Malware Analysis Report

2025-01-22 19:17

Sample ID 240806-n9r62aseqb
Target 2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat
SHA256 32bea1a93568beea3d28a9a57cb7c625f7aa8a84d756670959a8b37f6a8f066b
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

32bea1a93568beea3d28a9a57cb7c625f7aa8a84d756670959a8b37f6a8f066b

Threat Level: Known bad

The file 2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Xmrig family

XMRig Miner payload

Cobaltstrike family

xmrig

Cobaltstrike

Cobalt Strike reflective loader

XMRig Miner payload

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 12:06

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 12:06

Reported

2024-08-06 12:08

Platform

win7-20240705-en

Max time kernel

137s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\olIanOK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yrHxEXD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cmERpLK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jlQPmhF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IENcHmi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wegBSYA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ASvRXOq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PtQZTzm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hnyOhwM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ukNtExt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mtrflqS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ddEVjBV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JfKcxEW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GkcZDwI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RVfEpwi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\utVCfwk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PZqwSKC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\garHjPg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CtaXGKo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EhUYiGb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VsyWXoJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 580 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ASvRXOq.exe
PID 580 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EhUYiGb.exe
PID 580 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PtQZTzm.exe
PID 580 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ukNtExt.exe
PID 580 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\olIanOK.exe
PID 580 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JfKcxEW.exe
PID 580 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yrHxEXD.exe
PID 580 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GkcZDwI.exe
PID 580 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cmERpLK.exe
PID 580 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VsyWXoJ.exe
PID 580 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jlQPmhF.exe
PID 580 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RVfEpwi.exe
PID 580 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IENcHmi.exe
PID 580 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wegBSYA.exe
PID 580 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\utVCfwk.exe
PID 580 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mtrflqS.exe
PID 580 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PZqwSKC.exe
PID 580 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ddEVjBV.exe
PID 580 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\garHjPg.exe
PID 580 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CtaXGKo.exe
PID 580 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hnyOhwM.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\ASvRXOq.exe

