Malware Analysis Report

2025-01-22 19:28

Sample ID 240806-tgyq1axcna
Target 2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat
SHA256 9c29ded5444dd83831866898b6ee7e58a714ede76802b7c69f675f5dbccae0ca
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9c29ded5444dd83831866898b6ee7e58a714ede76802b7c69f675f5dbccae0ca

Threat Level: Known bad

The file 2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobalt Strike reflective loader

Cobaltstrike family

Cobaltstrike

xmrig

Xmrig family

XMRig Miner payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 16:02

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 16:02

Reported

2024-08-06 16:04

Platform

win7-20240705-en

Max time kernel

141s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows, no details recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (40 identical rows, no details recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A (21 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows, no details recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\hqwXULO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vGoIvtv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qBztODV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WmHcSDE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mDATkDT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GRlsDUp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WkRlczU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JWUvINU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OEjOlvT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UyhDJZR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HedKxpj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JvMAdxR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UYXtBJi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MZyWfAi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IStXkKR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tvOrjMZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rsiQRaQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EWsQOKG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kVxfUyS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EEkLAwG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZsVGAHy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target (each target listed once; every entry was recorded 3 times)
PID 2408 wrote to memory of 2784 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kVxfUyS.exe
PID 2408 wrote to memory of 2992 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hqwXULO.exe
PID 2408 wrote to memory of 2712 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JWUvINU.exe
PID 2408 wrote to memory of 2248 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IStXkKR.exe
PID 2408 wrote to memory of 2604 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OEjOlvT.exe
PID 2408 wrote to memory of 2576 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UyhDJZR.exe
PID 2408 wrote to memory of 2700 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vGoIvtv.exe
PID 2408 wrote to memory of 2204 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qBztODV.exe
PID 2408 wrote to memory of 2476 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tvOrjMZ.exe
PID 2408 wrote to memory of 1260 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rsiQRaQ.exe
PID 2408 wrote to memory of 1736 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EEkLAwG.exe
PID 2408 wrote to memory of 2564 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HedKxpj.exe
PID 2408 wrote to memory of 1620 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JvMAdxR.exe
PID 2408 wrote to memory of 2164 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WmHcSDE.exe
PID 2408 wrote to memory of 2904 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UYXtBJi.exe
PID 2408 wrote to memory of 2568 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mDATkDT.exe
PID 2408 wrote to memory of 2832 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MZyWfAi.exe
PID 2408 wrote to memory of 2620 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZsVGAHy.exe
PID 2408 wrote to memory of 2412 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GRlsDUp.exe
PID 2408 wrote to memory of 2360 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EWsQOKG.exe
PID 2408 wrote to memory of 2860 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WkRlczU.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\kVxfUyS.exe

C:\Windows\System\kVxfUyS.exe

C:\Windows\System\hqwXULO.exe

C:\Windows\System\hqwXULO.exe

C:\Windows\System\JWUvINU.exe

C:\Windows\System\JWUvINU.exe

C:\Windows\System\IStXkKR.exe

C:\Windows\System\IStXkKR.exe

C:\Windows\System\OEjOlvT.exe

C:\Windows\System\OEjOlvT.exe

C:\Windows\System\UyhDJZR.exe

C:\Windows\System\UyhDJZR.exe

C:\Windows\System\vGoIvtv.exe

C:\Windows\System\vGoIvtv.exe

C:\Windows\System\qBztODV.exe

C:\Windows\System\qBztODV.exe

C:\Windows\System\tvOrjMZ.exe

C:\Windows\System\tvOrjMZ.exe

C:\Windows\System\rsiQRaQ.exe

C:\Windows\System\rsiQRaQ.exe

C:\Windows\System\EEkLAwG.exe

C:\Windows\System\EEkLAwG.exe

C:\Windows\System\HedKxpj.exe

C:\Windows\System\HedKxpj.exe

C:\Windows\System\JvMAdxR.exe

C:\Windows\System\JvMAdxR.exe

C:\Windows\System\WmHcSDE.exe

C:\Windows\System\WmHcSDE.exe

C:\Windows\System\UYXtBJi.exe

C:\Windows\System\UYXtBJi.exe

C:\Windows\System\mDATkDT.exe

C:\Windows\System\mDATkDT.exe

C:\Windows\System\MZyWfAi.exe

C:\Windows\System\MZyWfAi.exe

C:\Windows\System\ZsVGAHy.exe

C:\Windows\System\ZsVGAHy.exe

C:\Windows\System\GRlsDUp.exe

C:\Windows\System\GRlsDUp.exe

C:\Windows\System\EWsQOKG.exe

C:\Windows\System\EWsQOKG.exe

C:\Windows\System\WkRlczU.exe

C:\Windows\System\WkRlczU.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp (6 identical connections)

