Malware Analysis Report

2025-01-22 19:31

Sample ID 240806-nx186syanq
Target 2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat
SHA256 a0ac15c6f4cc4f2e2ee3e945b8204948b8e5f097d9a73902b481f73e4a74953d
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a0ac15c6f4cc4f2e2ee3e945b8204948b8e5f097d9a73902b481f73e4a74953d

Threat Level: Known bad

The file 2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Xmrig family

Cobalt Strike reflective loader

Cobaltstrike family

Cobaltstrike

XMRig Miner payload

xmrig

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 11:47

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 11:47

Reported

2024-08-06 11:49

Platform

win7-20240704-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\uwKOjHj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\opJIJpH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kRsaEfa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SaOYmIw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UVdPgSP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GWvCsbc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TJKnymj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wTtmePu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UIYofZl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gTTOFTd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oKqZeCQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\COadeJQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EQQGFYw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PRHmlvw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kXnesIh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\womnHfH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LNojVpU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CqLjXpE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kWApIhJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PkEvXGe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AtGQKPC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1760 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\COadeJQ.exe
PID 1760 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kXnesIh.exe
PID 1760 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EQQGFYw.exe
PID 1760 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TJKnymj.exe
PID 1760 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uwKOjHj.exe
PID 1760 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AtGQKPC.exe
PID 1760 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\opJIJpH.exe
PID 1760 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\womnHfH.exe
PID 1760 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wTtmePu.exe
PID 1760 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LNojVpU.exe
PID 1760 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UIYofZl.exe
PID 1760 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kRsaEfa.exe
PID 1760 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CqLjXpE.exe
PID 1760 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PRHmlvw.exe
PID 1760 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SaOYmIw.exe
PID 1760 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UVdPgSP.exe
PID 1760 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gTTOFTd.exe
PID 1760 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oKqZeCQ.exe
PID 1760 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GWvCsbc.exe
PID 1760 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kWApIhJ.exe
PID 1760 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PkEvXGe.exe

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe "C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\COadeJQ.exe C:\Windows\System\COadeJQ.exe
C:\Windows\System\kXnesIh.exe C:\Windows\System\kXnesIh.exe
C:\Windows\System\EQQGFYw.exe C:\Windows\System\EQQGFYw.exe
C:\Windows\System\TJKnymj.exe C:\Windows\System\TJKnymj.exe
C:\Windows\System\uwKOjHj.exe C:\Windows\System\uwKOjHj.exe
C:\Windows\System\AtGQKPC.exe C:\Windows\System\AtGQKPC.exe
C:\Windows\System\opJIJpH.exe C:\Windows\System\opJIJpH.exe
C:\Windows\System\womnHfH.exe C:\Windows\System\womnHfH.exe
C:\Windows\System\wTtmePu.exe C:\Windows\System\wTtmePu.exe
C:\Windows\System\LNojVpU.exe C:\Windows\System\LNojVpU.exe
C:\Windows\System\UIYofZl.exe C:\Windows\System\UIYofZl.exe
C:\Windows\System\kRsaEfa.exe C:\Windows\System\kRsaEfa.exe
C:\Windows\System\CqLjXpE.exe C:\Windows\System\CqLjXpE.exe
C:\Windows\System\PRHmlvw.exe C:\Windows\System\PRHmlvw.exe
C:\Windows\System\SaOYmIw.exe C:\Windows\System\SaOYmIw.exe
C:\Windows\System\UVdPgSP.exe C:\Windows\System\UVdPgSP.exe
C:\Windows\System\gTTOFTd.exe C:\Windows\System\gTTOFTd.exe
C:\Windows\System\oKqZeCQ.exe C:\Windows\System\oKqZeCQ.exe
C:\Windows\System\GWvCsbc.exe C:\Windows\System\GWvCsbc.exe
C:\Windows\System\kWApIhJ.exe C:\Windows\System\kWApIhJ.exe
C:\Windows\System\PkEvXGe.exe C:\Windows\System\PkEvXGe.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp

Files


memory/2520-151-0x000000013F260000-0x000000013F5B4000-memory.dmp

memory/2924-150-0x000000013FE20000-0x0000000140174000-memory.dmp

memory/1496-155-0x000000013F060000-0x000000013F3B4000-memory.dmp

memory/540-154-0x000000013F190000-0x000000013F4E4000-memory.dmp

memory/2484-153-0x000000013FED0000-0x0000000140224000-memory.dmp

memory/2464-152-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/2788-156-0x000000013F350000-0x000000013F6A4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 11:47

Reported

2024-08-06 11:49

Platform

win10v2004-20240802-en

Max time kernel

140s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\GkwBPGB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RvYUWuz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NTwTvpR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UQgmHLP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\McbnRwK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PwKOsMm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TRqpVsk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wBcCDzu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WXxZyFf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kSbgkwR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GjyGjyT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JSjbmqC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GPOmBkx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YjkaOWQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bQZlWBt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TZnfDDw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tboFmSV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OQyuRVW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YCdFRIS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\veGOxAG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lDugKpu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1460 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PwKOsMm.exe
PID 1460 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PwKOsMm.exe
PID 1460 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GPOmBkx.exe
PID 1460 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GPOmBkx.exe
PID 1460 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YjkaOWQ.exe
PID 1460 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YjkaOWQ.exe
PID 1460 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bQZlWBt.exe
PID 1460 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bQZlWBt.exe
PID 1460 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OQyuRVW.exe
PID 1460 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OQyuRVW.exe
PID 1460 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RvYUWuz.exe
PID 1460 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RvYUWuz.exe
PID 1460 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TRqpVsk.exe
PID 1460 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TRqpVsk.exe
PID 1460 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TZnfDDw.exe
PID 1460 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TZnfDDw.exe
PID 1460 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wBcCDzu.exe
PID 1460 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wBcCDzu.exe
PID 1460 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WXxZyFf.exe
PID 1460 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WXxZyFf.exe
PID 1460 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NTwTvpR.exe
PID 1460 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NTwTvpR.exe
PID 1460 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kSbgkwR.exe
PID 1460 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kSbgkwR.exe
PID 1460 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UQgmHLP.exe
PID 1460 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UQgmHLP.exe
PID 1460 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YCdFRIS.exe
PID 1460 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YCdFRIS.exe
PID 1460 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GjyGjyT.exe
PID 1460 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GjyGjyT.exe
PID 1460 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\McbnRwK.exe
PID 1460 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\McbnRwK.exe
PID 1460 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\veGOxAG.exe
PID 1460 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\veGOxAG.exe
PID 1460 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lDugKpu.exe
PID 1460 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lDugKpu.exe
PID 1460 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GkwBPGB.exe
PID 1460 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GkwBPGB.exe
PID 1460 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tboFmSV.exe
PID 1460 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tboFmSV.exe
PID 1460 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JSjbmqC.exe
PID 1460 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JSjbmqC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\PwKOsMm.exe