C:\Windows\System\ASvRXOq.exe

C:\Windows\System\EhUYiGb.exe

C:\Windows\System\EhUYiGb.exe

C:\Windows\System\PtQZTzm.exe

C:\Windows\System\PtQZTzm.exe

C:\Windows\System\ukNtExt.exe

C:\Windows\System\ukNtExt.exe

C:\Windows\System\olIanOK.exe

C:\Windows\System\olIanOK.exe

C:\Windows\System\JfKcxEW.exe

C:\Windows\System\JfKcxEW.exe

C:\Windows\System\yrHxEXD.exe

C:\Windows\System\yrHxEXD.exe

C:\Windows\System\GkcZDwI.exe

C:\Windows\System\GkcZDwI.exe

C:\Windows\System\cmERpLK.exe

C:\Windows\System\cmERpLK.exe

C:\Windows\System\VsyWXoJ.exe

C:\Windows\System\VsyWXoJ.exe

C:\Windows\System\jlQPmhF.exe

C:\Windows\System\jlQPmhF.exe

C:\Windows\System\RVfEpwi.exe

C:\Windows\System\RVfEpwi.exe

C:\Windows\System\IENcHmi.exe

C:\Windows\System\IENcHmi.exe

C:\Windows\System\wegBSYA.exe

C:\Windows\System\wegBSYA.exe

C:\Windows\System\utVCfwk.exe

C:\Windows\System\utVCfwk.exe

C:\Windows\System\mtrflqS.exe

C:\Windows\System\mtrflqS.exe

C:\Windows\System\PZqwSKC.exe

C:\Windows\System\PZqwSKC.exe

C:\Windows\System\ddEVjBV.exe

C:\Windows\System\ddEVjBV.exe

C:\Windows\System\garHjPg.exe

C:\Windows\System\garHjPg.exe

C:\Windows\System\CtaXGKo.exe

C:\Windows\System\CtaXGKo.exe

C:\Windows\System\hnyOhwM.exe

C:\Windows\System\hnyOhwM.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

C:\Windows\system\ASvRXOq.exe

MD5 7c83f353d6dc5058ca5ddae197b470f9
SHA1 e362d2f3f21deabbf3a2206cb2d08145a9ef0908
SHA256 e5f4c4d7a7c8096bbdbc727c1b2828264b78ced1ddf0d138961f6d8deae926f5
SHA512 6778a27113b8090b6211c7a32d17ace17fbd85adf4ca6cd21f84870740050e27f1cd7e6bf59934727054dfba6a0e2b130bddace2b61fcb5d29b31be4bfe5f36c

C:\Windows\system\EhUYiGb.exe

MD5 ae69e6aa8225c49404439e691027c83d
SHA1 4f6bd4fccc6aaedcfa7817c16caac94f30322976
SHA256 7d7e861fbb6e39dab5e81187228fe8bb9e757c052f195bb1bf33276b9defda37
SHA512 f95a555564d37db7eafb71815882fa474e95ec154092a76e618428d14beda37f26f61ca623e64d38b553d0c6cca7fe369e4eb544d41bd1272c59532ba9373e99

\Windows\system\PtQZTzm.exe

MD5 50b70111e3dbe93d51a2416346b5e21a
SHA1 14733ab9b1ca2ac9cde946b23ced833d96c48b3c
SHA256 f941c35e7ffb960c95783f38f7366c3943c90397b95a5ab79c56425eec37712b
SHA512 bd04cfa61ad1e98d9e6e1b4fda4ebde8dbb297c8d1bf605dbd0d38e3f0ebe98592caa93f3c15cb988e0734d6bbc4d38feb343ee86b4d9138ac4579af769c6392

C:\Windows\system\ukNtExt.exe

MD5 2f7787620b9f92d80e4e2d7666f8ee8c
SHA1 add5f2427b10b823e04c4bfdfaef2058e40deffb
SHA256 9a42abf7afc2ed18b797fab03e50c3bcee4afdd10b4f2704f7b9e0cca1ffed66
SHA512 92ab0043b6f49895bda68a7cd2461fe59e18065f443b7d28e72d3fb9d7dc7bc846482c0b61b4086e363164f42e914154c31be9343ec9b03208cdbe7c559a5391

C:\Windows\system\olIanOK.exe

MD5 2cb5a8e79f1dca0403b47c884f58a7f9
SHA1 9d7937e461eddbf19d9342d85f025c01a36cb042
SHA256 3c363f36cfbe60fadce8b2aba6795925c0e81c114b5fb7ffb7ef80add356d2af
SHA512 68969ddedb67420c323c23b849f5a8555db5c63638d64ef359ed89d9df2853746361a6c5a5dde1f1ce6b7eed78596faf2e4a996b5d78ac49afcbaa33d327cebe

C:\Windows\system\JfKcxEW.exe

MD5 93ca485934cbc377bbd92ec2654623bb
SHA1 475bc6d013d367c3eb1ebb433b79f8a76b5106bd
SHA256 f82a770dea355660e9d08ff45de4929673da45760270565ca5ac7aaff24507cb
SHA512 b1b3f02a810959865312fac706e305df1552933d0202e1e486925507d2754540f936a211166df4c96a1a3431658c062373545f93ff678597ef0c909a670641c1

C:\Windows\system\yrHxEXD.exe

MD5 6f07594b617371f3c99c6aa9a7eeb9bf
SHA1 6b6821936856d719cc3b3710f818f6ebff149812
SHA256 751e6d7985c1e120356f0beb3075bd297e41305bf040e46f9211110a116b7275
SHA512 5fe8bc1a7f0c59cda145b0cc6786f490e3dfdc16087fac6714d87fa279a6bfcacfb267b7cc25913ffe231ee0c712cb35f3b5889bc718705639a6b975e1776008

