Malware Analysis Report

2025-01-22 19:22

Sample ID 240806-nj3j3s1hnc
Target 2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat
SHA256 250a1742e24744b9dbb482c3a4d679d4aa507319af6b840077444d29cac88f4e
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

250a1742e24744b9dbb482c3a4d679d4aa507319af6b840077444d29cac88f4e

Threat Level: Known bad

The file 2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobalt Strike reflective loader

Cobaltstrike family

Cobaltstrike

XMRig Miner payload

xmrig

Xmrig family

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 11:26

Signatures

Cobalt Strike reflective loader

No indicator details recorded (empty table).

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
No indicator details recorded (empty table).

Xmrig family

xmrig

UPX packed file

upx
No indicator details recorded (empty table).

Unsigned PE

No indicator details recorded (empty table).

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 11:26

Reported

2024-08-06 11:29

Platform

win7-20240705-en

Max time kernel

142s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

No indicator details recorded (21 empty rows in the original table).

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
No indicator details recorded (35 empty rows in the original table).

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A (this row was recorded 21 times; only the loading process is logged, no DLL path)

UPX packed file

upx
No indicator details recorded (60 empty rows in the original table).

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\eqXGkou.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tlUCRAw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fScpPUL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SNnwgRb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dQToXbj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VGgpyQI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cNKuwjU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iyGzXnm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ssvRGYf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dngWqHB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vycKdpC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zkQlXFT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jTKKTQV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pZufMnU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lUBxmlJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JTvgmQU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BMCBPPB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\igRyAoJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yyjWhBX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fOkuxeS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gxAVuKG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Each child below was written to three times by the parent (PID 3056); the three identical rows per child are shown once with the count.
PID 3056 wrote to memory of 2524 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SNnwgRb.exe
PID 3056 wrote to memory of 308 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dQToXbj.exe
PID 3056 wrote to memory of 2876 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VGgpyQI.exe
PID 3056 wrote to memory of 1496 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cNKuwjU.exe
PID 3056 wrote to memory of 2948 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yyjWhBX.exe
PID 3056 wrote to memory of 2808 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pZufMnU.exe
PID 3056 wrote to memory of 2960 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lUBxmlJ.exe
PID 3056 wrote to memory of 2160 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iyGzXnm.exe
PID 3056 wrote to memory of 2864 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JTvgmQU.exe
PID 3056 wrote to memory of 2144 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BMCBPPB.exe
PID 3056 wrote to memory of 2884 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ssvRGYf.exe
PID 3056 wrote to memory of 1592 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fOkuxeS.exe
PID 3056 wrote to memory of 2756 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dngWqHB.exe
PID 3056 wrote to memory of 2772 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eqXGkou.exe
PID 3056 wrote to memory of 3064 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tlUCRAw.exe
PID 3056 wrote to memory of 3028 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\igRyAoJ.exe
PID 3056 wrote to memory of 1944 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vycKdpC.exe
PID 3056 wrote to memory of 856 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fScpPUL.exe
PID 3056 wrote to memory of 2576 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zkQlXFT.exe
PID 3056 wrote to memory of 1948 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jTKKTQV.exe
PID 3056 wrote to memory of 2320 (x3) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gxAVuKG.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\SNnwgRb.exe

C:\Windows\System\SNnwgRb.exe

C:\Windows\System\dQToXbj.exe

C:\Windows\System\dQToXbj.exe

C:\Windows\System\VGgpyQI.exe

C:\Windows\System\VGgpyQI.exe

C:\Windows\System\cNKuwjU.exe

C:\Windows\System\cNKuwjU.exe

C:\Windows\System\yyjWhBX.exe

C:\Windows\System\yyjWhBX.exe

C:\Windows\System\pZufMnU.exe

C:\Windows\System\pZufMnU.exe

C:\Windows\System\lUBxmlJ.exe

C:\Windows\System\lUBxmlJ.exe

C:\Windows\System\iyGzXnm.exe

C:\Windows\System\iyGzXnm.exe

C:\Windows\System\JTvgmQU.exe

C:\Windows\System\JTvgmQU.exe

C:\Windows\System\BMCBPPB.exe

C:\Windows\System\BMCBPPB.exe

C:\Windows\System\ssvRGYf.exe

C:\Windows\System\ssvRGYf.exe

C:\Windows\System\fOkuxeS.exe

C:\Windows\System\fOkuxeS.exe

C:\Windows\System\dngWqHB.exe

C:\Windows\System\dngWqHB.exe

C:\Windows\System\eqXGkou.exe

C:\Windows\System\eqXGkou.exe

C:\Windows\System\tlUCRAw.exe

C:\Windows\System\tlUCRAw.exe

C:\Windows\System\igRyAoJ.exe

C:\Windows\System\igRyAoJ.exe

C:\Windows\System\vycKdpC.exe

C:\Windows\System\vycKdpC.exe

C:\Windows\System\fScpPUL.exe

C:\Windows\System\fScpPUL.exe

C:\Windows\System\zkQlXFT.exe

C:\Windows\System\zkQlXFT.exe

C:\Windows\System\jTKKTQV.exe

C:\Windows\System\jTKKTQV.exe

C:\Windows\System\gxAVuKG.exe

C:\Windows\System\gxAVuKG.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp (6 identical connections recorded, no domain)

