Malware Analysis Report

2025-01-22 19:22

Sample ID 240806-nmx4rssajb
Target 2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat
SHA256 66a69ebc97f02250ec5ea75d09c94499f38622bed0f7557fc168e199ef2789d5
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2 (listed in the report's outline; not included in this copy)
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

66a69ebc97f02250ec5ea75d09c94499f38622bed0f7557fc168e199ef2789d5

Threat Level: Known bad

The file 2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike

XMRig Miner payload

Xmrig family

xmrig

Cobaltstrike family

Cobalt Strike reflective loader

XMRig Miner payload

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 11:31

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(1 row; all four fields reported as N/A)

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
(1 row; all four fields reported as N/A)

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
(1 row; all four fields reported as N/A)

Unsigned PE

Description Indicator Process Target
(2 rows; all four fields reported as N/A)
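The static verdict above says only "UPX packed file" with no indicator. Added example (not part of the sandbox report, and not the sandbox's own rule): the two heuristics most static scanners use for that verdict, a hand-written PE section-table walk looking for the UPX0/UPX1 section names, plus a scan for the "UPX!" marker string. The PE image below is constructed in code so the check runs offline; it is not the analysed sample. The section layout, the PE32+ optional-header size and the 0x40 e_lfanew are my choices for the test image.

```python
"""Reproduce a 'UPX packed file' static check on a constructed PE image."""
import struct

OPT_HDR_SIZE = 0xF0          # size of a PE32+ optional header (assumed for the test image)
SECTION_HDR_SIZE = 40        # fixed by the PE format


def build_pe(section_names, trailer=b""):
    """Construct a minimal PE32+ file: DOS stub, PE signature, COFF header,
    a zeroed optional header and one section header per name. Section data
    is not emitted; the headers are all the check needs."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0,
                       OPT_HDR_SIZE, 0x22)                     # x64, EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE
    opt = struct.pack("<H", 0x20B).ljust(OPT_HDR_SIZE, b"\0")  # magic 0x20B = PE32+
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1),        # VirtualSize, VirtualAddress
                    0x200, 0x400 + 0x200 * i,        # SizeOfRawData, PointerToRawData
                    0, 0, 0, 0, 0x60000020)          # relocs/linenumbers, CODE|EXECUTE|READ
        for i, name in enumerate(section_names))
    return dos + b"PE\0\0" + coff + opt + sections + trailer


def section_names(data):
    """Walk the PE headers and return the section names in table order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    first = coff + 20 + opt_size                              # section table follows the optional header
    names = []
    for i in range(nsec):
        raw = struct.unpack_from("<8s", data, first + SECTION_HDR_SIZE * i)[0]
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def upx_indicators(data):
    """Both cheap signals a scanner keys on; either alone is easy to strip."""
    names = section_names(data)
    return {
        "sections": names,
        "upx_sections": any(n.upper().startswith("UPX") for n in names),
        "upx_marker": b"UPX!" in data,
    }


def looks_upx_packed(data):
    ind = upx_indicators(data)
    return ind["upx_sections"] or ind["upx_marker"]


if __name__ == "__main__":
    for label, image in (("packed", build_pe(["UPX0", "UPX1", ".rsrc"])),
                         ("plain", build_pe([".text", ".rdata", ".data"]))):
        print(label, upx_indicators(image))
```

Both signals are trivial to remove (section names can be rewritten in place and the marker overwritten), so a negative result from this check does not clear the sample; high entropy in a section that also carries the entry point is the fallback when the names have been scrubbed.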

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 11:31

Reported

2024-08-06 11:34

Platform

win7-20240704-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 rows; all four fields reported as N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(42 rows; all four fields reported as N/A)

Loads dropped DLL

Description Indicator Process Target
(21 rows; Process = C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe in every row; Description, Indicator and Target reported as N/A)

UPX packed file

upx
Description Indicator Process Target
(64 rows; all four fields reported as N/A)

Drops file in Windows directory

Description Indicator Process Target
(21 rows; Description = "File created", Process = C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe, Indicator and Target N/A in every row. Files created, in report order:)

C:\Windows\System\mxrQxJJ.exe
C:\Windows\System\fFsAsjj.exe
C:\Windows\System\qfeHdwh.exe
C:\Windows\System\DTRbGvu.exe
C:\Windows\System\BhUexmU.exe
C:\Windows\System\WjCnXXJ.exe
C:\Windows\System\OvkinUf.exe
C:\Windows\System\lFQAhKm.exe
C:\Windows\System\NKEKaGB.exe
C:\Windows\System\MWrbeco.exe
C:\Windows\System\QhTSyta.exe
C:\Windows\System\WUmSXBr.exe
C:\Windows\System\zTNGgHP.exe
C:\Windows\System\zyyoIoC.exe
C:\Windows\System\ZzdLkZN.exe
C:\Windows\System\mmHulgj.exe
C:\Windows\System\LKHmiTC.exe
C:\Windows\System\WyViYrX.exe
C:\Windows\System\DOngHwe.exe
C:\Windows\System\aVPDqVp.exe
C:\Windows\System\SEHGNAo.exe

All 21 names follow the same scheme: seven mixed-case letters with a .exe extension, written directly into C:\Windows\System (not System32), which needs the sample to be running with administrative rights.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(63 rows; Process = C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe (PID 1656) and Indicator = N/A in every row. Condensed to one line per target, with the number of write events:)

PID 1656 -> PID 2308  C:\Windows\System\aVPDqVp.exe  (3 events)
PID 1656 -> PID 2648  C:\Windows\System\WUmSXBr.exe  (3 events)
PID 1656 -> PID 2360  C:\Windows\System\lFQAhKm.exe  (3 events)
PID 1656 -> PID 2796  C:\Windows\System\zTNGgHP.exe  (3 events)
PID 1656 -> PID 2564  C:\Windows\System\zyyoIoC.exe  (3 events)
PID 1656 -> PID 2760  C:\Windows\System\ZzdLkZN.exe  (3 events)
PID 1656 -> PID 2768  C:\Windows\System\mmHulgj.exe  (3 events)
PID 1656 -> PID 2604  C:\Windows\System\mxrQxJJ.exe  (3 events)
PID 1656 -> PID 2628  C:\Windows\System\fFsAsjj.exe  (3 events)
PID 1656 -> PID 2972  C:\Windows\System\qfeHdwh.exe  (3 events)
PID 1656 -> PID 1752  C:\Windows\System\LKHmiTC.exe  (3 events)
PID 1656 -> PID 2388  C:\Windows\System\DTRbGvu.exe  (3 events)
PID 1656 -> PID 1696  C:\Windows\System\BhUexmU.exe  (3 events)
PID 1656 -> PID 1232  C:\Windows\System\WjCnXXJ.exe  (3 events)
PID 1656 -> PID 564   C:\Windows\System\MWrbeco.exe  (3 events)
PID 1656 -> PID 2992  C:\Windows\System\NKEKaGB.exe  (3 events)
PID 1656 -> PID 2848  C:\Windows\System\WyViYrX.exe  (3 events)
PID 1656 -> PID 2868  C:\Windows\System\DOngHwe.exe  (3 events)
PID 1656 -> PID 1260  C:\Windows\System\SEHGNAo.exe  (3 events)
PID 1656 -> PID 556   C:\Windows\System\OvkinUf.exe  (3 events)
PID 1656 -> PID 264   C:\Windows\System\QhTSyta.exe  (3 events)

Every child gets exactly three writes from its parent and nothing else writes into any process. This signature fires on any WriteProcessMemory call into another process, which commonly includes the writes a parent performs while it creates a child, so on its own the table establishes that PID 1656 spawned 21 dropped executables, not that it injected code into them. The per-PID dumps under Files are where to look for that.

Processes

PID 1656  C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe"

Child processes, all started by PID 1656 (PIDs taken from the WriteProcessMemory table above); for each one the command line is the bare image path with no arguments:

PID 2308  C:\Windows\System\aVPDqVp.exe
PID 2648  C:\Windows\System\WUmSXBr.exe
PID 2360  C:\Windows\System\lFQAhKm.exe
PID 2796  C:\Windows\System\zTNGgHP.exe
PID 2564  C:\Windows\System\zyyoIoC.exe
PID 2760  C:\Windows\System\ZzdLkZN.exe
PID 2768  C:\Windows\System\mmHulgj.exe
PID 2604  C:\Windows\System\mxrQxJJ.exe
PID 2628  C:\Windows\System\fFsAsjj.exe
PID 2972  C:\Windows\System\qfeHdwh.exe
PID 1752  C:\Windows\System\LKHmiTC.exe
PID 2388  C:\Windows\System\DTRbGvu.exe
PID 1696  C:\Windows\System\BhUexmU.exe
PID 1232  C:\Windows\System\WjCnXXJ.exe
PID 564   C:\Windows\System\MWrbeco.exe
PID 2992  C:\Windows\System\NKEKaGB.exe
PID 2848  C:\Windows\System\WyViYrX.exe
PID 2868  C:\Windows\System\DOngHwe.exe
PID 1260  C:\Windows\System\SEHGNAo.exe
PID 556   C:\Windows\System\OvkinUf.exe
PID 264   C:\Windows\System\QhTSyta.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none) tcp
(6 rows, all to the same endpoint)

No domain is recorded for any of the six connections, which is consistent with an address hard-coded in the sample rather than resolved at run time. Port 8080 is used both by Cobalt Strike HTTP listeners and by mining-pool proxies, and the report does not show the traffic, so which of the two detected families owns this connection is not established here. The single IP:port is the usable indicator; the surrounding 3.120.0.0/14 is public-cloud address space that other tenants will reuse, so do not block the range.

Files

memory/1656-0-0x000000013FDD0000-0x0000000140121000-memory.dmp

memory/1656-1-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\aVPDqVp.exe

MD5 25dc1e8dabfed0a46ecae43d7f0055cf
SHA1 e00469e014c080635d1eccd4376b2ad686c8cf4f
SHA256 70bc746293e4ba24f7d7aba33502d2a82f2db47c7c20b7c7a565c9122bcb3e18
SHA512 9f79ddaf29aaefbc785f64eb01d8011779ebabb86a25ab914dfa6dac953fc1ef5fb73d0a3647c148c5e126f55572f7530071aa8f731c10c1f4572776249df3ad

memory/2308-7-0x000000013FD80000-0x00000001400D1000-memory.dmp

\Windows\system\WUmSXBr.exe

MD5 7e97cd3d97c078bbbca64f4f1dbd29ec
SHA1 2ca72f3644c619b08c664a62a075a71dde207edb
SHA256 c3d3ab64ea0cd60b4a106149dbeb847e892cc4455a4ae6bf53b248d891cf38cc
SHA512 0f75cb82f0f8f13d68d9b085498b0cec11007a11d0752e6f7db388f72169adfd125ecbbc472f71f6706d41193238e0740c8ec565fafc49fc21eda00ecbbe01da

memory/2648-14-0x000000013F6B0000-0x000000013FA01000-memory.dmp

C:\Windows\system\lFQAhKm.exe

MD5 eda91a5c119f3f5f4de8f75f1841757d
SHA1 7ef772f9b0ed7baa5517908e7bf2b5c908bf9d3d
SHA256 ea17f72f148fd1e6479bb682cb1b3aa493619922db1c06d9f8786ea130cdfd3a
SHA512 d5948630c3c036ff91fde3bfe6d7edd9bcb067da92adc166fcaafecc18a7bc413ef9f2161ffcd048df587ed3dc9a0290e1ff5eb328bb96ff67b849bebab015c7

memory/2360-24-0x000000013F960000-0x000000013FCB1000-memory.dmp

memory/1656-19-0x000000013F960000-0x000000013FCB1000-memory.dmp

C:\Windows\system\zyyoIoC.exe

MD5 e7927186b0a39dc5b33f916e90c5c0d1
SHA1 33ce3e2c54421f9e4e4cbb4f9050f6acbb1bd354
SHA256 b3e1725341ccb04726faef4f579853880d2c71718a5d954db47b42fc1f925493
SHA512 e4cfcebef6026aef174f0883e5a424c8c97128cca28bb31c484ca4fbd31fd581a88ac7a8e01b1db94134d3c597cfffa3f52a8c80a585feea524cbd95f862b3d7

\Windows\system\ZzdLkZN.exe

MD5 81c91efa1ba113080877936247e7fb45
SHA1 61bab46171d2647d7805a12e4f27b8b304255ad6
SHA256 93a28400e3fb3afb29461e5e64b91f21cd908085eb13517abba0f7a552a828c4
SHA512 3c1d2272d62666de759fca3fd5a2d841afa35a9daf2d263e731b6abe466e8461bcb06d37e394e23ed37b39d4394ebdc785c5eaa45051d47b3dd5d0d389ab722e

memory/1656-36-0x000000013FDD0000-0x0000000140121000-memory.dmp

memory/2760-39-0x000000013F390000-0x000000013F6E1000-memory.dmp

memory/2564-34-0x000000013F640000-0x000000013F991000-memory.dmp

memory/1656-32-0x000000013F640000-0x000000013F991000-memory.dmp

memory/2796-30-0x000000013FEE0000-0x0000000140231000-memory.dmp

\Windows\system\mxrQxJJ.exe

MD5 ce6462880f9fe0d23db6af0116d6fb3b
SHA1 5b7c03893a0dcb171987b5685caca2a20c80dd85
SHA256 a8074f7eddf504d01ba08c73809e1c851d5edb56aac709d2b3e68006ddf773f9
SHA512 5559854e1ecac73b7bf54e66475daecaf01223d63357e8b6a81c6417ca6fcabc8796ded2dd88dd0e0c7e5dd1d6320f6125bda2f4362ebff9a8a4dda2dd583ad6

memory/2648-50-0x000000013F6B0000-0x000000013FA01000-memory.dmp

memory/1656-52-0x000000013F0E0000-0x000000013F431000-memory.dmp

memory/2604-53-0x000000013F0E0000-0x000000013F431000-memory.dmp

memory/2768-48-0x000000013FC50000-0x000000013FFA1000-memory.dmp

C:\Windows\system\mmHulgj.exe

MD5 b530c05c6b18656f52611ffd36bb753f
SHA1 327b412e4c07ff3048d09f69157d6495dc1a1bdd
SHA256 dcd906ec74d3b9b615d0c70123061c566fc736e9432038a8070e61fadc119727
SHA512 a3ef37b75a1d4761d29554f508639a7d7b2d30a49512ae2b244012e7eedd45624088d78cf5e756386a0c347826bc37c861db5f54ac79683aaf98d503e687451a

memory/2308-46-0x000000013FD80000-0x00000001400D1000-memory.dmp

memory/1656-26-0x0000000002380000-0x00000000026D1000-memory.dmp

C:\Windows\system\zTNGgHP.exe

MD5 b064b87e484ddf40819b435e1647abed
SHA1 77c230b2565599857c5172ee4986fab4430edc83
SHA256 5a01aa458d3fbaac4eab2bcf06633a99996d0660c66424164370430705da1495
SHA512 4ee8be2e760a374a043c867d0912d7570f13f98a145dc3c4af44d1ff3b7adf754bc61404c3ec194fe522589801afb313f4455b238712dca66f48c4f9acbdc6b2

C:\Windows\system\fFsAsjj.exe

MD5 54efdb073a2b504652da6f2ab3a84504
SHA1 7e11a88fe5ab84bff487a3e1051ade1ef2c6b054
SHA256 a0d067cdc7c9d951d6d34208de3a5756484c37298ace53b942d25d0bd39cb56f
SHA512 1e274afc0559150b2b653a5aec8a186508100938cfa93a8f8d2e165751fb8142254d072879e68cb2af3994e2ef2a2a060f37edb89090d72e9ee2fc334a3c1ce2

\Windows\system\qfeHdwh.exe

MD5 c845350836aa16a2737c4aed289dd0fd
SHA1 ed2729018f173bf8a5829c1db179c46bc4eb8b64
SHA256 11a9eaaa155c4af21b9e9424f538528bd55a1a64c0c59147bc1a6142d5b38f9c
SHA512 cc188bef2d9ac8da3212a8effdd7e5c418215eeafd9feed27b3b700a864cc8a82a85bf2f313414bced18b0720dc8da2ae4b804a1c91f381c3ebe5362d7b63191

\Windows\system\LKHmiTC.exe

MD5 4d8ebdc019bf0d85bc91f2a9cd9ee7c8
SHA1 c82e56c2e48b347698c659ddfa2c3a7c6f3dfcb0
SHA256 b28cab80a7f6b79371b099969cbf8712885105e313ab749e50495293e9644b43
SHA512 d47417a0c9d0936bf9238163bb42423716fefcfe0e860e9d446d7aa8e024fcc7873226bbece3867e07b823dd19b72a2ff42cf9fc25f37c1e219efd5a8ba0604b

memory/2628-73-0x000000013FA80000-0x000000013FDD1000-memory.dmp

memory/1656-76-0x000000013F960000-0x000000013FCB1000-memory.dmp

memory/1656-69-0x0000000002380000-0x00000000026D1000-memory.dmp

memory/2796-65-0x000000013FEE0000-0x0000000140231000-memory.dmp

memory/2564-80-0x000000013F640000-0x000000013F991000-memory.dmp

memory/1656-79-0x000000013F400000-0x000000013F751000-memory.dmp

memory/1752-78-0x000000013F400000-0x000000013F751000-memory.dmp

memory/2972-77-0x000000013F960000-0x000000013FCB1000-memory.dmp

C:\Windows\system\DTRbGvu.exe

MD5 57a66529afbfcc0908104b1e61055ab0
SHA1 0a90a1072561b7b556181fba22608394834b77df
SHA256 c54cb381f8be6f925631943edc606f3e84f301a0fa69f86824bab3ddc47a7a6b
SHA512 12a63bccf65dd14df9cf47db3953fea1ae9f32f8aec12178de375d534ecc9fea615e7bcf47920f94783b2e06b4651e218fdb96fb9521f76f03bcb628f823e330

memory/2388-86-0x000000013F530000-0x000000013F881000-memory.dmp

C:\Windows\system\BhUexmU.exe

MD5 b05b4bfbdc98b2d655f44359d56a59fb
SHA1 0135ff5c224bbfc4f99e84bde2ed1af2dacc112f
SHA256 4e41b78e4f8bff15ab21541c431aa0e6c9224c1fb36aca8e68b7185972d8ca2e
SHA512 76788795913f21d673ccc560ab28ab4bdef431a2c900b5a9b648f3dacfee0a351ff4fb63e80b403fac2171f92d04c5a686b4c2f59142007baad37d3e02ee9255

\Windows\system\WjCnXXJ.exe

MD5 d231fc69ecef80bdc22ac23829e63696
SHA1 7d6906015dc4d7515396fa9505d5df2c699f2e02
SHA256 c137ce056034478b5a36879193af284e12e826045ec941c259ac5dc712467ce5
SHA512 3e99e81516176d1dc954301c49848582c61257d86bd202c80b59fe4f3e7f06134b2657ae146ab5382396625179bae5b855c4972cc8df4b887f1dd85ff420f6c5

memory/1696-100-0x000000013F9D0000-0x000000013FD21000-memory.dmp

memory/1656-102-0x0000000002380000-0x00000000026D1000-memory.dmp

memory/1232-101-0x000000013FBE0000-0x000000013FF31000-memory.dmp

memory/1656-99-0x000000013F9D0000-0x000000013FD21000-memory.dmp

memory/2760-97-0x000000013F390000-0x000000013F6E1000-memory.dmp

memory/2768-113-0x000000013FC50000-0x000000013FFA1000-memory.dmp

\Windows\system\DOngHwe.exe

MD5 515d1113ba74b896c3886a97179e05b0
SHA1 6372aa98e069d53e3e46d4c45c3d6a615daaa042
SHA256 51a91c7a277be72b7a49890596482b416e07cb26fbeff763ed5ecee430973849
SHA512 0baac81fa10e00f5ae4a5f77ddd0ae2f4b94e02c0523c725ff64810e5fe624e042061f1a1bf423f3bac8dd476e8cfd1d6fc032e190c84e73908ed85413b715a2

memory/1656-129-0x0000000002380000-0x00000000026D1000-memory.dmp

C:\Windows\system\WyViYrX.exe

MD5 b9361660637fad7d33d10ce7195bfbdf
SHA1 211529ce26410bf2a697f740e9c845bba893675a
SHA256 eeca3a0291ea8732dfae87ec1c078971e480404b1d0b2924c8a3d9dabaae6456
SHA512 0112a93b97ee0c1c254d4b76275b014278fc6b32f13a6eba330e8b4db2a6405eab6d2aeb6c97cd54013b554200701b638fe94c8488df3618f555b9f6f0b39954

memory/1656-122-0x000000013F0E0000-0x000000013F431000-memory.dmp

C:\Windows\system\NKEKaGB.exe

MD5 197bc82219efc8d04d47109e7447f958
SHA1 accf51657431067228ce2845fa31aaa3041679d1
SHA256 7ec74a6d96ed1e740fdea430d41fd5570616bc4af028c82553c02799d6b5aec5
SHA512 99dd3f9152bca375742cb57def3b8e8dfc36b4acea77033cbc1a97c2c777f939bdaae22bd85dba8af86a2a5bc8ace83612d7dd3666bb177716f443629e91fecd

C:\Windows\system\MWrbeco.exe

MD5 991821574f03526b41c54f0d50a4a897
SHA1 f600a5b2e34bf4b1df250a89d4ddf1f7e6b58840
SHA256 0cdd5e692634a0723291c65d5a9fa0ee4e29a9c9a9deb86e2b46ce089d708c9a
SHA512 4f3cb52fa47731b57c925b9fcd47d568baf80191acd2032be5f9ff1f24d2d9b81bf672043a15892b00cfe1716bf7bc900c475c881916cb2f66c3d10d8fde2982

C:\Windows\system\OvkinUf.exe

MD5 9c8d070a2b59b77b22df8abfffcae6a1
SHA1 8c6292a04510c33613a1e5e2f8abc4ef6888ecf0
SHA256 1c55a3943779c7c78ffcac45335dcb111c2db214a07e5842b98ea52bc1cda0b9
SHA512 4fcf4bdde64b487b3362992f58f269a2417b7af89dcd0d7235d4d24c5839d54661d127f783fb0095cb3a0fe8b2d8360ae988d4ea38522b99fef9143484c89e59

C:\Windows\system\SEHGNAo.exe

MD5 84cec9d3cee2e62e1762b9ed48066ba5
SHA1 ff34fbd5ef3424adaba94703eac277188b67455a
SHA256 cd56a7499f2e6ca56fd3e80691cd987029da9bd39c9d78082bf256f00a54aee3
SHA512 7f8786f0c9b0aa5b6c65737a51b793e35a88fe7290768b5d170a194e6355b49358e0be49a99d67914077e13ec9595f548422bf016a6ad3a88c00082432657ad4

C:\Windows\system\QhTSyta.exe

MD5 a6261a60e67f7a5d36033df34e7102b0
SHA1 47a3b79d679b0746ebe13491877a3b9e6d993ee9
SHA256 057748c09c5c404569679b41b7211e889231f6c3f667525930b37a172a90f0d9
SHA512 4eceda0481dff57ea5ed40b44ac79474d7504d31e0fb1c2171cfc4f59d5aa9eea7b923221d102da4889fabf35eabd93f0a038d0c4ee3df22fec953b7e4c54d74

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 11:31

Reported

2024-08-06 11:34

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\FyFTJiM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JmEgZUR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IxSIYvQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yLaNRdG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YNIsheQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SybGavX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SqOHreP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WHvucKu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Noeajab.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HNyYBcU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eYRkTzj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fUNRBfV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kzAjMII.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GUbYSIz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IcMKOYj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rMpIIBN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eeSIbaH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MbiVaeE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VxgVrKo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VLGuhdy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HnihhCu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4048 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Noeajab.exe
PID 4048 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Noeajab.exe
PID 4048 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IcMKOYj.exe
PID 4048 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IcMKOYj.exe
PID 4048 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JmEgZUR.exe
PID 4048 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JmEgZUR.exe
PID 4048 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rMpIIBN.exe
PID 4048 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rMpIIBN.exe
PID 4048 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eeSIbaH.exe
PID 4048 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eeSIbaH.exe
PID 4048 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IxSIYvQ.exe
PID 4048 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IxSIYvQ.exe
PID 4048 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yLaNRdG.exe
PID 4048 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yLaNRdG.exe
PID 4048 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HNyYBcU.exe
PID 4048 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HNyYBcU.exe
PID 4048 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eYRkTzj.exe
PID 4048 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eYRkTzj.exe
PID 4048 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fUNRBfV.exe
PID 4048 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fUNRBfV.exe
PID 4048 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SybGavX.exe
PID 4048 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SybGavX.exe
PID 4048 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MbiVaeE.exe
PID 4048 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MbiVaeE.exe
PID 4048 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kzAjMII.exe
PID 4048 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kzAjMII.exe
PID 4048 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VxgVrKo.exe
PID 4048 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VxgVrKo.exe
PID 4048 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YNIsheQ.exe
PID 4048 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YNIsheQ.exe
PID 4048 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VLGuhdy.exe
PID 4048 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VLGuhdy.exe
PID 4048 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HnihhCu.exe
PID 4048 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HnihhCu.exe
PID 4048 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GUbYSIz.exe
PID 4048 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GUbYSIz.exe
PID 4048 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SqOHreP.exe
PID 4048 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SqOHreP.exe
PID 4048 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FyFTJiM.exe
PID 4048 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FyFTJiM.exe
PID 4048 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WHvucKu.exe
PID 4048 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WHvucKu.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_c5c371dc27e90300edd07bdbd426ef36_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\Noeajab.exe

C:\Windows\System\Noeajab.exe

C:\Windows\System\IcMKOYj.exe

C:\Windows\System\IcMKOYj.exe

C:\Windows\System\JmEgZUR.exe

C:\Windows\System\JmEgZUR.exe

C:\Windows\System\rMpIIBN.exe

C:\Windows\System\rMpIIBN.exe

C:\Windows\System\eeSIbaH.exe

C:\Windows\System\eeSIbaH.exe

C:\Windows\System\IxSIYvQ.exe

C:\Windows\System\IxSIYvQ.exe

C:\Windows\System\yLaNRdG.exe

C:\Windows\System\yLaNRdG.exe

C:\Windows\System\HNyYBcU.exe

C:\Windows\System\HNyYBcU.exe

C:\Windows\System\eYRkTzj.exe

C:\Windows\System\eYRkTzj.exe

C:\Windows\System\fUNRBfV.exe

C:\Windows\System\fUNRBfV.exe

C:\Windows\System\SybGavX.exe

C:\Windows\System\SybGavX.exe

C:\Windows\System\MbiVaeE.exe

C:\Windows\System\MbiVaeE.exe

C:\Windows\System\kzAjMII.exe

C:\Windows\System\kzAjMII.exe

C:\Windows\System\VxgVrKo.exe

C:\Windows\System\VxgVrKo.exe

C:\Windows\System\YNIsheQ.exe

C:\Windows\System\YNIsheQ.exe

C:\Windows\System\VLGuhdy.exe

C:\Windows\System\VLGuhdy.exe

C:\Windows\System\HnihhCu.exe

C:\Windows\System\HnihhCu.exe

C:\Windows\System\GUbYSIz.exe

C:\Windows\System\GUbYSIz.exe

C:\Windows\System\SqOHreP.exe

C:\Windows\System\SqOHreP.exe

C:\Windows\System\FyFTJiM.exe

C:\Windows\System\FyFTJiM.exe

C:\Windows\System\WHvucKu.exe

C:\Windows\System\WHvucKu.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\Noeajab.exe

MD5 d5fbf7ced76bb08e2475b5cd3f67df17
SHA1 40b09ac1d1bf9d139815eba70a66086bef0f1ec8
SHA256 0fa2b6c6bc519f0345fe3656c668fac4fd7ced4c959bf3e6d268be83618c28b5
SHA512 3da0b4b0970fb105416c3e516b5aa3301908ec19a83f0457688c1a01c6dfe23114bcdfcbcbc0c6d0f0fb5dedd6890ad69823ab149fe02f0d16928d09daa1f76a

C:\Windows\System\IcMKOYj.exe

MD5 428dda6c66ff83d9cb1fd135bd74d263
SHA1 79e16fa4a8a52d619af5209317160c2a1ae9817d
SHA256 7b93a40aa5160a39086438192f02a5796ed62ab92ad1303e2b6ade41e85a112c
SHA512 43c35c27d67d5d2aebeadd7db5446509924c30f1f060ccbcb484c4e70e9031d1a051c7e3f7ff1ca3dce80f26a77cb3cd9150a092c777e68e807d414ccba7ee8a

C:\Windows\System\JmEgZUR.exe

MD5 34626525b7068d8005cf716369494829
SHA1 efd7180a70aed4cd2e89001ecffe5ec76a03bef8
SHA256 329deb7bfaad3ee73dd350d762d0f3b073aa896ae545ba1c1c54d3920f250b3e
SHA512 3e8b56bfa3da8ed11acaa2df4b363e6b4957119e51ed92b0474a7fb027a0499e60f1c7387c6fcb92bbb53ce23a6d8af1c5d89d259628f271c16dcd989a383699

C:\Windows\System\rMpIIBN.exe

MD5 a7a6bdde304c976e4785d0a99317ce95
SHA1 28fe67c7b00aecdec9de764a865ef490877a8287
SHA256 6c703f710f4b250a602bbcbe62d9c32a1cb700eb3e9552f64ada571be01ba43a
SHA512 36a150a503011696dd2e2592d25b376bdebc0a607a887119006d7637c37ff169662d6f6124cb2a04c9f41e747b1276d4aee8eed396407bf01d29a4d2a874f62d

C:\Windows\System\eeSIbaH.exe

MD5 1959cc53966b525bc5ed34fca8ad3724
SHA1 51a3c79bc834b222bbd7a9ea2b73177dd1d9e080
SHA256 fa9ae51723009529eac7a72b5ac520ab124dc1607945196c473ae8cd56df8f81
SHA512 654e10a94bdb086cce2cecf0310f78a809904972f84fd5d64337557f211dc2f450b5a50b6abd138971dcdae9c2f57c1646f9f6cb96f30d1dfa672fb143583230

C:\Windows\System\SybGavX.exe

MD5 0c29c7afce3e1b340c5f9e5f20d4c8a1
SHA1 a2891067ab90dff6e7e4a7e331a6666fa186c28a
SHA256 2323e43b633517be3e19fb45b13b2b4bfe1ce7d6873d7a2ea4de5d09e4ba7668
SHA512 ce2882f55552765b17ec12e4d839836a37b219553681680a08836dbfaf9ab7d5d75cae0c3ecf411d2112cbb4a9627c9c910b1fb017d7b844b24af42a2e4a0b48

C:\Windows\System\MbiVaeE.exe

MD5 c7a4580a69acfc2cb61965892d852b34
SHA1 89704995ec1f552ce3aa88d2f9e7aa8878720f64
SHA256 f390ff39be174c0a3a03ddf15d6b878d62b3ad47c59af8be034d51b60a9b608a
SHA512 9f850f24448549134858de50c82a15d9207a1a8da5a1c07e0d853e92d71aaa13a7317f3d31a7bf6a310370526a9fc84b68a409ac66714a9bbb37b9171c9e6130

C:\Windows\System\VLGuhdy.exe

MD5 6240aad2f0507557ffb7cd847c062182
SHA1 6a2cbb3f651d3edba17f4929d8ee6d498221558b
SHA256 517c112674d3831d3f0db16d532043babaeac4ae74424bc56d9832a48d5fe829
SHA512 1f5ab08529036660431daba4e8332b7049b3abbc725f917ac3a81a9573cf51db180735d86dca8c354ba33050923cff1eb5f254afc7bca6126789bbfc1c57d625

C:\Windows\System\WHvucKu.exe

MD5 1bedef3f7b8489332f74a6a15b4ed4a9
SHA1 7fcb6ce215d3cb6b04b59675befccf96266937d4
SHA256 9129e3d75d4a1e2b6fb2492bc837b51258d98005900c5bcd704eddd7f6fd59d9
SHA512 984445ff2494863033f5115e3ce716aaad98a264eb6b0917930a009ab6b38a7d06f03d8157d25b19db774ea1fe125fae7bdf440d33ae6744db1f4fe636c4a681

C:\Windows\System\FyFTJiM.exe

MD5 25e8ecf55d4e9d41ae8d0420f49d24b7
SHA1 a0908dba1c2e3661b598ca13b5d7d7d74d908ba1
SHA256 6cd71b5026d45713399b2722daf47083d3b474ff5edd95b8b0e8c5176a779fbb
SHA512 6bd25ada49264bcd2d266fa4359f8de64b8b2037814f22962435a6b8afe097231ed13ec17bd89559420835087d356cc3b3b59fde9ce611f499288dc23ba475bc

C:\Windows\System\SqOHreP.exe

MD5 10d0f37eced3d40dcd254f4fa6df14a1
SHA1 4bae8875c630c690df59fbd8198a632cdbee4d83
SHA256 a29092688ee815673fc5c0daaacca39cd2fdaca0db1612e6216dbe101e8731b5
SHA512 d3e97928ad2672f0c98d0e886e928b2f840bb9f7b07c5473236c1a4067b0516d8498ef4ed0c421c97074bd77482105696564844cbf983ccd5b4fbb159014beb7

C:\Windows\System\GUbYSIz.exe

MD5 894e28755441e93360ff99e6208a35f4
SHA1 65cb837b69226df37cddb250719aecf9282e36da
SHA256 f9a5cc049ee5330c3f8ed0efe2b8853ec8dcd122b0f81617f285ac97ceebe666
SHA512 863538b16f8d61ce527b1295e553ce96d7c1e8f117596a48de54714dc7900e06d3e44994181a7451b82fb2947c1ca9c9b8252da8d09b36b5e96b562bd1216113

C:\Windows\System\HnihhCu.exe

MD5 2dfbe017c58b422286e6812771b3d03d
SHA1 547bcaa2f6ec9cb1c3d8505ba3fcc438a35da28f
SHA256 643e917e18bebe77af8df6375b2af76b1801c6dd5e4fef015cf8de2618b00868
SHA512 bc0014d226d3860eb1aa6772119d24f747d642958a541a1c868dcedf821a192c07136896130040e61af840fe09c104dfe77706e6141432e817c6deb59fe1e234

C:\Windows\System\kzAjMII.exe

MD5 66962293bafa9503810b032627b196d8
SHA1 52a2b4cf3320d86cd4932d60e1a43b0665889b5e
SHA256 10774c1fcc95e83c195308ebcb60d0081a820c800bedd45f4e945e792f792029
SHA512 f4f0bbc08e8352ee1cd92a1d464704600608cc7f29946e5d3a199d83fd5d7169276d7cdbcf80170d0744a7da2dc0d5a5ab471b507c620c000ffdc9534bb83542

C:\Windows\System\YNIsheQ.exe

MD5 4a01528502815da0d1e264d9dc89e2b4
SHA1 1405e6fd0eb88f861db3a1f65e09fb89733319f9
SHA256 01a43eff58e9d8214b17092125d03b476936dfd52444b9902f78887bae634059
SHA512 eeed6f8dcfb2197f3eabb75092db7b0c1047341ed798f112e83870ee747a4152e5fef205e456974ca933e3426575cec07e924487f66dc5caffbbca2eba8d45c9

C:\Windows\System\VxgVrKo.exe

MD5 5c1b3634e0f2c53a5f5d4d72533a4d10
SHA1 c03f62692d254baffbd42d34883f24e9a3e1dd48
SHA256 8f7ca71fe5fed028e111e1913ab34424c6a68ea5879f566487e2a9df7788d35d
SHA512 56ac46ebff7309b2f1c22162cb5ad4f9df7e083dd2f8fc8770147cc692c58bfa47365ff4680b99403b39c07adbe25bf7378130c9c2b5601aa44e08dcf2e7ebf1

C:\Windows\System\fUNRBfV.exe

MD5 ac0a8a1f03b2e16af8013058bc69f6ed
SHA1 008cb151c4cf04aead8f7f56d843ff1416acffde
SHA256 54be04d73fe9d49c954b6cc3da9823ab2252df7281c908613a7594e652618378
SHA512 47911e22c3034ba2cbce9ecc749d9585bf47298259506b83ed5abd7ce77cfd7205fc2866d698608e5261e113b58f60c2c35ca9e78007ad34d245ce4f08cb4550

C:\Windows\System\HNyYBcU.exe

MD5 03b18cc73aa53d530e6507bd3a8c2c69
SHA1 a9e728b36113c89cc7835dc7c5b31c059f77943e
SHA256 f47e5b1e407ce736334e5e0d2189432d99a1583de1dd974f0fe6f32d9e771bf6
SHA512 b057d237a347b484034e310669bc7daf09318dc39236d4513280fea8025f0dd7b80cc7172403b2a641479c4fbed828777169963eaf734bc93b8aabdf45dd8dff

C:\Windows\System\eYRkTzj.exe

MD5 0c2c04f579ed322e2b4ea1ebe0b45ee7
SHA1 f8b9fa6cb6ea1ec8d4b8236aec8bcd338cb05f2b
SHA256 9679438efabdf4348f48b2fefd5f69f5b092fcc79339c801224cadb07d7972a9
SHA512 de13d06cc611ff746ed6867a50ed79f7f2bf3fe7afe0d5db0b88e620da06d6ce5d8ba3b953c0f3cb6be715dc8f48fce81fe5dbae52214e9bc6c78da034ddb512

C:\Windows\System\yLaNRdG.exe

MD5 5234a8396b93a74cbb28e45109d10ad9
SHA1 045606f22d7c9ec7d71065ac821fa599a041c5ac
SHA256 66f2a29680f3c6b47630fb3a061617c790ed2e39a398c584cab6cdb9252dc3d5
SHA512 a1fac10cda3403960425f4c384a09fc6cc1ed8038a945831fde65ffccaf7f885119296743672a8ddccd63b51513c9ce6f1253e55f8dde1473a92eae8d40d88ba

C:\Windows\System\IxSIYvQ.exe

MD5 65cba69b995e360cf8215de68ccc28d7
SHA1 847943868277cfbf36b43a27eeb9db9b882647c0
SHA256 e7e6a8485c969afff9ec743d7fea484a919fdca91a8e3f987265c7a20fd65f79
SHA512 57119580e154dd425150f209ac140fd68c4b585295c96615969b4e08c1f96196e5dbe79e794e2da58e0e5885d9636dbba5dc14f6007786510018cd72497b34ca
