Malware Analysis Report

2025-01-22 19:25

Sample ID 240806-w1k1cswelm
Target 2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat
SHA256 e0d2cd648dbbe45e74cc6bfa96d9715dde44fa4fb4d351ab9616a56607a6b725
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

e0d2cd648dbbe45e74cc6bfa96d9715dde44fa4fb4d351ab9616a56607a6b725

Threat Level: Known bad

The file 2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

xmrig

Xmrig family

Cobaltstrike

Cobalt Strike reflective loader

XMRig Miner payload

Cobaltstrike family

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 18:23

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 18:23

Reported

2024-08-06 18:25

Platform

win7-20240704-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows; no description, indicator, process or target reported)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (35 identical rows; no description, indicator, process or target reported)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A (21 identical rows; description, indicator and target not reported)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (59 identical rows; no description, indicator, process or target reported)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\vddEqId.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hUNslDI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pGXkXOz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\teaDfTX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mThPXxm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mtrURiD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EKqpjgy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CiNnqnJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XkMZDkV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OKIOddb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fCcAuUI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\suQKIer.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SxXUAFz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JqMhbzQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sjAzCGy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pWnuemb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PgOxUlp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BpgHetA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\igAXafq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fvGfULo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YiNovJM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1916 wrote to memory of 2896 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mtrURiD.exe
PID 1916 wrote to memory of 1620 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EKqpjgy.exe
PID 1916 wrote to memory of 2564 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XkMZDkV.exe
PID 1916 wrote to memory of 2844 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\suQKIer.exe
PID 1916 wrote to memory of 2912 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fvGfULo.exe
PID 1916 wrote to memory of 2268 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vddEqId.exe
PID 1916 wrote to memory of 3024 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hUNslDI.exe
PID 1916 wrote to memory of 816 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YiNovJM.exe
PID 1916 wrote to memory of 2112 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JqMhbzQ.exe
PID 1916 wrote to memory of 1880 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SxXUAFz.exe
PID 1916 wrote to memory of 2592 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pGXkXOz.exe
PID 1916 wrote to memory of 2608 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sjAzCGy.exe
PID 1916 wrote to memory of 2344 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\teaDfTX.exe
PID 1916 wrote to memory of 2600 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OKIOddb.exe
PID 1916 wrote to memory of 2520 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pWnuemb.exe
PID 1916 wrote to memory of 2724 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PgOxUlp.exe
PID 1916 wrote to memory of 2772 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fCcAuUI.exe
PID 1916 wrote to memory of 1420 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CiNnqnJ.exe
PID 1916 wrote to memory of 2496 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BpgHetA.exe
PID 1916 wrote to memory of 2560 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\igAXafq.exe
PID 1916 wrote to memory of 2964 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mThPXxm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\mtrURiD.exe

C:\Windows\System\mtrURiD.exe

C:\Windows\System\EKqpjgy.exe

C:\Windows\System\EKqpjgy.exe

C:\Windows\System\XkMZDkV.exe

C:\Windows\System\XkMZDkV.exe

C:\Windows\System\suQKIer.exe

C:\Windows\System\suQKIer.exe

C:\Windows\System\fvGfULo.exe

C:\Windows\System\fvGfULo.exe

C:\Windows\System\vddEqId.exe

C:\Windows\System\vddEqId.exe

C:\Windows\System\hUNslDI.exe

C:\Windows\System\hUNslDI.exe

C:\Windows\System\YiNovJM.exe

C:\Windows\System\YiNovJM.exe

C:\Windows\System\JqMhbzQ.exe

C:\Windows\System\JqMhbzQ.exe

C:\Windows\System\SxXUAFz.exe

C:\Windows\System\SxXUAFz.exe

C:\Windows\System\pGXkXOz.exe

C:\Windows\System\pGXkXOz.exe

C:\Windows\System\sjAzCGy.exe

C:\Windows\System\sjAzCGy.exe

C:\Windows\System\teaDfTX.exe

C:\Windows\System\teaDfTX.exe

C:\Windows\System\OKIOddb.exe

C:\Windows\System\OKIOddb.exe

C:\Windows\System\pWnuemb.exe

C:\Windows\System\pWnuemb.exe

C:\Windows\System\PgOxUlp.exe

C:\Windows\System\PgOxUlp.exe

C:\Windows\System\fCcAuUI.exe

C:\Windows\System\fCcAuUI.exe

C:\Windows\System\CiNnqnJ.exe

C:\Windows\System\CiNnqnJ.exe

C:\Windows\System\BpgHetA.exe

C:\Windows\System\BpgHetA.exe

C:\Windows\System\igAXafq.exe

C:\Windows\System\igAXafq.exe

C:\Windows\System\mThPXxm.exe

C:\Windows\System\mThPXxm.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp (6 identical connections; no domain reported)