Files

memory/3056-0-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

memory/3056-1-0x0000000000300000-0x0000000000310000-memory.dmp

C:\Windows\system\SNnwgRb.exe

MD5 080554788b196ca902850dd9f8ce5e77
SHA1 50f594765122370b031fa217d7ff71c1f179d785
SHA256 b17b8397980b98a0387789a0d72a9e5491deb31b84ab92cb6f2ce8a637813242
SHA512 6c8f274ac6953ee6d92ad04961a9f35246fa064d75766941ead7c4909e0f094291e5827a10f0f054299f7bad5da32333dbc0689a455ef4ba9537736063de6886

memory/2524-8-0x000000013F700000-0x000000013FA51000-memory.dmp

C:\Windows\system\dQToXbj.exe

MD5 4f0bc2118d7ea94fcff182c8aa675b58
SHA1 4c2c8074ae019aafd0454e0cbcf02c401b8a480a
SHA256 9d3023de29bf585e4634e6072b8b4db212e50ccefa478ab97bc5b795d589e8b5
SHA512 a9169d368663373d2087c9752919dedf39fae8c96f1c73024530fd6508189388f70e4200154b726aff8d960678fde87b722a1e51859651c08f9bce9be9c43155

memory/308-14-0x000000013FC40000-0x000000013FF91000-memory.dmp

memory/3056-13-0x0000000002170000-0x00000000024C1000-memory.dmp

C:\Windows\system\VGgpyQI.exe

MD5 4f307baabd41761aa554bb9772b9c2b3
SHA1 e6d4b5912ad5d88453693230fcd8edfe47acceaa
SHA256 1ffceecfca95e2dd2374b8fbd2f9cb91dd4215ffc3ed39bb983bca10e4322a60
SHA512 9222de1fd58d75187fac52678237657619fc539e5da2d516f38f3a7c25e1f77997ecaa5f2695d4674c1ce7a6a7755b48d2b9896e438810a5f85389db559e708e

memory/3056-112-0x000000013FFF0000-0x0000000140341000-memory.dmp

C:\Windows\system\igRyAoJ.exe

MD5 df942960bfdf71276b4991cc4039ba2e
SHA1 577c4b4cfe5fd5217fd0c223a44df9ade6501f13
SHA256 00a685e18f176c1d78960e777f7bdd64c7cc568e85eab38218a78e063fde3dfd
SHA512 5ceff327aa1e5c234da8af1ba88d91e75720e13a20acdbaf419b66d765aca18ce010382c2bb219cd50801993fdc82b90615558c1849e89ce90e4f07072c522ff

memory/3064-98-0x000000013F690000-0x000000013F9E1000-memory.dmp

\Windows\system\jTKKTQV.exe

MD5 602103058cf28250aa0bfe9cbac21eb6
SHA1 7b1752dbd0cbaf756557d2ada70d3f9dcfc0acab
SHA256 5c5bafb73466d432b43237a84f6949c824210db855522a78d717b6a3bed13c6f
SHA512 fa6fde1fb1a4cf808bd641e44ee870d90056e4b2f89764c477ca4461fb95e59735897493c264219206175ed05f6a81bcaa361943c13e32b0f47836bfb042a845

C:\Windows\system\vycKdpC.exe

MD5 e06e5835ae6b2dd081b585664221a290
SHA1 d729b54eb484fe64d7b71941e6d547db3460f617
SHA256 536a2c979042570f26c668fe0d0492c2ad1fb041d9127ae6e1b5110fd8ca081a
SHA512 ac5688100f0b3ec97de6cc401a3ef67f7a1a72c4355db15f3ddd5ccd2e3b915e6f2e8e4630bd7f74212678eb31210e1d1be750481607035e34a405f1dbe88968

C:\Windows\system\tlUCRAw.exe

MD5 438592b4c446c3c253b97b2a7e718cd3
SHA1 a87512454e9078519c217558dc626a0e9c7841fc
SHA256 2fcb431cf2077529a352ee6c12fae94096190a49d3a20053129bcf09d95ab55c
SHA512 55d44f704ac278de65705413a16bd22b725be53cf164603d66dfbb66faf9a07c591d53ed00b786be7deec01d3b512871cfa835dc721f16a0788b4911beda1127

\Windows\system\fScpPUL.exe

MD5 f482c9128535bb5712982ef6addaf9ce
SHA1 1304e51a944dafe3d0ba3182deac6c15fff31251
SHA256 4d93657c5e1799988576e807f582c9f092eebb1768cf9a7e785d8a587df2f174
SHA512 a45d0bdb8f687a1074f74917d0583c37cf8c355393752a631ae2da2f4b45a6cceb9ef23ad08c2c8b52fa4899b362d6a4ab060444b318d2ec9b810363ca59298f

memory/2864-79-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

memory/3056-72-0x000000013F320000-0x000000013F671000-memory.dmp

memory/3056-71-0x0000000002170000-0x00000000024C1000-memory.dmp

memory/3056-70-0x000000013F2B0000-0x000000013F601000-memory.dmp

C:\Windows\system\dngWqHB.exe

MD5 4f3377628bff0a2c8ca173fb04f9b796
SHA1 1bd959ce22bc7bfe88886b663dafd5980fa5c2a4
SHA256 90e67a35f1459d77c04bebcc06ac1dca598867892dbe3370fface65f349e97a6
SHA512 06d937883e2f513f2d4db1ed09ce657052166291efd298a5ac4b530c820be1ae39bfac742e04e54311597867b8efbdb18b37d4db54d91ea30d083ee243b6a329

