Malware Analysis Report

2025-01-22 19:26

Sample ID 240806-t7wdkaxhlb
Target 2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat
SHA256 f0c2c5a291a0eef2b7c9ba64bc7709db43bff9d84eef5fc3fc7c5bfbc54ca5b3
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f0c2c5a291a0eef2b7c9ba64bc7709db43bff9d84eef5fc3fc7c5bfbc54ca5b3

Threat Level: Known bad

The file 2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

XMRig Miner payload

Cobalt Strike reflective loader

Cobaltstrike

Xmrig family

Cobaltstrike family

xmrig

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 16:42

Signatures

Cobalt Strike reflective loader


Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE


Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 16:42

Reported

2024-08-06 16:45

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\YIwWVsG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ppGOuvb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BQYMXSE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NAFOCYy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BkODxJD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SEvcmBa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mqKJzvy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vUGlsrn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JiMdntY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZVrlzHT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xDxOKPQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UyjYjxL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HxPwZmd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gVLDaho.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\apOudxx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MJiNklc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FmjStOZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xiHiUZo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Umusmmr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uAKdPah.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TTgJglE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1216 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mqKJzvy.exe
PID 1216 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mqKJzvy.exe
PID 1216 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gVLDaho.exe
PID 1216 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gVLDaho.exe
PID 1216 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vUGlsrn.exe
PID 1216 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vUGlsrn.exe
PID 1216 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xiHiUZo.exe
PID 1216 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xiHiUZo.exe
PID 1216 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\apOudxx.exe
PID 1216 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\apOudxx.exe
PID 1216 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Umusmmr.exe
PID 1216 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Umusmmr.exe
PID 1216 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JiMdntY.exe
PID 1216 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JiMdntY.exe
PID 1216 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YIwWVsG.exe
PID 1216 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YIwWVsG.exe
PID 1216 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZVrlzHT.exe
PID 1216 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZVrlzHT.exe
PID 1216 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ppGOuvb.exe
PID 1216 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ppGOuvb.exe
PID 1216 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xDxOKPQ.exe
PID 1216 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xDxOKPQ.exe
PID 1216 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MJiNklc.exe
PID 1216 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MJiNklc.exe
PID 1216 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BQYMXSE.exe
PID 1216 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BQYMXSE.exe
PID 1216 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NAFOCYy.exe
PID 1216 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NAFOCYy.exe
PID 1216 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BkODxJD.exe
PID 1216 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BkODxJD.exe
PID 1216 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FmjStOZ.exe
PID 1216 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FmjStOZ.exe
PID 1216 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SEvcmBa.exe
PID 1216 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SEvcmBa.exe
PID 1216 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uAKdPah.exe
PID 1216 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uAKdPah.exe
PID 1216 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UyjYjxL.exe
PID 1216 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UyjYjxL.exe
PID 1216 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TTgJglE.exe
PID 1216 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TTgJglE.exe
PID 1216 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HxPwZmd.exe
PID 1216 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HxPwZmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\mqKJzvy.exe

C:\Windows\System\mqKJzvy.exe

C:\Windows\System\gVLDaho.exe

C:\Windows\System\gVLDaho.exe

C:\Windows\System\vUGlsrn.exe

C:\Windows\System\vUGlsrn.exe

C:\Windows\System\xiHiUZo.exe

C:\Windows\System\xiHiUZo.exe

C:\Windows\System\apOudxx.exe

C:\Windows\System\apOudxx.exe

C:\Windows\System\Umusmmr.exe

C:\Windows\System\Umusmmr.exe

C:\Windows\System\JiMdntY.exe

C:\Windows\System\JiMdntY.exe

C:\Windows\System\YIwWVsG.exe

C:\Windows\System\YIwWVsG.exe

C:\Windows\System\ZVrlzHT.exe

C:\Windows\System\ZVrlzHT.exe

C:\Windows\System\ppGOuvb.exe

C:\Windows\System\ppGOuvb.exe

C:\Windows\System\xDxOKPQ.exe

C:\Windows\System\xDxOKPQ.exe

C:\Windows\System\MJiNklc.exe

C:\Windows\System\MJiNklc.exe

C:\Windows\System\BQYMXSE.exe

C:\Windows\System\BQYMXSE.exe

C:\Windows\System\NAFOCYy.exe

C:\Windows\System\NAFOCYy.exe

C:\Windows\System\BkODxJD.exe

C:\Windows\System\BkODxJD.exe

C:\Windows\System\FmjStOZ.exe

C:\Windows\System\FmjStOZ.exe

C:\Windows\System\SEvcmBa.exe

C:\Windows\System\SEvcmBa.exe

C:\Windows\System\uAKdPah.exe

C:\Windows\System\uAKdPah.exe

C:\Windows\System\UyjYjxL.exe

C:\Windows\System\UyjYjxL.exe

C:\Windows\System\TTgJglE.exe

C:\Windows\System\TTgJglE.exe

C:\Windows\System\HxPwZmd.exe

C:\Windows\System\HxPwZmd.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files


Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 16:42

Reported

2024-08-06 16:45

Platform

win7-20240708-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A (21 hits, every one attributed to this parent process; the sandbox did not record which DLL was loaded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (51 hits; the sandbox recorded no indicator, process or target for any of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\BkODxJD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FmjStOZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HxPwZmd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vUGlsrn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\apOudxx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YIwWVsG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZVrlzHT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uAKdPah.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mqKJzvy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ppGOuvb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BQYMXSE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NAFOCYy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Umusmmr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MJiNklc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UyjYjxL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TTgJglE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SEvcmBa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gVLDaho.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xiHiUZo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JiMdntY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xDxOKPQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 2000 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mqKJzvy.exe 3
PID 2000 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gVLDaho.exe 3
PID 2000 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vUGlsrn.exe 3
PID 2000 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xiHiUZo.exe 3
PID 2000 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\apOudxx.exe 3
PID 2000 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Umusmmr.exe 3
PID 2000 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JiMdntY.exe 3
PID 2000 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YIwWVsG.exe 3
PID 2000 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZVrlzHT.exe 3
PID 2000 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ppGOuvb.exe 3
PID 2000 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xDxOKPQ.exe 3
PID 2000 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MJiNklc.exe 3
PID 2000 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BQYMXSE.exe 3
PID 2000 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NAFOCYy.exe 3
PID 2000 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BkODxJD.exe 3
PID 2000 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FmjStOZ.exe 3
PID 2000 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SEvcmBa.exe 3
PID 2000 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uAKdPah.exe 3
PID 2000 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UyjYjxL.exe 3
PID 2000 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TTgJglE.exe 3
PID 2000 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HxPwZmd.exe 3
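
Added example, not part of the sandbox report: a Python script that rebuilds the rows of the "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" tables above from the 21 names and PIDs listed there, parses them, and cross-checks the two tables the way an analyst would before writing detections from them: every created file should reappear as a WriteProcessMemory target, every name should fit the seven-letter C:\Windows\System\<name>.exe shape the page shows, and every child should receive the same number of write events. The regular expressions and the space-separated field layout they assume (description, indicator, process, target, as rendered on this page) are mine, not the sandbox's export format.

```python
import re
from collections import Counter

# The parent image path exactly as it appears in every row of the report above.
PARENT = (r"C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675"
          r"_cobalt-strike_cobaltstrike_poet-rat.exe")

# "Drops file in Windows directory" rows, rebuilt from the 21 names in that table.
DROP_ROWS = [
    f"File created C:\\Windows\\System\\{name}.exe {PARENT} N/A"
    for name in ("BkODxJD FmjStOZ HxPwZmd vUGlsrn apOudxx YIwWVsG ZVrlzHT uAKdPah mqKJzvy "
                 "ppGOuvb BQYMXSE NAFOCYy Umusmmr MJiNklc UyjYjxL TTgJglE SEvcmBa gVLDaho "
                 "xiHiUZo JiMdntY xDxOKPQ").split()
]

# "Suspicious use of WriteProcessMemory" rows: the report lists each (child PID, target)
# pair three times, so each pair is repeated three times here as well.
_WPM = [(2932, "mqKJzvy"), (2132, "gVLDaho"), (2324, "vUGlsrn"), (2560, "xiHiUZo"),
        (2332, "apOudxx"), (2508, "Umusmmr"), (1912, "JiMdntY"), (2744, "YIwWVsG"),
        (2872, "ZVrlzHT"), (2772, "ppGOuvb"), (2740, "xDxOKPQ"), (3020, "MJiNklc"),
        (2788, "BQYMXSE"), (2636, "NAFOCYy"), (2668, "BkODxJD"), (2624, "FmjStOZ"),
        (2684, "SEvcmBa"), (2304, "uAKdPah"), (2584, "UyjYjxL"), (1512, "TTgJglE"),
        (1928, "HxPwZmd")]
WPM_ROWS = [
    f"PID 2000 wrote to memory of {pid} N/A {PARENT} C:\\Windows\\System\\{name}.exe"
    for pid, name in _WPM for _ in range(3)
]

# Field layouts assumed from the way the tables are rendered on this page.
DROP_RE = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+) (?P<target>\S+)$")
WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<ind>\S+) "
                    r"(?P<proc>\S+) (?P<target>\S+)$")
# Every dropped name on the page is exactly seven ASCII letters under C:\Windows\System.
NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")


def parse_drops(rows):
    """Map each created path to the process that created it."""
    out = {}
    for row in rows:
        m = DROP_RE.match(row)
        if not m:
            raise ValueError(f"unexpected drop row: {row!r}")
        out[m["path"]] = m["proc"]
    return out


def parse_wpm(rows):
    """Map each target image to (source PID, destination PID, number of write events)."""
    counts = Counter()
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            raise ValueError(f"unexpected WriteProcessMemory row: {row!r}")
        counts[(int(m["src"]), int(m["dst"]), m["target"])] += 1
    return {tgt: (src, dst, n) for (src, dst, tgt), n in counts.items()}


def cross_check(drops, wpm):
    """The questions to answer before turning these two tables into a detection."""
    dropped, written = set(drops), set(wpm)
    return {
        "dropped_not_written": sorted(dropped - written),
        "written_not_dropped": sorted(written - dropped),
        "off_pattern_names": sorted(p for p in dropped | written if not NAME_RE.match(p)),
        "foreign_creator": sorted(p for p, proc in drops.items() if proc != PARENT),
        "child_pids": sorted({dst for _, dst, _ in wpm.values()}),
        "writes_per_child": sorted({n for _, _, n in wpm.values()}),
    }


if __name__ == "__main__":
    for key, value in cross_check(parse_drops(DROP_ROWS), parse_wpm(WPM_ROWS)).items():
        print(f"{key}: {value}")
```

All 21 drops come back as written-to children of PID 2000 with three write events each and no name outside the pattern. Taken together with the Files section, where the 21 dropped executables carry 21 different SHA256 values, a hash blocklist built from this run covers only these exact files; the path pattern under C:\Windows\System and the parent-to-child WriteProcessMemory relationship are the more durable indicators.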

Processes

Image path (the recorded command line is the image path alone in every case, quoted for the parent and unquoted for each child; no arguments were passed):

C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe
C:\Windows\System\mqKJzvy.exe
C:\Windows\System\gVLDaho.exe
C:\Windows\System\vUGlsrn.exe
C:\Windows\System\xiHiUZo.exe
C:\Windows\System\apOudxx.exe
C:\Windows\System\Umusmmr.exe
C:\Windows\System\JiMdntY.exe
C:\Windows\System\YIwWVsG.exe
C:\Windows\System\ZVrlzHT.exe
C:\Windows\System\ppGOuvb.exe
C:\Windows\System\xDxOKPQ.exe
C:\Windows\System\MJiNklc.exe
C:\Windows\System\BQYMXSE.exe
C:\Windows\System\NAFOCYy.exe
C:\Windows\System\BkODxJD.exe
C:\Windows\System\FmjStOZ.exe
C:\Windows\System\SEvcmBa.exe
C:\Windows\System\uAKdPah.exe
C:\Windows\System\UyjYjxL.exe
C:\Windows\System\TTgJglE.exe
C:\Windows\System\HxPwZmd.exe

Network

Country Destination Domain Proto Connections
DE 3.120.209.58:8080 (none recorded) tcp 6

All six connections went to the same address and port, and no domain lookup was recorded, so the network indicator this run yields is the bare IP:port pair rather than a hostname.

Files

memory/2000-0-0x000000013F430000-0x000000013F784000-memory.dmp

memory/2000-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\mqKJzvy.exe

MD5 7f17b6a891961e9369fdd4a78f8d74de
SHA1 426646bf0aff96445e8f6583fa8f90b2539a3536
SHA256 7762b5b9a3ef1dd08a2a90460ad635ee4a3a13f0af07e54a4333387b34086303
SHA512 ecfa5d5cac9e5b43339f6aa6a36c45939f6b8a66eeb7d3a320b499215b60f41c43c2098a689d0c21e8ab484a791bf434afb3dfa302b68bb5d14e26854515a73e

C:\Windows\system\gVLDaho.exe

MD5 7756ccdab60a4530372d4b7946425ed0
SHA1 06163d8df161c4cf681ecdf8369fa4cc4d5f3185
SHA256 a8a98f77ac8b1730a4475bd941fc034693ee2ee9adab53677643cb7535956753
SHA512 4ebb0bf682ef20d33605fc4d9d83399f18e1d4323d10ac23509e05da4d9042ad5acd3ae36905a6a9bea55091e946c62a4cba8c66029dc6ecc1e586a8ca224dc9

C:\Windows\system\vUGlsrn.exe

MD5 89db5c441d948ace3ee2ca6c6803f177
SHA1 0c803250d6ece90267e68fd682074a3a9390bfa5
SHA256 21d5568751ea0a77f6da9c2ab8c91c5c793dddfee5b0fc8357ca7e0d2d5f2ccf
SHA512 567534fe37e340119e2727ff4a10c53e09fd3c12ded11464e4bd69432a54665e0a4d6676f8d94152d5ab7eafb5db3d0a60975174d4e47bbd2f84791a6b05d8c5

\Windows\system\xiHiUZo.exe

MD5 87b48a38039548be22da200457663a3b
SHA1 998b73a3f4b6da419085720ce29cf6f992bcb341
SHA256 20109d09661221f3d66a484bf8be0575310295893b2bbff1d8f82597f7b36bef
SHA512 da64a17d23caa11ac0df7054d077db8a5706a6221db0834f123fc1ca3fd90a80931c86815e01aa15c56cade62960a1aaffe16aa937c66e9343bc23faf5158d7a

C:\Windows\system\apOudxx.exe

MD5 391299884784b540eb7c6581a3d1e544
SHA1 4f9a958344584c2763bc2d1d1111c76282a7cd4b
SHA256 a09704477041e556184cce1c482cfefd1562d1d0abc5994d9edf3ce7e643145e
SHA512 26df3914048822b7a6967092518d4e50669e947e477a327a90971151a50cc194cd731d688f7de0792eca58efba64cdc01fcf8837b5e4c090616bdbdd2c9532dd

C:\Windows\system\JiMdntY.exe

MD5 96e3e606f11c98e7bda853171f721e9b
SHA1 30a2923ab12f347c0ad3a0a708b191258180ad5b
SHA256 8d234b7df7d5712875bc3c1f171c7f26a272545732efebd47eed27c61d02a15f
SHA512 aae3b2454c8ccf042a4a7e1b48c7b06e395843795a78b1812583c085a1cd4651bb8fbc33b5734e6803a78acfa5a3f06c4ecc8541dc7b6be990bb8bcdfcb10082

C:\Windows\system\YIwWVsG.exe

MD5 2af3168450d031883db494eab577eae7
SHA1 828ff4f810a94d28ba459529d1816ef5d49409b6
SHA256 da7e71ee1361c9ce2ef525c99e2a88c59ed3641606a532d283349a988d498aab
SHA512 68c41d5c9ed66d6b513a51b7bb23c6cf0761668269fd82b99167124eb2a7098cb49d22b4e799c7c63cc32262debb9597f5f8d904107be3a1829c5ac4cb29d510

C:\Windows\system\ZVrlzHT.exe

MD5 9290b2cea8d5b0c95f6d8ef8d1b2e0f4
SHA1 8ab364c82de46cba77039be4fc90649b0805b842
SHA256 0c87b2ce759ff83eb91858df6146f9fb596a1bacdd450e760cf3b1c6c762d4a9
SHA512 10bf8057601293dd4429776ea032d1574a06db95e187f98ae8db07c96bdc66b36276c43839212ff2c97645e5df4954d376b26d586a4dea27ab13b0f428618d5c

C:\Windows\system\ppGOuvb.exe

MD5 63c4bcf99e88796d5bacb536f98582fb
SHA1 e322e076da4eaf25ae703ef3c46afe086c8e44e6
SHA256 e8fc68d728743e4586660dd4935e37bf03c3363d01826cdab6264c95f9dc4fa4
SHA512 69d40871b604399d35f6bc37627e290473f57b1f14b9dcf4386432931513c2d09585451a5d765828a00493c1e38c08d72f67b3e7129629f5e9fa8f9c1fe14ca6

C:\Windows\system\xDxOKPQ.exe

MD5 ca4871dad3230711090338ab051d4a99
SHA1 ad38395f35aee3de2453fec055a30e792a2095c7
SHA256 18c98a97b08472039c7081823c434787074bd0b33e6680f3e21633a1a2480d42
SHA512 0a465da2e74d5781f5be10f584dfdfb7f2d51ddd300b0da7d8f9990c5eadbafc175f409721ed9bb390e547d4203d697bf0b5d25aee45f8f264ad3602188dd50c

C:\Windows\system\TTgJglE.exe

MD5 f930ba27f75af7e050273a980b822a7a
SHA1 487fd37faf28884350b894d890e5832637f8cc82
SHA256 4fb47d372c40d439703f08f5c0809f64ec9b240bf40735473e62cb22d7eef7cc
SHA512 563937e2204f944399ca2132dc3ad6d9be8de35dff66bcc34ee57caed047b6f1af00ccb441926dd4d50f3a23429d9d00facfdaa687499481af5ab5c0f5f08c65

C:\Windows\system\HxPwZmd.exe

MD5 107acf16443e5fa2bbb8ad2d4ed6ac11
SHA1 3468474fdfc7e9cdc39e22176cbb2e493338f7de
SHA256 2e766fe21ff3743ebec57c24e42377c811724b3639b725888b6c3e2b7c17f70d
SHA512 e3ebe7c20b58c611c74c60d41b41623a545994c4093e270fe77fcdee96868e0c7842be8e02fbe025b7215b02403f5074dc7cb83ddc4e36572d1e93a4e6a49dd0

C:\Windows\system\UyjYjxL.exe

MD5 ae1ee25bc9b182c1b5cfd8f0ccb50d51
SHA1 0ca269c7ee7ae4e208fb4a28eec525de6dc8738d
SHA256 16aded408dd3b0e2f04ac95c6b3ac23d03b8e162da3ee64a301c16c3b3fab0b4
SHA512 4f42b6389de1da15a5c560719431c06f8c1c78c4e9238e510673c8776c0eaaa1564e50dc7678f5cee2107125926ce8da1e5588efe0ee5fd3db3067de16a074ec

memory/2932-107-0x000000013F7B0000-0x000000013FB04000-memory.dmp

memory/2872-121-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/2740-124-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/2772-123-0x000000013F8F0000-0x000000013FC44000-memory.dmp

memory/2000-122-0x000000013F8F0000-0x000000013FC44000-memory.dmp

memory/2744-120-0x000000013FFF0000-0x0000000140344000-memory.dmp

memory/2000-119-0x000000013FFF0000-0x0000000140344000-memory.dmp

memory/1912-118-0x000000013F6B0000-0x000000013FA04000-memory.dmp

memory/2000-117-0x00000000023B0000-0x0000000002704000-memory.dmp

memory/2508-116-0x000000013F810000-0x000000013FB64000-memory.dmp

memory/2000-115-0x000000013F810000-0x000000013FB64000-memory.dmp

memory/2332-114-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/2000-113-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/2560-112-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/2000-111-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/2324-110-0x000000013FE60000-0x00000001401B4000-memory.dmp

memory/2000-109-0x000000013FE60000-0x00000001401B4000-memory.dmp

memory/2132-108-0x000000013F0F0000-0x000000013F444000-memory.dmp

C:\Windows\system\uAKdPah.exe

MD5 262af9a28c0b50e8e3b6ea964f21e42b
SHA1 d64486a76b4c69378164321a85af993e1c076ecd
SHA256 d35af4a3154cae85dfe3b56419eb9cf0f0bba8264bdb0ba69b3ed3499064edaf
SHA512 af7396b45d4e744a14eb8be73e9eb4b4007b0d412fe00948d5cfee5e0d91a870ae6572e981ee23dc7c7d856e434affa521a6b1394a623b4ba65451f61ed8acb5

C:\Windows\system\SEvcmBa.exe

MD5 b8f302f55a133cf53dded5abc02c6a36
SHA1 40d70527f7c3aef29e1da16a5b7beecf1843232d
SHA256 0f21c85d8d6495f57652acee946e2517eeae7ccc6a2e30c8cac5cb0ba257d413
SHA512 38b05fa562c6115c78974f8813d99fc58ca958bce006a3db1842bd20b93ae0d96ff70b58e8b93e38faeab1ba772d27cbcced6459a330f0aa19293fddfdec0a5d

C:\Windows\system\FmjStOZ.exe

MD5 9cfa32fa3d7dd4f0ade60b8102e7ec3b
SHA1 5b2a9bb98c3a071687ef614bdebab920f306fb46
SHA256 fb12751ed7d5d4925ce1e67dc2e6162b554451100a5ff56b17ee0c95c5c79b0e
SHA512 537239e725544844b78c1a76c3d1e08f0d17449e5710352084e114c19cc7cea776567d8b60eeb0a64f13390fc26754c1f9935e13b0f44f539659852693e27a0d

C:\Windows\system\BkODxJD.exe

MD5 cec9b2329b08672bbdad2f779f147bfe
SHA1 cba7242c18df0604db1a3ec9ec2084c4908eb6cd
SHA256 bff25a4453243332619fc61ad4d8dd696e8748353181bd36d2d52862fa7636bc
SHA512 631f898d22b9b38a639cc2c4e4e5b68f05456edcd39ba927fc8e9831235710320320d7574c0c3a8f727e0dd95f02b494933ca7d7936d03446d29f45a6b085ccc

C:\Windows\system\NAFOCYy.exe

MD5 e18c2960c6712e498364d88b59758a87
SHA1 b1fda43833408596a7b2841156f9b7327dfde470
SHA256 a237c6d610d3b2b5973a742faa857b548598d27bb4647d54886222b12c1f22df
SHA512 5fc1ad06c489f73b2345cbb34a8aa15546ba1978e7e38dac4d2feb3523cc4e5ad14638a97f2b83a5c3fa415257ca6c61791721c1b2f8112d236d9e59a305f9f2

C:\Windows\system\BQYMXSE.exe

MD5 d11790cfa10e8751c9660e8d01b907ca
SHA1 ca11bddf3298a49f107276f78c11b21632dc4473
SHA256 5075226a4dfc2c6f66afbdd31b900b6b8146fdc1faa2cc49bc99414bb707376f
SHA512 8819175aac9c6b944afb1b561cacc21f2b558c723d4273e800a4f344bdf2dc06222bab416ea768570ba34d48a9759c0ca4606218ba402b08be6bfe063342ad32

C:\Windows\system\MJiNklc.exe

MD5 e64fdda55fececf93782a3b997425a37
SHA1 9807ce360b46be91ec97434f0699454fb1586d42
SHA256 2c16b3b5bc68421fe67a9b6a87d3d00c2da1fe2b9d26c597f0deffd9b5ddada1
SHA512 9918f983f3ec0345a418d79002ff5e4319ddbf76deb649d02c56c2520d4e08e11fa4aa99d2c4706490cc059400c4fe4abf9fab10f592315ded8fa0318f6ec7f7

C:\Windows\system\Umusmmr.exe

MD5 c1d313862ed45b2eb541a1ec97b7bc0e
SHA1 f5e64ebb5b67cf4896b4edf4d003e18b4475d0a2
SHA256 c4c0be30ab03be8187333db743e91e330731bf27b029af23211a2452c1f765e7
SHA512 3b1de4dcc897d880b612ae6529de28f9f935410fcac7bf7953d8c582020b21565a1603d93751c6b320edb53e00f49e493dfdd6bf8b7d90dc4b5419049b04ce4f

memory/2000-125-0x000000013F950000-0x000000013FCA4000-memory.dmp

memory/2636-130-0x000000013FC80000-0x000000013FFD4000-memory.dmp

memory/2000-129-0x000000013FC80000-0x000000013FFD4000-memory.dmp

memory/2788-128-0x000000013F0C0000-0x000000013F414000-memory.dmp

memory/2000-127-0x000000013F0C0000-0x000000013F414000-memory.dmp

memory/3020-126-0x000000013F950000-0x000000013FCA4000-memory.dmp

memory/2000-131-0x000000013F430000-0x000000013F784000-memory.dmp

memory/2000-132-0x000000013F7B0000-0x000000013FB04000-memory.dmp

memory/2932-133-0x000000013F7B0000-0x000000013FB04000-memory.dmp

memory/2132-134-0x000000013F0F0000-0x000000013F444000-memory.dmp

memory/2560-136-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/2332-135-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/2508-137-0x000000013F810000-0x000000013FB64000-memory.dmp

memory/1912-138-0x000000013F6B0000-0x000000013FA04000-memory.dmp

memory/2744-139-0x000000013FFF0000-0x0000000140344000-memory.dmp

memory/2872-140-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/2772-141-0x000000013F8F0000-0x000000013FC44000-memory.dmp

memory/2740-142-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/2636-145-0x000000013FC80000-0x000000013FFD4000-memory.dmp

memory/2788-144-0x000000013F0C0000-0x000000013F414000-memory.dmp

memory/3020-143-0x000000013F950000-0x000000013FCA4000-memory.dmp

memory/2324-146-0x000000013FE60000-0x00000001401B4000-memory.dmp
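
Added example, not part of the report: a parser for the memory-dump names listed in this Files section. The name layout memory/<pid>-<index>-<start>-<end>-memory.dmp is read off the entries above; that the index reflects the sandbox's event order is my assumption and nothing below depends on it. The script computes each region's size, groups dumped ranges by PID, reports which child ranges were also dumped from the parent (PID 2000), and lists which children from the WriteProcessMemory table have no dump at all. The child PID set is copied from that table.

```python
import re
from collections import Counter, defaultdict

# memory/<pid>-<index>-<start>-<end>-memory.dmp, as the names above are laid out.
DUMP_RE = re.compile(r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
                     r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

# Child PIDs from the WriteProcessMemory table (source PID 2000 in every row).
CHILD_PIDS = {2932, 2132, 2324, 2560, 2332, 2508, 1912, 2744, 2872, 2772, 2740,
              3020, 2788, 2636, 2668, 2624, 2684, 2304, 2584, 1512, 1928}

# All 42 dump names copied from the Files section of this report, two per line.
DUMPS = """
memory/2000-0-0x000000013F430000-0x000000013F784000-memory.dmp memory/2000-1-0x00000000000F0000-0x0000000000100000-memory.dmp
memory/2932-107-0x000000013F7B0000-0x000000013FB04000-memory.dmp memory/2872-121-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2740-124-0x000000013F680000-0x000000013F9D4000-memory.dmp memory/2772-123-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/2000-122-0x000000013F8F0000-0x000000013FC44000-memory.dmp memory/2744-120-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/2000-119-0x000000013FFF0000-0x0000000140344000-memory.dmp memory/1912-118-0x000000013F6B0000-0x000000013FA04000-memory.dmp
memory/2000-117-0x00000000023B0000-0x0000000002704000-memory.dmp memory/2508-116-0x000000013F810000-0x000000013FB64000-memory.dmp
memory/2000-115-0x000000013F810000-0x000000013FB64000-memory.dmp memory/2332-114-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2000-113-0x000000013F050000-0x000000013F3A4000-memory.dmp memory/2560-112-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2000-111-0x000000013F050000-0x000000013F3A4000-memory.dmp memory/2324-110-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/2000-109-0x000000013FE60000-0x00000001401B4000-memory.dmp memory/2132-108-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/2000-125-0x000000013F950000-0x000000013FCA4000-memory.dmp memory/2636-130-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/2000-129-0x000000013FC80000-0x000000013FFD4000-memory.dmp memory/2788-128-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/2000-127-0x000000013F0C0000-0x000000013F414000-memory.dmp memory/3020-126-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/2000-131-0x000000013F430000-0x000000013F784000-memory.dmp memory/2000-132-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2932-133-0x000000013F7B0000-0x000000013FB04000-memory.dmp memory/2132-134-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/2560-136-0x000000013F050000-0x000000013F3A4000-memory.dmp memory/2332-135-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2508-137-0x000000013F810000-0x000000013FB64000-memory.dmp memory/1912-138-0x000000013F6B0000-0x000000013FA04000-memory.dmp
memory/2744-139-0x000000013FFF0000-0x0000000140344000-memory.dmp memory/2872-140-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2772-141-0x000000013F8F0000-0x000000013FC44000-memory.dmp memory/2740-142-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2636-145-0x000000013FC80000-0x000000013FFD4000-memory.dmp memory/2788-144-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/3020-143-0x000000013F950000-0x000000013FCA4000-memory.dmp memory/2324-146-0x000000013FE60000-0x00000001401B4000-memory.dmp
""".split()


def parse_dumps(names):
    """One record per name; a name that does not fit the layout is an error, not skipped."""
    recs = []
    for n in names:
        m = DUMP_RE.match(n)
        if not m:
            raise ValueError(f"unexpected dump name: {n}")
        start, end = int(m["start"], 16), int(m["end"], 16)
        recs.append({"pid": int(m["pid"]), "idx": int(m["idx"]),
                     "start": start, "end": end, "size": end - start})
    return recs


def size_histogram(recs):
    """Region size in bytes -> number of dumps of that size."""
    return Counter(r["size"] for r in recs)


def ranges_by_pid(recs):
    """PID -> set of (start, end) ranges dumped from that process."""
    by = defaultdict(set)
    for r in recs:
        by[r["pid"]].add((r["start"], r["end"]))
    return by


def shared_with_parent(recs, parent=2000):
    """(start, end) -> child PIDs, for child ranges that were also dumped from the parent."""
    by = ranges_by_pid(recs)
    shared = defaultdict(set)
    for pid, ranges in by.items():
        if pid != parent:
            for rng in ranges & by[parent]:
                shared[rng].add(pid)
    return dict(shared)


def child_only(recs, parent=2000):
    """Children none of whose dumped ranges appear among the parent's dumps."""
    by = ranges_by_pid(recs)
    return {pid for pid, ranges in by.items() if pid != parent and not ranges & by[parent]}


def undumped_children(recs, children=CHILD_PIDS):
    """Children the parent wrote to but for which this section lists no dump."""
    return children - set(ranges_by_pid(recs))


if __name__ == "__main__":
    recs = parse_dumps(DUMPS)
    print({hex(size): n for size, n in size_histogram(recs).items()})
    for (start, end), pids in sorted(shared_with_parent(recs).items()):
        print(f"{start:#x}-{end:#x} dumped from parent and children {sorted(pids)}")
    print("child-only ranges:", sorted(child_only(recs)))
    print("no dump listed:", sorted(undumped_children(recs)))
```

What it turns up: 41 of the 42 dumps are exactly 0x354000 bytes, the same size as the parent's first dumped region at 0x13F430000; nine child ranges also appear as dumps of PID 2000, which is consistent with, though not proof of, the parent writing each child's image before it runs; and the last seven children started according to the WriteProcessMemory table (2668, 2624, 2684, 2304, 2584, 1512, 1928) have no dump in this section, so any signature derived from these dumps was built from 14 of the 21 children.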