Files

memory/2408-0-0x000000013F2F0000-0x000000013F641000-memory.dmp

memory/2408-1-0x0000000000710000-0x0000000000720000-memory.dmp

\Windows\system\kVxfUyS.exe

MD5 20d68370ff0844bc2d7dc0e1753e2573
SHA1 0a77b6b3c0b922314b61d44a9ec09fc477034dae
SHA256 1034116a6a190c2ae8b6e2c9c824b33ca6450b37e3079a86087cf40dc6526019
SHA512 ae55e5a203fa4235f4570915bfc0a40682bd93b064493322337f2e35f5511684840a55248e3b20727967fc99da46860a64e2a8bcaf006ce36e2b47c05a48b5d9

\Windows\system\hqwXULO.exe

MD5 ca00304dff9a999b957108ef2109ed93
SHA1 223c93310b5595837fb8494fe584934361a4cba7
SHA256 174a7912cba95c2b3b466c74b85f107d9032aa5beacbf7b050a37c49357a7302
SHA512 a38d81f7b5e3ed539940e9d72bc8afb42e02cbf6810b31a6df2d1fec5b333dd737150586d2a8742efbb63027a9ab521b5ee02a6c3a81d5f99c0ac9615cf440d8

memory/2784-12-0x000000013F980000-0x000000013FCD1000-memory.dmp

memory/2408-14-0x000000013FDD0000-0x0000000140121000-memory.dmp

memory/2992-13-0x000000013FDD0000-0x0000000140121000-memory.dmp

C:\Windows\system\JWUvINU.exe

MD5 f9c1fbf0cc979424ad8427843dc68694
SHA1 1337418acc65b953754563d3fdc94c1ca9e8d8b7
SHA256 7d366d20c7f79417ef4be63f8c64696003edd985cf533206350b3ee76944cfed
SHA512 bc1fe595b19828c405e0b694623a1d831fe4bc2ec29c7eb079c49f774a8c3216bb5676f964cc5a64c7b4f83535b653aaf71fc2811c1bfd24eabf016239a53601

C:\Windows\system\IStXkKR.exe

MD5 51b9d70268e9db1272174c637442241c
SHA1 3aeffc2621a120177317972cc7e442db1bc004c1
SHA256 791afcf7809f37c26370501961262e0a45a8011675a929cf1373cb2f61ed93a5
SHA512 d2dd428a30314ee5e587283d05a80ea40ef349dc50d8420498270b2c467ff0762fe2c74ad37abe0b0e48b74c0bd165343937cf856b749aa70bd0bd829a2b421a

memory/2408-18-0x00000000022B0000-0x0000000002601000-memory.dmp

memory/2248-29-0x000000013FC40000-0x000000013FF91000-memory.dmp

memory/2408-28-0x000000013FC40000-0x000000013FF91000-memory.dmp

memory/2712-26-0x000000013F370000-0x000000013F6C1000-memory.dmp

C:\Windows\system\OEjOlvT.exe

MD5 600beba4c32cb5145eca717e76c048a9
SHA1 bd328f08d0a7c61df4c25bf45fa83d5bcede090a
SHA256 2dfcb049bfe39a5349d5ab0ac92dfffcdd7b0e51b9df000bbcdcbaff60827a09
SHA512 a51164fbcf50d32c83a0191bb08d470dbfb935af264f550f91525228d37d0a64154504b16c6a1bbc0f9fd59107c77f384b07382cf6526b7df25b223d7c55bf99