C:\Windows\system\ssvRGYf.exe

MD5 1929b6547aee47533af69f2d7a1ff3a5
SHA1 83e0122d6644c89d65443896a1023cb5b9978747
SHA256 a81fa0074048f7814dc7fd1e8273c8e7d5f781ce1e90e06645fa7ffbeca80aa5
SHA512 029a65dfeade96fb088c3797f617141775fba635ff68788c386a73b0e6ea39df47470aa2e80c9f6dd52ac307a07fbb16e18aca1ee7b8f54b28c3b6134f31d0d5

C:\Windows\system\JTvgmQU.exe

MD5 5974023ea5aed022df75fdab5f077151
SHA1 b02c140b5ccb3efa24bd4f14ca5d2685dd40fbb5
SHA256 c6032087d6216956348748741d9e0eefe51f689694e736cf45b6d907608337b1
SHA512 1f64f62e90cf0153647e35c8b356f1b068dcf071a7ea6eab0c1614e8c0c19c9045a3fdb28d6fc1ba03681f745ba14ddf4f9cd729ffdf2dd3664fcddc316085f2

C:\Windows\system\lUBxmlJ.exe

MD5 d3efa1f6870a66542c2276d0ee6a2b82
SHA1 9c260ceb986ecdd24a657a1f15aa8b3a65ddd583
SHA256 bf552c53149918b11483f43c003a637d753a878b2ce51ec065f5295a89e02679
SHA512 088f7019ae89ec9ad8e8d48b0c82bf5f84816c00632d5c57f53077a0eb3f6e379328d7686a547ee925fff575e4c0bca1d005e95ad50699e27223d376193273f9

\Windows\system\eqXGkou.exe

MD5 1c8cfb733d5eb878db6dbb4f2024a41f
SHA1 8c7f69ece54092c6648d9292f71aef6bd2270234
SHA256 78d2b8709d43683220ee92d857815a438a794dabc7f76000e617fed1edc99b32
SHA512 a2d9223a4865245ef23f721a0414c9a61d3970a8292c715c4660ef90cae82473ea661514fdee54d4b8acb2ef8226b51230cc91470c0968d3f2314985abbf70cd

\Windows\system\fOkuxeS.exe

MD5 fd557cfb97248ad9fbdc8b2dd39a1a61
SHA1 f711818bacba9da2a49c3bba5153144fe2371e1d
SHA256 6d197c7e1667a546b795f095c95a70b32480b0b6607edcffe19e6dacf4edc323
SHA512 247168c4941c622536e59e08b91ab8ee8a4f0e1c2fdae3fb27468b9023015b9f943b630c79db9205d4aee493d593756fc67eab23236cad3428ae1d07ace189e8

\Windows\system\BMCBPPB.exe

MD5 69da40ac5de323ba3969ad726911cd17
SHA1 d8cd0921e0b62ae625aee9a7cded347785fada27
SHA256 52c925806b62713f5ba8b5d2bb924c7628de5edfa261f7b9d8e180cc2d851fd9
SHA512 2858c07ebe086f5755230a8953bc070440b4338665bf6629c1b2b2a791a37dea5b3357728ad0cfdcaab44e9961fc3dd2aabbb49b644aa18008c7c3d44fb3a6a9

\Windows\system\iyGzXnm.exe

MD5 f8273ff2c54939aa677fe0a980bb7f2e
SHA1 53d378d33cd57925e108df2d65696bf5b61db9c1
SHA256 5107893544369258f3695fea98999d0fcfc7522b9e6cc0568f4646273281f1e1
SHA512 9c02b52215482eba21f694801e695749139555d989fea8db7d84e3fe3a3f792ef2eea851ef8dbf71a12a18fc0110bb7728bd26c8794efeb125ebdcf36287fc5a

memory/3056-33-0x0000000002170000-0x00000000024C1000-memory.dmp

memory/3056-31-0x0000000002170000-0x00000000024C1000-memory.dmp

\Windows\system\pZufMnU.exe

MD5 fab367808ed88074fdf2cd69db128790
SHA1 47557e96ac778388b2328c57e132d07699b88c84
SHA256 a9be96e609218538babc9f7cbf7f70af25f6b700a1bfa5bc2b5679d275d527fe
SHA512 af3c2e7229841c5c59887ff659384ed6a5e38afc025738064cc9f1a0ad95e77aa18eaba5188fb82c4fbd94a5095835408a08f4c6ef505e637b4fa28355bf7606

memory/3056-116-0x000000013F320000-0x000000013F671000-memory.dmp

memory/3056-115-0x000000013F030000-0x000000013F381000-memory.dmp

memory/3056-114-0x0000000002170000-0x00000000024C1000-memory.dmp

memory/3056-113-0x000000013F690000-0x000000013F9E1000-memory.dmp

memory/3056-111-0x000000013FF40000-0x0000000140291000-memory.dmp

C:\Windows\system\cNKuwjU.exe

MD5 b273d0ac61ff8e38331da5a56003d651
SHA1 6c155c9a8ad172df608447918edb741fed0b25ff
SHA256 23bb25f1037bb14b25eb74120f92f032f77271e2d20bc806d23dde2b034d8c60
SHA512 2dc0189c971821bdf2df3063957c78de30480f4bb07c1981daf1abb5f0e5c4ba214c3ee7a83f23ca407040cc376847432fa30f8567a72c79292dd3420b719592

