Malware Analysis Report

2025-01-22 19:30

Sample ID 240807-1ky99svbpn
Target 2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat
SHA256 353b6fb0219aab7e8d52e3660c2f631f35331760da779259bdd02904b7d742a6
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

353b6fb0219aab7e8d52e3660c2f631f35331760da779259bdd02904b7d742a6

Threat Level: Known bad

The file 2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike

xmrig

XMRig Miner payload

Xmrig family

Cobaltstrike family

Cobalt Strike reflective loader

XMRig Miner payload

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-07 21:43

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
1 match, no per-match detail recorded (all columns N/A)

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
1 match, no per-match detail recorded (all columns N/A)

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
1 match, no per-match detail recorded (all columns N/A)

Unsigned PE

Description Indicator Process Target
2 matches, no per-match detail recorded (all columns N/A)

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-07 21:43

Reported

2024-08-07 21:45

Platform

win7-20240705-en

Max time kernel

141s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 matches, no per-match detail recorded (all columns N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
34 matches, no per-match detail recorded (all columns N/A)

Loads dropped DLL

Description Indicator Process Target
21 events, all from process C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe (description, indicator and target not recorded)

UPX packed file

upx
Description Indicator Process Target
56 matches, no per-match detail recorded (all columns N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\TxvQeVL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GyUSZAf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hquZEjj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qiDeCoa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PiVvFkf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\muQVkcZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pcYwxyE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FkznUwC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pxgCrZv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qlkFcPl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gVZKfGj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JHOtLra.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xpXaodb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hCELsed.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DhfywGF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zfZqYfo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EkyyyzH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wQTsALv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mczeItP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gnKZinp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mpzikQM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
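The table above is the most reusable detection artefact in this report: 21 executables with seven-letter mixed-case names written straight into the bare C:\Windows\System directory (not System32) by a process running from the user's Temp folder. The following is an added example, not code from the report or from the sandbox vendor, showing how that pattern translates into a check over file-create telemetry. The event records are constructed in a Sysmon-style layout (Event ID 11 fields only); the two drops are taken from this report, while the TrustedInstaller and readme.txt records are invented benign noise used to show the check does not fire on them.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Drop location and naming pattern observed in this report.
DROP_DIR = PureWindowsPath(r"C:\Windows\System")
RANDOM_EXE = re.compile(r"^[A-Za-z]{7}\.exe$")
USER_WRITABLE = (PureWindowsPath(r"C:\Users"), PureWindowsPath(r"C:\ProgramData"))

# Constructed Sysmon-style file-create events (Event ID 11 fields only).
# The two C:\Windows\System drops come from this report; the other two
# records are invented benign noise and are not from the report.
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 2524,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe",
     "TargetFilename": r"C:\Windows\System\TxvQeVL.exe"},
    {"EventID": 11, "ProcessId": 2524,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe",
     "TargetFilename": r"C:\Windows\System\GyUSZAf.exe"},
    {"EventID": 11, "ProcessId": 700,   # invented: OS servicing writing into System32
     "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\example.sys"},
    {"EventID": 11, "ProcessId": 3100,  # invented: non-PE file in the same directory
     "Image": r"C:\Users\Admin\AppData\Local\Temp\setup.exe",
     "TargetFilename": r"C:\Windows\System\readme.txt"},
]


def is_under(path, parent):
    """Containment test; PureWindowsPath compares case-insensitively."""
    return path == parent or parent in path.parents


def detect_drops(events):
    """Flag Event ID 11 records that write a seven-letter .exe directly into
    C:\\Windows\\System. Severity is raised when the writer itself runs from a
    user-writable location, as the sample in this report does."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        target = PureWindowsPath(ev["TargetFilename"])
        image = PureWindowsPath(ev["Image"])
        # Exact directory match: System32 and its subdirectories are not in scope.
        if target.parent != DROP_DIR or not RANDOM_EXE.match(target.name):
            continue
        from_user_space = any(is_under(image, p) for p in USER_WRITABLE)
        alerts.append({"pid": ev["ProcessId"], "image": str(image),
                       "dropped": str(target),
                       "severity": "high" if from_user_space else "medium"})
    return alerts


def bursting_writers(alerts, threshold):
    """PIDs responsible for at least `threshold` flagged drops. The sample in this
    report wrote 21 such files, so any sensible threshold catches it."""
    counts = Counter(a["pid"] for a in alerts)
    return sorted(pid for pid, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = detect_drops(SAMPLE_EVENTS)
    for a in found:
        print(a["severity"], a["pid"], a["dropped"])
    print("bursting writers:", bursting_writers(found, threshold=2))
```

The exact-directory comparison is deliberate: legitimate installers and servicing write into System32 and its subdirectories constantly, but almost nothing writes executables into the bare C:\Windows\System directory, which keeps the rule quiet without having to allow-list signers.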

Suspicious use of WriteProcessMemory

All 63 events originate from the submitted sample (PID 2524) and target the 21 processes it started from the executables it dropped, three writes per child. That pattern is what ordinary process start-up looks like on this platform (the parent populating its new child's start-up data during CreateProcess), not injection into a pre-existing process, so read this signature as corroboration of "Executes dropped EXE" rather than as a separate injection finding. Process column for every row: C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe

Description Indicator Target
PID 2524 wrote to memory of 2380 (3 events) N/A C:\Windows\System\JHOtLra.exe
PID 2524 wrote to memory of 2340 (3 events) N/A C:\Windows\System\zfZqYfo.exe
PID 2524 wrote to memory of 1984 (3 events) N/A C:\Windows\System\muQVkcZ.exe
PID 2524 wrote to memory of 1544 (3 events) N/A C:\Windows\System\xpXaodb.exe
PID 2524 wrote to memory of 2784 (3 events) N/A C:\Windows\System\EkyyyzH.exe
PID 2524 wrote to memory of 2720 (3 events) N/A C:\Windows\System\hCELsed.exe
PID 2524 wrote to memory of 2464 (3 events) N/A C:\Windows\System\FkznUwC.exe
PID 2524 wrote to memory of 2916 (3 events) N/A C:\Windows\System\gnKZinp.exe
PID 2524 wrote to memory of 2696 (3 events) N/A C:\Windows\System\DhfywGF.exe
PID 2524 wrote to memory of 2076 (3 events) N/A C:\Windows\System\pxgCrZv.exe
PID 2524 wrote to memory of 3068 (3 events) N/A C:\Windows\System\pcYwxyE.exe
PID 2524 wrote to memory of 2904 (3 events) N/A C:\Windows\System\mpzikQM.exe
PID 2524 wrote to memory of 3032 (3 events) N/A C:\Windows\System\wQTsALv.exe
PID 2524 wrote to memory of 2616 (3 events) N/A C:\Windows\System\TxvQeVL.exe
PID 2524 wrote to memory of 2896 (3 events) N/A C:\Windows\System\qlkFcPl.exe
PID 2524 wrote to memory of 2876 (3 events) N/A C:\Windows\System\GyUSZAf.exe
PID 2524 wrote to memory of 2588 (3 events) N/A C:\Windows\System\hquZEjj.exe
PID 2524 wrote to memory of 1532 (3 events) N/A C:\Windows\System\mczeItP.exe
PID 2524 wrote to memory of 1432 (3 events) N/A C:\Windows\System\qiDeCoa.exe
PID 2524 wrote to memory of 2224 (3 events) N/A C:\Windows\System\gVZKfGj.exe
PID 2524 wrote to memory of 680 (3 events) N/A C:\Windows\System\PiVvFkf.exe
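Deciding whether a WriteProcessMemory signature means injection or just process creation is easier once the rows are collapsed into a writer-to-target tree and each target is checked against the files the writer dropped. The following is an added example, not code from the report or from the sandbox, that does that over the report's own row wording. The twelve rows are copied from this signature's table (four targets, three writes each); the explorer.exe row is hypothetical, not in the report, and is there only to show how a target that is not one of the writer's own dropped files would be surfaced.

```python
import re
from collections import Counter, defaultdict

# Parent image as it appears in the report's Process column.
PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe")


def row(src_pid, dst_pid, target, src=PARENT):
    """Build one row in the sandbox's own wording (Description, Indicator, Process, Target)."""
    return f"PID {src_pid} wrote to memory of {dst_pid} N/A {src} {target}"


# Constructed excerpt: twelve of the 63 rows from this report, plus one
# hypothetical row (PID 999 / explorer.exe) that is NOT in the report.
SAMPLE_ROWS = (
    [row(2524, 2380, r"C:\Windows\System\JHOtLra.exe")] * 3
    + [row(2524, 2340, r"C:\Windows\System\zfZqYfo.exe")] * 3
    + [row(2524, 1984, r"C:\Windows\System\muQVkcZ.exe")] * 3
    + [row(2524, 1544, r"C:\Windows\System\xpXaodb.exe")] * 3
    + [row(2524, 999, r"C:\Windows\explorer.exe")]   # hypothetical, not in the report
)

# Files the parent created under C:\Windows\System (subset of the
# "Drops file in Windows directory" table). A target running one of these
# images is the writer's own child, not a foreign process.
DROPPED = {
    r"C:\Windows\System\JHOtLra.exe", r"C:\Windows\System\zfZqYfo.exe",
    r"C:\Windows\System\muQVkcZ.exe", r"C:\Windows\System\xpXaodb.exe",
}

# Paths in this report contain no spaces, so a whitespace-delimited match is safe.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")


def parse_rows(rows):
    """Return (src_pid, dst_pid, src_image, dst_image) for each row."""
    events = []
    for line in rows:
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        src, dst, _indicator, src_img, dst_img = m.groups()
        events.append((int(src), int(dst), src_img, dst_img))
    return events


def build_tree(events, dropped):
    """Collapse repeated rows into {writer_pid: {target_pid: info}}, recording how
    many times each target was written and whether its image is a file the
    writer itself dropped."""
    dropped_ci = {p.lower() for p in dropped}
    counts = Counter((s, d, di) for s, d, _, di in events)
    tree = defaultdict(dict)
    for (src, dst, img), n in counts.items():
        tree[src][dst] = {"image": img, "writes": n,
                          "own_drop": img.lower() in dropped_ci}
    return dict(tree)


def foreign_targets(tree):
    """(writer, target) pairs whose target image is not one of the writer's own
    dropped executables: the only rows worth treating as possible injection."""
    return sorted((src, dst) for src, kids in tree.items()
                  for dst, info in kids.items() if not info["own_drop"])


if __name__ == "__main__":
    tree = build_tree(parse_rows(SAMPLE_ROWS), DROPPED)
    for src, kids in tree.items():
        for dst, info in sorted(kids.items()):
            print(f"{src} -> {dst} {info['image']} x{info['writes']} own_drop={info['own_drop']}")
    print("foreign targets:", foreign_targets(tree))
```

Run against the full table, the tree has one writer, 21 targets, three writes each and no foreign targets, which is the shape described in the note above; a write into a process whose image the writer never dropped is what would turn this from a start-up artefact into an injection lead.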

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\JHOtLra.exe

C:\Windows\System\JHOtLra.exe

C:\Windows\System\zfZqYfo.exe

C:\Windows\System\zfZqYfo.exe

C:\Windows\System\muQVkcZ.exe

C:\Windows\System\muQVkcZ.exe

C:\Windows\System\xpXaodb.exe

C:\Windows\System\xpXaodb.exe

C:\Windows\System\EkyyyzH.exe

C:\Windows\System\EkyyyzH.exe

C:\Windows\System\hCELsed.exe

C:\Windows\System\hCELsed.exe

C:\Windows\System\FkznUwC.exe

C:\Windows\System\FkznUwC.exe

C:\Windows\System\gnKZinp.exe

C:\Windows\System\gnKZinp.exe

C:\Windows\System\DhfywGF.exe

C:\Windows\System\DhfywGF.exe

C:\Windows\System\pxgCrZv.exe

C:\Windows\System\pxgCrZv.exe

C:\Windows\System\pcYwxyE.exe

C:\Windows\System\pcYwxyE.exe

C:\Windows\System\mpzikQM.exe

C:\Windows\System\mpzikQM.exe

C:\Windows\System\wQTsALv.exe

C:\Windows\System\wQTsALv.exe

C:\Windows\System\TxvQeVL.exe

C:\Windows\System\TxvQeVL.exe

C:\Windows\System\qlkFcPl.exe

C:\Windows\System\qlkFcPl.exe

C:\Windows\System\GyUSZAf.exe

C:\Windows\System\GyUSZAf.exe

C:\Windows\System\hquZEjj.exe

C:\Windows\System\hquZEjj.exe

C:\Windows\System\mczeItP.exe

C:\Windows\System\mczeItP.exe

C:\Windows\System\qiDeCoa.exe

C:\Windows\System\qiDeCoa.exe

C:\Windows\System\gVZKfGj.exe

C:\Windows\System\gVZKfGj.exe

C:\Windows\System\PiVvFkf.exe

C:\Windows\System\PiVvFkf.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none) tcp (6 connections)

No domain is recorded for any of the six connections: the sample reaches the IP:port directly, so a network detection for this sample has to key on the destination address, the non-standard port 8080 and the repeated-connection cadence rather than on DNS.

Files

memory/2524-0-0x000000013FAF0000-0x000000013FE41000-memory.dmp

memory/2524-1-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\JHOtLra.exe

MD5 ef9b72f89ccfcae1542ad2487f4f490f
SHA1 4936cb5922f3667f28b3b39862213c408b6f11b6
SHA256 bc80634215b2019a170f0b80e50d5672a3f967fa2f98ad6391cb9cb1687d4b9d
SHA512 5b1c7e08bc369a1a1f2c683f3e0b9aebff65fc88fa85af2eb8ce5308bcede473f34f938ed86a3fed57a4380853b26f3d261508833ece5e77323e10a7027fdb40

memory/2524-23-0x0000000002300000-0x0000000002651000-memory.dmp

\Windows\system\wQTsALv.exe

MD5 ea6ae35fcf879e444591ff494baad5d3
SHA1 6be922624a3bb34a07544b15d8f8e207e870640f
SHA256 dccb3c4e235e86898ffcc9a7493d683ad8523cdfdff2225ff5e37222fcf09894
SHA512 b3502a8efb761b6d6176163e3b9c285cebcb10204fbbb915e98c913b52a6ba3685c70b6a31f5572b95794240117622b370971c68d2d517589c7cfd90c7a1a2c8

C:\Windows\system\pxgCrZv.exe

MD5 21986ce871d88e22e6bfcd86f240277e
SHA1 4d7e85696d8372c2ff2c80303c968887c493ea43
SHA256 2c4498eb46097582bf4d0279a3d6951a46fb4a72c640f0af5bce96823c83593d
SHA512 f7d2e329e852392a5c9afa7900b66e6de997eb62dc4f7b279cd4dcc618c8ae45d6e9a67c8edea5d87d4157d8a18a956c155489be5a0c91248c9b15f873445bbe

memory/2340-119-0x000000013FB50000-0x000000013FEA1000-memory.dmp

\Windows\system\qlkFcPl.exe

MD5 8eb3995bc074a32846c4fe098deeda30
SHA1 03ff968bb17a756e7e2d3c7ab6f790ef273673e8
SHA256 90d2013c9388a9d12449c3f10e7a1d820c701380f21da858e8939977cd00b87c
SHA512 486d53115ff602b77540a47f782711d3ea57a9966f3e4e711fbb7ff03cfc57d2df4acac4994e9abb4c657c2596968a727d5166b0c2f134b71e429abda0d83e9f

C:\Windows\system\PiVvFkf.exe

MD5 c15e8fd2287c39dd19d8c0930c694c5e
SHA1 6b44aa852c520fb2841494be1cd14bfdb411ead8
SHA256 09b9d2b2df8550184112f9d4282da645c38474ee363f88d0e534e78d92f84685
SHA512 c9fdb0e18f19362a78fa569d36896dbfae1362cc0f64daa688ea6729eda5d6a961d7df9e7737a89f02f185cc4ebda34787d01adba8a446b182a3433802d07cb1

\Windows\system\qiDeCoa.exe

MD5 187ce331885a0b436384bb9405837e55
SHA1 8a1c4a28b36bd23eb011691825851b134ee918bf
SHA256 6a99155df0d8a76fd61535ba1a7c73d603d0d168e9da6bf07bacd5c73198970c
SHA512 0cf6414c279e2fea85fd1bc2c7c949bb901f26bf05184a2349f99f3b986ead009807431ce824d5367c26dcff585b1bd8b4c76cca67321158087a09bdc970617b

memory/2524-68-0x000000013FAF0000-0x000000013FE41000-memory.dmp

\Windows\system\hquZEjj.exe

MD5 e226b0d3d1c8d5167e550d74c144a4de
SHA1 5314285144475db5dd6d2c17a890141fd6f88070
SHA256 380983f259ce20013a056046822fac868eec1fa91c47c142a435c37ca555fb81
SHA512 1c8142aba4e3547732e8afa48a1029e2ec04811a348f05fc51c9f781841f7085825f0b421698defbb0eaa33f073d6aba22ac65762a412b626417c19b4404e0e6

memory/2076-117-0x000000013FA50000-0x000000013FDA1000-memory.dmp

memory/2916-116-0x000000013F1B0000-0x000000013F501000-memory.dmp

memory/2720-114-0x000000013F580000-0x000000013F8D1000-memory.dmp

C:\Windows\system\pcYwxyE.exe

MD5 7d5d946fbeafc926ea5931534ed5fda9
SHA1 9238f7989dc6560bddb1b03fd190ab637b894d3a
SHA256 a37e99d6f5bd59f113be7c74f45c632352cde87134570dc42fcb47bc1f67190a
SHA512 20fc24cd1f665c92bb99c30f601b3059e96c7d63d6bbbdede7a2ef5de93bd6859c2fd772e1a85a741bd4955a669111e8f7b7e0a564e631e12bcb382c9bc6e9f4

memory/1544-105-0x000000013F7F0000-0x000000013FB41000-memory.dmp

C:\Windows\system\DhfywGF.exe

MD5 36457a1f0e991aaa986c4dc0c354a68e
SHA1 066bb234bd01f4d1b9341bb9825ed2449bf1ac83
SHA256 c4baeefeb95a76e7de1a2062a9a43eb313f8d754701758b5dec753f6be8896ae
SHA512 6bb66dce1650cdf6c2e737f07e76365200a941be6e3e7da6900cbbde2c197bc66a98ce02a3370ad78bd3bb96391681820d1fe5947fa74179c9cafb45af3392e0

C:\Windows\system\FkznUwC.exe

MD5 1391ddc7d1ddba53c168b6022fdb3583
SHA1 46921b0cd92131da1715018c7f9bfcaafd7ef386
SHA256 7692034f7ec5db23195fdec3d97f69bf9e5d4ad7efeac3f7f754adf1e8124ae6
SHA512 04b222afaf8f2a07ba821e377c8b4102310a0bcb9e3c5e26c642d8be5fdc8f08b0f0ccbcf8c5d3a91dbf3e6de50ce7e04fc9d4bbc6e08f87b6dc16ce2de5e3c0

memory/2380-97-0x000000013FF60000-0x00000001402B1000-memory.dmp

C:\Windows\system\gVZKfGj.exe

MD5 d21c48c998b4b5838b666a7c0b8d9995
SHA1 1454b8b5ef86a949ec99c58bd92b7bb349af51f1
SHA256 9e7dfc00327e5cecf7a51484d6ecda6beeca9c91504777be5e2ccb0d9626ff52
SHA512 13fb3cdfa65d3d700dfb6ef8b1978e39e52f33b0695039562442f35e8a5c768673cd8e4859bbd7852e406d1cac8ced6b014497eb052cae56a573ea71bb6d74b3

C:\Windows\system\mczeItP.exe

MD5 b92b87b037fc488ddc07ea15af6cc2d6
SHA1 36adc32e172c1f490e3623830e49bc015872c937
SHA256 4a6d51b284ad5ae1c41c2bf42c02493b481fd42c8aa7613722b9096865c72d92
SHA512 b8f15ac97fb1fc83954082239d5b90d52ced36aa1215d23b3602716d929c8016a7c554b12b175c324be424351a4f7dfea3ae5f194ceb576e1093823d6acaecb3

C:\Windows\system\GyUSZAf.exe

MD5 a8563224ac1046cc9b8730b709712476
SHA1 942345b6be2d2da493fb5a16731e432f65f651cc
SHA256 89dce75e7c569a74aecef52ff7d7f47dc577575c0df475bf5cddca978c2dc501
SHA512 efce7b10073ebc47a7d60306fb79eed800d9e9808d4f9a4a0155ef97960c74240d4645cac510b711c4b6cd34279b69cd303742a04acd5ffe05e044faf36aa4ce

C:\Windows\system\TxvQeVL.exe

MD5 19781a01a092d8b924d87e4df7cf112d
SHA1 82c00507b8c887f2b8aacca1ce6494b4a9d5607f
SHA256 c911ce0bb89900ba8e42e332ff48fb83424f209805c52d73d89f781306331a3e
SHA512 53ef87aa733826e724ea667ccea24e64e50fccc4e977327d8f86fbe2c4392f3f32523ff18404388104c73c0e12bad6ef0922bce14b1179288ab8763511d135f0

C:\Windows\system\mpzikQM.exe

MD5 76390b7e774ccde1904407735dd5edc8
SHA1 98d0676b8d6391512b6a708a1cbc8ba4da78c923
SHA256 8fb23a20861fd2a321a56557fc47209034abf26e7bd22ece1ec5a52d80480cdc
SHA512 4b369b6d24a3ff326b2d3eda20de8cbfb221d6a6231681677af0a90b9fe26b55a45588241f82975c52998b57adc167132221106c8e94bd977035147a3358dadd

C:\Windows\system\gnKZinp.exe

MD5 710df90c2dccd757a5dd0d8b8d0ea0a2
SHA1 dd286c0212274c31595a36154ad48bead1497ce4
SHA256 54800950ca7376ba115abee773cd7dc51edd114a9a681036ba1eae196a011804
SHA512 c651cb11d6aac8020d6d514ef8a72a88788817726b0d7359e653b7f2d905e4b271d68431cb4291acdb4c49f88392c54773fc38d9c123298a59c33b1c76a947c1

memory/2524-128-0x0000000002300000-0x0000000002651000-memory.dmp

memory/1984-129-0x000000013FF10000-0x0000000140261000-memory.dmp

C:\Windows\system\hCELsed.exe

MD5 8ffcabb9ad126cb507c6489e4e330955
SHA1 f35518511ad03f814812b7adebcf32a8aa76d71d
SHA256 d638a82423ca8254baae021937222626bc2e2ad1df5472a1c5b8b85f575f38f0
SHA512 cfc5cef1806662f4333dc277fc627d9d9ae365deb2d3e505c6545909a3170461b86862d67bc68ade24ca8ab6f42023abbfff068e6164cd961dae4ca81b5fe168

C:\Windows\system\xpXaodb.exe

MD5 29b703740e5166968a950cfd66b39df4
SHA1 6a3e907e029124285afa8003918c70239161f335
SHA256 85b529f42333daba4b5012d840d441a4ed6d48a277c6a136ba78d08c146f97b5
SHA512 e03516a20eb950ace84c63e2303148d54aa10ecb14de629c27c8c11265ea14b301eb737e2ace4ae63d64d2d82d06037dda02fa9257f1ae1e232c9fae9c70aa9a

C:\Windows\system\zfZqYfo.exe

MD5 aa0993cdee237f3ba1bfaca6d76ad704
SHA1 16729b73c6bd77ed625ea914cff3c74b95263114
SHA256 e086102dbc03515d985449bd13a00afc2e5cf2ca97d6d919bce2d44d89bb9872
SHA512 73dd3df4eba8006d9d771866268f906948024b940bf220209d025e21a789c644fb13d45aa8ac274572a8b1d4300390f76ba511ed8d481917102d95aea45654bc

memory/2784-86-0x000000013FE00000-0x0000000140151000-memory.dmp

memory/2524-85-0x000000013F0D0000-0x000000013F421000-memory.dmp

memory/2524-84-0x000000013F550000-0x000000013F8A1000-memory.dmp

memory/2524-82-0x000000013F740000-0x000000013FA91000-memory.dmp

memory/2524-79-0x000000013FFA0000-0x00000001402F1000-memory.dmp

C:\Windows\system\EkyyyzH.exe

MD5 5ad199d468eecb9aec1b53e86827590a
SHA1 c526f25369a79f4a30787758026b82372321c9ab
SHA256 473a12a90ff0463443e61f65617a3b046597ef7670a51ff37ff630a9d44fa8d4
SHA512 59e8bc9b16fd69738b53f1fb6af791c804b70ab88ee9fdebb4aee98a27cf1f5cde6e7afa89644d028179f6aac11bd57f76570f9fd810bce3c0dfcece91c7335d

memory/2524-56-0x000000013F300000-0x000000013F651000-memory.dmp

memory/2524-42-0x000000013F1B0000-0x000000013F501000-memory.dmp

memory/2524-29-0x000000013F580000-0x000000013F8D1000-memory.dmp

C:\Windows\system\muQVkcZ.exe

MD5 22381b981a21324df9ce8015e38c046d
SHA1 2e4cadb009c9dde8874af0f72d3e5964a2ba739c
SHA256 49db7d633d1ba2c235a42e8ee171e14c0ee31315a28a84d6386f8a744b7da9cd
SHA512 672b98c6a1b059656fcdc5f8dd161f1ccda85778db6fe09674ca613b7650115d228e84256908261222c8dbe92c63a7624a6ec36b95dbd8958a5bc288400fe372

memory/2524-27-0x0000000002300000-0x0000000002651000-memory.dmp

memory/2524-46-0x0000000002300000-0x0000000002651000-memory.dmp

memory/1984-32-0x000000013FF10000-0x0000000140261000-memory.dmp

memory/2380-20-0x000000013FF60000-0x00000001402B1000-memory.dmp

memory/2524-14-0x000000013FF10000-0x0000000140261000-memory.dmp

memory/2524-6-0x000000013FF60000-0x00000001402B1000-memory.dmp

memory/2524-131-0x000000013FAF0000-0x000000013FE41000-memory.dmp

memory/2696-140-0x000000013FC20000-0x000000013FF71000-memory.dmp

memory/2464-138-0x000000013FD50000-0x00000001400A1000-memory.dmp

memory/3068-142-0x000000013F300000-0x000000013F651000-memory.dmp

memory/2904-143-0x000000013F720000-0x000000013FA71000-memory.dmp

memory/2876-147-0x000000013F570000-0x000000013F8C1000-memory.dmp

memory/2224-151-0x000000013F120000-0x000000013F471000-memory.dmp

memory/1432-150-0x000000013F0D0000-0x000000013F421000-memory.dmp

memory/1532-149-0x000000013F740000-0x000000013FA91000-memory.dmp

memory/2588-148-0x000000013FFA0000-0x00000001402F1000-memory.dmp

memory/2896-146-0x000000013F540000-0x000000013F891000-memory.dmp

memory/2616-145-0x000000013F820000-0x000000013FB71000-memory.dmp

memory/3032-144-0x000000013FC30000-0x000000013FF81000-memory.dmp

memory/680-152-0x000000013F550000-0x000000013F8A1000-memory.dmp

memory/2524-153-0x000000013F540000-0x000000013F891000-memory.dmp

memory/2524-154-0x000000013FAF0000-0x000000013FE41000-memory.dmp

memory/2380-221-0x000000013FF60000-0x00000001402B1000-memory.dmp

memory/1984-223-0x000000013FF10000-0x0000000140261000-memory.dmp

memory/2784-225-0x000000013FE00000-0x0000000140151000-memory.dmp

memory/1544-229-0x000000013F7F0000-0x000000013FB41000-memory.dmp

memory/2720-231-0x000000013F580000-0x000000013F8D1000-memory.dmp

memory/2916-233-0x000000013F1B0000-0x000000013F501000-memory.dmp

memory/2340-239-0x000000013FB50000-0x000000013FEA1000-memory.dmp

memory/2076-237-0x000000013FA50000-0x000000013FDA1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-07 21:43

Reported

2024-08-07 21:45

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 rows in total, each N/A in every column)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(48 rows in total, each N/A in every column)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 rows in total, each N/A in every column)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\zfZqYfo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\muQVkcZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gnKZinp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mpzikQM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TxvQeVL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PiVvFkf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xpXaodb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FkznUwC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DhfywGF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pcYwxyE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wQTsALv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gVZKfGj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JHOtLra.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EkyyyzH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qlkFcPl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hquZEjj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mczeItP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hCELsed.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pxgCrZv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GyUSZAf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qiDeCoa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2896 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JHOtLra.exe
PID 2896 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JHOtLra.exe
PID 2896 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zfZqYfo.exe
PID 2896 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zfZqYfo.exe
PID 2896 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\muQVkcZ.exe
PID 2896 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\muQVkcZ.exe
PID 2896 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xpXaodb.exe
PID 2896 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xpXaodb.exe
PID 2896 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EkyyyzH.exe
PID 2896 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EkyyyzH.exe
PID 2896 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hCELsed.exe
PID 2896 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hCELsed.exe
PID 2896 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FkznUwC.exe
PID 2896 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FkznUwC.exe
PID 2896 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gnKZinp.exe
PID 2896 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gnKZinp.exe
PID 2896 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DhfywGF.exe
PID 2896 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DhfywGF.exe
PID 2896 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pxgCrZv.exe
PID 2896 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pxgCrZv.exe
PID 2896 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pcYwxyE.exe
PID 2896 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pcYwxyE.exe
PID 2896 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mpzikQM.exe
PID 2896 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mpzikQM.exe
PID 2896 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wQTsALv.exe
PID 2896 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wQTsALv.exe
PID 2896 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TxvQeVL.exe
PID 2896 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TxvQeVL.exe
PID 2896 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qlkFcPl.exe
PID 2896 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qlkFcPl.exe
PID 2896 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GyUSZAf.exe
PID 2896 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GyUSZAf.exe
PID 2896 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hquZEjj.exe
PID 2896 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hquZEjj.exe
PID 2896 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mczeItP.exe
PID 2896 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mczeItP.exe
PID 2896 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qiDeCoa.exe
PID 2896 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qiDeCoa.exe
PID 2896 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gVZKfGj.exe
PID 2896 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gVZKfGj.exe
PID 2896 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PiVvFkf.exe
PID 2896 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PiVvFkf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_57e09187c49574ec42bf2d3c5d963c35_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\JHOtLra.exe

C:\Windows\System\JHOtLra.exe

C:\Windows\System\zfZqYfo.exe

C:\Windows\System\zfZqYfo.exe

C:\Windows\System\muQVkcZ.exe

C:\Windows\System\muQVkcZ.exe

C:\Windows\System\xpXaodb.exe

C:\Windows\System\xpXaodb.exe

C:\Windows\System\EkyyyzH.exe

C:\Windows\System\EkyyyzH.exe

C:\Windows\System\hCELsed.exe

C:\Windows\System\hCELsed.exe

C:\Windows\System\FkznUwC.exe

C:\Windows\System\FkznUwC.exe

C:\Windows\System\gnKZinp.exe

C:\Windows\System\gnKZinp.exe

C:\Windows\System\DhfywGF.exe

C:\Windows\System\DhfywGF.exe

C:\Windows\System\pxgCrZv.exe

C:\Windows\System\pxgCrZv.exe

C:\Windows\System\pcYwxyE.exe

C:\Windows\System\pcYwxyE.exe

C:\Windows\System\mpzikQM.exe

C:\Windows\System\mpzikQM.exe

C:\Windows\System\wQTsALv.exe

C:\Windows\System\wQTsALv.exe

C:\Windows\System\TxvQeVL.exe

C:\Windows\System\TxvQeVL.exe

C:\Windows\System\qlkFcPl.exe

C:\Windows\System\qlkFcPl.exe

C:\Windows\System\GyUSZAf.exe

C:\Windows\System\GyUSZAf.exe

C:\Windows\System\hquZEjj.exe

C:\Windows\System\hquZEjj.exe

C:\Windows\System\mczeItP.exe

C:\Windows\System\mczeItP.exe

C:\Windows\System\qiDeCoa.exe

C:\Windows\System\qiDeCoa.exe

C:\Windows\System\gVZKfGj.exe

C:\Windows\System\gVZKfGj.exe

C:\Windows\System\PiVvFkf.exe

C:\Windows\System\PiVvFkf.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2896-0-0x00007FF6832A0000-0x00007FF6835F1000-memory.dmp

memory/2896-1-0x0000025F48D80000-0x0000025F48D90000-memory.dmp

C:\Windows\System\muQVkcZ.exe

MD5 22381b981a21324df9ce8015e38c046d
SHA1 2e4cadb009c9dde8874af0f72d3e5964a2ba739c
SHA256 49db7d633d1ba2c235a42e8ee171e14c0ee31315a28a84d6386f8a744b7da9cd
SHA512 672b98c6a1b059656fcdc5f8dd161f1ccda85778db6fe09674ca613b7650115d228e84256908261222c8dbe92c63a7624a6ec36b95dbd8958a5bc288400fe372

C:\Windows\System\zfZqYfo.exe

MD5 aa0993cdee237f3ba1bfaca6d76ad704
SHA1 16729b73c6bd77ed625ea914cff3c74b95263114
SHA256 e086102dbc03515d985449bd13a00afc2e5cf2ca97d6d919bce2d44d89bb9872
SHA512 73dd3df4eba8006d9d771866268f906948024b940bf220209d025e21a789c644fb13d45aa8ac274572a8b1d4300390f76ba511ed8d481917102d95aea45654bc

memory/2084-15-0x00007FF6C8950000-0x00007FF6C8CA1000-memory.dmp

memory/3912-20-0x00007FF7E1720000-0x00007FF7E1A71000-memory.dmp

C:\Windows\System\EkyyyzH.exe

MD5 5ad199d468eecb9aec1b53e86827590a
SHA1 c526f25369a79f4a30787758026b82372321c9ab
SHA256 473a12a90ff0463443e61f65617a3b046597ef7670a51ff37ff630a9d44fa8d4
SHA512 59e8bc9b16fd69738b53f1fb6af791c804b70ab88ee9fdebb4aee98a27cf1f5cde6e7afa89644d028179f6aac11bd57f76570f9fd810bce3c0dfcece91c7335d

C:\Windows\System\hCELsed.exe

MD5 8ffcabb9ad126cb507c6489e4e330955
SHA1 f35518511ad03f814812b7adebcf32a8aa76d71d
SHA256 d638a82423ca8254baae021937222626bc2e2ad1df5472a1c5b8b85f575f38f0
SHA512 cfc5cef1806662f4333dc277fc627d9d9ae365deb2d3e505c6545909a3170461b86862d67bc68ade24ca8ab6f42023abbfff068e6164cd961dae4ca81b5fe168

memory/2684-37-0x00007FF6E10D0000-0x00007FF6E1421000-memory.dmp

memory/2756-38-0x00007FF6E4DD0000-0x00007FF6E5121000-memory.dmp

memory/2880-36-0x00007FF79B5A0000-0x00007FF79B8F1000-memory.dmp

C:\Windows\System\xpXaodb.exe

MD5 29b703740e5166968a950cfd66b39df4
SHA1 6a3e907e029124285afa8003918c70239161f335
SHA256 85b529f42333daba4b5012d840d441a4ed6d48a277c6a136ba78d08c146f97b5
SHA512 e03516a20eb950ace84c63e2303148d54aa10ecb14de629c27c8c11265ea14b301eb737e2ace4ae63d64d2d82d06037dda02fa9257f1ae1e232c9fae9c70aa9a

memory/3348-10-0x00007FF755160000-0x00007FF7554B1000-memory.dmp

C:\Windows\System\JHOtLra.exe

MD5 ef9b72f89ccfcae1542ad2487f4f490f
SHA1 4936cb5922f3667f28b3b39862213c408b6f11b6
SHA256 bc80634215b2019a170f0b80e50d5672a3f967fa2f98ad6391cb9cb1687d4b9d
SHA512 5b1c7e08bc369a1a1f2c683f3e0b9aebff65fc88fa85af2eb8ce5308bcede473f34f938ed86a3fed57a4380853b26f3d261508833ece5e77323e10a7027fdb40

C:\Windows\System\FkznUwC.exe

MD5 1391ddc7d1ddba53c168b6022fdb3583
SHA1 46921b0cd92131da1715018c7f9bfcaafd7ef386
SHA256 7692034f7ec5db23195fdec3d97f69bf9e5d4ad7efeac3f7f754adf1e8124ae6
SHA512 04b222afaf8f2a07ba821e377c8b4102310a0bcb9e3c5e26c642d8be5fdc8f08b0f0ccbcf8c5d3a91dbf3e6de50ce7e04fc9d4bbc6e08f87b6dc16ce2de5e3c0

C:\Windows\System\gnKZinp.exe

MD5 710df90c2dccd757a5dd0d8b8d0ea0a2
SHA1 dd286c0212274c31595a36154ad48bead1497ce4
SHA256 54800950ca7376ba115abee773cd7dc51edd114a9a681036ba1eae196a011804
SHA512 c651cb11d6aac8020d6d514ef8a72a88788817726b0d7359e653b7f2d905e4b271d68431cb4291acdb4c49f88392c54773fc38d9c123298a59c33b1c76a947c1

C:\Windows\System\DhfywGF.exe

MD5 36457a1f0e991aaa986c4dc0c354a68e
SHA1 066bb234bd01f4d1b9341bb9825ed2449bf1ac83
SHA256 c4baeefeb95a76e7de1a2062a9a43eb313f8d754701758b5dec753f6be8896ae
SHA512 6bb66dce1650cdf6c2e737f07e76365200a941be6e3e7da6900cbbde2c197bc66a98ce02a3370ad78bd3bb96391681820d1fe5947fa74179c9cafb45af3392e0

C:\Windows\System\pxgCrZv.exe

MD5 21986ce871d88e22e6bfcd86f240277e
SHA1 4d7e85696d8372c2ff2c80303c968887c493ea43
SHA256 2c4498eb46097582bf4d0279a3d6951a46fb4a72c640f0af5bce96823c83593d
SHA512 f7d2e329e852392a5c9afa7900b66e6de997eb62dc4f7b279cd4dcc618c8ae45d6e9a67c8edea5d87d4157d8a18a956c155489be5a0c91248c9b15f873445bbe

memory/3464-60-0x00007FF639740000-0x00007FF639A91000-memory.dmp

C:\Windows\System\pcYwxyE.exe

MD5 7d5d946fbeafc926ea5931534ed5fda9
SHA1 9238f7989dc6560bddb1b03fd190ab637b894d3a
SHA256 a37e99d6f5bd59f113be7c74f45c632352cde87134570dc42fcb47bc1f67190a
SHA512 20fc24cd1f665c92bb99c30f601b3059e96c7d63d6bbbdede7a2ef5de93bd6859c2fd772e1a85a741bd4955a669111e8f7b7e0a564e631e12bcb382c9bc6e9f4

memory/4524-57-0x00007FF657EA0000-0x00007FF6581F1000-memory.dmp

memory/3328-55-0x00007FF618E10000-0x00007FF619161000-memory.dmp

memory/868-43-0x00007FF78B9F0000-0x00007FF78BD41000-memory.dmp

C:\Windows\System\mpzikQM.exe

MD5 76390b7e774ccde1904407735dd5edc8
SHA1 98d0676b8d6391512b6a708a1cbc8ba4da78c923
SHA256 8fb23a20861fd2a321a56557fc47209034abf26e7bd22ece1ec5a52d80480cdc
SHA512 4b369b6d24a3ff326b2d3eda20de8cbfb221d6a6231681677af0a90b9fe26b55a45588241f82975c52998b57adc167132221106c8e94bd977035147a3358dadd

memory/4520-68-0x00007FF680540000-0x00007FF680891000-memory.dmp

memory/2896-74-0x00007FF6832A0000-0x00007FF6835F1000-memory.dmp

memory/412-76-0x00007FF75F5F0000-0x00007FF75F941000-memory.dmp

memory/3348-75-0x00007FF755160000-0x00007FF7554B1000-memory.dmp

C:\Windows\System\wQTsALv.exe

MD5 ea6ae35fcf879e444591ff494baad5d3
SHA1 6be922624a3bb34a07544b15d8f8e207e870640f
SHA256 dccb3c4e235e86898ffcc9a7493d683ad8523cdfdff2225ff5e37222fcf09894
SHA512 b3502a8efb761b6d6176163e3b9c285cebcb10204fbbb915e98c913b52a6ba3685c70b6a31f5572b95794240117622b370971c68d2d517589c7cfd90c7a1a2c8

memory/528-81-0x00007FF6315C0000-0x00007FF631911000-memory.dmp

C:\Windows\System\TxvQeVL.exe

MD5 19781a01a092d8b924d87e4df7cf112d
SHA1 82c00507b8c887f2b8aacca1ce6494b4a9d5607f
SHA256 c911ce0bb89900ba8e42e332ff48fb83424f209805c52d73d89f781306331a3e
SHA512 53ef87aa733826e724ea667ccea24e64e50fccc4e977327d8f86fbe2c4392f3f32523ff18404388104c73c0e12bad6ef0922bce14b1179288ab8763511d135f0

C:\Windows\System\qlkFcPl.exe

MD5 8eb3995bc074a32846c4fe098deeda30
SHA1 03ff968bb17a756e7e2d3c7ab6f790ef273673e8
SHA256 90d2013c9388a9d12449c3f10e7a1d820c701380f21da858e8939977cd00b87c
SHA512 486d53115ff602b77540a47f782711d3ea57a9966f3e4e711fbb7ff03cfc57d2df4acac4994e9abb4c657c2596968a727d5166b0c2f134b71e429abda0d83e9f

memory/4556-95-0x00007FF6246C0000-0x00007FF624A11000-memory.dmp

memory/2840-89-0x00007FF7D6AD0000-0x00007FF7D6E21000-memory.dmp

memory/2084-80-0x00007FF6C8950000-0x00007FF6C8CA1000-memory.dmp

C:\Windows\System\GyUSZAf.exe

MD5 a8563224ac1046cc9b8730b709712476
SHA1 942345b6be2d2da493fb5a16731e432f65f651cc
SHA256 89dce75e7c569a74aecef52ff7d7f47dc577575c0df475bf5cddca978c2dc501
SHA512 efce7b10073ebc47a7d60306fb79eed800d9e9808d4f9a4a0155ef97960c74240d4645cac510b711c4b6cd34279b69cd303742a04acd5ffe05e044faf36aa4ce

memory/3556-103-0x00007FF6CB6D0000-0x00007FF6CBA21000-memory.dmp

memory/868-104-0x00007FF78B9F0000-0x00007FF78BD41000-memory.dmp

C:\Windows\System\mczeItP.exe

MD5 b92b87b037fc488ddc07ea15af6cc2d6
SHA1 36adc32e172c1f490e3623830e49bc015872c937
SHA256 4a6d51b284ad5ae1c41c2bf42c02493b481fd42c8aa7613722b9096865c72d92
SHA512 b8f15ac97fb1fc83954082239d5b90d52ced36aa1215d23b3602716d929c8016a7c554b12b175c324be424351a4f7dfea3ae5f194ceb576e1093823d6acaecb3

memory/3836-119-0x00007FF721150000-0x00007FF7214A1000-memory.dmp

memory/4024-120-0x00007FF76C1C0000-0x00007FF76C511000-memory.dmp

memory/2900-125-0x00007FF731300000-0x00007FF731651000-memory.dmp

C:\Windows\System\PiVvFkf.exe

MD5 c15e8fd2287c39dd19d8c0930c694c5e
SHA1 6b44aa852c520fb2841494be1cd14bfdb411ead8
SHA256 09b9d2b2df8550184112f9d4282da645c38474ee363f88d0e534e78d92f84685
SHA512 c9fdb0e18f19362a78fa569d36896dbfae1362cc0f64daa688ea6729eda5d6a961d7df9e7737a89f02f185cc4ebda34787d01adba8a446b182a3433802d07cb1

C:\Windows\System\hquZEjj.exe

MD5 e226b0d3d1c8d5167e550d74c144a4de
SHA1 5314285144475db5dd6d2c17a890141fd6f88070
SHA256 380983f259ce20013a056046822fac868eec1fa91c47c142a435c37ca555fb81
SHA512 1c8142aba4e3547732e8afa48a1029e2ec04811a348f05fc51c9f781841f7085825f0b421698defbb0eaa33f073d6aba22ac65762a412b626417c19b4404e0e6

C:\Windows\System\gVZKfGj.exe

MD5 d21c48c998b4b5838b666a7c0b8d9995
SHA1 1454b8b5ef86a949ec99c58bd92b7bb349af51f1
SHA256 9e7dfc00327e5cecf7a51484d6ecda6beeca9c91504777be5e2ccb0d9626ff52
SHA512 13fb3cdfa65d3d700dfb6ef8b1978e39e52f33b0695039562442f35e8a5c768673cd8e4859bbd7852e406d1cac8ced6b014497eb052cae56a573ea71bb6d74b3

C:\Windows\System\qiDeCoa.exe

MD5 187ce331885a0b436384bb9405837e55
SHA1 8a1c4a28b36bd23eb011691825851b134ee918bf
SHA256 6a99155df0d8a76fd61535ba1a7c73d603d0d168e9da6bf07bacd5c73198970c
SHA512 0cf6414c279e2fea85fd1bc2c7c949bb901f26bf05184a2349f99f3b986ead009807431ce824d5367c26dcff585b1bd8b4c76cca67321158087a09bdc970617b

memory/3328-112-0x00007FF618E10000-0x00007FF619161000-memory.dmp

memory/2792-107-0x00007FF71AE40000-0x00007FF71B191000-memory.dmp

memory/2896-132-0x00007FF6832A0000-0x00007FF6835F1000-memory.dmp

memory/3464-136-0x00007FF639740000-0x00007FF639A91000-memory.dmp

memory/3336-138-0x00007FF75E2B0000-0x00007FF75E601000-memory.dmp

memory/2792-151-0x00007FF71AE40000-0x00007FF71B191000-memory.dmp

memory/2900-153-0x00007FF731300000-0x00007FF731651000-memory.dmp

memory/3836-152-0x00007FF721150000-0x00007FF7214A1000-memory.dmp

memory/4024-154-0x00007FF76C1C0000-0x00007FF76C511000-memory.dmp

memory/3556-150-0x00007FF6CB6D0000-0x00007FF6CBA21000-memory.dmp

memory/528-147-0x00007FF6315C0000-0x00007FF631911000-memory.dmp

memory/2896-155-0x00007FF6832A0000-0x00007FF6835F1000-memory.dmp

memory/2896-175-0x00007FF6832A0000-0x00007FF6835F1000-memory.dmp

memory/3348-201-0x00007FF755160000-0x00007FF7554B1000-memory.dmp

memory/2084-203-0x00007FF6C8950000-0x00007FF6C8CA1000-memory.dmp

memory/3912-205-0x00007FF7E1720000-0x00007FF7E1A71000-memory.dmp

memory/2880-207-0x00007FF79B5A0000-0x00007FF79B8F1000-memory.dmp

memory/2684-209-0x00007FF6E10D0000-0x00007FF6E1421000-memory.dmp

memory/2756-211-0x00007FF6E4DD0000-0x00007FF6E5121000-memory.dmp

memory/868-215-0x00007FF78B9F0000-0x00007FF78BD41000-memory.dmp

memory/4524-217-0x00007FF657EA0000-0x00007FF6581F1000-memory.dmp

memory/3328-219-0x00007FF618E10000-0x00007FF619161000-memory.dmp

memory/4520-222-0x00007FF680540000-0x00007FF680891000-memory.dmp

memory/3464-223-0x00007FF639740000-0x00007FF639A91000-memory.dmp

memory/412-226-0x00007FF75F5F0000-0x00007FF75F941000-memory.dmp

memory/528-232-0x00007FF6315C0000-0x00007FF631911000-memory.dmp

memory/2840-234-0x00007FF7D6AD0000-0x00007FF7D6E21000-memory.dmp

memory/4556-236-0x00007FF6246C0000-0x00007FF624A11000-memory.dmp

memory/3556-238-0x00007FF6CB6D0000-0x00007FF6CBA21000-memory.dmp

memory/2900-240-0x00007FF731300000-0x00007FF731651000-memory.dmp

memory/2792-242-0x00007FF71AE40000-0x00007FF71B191000-memory.dmp

memory/3836-244-0x00007FF721150000-0x00007FF7214A1000-memory.dmp

memory/4024-246-0x00007FF76C1C0000-0x00007FF76C511000-memory.dmp

memory/3336-248-0x00007FF75E2B0000-0x00007FF75E601000-memory.dmp