Malware Analysis Report

2025-01-22 19:24

Sample ID 240806-tk6k1sxdmc
Target 2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat
SHA256 8481973295a21ac14ec47d6a59edbcc591cdfd71f00213ed11a0505d1f975c6c
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8481973295a21ac14ec47d6a59edbcc591cdfd71f00213ed11a0505d1f975c6c

Threat Level: Known bad

The file 2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobalt Strike reflective loader

Xmrig family

xmrig

Cobaltstrike

Cobaltstrike family

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 16:08

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(1 match; all four columns N/A in this export)

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
(1 match; all four columns N/A in this export)

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
(1 match; all four columns N/A in this export)

Unsigned PE

Description Indicator Process Target
(2 matches; all four columns N/A in this export)

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 16:07

Reported

2024-08-06 16:10

Platform

win7-20240708-en

Max time kernel

140s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 matches; all four columns N/A in this export)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(41 matches; all four columns N/A in this export)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
(this row is recorded 21 times; the loaded DLL is not named in this export)

UPX packed file

upx
Description Indicator Process Target
(64 matches; all four columns N/A in this export)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\oBgfhJY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iJVOaZR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tCnrlAm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LAypFag.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LEmLQMO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DJkVKWX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\guuajPL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VTbVLio.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PGzrNNZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sIthCXr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aZhSKjV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pdrpFTh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LaXUrJJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IoeKcpI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aLmYkpK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\effSxQt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tgNwWps.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iCRbKdU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qaheBRC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tfkZMCp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RwYrTVI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3032 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pdrpFTh.exe
PID 3032 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pdrpFTh.exe
PID 3032 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pdrpFTh.exe
PID 3032 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LaXUrJJ.exe
PID 3032 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LaXUrJJ.exe
PID 3032 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LaXUrJJ.exe
PID 3032 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oBgfhJY.exe
PID 3032 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oBgfhJY.exe
PID 3032 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oBgfhJY.exe
PID 3032 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IoeKcpI.exe
PID 3032 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IoeKcpI.exe
PID 3032 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IoeKcpI.exe
PID 3032 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iJVOaZR.exe
PID 3032 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iJVOaZR.exe
PID 3032 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iJVOaZR.exe
PID 3032 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VTbVLio.exe
PID 3032 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VTbVLio.exe
PID 3032 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VTbVLio.exe
PID 3032 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aLmYkpK.exe
PID 3032 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aLmYkpK.exe
PID 3032 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aLmYkpK.exe
PID 3032 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PGzrNNZ.exe
PID 3032 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PGzrNNZ.exe
PID 3032 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PGzrNNZ.exe
PID 3032 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\effSxQt.exe
PID 3032 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\effSxQt.exe
PID 3032 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\effSxQt.exe
PID 3032 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tgNwWps.exe
PID 3032 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tgNwWps.exe
PID 3032 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tgNwWps.exe
PID 3032 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iCRbKdU.exe
PID 3032 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iCRbKdU.exe
PID 3032 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iCRbKdU.exe
PID 3032 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qaheBRC.exe
PID 3032 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qaheBRC.exe
PID 3032 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qaheBRC.exe
PID 3032 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sIthCXr.exe
PID 3032 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sIthCXr.exe
PID 3032 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sIthCXr.exe
PID 3032 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aZhSKjV.exe
PID 3032 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aZhSKjV.exe
PID 3032 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aZhSKjV.exe
PID 3032 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tCnrlAm.exe
PID 3032 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tCnrlAm.exe
PID 3032 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tCnrlAm.exe
PID 3032 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RwYrTVI.exe
PID 3032 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RwYrTVI.exe
PID 3032 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RwYrTVI.exe
PID 3032 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LAypFag.exe
PID 3032 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LAypFag.exe
PID 3032 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LAypFag.exe
PID 3032 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LEmLQMO.exe
PID 3032 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LEmLQMO.exe
PID 3032 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LEmLQMO.exe
PID 3032 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tfkZMCp.exe
PID 3032 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tfkZMCp.exe
PID 3032 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tfkZMCp.exe
PID 3032 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DJkVKWX.exe
PID 3032 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DJkVKWX.exe
PID 3032 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DJkVKWX.exe
PID 3032 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\guuajPL.exe
PID 3032 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\guuajPL.exe
PID 3032 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\guuajPL.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\pdrpFTh.exe