C:\Windows\system\cmERpLK.exe

MD5 c0ca1cb139a08d15bbae934e8e725735
SHA1 ba62cfaa25621ae2c5cee34172cd722b695d30b1
SHA256 eb4689c6ac6fce946308d9b6a3f48d79c6600dc111da578c2a2b124ca23fed99
SHA512 008b2f6f9dd668202610e92e8aa2af68ecf1d340bb27ec13dc9765e45cd1f54f55ba11fd26fd747d8bf85dbafd0fb3feff819c56c8b9430e3b9c5f341af7d909

\Windows\system\RVfEpwi.exe

MD5 657f677173fa13dd31f89eee55db4753
SHA1 fc99fd7cb52d69675f3d659b4bdc1ccbb873087a
SHA256 948b76066a31d3b2ae077a667dbc292fb99e5309c6622e4cda3888deaaf89dd3
SHA512 b647b8ef39a1ea165cfb00e6f9fb7e1f2ee9ea32accde697981a0247be6ce003dacec9c2ca41d006bbc0240c89f0d9e5b9ce1cbc7f09a27c793cb74d324fbda0

C:\Windows\system\wegBSYA.exe

MD5 29a658535231f3d16a4b0c88de809d50
SHA1 7ef6db8ec6ce0368c174f6821554709eb6334e64
SHA256 d369992c76f9742aa4ee432561b83297a998a46e1c2045187f625ac8066bd300
SHA512 99b3e64b23e374508c1bc85018796701762b2241aa96ce123c935fd760c42f24b26d59be2c8a60a5bafae8e0c38d1e542eaa9f37b994853d10f69ad6bb530fbd

C:\Windows\system\mtrflqS.exe

MD5 4b68e6f3144dba8b8498a107b8ed37e9
SHA1 62f61955d691e7eb4199fb3468f1799a6646bb76
SHA256 298d21c2aaf8afdafe5225ec7b2ddb5288be0c1ce5cdf41c2e42aa546cfdd4a2
SHA512 66087a61b36d2b6b9c51fa9749037fcadb917867ea01830560984f2453442fef83833f1c7a48f40439e9626e7899e06b22f3b489dd7c1b51b9d7243e8666c4a7

C:\Windows\system\ddEVjBV.exe

MD5 734b98f4d4998854eb433f8a24c6e1b0
SHA1 d4cbad53cd4dd966665597461080de0e36010af4
SHA256 f46d7734af46456ae89f3d3a22f1b4bb2cc260134984e8edfe01453c0867fb61
SHA512 0083a58495f94b63fe6456f0cf7c9187ddcbf12022fbe723f3952d4b74f2c308d5c50139c5b5206767fb869eaeb05dfe46b5504abf277e404679c0ef8b6dd931

C:\Windows\system\hnyOhwM.exe

MD5 569419634d0be927c0cfb8b80fcf5cb3
SHA1 dfbe0b2858d4aedff9d49fe54f75b25d69dac5f7
SHA256 d97c199b5b1e0228f60226666cd75fbc8ca4245247c14c23f9ade9ab3c7b8544
SHA512 6b8473f18585928aef31e177a88df20effecab7b2596a2498fc1f6ece87e852903c1c2444d9d6f4a7e973087b527ceab70b6c6aef52abae599720d0b38caa86b

C:\Windows\system\CtaXGKo.exe

MD5 52ad15e1e582efcc301a18a922f4119b
SHA1 d20229daffca6c56a9b977ba037afc71075fa6c0
SHA256 cf6ee595cef2fc141df9c127ee56b6fbe5d2d74cdfab44d721d19699773dda2c
SHA512 2ba7bf9bcfcf0aaef698cdddcf0edff360bd724b96235db73c30eeb4cc02ebc970132215f80f28e891e7c772d707a224368187c43ab0eedc7076fc812b95148e