C:\Windows\system\UyhDJZR.exe

MD5 a31abb84d2192a8d285101108f27dfe6
SHA1 e56091475b2c3d29e96033b322143af9fb0a558e
SHA256 ab9c9b50e87debeb2ef34e233bf5fde383cbc736cef46b2e74917b8a3370e46b
SHA512 e9250dadd5e00c7a8f1d23d529ecfc5d8cf7f2e97422a585073c2a6b1a41c78d9cc1937f78cba4c00938994e439968cf8e565025900494a46d6cb98678305972

memory/2576-43-0x000000013F490000-0x000000013F7E1000-memory.dmp

C:\Windows\system\qBztODV.exe

MD5 423457533f687fa50cfc3a94dd7a2c2d
SHA1 e74baa3b3a05c1cbe796fa5e9a5b7bda7d35acbd
SHA256 d3335a2e87f25e7363c2e17e1aa4e47a0d7aae55404aa593ee51a3a32d037894
SHA512 08e674759f4b9a892e4cebc2893dda240168acc5f4acce4c2c503339b23147cca6951f0724528e68b7a716358eb55b9bd0289d28838800825860f3b0c4e512c3

memory/2408-53-0x00000000022B0000-0x0000000002601000-memory.dmp

memory/2204-54-0x000000013F370000-0x000000013F6C1000-memory.dmp

memory/2700-48-0x000000013FD60000-0x00000001400B1000-memory.dmp

memory/2408-70-0x000000013F6C0000-0x000000013FA11000-memory.dmp

memory/1260-71-0x000000013F6C0000-0x000000013FA11000-memory.dmp

C:\Windows\system\EEkLAwG.exe

MD5 e1d6a1db990971b96ece3b04f8b71b23
SHA1 8bed818d78b512f66b7b8fe6ac3c631b1186c75d
SHA256 4f1a264da437d2e319e4a507f9b74aee660cb09ffac0cade9ea14edeaaf2f867
SHA512 e52e8a52e9215e7ef9a32bfc228982b6d37f0f8d236928ff4c20f8c018296767138118ba594d5bbca003f706b27a1d1ce81d3fac06cb2ee98657348f38f091f4

memory/2408-85-0x000000013FE20000-0x0000000140171000-memory.dmp

C:\Windows\system\ZsVGAHy.exe

MD5 eece682655de1abaaa6eeb92ce23c4f7
SHA1 0a182048b83a4a7edf63c872daff4cc6afeb3c74
SHA256 2a2ba7b8a1f8eba613af5a64283b3928220efc5851df6d1f31bb77280ce621f2
SHA512 fa442d26b881e0618a77a5c9e1fd764192428d50fb0eb69c323942d6127752492a0eda4f969c0bf59494a0fbffa4163ca8e20fb05da7c1d640f4643f028c36ed

C:\Windows\system\WkRlczU.exe

MD5 f849eaca2addad4bd30a2a6a2929157a
SHA1 e599144d7fa8fd871e313077cdc32c6b1ef57b24
SHA256 77fede436cab7e80aca3afc24aa6d63096ddb07d419536997920e4e7bf4ca76a
SHA512 c1863eb7df6624b96f9fdedd2319fcfc8f28c2417bd31d0bbabfa798f60d0db9cb2879f762329924ca1ad3ac3c74027c37baa8945040d8d4436287a397da108c

C:\Windows\system\EWsQOKG.exe

MD5 2c6a793fd579b289aa27f8821d0736fa
SHA1 7c2517f2c682789157d25c3aeb73371cca2a972c
SHA256 49ffa2dd35a5ffbad0c21ae82d9ea2fa4edff7cb44fae4733610bb15428ccfa5
SHA512 4afa237e33e07700912db38de1b4618f0674e0af3d00005bab074858f0da733fe9dbc44f7496b45c0be468c23f99293775f3cab1e55d65af6ae185866cf38184

C:\Windows\system\GRlsDUp.exe

MD5 556fc68c466b06168c101bef6f9ab119
SHA1 8f4d7b66890a5f3bcbaa4f68a7dee029d4b7d485
SHA256 694b3bb6c14b592288595083db49c4e9e828e31ea8ea605518b500e938c2d028
SHA512 0fbdc229eed265d779436b47a975cb4e83501c6a9b3dea39a359a1f14365c41c1e87e4584887a4db53552f821ec830b51e892bc7b8d3fe3be2753ad48979015e

C:\Windows\system\MZyWfAi.exe

MD5 0ca94011f7e7683d81af180844bfd53c
SHA1 9e068b66711f61ce71ce44285272c01a335fabf2
SHA256 84b91fd1089804a501b38a49a22b728f3ba60c84b8b628ae19fd9b64351eabcd
SHA512 5730341c07af4b64ef4a40487f9cd098d0dc833c6ae190a640a9f0fb3bfb1abc33cd95e04dd6a5cd80e5cf341b031273ff6bef7f16ddc36e3a284115570e1e51