C:\Windows\System\pdrpFTh.exe

C:\Windows\System\LaXUrJJ.exe

C:\Windows\System\LaXUrJJ.exe

C:\Windows\System\oBgfhJY.exe

C:\Windows\System\oBgfhJY.exe

C:\Windows\System\IoeKcpI.exe

C:\Windows\System\IoeKcpI.exe

C:\Windows\System\iJVOaZR.exe

C:\Windows\System\iJVOaZR.exe

C:\Windows\System\VTbVLio.exe

C:\Windows\System\VTbVLio.exe

C:\Windows\System\aLmYkpK.exe

C:\Windows\System\aLmYkpK.exe

C:\Windows\System\PGzrNNZ.exe

C:\Windows\System\PGzrNNZ.exe

C:\Windows\System\effSxQt.exe

C:\Windows\System\effSxQt.exe

C:\Windows\System\tgNwWps.exe

C:\Windows\System\tgNwWps.exe

C:\Windows\System\iCRbKdU.exe

C:\Windows\System\iCRbKdU.exe

C:\Windows\System\qaheBRC.exe

C:\Windows\System\qaheBRC.exe

C:\Windows\System\sIthCXr.exe

C:\Windows\System\sIthCXr.exe

C:\Windows\System\aZhSKjV.exe

C:\Windows\System\aZhSKjV.exe

C:\Windows\System\tCnrlAm.exe

C:\Windows\System\tCnrlAm.exe

C:\Windows\System\RwYrTVI.exe

C:\Windows\System\RwYrTVI.exe

C:\Windows\System\LAypFag.exe

C:\Windows\System\LAypFag.exe

C:\Windows\System\LEmLQMO.exe

C:\Windows\System\LEmLQMO.exe

C:\Windows\System\tfkZMCp.exe

C:\Windows\System\tfkZMCp.exe

C:\Windows\System\DJkVKWX.exe

C:\Windows\System\DJkVKWX.exe

C:\Windows\System\guuajPL.exe

C:\Windows\System\guuajPL.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (no domain recorded) tcp
(the same destination appears six times in the connection log; the originating process is not recorded)

Files

memory/3032-1-0x000000013F370000-0x000000013F6C1000-memory.dmp

memory/3032-0-0x00000000001F0000-0x0000000000200000-memory.dmp

C:\Windows\system\pdrpFTh.exe

MD5 54d50439cdc4bf82bb32b9e61d3682d0
SHA1 1d94c5130d23d2e8015d18460fcc2309d330bdcb
SHA256 f48dc9029118877257a1ec1e9ebb00b47b4e662c7a67100bff625e02dace777a
SHA512 3d51f064f81fe64cd84ce2b2438a4213396224ede05ac32e5cc93e9b378e1f52824dc509b93579aa40ec0a2676a547bc58e4b037168271a3bc679f36ab76f60e

\Windows\system\LaXUrJJ.exe

MD5 f37e24c7c00544a5a9a4e3e70fcf6d30
SHA1 e74c061934dde9a3ed5f5ca56ad7f49c9a718a72
SHA256 a8ad9b9e432701d814b07e1a3d11417a960869dfaeb642acf381c3f1247fbefc
SHA512 b901aaf29c4333ad686c228d7adbad8c1cda6bed9ffac3ea70c499ce16d3689df4a6d3893c3b0e84e070e5f0e4f1ef228aabf96aed743a9f7f0c82522de2ffea

C:\Windows\system\oBgfhJY.exe

MD5 3ce846e8dee236dc4e14b2814831a4c9
SHA1 ddd8fbce9e2af97de996423bfcb951be7bd47aea
SHA256 6438e38d446bd9dabf06c44f6dd76d4b8fecd7e8c9e5b623f5e6a333de268bf1
SHA512 5196e73a889a85412276d3ad1ebc197112a90dd36999f0af58aaa537e3330d1bf2451e3eb4d2ef4d5f64176ac4b1534643f2106050d864d2de64ed80749c82ed

\Windows\system\PGzrNNZ.exe

MD5 c50071d55fc01abe11ad76fb4c4d23b8
SHA1 ac8cdcb479a79a230923f783a679b90962d080d8
SHA256 a6054efa64a9a34ee0c19474d3a25197a89f669eb970aecfc0f0ee21e001960a
SHA512 a21867c5eddb7c538b242fd9bccf539e2620fb6a9e4ef6852989bab68bd824c10355a26292ad1102b146de60c9e363a946becd5abba239a1caa731f494dfdfd9

memory/3032-29-0x000000013FC50000-0x000000013FFA1000-memory.dmp

\Windows\system\VTbVLio.exe

MD5 770c252d659ee85a3c03a17a86afbe88
SHA1 fa9f0f4202e648c97da4c73b69c9fc6c84706e9b
SHA256 d1e416ccaafe093076d5b71e77035a25e1c1cc28e81962cd2a22a69b5f6e52a1
SHA512 78566ed7acf47561d6b6b6aa2165d81b5c301e6b445199d504f0a390b0322d3c100b33d0744dfba7210166dc43ed777735682c7b1d4f2c39f8df4ab8690d9c80

\Windows\system\IoeKcpI.exe

MD5 9de6e6924a1f61bac8fb517b742d6f57
SHA1 1b041d109b782f1e014e7a8bf9505ba54a05d652
SHA256 61d652b355f8e50e06d72fc498edf47b2987f8d35b836a2a6af12446df506c33
SHA512 2c5472e4de8526f5c8e07fc1c98c3ac5cb35683b403337c2919274aa3a0f9c2a102e8598e1a6d0a8999effe69bd4e87f377703102e79ec88da9a791e582d84fd

memory/3008-62-0x000000013FF40000-0x0000000140291000-memory.dmp

memory/2288-61-0x000000013FC30000-0x000000013FF81000-memory.dmp

memory/2088-60-0x000000013FC50000-0x000000013FFA1000-memory.dmp

\Windows\system\tgNwWps.exe

MD5 4d5c8d522f90b2c82f73dc4f32ddf9fd
SHA1 f110bc689c9c8447093d203b9e0d3bff7ff1534b
SHA256 d7d902e31e6bc09df07797b9e36f4fa5fccc58f8b5055044a6c6a1b7617af2c7
SHA512 951513d81ab2676f2714b5422ffc578c3a5385e7d9454a9323658fde1184c47544018ccb827c1948809bd5d241bbd89ea71bcc2c0d01bf91430aa76c2b012584