C:\Windows\System\PwKOsMm.exe

C:\Windows\System\GPOmBkx.exe

C:\Windows\System\GPOmBkx.exe

C:\Windows\System\YjkaOWQ.exe

C:\Windows\System\YjkaOWQ.exe

C:\Windows\System\bQZlWBt.exe

C:\Windows\System\bQZlWBt.exe

C:\Windows\System\OQyuRVW.exe

C:\Windows\System\OQyuRVW.exe

C:\Windows\System\RvYUWuz.exe

C:\Windows\System\RvYUWuz.exe

C:\Windows\System\TRqpVsk.exe

C:\Windows\System\TRqpVsk.exe

C:\Windows\System\TZnfDDw.exe

C:\Windows\System\TZnfDDw.exe

C:\Windows\System\wBcCDzu.exe

C:\Windows\System\wBcCDzu.exe

C:\Windows\System\WXxZyFf.exe

C:\Windows\System\WXxZyFf.exe

C:\Windows\System\NTwTvpR.exe

C:\Windows\System\NTwTvpR.exe

C:\Windows\System\kSbgkwR.exe

C:\Windows\System\kSbgkwR.exe

C:\Windows\System\UQgmHLP.exe

C:\Windows\System\UQgmHLP.exe

C:\Windows\System\YCdFRIS.exe

C:\Windows\System\YCdFRIS.exe

C:\Windows\System\GjyGjyT.exe

C:\Windows\System\GjyGjyT.exe

C:\Windows\System\McbnRwK.exe

C:\Windows\System\McbnRwK.exe

C:\Windows\System\veGOxAG.exe

C:\Windows\System\veGOxAG.exe

C:\Windows\System\lDugKpu.exe

C:\Windows\System\lDugKpu.exe

C:\Windows\System\GkwBPGB.exe

C:\Windows\System\GkwBPGB.exe

C:\Windows\System\tboFmSV.exe

C:\Windows\System\tboFmSV.exe

C:\Windows\System\JSjbmqC.exe

C:\Windows\System\JSjbmqC.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1460-0-0x00007FF71BBF0000-0x00007FF71BF44000-memory.dmp

memory/1460-1-0x000002C450D10000-0x000002C450D20000-memory.dmp

C:\Windows\System\PwKOsMm.exe

MD5 2e21b84d3cc96211c09c21a0ad4d4f4a
SHA1 b708cbdd6c1ca1c167b1fa2856bfdbcec49f9514
SHA256 37bfe3df6e2b0bb4c62e6e1343ff51a5594333263e2748d39fa1b407ca1ec1a3
SHA512 469e1c624f5edfdf3d7e8314bce6c40c7c6ebed593754f760b309603a848ad0b7b020231b8e07d48b291e56b45c919f8ffd728f4667d67700392b6c3db7404e4

C:\Windows\System\YjkaOWQ.exe

MD5 216e10383a49dbccd5eb3dd0639635ba
SHA1 9efda0e8649339c0e32f6a74a916d34f9e2e2b0d
SHA256 9edc21daef7d0afe48d38f526c2ad9a8763c4c82dc34fa3009acf90107ffc725
SHA512 512aea7fa294efbc789f28daf57757a3d00b21e2082e662a20540392eaff0cf4dc1ad0f161a317e5f740b71f915798793fc10e5b5de265da6ed0e671180525f0

C:\Windows\System\GPOmBkx.exe

MD5 1d8d974d5b60552b049aad12ca4fefd6
SHA1 a4af8ce3e9fdef7b1abc78adcb02caa12ab0d888
SHA256 e9833432c566fd44bd3a827425108e7cf6e12dd1a06742882d82f2af5ab6e64a
SHA512 8b2a5000fc85a43f4cdb28fb9b61213d8727e30d56cb20a99b2a42551495303ad8eab0619ebaea2ba60e434a7b28b9bdb6fd25e7c352f8faa58493c79510bf82

memory/3776-14-0x00007FF6C8230000-0x00007FF6C8584000-memory.dmp

C:\Windows\System\bQZlWBt.exe

MD5 b4395e21d7ae5b7179ffe953d54bfeca
SHA1 1079fcb38403f6b0186ca4a6b84ce7b5546b222e
SHA256 12ca0678d766d5d6c08d8dd498afcc7c4ffe64c8736d5f425f59271a9af658d5
SHA512 940e76d41829b97cb85afb025a624747b374d5a1a6a4d29a10c7cbb12f91fd84334fe579297747fd79920f906871a8474f1abd68b561f2fad912b0dc62b203c2

C:\Windows\System\OQyuRVW.exe

MD5 16ca5030fa5931edfac6853b73c36afb
SHA1 2b57921123b39811b601d8c475b5a0e13c8373df
SHA256 1b8dfe33801a54be4e2fc3842d2f453bd376150129d89566ea3209fa4db2a05a
SHA512 c6557bb6bc61c4287f65637bde52e34434a92928dcba50d63f73a76f1f6a27fdd8155c3cf51ab9b139b0a89873c8d06a7c9ea7d1ced64b3d58ce4f15de92aa17

C:\Windows\System\RvYUWuz.exe

MD5 05de024a93cb27fcb32d4d35ae395494
SHA1 675f84fcc8100b6d2c632b56cc61dc9ed484b63e
SHA256 ad6dbf296dec183ae0ddfd60df687e68eb14f365ff358054d0cb627f17989dd4
SHA512 b79676c296bbf87708068db4301f9a39619e714967691aa88e2e2825127f55d1ba175eba317f978da8a541208cf4650bccc889634fe92bdbefdf926e972573b0

