Malware Analysis Report

2025-01-22 19:30

Sample ID 240807-1ndsqsvcjm
Target 2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat
SHA256 de9bad680e02891cedcc3fbd0cd11d8bb088f17481020dd52b4d5d6af58bf6cd
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

de9bad680e02891cedcc3fbd0cd11d8bb088f17481020dd52b4d5d6af58bf6cd

Threat Level: Known bad

The file 2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobaltstrike

Xmrig family

Cobalt Strike reflective loader

Cobaltstrike family

XMRig Miner payload

xmrig

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-07 21:47

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-07 21:47

Reported

2024-08-07 21:49

Platform

win7-20240708-en

Max time kernel

142s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\System\GCZPhhx.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\asJxJsN.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\KZnJwtN.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\loRsXEs.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\OySaTXJ.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\cLIUFQt.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\EtlwrkE.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\Ulouvvt.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\bPwgeWz.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\hwsoDlA.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\NJDvNsZ.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\vPyMEIZ.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\ipHImRk.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\SnAkFQI.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\VDAWoBo.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\DjemAUK.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\oQOswPx.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\faikVMY.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\tlnylwz.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\BLXYJgY.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\wwoHycb.exe | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2308 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\GCZPhhx.exe
PID 2308 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\GCZPhhx.exe
PID 2308 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\GCZPhhx.exe
PID 2308 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\asJxJsN.exe
PID 2308 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\asJxJsN.exe
PID 2308 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\asJxJsN.exe
PID 2308 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\Ulouvvt.exe
PID 2308 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\Ulouvvt.exe
PID 2308 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\Ulouvvt.exe
PID 2308 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\tlnylwz.exe
PID 2308 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\tlnylwz.exe
PID 2308 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\tlnylwz.exe
PID 2308 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\DjemAUK.exe
PID 2308 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\DjemAUK.exe
PID 2308 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\DjemAUK.exe
PID 2308 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\bPwgeWz.exe
PID 2308 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\bPwgeWz.exe
PID 2308 wrote to memory of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\bPwgeWz.exe
PID 2308 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\KZnJwtN.exe
PID 2308 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\KZnJwtN.exe
PID 2308 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\KZnJwtN.exe
PID 2308 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\hwsoDlA.exe
PID 2308 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\hwsoDlA.exe
PID 2308 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\hwsoDlA.exe
PID 2308 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\BLXYJgY.exe
PID 2308 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\BLXYJgY.exe
PID 2308 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\BLXYJgY.exe
PID 2308 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\NJDvNsZ.exe
PID 2308 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\NJDvNsZ.exe
PID 2308 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\NJDvNsZ.exe
PID 2308 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\vPyMEIZ.exe
PID 2308 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\vPyMEIZ.exe
PID 2308 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\vPyMEIZ.exe
PID 2308 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\ipHImRk.exe
PID 2308 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\ipHImRk.exe
PID 2308 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\ipHImRk.exe
PID 2308 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\SnAkFQI.exe
PID 2308 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\SnAkFQI.exe
PID 2308 wrote to memory of 2888 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\SnAkFQI.exe
PID 2308 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\loRsXEs.exe
PID 2308 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\loRsXEs.exe
PID 2308 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\loRsXEs.exe
PID 2308 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\EtlwrkE.exe
PID 2308 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\EtlwrkE.exe
PID 2308 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\EtlwrkE.exe
PID 2308 wrote to memory of 2156 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\wwoHycb.exe
PID 2308 wrote to memory of 2156 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\wwoHycb.exe
PID 2308 wrote to memory of 2156 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\wwoHycb.exe
PID 2308 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\OySaTXJ.exe
PID 2308 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\OySaTXJ.exe
PID 2308 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\OySaTXJ.exe
PID 2308 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\VDAWoBo.exe
PID 2308 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\VDAWoBo.exe
PID 2308 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\VDAWoBo.exe
PID 2308 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\oQOswPx.exe
PID 2308 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\oQOswPx.exe
PID 2308 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\oQOswPx.exe
PID 2308 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\faikVMY.exe
PID 2308 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\faikVMY.exe
PID 2308 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\faikVMY.exe
PID 2308 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\cLIUFQt.exe
PID 2308 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\cLIUFQt.exe
PID 2308 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\cLIUFQt.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\GCZPhhx.exe