Files

memory/1916-0-0x000000013FE20000-0x0000000140171000-memory.dmp

memory/1916-1-0x0000000000080000-0x0000000000090000-memory.dmp

C:\Windows\system\mtrURiD.exe

MD5 c87b7bc74a1e6987fb6030586384667f
SHA1 9c07cffce92243211c566a82adfe55c521cab15b
SHA256 8c0ca9d5f13f37b5616d56d483f386f82f1b689dd68e751d96495a0a5a0d58e1
SHA512 f161396c5121958eb3b83d6ade932e022fcd654fd68d9bb5ed13fc299ac4e46d0cc4552637793e05882c99e75981f657b8aedf278889c51c0f510ea0a5f3529a

memory/2896-18-0x000000013F960000-0x000000013FCB1000-memory.dmp

memory/1916-14-0x000000013F960000-0x000000013FCB1000-memory.dmp

memory/2844-30-0x000000013FA10000-0x000000013FD61000-memory.dmp

memory/1620-29-0x000000013F920000-0x000000013FC71000-memory.dmp

C:\Windows\system\fvGfULo.exe

MD5 1f7715bfe6aef91d81ca80318547c77c
SHA1 b7bdfeec7d1bdf4a9c16832b7731458d488c3daf
SHA256 06193d91bd8de15011629d9dd41f892cb66a9361d963eb6f7eb5f054e8db413a
SHA512 2f48e115e145bdbb5ab99da46f764c31bdcc5f95d8dc339bfd9df8a2afd6a376e58b6b4f146d17286fbf0a94cde74eff4d7dcdbda9d51d5b240ce54afa3cf663

memory/1916-60-0x000000013F970000-0x000000013FCC1000-memory.dmp

\Windows\system\pGXkXOz.exe

MD5 e2907721f959cbc77f20b3a69bb64644
SHA1 afd68bd7fcac1884415ec065fae090f342dbdbe0
SHA256 5adb688c2dbb1f2665378d533b9979e2ffe8178d063e5da5dcc95a17995479e7
SHA512 2e7044f8c1b3f23b22b5a4d903f2cdf7b95c8166af3e8cb038f7360726f25296b36322ae2d29ffcd4d045702af244c59008cb424445fc7364fcebf1a15ddde5f

memory/1916-54-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

\Windows\system\JqMhbzQ.exe

MD5 3034d6abd20a8bea2e1d45f9c7d00897
SHA1 834fa9107a7fdfaebaae6db6aa4d14cdb247ad50
SHA256 d07e540f523caa138dce26eae400a89ba6b16a93f6fafa2fe5509ff422a66356
SHA512 379d62b47e52e341c4caa6454d22944ef134e3ecc963675f33dc0712bffb6ed8ffc5908d8d518944ba432fdb1b92acdc10f55e7612048ef052ba134778aeeeb4

C:\Windows\system\hUNslDI.exe

MD5 f4e2a781063b007318fc28134d3c25ea
SHA1 e82e6b7557dbe490248cb0935aa6eea2d4008400
SHA256 443e296e04c4696fd20b8b6430afb1cc44e1a60ecfbf7c783af22de41ae3240a
SHA512 3a45969f0b62c61691dbd512a9773d6b1dda515d122d1b75f89bbde2db9c17acfdb80cec564d84079373e628452d1e0b75b526bc88e6a7d62b2350217da3744f

memory/2912-37-0x000000013F720000-0x000000013FA71000-memory.dmp

memory/1916-36-0x000000013F720000-0x000000013FA71000-memory.dmp

memory/1916-27-0x000000013F920000-0x000000013FC71000-memory.dmp

memory/2564-26-0x000000013FB30000-0x000000013FE81000-memory.dmp

C:\Windows\system\suQKIer.exe

MD5 669751d7aef2506c46976cbfffe055d8
SHA1 06a2719bdd6aa6a4e163145a0aef5ccc528a4dec
SHA256 a9286a3a2f2940a64a666d0eb46e97ba571d7f5d0ee13e463d4555ce4b04919e
SHA512 6b935ff966df3a1cac8b08c98056ba0b70dec8d6bb004c758db6768754555cc20aa3d88b55d66c53c4ab7dae1ec2be249afafcc9f6128360b11ca4046f38a9f3

memory/1916-24-0x000000013FA10000-0x000000013FD61000-memory.dmp

memory/1916-21-0x0000000002240000-0x0000000002591000-memory.dmp

C:\Windows\system\XkMZDkV.exe

MD5 fab44f5c2b859254f160d5815a6ea2f1
SHA1 6c37e36ce505d19c77f2cc34288c823a1e75ecb8
SHA256 3c47822e381340953f6c8e6a363ff38a39c45923ae13ad8b9757ce3b0ccb66f6
SHA512 e70516d71295b11b2466e2f0a57db7702f76a4acc0dd238ce9a131ec7883bf21a37aaba68137703dea7e1327980a5e089b9904db2908e5acf4e2831cbf403de6