memory/3056-108-0x000000013F640000-0x000000013F991000-memory.dmp

memory/3056-107-0x000000013F360000-0x000000013F6B1000-memory.dmp

C:\Windows\system\gxAVuKG.exe

MD5 a5ede32fe7142faa33ccdc8f5c827045
SHA1 db0a61df4f78baadf3ec31b1f02a3ef1c47846ab
SHA256 41b00556d0b366e099418304a6dbfec86a506f0d67e051a8c0433b2b80d0b0ad
SHA512 b5d9db60ec36061eea0812e18fa265491f452d1655a6239f7fdd37962b644171914ca1ae9e4099c21a55aec1d4b3173e1611237210a23ba6022bae9eeceb6598

C:\Windows\system\zkQlXFT.exe

MD5 a3efec4ccafd32cbda28282ae4fe84a0
SHA1 3c8067e3e725b3bc99628f2a86308ba781cfbfa0
SHA256 167e879cb967198150771b80e2970d4f72e6e873652601ec72d3736bdefc18bf
SHA512 6df11e2ad579e687fbd5323f3a30744be02c2b1b522a3b7ad7e82b166ea498926817667f3ad8f17f179cf3e098ef82ec3ab6eeef3e88731736ba21fef8d0ac2d

memory/3056-103-0x000000013F0C0000-0x000000013F411000-memory.dmp

memory/1944-102-0x000000013F030000-0x000000013F381000-memory.dmp

memory/2756-94-0x000000013F320000-0x000000013F671000-memory.dmp

memory/2884-84-0x000000013FE80000-0x00000001401D1000-memory.dmp

memory/2960-76-0x000000013F360000-0x000000013F6B1000-memory.dmp

memory/2948-51-0x000000013FD10000-0x0000000140061000-memory.dmp

memory/3056-38-0x000000013FFB0000-0x0000000140301000-memory.dmp

C:\Windows\system\yyjWhBX.exe

MD5 3484fece33b0a2490288252e4a060c6d
SHA1 46a3ffa2ce8b9476fac5800b9ad27331f6999e57
SHA256 7e633fb0362e1ff5db75534adba6bab65dc2c5366410755bd7ef5fa1a88a227b
SHA512 104449c8fb654503f4a88350e8a3d6607afc71b3194128f0ba418412e9e1a37a3347d0f913fbeee608bb8838411eddc60b805304f2a1e49fb4ab94724563f791

memory/2876-28-0x000000013FCF0000-0x0000000140041000-memory.dmp

memory/3056-19-0x0000000002170000-0x00000000024C1000-memory.dmp

memory/3056-134-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

memory/2524-135-0x000000013F700000-0x000000013FA51000-memory.dmp

memory/2772-148-0x000000013FFF0000-0x0000000140341000-memory.dmp

memory/1592-146-0x000000013FF40000-0x0000000140291000-memory.dmp

memory/2144-144-0x000000013F2B0000-0x000000013F601000-memory.dmp

memory/2160-142-0x000000013F640000-0x000000013F991000-memory.dmp

memory/2808-140-0x000000013FFB0000-0x0000000140301000-memory.dmp

memory/2948-139-0x000000013FD10000-0x0000000140061000-memory.dmp

memory/1496-138-0x000000013FE40000-0x0000000140191000-memory.dmp

memory/2876-137-0x000000013FCF0000-0x0000000140041000-memory.dmp

memory/308-136-0x000000013FC40000-0x000000013FF91000-memory.dmp

memory/2320-155-0x000000013F5E0000-0x000000013F931000-memory.dmp

memory/1948-154-0x000000013FFA0000-0x00000001402F1000-memory.dmp

memory/856-152-0x000000013F320000-0x000000013F671000-memory.dmp

memory/3028-150-0x000000013FB50000-0x000000013FEA1000-memory.dmp

memory/3064-149-0x000000013F690000-0x000000013F9E1000-memory.dmp

memory/2576-153-0x000000013F0C0000-0x000000013F411000-memory.dmp

memory/3056-156-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

memory/3056-157-0x000000013F2B0000-0x000000013F601000-memory.dmp

memory/2524-202-0x000000013F700000-0x000000013FA51000-memory.dmp

memory/308-204-0x000000013FC40000-0x000000013FF91000-memory.dmp

memory/2876-206-0x000000013FCF0000-0x0000000140041000-memory.dmp

memory/2948-208-0x000000013FD10000-0x0000000140061000-memory.dmp

memory/2864-210-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

memory/2884-233-0x000000013FE80000-0x00000001401D1000-memory.dmp

memory/2756-232-0x000000013F320000-0x000000013F671000-memory.dmp

memory/2960-229-0x000000013F360000-0x000000013F6B1000-memory.dmp

memory/1944-235-0x000000013F030000-0x000000013F381000-memory.dmp

memory/3064-237-0x000000013F690000-0x000000013F9E1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 11:26

