Malware Analysis Report

2025-01-22 19:20

Sample ID 240806-parlwssfjc
Target 2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat
SHA256 545e9f29d091b951c5a44edd6c32d9f008263eb9d1836ded2e0527bd93638bfd
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

545e9f29d091b951c5a44edd6c32d9f008263eb9d1836ded2e0527bd93638bfd

Threat Level: Known bad

The file 2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike

xmrig

XMRig Miner payload

Cobaltstrike family

Xmrig family

Cobalt Strike reflective loader

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 12:07

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
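The static signatures above ("UPX packed file", "Unsigned PE") are sandbox heuristics and the export carries no indicator for them. A practitioner checking a sample by hand normally looks at the same two things UPX leaves behind: section names beginning with UPX (UPX0/UPX1) and the "UPX!" marker string. The following is an added example, not code from the sandbox or from the sample; it walks the PE section table with nothing but struct, and builds its own constructed skeleton PE as test input (the sample's bytes are not on this page). Both indicators can be stripped by a modified packer, so a negative result is not evidence of an unpacked file.

```python
import struct

# Offsets and sizes are fixed by the PE/COFF file format.
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
UPX_MAGIC = b"UPX!"          # marker UPX writes into its own loader/info block


def build_minimal_pe(section_names):
    """Constructed test input: a skeleton PE with a DOS stub, PE signature,
    COFF header and a section table, but no optional header or section data.
    It exists only to exercise the parser below; it is not the sample's bytes."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)            # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0x22)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0, 0, 0, 0, 0, 0, 0, 0, 0)
        for name in section_names
    )
    return bytes(dos) + b"PE\x00\x00" + coff + table


def section_names(pe_bytes):
    """Walk the section table and return the section names as strings."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe_bytes, 0x3C)
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe_bytes, coff + 2)
    (size_of_optional,) = struct.unpack_from("<H", pe_bytes, coff + 16)
    table = coff + COFF_HEADER_SIZE + size_of_optional   # section table follows the optional header
    names = []
    for i in range(num_sections):
        (raw,) = struct.unpack_from("<8s", pe_bytes, table + i * SECTION_HEADER_SIZE)
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def upx_indicators(pe_bytes):
    """Two cheap UPX indicators: UPX-named sections and the 'UPX!' marker.
    Either can be removed by a modified packer, so absence proves nothing."""
    names = section_names(pe_bytes)
    return {
        "section_names": names,
        "upx_sections": any(n.upper().startswith("UPX") for n in names),
        "upx_magic": UPX_MAGIC in pe_bytes,
    }


def looks_upx_packed(pe_bytes):
    ind = upx_indicators(pe_bytes)
    return ind["upx_sections"] or ind["upx_magic"]


if __name__ == "__main__":
    packed = build_minimal_pe([b"UPX0", b"UPX1", b".rsrc"]) + UPX_MAGIC
    clean = build_minimal_pe([b".text", b".rdata", b".data"])
    print(upx_indicators(packed))   # upx_sections and upx_magic both True
    print(upx_indicators(clean))    # both False
```

Run it against the real sample by reading the file into bytes and passing them to upx_indicators; if the sections are named UPX0/UPX1, `upx -d` will usually restore the original image, which is the first step before any static Cobalt Strike or XMRig configuration extraction.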

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 12:07

Reported

2024-08-06 12:10

Platform

win7-20240708-en

Max time kernel

140s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 hits; description, indicator, process and target were not captured in this export (every row reads N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
56 hits; description, indicator, process and target were not captured in this export (every row reads N/A)

Loads dropped DLL

Description Indicator Process Target
21 hits, all attributed to the process C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe; the loaded module names were not captured in this export (description, indicator and target read N/A on every row)

UPX packed file

upx
Description Indicator Process Target
55 hits; description, indicator, process and target were not captured in this export (every row reads N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\nDrxQnB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\geVJHMM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EbTiivP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fQLImec.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xAbwRIa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fGzVXCG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SzBIfSf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dJtJKpF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xErHPfX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tQyQQaw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WMXZJXR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uSPFqAy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sDzEzSj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\baBasSK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XBQDjAl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CQEIEku.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bxmmAgE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Oiwghhs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HigMpnQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ekcQRQU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TNsSpNE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Target
Process for every row: C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe (PID 2092). The sandbox logged three identical write events per child; each triple is collapsed into one row with its count.
PID 2092 wrote to memory of 3008 (x3) N/A C:\Windows\System\SzBIfSf.exe
PID 2092 wrote to memory of 2668 (x3) N/A C:\Windows\System\dJtJKpF.exe
PID 2092 wrote to memory of 2704 (x3) N/A C:\Windows\System\CQEIEku.exe
PID 2092 wrote to memory of 2712 (x3) N/A C:\Windows\System\nDrxQnB.exe
PID 2092 wrote to memory of 2544 (x3) N/A C:\Windows\System\bxmmAgE.exe
PID 2092 wrote to memory of 2604 (x3) N/A C:\Windows\System\geVJHMM.exe
PID 2092 wrote to memory of 2112 (x3) N/A C:\Windows\System\xErHPfX.exe
PID 2092 wrote to memory of 2160 (x3) N/A C:\Windows\System\tQyQQaw.exe
PID 2092 wrote to memory of 2264 (x3) N/A C:\Windows\System\WMXZJXR.exe
PID 2092 wrote to memory of 2732 (x3) N/A C:\Windows\System\sDzEzSj.exe
PID 2092 wrote to memory of 2376 (x3) N/A C:\Windows\System\uSPFqAy.exe
PID 2092 wrote to memory of 2504 (x3) N/A C:\Windows\System\fGzVXCG.exe
PID 2092 wrote to memory of 2868 (x3) N/A C:\Windows\System\Oiwghhs.exe
PID 2092 wrote to memory of 1556 (x3) N/A C:\Windows\System\baBasSK.exe
PID 2092 wrote to memory of 2784 (x3) N/A C:\Windows\System\EbTiivP.exe
PID 2092 wrote to memory of 876 (x3) N/A C:\Windows\System\HigMpnQ.exe
PID 2092 wrote to memory of 2956 (x3) N/A C:\Windows\System\ekcQRQU.exe
PID 2092 wrote to memory of 1616 (x3) N/A C:\Windows\System\TNsSpNE.exe
PID 2092 wrote to memory of 1776 (x3) N/A C:\Windows\System\fQLImec.exe
PID 2092 wrote to memory of 332 (x3) N/A C:\Windows\System\xAbwRIa.exe
PID 2092 wrote to memory of 1972 (x3) N/A C:\Windows\System\XBQDjAl.exe
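Read together, "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" describe one chain: the parent (PID 2092) writes a seven-letter randomly named executable into C:\Windows\System, starts it, and writes into the new child's memory. The export flattens that into 21 create rows and 63 write rows. The script below is an added example, not part of the sandbox output; it re-joins the two row types on the dropped path, de-duplicates the triplicated write events, applies the naming pattern, and collapses the repeated Network rows into one endpoint with a count. The input is a constructed excerpt in the report's own row format (three creates, writes for four children, three network rows); the CQEIEku write is deliberately left without a matching create row so the join has something to discard. One caveat for hunting: a parent writing into a child it has just started can also be what an ordinary process launch looks like to a hook-based sandbox, so the write events matter here because of where the child's image lives and how it is named, not on their own.

```python
import re
from collections import defaultdict

# The parent process exactly as it appears in the report rows above.
PARENT = (r"C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa"
          r"_cobalt-strike_cobaltstrike_poet-rat.exe")

# Constructed sample in the report's row format. The three SzBIfSf rows mirror the
# triplicated write events; the CQEIEku write has no "File created" row on purpose.
SAMPLE_ROWS = f"""
File created C:\\Windows\\System\\nDrxQnB.exe {PARENT} N/A
File created C:\\Windows\\System\\SzBIfSf.exe {PARENT} N/A
File created C:\\Windows\\System\\dJtJKpF.exe {PARENT} N/A
PID 2092 wrote to memory of 3008 N/A {PARENT} C:\\Windows\\System\\SzBIfSf.exe
PID 2092 wrote to memory of 3008 N/A {PARENT} C:\\Windows\\System\\SzBIfSf.exe
PID 2092 wrote to memory of 3008 N/A {PARENT} C:\\Windows\\System\\SzBIfSf.exe
PID 2092 wrote to memory of 2668 N/A {PARENT} C:\\Windows\\System\\dJtJKpF.exe
PID 2092 wrote to memory of 2712 N/A {PARENT} C:\\Windows\\System\\nDrxQnB.exe
PID 2092 wrote to memory of 2704 N/A {PARENT} C:\\Windows\\System\\CQEIEku.exe
"""

# Constructed: three of the report's six identical network rows.
NETWORK_ROWS = """
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""

FILE_CREATED = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+) \S+$")
WROTE_MEMORY = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ (?P<proc>\S+) (?P<target>\S+)$")
NETWORK = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+) (?P<proto>\w+)$")
# Seven letters under C:\Windows\System: the naming scheme every dropped file here follows.
RANDOM_SYSTEM_EXE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def analyse(rows):
    """Join 'File created' rows to 'wrote to memory' rows on the dropped path."""
    created = {}                                   # lower-cased path -> path as logged
    writes = defaultdict(lambda: {"src": None, "dst": None, "count": 0})
    for line in rows.strip().splitlines():
        m = FILE_CREATED.match(line)
        if m:
            created[m["path"].lower()] = m["path"]
            continue
        m = WROTE_MEMORY.match(line)
        if m:
            w = writes[m["target"].lower()]        # one record per target, count the repeats
            w["src"], w["dst"] = int(m["src"]), int(m["dst"])
            w["count"] += 1
    chain = []
    for key, w in writes.items():
        # keep only writes into a child whose image the same run dropped with the random name
        if key in created and RANDOM_SYSTEM_EXE.match(created[key]):
            chain.append({"path": created[key], "parent_pid": w["src"],
                          "child_pid": w["dst"], "writes": w["count"]})
    chain.sort(key=lambda c: c["child_pid"])
    return {"dropped": sorted(created.values(), key=str.lower), "chain": chain}


def c2_endpoints(rows):
    """Collapse repeated network rows into (ip, port, proto) -> connection count."""
    counts = defaultdict(int)
    for line in rows.strip().splitlines():
        m = NETWORK.match(line)
        if m:
            counts[(m["ip"], int(m["port"]), m["proto"])] += 1
    return dict(counts)


if __name__ == "__main__":
    result = analyse(SAMPLE_ROWS)
    for c in result["chain"]:
        print(f"{c['parent_pid']} -> {c['child_pid']}  {c['path']}  ({c['writes']} writes)")
    print(c2_endpoints(NETWORK_ROWS))
```

Feeding the full 21-row create list and 63-row write list from this page through analyse gives 21 chain entries, one per child PID, each with three writes; the same join logic transfers directly to EDR telemetry (FileCreate joined to ProcessCreate and cross-process write events on the image path).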

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe (PID 2092)
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe"

Child processes, in the order the sandbox listed them. Each was launched with its bare path as its command line; the original listing repeats every path once as the process name and once as the command line, and that repetition is folded into the list below.

C:\Windows\System\SzBIfSf.exe
C:\Windows\System\dJtJKpF.exe
C:\Windows\System\CQEIEku.exe
C:\Windows\System\nDrxQnB.exe
C:\Windows\System\bxmmAgE.exe
C:\Windows\System\geVJHMM.exe
C:\Windows\System\xErHPfX.exe
C:\Windows\System\tQyQQaw.exe
C:\Windows\System\WMXZJXR.exe
C:\Windows\System\sDzEzSj.exe
C:\Windows\System\uSPFqAy.exe
C:\Windows\System\fGzVXCG.exe
C:\Windows\System\Oiwghhs.exe
C:\Windows\System\baBasSK.exe
C:\Windows\System\EbTiivP.exe
C:\Windows\System\HigMpnQ.exe
C:\Windows\System\ekcQRQU.exe
C:\Windows\System\TNsSpNE.exe
C:\Windows\System\fQLImec.exe
C:\Windows\System\xAbwRIa.exe
C:\Windows\System\XBQDjAl.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (no domain recorded) tcp
Six connections were logged, all to this one endpoint; the export carries no domain and no payload details.

Files

memory/2092-0-0x000000013FBF0000-0x000000013FF44000-memory.dmp

memory/2092-1-0x00000000000F0000-0x0000000000100000-memory.dmp

C:\Windows\system\SzBIfSf.exe

MD5 ff7d784bbdc4ddfa1a90a3c9e85fb29d
SHA1 47aaf04d4fe7150a83d962e37ea6fd7a8393c513
SHA256 9d1a7aa4c6c6d9013c05db3366f6d46e6926b209c57bbb2a3484e3c9e9d3d132
SHA512 21007b6cd04cc5ce31fc3f1c11dae2e5db969e179daa6d44a3d6383a7aff9f4dac5237f9d191a000d5509ce2ccf4f16be3aade215adb8c18f087368313f35734

\Windows\system\dJtJKpF.exe

MD5 48c435fdd8f51bc0c75d339c5430ade9
SHA1 6c3cf7dbcf7f05514d654b598aae521ec8957c94
SHA256 ef060705e285b3f6e8680c1bc080891ca1f44d4c35b0893f8b1c7431549d102f
SHA512 5627da95550629e034e89207b7cfd96875152bfb84a8ab5b1a58c327afbd4533e0beffc4a34ed1988824741c91e3841bdcc56f2134ea87029fca79ae35edf300

memory/2092-13-0x000000013F490000-0x000000013F7E4000-memory.dmp

memory/2668-16-0x000000013FAE0000-0x000000013FE34000-memory.dmp

memory/2092-15-0x0000000002490000-0x00000000027E4000-memory.dmp

memory/3008-14-0x000000013F490000-0x000000013F7E4000-memory.dmp

C:\Windows\system\CQEIEku.exe

MD5 febd6ed17c1ee7aa0be72e33efbcf94f
SHA1 5d2bedfc5fe33853318a45291d98179f69f42341
SHA256 80813ad667ca60c01e0f107afc09eace2bf6315bf9641f3cef23ab3a30fd0306
SHA512 d43fa29270e19fbad26eceb5a30a9bc17d9df3e8b55d11c27ac950c00d4032461d526196d0aa65ace76569e66dae17dc414a563738b1e05708642dde657756ce

memory/2092-18-0x000000013FF70000-0x00000001402C4000-memory.dmp

memory/2704-23-0x000000013FF70000-0x00000001402C4000-memory.dmp

\Windows\system\nDrxQnB.exe

MD5 2588e5eae93cb64402cb649e87f4550e
SHA1 eeb56276cb4e9bc736e795d0f93ad0efef726918
SHA256 61619f6874a13b708e20279c2f873f3de72b4dd47fa4604e6db75628117e85c2
SHA512 d331699dee02219a8e6e85511999e3b086b775ca7f23917b33373f2ba1017a4b8679d4079cb7c3f743e32b65ffd90e1d31decc8c709b41117415b7b2eb84706d

C:\Windows\system\bxmmAgE.exe

MD5 cdeb10f27fe9b4fffeadcbeded83f5b0
SHA1 e0c1f5aa359ac72353962131ee0252177b80a71b
SHA256 b1bd5b3cdf98787e7667f21ecc6b8574e413aa78943ec5a94bade94dcea3692c
SHA512 2766bfac1b263948fc12d60fa2ba2d21773665f1a48ea78c4958e3d9fa463dc98935bd7530eb5aa98f9141274240961e50cc9677f19747fc3f8f43f776e275b3

C:\Windows\system\geVJHMM.exe

MD5 6559a58454ec33769b5316ddba5077a9
SHA1 44423c7e420f54f188be4fcbaa741f22a5babc24
SHA256 b0a9c8cb1ead6c745909abd86ee24983742d25a10db9d96f092eb8cbea71467d
SHA512 468d8ed949bef0d7324f77a4b53b4de22a0044a986dcff3549f337c348c72469388f18cdf5788164f2a2057147fde04807a1de64d53b7a4523208d7a907e927d

\Windows\system\WMXZJXR.exe

MD5 1a0f5ff1a6be89caaecb8cc725499bec
SHA1 9b6219d8cc1c746cf94db123f0e48471215e35e9
SHA256 61cdc318d6f45ec31a899b23037e13e1fc7a6c8eaff919ffd9e0d7b98e770499
SHA512 b0fa18ea69a980aace4ce5f5b2db8175c2c38b0d0a644c999ebe377c34ea5da8276c8df74d00274b8b545d8ebdc39c6b009d5144b91a0961da94c0a4282044a8

\Windows\system\xErHPfX.exe

MD5 7c91349cb932a3a5d4874ddb2181019a
SHA1 5f94ac16e4553b990d95f054ed1332d276b9fa5e
SHA256 07ffdf4ddf50b6ef515fb75a64e3cdecf1349b54f0c1dc2844facfd48d097731
SHA512 09eccade6f082a8f46faa8ec3de33075128ab5c5d127bf4df5cc87938e21a3c9902d88d5bbdd477769f98f9e94779262c1641dfc444fcc1a51fc346a98a45c4a

memory/2092-42-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/2092-70-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/2732-83-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/2868-92-0x000000013FE10000-0x0000000140164000-memory.dmp

memory/2092-97-0x000000013FBF0000-0x000000013FF44000-memory.dmp

memory/1556-98-0x000000013F410000-0x000000013F764000-memory.dmp

C:\Windows\system\TNsSpNE.exe

MD5 24f8a89896ee93514d05ec83cda28ab2
SHA1 496f4d5bb27d76f5b3ab924cec618de1960c4fd0
SHA256 c027f9368c064eb6deab9cbce9cc7ddfb1b748c8b440acb9e088e5cbf29d9ec9
SHA512 c1faef8e4652687b42c45b0e85e1addb1e4ece956ebce5373668051d8c4ed682a0c22a2fc8fa6d11c744d17581c006fb5393b8c4cb9ff1525fdd98da5e161545

C:\Windows\system\XBQDjAl.exe

MD5 a1bbf869eb43375ee4fd08121549f580
SHA1 ac1b29ef48313a6dde1d2bc268291986b2abbf53
SHA256 450883bc0f6a88613f08eb1ad0ae5e01ba07cb9d9b203ad571ac9762fc9ec3a0
SHA512 978b866b94ef7d7eb2f9f0c13cec0dbe679221cfa0dfff387b46041790f7e2d13d845e71b55e4377e2758340c25587de4504f79bbcd61300b92fd09dd859d3b4

C:\Windows\system\xAbwRIa.exe

MD5 e364123ea6c9688ab3c08fc4c8fa3517
SHA1 fa2bdb9bdcb095b8461cf9dfc3a0a4437c2031a4
SHA256 0a77866a4ad18b9dcb91bce7e2d15fe397f1eddd33da8ed22ae046912aa0de87
SHA512 ca58c978029c567bd4e93b7893a29587a9b159114af723758524927c00dee226aae8ef6fd09538d0191b6bd944b4f606d44f5253a622ee7c36ba7c889bfd2d14

C:\Windows\system\fQLImec.exe

MD5 7722c073b3146f7c210e5e51773b264d
SHA1 ef1887d3578267b489a84bfac04ec7cf08354b2a
SHA256 4f52ca9a9a9836f0b27e48a131aa12a4f492ac565626fed728f3d5d41d729a8c
SHA512 b1b51d9868ce73c58efcf4e17f9a99fbfe379377cf1c7c2ec7f86e2cba04df907e5cba41d57937d8aac064863c84feccf80f67c2b25412f140ca40126c1e56d8

C:\Windows\system\ekcQRQU.exe

MD5 0bdaa6043d33f3204f18fab319ff815d
SHA1 c4365e1e57a5a9cb6bb3b642d70e997cde398718
SHA256 cabd7dfb3bb275e4d403e4cfa268401f220a1696b535718f2430147843a12dae
SHA512 197f502f8490da20b8cd147f734d4f1262fd01b9c593562b0085ce1933aebddb5817ecee460c92a871d0d82a475caf67392b6c2305e65bc22e4648eda02370ea

C:\Windows\system\HigMpnQ.exe

MD5 7d5b2432930ca07beb295c50c0184b42
SHA1 5e024a77b7b800f0d7abf933a5057c3394c6e9aa
SHA256 7880974e062e1ce67df8feeac70e482d972bbd3607778310681ba6d0438e0f77
SHA512 a545751d63cc696f710419503e3961e6e2cd407402e17c8b4e31648fafb0f0b84cdae851e24c1c6e3e348caf4d0b827cfcc976709fbf0fe08b1839d3b0111d22

memory/2092-106-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/2092-105-0x000000013F490000-0x000000013F7E4000-memory.dmp

C:\Windows\system\EbTiivP.exe

MD5 f7a787aeb40f9e3bdbac2a03f4279276
SHA1 ad3a8ab00e6d876f9fddd0698f24e7d6e95cf36e
SHA256 45383a22d9666f9e72a01115706690db99daa28eacee909234b4c0398bbe4d80

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 12:07

Reported

2024-08-06 12:10

Platform

win10v2004-20240802-en

Max time kernel

140s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\NDNmvDP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dVrVtez.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Fvqlmgn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NkWhvvo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LHIgbpU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TYddnar.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uiKwwMD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nbCWXpN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LWprezB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UcgKVxP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YUinyOG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ffDnrTP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iItSVMV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\POgcVrn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aBNULYa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QyjgDFD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IZfUNTG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GNwvmvv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yKzIiLN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VQNShoy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ISAJHOQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1636 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\POgcVrn.exe
PID 1636 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\POgcVrn.exe
PID 1636 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ISAJHOQ.exe
PID 1636 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ISAJHOQ.exe
PID 1636 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TYddnar.exe
PID 1636 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TYddnar.exe
PID 1636 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NDNmvDP.exe
PID 1636 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NDNmvDP.exe
PID 1636 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LWprezB.exe
PID 1636 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LWprezB.exe
PID 1636 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dVrVtez.exe
PID 1636 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dVrVtez.exe
PID 1636 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nbCWXpN.exe
PID 1636 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nbCWXpN.exe
PID 1636 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aBNULYa.exe
PID 1636 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aBNULYa.exe
PID 1636 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UcgKVxP.exe
PID 1636 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UcgKVxP.exe
PID 1636 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YUinyOG.exe
PID 1636 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YUinyOG.exe
PID 1636 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QyjgDFD.exe
PID 1636 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QyjgDFD.exe
PID 1636 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ffDnrTP.exe
PID 1636 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ffDnrTP.exe
PID 1636 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IZfUNTG.exe
PID 1636 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IZfUNTG.exe
PID 1636 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GNwvmvv.exe
PID 1636 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GNwvmvv.exe
PID 1636 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Fvqlmgn.exe
PID 1636 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Fvqlmgn.exe
PID 1636 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yKzIiLN.exe
PID 1636 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yKzIiLN.exe
PID 1636 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NkWhvvo.exe
PID 1636 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NkWhvvo.exe
PID 1636 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VQNShoy.exe
PID 1636 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VQNShoy.exe
PID 1636 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uiKwwMD.exe
PID 1636 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uiKwwMD.exe
PID 1636 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iItSVMV.exe
PID 1636 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iItSVMV.exe
PID 1636 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LHIgbpU.exe
PID 1636 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LHIgbpU.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\POgcVrn.exe

C:\Windows\System\POgcVrn.exe

C:\Windows\System\ISAJHOQ.exe

C:\Windows\System\ISAJHOQ.exe

C:\Windows\System\TYddnar.exe

C:\Windows\System\TYddnar.exe

C:\Windows\System\NDNmvDP.exe

C:\Windows\System\NDNmvDP.exe

C:\Windows\System\LWprezB.exe

C:\Windows\System\LWprezB.exe

C:\Windows\System\dVrVtez.exe

C:\Windows\System\dVrVtez.exe

C:\Windows\System\nbCWXpN.exe

C:\Windows\System\nbCWXpN.exe

C:\Windows\System\aBNULYa.exe

C:\Windows\System\aBNULYa.exe

C:\Windows\System\UcgKVxP.exe

C:\Windows\System\UcgKVxP.exe

C:\Windows\System\YUinyOG.exe

C:\Windows\System\YUinyOG.exe

C:\Windows\System\QyjgDFD.exe

C:\Windows\System\QyjgDFD.exe

C:\Windows\System\ffDnrTP.exe

C:\Windows\System\ffDnrTP.exe

C:\Windows\System\IZfUNTG.exe

C:\Windows\System\IZfUNTG.exe

C:\Windows\System\GNwvmvv.exe

C:\Windows\System\GNwvmvv.exe

C:\Windows\System\Fvqlmgn.exe

C:\Windows\System\Fvqlmgn.exe

C:\Windows\System\yKzIiLN.exe

C:\Windows\System\yKzIiLN.exe

C:\Windows\System\NkWhvvo.exe

C:\Windows\System\NkWhvvo.exe

C:\Windows\System\VQNShoy.exe

C:\Windows\System\VQNShoy.exe

C:\Windows\System\uiKwwMD.exe

C:\Windows\System\uiKwwMD.exe

C:\Windows\System\iItSVMV.exe

C:\Windows\System\iItSVMV.exe

C:\Windows\System\LHIgbpU.exe

C:\Windows\System\LHIgbpU.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