C:\Windows\system\effSxQt.exe

MD5 1914d5f445c309c00f4d71ba35112bf7
SHA1 f203cf98e4a897d51e4caa8737b2661796a250aa
SHA256 0cec15f9ec62a85705a31182ed6f3a1c34d1d0ebea8e5eafeb0e37060f552c6d
SHA512 d3e34e7f8cfeb34a0d3edb014042e19963a9e7b6d20ddc462226aa294c8944bdb8f500628055061131b610cb51b280253174cc76cd8001c88a0162401402f045

C:\Windows\system\aLmYkpK.exe

MD5 5510a0c800c4688316144413030e1e93
SHA1 b0dcb2a566fc2911391d4d6708b15ce35f9d61f9
SHA256 9745cc7d67cdddcf257ce51556177099cbad6d88e8e71450eb8c89613f8183ef
SHA512 6805733e4c3e80d83adc74c129d5f209b60a88c6aa0a3ef75b90dc4f5dd65d49861181c8c0b4837b64a58b3f5fcadaf93953aa7d3b216617a1417000518999cb

C:\Windows\system\iJVOaZR.exe

MD5 394a2962e135341c0367ebe7042572f7
SHA1 db8ccdc7ccdb4733203a4c599caa51816a594b0f
SHA256 b80a9cc57fe6b6bd6480644951e27378251a671c41fc71c5e29e2183486f2c59
SHA512 34641ad4071c3105bfce37c42bec9bb50a16ed4ac3d603637e45f42ea70e9a6cd7137447a1e7c04f862d2771460e7cdb743ee24ea73e4ab0a478025acee98422

memory/2840-56-0x000000013F490000-0x000000013F7E1000-memory.dmp

memory/3032-55-0x0000000002390000-0x00000000026E1000-memory.dmp

memory/3032-54-0x000000013FC30000-0x000000013FF81000-memory.dmp

memory/3032-53-0x000000013FF40000-0x0000000140291000-memory.dmp

memory/2340-52-0x000000013FB40000-0x000000013FE91000-memory.dmp

memory/620-51-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

memory/3032-50-0x000000013FB40000-0x000000013FE91000-memory.dmp

memory/3032-48-0x0000000002390000-0x00000000026E1000-memory.dmp

memory/3032-46-0x0000000002390000-0x00000000026E1000-memory.dmp

memory/3056-44-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

memory/3032-34-0x0000000002390000-0x00000000026E1000-memory.dmp

memory/1716-25-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

memory/1400-18-0x000000013F060000-0x000000013F3B1000-memory.dmp

memory/3032-17-0x0000000002390000-0x00000000026E1000-memory.dmp

memory/1684-69-0x000000013FE50000-0x00000001401A1000-memory.dmp

\Windows\system\iCRbKdU.exe

MD5 d27c4ca065095ba59df8fe2c636f9c43
SHA1 16da61a353076996a514ed68e1cea76e2ca3f42d
SHA256 3454c7d7f1f97eb78d6d199e41490c9768a2a1e942e7edd41d403af8de0a0d7b
SHA512 16ccbdf210e769a2c8c6d3f18788b29724c7a4a289a26f7efff06fcc223962bf150f2785ab92541841d0282db384324f67139a4584da430c5aeab1427dcef371

memory/3032-81-0x0000000002390000-0x00000000026E1000-memory.dmp

memory/2572-82-0x000000013F3B0000-0x000000013F701000-memory.dmp

C:\Windows\system\qaheBRC.exe

MD5 62cdc13d7f2e5e27eb81f5113d62899e
SHA1 85a03d36d32190c282017faf66e2f7b150fbf34b
SHA256 42b1325b02b71a758dd470f42fc9139b5a9ca6988af3dd19d67340a4dacb82e9
SHA512 01d71142bf04563a8c0289e1eb0a3fb502cfd69d33234f550e6cf0fd658fdfc63bc338725e4f671b0aae8e81b133f00691f7644444536695a677881db74eecfd

C:\Windows\system\sIthCXr.exe

MD5 708c92902289532bb53a7d164839d07c
SHA1 78932b3408377768a069c13344e86d3923c24941
SHA256 9a21df41e745f5017235789d01eaaa937f7d24fa6cf865887e6d8727af4a79a4
SHA512 7c56ce8a891aaa9f982c09380d18815eee306fa383ec01beca1ffb3ee925fcac2ec62146be13a4d769ac281408afb8e8f15a05c5783dd9b4e123e8b791dc0871

memory/1716-96-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

\Windows\system\RwYrTVI.exe

MD5 7ba2cf39dfd50bcc564afd5b14994dc6
SHA1 aec3ae3361200a45cf1d3ccf99c58a12e34ffe2f
SHA256 c657b83abf1c691f216417046a4d6b1cbde3fa02d3b96bfa4e14181beb384c2c
SHA512 5d8c540454be99d75a19fd7067cbb8910455deb6e1719ee1ce3d80454160326bf02918d9eb9ac95521f940a6841f2fca4910251fc248ea85f116bb9e4faec40a

memory/568-89-0x000000013F760000-0x000000013FAB1000-memory.dmp

C:\Windows\system\tCnrlAm.exe

MD5 43212159d129b45c5986c07fdc8715af
SHA1 d6cd2af885664eb6a5e8ba12057cb48bacc81192
SHA256 89fb4d48c5368501c1c44db4ac1074c5215379e30a88d9098c6005ba829978cd
SHA512 92ca3812d784d9e29d832bea69affc0832156e004e9f2e87608cbcaf94d6831b47115ce12ebb4734b1d23442b41b7f3de168422061fb8f82b3ba2b55b407458b