Reported

2024-08-06 11:29

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\LDvvTiW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NnTJYTe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kPHpXlQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wyHUQbL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rrYTaUg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nxzZebL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sJFAMPg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kSRyVYk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ryAsBNe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WyHczkU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CNoNQLF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HvclqLJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OMbqtTa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jvEqKMv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rLGKHQM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\foYcdEB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MGhtyLi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yMsoPUa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pHNoZKY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OhgRCaa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BFrDUpP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4924 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WyHczkU.exe
PID 4924 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WyHczkU.exe
PID 4924 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pHNoZKY.exe
PID 4924 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pHNoZKY.exe
PID 4924 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wyHUQbL.exe
PID 4924 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wyHUQbL.exe
PID 4924 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CNoNQLF.exe
PID 4924 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CNoNQLF.exe
PID 4924 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OhgRCaa.exe
PID 4924 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OhgRCaa.exe
PID 4924 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rrYTaUg.exe
PID 4924 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rrYTaUg.exe
PID 4924 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nxzZebL.exe
PID 4924 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nxzZebL.exe
PID 4924 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BFrDUpP.exe
PID 4924 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BFrDUpP.exe
PID 4924 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LDvvTiW.exe
PID 4924 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LDvvTiW.exe
PID 4924 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NnTJYTe.exe
PID 4924 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NnTJYTe.exe
PID 4924 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OMbqtTa.exe
PID 4924 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OMbqtTa.exe
PID 4924 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\foYcdEB.exe
PID 4924 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\foYcdEB.exe
PID 4924 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jvEqKMv.exe
PID 4924 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jvEqKMv.exe
PID 4924 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HvclqLJ.exe
PID 4924 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HvclqLJ.exe
PID 4924 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sJFAMPg.exe
PID 4924 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sJFAMPg.exe
PID 4924 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rLGKHQM.exe
PID 4924 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rLGKHQM.exe
PID 4924 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MGhtyLi.exe
PID 4924 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MGhtyLi.exe
PID 4924 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kPHpXlQ.exe
PID 4924 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kPHpXlQ.exe
PID 4924 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kSRyVYk.exe
PID 4924 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kSRyVYk.exe
PID 4924 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yMsoPUa.exe
PID 4924 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yMsoPUa.exe
PID 4924 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ryAsBNe.exe
PID 4924 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ryAsBNe.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\WyHczkU.exe

C:\Windows\System\WyHczkU.exe

C:\Windows\System\pHNoZKY.exe

C:\Windows\System\pHNoZKY.exe

C:\Windows\System\wyHUQbL.exe

C:\Windows\System\wyHUQbL.exe

C:\Windows\System\CNoNQLF.exe

C:\Windows\System\CNoNQLF.exe

C:\Windows\System\OhgRCaa.exe

C:\Windows\System\OhgRCaa.exe

C:\Windows\System\rrYTaUg.exe

C:\Windows\System\rrYTaUg.exe

C:\Windows\System\nxzZebL.exe

C:\Windows\System\nxzZebL.exe

C:\Windows\System\BFrDUpP.exe

C:\Windows\System\BFrDUpP.exe

C:\Windows\System\LDvvTiW.exe

C:\Windows\System\LDvvTiW.exe

C:\Windows\System\NnTJYTe.exe

C:\Windows\System\NnTJYTe.exe

C:\Windows\System\OMbqtTa.exe

C:\Windows\System\OMbqtTa.exe

C:\Windows\System\foYcdEB.exe

C:\Windows\System\foYcdEB.exe

C:\Windows\System\jvEqKMv.exe

C:\Windows\System\jvEqKMv.exe

C:\Windows\System\HvclqLJ.exe

C:\Windows\System\HvclqLJ.exe

C:\Windows\System\sJFAMPg.exe

C:\Windows\System\sJFAMPg.exe

C:\Windows\System\rLGKHQM.exe

C:\Windows\System\rLGKHQM.exe

C:\Windows\System\MGhtyLi.exe

C:\Windows\System\MGhtyLi.exe

C:\Windows\System\kPHpXlQ.exe

C:\Windows\System\kPHpXlQ.exe

C:\Windows\System\kSRyVYk.exe

C:\Windows\System\kSRyVYk.exe

C:\Windows\System\yMsoPUa.exe

C:\Windows\System\yMsoPUa.exe

C:\Windows\System\ryAsBNe.exe

C:\Windows\System\ryAsBNe.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 3.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

memory/4924-0-0x00007FF698B90000-0x00007FF698EE1000-memory.dmp

memory/4924-1-0x000001C9E3CB0000-0x000001C9E3CC0000-memory.dmp

C:\Windows\System\wyHUQbL.exe

MD5 8935561dba725b19731f1d9ee4d6215e
SHA1 3ec1aaa6ab202c77f2d3df1bbb0bb423b8b61f89
SHA256 b1f2619d498665aa20c3f41d20081969a5bb216491c98f67fe44fbb51559fe10
SHA512 6b83ff20581c4ad9738e970b28a520398c9b92b62b913c3986b01c1763dd7eaf22b14bfa17673d2ecb0575d28b62fce1955b6752f9f7129e884ef9c895ad8411