C:\Windows\system\mDATkDT.exe

MD5 4b2b811b26adf3739db37fdcd22c1681
SHA1 88321800d24c1ae507cf2d01f6d9f31852d1692f
SHA256 9b2afdda1db4e793d28a9bcb6a10e7b1e43bedb44fca408ea255ee4f8ea40581
SHA512 7b02352c407462bbcca09a7ee5bf3a93c9c585ccbe4bce842bfaed00d04f76cc97b7c3d80403da00393f30cbac1b6297aa43d48ce950dad82c46c5de9f9b0c80

C:\Windows\system\UYXtBJi.exe

MD5 068e203de6ec08f13264d439da310c13
SHA1 a918a27acc273f71bee26ab96b45bcf6b5d93c2b
SHA256 4702269ce0589c2de40e007d275c7eea552b8bf1eb94555d84f818242109565c
SHA512 a860bd722583655247aa41dc72faaee96df501f01177c67cf0c72fb2cda544e10113e6a81b09bec8384adeccc622ad7eaae314b11c15ff0b701c7b55d482d3e1

memory/2700-137-0x000000013FD60000-0x00000001400B1000-memory.dmp

memory/2164-101-0x000000013FE80000-0x00000001401D1000-memory.dmp

memory/2408-100-0x000000013FE80000-0x00000001401D1000-memory.dmp

C:\Windows\system\WmHcSDE.exe

MD5 9aa4fa2a7b077cb6d2a2958880d6ddfb
SHA1 744a77a8948d9304ffc9836318a0b853b77ebdac
SHA256 4a44598ffc5a246af0dcd13e83e00c4e6fb16d1d1091d38386d4b060cdf01d8a
SHA512 842177085ec8e28b872667796bc32bc2e66848ff9b4498ee556df808efcf996645fe974e63e42e9303f08204f3e4dd0e98a55dae85013727fc0291aa6231223d

memory/1620-94-0x000000013FC40000-0x000000013FF91000-memory.dmp

memory/2408-93-0x000000013FC40000-0x000000013FF91000-memory.dmp

memory/2604-92-0x000000013F300000-0x000000013F651000-memory.dmp

C:\Windows\system\JvMAdxR.exe

MD5 7e89903065575d513d12e235e4b3674f
SHA1 4b46bb5817ebe8a798adf0fb3444030c05bcb996
SHA256 583fb8ad54217148bb0e484b64d46d60e8542efa65fc273466543c280357ec35
SHA512 81d5291b72a2aaeec82860bdb427661ff32b72be2e3db4994736b262f8c252ae91e6eaa2d55f3edff39ffab86c1a7c8676bb7bf0c5baea03141ae046316f0bb1

memory/2564-86-0x000000013FE20000-0x0000000140171000-memory.dmp

memory/2712-84-0x000000013F370000-0x000000013F6C1000-memory.dmp

memory/1736-78-0x000000013F8F0000-0x000000013FC41000-memory.dmp

memory/2408-77-0x000000013F8F0000-0x000000013FC41000-memory.dmp

C:\Windows\system\HedKxpj.exe

MD5 39e950c439181df88d681cdf0cf3cac3
SHA1 6395496a928b0bc7b824ba6c020bac8c4ab4c6cd
SHA256 1463bbb3863274d1dee1ab5f4998740de384ee11b8cbcc0c65f27827ddeb1dfc
SHA512 8f7efdc4cdbb1e3620c58d8431b6d4f0c926c0204c9d15b1193b6bb6f79cec14dec96fbcd3f8c6293bc85bb1eb3a3ee4dc5a37500ea9639427a63142a5540584

memory/2204-138-0x000000013F370000-0x000000013F6C1000-memory.dmp

memory/2476-65-0x000000013F270000-0x000000013F5C1000-memory.dmp

memory/2992-64-0x000000013FDD0000-0x0000000140121000-memory.dmp

C:\Windows\system\tvOrjMZ.exe

MD5 c52e4a4ab5d171d8a01dc90d7e26463a
SHA1 2bb0ba6a7d392e1e6121c682d41399a54b2de552
SHA256 eee10ee462046d955cc5c09a4ec527eda0950d4090f0ed0a7e583cfda077435c
SHA512 e0219078080b3d8f6bf5fe54fc8ecd57053d39b72e2e1350febfd2bdf9209fbfc96d5487ad0475d6bdb514736f2277d9ffdfa5e7155ed1fb29c53b82d726aed3

memory/2784-60-0x000000013F980000-0x000000013FCD1000-memory.dmp

memory/2408-59-0x000000013F2F0000-0x000000013F641000-memory.dmp

C:\Windows\system\rsiQRaQ.exe

MD5 e7a551fa7d4d3c81776fa85b02d95ea6
SHA1 9fb1dfe75160e17fe116902f73ef5ae58e27b302
SHA256 316bfb6c363940b935f11c78bd06a99e4d710789aea8b7233b6112efcfd6bd19
SHA512 f58182e3389dc81551acca66b478f2d4d43ec7747a889491c2f82f0e37e298b2699680923bb2f20c2747fa9f7c466bd2b92b97d0bb88cb47c8f5a724ee990231