C:\Windows\System\TRqpVsk.exe

MD5 e5ee0899bc29d0c755297d986e1d43b0
SHA1 183883be95e96d15305f2064a673c1bdaeb2d8bb
SHA256 ca53562c6d5363de6f5c1a3604a3d6a5dd8502604c7577014a534d2fcdb24529
SHA512 626fb7a4f4d19cc531d6fadc947e0f5dd255934160f5ac7d3cec7f9e145dbf88a2431acbdb11556a8db8b2008abc6071e3a8122754ce3bd72f77bcccf99da802

memory/1032-42-0x00007FF797900000-0x00007FF797C54000-memory.dmp

memory/4688-39-0x00007FF66FC90000-0x00007FF66FFE4000-memory.dmp

memory/1504-33-0x00007FF699380000-0x00007FF6996D4000-memory.dmp

memory/4020-30-0x00007FF670960000-0x00007FF670CB4000-memory.dmp

memory/632-21-0x00007FF6512C0000-0x00007FF651614000-memory.dmp

memory/1552-6-0x00007FF744BA0000-0x00007FF744EF4000-memory.dmp

C:\Windows\System\TZnfDDw.exe

MD5 80c8a233b4d9b92e71b1e1eb20990b4b
SHA1 39ecc7b3d7b67e3577b0643ac882f756be03c108
SHA256 e706be6e8269ccf6059e342d5799842f5ea7e4676b95c47c34ed6ac88f78affe
SHA512 5ae1546991dae09365eafb0eb778165a2828ccc75a350c7b8152329f963253bb25bceebe55469a471c08e87903585b56de85b7a6938db55b1cc36619e461dc4a

C:\Windows\System\wBcCDzu.exe

MD5 2fb5c8364218d2c7ee8b1fae25ea1cba
SHA1 950a2d09849809854f93d5c7c2218a7a6bb6bbda
SHA256 65f1a67a9b72ca0f4f652647bc7c87de5cfc1704f1cdd824bf6e7c17629c47d6
SHA512 01cc88e769c37b3eeb3f3dfbbdabbb1db0885a66f8940cd462c3dc93e844ae61e58d11316b3e7c19bf606ba6e9b25b0320d1a1a605ca279e2aeec32c6dea7100

memory/536-50-0x00007FF6B3B80000-0x00007FF6B3ED4000-memory.dmp

C:\Windows\System\WXxZyFf.exe

MD5 dda112edbc9584c9374623a25e8e93e6
SHA1 a4ba748c304124e0e1ffbd9d4c6e410665985724
SHA256 fadce2364421817d307f5092326934c390aeceae22310c44081653f406affa76
SHA512 f77c0917eb625d26d2abdb4db5a2530fcf27986afec5e8656c2e24acb7c084e25cc1faf477ff25133b8f5fc14fe6567ed51330c6d8b79de5537215cedae33c51

C:\Windows\System\NTwTvpR.exe

MD5 b3ece425c5e99a9ca1e47ddcf7cfaa0a
SHA1 a46308aa53accf4920462fce461077c208ccfd3e
SHA256 8cf38c23a30a9615f3393beda6988b8f0acebdedebd97475439fb059afa02b0d
SHA512 c9dbb5af0945424fc81be5e4e5a9325e36022c41f963628d061dc0f46d73039131f720e7d00f1e3c6a00c6502928a375269e78a0398be6834622b986b9c17fb2

memory/1460-69-0x00007FF71BBF0000-0x00007FF71BF44000-memory.dmp

C:\Windows\System\UQgmHLP.exe

MD5 38ad174bf159478b5969f4b693c8bf1a
SHA1 b5164ca35ab2a89e87e32420b88b180ad2e53dfe
SHA256 7db91e1ebef7e3704677d69db3bb594a96a9ccd5c996d3b1edfc7eeb15225714
SHA512 9c00762f522cb541c42979d3a0f3cf53f2b1c59b17bba7953c05985c43fc1c5c109fb5cfc4b50d661e207a635293cbe35ef616b2299d480fe222f63a7db76410

C:\Windows\System\kSbgkwR.exe

MD5 3d5cb7a8f6b787f0be437e0a7829b264
SHA1 8e05d9e674abee20c4f27b28b297b00de38f5f1d
SHA256 2bbdc0e4cf07d4eb810636998bc29bbc946c4acbc0da73bdb0aee89b39f99d3d
SHA512 a348b1222dc46478b3aab01363c38996b55f79733a5252bab4e787f5b0670a0876383cbe168cf20df6dbfecdade0a29febad3c271e5464c66ab12aa0a4fdc98f