\Windows\system\LAypFag.exe

MD5 dad45da66f413bda5da9aa959445c9c2
SHA1 c0caaa6e22df8e6b9756c1f11084630853dc8939
SHA256 aae01339a375b777a106274f82cac1793c7e2f943052a5a58765fc55b2b24297
SHA512 246e333eb6a6cb0cb6820e407ea70958c94a5a1c8d85790a618ad7ce90e433f90f1a01232b805f727594feddd91ae159a8d62b74a839872b43b9c26329f67518

memory/1096-102-0x000000013F020000-0x000000013F371000-memory.dmp

memory/3032-88-0x000000013F370000-0x000000013F6C1000-memory.dmp

C:\Windows\system\aZhSKjV.exe

MD5 6475662bf96a858cdeba619f893bfd2c
SHA1 6862d23a102cd5bac2c1de8283f9aedd2887bc7d
SHA256 11e81af8ad43bd1973630a6645de6b9bb2ab75ba2a386fbbd032f152a460c9f8
SHA512 d9e5b58c363a8d2496fc013fead3ed47a81f26e6c897f2e98dbbaffae3096e65ef19785d7a8da7bf225cd83c55507f83b6f3be47b2c466fa4bd46aed48e4b94f

memory/2700-77-0x000000013F560000-0x000000013F8B1000-memory.dmp

memory/3032-73-0x0000000002390000-0x00000000026E1000-memory.dmp

memory/3032-117-0x0000000002390000-0x00000000026E1000-memory.dmp

\Windows\system\LEmLQMO.exe

MD5 49622b90596aa3d6fcc888d0d91c19a0
SHA1 63ac525e868b8c84991e14522f99598478f9fe7a
SHA256 a10bb2dbad7bf70976f60af845bebfe2721307061e4a8d6978bb8ffdb1f61802
SHA512 a572d98b3120342c7628bb00900c901ad3b75f88e1618d0e3e74b8ce51a850316c8ce5a7c92d64229df1c463beb0e5ba006a002e4d55134319ccef479858ec1b

memory/3032-121-0x000000013F940000-0x000000013FC91000-memory.dmp

C:\Windows\system\tfkZMCp.exe

MD5 fcdbfabc0fc4dccb014b424ecdad42da
SHA1 76c26ab52d3ad9ee9b59de3c9699cae6c95df528
SHA256 be38e6ae6a353433e698863b42b8259d43d3203fc53368d48d64ed69f3cab2d2
SHA512 9b74d788152182a473feb1fba040f79f1c4208577ad01822b296b1232a2d0b6bdeaba50e8a05e0ea21a80014f42b5e9289915db38209929213b7d274aa427760

\Windows\system\DJkVKWX.exe

MD5 7acc13c978d9ff82cc45b356c004fcb0
SHA1 f8fc331b938eb755015bdfae6d03a131937c6b35
SHA256 92fecb6b7edb3c430c757245fd5cad73f2573c906b0f8bd0c4aa8d9916743eb2
SHA512 e8b4d65be94c501538865c200f6ec909ef7dbee88b990110c469b584672f0fa87e69bba8761b22bdbfcacd5fe7d61eabb5cf0320b4a9549d1a155b7914463db0

C:\Windows\system\guuajPL.exe

MD5 1fdda3600139f114c50f44eb4b5ee1a6
SHA1 a959093b4920ab4088322d90e23768b8cacf6c4d
SHA256 a920ef25a6f21a82c8e7889d05c88fa12aa545e75e49c71c5c42d754381685f8
SHA512 fb4191fd75d0aea943233773dd862e29ad6e3a6e11d3fdb8126cafd8cd75ed164cbb87496140eee51490d161f398d63353668c0698f3332f3a8651c062a2d912

memory/3032-136-0x000000013F370000-0x000000013F6C1000-memory.dmp

memory/2288-143-0x000000013FC30000-0x000000013FF81000-memory.dmp

memory/2088-141-0x000000013FC50000-0x000000013FFA1000-memory.dmp

memory/3032-147-0x0000000002390000-0x00000000026E1000-memory.dmp

memory/3008-145-0x000000013FF40000-0x0000000140291000-memory.dmp

memory/1684-146-0x000000013FE50000-0x00000001401A1000-memory.dmp

memory/2572-149-0x000000013F3B0000-0x000000013F701000-memory.dmp

memory/2700-148-0x000000013F560000-0x000000013F8B1000-memory.dmp

memory/2888-152-0x000000013F940000-0x000000013FC91000-memory.dmp

memory/400-153-0x000000013FFA0000-0x00000001402F1000-memory.dmp

memory/568-150-0x000000013F760000-0x000000013FAB1000-memory.dmp

memory/2016-154-0x000000013F5F0000-0x000000013F941000-memory.dmp

memory/2000-157-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/1992-156-0x000000013FA20000-0x000000013FD71000-memory.dmp

memory/900-155-0x000000013F860000-0x000000013FBB1000-memory.dmp

memory/1468-158-0x000000013FD10000-0x0000000140061000-memory.dmp

memory/3032-159-0x000000013F370000-0x000000013F6C1000-memory.dmp

memory/3032-185-0x000000013F940000-0x000000013FC91000-memory.dmp

memory/1400-205-0x000000013F060000-0x000000013F3B1000-memory.dmp

memory/3056-207-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

memory/2340-211-0x000000013FB40000-0x000000013FE91000-memory.dmp

memory/1716-210-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

memory/620-213-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

memory/2840-215-0x000000013F490000-0x000000013F7E1000-memory.dmp

memory/3008-219-0x000000013FF40000-0x0000000140291000-memory.dmp

memory/2288-218-0x000000013FC30000-0x000000013FF81000-memory.dmp

memory/2088-224-0x000000013FC50000-0x000000013FFA1000-memory.dmp

memory/1684-226-0x000000013FE50000-0x00000001401A1000-memory.dmp

memory/568-228-0x000000013F760000-0x000000013FAB1000-memory.dmp

memory/1096-230-0x000000013F020000-0x000000013F371000-memory.dmp

memory/2572-233-0x000000013F3B0000-0x000000013F701000-memory.dmp

memory/2700-234-0x000000013F560000-0x000000013F8B1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 16:07