C:\Windows\system\EKqpjgy.exe

MD5 e8a95f578593f40006995ee532185e73
SHA1 fba1e039a5d71d4d34c3ec25d7428e272d40b1b5
SHA256 bcba9d3026f725c4c9808c962b02e65a8bc1079a828af163204cc6641f1b267e
SHA512 4bb84060862eefa95e6bf9a63170c90ef2b6df5ddb84c02a972346e82cdc4d3d1c7b4c5ffb0e8cb8d964916aff996a83a42c1245e9844d64b9475c0b29240a97

C:\Windows\system\vddEqId.exe

MD5 635423fdce09789137ebf616bc03ff02
SHA1 f58d394aec72e21ae90219458f78399e6d317e5f
SHA256 20a1dc490efdb94188cdc95e7c3b8b29b68e19d1507fc17359d37fc49a6e07c9
SHA512 0097648d1c064d45fca5ae3b02ad9ff6644f21c42b12e7e10f1eec78dd224e7f210282175e97d7e181bd9659dec06d17aad35016b998ba4ed657aeefeead55f2

memory/2268-57-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

\Windows\system\igAXafq.exe

MD5 3800ed121c1b922740086826ae3f4ad3
SHA1 2fb385ba832e036644a1a29616f3d1cada5436df
SHA256 a7ad19f4419758a01fa6cd7c8d66d6c5de2472cc99f9a9e5b55d9dd10ad5cf8c
SHA512 8062c971e05a26501aa5ca1af72bf113b535ae06c3161815762ef7fa6fccc92ea2b31e4593cc9d5879c0d5e64e18a7314719e01abf9be9fc331e8da779f870eb

\Windows\system\CiNnqnJ.exe

MD5 a312b00ae5f0f1a73e7ee65971b2cfa7
SHA1 021c1f09290681912b154dca8217466237644820
SHA256 65a04bd9411af73e93f8d5272de36b3b2fe0865b458e7ab0acb4f46dd97f1b04
SHA512 43f7a0e23326eaff6096f7b662add338856d87c7bc8c7897da8ea259c689ad628ff8cdd44c4f690dfdcd109d0a4001a49e1aeb75cbb44f99e5cce811994731e4

C:\Windows\system\pWnuemb.exe

MD5 fafdfb9eb833b66acc69152e9da707e9
SHA1 630d8ca5e3048c86bfc599c7841331efa94fc6ee
SHA256 9e16c98dc2a5f1286d39f7d1e32cdd370e01812d2a9fdd180ffd31612634b4bc
SHA512 bb4e4c8d8596d89c1156dccdce0201663f6be9dbaca4cad801355547445aff4ba06fd3704d39983d2277a16b9a86ebdbb90b028273bcb991cd3cc4f7f15d1756

\Windows\system\PgOxUlp.exe

MD5 2ce5ec117e1982f30a7cb65a1c76fc4d
SHA1 853a011cd09ce7c51a9993e36c5bd8b31f6ba061
SHA256 872163696bdd2cda08a15c424565831240b1594e8ea18fdba8ef2c3469b110c2
SHA512 e57499666e9899af6cdb51f0d66c68cc92f60d1e18d0a628d4caad4df90cbdb81c912eddf638717a832eff88d848cd9eb86f0db8a1cc1da39c2a011913a0c587

\Windows\system\OKIOddb.exe

MD5 6f074f31b62caff05eaebe1600faca6f
SHA1 d37618d529ceb08e79eab84759c08574f191f1ff
SHA256 69304e1cd0a0f577253429408d7ca95a0354694244e6bb2b9fbab7f54450b942
SHA512 40c3c82fc8fc3d9ad1d921cfbd245bc94d36ec3c36beebfadcf10afafff72c25dd59143e0d70feb2cee3c8ee16ead518555b9fd1671f33bae7f0c617ab4c4f9a

memory/2112-76-0x000000013F090000-0x000000013F3E1000-memory.dmp

\Windows\system\sjAzCGy.exe

MD5 5fec9a1033eec2dde1d3fb9f978ad770
SHA1 1f492d83e1ef5d74bc1ae3ff8d74711350b1c08a
SHA256 45d51e682340dd7b497d9b5d0ce9610af08397a1aa52d52a29fddcec36d0ce7f
SHA512 0191be4e964a36746ad95e7d7e6ea5c6e67993ab984412175c5920d7e05445b6929d81989c32cd2a7a8c4d4c7528e04f759f71c5631fe349ba37598eab9d678f