C:\Windows\System\YCdFRIS.exe

MD5 a4da1ff89ed8b73824f2f4439b6832d3
SHA1 4c96669983fcae521d82ecc222fefa5eeec4620a
SHA256 554fd4fe2f8e131aa4e907b57cef1b8199aaa285140c297a3be9418cfbd89512
SHA512 58036afa8b958b6d2dd6f9ec97feeafbf1b9da8e946e08ec1681e1d6e8bdb3206c128b9abda30bcc508bac416f64df56bb1285680b5e0916a0bb20420d0c4f54

C:\Windows\System\McbnRwK.exe

MD5 87af2bb6303134236cefe5c0900b5d9e
SHA1 2a585ddd2db57163c0bf3d118d3ca1eb794210ae
SHA256 bd45b232d250551eb0b40e21cf273ce9e42391592451ab0b1d7594a6d557d92b
SHA512 745b75d0a8fb8929895e43ba7569f762e5a5e1e1ca12ebbd8ac1daacebebf85b96ce4d3737b206e64388745d1ebdcdcf141a804d2e3fcdc2a236aa3f7790f4bf

C:\Windows\System\veGOxAG.exe

MD5 e16f9af15eba820fa8f88f08cbe6790c
SHA1 7652442b5e23b4c668c026dbbe4d276a9452ff51
SHA256 c15bd02ddcf226eada134de5ff18898e663bc3493a72852142fdcf9d7d1f6741
SHA512 dd21b56d4569e3924d13637027e0b59490bcb716ed6c75d752c6beae51d17859b921eee2b5856bd2ab0be4e2479c9f80ecab01b151c7e7e51377c28e06752e98

C:\Windows\System\lDugKpu.exe

MD5 87f8b9ee953d7b7309bf600f389da366
SHA1 75bf7d838fa72ec6aa79bc48782fe318d50bc03b
SHA256 eee61f021bcaaa173eb4d1d83c02ad63df3072a42b28338b836a5d4bb2244da0
SHA512 41f51e77734e28e3dda978cbdb6838ca2644904645e0cbb41f013a5b3feb621d7ffca2a4374a9d3e09b0d7b4e5df8c21c5ba41789d72059cc13a9efb6276c99f

C:\Windows\System\GkwBPGB.exe

MD5 906236d7df43406eea6ab3b8b0d42b77
SHA1 fefef29475b6f2886bb131f3dff210fefa4a713b
SHA256 1460e52b819542e87a1a75fd283e8f10822ac2e5a995854872688f333630bc5c
SHA512 aa8e8aeb267298bb7957fd778c6368fc4d687fa389a1512a1de61cf0bd807a2719802b6fedf7fed01865e1ec3e66d5e8332f3364565d99ebd0c51d59696f3282

C:\Windows\System\JSjbmqC.exe

MD5 2159980575147b77df57ea41d4774546
SHA1 344db4792d69d29bdea3e92dc0a47a77941f9852
SHA256 b23bc51ee9af44d73fe6ccfc63c10bcfa59c36f0136af6bd01c4dc0d889385fa
SHA512 71123d3ce557530ff6621c59b3180b1b25929b2f07b8f92be66e89a4c29aba9494b47e14f1afd8e11e25777c6a1e2f3708e69b0dd13ea76c28af3d199663fe37