C:\Windows\system\vGoIvtv.exe

MD5 24fb0f43258a3134ca7703df736458ca
SHA1 15df7ad17884248aac8a8fe398536e3495e8ee93
SHA256 35a250c7e5c21ce3e4771d1691ee910aec064b42a443e47f0376c40c15b29738
SHA512 56aa81a5a11aee6396f6fbaf13c4459820a9cc9a7b394aaa84f88fb79c48d44d2600288f7298a64fd0b9d74ded80289327b565bd0ef0004a3c37a0b297369b13

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 16:02

Reported

2024-08-06 16:04

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\nxZTmZK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uZpXWmD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sODaZYX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iSXiFmC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\engJGUW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DazZaet.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LEIrwXK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DbofsnW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rrlEumG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ieZIjKl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yAUHYib.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TGauCGL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WPLrXHd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Frltnbw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IQspLFr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vXGGPeb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\daMNIWW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aQQkvjA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zFYAlXS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PDcUxCD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WpsOIfM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5012 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nxZTmZK.exe
PID 5012 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nxZTmZK.exe
PID 5012 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uZpXWmD.exe
PID 5012 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uZpXWmD.exe
PID 5012 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sODaZYX.exe
PID 5012 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sODaZYX.exe
PID 5012 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iSXiFmC.exe
PID 5012 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iSXiFmC.exe
PID 5012 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\engJGUW.exe
PID 5012 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\engJGUW.exe
PID 5012 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WPLrXHd.exe
PID 5012 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WPLrXHd.exe
PID 5012 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Frltnbw.exe
PID 5012 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Frltnbw.exe
PID 5012 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IQspLFr.exe
PID 5012 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IQspLFr.exe
PID 5012 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vXGGPeb.exe
PID 5012 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vXGGPeb.exe
PID 5012 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DazZaet.exe
PID 5012 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DazZaet.exe
PID 5012 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aQQkvjA.exe
PID 5012 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aQQkvjA.exe
PID 5012 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zFYAlXS.exe
PID 5012 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zFYAlXS.exe
PID 5012 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PDcUxCD.exe
PID 5012 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PDcUxCD.exe
PID 5012 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yAUHYib.exe
PID 5012 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yAUHYib.exe
PID 5012 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LEIrwXK.exe
PID 5012 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LEIrwXK.exe
PID 5012 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DbofsnW.exe
PID 5012 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DbofsnW.exe
PID 5012 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\daMNIWW.exe
PID 5012 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\daMNIWW.exe
PID 5012 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WpsOIfM.exe
PID 5012 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WpsOIfM.exe
PID 5012 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rrlEumG.exe
PID 5012 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rrlEumG.exe
PID 5012 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TGauCGL.exe
PID 5012 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TGauCGL.exe
PID 5012 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ieZIjKl.exe
PID 5012 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ieZIjKl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\nxZTmZK.exe

