:\Windows\System\ozDbAGq.exe

MD5 236135708a2f90a28f836ad5242e00b9
SHA1 a9ca361bbb418bf8df228f023d9cb3a1a64062e7
SHA256 7c55608f2356d16838719a9a3e57800c1854e789fb5fcac72964ab0d9bd0e274
SHA512 5df321679555c150abd274f5ecaff80d495563c01cc75100f2e7d7e05704196ccfb71e56f8305cbeecf967babf2cdbb895d67b3e4bfa0d1e85dca41db1044da2

C:\Windows\System\neioIIx.exe

MD5 d0fb26280d4fb4a6616f69033581ef6f
SHA1 a03ecd16f7811a6a8e75adbdb753069278c8de72
SHA256 13b97b72d6f5701451341910aab97aad2463f39a5881f6d80c6c1ed779248a35
SHA512 e1494291da2d1dd4dec0cc794bb116d27f231aa3e3a6680622320f46a8fb8bd238b1a7ff3ec0d276078cb99b54284fee717a71f9c200945e7406e75fdf94c769

C:\Windows\System\ZaUnLls.exe

MD5 fa7be5a49e60f5aa1a2e6b443ea13bca
SHA1 8b0aabe8bb17fe3dadb4a9de3efa476d6151bfad
SHA256 77b83ba5fed587f53e2a78da34bd1798620a203e44136233d3a6cafdaf518220
SHA512 ec0550a09cbe181c25ead301204e8fbe04be1e0b8e9ad8f7aec7d86da1b8303f2dd716f6903d743af48a3118b988a5e381d69f96e3aca14a48d041ac44ea8980

memory/3644-37-0x00007FF616C90000-0x00007FF616FE4000-memory.dmp

C:\Windows\System\TxDUhfL.exe

MD5 9f764fed658fc54f13e84b0317dc4ad3
SHA1 a593b84612a39e659cae92c8760debedacefaa38
SHA256 fcfc316b97b6a5337952c01b3e217b72e9e6b75584061d4c389b5f6c4282212a
SHA512 0c4af0a2e9fe153317e26b3e53a00f08152c750365322980c59060008a11f9aec6efc9bf7f6d86746648bcdc4ed4eabe966e45b9f229d49a3b75b6e48aedefe7

C:\Windows\System\ttzmnGV.exe

MD5 eb6e200fed610f4d341174d6b84f815b
SHA1 ce8f81a02036aba1ef0f3485f3673adef3cf1f8c
SHA256 6a3cf2b9e51ad35eb436b49a39149a99f848bb7d69a45fb6d4517ecc503cc885
SHA512 9483382d7f60d570224b62bd6463acaf1dbc9db81cfa6c061c74fdb5d2e943bd78be3f3879b1e913ff9741dc0a87cb6a90e058962023dc3414c69413f7333a6a

C:\Windows\System\aLXnNRu.exe

MD5 7e83a03ab5697b3fa84f87e7d6612090
SHA1 d9d9ae6db9405ecb40b4a23d5b6fd101b5516271
SHA256 c1197d9628afbd88d3cf206ae1c067cde41674308935fc6ecdc43c2cf9f12b62
SHA512 780401b24ed4223c6e8d5b9343cdabaed8fd0243619e1b7231b4efe4f79e49de023aef8afd5879163ab548a6840b2f0ca3294fbca7d40888f41ada7c03b292e6

memory/2860-44-0x00007FF701080000-0x00007FF7013D4000-memory.dmp

memory/1016-39-0x00007FF6EF290000-0x00007FF6EF5E4000-memory.dmp

memory/1872-26-0x00007FF735E70000-0x00007FF7361C4000-memory.dmp

C:\Windows\System\uJAsPKJ.exe

MD5 56354a5d74d6f0ae62eeb106b5f5b79b
SHA1 6df46d5e93b1b76460e56055bbce3a8f051febd3
SHA256 8c8bde2b5aa5683a2beec01d2e65760b5d672b8189e4cf1b56516dc3049d3248
SHA512 bd069b7f097c92013c73c4dcc34faa601a302998af0f8f99b48e5ea728bbf4ed05756baad44c862bcfdeae27a57b62f9e3c9bdd3407872fc2674a683b317bb2b

memory/1076-56-0x00007FF653880000-0x00007FF653BD4000-memory.dmp

memory/4572-50-0x00007FF6FA460000-0x00007FF6FA7B4000-memory.dmp

memory/2436-63-0x00007FF64EA80000-0x00007FF64EDD4000-memory.dmp

memory/5088-62-0x00007FF718560000-0x00007FF7188B4000-memory.dmp

C:\Windows\System\CHrrQwn.exe

MD5 54e87bf79b843ebaff7989bde1fd595c
SHA1 acf9ce1a5fad6a9d6a412b631ede062181b5fc38
SHA256 d8f49a08e2e66c909e444148283a1b1c204883ee765b5fd6a950f08d44f6f052
SHA512 c3e95f1a73fc23601931c4f136eea0d6b797858175a6ce0fe55541ad04e5dea2a130dcb75923c0092ef4b71f40fa884d4c99fb5c86740c788b4afbc727f5949d