Reported

2024-08-06 16:10

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\CenwQOk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tOTUXua.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ysSJvHM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XkGJZQA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iVknKXu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FOxsxYP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YQXhdiv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yRJtWdl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\saYogPO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bTMDbED.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eNkmDdO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ioIdxQC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kvbAcXM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\isdMhrl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SBRzGTU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rnCxrac.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YJRcusy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WsHKycb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NHeFftV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cAMYjvM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IBQLYlb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 552 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tOTUXua.exe
PID 552 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tOTUXua.exe
PID 552 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YJRcusy.exe
PID 552 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YJRcusy.exe
PID 552 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WsHKycb.exe
PID 552 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WsHKycb.exe
PID 552 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ioIdxQC.exe
PID 552 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ioIdxQC.exe
PID 552 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ysSJvHM.exe
PID 552 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ysSJvHM.exe
PID 552 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XkGJZQA.exe
PID 552 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XkGJZQA.exe
PID 552 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kvbAcXM.exe
PID 552 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kvbAcXM.exe
PID 552 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iVknKXu.exe
PID 552 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iVknKXu.exe
PID 552 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YQXhdiv.exe
PID 552 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YQXhdiv.exe
PID 552 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NHeFftV.exe
PID 552 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NHeFftV.exe
PID 552 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FOxsxYP.exe
PID 552 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FOxsxYP.exe
PID 552 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\isdMhrl.exe
PID 552 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\isdMhrl.exe
PID 552 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yRJtWdl.exe
PID 552 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yRJtWdl.exe
PID 552 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CenwQOk.exe
PID 552 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CenwQOk.exe
PID 552 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\saYogPO.exe
PID 552 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\saYogPO.exe
PID 552 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bTMDbED.exe
PID 552 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bTMDbED.exe
PID 552 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cAMYjvM.exe
PID 552 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cAMYjvM.exe
PID 552 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IBQLYlb.exe
PID 552 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IBQLYlb.exe
PID 552 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eNkmDdO.exe
PID 552 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eNkmDdO.exe
PID 552 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SBRzGTU.exe
PID 552 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SBRzGTU.exe
PID 552 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rnCxrac.exe
PID 552 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rnCxrac.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_d644ab00850ecebef2dde714f18bab25_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\tOTUXua.exe

C:\Windows\System\tOTUXua.exe

C:\Windows\System\YJRcusy.exe

C:\Windows\System\YJRcusy.exe

C:\Windows\System\WsHKycb.exe

C:\Windows\System\WsHKycb.exe

C:\Windows\System\ioIdxQC.exe

C:\Windows\System\ioIdxQC.exe

C:\Windows\System\ysSJvHM.exe

C:\Windows\System\ysSJvHM.exe

C:\Windows\System\XkGJZQA.exe

C:\Windows\System\XkGJZQA.exe

C:\Windows\System\kvbAcXM.exe

C:\Windows\System\kvbAcXM.exe

C:\Windows\System\iVknKXu.exe

C:\Windows\System\iVknKXu.exe

C:\Windows\System\YQXhdiv.exe

C:\Windows\System\YQXhdiv.exe

C:\Windows\System\NHeFftV.exe

C:\Windows\System\NHeFftV.exe

C:\Windows\System\FOxsxYP.exe

C:\Windows\System\FOxsxYP.exe

C:\Windows\System\isdMhrl.exe

C:\Windows\System\isdMhrl.exe

C:\Windows\System\yRJtWdl.exe

C:\Windows\System\yRJtWdl.exe

C:\Windows\System\CenwQOk.exe

C:\Windows\System\CenwQOk.exe

C:\Windows\System\saYogPO.exe

C:\Windows\System\saYogPO.exe

C:\Windows\System\bTMDbED.exe

C:\Windows\System\bTMDbED.exe

C:\Windows\System\cAMYjvM.exe

C:\Windows\System\cAMYjvM.exe

C:\Windows\System\IBQLYlb.exe

C:\Windows\System\IBQLYlb.exe

C:\Windows\System\eNkmDdO.exe

C:\Windows\System\eNkmDdO.exe

C:\Windows\System\SBRzGTU.exe

C:\Windows\System\SBRzGTU.exe

C:\Windows\System\rnCxrac.exe

C:\Windows\System\rnCxrac.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/552-0-0x00007FF653AB0000-0x00007FF653E01000-memory.dmp

memory/552-1-0x000002BC3B0A0000-0x000002BC3B0B0000-memory.dmp

C:\Windows\System\tOTUXua.exe

MD5 b3f8752e6a9c69e690fa25c6bfd137b2
SHA1 cf8604ae25e172914b8042d5b9dac6dc5f0bffd5
SHA256 9b01da328875ecaab6ff4f05f94f132fc7a57229aed8a9465fe493e191fad03b
SHA512 633437c9997d6201cc40bb0357aab79c8622b550d0af436e14b2c86c4f640bc6ff755a1245170c4884329eb03fe158d44e1e42ceda479d53867129198c7cb444