C:\Windows\System\pHNoZKY.exe

MD5 00eb485ed9af0524672eb0ca740e043c
SHA1 91e5349dfaa527ecaf9df0537608b36fa5ee99a9
SHA256 3e21bab0c2dadece159db45cb515850ca41d15080cae9bbe0a1e606d60e23c33
SHA512 452393978d9ae4a71d7e87d573e04cb3c33534ec2680dd375e792503a6e1b3079cf45f0f413ffac291f37253bd6336037e7e4cbabb21d4657b4c612bd97b3b08

memory/2980-29-0x00007FF62BA90000-0x00007FF62BDE1000-memory.dmp

C:\Windows\System\nxzZebL.exe

MD5 20648eb00f5b1c4b7965ad23d75c5757
SHA1 e09ce8a92056590b6c2b5ef5f1b11ea0d7292fed
SHA256 0ee91aaf5cedf2b9a7762b91cc0a730b8af3f83ba550d36aaa7a8850722fa731
SHA512 65d2f41f5da22872f1df2f40bade60711790df6f10e7fe6552deedd027dde13456eb2f9dedbf56f998a5c8ca556e4143935f72342fa30969b56670b95c3df6b0

C:\Windows\System\BFrDUpP.exe

MD5 369e0c52d2f099f2367c9b9a93c1dc5e
SHA1 5f2f4b3efe5b64b57e247ac6849e0dfe2552ddf1
SHA256 a6f1232222219322f900a2fef90a2613e7ff93fb85f138df65422a203d2c818c
SHA512 a5c13875cbb75d48d8463438cff39ecc085d3d90053ef374f0eb1ae80169f2a71641c6c782b7474cf405b7c37426337774af8b7fd9e9362193792cf6975bcd3c

memory/3024-52-0x00007FF6232A0000-0x00007FF6235F1000-memory.dmp

memory/4428-49-0x00007FF6BBD50000-0x00007FF6BC0A1000-memory.dmp

C:\Windows\System\LDvvTiW.exe

MD5 6f72f7d3b737833cfe3fbc77011e12c2
SHA1 ee591bfcee4947474d7aa54c7c5a5cf5dfa73b70
SHA256 effa77b1b4f6cc08c2508375957afe0de7eb0831d97ecd3f543f1259bc41c0cc
SHA512 c961215d62a7d1c35f18bdc2ee9a9e8da6d9a447b1c40ec6706b88e0f331661da6b9c315d1d34aad6bab710f8fee182e484847c5894296687302f315bffd0694

C:\Windows\System\OMbqtTa.exe

MD5 08fac665b71039afc8efd8f6d8ab2fb1
SHA1 5578ac583362f367568ed9da66e16a791aaa34a7
SHA256 5e046dc6cff850bf0cb42d2945f159a9f0026d46146d67a286a8becd622c2e0f
SHA512 e01eb99598c2a98b6a016e74be8b83ccf14322d14465ce8a8fc37ba17cd639bd2db581b9d3ad5277b340190006dbf7024e6638a0a0d22e44775ce732b3f648af

C:\Windows\System\HvclqLJ.exe

MD5 4fc3ac3ea57ceb6cb9c5ce6f8a19dfb1
SHA1 0a138cc30a83da1d77897190b12b8e34b4dacd85
SHA256 e3235b262a8b40f23a52c1ba8037ca81e8e2ccbf5eea34600a9e36b3d598f7ee
SHA512 3253538f6c698459fc0c86634a70481a73ae0301eff5c6d42c56ee3aa14ba6335b7387ac25f27b962a6b746972bf8818a77d1a4c161c01e74ecb1ee5334bf065

C:\Windows\System\foYcdEB.exe

MD5 73632738d2c4ee4dbc05f5a0734bcf59
SHA1 3e8ff84ee1d81811be169883a188b46f99d821fd
SHA256 380e8fb142107669c690f09f1a8c555b094a91c2b5fdba5150a19657401b035a
SHA512 2bc0ef809667267393339f6523b8418abd24e66e01eeb1a7971400cf977bfc179d471beba3a86dc6d15afd8f8c559a34376ea077c5a93b0b756e914b36c34109

C:\Windows\System\rLGKHQM.exe

MD5 d8d6082f8f2b1d8201791e33cab3baa9
SHA1 e7c527a96c63300b69047273a1d9fea1d4d30a48
SHA256 751d287bd75efbea9c5cb5e1abeefe115646cfc45bdae2b8b2a46874dc641c8b
SHA512 dbaad63c9d138cb4036f3e0787dcdfaf4578d3961ca0e2fe364081da6bb93f2b598a2b957b40775f33b2288f56199f137a4136991bb3e92b2fc6bb7bd0867414

C:\Windows\System\yMsoPUa.exe

MD5 64f0bc4f60016cbf265aa0ebd99228dc
SHA1 df60301c4f5eb03aaa0ce9b8c4557d4bb2f6ad5d
SHA256 047d2804afc1ca94ae357be2b52f300bff767c39008e69ca6ba2d4c635a6594a
SHA512 273273f90fa5ccca0967cc0e564f25bb23ccaf143efdb12423801ecf121d0bb875ac7781605dbdf47aa513fa788b993c671e47b8d59f4a957a282482436d8031