C:\Windows\system\garHjPg.exe

MD5 c5bb27618f206066ce0061259a68ad23
SHA1 bd03e9c41747688c726105e1fd8f31fc0e361bcd
SHA256 98cf7ec8b457cc4388406fbe174f2cf3392d15566bdca33d83a53b4680b8aed1
SHA512 8d48653beed9b16aac0cbc4dbdb15af2a2b055632031fcc9c43e87e506b265dc8dc8803bd60ecd3f04f3148a7c57b475ac41e4ac572a79aa92ca407510758eee

C:\Windows\system\PZqwSKC.exe

MD5 a72f851113baac2b17a2364dcddd3fc6
SHA1 07e693ee433466b5ea4fe23c3f1f10a691cbd35b
SHA256 30022aeb2839ccb3422204ce06acc337a5155a97f55031116c78a40a46818951
SHA512 592e06c267dac3f585e32453b6f70807c74b21821cba07f511e1dd8de9409960cfcd2d764e043021894f14d74b37d3836e87b1bc4f34dd7a284ff3b03319f4a5

C:\Windows\system\utVCfwk.exe

MD5 7b5d27a6e78f149d973b6bf2fb59fb63
SHA1 2a4e3c72ac223e651b0cce47dac6ac52c4a9673e
SHA256 d10b92570141431b66d8a7880c874e69578f9362a8c0ba5d78605ea7cc296ab9
SHA512 875d1cc0c28b35945f69e88e6a63d15819609155f2b3a99810bf059ce5cf3a0e89f198d0141282fdedc5a3b61d8b1c8797bd91ac8ed469f3e2366ab610f619a6

C:\Windows\system\IENcHmi.exe

MD5 7a6025f2e07abd5c1882cb4230576d27
SHA1 ef59ce8576611562a3af74a0474c956fbf82f202
SHA256 f593f9ab5ad44c57cefde3810afbd376804c8e7cf981b57cba0595b5d57c1d27
SHA512 cf24b70636e279c88569d9b8dc3b93ba06bc472b3931a0ed1a695cfabe78e090201d01fe5ca5f721b8c4b6f6943a43142ff5fc936a2e62c881339fc95858b688

C:\Windows\system\jlQPmhF.exe

MD5 1cf70adec0dbf8f532de4ca496e7eaa5
SHA1 b15f28382dbbc1e93738505b46576e4c86dec30b
SHA256 d839ec372cf53208bc0a06af07cd318bd9b246c6cc9570d527d15aa0c8e8129a
SHA512 551bf6211e9c2899c41c51fa9daa8dfe21a8b4bf293e03451ef664963c93f52ba6d4d4afda1f71b7882096fe6c6bac176f92f72be493363d20b9a8b2005f34e6

C:\Windows\system\VsyWXoJ.exe

MD5 3787967d1659281201d717f9b89c193b
SHA1 dfa2fbc728ad81cb79fe49dbb705b157f4dcb399
SHA256 5ef97ebd77d883f2a1a26327d2fd617b74dd664746c1ef4ee10e0f27f1e7b401
SHA512 edc52f57e3455486a1de3284b7f780cd18a5fa3ff54380bb34e1528946f3a95834e8b216991384994f16c8939a617a77c0e10181aa53af712dc773be7e9a5656

C:\Windows\system\GkcZDwI.exe

MD5 1cfdeaf77c5e6a0a577ecdeda629914e
SHA1 61a7b08e6158348a04e78c285173c705468b24c2
SHA256 43150abccf42a17fa5835d110df78087b406e471d54e0a4c1fcb48c60bff0d94
SHA512 664e54d8df9cb820c118cbd0707b8e3e4227c088f8ff660c848cef396da2da0305c82d9e816e2127f19f4ab8ad407f07d71c3260efd8e4b77299b1b43e96f354