\Windows\system\SxXUAFz.exe

MD5 54122b947c6ae6c7dd7c712703a80cf7
SHA1 6d5856ba0c3d11d45cc4bb3dc9b04dee5ee4cb88
SHA256 5f0f113373d75b7c02e7a0ddd15942e30dbf17e63325be8f1d8469a506590e2b
SHA512 d7c29cd2d8d0b4f8077a47de7ea6ff09d72dd5fe58633d0af0c6b140e0baa66387463cee53b30ec6fea9294deb1b8d333cc65717142ae3034d0283357f26e03e

memory/1916-120-0x0000000002240000-0x0000000002591000-memory.dmp

C:\Windows\system\mThPXxm.exe

MD5 790de10f988f54ca7a9d12e035e3053c
SHA1 69ef1ce2ba2dd813197846142d6f188e6bc54f9e
SHA256 97accd87e20433707b318391d73651cf726df760ddef7feec1f49ddf0c61c581
SHA512 40ab44b1870bb40b059cc3b20776fb30dd95e60c60d3973727f0235074207f35005f2f822a0dce38eaa2fc756a2da646905b45ab7cb6ff3ee217ddb89a457ee6

C:\Windows\system\YiNovJM.exe

MD5 0e52c0ea08755d506e0347183db6a99b
SHA1 a8b25c9152a4df2f405b2f877c68b20c9c72e7f0
SHA256 4ed49782c55e9ab14cea93004e6835dede68f4e8606495804f150382c16366ce
SHA512 1a4dc37a363da70232899433dff36e6121f1eb75d22085ef155cabc0dd22d73a6738ac6b7bde84f72a726feb2aba38ebf0b990c4903639b5e32c902c594b7a34

memory/1916-111-0x000000013F860000-0x000000013FBB1000-memory.dmp

memory/1916-110-0x000000013F5C0000-0x000000013F911000-memory.dmp

C:\Windows\system\BpgHetA.exe

MD5 1c19eb27e9f53e1869ad0004477cec1b
SHA1 a80173c2e779b563581837cd977796ea18b2a280
SHA256 5ca5a70a541d06dbb88c30ebc2c1da018df944a30e924f9c6dfb123c21339d96
SHA512 58ef2f2360dbebc34a24949416bcfc9bbd5a13d97e5831374e0cc0c1a89327ae6be61b7546c1b60064e0278aec4119c05d98004616eae3a57967abd5ffed7669

C:\Windows\system\fCcAuUI.exe

MD5 f3554866ca93a06516043eaa9bb9b4f1
SHA1 02bc0c79e2f8315126549cdacf93d396d158ffa6
SHA256 8f9d5444dcc4eab91577157d56751bc44e907c1fe08b8892162f608ae2e1eba3
SHA512 23655ff00be7303a67f573dd099f09df16fdb628a3858c2740476479ff561c1ab7a3338f4534a79f31fcc6941ca7776335affabb2b631fbea726a14b60726a13

memory/2520-102-0x000000013F860000-0x000000013FBB1000-memory.dmp

memory/2344-95-0x000000013FC90000-0x000000013FFE1000-memory.dmp

memory/1916-87-0x0000000002240000-0x0000000002591000-memory.dmp

C:\Windows\system\teaDfTX.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 18:23

