Malware Analysis Report

2025-01-22 19:22

Sample ID: 240806-nwkj2ayalj
Target: 2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat
SHA256: e686be11c93288904aa18aa36f682f35bdb9890999a985cbc1e32924778ec40f
Tags: upx 0 miner cobaltstrike xmrig backdoor trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: e686be11c93288904aa18aa36f682f35bdb9890999a985cbc1e32924778ec40f

Threat Level: Known bad

The file 2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

XMRig Miner payload

Cobaltstrike family

Cobaltstrike

Xmrig family

Cobalt Strike reflective loader

xmrig

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-08-06 11:44

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-06 11:44
Reported: 2024-08-06 11:47
Platform: win7-20240704-en
Max time kernel: 145s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\iNEvjBQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pDaHrLk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jWOkSGa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DSOewGZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zVEqCQJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wQApehG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XsTOQYr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BvgPfAj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\npFDjOB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KMSXksP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZByVbaC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CCwTcbR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OrLNinI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AVqGMwS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QgQcOQT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kYZkrfW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kQdUlth.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OWyppdd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sdrLRfi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hddPrdm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pJHmlxa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1864 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XsTOQYr.exe
PID 1864 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hddPrdm.exe
PID 1864 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BvgPfAj.exe
PID 1864 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QgQcOQT.exe
PID 1864 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pJHmlxa.exe
PID 1864 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kYZkrfW.exe
PID 1864 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iNEvjBQ.exe
PID 1864 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pDaHrLk.exe
PID 1864 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kQdUlth.exe
PID 1864 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KMSXksP.exe
PID 1864 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZByVbaC.exe
PID 1864 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CCwTcbR.exe
PID 1864 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\npFDjOB.exe
PID 1864 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jWOkSGa.exe
PID 1864 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OrLNinI.exe
PID 1864 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AVqGMwS.exe
PID 1864 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OWyppdd.exe
PID 1864 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DSOewGZ.exe
PID 1864 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zVEqCQJ.exe
PID 1864 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wQApehG.exe
PID 1864 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sdrLRfi.exe

Processes

Process Command Line
C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe "C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\XsTOQYr.exe C:\Windows\System\XsTOQYr.exe
C:\Windows\System\hddPrdm.exe C:\Windows\System\hddPrdm.exe
C:\Windows\System\BvgPfAj.exe C:\Windows\System\BvgPfAj.exe
C:\Windows\System\QgQcOQT.exe C:\Windows\System\QgQcOQT.exe
C:\Windows\System\pJHmlxa.exe C:\Windows\System\pJHmlxa.exe
C:\Windows\System\kYZkrfW.exe C:\Windows\System\kYZkrfW.exe
C:\Windows\System\iNEvjBQ.exe C:\Windows\System\iNEvjBQ.exe
C:\Windows\System\pDaHrLk.exe C:\Windows\System\pDaHrLk.exe
C:\Windows\System\kQdUlth.exe C:\Windows\System\kQdUlth.exe
C:\Windows\System\KMSXksP.exe C:\Windows\System\KMSXksP.exe
C:\Windows\System\ZByVbaC.exe C:\Windows\System\ZByVbaC.exe
C:\Windows\System\CCwTcbR.exe C:\Windows\System\CCwTcbR.exe
C:\Windows\System\npFDjOB.exe C:\Windows\System\npFDjOB.exe
C:\Windows\System\jWOkSGa.exe C:\Windows\System\jWOkSGa.exe
C:\Windows\System\OrLNinI.exe C:\Windows\System\OrLNinI.exe
C:\Windows\System\AVqGMwS.exe C:\Windows\System\AVqGMwS.exe
C:\Windows\System\OWyppdd.exe C:\Windows\System\OWyppdd.exe
C:\Windows\System\DSOewGZ.exe C:\Windows\System\DSOewGZ.exe
C:\Windows\System\zVEqCQJ.exe C:\Windows\System\zVEqCQJ.exe
C:\Windows\System\wQApehG.exe C:\Windows\System\wQApehG.exe
C:\Windows\System\sdrLRfi.exe C:\Windows\System\sdrLRfi.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 11:44