memory/2244-71-0x00007FF7F12C0000-0x00007FF7F1614000-memory.dmp

memory/1404-69-0x00007FF77D810000-0x00007FF77DB64000-memory.dmp

C:\Windows\System\oMlZeRi.exe

MD5 e0aa3f52d8fd44754f196aa3008c6679
SHA1 747ac58f21210df4462a04cde82abc9b2f7bacd5
SHA256 99f1b4e55db9efa3576ff253b7a25a581a2111149b77f6f66a10ed67f662ee4f
SHA512 ad7cfeaf4251655b9836f09a6440553f9ffea4525fa6237fb5fe88afd5ab33348fa6618eb7ccb7618b702bc853a5d3696df804b9f01e005d8048a2657f1ff33f

C:\Windows\System\jUCTMgY.exe

MD5 aa9cb28b5993c40dc41ac3b1029128ea
SHA1 ef8ccb0a8d87b054d5ce96d45171ec1b94007f7c
SHA256 320c677a8f015818c7d2b4ec8e663adf2fda5ce14646d8736c05051fb119f905
SHA512 7106fca0905c229313d9232f045d293fa0a6115a18fe7d2a7a8696655a5a34106133616eb188009582ca38611ca6a4f845688f05ac36e30473d0cf3752f74e6a

memory/3488-76-0x00007FF65DE10000-0x00007FF65E164000-memory.dmp

C:\Windows\System\aUnxHRK.exe

MD5 3c20e2f09329685c00e4ac2fb1696aab
SHA1 cbab31cb01fb38f270c48f218afbf24a04fca987
SHA256 e9a05b02d3d95660bfd72a9ed880b7432386442aae555cbdb85516e31d44d0ed
SHA512 dbbe38a5dfd044f3ce91cb69a68ff92055cdb323a4023a661b4f4d593bd7bd1ecfca34dd43419653fea0b996b8b4b55a2ecdebb8af539079b3a8f3902238f55b

memory/2748-82-0x00007FF64CDC0000-0x00007FF64D114000-memory.dmp

C:\Windows\System\wdDsNmV.exe

MD5 acd0c0796bc8ff2e5c10b3d64e43d925
SHA1 b6561480c60a4c0dcdfc647077f366f7d6e52b76
SHA256 b5102e5dc16b9e2466d417e7768cb84764d03c7e89c3e788f5f9c8c53b84bcd9
SHA512 b544a05c40f0fdbc723b078142c5283bef3de24e2b41e2d63251da527c3154c93c1f18ccbdbe91077b01e12b1fd6481b55e70d4bf90d30fabf980a887accc085

C:\Windows\System\woIStWd.exe

MD5 b5025848cd045d759170a76e2d303429
SHA1 8a0fba43623247abd20388b66928d5c625add531
SHA256 6fd74edb93af36626678d5bbbf91c8ea93249428fc6951e0610b1efc49e75841
SHA512 287ffe33772f5b6587fc0119797d50f060def7e1663517f7453b13a5bbab495882bb5d6c7d89386dc9b26f22c0bb9652ff7e95b0ff38d17d2fa5be5f086da365

memory/1548-102-0x00007FF6C7DF0000-0x00007FF6C8144000-memory.dmp

C:\Windows\System\IrDJYIT.exe

MD5 2ca4cfdf458f59dc6ed71bc9b1b28e4c
SHA1 f2cdaf0194db2ce17c7f982ed720eabd4c50eb24
SHA256 e7b9a486ae43b4cd3f50012ab7019d8e58345df156421e029f64376382d7938b
SHA512 0ea3a3fc4a49371d1cf7a7fa2292086ed922142cd88ff5aabe2b2f7caa792eb09abb4882afd02af5abd8ca8767134a04284f040de8956bc717b39940d6ef4fe7

memory/5020-97-0x00007FF64E3C0000-0x00007FF64E714000-memory.dmp

C:\Windows\System\WlBYoVy.exe

MD5 a27cc97bf70a72454341be51915948eb
SHA1 97d3d4327270771df5f6bc3bb253a90edc7f94c5
SHA256 2b7295960cf2907d73cb902f90db6b504943f3fe4cc9c88f3a33d3dc7d1e5d94
SHA512 c7f1331da0066e29f9985adfebeb213cc2429703dfe631a2338073e6d156750dde8fbcdfa8d9e0deaf2c5ad9cd57cb345be19e3d5569577da0ad2364d5bf28b3

memory/1364-87-0x00007FF7E1A50000-0x00007FF7E1DA4000-memory.dmp

C:\Windows\System\eOWEZSL.exe

MD5 19ed8af8abfcb20aaeb827845ee40100
SHA1 243e420ec474cebdccf8434e93d87e3d26b40b76
SHA256 4701cc4dfa185709173cc33128ef380b6b56e833691dbc40e04c3ed18f9eff11
SHA512 387186e259e78c80266361b24d4718e5462937508a2baf4bfcb3322e6740570fb020e37aea951d2396424eaa396207fc8a344884504605d91817a95d0e397b6a