memory/4768-117-0x00007FF712500000-0x00007FF712854000-memory.dmp

memory/2576-122-0x00007FF75B2F0000-0x00007FF75B644000-memory.dmp

memory/4208-124-0x00007FF693CB0000-0x00007FF694004000-memory.dmp

memory/3500-129-0x00007FF668660000-0x00007FF6689B4000-memory.dmp

memory/3776-130-0x00007FF6C8230000-0x00007FF6C8584000-memory.dmp

memory/4220-128-0x00007FF795330000-0x00007FF795684000-memory.dmp

memory/3256-127-0x00007FF7F4A60000-0x00007FF7F4DB4000-memory.dmp

memory/3272-126-0x00007FF75C280000-0x00007FF75C5D4000-memory.dmp

memory/2488-123-0x00007FF783030000-0x00007FF783384000-memory.dmp

C:\Windows\System\tboFmSV.exe

MD5 481342f1b9ca5f1a732e8cb96cf1e11d
SHA1 91df240a1336e2e4a36855da0d3ca337270a7f19
SHA256 bbf9d1895a6c0c7f9528ad6076b97f5f20fa880b73633a3ced2a19dee6e2a44b
SHA512 956cdc23b48a2ada9eb2cf95aa9593853e1eca4ad495806391402dc06ae99980e28265daddb77aec47185e6e9cb5956dc7a2f6eaf2b924d6f65d48ac71714e7f

memory/1100-118-0x00007FF66F4F0000-0x00007FF66F844000-memory.dmp

memory/1552-116-0x00007FF744BA0000-0x00007FF744EF4000-memory.dmp

memory/4008-112-0x00007FF6CA730000-0x00007FF6CAA84000-memory.dmp

C:\Windows\System\GjyGjyT.exe

MD5 0549512adf7629b1184e48b7cab0515f
SHA1 2173229ee1667082aa75fd239ac379149613f1a9
SHA256 fb6d605b0e19e423e0fba194ea78b1423b0aaf1015154e551a926c951b6ccc6f
SHA512 c1855ed68fc36c9b076aa0950fff7c8995d0814d89b5efeaeb95039a69914a8e427ad20f0ce9efaa95b77434cc85b272e0eaecf5a54c91e723964c7582f244bc

memory/948-77-0x00007FF6C0520000-0x00007FF6C0874000-memory.dmp

memory/4056-70-0x00007FF61BDC0000-0x00007FF61C114000-memory.dmp

memory/3972-62-0x00007FF6011F0000-0x00007FF601544000-memory.dmp

memory/1504-131-0x00007FF699380000-0x00007FF6996D4000-memory.dmp

memory/4688-132-0x00007FF66FC90000-0x00007FF66FFE4000-memory.dmp

memory/1032-133-0x00007FF797900000-0x00007FF797C54000-memory.dmp

memory/948-134-0x00007FF6C0520000-0x00007FF6C0874000-memory.dmp

memory/1552-135-0x00007FF744BA0000-0x00007FF744EF4000-memory.dmp

memory/3776-136-0x00007FF6C8230000-0x00007FF6C8584000-memory.dmp

memory/632-137-0x00007FF6512C0000-0x00007FF651614000-memory.dmp

memory/4020-138-0x00007FF670960000-0x00007FF670CB4000-memory.dmp

memory/1504-139-0x00007FF699380000-0x00007FF6996D4000-memory.dmp

memory/4688-140-0x00007FF66FC90000-0x00007FF66FFE4000-memory.dmp

memory/1032-141-0x00007FF797900000-0x00007FF797C54000-memory.dmp

memory/536-142-0x00007FF6B3B80000-0x00007FF6B3ED4000-memory.dmp

memory/3972-143-0x00007FF6011F0000-0x00007FF601544000-memory.dmp

memory/4056-144-0x00007FF61BDC0000-0x00007FF61C114000-memory.dmp

memory/4008-145-0x00007FF6CA730000-0x00007FF6CAA84000-memory.dmp

memory/948-146-0x00007FF6C0520000-0x00007FF6C0874000-memory.dmp

memory/3500-147-0x00007FF668660000-0x00007FF6689B4000-memory.dmp

memory/2576-150-0x00007FF75B2F0000-0x00007FF75B644000-memory.dmp

memory/1100-151-0x00007FF66F4F0000-0x00007FF66F844000-memory.dmp

memory/2488-149-0x00007FF783030000-0x00007FF783384000-memory.dmp

memory/4768-148-0x00007FF712500000-0x00007FF712854000-memory.dmp

memory/3272-152-0x00007FF75C280000-0x00007FF75C5D4000-memory.dmp

memory/4208-153-0x00007FF693CB0000-0x00007FF694004000-memory.dmp

memory/4220-154-0x00007FF795330000-0x00007FF795684000-memory.dmp

memory/3256-155-0x00007FF7F4A60000-0x00007FF7F4DB4000-memory.dmp