Reported

2024-08-06 18:26

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\UDxFyCZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rSYwqYK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aOVirIt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\czdYmOQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rQECDpN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GibwJNQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JYIwbNC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dsYsEil.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xBodAHQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kCWUqWw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wUDVcfE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RHcNUUu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EAdnFOT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zmtWhTx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HNesAtO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kXgJIdb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JtZsobg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sXSiCNz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bXjXAcK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HEeUqwe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eczpgOA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3376 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JYIwbNC.exe
PID 3376 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JYIwbNC.exe
PID 3376 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UDxFyCZ.exe
PID 3376 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UDxFyCZ.exe
PID 3376 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sXSiCNz.exe
PID 3376 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sXSiCNz.exe
PID 3376 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rSYwqYK.exe
PID 3376 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rSYwqYK.exe
PID 3376 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EAdnFOT.exe
PID 3376 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EAdnFOT.exe
PID 3376 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bXjXAcK.exe
PID 3376 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bXjXAcK.exe
PID 3376 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zmtWhTx.exe
PID 3376 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zmtWhTx.exe
PID 3376 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HEeUqwe.exe
PID 3376 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HEeUqwe.exe
PID 3376 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HNesAtO.exe
PID 3376 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HNesAtO.exe
PID 3376 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dsYsEil.exe
PID 3376 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dsYsEil.exe
PID 3376 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xBodAHQ.exe
PID 3376 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xBodAHQ.exe
PID 3376 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kCWUqWw.exe
PID 3376 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kCWUqWw.exe
PID 3376 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eczpgOA.exe
PID 3376 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eczpgOA.exe
PID 3376 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wUDVcfE.exe
PID 3376 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wUDVcfE.exe
PID 3376 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RHcNUUu.exe
PID 3376 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RHcNUUu.exe
PID 3376 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aOVirIt.exe
PID 3376 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aOVirIt.exe
PID 3376 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kXgJIdb.exe
PID 3376 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kXgJIdb.exe
PID 3376 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rQECDpN.exe
PID 3376 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rQECDpN.exe
PID 3376 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JtZsobg.exe
PID 3376 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JtZsobg.exe
PID 3376 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\czdYmOQ.exe
PID 3376 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\czdYmOQ.exe
PID 3376 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GibwJNQ.exe
PID 3376 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GibwJNQ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\JYIwbNC.exe

C:\Windows\System\JYIwbNC.exe

C:\Windows\System\UDxFyCZ.exe

C:\Windows\System\UDxFyCZ.exe

C:\Windows\System\sXSiCNz.exe

C:\Windows\System\sXSiCNz.exe

C:\Windows\System\rSYwqYK.exe

C:\Windows\System\rSYwqYK.exe

C:\Windows\System\EAdnFOT.exe

C:\Windows\System\EAdnFOT.exe

C:\Windows\System\bXjXAcK.exe

C:\Windows\System\bXjXAcK.exe

C:\Windows\System\zmtWhTx.exe

C:\Windows\System\zmtWhTx.exe

C:\Windows\System\HEeUqwe.exe

C:\Windows\System\HEeUqwe.exe

C:\Windows\System\HNesAtO.exe

C:\Windows\System\HNesAtO.exe

C:\Windows\System\dsYsEil.exe

C:\Windows\System\dsYsEil.exe

C:\Windows\System\xBodAHQ.exe

C:\Windows\System\xBodAHQ.exe

C:\Windows\System\kCWUqWw.exe

C:\Windows\System\kCWUqWw.exe

C:\Windows\System\eczpgOA.exe

C:\Windows\System\eczpgOA.exe

C:\Windows\System\wUDVcfE.exe

C:\Windows\System\wUDVcfE.exe

C:\Windows\System\RHcNUUu.exe

C:\Windows\System\RHcNUUu.exe

C:\Windows\System\aOVirIt.exe

C:\Windows\System\aOVirIt.exe

C:\Windows\System\kXgJIdb.exe

C:\Windows\System\kXgJIdb.exe

C:\Windows\System\rQECDpN.exe

C:\Windows\System\rQECDpN.exe

C:\Windows\System\JtZsobg.exe

C:\Windows\System\JtZsobg.exe

C:\Windows\System\czdYmOQ.exe

C:\Windows\System\czdYmOQ.exe

C:\Windows\System\GibwJNQ.exe

C:\Windows\System\GibwJNQ.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 24.58.20.217.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\JYIwbNC.exe

C:\Windows\System\sXSiCNz.exe

C:\Windows\System\rSYwqYK.exe

C:\Windows\System\EAdnFOT.exe

C:\Windows\System\bXjXAcK.exe

C:\Windows\System\zmtWhTx.exe

C:\Windows\System\HEeUqwe.exe

C:\Windows\System\UDxFyCZ.exe

C:\Windows\System\HNesAtO.exe

C:\Windows\System\kCWUqWw.exe

C:\Windows\System\wUDVcfE.exe

C:\Windows\System\rQECDpN.exe

C:\Windows\System\czdYmOQ.exe

C:\Windows\System\GibwJNQ.exe

C:\Windows\System\JtZsobg.exe

C:\Windows\System\kXgJIdb.exe

C:\Windows\System\RHcNUUu.exe

C:\Windows\System\aOVirIt.exe

C:\Windows\System\eczpgOA.exe

C:\Windows\System\xBodAHQ.exe

C:\Windows\System\dsYsEil.exe