C:\Windows\System\nxZTmZK.exe

C:\Windows\System\uZpXWmD.exe

C:\Windows\System\uZpXWmD.exe

C:\Windows\System\sODaZYX.exe

C:\Windows\System\sODaZYX.exe

C:\Windows\System\iSXiFmC.exe

C:\Windows\System\iSXiFmC.exe

C:\Windows\System\engJGUW.exe

C:\Windows\System\engJGUW.exe

C:\Windows\System\WPLrXHd.exe

C:\Windows\System\WPLrXHd.exe

C:\Windows\System\Frltnbw.exe

C:\Windows\System\Frltnbw.exe

C:\Windows\System\IQspLFr.exe

C:\Windows\System\IQspLFr.exe

C:\Windows\System\vXGGPeb.exe

C:\Windows\System\vXGGPeb.exe

C:\Windows\System\DazZaet.exe

C:\Windows\System\DazZaet.exe

C:\Windows\System\aQQkvjA.exe

C:\Windows\System\aQQkvjA.exe

C:\Windows\System\zFYAlXS.exe

C:\Windows\System\zFYAlXS.exe

C:\Windows\System\PDcUxCD.exe

C:\Windows\System\PDcUxCD.exe

C:\Windows\System\yAUHYib.exe

C:\Windows\System\yAUHYib.exe

C:\Windows\System\LEIrwXK.exe

C:\Windows\System\LEIrwXK.exe

C:\Windows\System\DbofsnW.exe

C:\Windows\System\DbofsnW.exe

C:\Windows\System\daMNIWW.exe

C:\Windows\System\daMNIWW.exe

C:\Windows\System\WpsOIfM.exe

C:\Windows\System\WpsOIfM.exe

C:\Windows\System\rrlEumG.exe

C:\Windows\System\rrlEumG.exe

C:\Windows\System\TGauCGL.exe

C:\Windows\System\TGauCGL.exe

C:\Windows\System\ieZIjKl.exe

C:\Windows\System\ieZIjKl.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/5012-0-0x00007FF6C4B80000-0x00007FF6C4ED1000-memory.dmp

memory/5012-1-0x0000013F801B0000-0x0000013F801C0000-memory.dmp

C:\Windows\System\nxZTmZK.exe

MD5 5a190d4cf7c861bd5e7b7db57fa49b99
SHA1 4350e8479850413cf42d60858c9f3cdbff9f21a4
SHA256 013bc8312d2c60df13e74b44204fb2433b56129fbaa266176b9eb478daa3498f
SHA512 a8ea684c6e5d33e2472ff339fb8867cb0dc9e0f1dfa91fe74acf06d41f9a90c75c021acca307615504924894bbb79fcca747a72d6566daa42aacc97e2b059c97

C:\Windows\System\sODaZYX.exe

MD5 9fea3947d0ad5879c11a82967282cad9
SHA1 8135477234096cdbca507a5b4b63e01af4281f9e
SHA256 c6c872a8ecfb3f0267c4e406bfb118e7204578d757409826fed9a8ab02462926
SHA512 7b0c74de32119c3cca6c8923c1c4fa2329285409a21e74c30ab4e0422e6422afa29a548307772a4f34454d01e21f3e286b8c9d86e5d65355b6a048efc7650de9

C:\Windows\System\uZpXWmD.exe

MD5 0505fb9eede7b503b16149e268284568
SHA1 203e72fbe248bb276a6d6ad004019b66cb007e78
SHA256 aae896e1b88e971c4abf7a45b94184925cbab5d91148917ab1a65add77908a6e
SHA512 7a176a52946ae70b5f2c5d62b5250b029d555b4d9c774ca0bd082bf6b8a7a2d50422d6703b76fea66810e784b907aefc1fb512d799f8b53328d6eba9ead0a7ec

memory/3924-15-0x00007FF645F50000-0x00007FF6462A1000-memory.dmp

C:\Windows\System\iSXiFmC.exe

MD5 de039882dad10373cde0d0c52b4d783b
SHA1 9cd6a0ac72479f1f75bd21681c04f9734463f85b
SHA256 3e91b6f6844254ee6712bb927f80c3571a300ef62a19f5aea5c451db65dd1a9b
SHA512 bdfb9de2e6515ea8686698766a80adbe28062a9472b438366c5fbb0795c16cf936f5aed97aa4387d7aa155eedaf881505f5fb04b69c67b8e7fe54d1fd31b58ff

memory/916-24-0x00007FF62A7F0000-0x00007FF62AB41000-memory.dmp

memory/4316-23-0x00007FF621470000-0x00007FF6217C1000-memory.dmp

C:\Windows\System\engJGUW.exe

MD5 9d69c89ac54f13ae83f71676b0e8e841
SHA1 1a36012dfbf11dc2c7f99cdbedfda612adf736ce
SHA256 cb46dbf65df089d7255ad82ab839f7bb58c56726de6d25191a358fa2283c4977
SHA512 225823004a77887a604721ad075cf7624406c9e5cc7ec6f00312183aeebfbc77593eb455e2eb36a7f6ac96f5223af80d5e82868472dcd41eced78e8e9788b1a7