Reported

2024-08-06 11:47

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\uMXPtMb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\knPuwKm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Wnjntws.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\adntjyk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\msVjRTj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BcrJQJI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lydOEcv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tCECsja.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qgumisE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sqBgciZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LbUOYlw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JsWLTXU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FsEhGXV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ISLDoVG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wNemOVx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FYvKdts.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fXDYLzI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AOteMff.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DAiSadL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DWziYqH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\npEYFMi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2216 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\adntjyk.exe
PID 2216 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\adntjyk.exe
PID 2216 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uMXPtMb.exe
PID 2216 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uMXPtMb.exe
PID 2216 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\knPuwKm.exe
PID 2216 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\knPuwKm.exe
PID 2216 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qgumisE.exe
PID 2216 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qgumisE.exe
PID 2216 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FsEhGXV.exe
PID 2216 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FsEhGXV.exe
PID 2216 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\npEYFMi.exe
PID 2216 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\npEYFMi.exe
PID 2216 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sqBgciZ.exe
PID 2216 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sqBgciZ.exe
PID 2216 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ISLDoVG.exe
PID 2216 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ISLDoVG.exe
PID 2216 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\msVjRTj.exe
PID 2216 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\msVjRTj.exe
PID 2216 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Wnjntws.exe
PID 2216 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Wnjntws.exe
PID 2216 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wNemOVx.exe
PID 2216 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wNemOVx.exe
PID 2216 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BcrJQJI.exe
PID 2216 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BcrJQJI.exe
PID 2216 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lydOEcv.exe
PID 2216 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lydOEcv.exe
PID 2216 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LbUOYlw.exe
PID 2216 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LbUOYlw.exe
PID 2216 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FYvKdts.exe
PID 2216 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FYvKdts.exe
PID 2216 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JsWLTXU.exe
PID 2216 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JsWLTXU.exe
PID 2216 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fXDYLzI.exe
PID 2216 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fXDYLzI.exe
PID 2216 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AOteMff.exe
PID 2216 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AOteMff.exe
PID 2216 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tCECsja.exe
PID 2216 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tCECsja.exe
PID 2216 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DAiSadL.exe
PID 2216 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DAiSadL.exe
PID 2216 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DWziYqH.exe
PID 2216 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DWziYqH.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\adntjyk.exe

C:\Windows\System\adntjyk.exe

C:\Windows\System\uMXPtMb.exe

C:\Windows\System\uMXPtMb.exe

C:\Windows\System\knPuwKm.exe

C:\Windows\System\knPuwKm.exe

C:\Windows\System\qgumisE.exe

C:\Windows\System\qgumisE.exe

C:\Windows\System\FsEhGXV.exe

C:\Windows\System\FsEhGXV.exe

C:\Windows\System\npEYFMi.exe

C:\Windows\System\npEYFMi.exe

C:\Windows\System\sqBgciZ.exe

C:\Windows\System\sqBgciZ.exe

C:\Windows\System\ISLDoVG.exe

C:\Windows\System\ISLDoVG.exe

C:\Windows\System\msVjRTj.exe

C:\Windows\System\msVjRTj.exe

C:\Windows\System\Wnjntws.exe

C:\Windows\System\Wnjntws.exe

C:\Windows\System\wNemOVx.exe

C:\Windows\System\wNemOVx.exe

C:\Windows\System\BcrJQJI.exe

C:\Windows\System\BcrJQJI.exe

C:\Windows\System\lydOEcv.exe

C:\Windows\System\lydOEcv.exe

C:\Windows\System\LbUOYlw.exe

C:\Windows\System\LbUOYlw.exe

C:\Windows\System\FYvKdts.exe

C:\Windows\System\FYvKdts.exe

C:\Windows\System\JsWLTXU.exe

C:\Windows\System\JsWLTXU.exe

C:\Windows\System\fXDYLzI.exe

C:\Windows\System\fXDYLzI.exe

C:\Windows\System\AOteMff.exe

C:\Windows\System\AOteMff.exe

C:\Windows\System\tCECsja.exe

C:\Windows\System\tCECsja.exe

C:\Windows\System\DAiSadL.exe

C:\Windows\System\DAiSadL.exe

C:\Windows\System\DWziYqH.exe

C:\Windows\System\DWziYqH.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