C:\Windows\System\kPHpXlQ.exe

MD5 24e3cfaa07f5855186c785b8c4a5a50a
SHA1 0f93b708601d6d7dd060d0bf45b4952fc6f527c1
SHA256 ab6b913be64b2fdbf50598e9386ae28a970c2f3f05bd2ddaa6346d7a02ad1f9e
SHA512 f19e3b6ec2e738bdd4b9b20ca338b611e315e32b3814299899c23dfcddda15232f42290510947f10fd3043bdf7f8e70750ffe00370895377d811072882c6bae6

memory/4712-122-0x00007FF60BFD0000-0x00007FF60C321000-memory.dmp

C:\Windows\System\kSRyVYk.exe

MD5 ccb243695bf11ee5bfb1ffb67da83293
SHA1 10931d09bf972ec0ee27c3fd483b9b10700f0f30
SHA256 a3b6680621def7bc79c1869c908c9deac739d50dde7c9941c611f0b2e5dd6ae1
SHA512 b1bc1d4e94f9f9751ba82508abfdaf572cf396c70300a594ffe56a54004992a5eb84adac9be54e3c5284908b858a4f0a94b666934305fb5da1f7c1720ac9da61

memory/2256-117-0x00007FF6225F0000-0x00007FF622941000-memory.dmp

memory/3380-116-0x00007FF747190000-0x00007FF7474E1000-memory.dmp

memory/3872-113-0x00007FF62DDB0000-0x00007FF62E101000-memory.dmp

memory/4556-112-0x00007FF6BBC00000-0x00007FF6BBF51000-memory.dmp

memory/3512-111-0x00007FF73A940000-0x00007FF73AC91000-memory.dmp

memory/3676-110-0x00007FF7D96A0000-0x00007FF7D99F1000-memory.dmp

C:\Windows\System\MGhtyLi.exe

MD5 32a11ca6570ab40efa3ab7ef41494140
SHA1 6aa53818421495d7a5ca898fe18b69fca6be025e
SHA256 bb3c694bc9e7d5ce7fb0c343e88e9af9b33dc074428626b27a4f89e77ab1901c
SHA512 dbc058ebb5e4a0a0c58168ae48f08f5c8caacd90cac407377e1fdd76a1a9566dfa464b02089c4ab7d27a954fcdcb99ab6c9a88cb89ce8fd0bc20c500a7da8f03

memory/2112-105-0x00007FF775440000-0x00007FF775791000-memory.dmp

C:\Windows\System\sJFAMPg.exe

MD5 7241d1de1d69e4914c45b231f1b75179
SHA1 7aad44f63cd2beb1114d082e11ead3ce089e5981
SHA256 aff1af68bcebb28ea5b27b6512f42575cc61c078c0ad9eb51ecd1ac2b9d86225
SHA512 e2ec81ef4b3ec0cdd119ad6108bcf21f55cfc2b3c985ffd78065d942384e4d1707f1281eb5626bede71c6ef8b68153c4fbc27592d0482bb4380ab532da3eb301

memory/2132-90-0x00007FF6D7890000-0x00007FF6D7BE1000-memory.dmp

memory/4836-93-0x00007FF6D0140000-0x00007FF6D0491000-memory.dmp

memory/1524-83-0x00007FF6545C0000-0x00007FF654911000-memory.dmp

C:\Windows\System\NnTJYTe.exe

MD5 a901b0355d93152da1dd53f7d13687b2
SHA1 b839671a643d045519319fc5643534599071d971
SHA256 298ce07ea24fcfe5815b4691a9e5f5851965c390b61475f61cc1cfbb3fcd550d
SHA512 884b4ed85030bf811e5f620972b02e19d026f35959e1e9132e3f9e55c6da825c8a84e3b2d2f006197758e767c01e49f9259f92c06a43818b181b9e5e34ee6c5f

memory/1916-73-0x00007FF7F9C00000-0x00007FF7F9F51000-memory.dmp

C:\Windows\System\jvEqKMv.exe

MD5 ae0ceab403ecad335802f0b8811b59b8
SHA1 b3bbbd462e73d593e24dca9cd21ff8072196a055
SHA256 2ece3a1014a8981a857ed2c88131b54eb330396f29cd6538278efb982c15dc58
SHA512 9d24fcb55481602407c504f09e789e6ea77305d7c093061c5703be9e3e4cea400ba9eaee8a567786a25ab67a97edb8f9fe9d45e08906987567b76db6d2e33698

memory/4972-61-0x00007FF7C8E70000-0x00007FF7C91C1000-memory.dmp

memory/4732-42-0x00007FF776390000-0x00007FF7766E1000-memory.dmp

C:\Windows\System\rrYTaUg.exe

MD5 4255e5906f4923ccdc2cc09bc8a530e6
SHA1 2213ce38eebc3713d28b42c5352fac2d057cef9d
SHA256 9a86146b671ab0f23120e0b1109f723e13e7f9fa30bcaa7391839f9aac627326
SHA512 221a015535cba18a61b2ca424e0a1269dbfd1fa647cece74e71c58c1b849e624f8e258081116c91f708984992f42b3d6800a1fc02d9501af789c6a3aa0656702