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 12:06

Reported

2024-08-06 12:08

Platform

win10v2004-20240802-en

Max time kernel

137s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\utVCfwk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mtrflqS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EhUYiGb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ukNtExt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yrHxEXD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cmERpLK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VsyWXoJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ASvRXOq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GkcZDwI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RVfEpwi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ddEVjBV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hnyOhwM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CtaXGKo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\olIanOK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jlQPmhF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IENcHmi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wegBSYA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PZqwSKC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PtQZTzm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JfKcxEW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\garHjPg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2076 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ASvRXOq.exe
PID 2076 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ASvRXOq.exe
PID 2076 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EhUYiGb.exe
PID 2076 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EhUYiGb.exe
PID 2076 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PtQZTzm.exe
PID 2076 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PtQZTzm.exe
PID 2076 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ukNtExt.exe
PID 2076 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ukNtExt.exe
PID 2076 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\olIanOK.exe
PID 2076 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\olIanOK.exe
PID 2076 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JfKcxEW.exe
PID 2076 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JfKcxEW.exe
PID 2076 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yrHxEXD.exe
PID 2076 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yrHxEXD.exe
PID 2076 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GkcZDwI.exe
PID 2076 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GkcZDwI.exe
PID 2076 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cmERpLK.exe
PID 2076 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cmERpLK.exe
PID 2076 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VsyWXoJ.exe
PID 2076 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VsyWXoJ.exe
PID 2076 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jlQPmhF.exe
PID 2076 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jlQPmhF.exe
PID 2076 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RVfEpwi.exe
PID 2076 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RVfEpwi.exe
PID 2076 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IENcHmi.exe
PID 2076 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IENcHmi.exe
PID 2076 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wegBSYA.exe
PID 2076 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wegBSYA.exe
PID 2076 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\utVCfwk.exe
PID 2076 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\utVCfwk.exe
PID 2076 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mtrflqS.exe
PID 2076 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mtrflqS.exe
PID 2076 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PZqwSKC.exe
PID 2076 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PZqwSKC.exe
PID 2076 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ddEVjBV.exe
PID 2076 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ddEVjBV.exe
PID 2076 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\garHjPg.exe
PID 2076 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\garHjPg.exe
PID 2076 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CtaXGKo.exe
PID 2076 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CtaXGKo.exe
PID 2076 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hnyOhwM.exe
PID 2076 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hnyOhwM.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\ASvRXOq.exe

C:\Windows\System\ASvRXOq.exe

C:\Windows\System\EhUYiGb.exe

C:\Windows\System\EhUYiGb.exe

C:\Windows\System\PtQZTzm.exe

C:\Windows\System\PtQZTzm.exe

C:\Windows\System\ukNtExt.exe

C:\Windows\System\ukNtExt.exe

C:\Windows\System\olIanOK.exe

C:\Windows\System\olIanOK.exe

C:\Windows\System\JfKcxEW.exe

C:\Windows\System\JfKcxEW.exe

C:\Windows\System\yrHxEXD.exe

C:\Windows\System\yrHxEXD.exe

C:\Windows\System\GkcZDwI.exe

C:\Windows\System\GkcZDwI.exe

C:\Windows\System\cmERpLK.exe

C:\Windows\System\cmERpLK.exe

C:\Windows\System\VsyWXoJ.exe

C:\Windows\System\VsyWXoJ.exe

C:\Windows\System\jlQPmhF.exe

C:\Windows\System\jlQPmhF.exe

C:\Windows\System\RVfEpwi.exe

C:\Windows\System\RVfEpwi.exe

C:\Windows\System\IENcHmi.exe

C:\Windows\System\IENcHmi.exe

C:\Windows\System\wegBSYA.exe

C:\Windows\System\wegBSYA.exe

C:\Windows\System\utVCfwk.exe

C:\Windows\System\utVCfwk.exe

C:\Windows\System\mtrflqS.exe

C:\Windows\System\mtrflqS.exe

C:\Windows\System\PZqwSKC.exe

C:\Windows\System\PZqwSKC.exe

C:\Windows\System\ddEVjBV.exe

C:\Windows\System\ddEVjBV.exe

C:\Windows\System\garHjPg.exe

C:\Windows\System\garHjPg.exe

C:\Windows\System\CtaXGKo.exe

C:\Windows\System\CtaXGKo.exe

C:\Windows\System\hnyOhwM.exe

C:\Windows\System\hnyOhwM.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 37.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\ASvRXOq.exe