C:\Windows\System\WsHKycb.exe

MD5 b94b99ca46fdc26030f67ef4cc5812eb
SHA1 1ccf9c9aee4e4d09da24838d74dfdb068fb885a2
SHA256 6ac7b88fbc9b8a1d63eb7e53db99478e56dbc5aef6f31bf50e78a8be73725976
SHA512 4bd8353ca0ed996529a84bb97148bb51ecc2258e15433061ab6481ccbcc07bbb057fb51914bb4288f2829bea98dcf432f5d636cce6810c968097d397701fd603

C:\Windows\System\YJRcusy.exe

MD5 efa7e60e4a046279a621f98b8853e0f8
SHA1 9a88260d122d651579dfe04570474d0c8dfa5fa0
SHA256 7eb1e6044157ae5c899f94c73125bd13395ee7fd9a0142788ede4913ebcbe7e6
SHA512 f7b0e9aa9dd3c1b5bce0fd3c551ceae7f6bd52b3becebae1c011828d0f037c29eedf01cc2fccfdbf32d416af39b5394e5cb4973d98b5efea0d885a761d5cb78e

memory/1876-19-0x00007FF789040000-0x00007FF789391000-memory.dmp

memory/2432-18-0x00007FF645C00000-0x00007FF645F51000-memory.dmp

memory/1092-8-0x00007FF693210000-0x00007FF693561000-memory.dmp

C:\Windows\System\ioIdxQC.exe

MD5 e065b8e938b57e2d41c5e6ee4250615d
SHA1 9490e574786d7aa1d70cb4c326c5b33c3dda015e
SHA256 965b59fa9d63cfd4a105f3265bdecb71403e84e64795d59e88584aa9d5e0fd9f
SHA512 20d5bc39f4b084b309b427c1c896fe7052aa6fc3455d55eaafdfb458d9e0112657c34c2b98d5d645004cbeab3b186f9567d6f4b787639a0da041a3cf512656d5

C:\Windows\System\ysSJvHM.exe

MD5 ad5a1129f1e49cd2b7da5e87c0d6375a
SHA1 93e90f6b484e500542e1b6691dc9afcbe77bc040
SHA256 86087ca5e902eed7b10d3c0415c7a342ce565f59959d43d643d33ed2725d336f
SHA512 d73e29658e3f24e1de71bdcf0d6b2682f7d78b6d09fe94c8b655525921acbec672df9550ddfc8582e83cf16d4ccefec3de689f3067e0c31cca072813fbd084cf

C:\Windows\System\iVknKXu.exe

MD5 75d6587bde63648ca7902cc5673d18e3
SHA1 74cd12221bc282f5861edac953c42e4ce12676f4
SHA256 520c6c6da2786fdba67ba3ec8034f7a2aba1591aadfbc808f4c59f15020371e6
SHA512 cc434c0499b9f5c5d6aba7577b0751e324fc729cf5f0dac88efe3d37da1fd3956838fe4642b0be6f1d16b2e3ffaebb6498f9b3196de461c3a98b98156e457831

C:\Windows\System\NHeFftV.exe

MD5 d7f6d868a970a1b4526f9903caa0f7f4
SHA1 6a3869bcc19dae695835e817b25682675eca8fa2
SHA256 111a55ce721709a7eda46319e20f419d03a78d483939b920290d2a546bf3f610
SHA512 e15f986361b1800dede2b80dacb7fc4f85f067daa5d8d914fc2c97b1e3002ec16f868d67eed1a0bb4a1c9f54d3150d97da1f3f84aa3cef35017097584f635559

memory/4160-56-0x00007FF64F290000-0x00007FF64F5E1000-memory.dmp

C:\Windows\System\saYogPO.exe

MD5 151c76a64b1c1f4a8218b901dc160825
SHA1 93e248ce90ba277b38f98dc0c5eef1cf57ce6b99
SHA256 b5a87b5361f29200db55105bcfebf6d547682805d234270bb52bd36e5ea51139
SHA512 e3197ce7162fb7ee8fb20f6a08fe0ec88043b77af830510a244fb03ea3f3721e51a9af90dd2294f279ffb10f181048ebe01a86887d35538ce7a5bbf1dfb67c88

C:\Windows\System\CenwQOk.exe

MD5 8869ae23dc7fc6fe97d1666ebcfd8041
SHA1 13e4f5ce81787f92302decac77a3d3b112872820
SHA256 09103d23ec04dae647466ba5ca301288799112df2701eeacbcdaf1501a0a1f3f
SHA512 67bf9e618a9300a8ab999bb55103adc31c521f06e79b677ebdb8f6a7ae211a3a50717b995876df3813ee95981510ab1e728b8f12d608c5c99b61962d6fbeedab