C:\Windows\System\WPLrXHd.exe

MD5 cefa834d453c5cac380da72ddee8538b
SHA1 eea9d2454052da88b67bad0852a0f2bc0c371af4
SHA256 97d179b47a9695ed76d3069e3db90430a7b1c29ce8915bbd9f38eb51602fa448
SHA512 4188abfe2c91e5e229775e6b11fedcd7ec5eaf3094be37556952d6170e1b9ef88f4610b3f1d0b223058c010a0591e3765efce7faddd42dbe2c95b9b260b9d0d8

memory/4716-43-0x00007FF6EF560000-0x00007FF6EF8B1000-memory.dmp

C:\Windows\System\vXGGPeb.exe

MD5 62e062569d5477a7b9f640a7583ef345
SHA1 76874e597acef69d433457d8361c2cc06e1264c6
SHA256 a98da941ef6013d8ce43ae27dea8e65aad37ec006ff1cf8846c48fc207fe9f7a
SHA512 918efddbc4af0f584418b5bde8eddbb5b34934173aaf3e5a15000826de94dfd6d41c2125d8a2121fe4a1ad348a39ec1ddc1751cd3c822ed2f4ee94eeaa973d0a

C:\Windows\System\IQspLFr.exe

MD5 1979cd5a891dcc12a120dffe7e308532
SHA1 c93c30298ca2c9060326f857ab90f4bb10d09d23
SHA256 a6064d938a33c80edc9f8cc59268f5c759b26344b096fefbdd6d3e7020f7acd7
SHA512 1acd7defb75a13f22127562261074ecdf0b3838ae8aa1c8eb1034470244ee89fc12a4040cfe590677dd9600bded43a42b9c5dd9bf18cede3a8babd99a6ad9ab7

C:\Windows\System\aQQkvjA.exe

MD5 7bbf3ee684d5e81915828440a896f854
SHA1 df6d881a21916cd8ee8fc33f7ca5ed045618fcce
SHA256 a48dca318f662d6eeee7c95f2fbcc564cac083da1c207cd9e5662817dc87b17f
SHA512 2c194b6dd218a914d8cd0724955a5a56e9bf1f73a90f088a3ad3c0918d0804213c8f572c5e5474a0e7f0092e317126d89450b2b58270427f7d4ec9a4f5f19a1b

C:\Windows\System\PDcUxCD.exe

MD5 2b3340029b56a640cf8b7d1a5ae5c1e5
SHA1 6fdf5db68c669dbaa12aa7b54ab079341f431050
SHA256 8614a99585c7bca6852cad6c9e126ee04ac1423c611331ec23e5f42c83b6a154
SHA512 806d870f5981d5b24a20d2ce84263afff41fc1474992e594c7f2d428904ad9e4876e0bbccb0bcb1bbcfa48b58dadcc1b3ea906204b43dd282a870f0bd81efaa4

C:\Windows\System\LEIrwXK.exe

MD5 4a7a9dd7f2608d1d60fdb5c0b799cea6
SHA1 5cf39f65f1392990d29a37140de5fc292482b9d6
SHA256 240b70c46de908f7fea8364e63ec1394890a09df19fdcd2e12d17fb63a813c4a
SHA512 a4349412967b36aa540750171a8cb0087e051c92f23999099d7493aaf3a4f923af94153367bc547814af81de83fc871d8bb75f00011e837f5e115317e4d6103d

C:\Windows\System\WpsOIfM.exe

MD5 96c43aafbb39b50218fdb94375a13bba
SHA1 205d9a32c030e7621657fdf5d32ff5c0ab59b6ff
SHA256 24e2fda8c72fa979ec95d1dc149160cc11e635182fb86056ac5cd0ba61a07f4c
SHA512 2013f1ccc965ac2d8f04d884aa84774af437f74196863dc644cb5e822750a5a8a9d59ce12d5d227382ba018f8b7cfb8ff3e1f4e4431d754375184bbb200a5960

C:\Windows\System\ieZIjKl.exe

MD5 50123296165e7ae6149626b877a83a45
SHA1 ed6d163234b0c7700f5f289560489ccfd3a69ac8
SHA256 4a59198bb1e4b31f6344cd85c93f7b22516f227e540794ed76c793f337308e54
SHA512 5b9ee2c0a9c9da441c1b380bef9a2a38bf229470423825cd56a9ff446a7e4e9cd459e1d3ba3f6b4a01a589c9edd25ca0c2110e497402ac9e54c9da25ef6052ae