MD5 7c83f353d6dc5058ca5ddae197b470f9
SHA1 e362d2f3f21deabbf3a2206cb2d08145a9ef0908
SHA256 e5f4c4d7a7c8096bbdbc727c1b2828264b78ced1ddf0d138961f6d8deae926f5
SHA512 6778a27113b8090b6211c7a32d17ace17fbd85adf4ca6cd21f84870740050e27f1cd7e6bf59934727054dfba6a0e2b130bddace2b61fcb5d29b31be4bfe5f36c

C:\Windows\System\PtQZTzm.exe

MD5 50b70111e3dbe93d51a2416346b5e21a
SHA1 14733ab9b1ca2ac9cde946b23ced833d96c48b3c
SHA256 f941c35e7ffb960c95783f38f7366c3943c90397b95a5ab79c56425eec37712b
SHA512 bd04cfa61ad1e98d9e6e1b4fda4ebde8dbb297c8d1bf605dbd0d38e3f0ebe98592caa93f3c15cb988e0734d6bbc4d38feb343ee86b4d9138ac4579af769c6392

C:\Windows\System\EhUYiGb.exe

MD5 ae69e6aa8225c49404439e691027c83d
SHA1 4f6bd4fccc6aaedcfa7817c16caac94f30322976
SHA256 7d7e861fbb6e39dab5e81187228fe8bb9e757c052f195bb1bf33276b9defda37
SHA512 f95a555564d37db7eafb71815882fa474e95ec154092a76e618428d14beda37f26f61ca623e64d38b553d0c6cca7fe369e4eb544d41bd1272c59532ba9373e99

C:\Windows\System\ukNtExt.exe

MD5 2f7787620b9f92d80e4e2d7666f8ee8c
SHA1 add5f2427b10b823e04c4bfdfaef2058e40deffb
SHA256 9a42abf7afc2ed18b797fab03e50c3bcee4afdd10b4f2704f7b9e0cca1ffed66
SHA512 92ab0043b6f49895bda68a7cd2461fe59e18065f443b7d28e72d3fb9d7dc7bc846482c0b61b4086e363164f42e914154c31be9343ec9b03208cdbe7c559a5391

C:\Windows\System\olIanOK.exe

MD5 2cb5a8e79f1dca0403b47c884f58a7f9
SHA1 9d7937e461eddbf19d9342d85f025c01a36cb042
SHA256 3c363f36cfbe60fadce8b2aba6795925c0e81c114b5fb7ffb7ef80add356d2af
SHA512 68969ddedb67420c323c23b849f5a8555db5c63638d64ef359ed89d9df2853746361a6c5a5dde1f1ce6b7eed78596faf2e4a996b5d78ac49afcbaa33d327cebe

C:\Windows\System\JfKcxEW.exe

MD5 93ca485934cbc377bbd92ec2654623bb
SHA1 475bc6d013d367c3eb1ebb433b79f8a76b5106bd
SHA256 f82a770dea355660e9d08ff45de4929673da45760270565ca5ac7aaff24507cb
SHA512 b1b3f02a810959865312fac706e305df1552933d0202e1e486925507d2754540f936a211166df4c96a1a3431658c062373545f93ff678597ef0c909a670641c1

C:\Windows\System\yrHxEXD.exe

MD5 6f07594b617371f3c99c6aa9a7eeb9bf
SHA1 6b6821936856d719cc3b3710f818f6ebff149812
SHA256 751e6d7985c1e120356f0beb3075bd297e41305bf040e46f9211110a116b7275
SHA512 5fe8bc1a7f0c59cda145b0cc6786f490e3dfdc16087fac6714d87fa279a6bfcacfb267b7cc25913ffe231ee0c712cb35f3b5889bc718705639a6b975e1776008