C:\Windows\System\eNkmDdO.exe

MD5 4dc86ea4164153ef2eb882092e789581
SHA1 d69622f881c5a43e4b03d96a9480b559fa2c2993
SHA256 8d8bf90e37dcd93018aaa024d5fafd05338dde51fbb7749ae059bde87b82d461
SHA512 69ef95a6d81d033c2c81112107f8267335457dbc9978ffe7076f4e15c00033da35a0508d8d5de8435f31f3af37a3c2a1fdfb78fe363689ba2d1b109133c43e0c

memory/4312-119-0x00007FF631AE0000-0x00007FF631E31000-memory.dmp

memory/2928-125-0x00007FF65D6C0000-0x00007FF65DA11000-memory.dmp

memory/3644-124-0x00007FF6F50A0000-0x00007FF6F53F1000-memory.dmp

memory/744-123-0x00007FF78A590000-0x00007FF78A8E1000-memory.dmp

memory/2896-122-0x00007FF650CE0000-0x00007FF651031000-memory.dmp

memory/3920-121-0x00007FF66CD30000-0x00007FF66D081000-memory.dmp

memory/3656-120-0x00007FF72F980000-0x00007FF72FCD1000-memory.dmp

C:\Windows\System\rnCxrac.exe

MD5 7459f57f23f6be0245ba50155cdfd999
SHA1 1c9faad63dc69e8131e8b2ebaae0785a88c43831
SHA256 2cc83f8281a958deb9834438597d424311cab0a127c5a99d1ed2c0a008c09fc9
SHA512 2d53babf67002c5fd983a3e5e707568801ddabc9e080834edfb827c47091d8f305e8b934f9c3cdb38e64a2bc7ff632e381453d11ebd77ec5697b0bc9aac8a569

C:\Windows\System\SBRzGTU.exe

MD5 f0ff25ade8fccb979afe4dcb53f811a7
SHA1 6be86ee417480c67cd790c47ce4c88899e3319f8
SHA256 6342071fe1548edfcec45f346ac9a3d8af1f36324d1a0a04ce944349bc785f64
SHA512 35d95cb6d721b174dad5a914b8fee51b34f13625e1000e21042fa367beace5dadf62ceb636f596996fbb8df9526c17db9b89dff78b217a25cb718e5edc7dc27f

memory/2504-112-0x00007FF6FC680000-0x00007FF6FC9D1000-memory.dmp

memory/3900-111-0x00007FF6D3EA0000-0x00007FF6D41F1000-memory.dmp

memory/4292-110-0x00007FF749A60000-0x00007FF749DB1000-memory.dmp

memory/1880-102-0x00007FF643C90000-0x00007FF643FE1000-memory.dmp

C:\Windows\System\IBQLYlb.exe

MD5 ce5da741b8b1bad4eb5131572e04e370
SHA1 b8de246d5a8de926454d833e5cf39f1e18ea5a5e
SHA256 ea2f317e235957b3ba0c980f976133efc92d384bdc04035ef66c53c3a80f6d5d
SHA512 e0e35bf54db7e51c2199942bfecd2e81ffb44a78c6ffc965bfe7ffb66c7792962ac4eea4a87ecfedc3fc60d2c4f3a77d090dba713ca26dde44c4c49b1fae2955

C:\Windows\System\yRJtWdl.exe

MD5 36561894b863495430d5606949a9c9de
SHA1 8ef3e9b4e517209017fa1f2e7556deb02a87f3bf
SHA256 12f497429480bfbeb08d3c467c50450cb5194c12d320e084dd90d24e6438126a
SHA512 98a8ddd5a290ea37983b906b8f6478872c5ec4671809387d3fbb5abd738c62a6862bf7d0bc701cda27e500a5f28d94bedf8239d3604868e2eedd2a517ac31bc1

memory/3296-94-0x00007FF7561C0000-0x00007FF756511000-memory.dmp

C:\Windows\System\cAMYjvM.exe

MD5 4d4380ce737110b5313b79ba675b3bac
SHA1 32313fd7476d7df4b4af6bd821ea43507e156b6c
SHA256 dd933d451348d21ce415d84cf8653845d5587f5fd413ba9e0b89122cefb106b1
SHA512 926a2a6eb41e1156d444906b901ebfd06aa53f3ccc22b32bd03032443e256d8675caeabd4761c8bca3cc17e7feaf4bb36e2863fbaa0b00d97d1184d5239d8dd3

memory/5068-81-0x00007FF769010000-0x00007FF769361000-memory.dmp

C:\Windows\System\bTMDbED.exe

MD5 b38b43dedc4b24d14d469a8f5b8482d1
SHA1 57924d7ca426b55a772dfe90b974dbad63fe0829
SHA256 4cfbf49b7fc1a35adc554367ed918e6ee474f28541d40dea96e1a00db9272dcc
SHA512 3384312956819b0eac047795c19e36a327fe2f3827c71c7f15ecf49819598da6f23d882e650055116585846564f9228868e4357678be1ac7aefc74d31b66049b

C:\Windows\System\isdMhrl.exe

MD5 2bd5c3af523170e0c8f702b11cb531aa
SHA1 62698a84d8d23242c2ce17c1f292f4f7a20acd48
SHA256 95705646d407dd48feba60535a1aaa154a6e0c82dd713fc3c7ad902f0c6296f0
SHA512 4962e4201bab2cc2435ac21c98ad600026750491e29b57fd25804246deaee3daed2225501495a46a8c11d6055dda6599ff3bd4f87e009af0ce9ca05a4efb3435