C:\Windows\System\TGauCGL.exe

MD5 a764473aa673ac1f9e81d71c903741c0
SHA1 990de874647501edb66f3d1df497a6536a108841
SHA256 a8c46bcc153f76f8b5cbd2dd5bcc8aa05e47f2ca945b45875c250c7631bb0a90
SHA512 669a767698314d5929fb1b6dc8d1e05ddf1381ab6161a900a70abbbe87becfb8d72ac1466dabe10e59fe1a9f712c12564805ec45fd8cfc079f93252671d8f587

C:\Windows\System\rrlEumG.exe

MD5 8828dd5c4715af829e7dded6339f3b23
SHA1 4686d8df9012ba5ea9cf86dca5f22668bb0aa6d9
SHA256 50573c219b80248f05f314b679636dceb5c18f85c5cc0b287bb595904769b4ff
SHA512 dd59b598ee75fa43a01906a38eff48a186533a39fde7449a5f1188f8c36e58518afb225d0387cb2e47c44f9cda4582447b6d1f853cc11082a8c51e09e368e71d

C:\Windows\System\daMNIWW.exe

MD5 6633be60bc589d80afb12bada41010c6
SHA1 6cc549a9a5a439a2b15d76426d3c7f7b96b3de58
SHA256 115155c7c33f86a5288e68e7790ffc2e6f93194a3c3d1f173965e77c16099c25
SHA512 7e5d5c1c97880ccc42b2930f507e467d22f1da1b2583ba6be6f7cfcd68452baa3de568ef50adfc6a7329f2f16e642f20d702f0ae56c9c7571c652e4f263ce6f4

C:\Windows\System\DbofsnW.exe

MD5 bbbdcfecc1b08496f453861cc638f8a1
SHA1 cbc47b98d91d56a79f4efca3b7dc63e1d2a932c4
SHA256 c13bc81625af74916197f5ddabca0d31ed537377345e73784dffd20bffe1cf58
SHA512 3973544fa788947d10b0eb77257f50a2aca40c27960047a2df74d17b5bac386b3a944312f5afca14e698c5fde038ad4ea218684f1d4691fc07dbdd95c1f08140

memory/1000-99-0x00007FF688A40000-0x00007FF688D91000-memory.dmp

memory/4504-90-0x00007FF793550000-0x00007FF7938A1000-memory.dmp

C:\Windows\System\yAUHYib.exe

MD5 c82b23bfcfcb797f1dbfb25d052b2cd7
SHA1 90ac861812eb89508592a8e4dd7d237a1798d30f
SHA256 aeb6f1dc797ee59aa4c23e3be2474d7c774f1514761d626220cf3d5b015d95a4
SHA512 e65af6f36a4365e3a5a57c89f0e2126d27b7bfc69b3ce959901201fc6c745a3a490f4a5a82f3e3876fc4cc6f612583faeeb853a2a4f022e3883b069049e5bf4e

C:\Windows\System\zFYAlXS.exe

MD5 ca67c682b57cec019d6839bcff4c3809
SHA1 4ae957e7e0477cecc4f0e9129935aaf3ad65359f
SHA256 accb83e9a773e5760cd37e5f1314054d3409dbdc7f1a17086ea2a04ece31fd0b
SHA512 d8a650d4e2482052b11b12293ebc1c4f0ab9c30b384cc387d237917e8c1f54c17a6b440417548fbb8c63f7c97e894895082a5dfb0addb875ec6c31cdc58e2f03

C:\Windows\System\DazZaet.exe

MD5 2fb9cc8606686324166e5adc41a727a9
SHA1 64f30fa3e0dd4562c7e01acc1bb087dfbaf39989
SHA256 730973aba8e7d35d2f557b083717be1583c92439b06fa20dc4ff206a409cc36a
SHA512 509aee4f31a5a3efd806c114fa82fe23d6f49cc1c27f49d2b4b5e2acef9227e38645106a0de3f8f2724d891a3fa0da68fe6677862a4136f80183a733b535d7d0

memory/1816-46-0x00007FF763110000-0x00007FF763461000-memory.dmp

C:\Windows\System\Frltnbw.exe

MD5 26efc6a19d39b1bd68b9f8fd44f1c2bb
SHA1 6c06d28cfb1fbf097cdd5d400f053d6c52d27971
SHA256 6975ebf66b394311e1ba1c7636749325ca08d74ab983df71d32407841b975e4b
SHA512 52eb3dbc7a2a3dcda368f1ccb2804043241ffd8a8998cd74513089787e4d94c357e1afce037675d30f62665445167361bd62a730d9cee1e28f85997916aa2347