C:\Windows\System\cmERpLK.exe

MD5 c0ca1cb139a08d15bbae934e8e725735
SHA1 ba62cfaa25621ae2c5cee34172cd722b695d30b1
SHA256 eb4689c6ac6fce946308d9b6a3f48d79c6600dc111da578c2a2b124ca23fed99
SHA512 008b2f6f9dd668202610e92e8aa2af68ecf1d340bb27ec13dc9765e45cd1f54f55ba11fd26fd747d8bf85dbafd0fb3feff819c56c8b9430e3b9c5f341af7d909

C:\Windows\System\RVfEpwi.exe

MD5 657f677173fa13dd31f89eee55db4753
SHA1 fc99fd7cb52d69675f3d659b4bdc1ccbb873087a
SHA256 948b76066a31d3b2ae077a667dbc292fb99e5309c6622e4cda3888deaaf89dd3
SHA512 b647b8ef39a1ea165cfb00e6f9fb7e1f2ee9ea32accde697981a0247be6ce003dacec9c2ca41d006bbc0240c89f0d9e5b9ce1cbc7f09a27c793cb74d324fbda0

C:\Windows\System\IENcHmi.exe

MD5 7a6025f2e07abd5c1882cb4230576d27
SHA1 ef59ce8576611562a3af74a0474c956fbf82f202
SHA256 f593f9ab5ad44c57cefde3810afbd376804c8e7cf981b57cba0595b5d57c1d27
SHA512 cf24b70636e279c88569d9b8dc3b93ba06bc472b3931a0ed1a695cfabe78e090201d01fe5ca5f721b8c4b6f6943a43142ff5fc936a2e62c881339fc95858b688

C:\Windows\System\VsyWXoJ.exe

MD5 3787967d1659281201d717f9b89c193b
SHA1 dfa2fbc728ad81cb79fe49dbb705b157f4dcb399
SHA256 5ef97ebd77d883f2a1a26327d2fd617b74dd664746c1ef4ee10e0f27f1e7b401
SHA512 edc52f57e3455486a1de3284b7f780cd18a5fa3ff54380bb34e1528946f3a95834e8b216991384994f16c8939a617a77c0e10181aa53af712dc773be7e9a5656

C:\Windows\System\jlQPmhF.exe

MD5 1cf70adec0dbf8f532de4ca496e7eaa5
SHA1 b15f28382dbbc1e93738505b46576e4c86dec30b
SHA256 d839ec372cf53208bc0a06af07cd318bd9b246c6cc9570d527d15aa0c8e8129a
SHA512 551bf6211e9c2899c41c51fa9daa8dfe21a8b4bf293e03451ef664963c93f52ba6d4d4afda1f71b7882096fe6c6bac176f92f72be493363d20b9a8b2005f34e6

C:\Windows\System\GkcZDwI.exe

MD5 1cfdeaf77c5e6a0a577ecdeda629914e
SHA1 61a7b08e6158348a04e78c285173c705468b24c2
SHA256 43150abccf42a17fa5835d110df78087b406e471d54e0a4c1fcb48c60bff0d94
SHA512 664e54d8df9cb820c118cbd0707b8e3e4227c088f8ff660c848cef396da2da0305c82d9e816e2127f19f4ab8ad407f07d71c3260efd8e4b77299b1b43e96f354

C:\Windows\System\wegBSYA.exe

MD5 29a658535231f3d16a4b0c88de809d50
SHA1 7ef6db8ec6ce0368c174f6821554709eb6334e64
SHA256 d369992c76f9742aa4ee432561b83297a998a46e1c2045187f625ac8066bd300
SHA512 99b3e64b23e374508c1bc85018796701762b2241aa96ce123c935fd760c42f24b26d59be2c8a60a5bafae8e0c38d1e542eaa9f37b994853d10f69ad6bb530fbd