C:\Windows\System\YQXhdiv.exe

MD5 336e2b516e7fed28270bf4a0291a2783
SHA1 05404b1c75bcaebcd7334dafc81676c40c9681a7
SHA256 f294494d87b4b9b64fecb8a81c8b8b09f564ea3f2caac8108b711e28e561bd37
SHA512 1440758277c8e0b5ec10e0b73f878de5a4ce70446f54104d2ad6020b7c2e28bc9f5c992fc24fb000fac7ac21a0d96e922e5488bfad3197a0d11a04ee352b851f

memory/2800-69-0x00007FF6E8A10000-0x00007FF6E8D61000-memory.dmp

C:\Windows\System\FOxsxYP.exe

MD5 328c4a45be93cd2772e02d116fe7bc3e
SHA1 2a3a420c8ab8c3c108aaa1c1b452de019c2469f8
SHA256 7cb03eca153c4dd0ebc03674029980c52ac8e1d0813a7f30730169b82cd0e1c4
SHA512 04f01a98990dcfc272d159ee78055a40d7b1fd19fe05c4318fa3d5cd4301b0e536db526ce3978d6cd40716dab005aa5c1a7d3bf3137e912f5305a0e799561d21

memory/2388-55-0x00007FF7DA5D0000-0x00007FF7DA921000-memory.dmp

C:\Windows\System\kvbAcXM.exe

MD5 52e1033e9bba14d09ddc4a999e011896
SHA1 1e091541815d74edd28924e44aa74b9d881d2a5b
SHA256 2025468cd9d026a7c0cf14d25aec98826b79b452eaa5fbc51050d7e87c2d23be
SHA512 cd0616e353f0476e7667991a9177450488e993fe96b81c33473f440371b7fcd78766d2a3eaa31e462a69fb85b59b60d1a789e70fe7a08b7711f5dccaa33a1d63

C:\Windows\System\XkGJZQA.exe

MD5 77da39e3087648e4b3b1b16cc8b09b58
SHA1 dfb5fb246f1e668920b9e37f2cc427056338b29b
SHA256 048ffbc0d79c1bc74d9ab6c5ad87a6786780dad55f5694e4555e064205840760
SHA512 34b6648b82b80cce980852a6c66a043a12d0434b263a8ab95f1d8cd0599644225d8b544999d2b18d1a057c0fad746cbd5146d1e7322d0a521806d4c08d68221a

memory/4408-45-0x00007FF665D40000-0x00007FF666091000-memory.dmp

memory/3620-28-0x00007FF7D8B50000-0x00007FF7D8EA1000-memory.dmp

memory/1876-131-0x00007FF789040000-0x00007FF789391000-memory.dmp

memory/2388-134-0x00007FF7DA5D0000-0x00007FF7DA921000-memory.dmp

memory/2504-148-0x00007FF6FC680000-0x00007FF6FC9D1000-memory.dmp

memory/3900-147-0x00007FF6D3EA0000-0x00007FF6D41F1000-memory.dmp

memory/3644-144-0x00007FF6F50A0000-0x00007FF6F53F1000-memory.dmp

memory/3296-142-0x00007FF7561C0000-0x00007FF756511000-memory.dmp

memory/5068-140-0x00007FF769010000-0x00007FF769361000-memory.dmp

memory/2800-138-0x00007FF6E8A10000-0x00007FF6E8D61000-memory.dmp

memory/4160-135-0x00007FF64F290000-0x00007FF64F5E1000-memory.dmp

memory/4408-133-0x00007FF665D40000-0x00007FF666091000-memory.dmp

memory/3620-132-0x00007FF7D8B50000-0x00007FF7D8EA1000-memory.dmp

memory/2432-130-0x00007FF645C00000-0x00007FF645F51000-memory.dmp

memory/1092-129-0x00007FF693210000-0x00007FF693561000-memory.dmp

memory/1880-143-0x00007FF643C90000-0x00007FF643FE1000-memory.dmp

memory/552-128-0x00007FF653AB0000-0x00007FF653E01000-memory.dmp

memory/552-150-0x00007FF653AB0000-0x00007FF653E01000-memory.dmp

memory/2432-202-0x00007FF645C00000-0x00007FF645F51000-memory.dmp

memory/1876-205-0x00007FF789040000-0x00007FF789391000-memory.dmp

memory/1092-206-0x00007FF693210000-0x00007FF693561000-memory.dmp

memory/3620-208-0x00007FF7D8B50000-0x00007FF7D8EA1000-memory.dmp

memory/4408-210-0x00007FF665D40000-0x00007FF666091000-memory.dmp

memory/2388-212-0x00007FF7DA5D0000-0x00007FF7DA921000-memory.dmp

memory/3656-215-0x00007FF72F980000-0x00007FF72FCD1000-memory.dmp

memory/2896-216-0x00007FF650CE0000-0x00007FF651031000-memory.dmp

memory/4160-218-0x00007FF64F290000-0x00007FF64F5E1000-memory.dmp

memory/5068-221-0x00007FF769010000-0x00007FF769361000-memory.dmp

memory/3920-222-0x00007FF66CD30000-0x00007FF66D081000-memory.dmp

memory/3296-226-0x00007FF7561C0000-0x00007FF756511000-memory.dmp

memory/744-228-0x00007FF78A590000-0x00007FF78A8E1000-memory.dmp

memory/2800-225-0x00007FF6E8A10000-0x00007FF6E8D61000-memory.dmp

memory/2928-230-0x00007FF65D6C0000-0x00007FF65DA11000-memory.dmp

memory/4292-238-0x00007FF749A60000-0x00007FF749DB1000-memory.dmp

memory/1880-240-0x00007FF643C90000-0x00007FF643FE1000-memory.dmp

memory/2504-234-0x00007FF6FC680000-0x00007FF6FC9D1000-memory.dmp

memory/4312-233-0x00007FF631AE0000-0x00007FF631E31000-memory.dmp

memory/3900-237-0x00007FF6D3EA0000-0x00007FF6D41F1000-memory.dmp

memory/3644-243-0x00007FF6F50A0000-0x00007FF6F53F1000-memory.dmp