C:\Windows\System\OhgRCaa.exe

MD5 a3e158a2c5db34229f205cba3131db55
SHA1 8e8aa5c8ff5f06868024adb2b642faea04593b4f
SHA256 cc5b8fcab38e6ef257750b1e920512fcbad791be2c2b561f65379d1dea9826b4
SHA512 4cc4f64bde11bd61d49ef6fcd6e78dc74511feb5ed3f8103a3b111cd3333535bf3da5588e5448c7c009efec19186c5313fa5109a165983764e7d86b6a03a5c08

memory/1760-32-0x00007FF6B6200000-0x00007FF6B6551000-memory.dmp

C:\Windows\System\CNoNQLF.exe

MD5 a0ca952ef2cee2cbded9fa39be063b36
SHA1 2898888d04719ded5f61e81c80711d9689e89643
SHA256 3f8d9eab49f2ebd0b5e0cc1c8d3047a0241113f58ef92327ef7957ef575a400e
SHA512 8be1ffc2edb90cdc1c2427f30ae6678cf4d30a389128ad451f8c88dcc9c48004ea2ad481b61d8ec715b5dbc1637604569839f919d6397684433571c50744d00a

memory/5096-16-0x00007FF637750000-0x00007FF637AA1000-memory.dmp

memory/3232-10-0x00007FF62EA30000-0x00007FF62ED81000-memory.dmp

C:\Windows\System\WyHczkU.exe

MD5 8313c6be858109c22c184efa51961bce
SHA1 59a8b55cc96d50736b9cf4e3ff5814b1ff9535c7
SHA256 9ed9481e181abc9f9606277187b171898c05b0a94512891a09cc02c9985c5574
SHA512 72b8568595681b9b2791f5490e12e3f288ccb1ca492e30a0a1fd6eb11a47ba5493af766a5adf61961282988097b7c9bbfdfa0dd28e222a14f68e496294fb6f0c

memory/4620-127-0x00007FF7AC8B0000-0x00007FF7ACC01000-memory.dmp

C:\Windows\System\ryAsBNe.exe

MD5 11bba73bffe815e98c924c539dd2efcd
SHA1 1cffa527a7e4be684e7f1b33112546d0729514ed
SHA256 6b7ceab712a4f99ab7033abba3cb4d4a0f75a7fe09b8bc4dd9deac3f4c4754a6
SHA512 2274ed27e8737ffb999db99fe5cca206cc621927c58937898df2c7a37479a4fe06f32c572cbaa8837e2189f1786df02b5a272715d04d83dbe3ac96be67ce743a

memory/4924-125-0x00007FF698B90000-0x00007FF698EE1000-memory.dmp

memory/5096-131-0x00007FF637750000-0x00007FF637AA1000-memory.dmp

memory/1916-139-0x00007FF7F9C00000-0x00007FF7F9F51000-memory.dmp

memory/4556-148-0x00007FF6BBC00000-0x00007FF6BBF51000-memory.dmp

memory/4732-134-0x00007FF776390000-0x00007FF7766E1000-memory.dmp

memory/2980-130-0x00007FF62BA90000-0x00007FF62BDE1000-memory.dmp

memory/4972-137-0x00007FF7C8E70000-0x00007FF7C91C1000-memory.dmp

memory/4620-149-0x00007FF7AC8B0000-0x00007FF7ACC01000-memory.dmp

memory/4924-150-0x00007FF698B90000-0x00007FF698EE1000-memory.dmp

memory/4924-151-0x00007FF698B90000-0x00007FF698EE1000-memory.dmp

memory/3232-208-0x00007FF62EA30000-0x00007FF62ED81000-memory.dmp

memory/2980-210-0x00007FF62BA90000-0x00007FF62BDE1000-memory.dmp

memory/5096-214-0x00007FF637750000-0x00007FF637AA1000-memory.dmp

memory/1760-213-0x00007FF6B6200000-0x00007FF6B6551000-memory.dmp

memory/4428-217-0x00007FF6BBD50000-0x00007FF6BC0A1000-memory.dmp

memory/4732-220-0x00007FF776390000-0x00007FF7766E1000-memory.dmp

memory/3024-219-0x00007FF6232A0000-0x00007FF6235F1000-memory.dmp

memory/1524-224-0x00007FF6545C0000-0x00007FF654911000-memory.dmp

memory/4972-223-0x00007FF7C8E70000-0x00007FF7C91C1000-memory.dmp

memory/3872-232-0x00007FF62DDB0000-0x00007FF62E101000-memory.dmp

memory/3676-236-0x00007FF7D96A0000-0x00007FF7D99F1000-memory.dmp

memory/4836-231-0x00007FF6D0140000-0x00007FF6D0491000-memory.dmp

memory/2132-229-0x00007FF6D7890000-0x00007FF6D7BE1000-memory.dmp

memory/2112-227-0x00007FF775440000-0x00007FF775791000-memory.dmp

memory/1916-234-0x00007FF7F9C00000-0x00007FF7F9F51000-memory.dmp

memory/3512-239-0x00007FF73A940000-0x00007FF73AC91000-memory.dmp

memory/4712-242-0x00007FF60BFD0000-0x00007FF60C321000-memory.dmp

memory/3380-246-0x00007FF747190000-0x00007FF7474E1000-memory.dmp

memory/2256-244-0x00007FF6225F0000-0x00007FF622941000-memory.dmp

memory/4556-241-0x00007FF6BBC00000-0x00007FF6BBF51000-memory.dmp

memory/4620-250-0x00007FF7AC8B0000-0x00007FF7ACC01000-memory.dmp