C:\Windows\System\utVCfwk.exe

MD5 7b5d27a6e78f149d973b6bf2fb59fb63
SHA1 2a4e3c72ac223e651b0cce47dac6ac52c4a9673e
SHA256 d10b92570141431b66d8a7880c874e69578f9362a8c0ba5d78605ea7cc296ab9
SHA512 875d1cc0c28b35945f69e88e6a63d15819609155f2b3a99810bf059ce5cf3a0e89f198d0141282fdedc5a3b61d8b1c8797bd91ac8ed469f3e2366ab610f619a6

C:\Windows\System\mtrflqS.exe

MD5 4b68e6f3144dba8b8498a107b8ed37e9
SHA1 62f61955d691e7eb4199fb3468f1799a6646bb76
SHA256 298d21c2aaf8afdafe5225ec7b2ddb5288be0c1ce5cdf41c2e42aa546cfdd4a2
SHA512 66087a61b36d2b6b9c51fa9749037fcadb917867ea01830560984f2453442fef83833f1c7a48f40439e9626e7899e06b22f3b489dd7c1b51b9d7243e8666c4a7

C:\Windows\System\ddEVjBV.exe

MD5 734b98f4d4998854eb433f8a24c6e1b0
SHA1 d4cbad53cd4dd966665597461080de0e36010af4
SHA256 f46d7734af46456ae89f3d3a22f1b4bb2cc260134984e8edfe01453c0867fb61
SHA512 0083a58495f94b63fe6456f0cf7c9187ddcbf12022fbe723f3952d4b74f2c308d5c50139c5b5206767fb869eaeb05dfe46b5504abf277e404679c0ef8b6dd931

C:\Windows\System\CtaXGKo.exe

MD5 52ad15e1e582efcc301a18a922f4119b
SHA1 d20229daffca6c56a9b977ba037afc71075fa6c0
SHA256 cf6ee595cef2fc141df9c127ee56b6fbe5d2d74cdfab44d721d19699773dda2c
SHA512 2ba7bf9bcfcf0aaef698cdddcf0edff360bd724b96235db73c30eeb4cc02ebc970132215f80f28e891e7c772d707a224368187c43ab0eedc7076fc812b95148e

C:\Windows\System\hnyOhwM.exe

MD5 569419634d0be927c0cfb8b80fcf5cb3
SHA1 dfbe0b2858d4aedff9d49fe54f75b25d69dac5f7
SHA256 d97c199b5b1e0228f60226666cd75fbc8ca4245247c14c23f9ade9ab3c7b8544
SHA512 6b8473f18585928aef31e177a88df20effecab7b2596a2498fc1f6ece87e852903c1c2444d9d6f4a7e973087b527ceab70b6c6aef52abae599720d0b38caa86b

C:\Windows\System\garHjPg.exe

MD5 c5bb27618f206066ce0061259a68ad23
SHA1 bd03e9c41747688c726105e1fd8f31fc0e361bcd
SHA256 98cf7ec8b457cc4388406fbe174f2cf3392d15566bdca33d83a53b4680b8aed1
SHA512 8d48653beed9b16aac0cbc4dbdb15af2a2b055632031fcc9c43e87e506b265dc8dc8803bd60ecd3f04f3148a7c57b475ac41e4ac572a79aa92ca407510758eee

C:\Windows\System\PZqwSKC.exe

MD5 a72f851113baac2b17a2364dcddd3fc6
SHA1 07e693ee433466b5ea4fe23c3f1f10a691cbd35b
SHA256 30022aeb2839ccb3422204ce06acc337a5155a97f55031116c78a40a46818951
SHA512 592e06c267dac3f585e32453b6f70807c74b21821cba07f511e1dd8de9409960cfcd2d764e043021894f14d74b37d3836e87b1bc4f34dd7a284ff3b03319f4a5