C:\Windows\System\mImleBH.exe

MD5 2117e8ff3c598780e9474c730e1ac1ef
SHA1 fd0b3ba0e6ce2e6016ed49da2560640ff0bbcae0
SHA256 c668db16f120c232f0ae3e494722e25d48ccc667a37e8bfe5bd879d497878108
SHA512 ae00dd4dfeb74814f1223b710f7b25c6da53ee37abcd2324e7bedd3024d2ae23e54e974b43a7b991e81d56abaf9268a2df50990bb620c9826e649a216b983fd4

C:\Windows\System\nEObYgj.exe

MD5 12004a9e07bbf1f57a34d6edd2510d0a
SHA1 9c687a93eb94df545b223c2211ceb1d47e1a756c
SHA256 d2f3c07b8ca68ad377a1da5636239306e98d777d415118d415036804da23fb32
SHA512 a6b2c42fbde86af19f5a77e59236a5af0a839ee2aef261359528467d7d05046345af176b1b50d5e3b8d236b2e04f5c7de178e7ed3379f7aedc61f346de926b92

memory/3184-121-0x00007FF7CF450000-0x00007FF7CF7A4000-memory.dmp

memory/3624-120-0x00007FF6A4450000-0x00007FF6A47A4000-memory.dmp

memory/2584-112-0x00007FF74A860000-0x00007FF74ABB4000-memory.dmp

memory/1544-108-0x00007FF6F7A30000-0x00007FF6F7D84000-memory.dmp

C:\Windows\System\kgqGArZ.exe

MD5 39eeb67c60b5f755375a28c2423f4161
SHA1 e25dd5e504c930a0cd663536e7e78f2ae18ab94b
SHA256 425234893672113dcb20b04a5823d00805ee41e701e657943272fa56338ac6c3
SHA512 0c19dd82bdd0587630d2a07c4ac52fdda5302e7fb67097dc95702d735bd2e636fe8e8208298a6882f83ed8e3150e2aa66b2f30dc7fc143dc6fde2f33a695f658

memory/4700-129-0x00007FF6C7F10000-0x00007FF6C8264000-memory.dmp

memory/1364-130-0x00007FF7E1A50000-0x00007FF7E1DA4000-memory.dmp

memory/1548-131-0x00007FF6C7DF0000-0x00007FF6C8144000-memory.dmp

memory/2584-132-0x00007FF74A860000-0x00007FF74ABB4000-memory.dmp

memory/3184-133-0x00007FF7CF450000-0x00007FF7CF7A4000-memory.dmp

memory/1404-134-0x00007FF77D810000-0x00007FF77DB64000-memory.dmp

memory/1044-135-0x00007FF703410000-0x00007FF703764000-memory.dmp

memory/3520-136-0x00007FF610650000-0x00007FF6109A4000-memory.dmp

memory/1872-137-0x00007FF735E70000-0x00007FF7361C4000-memory.dmp

memory/3644-138-0x00007FF616C90000-0x00007FF616FE4000-memory.dmp

memory/1016-139-0x00007FF6EF290000-0x00007FF6EF5E4000-memory.dmp

memory/2860-140-0x00007FF701080000-0x00007FF7013D4000-memory.dmp

memory/4572-141-0x00007FF6FA460000-0x00007FF6FA7B4000-memory.dmp

memory/1076-142-0x00007FF653880000-0x00007FF653BD4000-memory.dmp

memory/2436-143-0x00007FF64EA80000-0x00007FF64EDD4000-memory.dmp

memory/2244-144-0x00007FF7F12C0000-0x00007FF7F1614000-memory.dmp

memory/3488-145-0x00007FF65DE10000-0x00007FF65E164000-memory.dmp

memory/2748-146-0x00007FF64CDC0000-0x00007FF64D114000-memory.dmp

memory/1364-147-0x00007FF7E1A50000-0x00007FF7E1DA4000-memory.dmp

memory/5020-148-0x00007FF64E3C0000-0x00007FF64E714000-memory.dmp

memory/1544-149-0x00007FF6F7A30000-0x00007FF6F7D84000-memory.dmp

memory/1548-150-0x00007FF6C7DF0000-0x00007FF6C8144000-memory.dmp

memory/2584-151-0x00007FF74A860000-0x00007FF74ABB4000-memory.dmp

memory/3624-152-0x00007FF6A4450000-0x00007FF6A47A4000-memory.dmp

memory/3184-153-0x00007FF7CF450000-0x00007FF7CF7A4000-memory.dmp

memory/4700-154-0x00007FF6C7F10000-0x00007FF6C8264000-memory.dmp