C:\Windows\System\GCZPhhx.exe

C:\Windows\System\asJxJsN.exe

C:\Windows\System\asJxJsN.exe

C:\Windows\System\Ulouvvt.exe

C:\Windows\System\Ulouvvt.exe

C:\Windows\System\tlnylwz.exe

C:\Windows\System\tlnylwz.exe

C:\Windows\System\DjemAUK.exe

C:\Windows\System\DjemAUK.exe

C:\Windows\System\bPwgeWz.exe

C:\Windows\System\bPwgeWz.exe

C:\Windows\System\KZnJwtN.exe

C:\Windows\System\KZnJwtN.exe

C:\Windows\System\hwsoDlA.exe

C:\Windows\System\hwsoDlA.exe

C:\Windows\System\BLXYJgY.exe

C:\Windows\System\BLXYJgY.exe

C:\Windows\System\NJDvNsZ.exe

C:\Windows\System\NJDvNsZ.exe

C:\Windows\System\vPyMEIZ.exe

C:\Windows\System\vPyMEIZ.exe

C:\Windows\System\ipHImRk.exe

C:\Windows\System\ipHImRk.exe

C:\Windows\System\SnAkFQI.exe

C:\Windows\System\SnAkFQI.exe

C:\Windows\System\loRsXEs.exe

C:\Windows\System\loRsXEs.exe

C:\Windows\System\EtlwrkE.exe

C:\Windows\System\EtlwrkE.exe

C:\Windows\System\wwoHycb.exe

C:\Windows\System\wwoHycb.exe

C:\Windows\System\OySaTXJ.exe

C:\Windows\System\OySaTXJ.exe

C:\Windows\System\VDAWoBo.exe

C:\Windows\System\VDAWoBo.exe

C:\Windows\System\oQOswPx.exe

C:\Windows\System\oQOswPx.exe

C:\Windows\System\faikVMY.exe

C:\Windows\System\faikVMY.exe

C:\Windows\System\cLIUFQt.exe

C:\Windows\System\cLIUFQt.exe

Network

Country | Destination | Domain | Proto
DE | 3.120.209.58:8080 | | tcp
DE | 3.120.209.58:8080 | | tcp
DE | 3.120.209.58:8080 | | tcp
DE | 3.120.209.58:8080 | | tcp
DE | 3.120.209.58:8080 | | tcp
DE | 3.120.209.58:8080 | | tcp

Files

memory/2308-0-0x000000013FFC0000-0x0000000140311000-memory.dmp

memory/2308-1-0x0000000000080000-0x0000000000090000-memory.dmp

C:\Windows\system\GCZPhhx.exe

MD5 4b2d2eb532cfb0b879fb04ce0e3c5a75
SHA1 28c72391744f094e8e6affe381eb95824d189b66
SHA256 7af48cccdacf7e17ab88a4f7ed0b86470f2428d97c3460600b81be8959fc12fa
SHA512 a18bf4573919a97cacc23232c44e880ec5467efc47fc71dcc0ca8ad09920adbedbd3b7975385f2b57c7ca8ab5a8314b1e609ec35033d2a1847cb93000b351a1c

memory/2308-7-0x000000013F2F0000-0x000000013F641000-memory.dmp

C:\Windows\system\asJxJsN.exe

MD5 3a362e7a2b8694ce0d74174127d185f9
SHA1 cab16443d264ed5a1ee719c774b9dea00934be13
SHA256 4a8cbec33ebc8e9389f5ce85349418b2af51ad834c69af783deb4442d520ff13
SHA512 2475fba8fcce78586a8ffff271f1a4c8de6492802e1704780bc7c5b041559c8e79c81d278c543739b17294163559c32c7d7cf25a26a1c907d98aaa9c76fff6e7

C:\Windows\system\Ulouvvt.exe

MD5 952d498252f8b7f38947828cf86842ad
SHA1 d0c54d4636b04e245fd45916f3bc5ad7d99ee73c
SHA256 eda408c41d618fe570309ab0b5dbdc8130d0b73c746425f09d2a2fab64644cc7
SHA512 42e566d9de3b8cfbbbfd9cec5c3a2d153e6e238300cb20c95ebc95b8c9621e41b6c4df50f614bf30a3961f70fa4044436c61081d150209c98495f2959fa049a8

C:\Windows\system\DjemAUK.exe

MD5 301deb742e25d53c1e4160bf758424ea
SHA1 1bd327f1b1fe4c625f93686b7f4a669ff5a98b7c
SHA256 fa6e10c6f7ba7910c8791a485caa79983c86b0640d0ac0203898fb094c605911
SHA512 74b2c88acc4bbb88ea6a4aefb1dcd36d6311e8bf83fd7e6f3c18233a3f3b4c9425a6d5b933e261c7e456068c55ce8dfc723b89bbc453fa11ae46af3aeaa8429f

memory/2308-25-0x00000000021B0000-0x0000000002501000-memory.dmp

\Windows\system\tlnylwz.exe

MD5 d07763b570bec0f346b373a0ad75603d
SHA1 33e097080582f17d2725cc2b0bc27493d9474b37
SHA256 b51b11d1911ecf3ec714a18c04f83816c07cab6f2b1f2baa03ff9e6455a1ceb1
SHA512 1e48eef3517691f52a4dbbb2b7e9dcd706e7d1c8a37bdba7f8ccc02a8f75285911e8150a8855728f9895450cc1b61108c619ce55d0804b09fdb78fdfb5738bd2

memory/2308-23-0x000000013F0C0000-0x000000013F411000-memory.dmp

memory/2708-22-0x000000013FCA0000-0x000000013FFF1000-memory.dmp

memory/2308-21-0x00000000021B0000-0x0000000002501000-memory.dmp

memory/2808-20-0x000000013F0C0000-0x000000013F411000-memory.dmp

memory/2664-19-0x000000013F2F0000-0x000000013F641000-memory.dmp

memory/2872-39-0x000000013F630000-0x000000013F981000-memory.dmp

memory/2308-38-0x000000013F630000-0x000000013F981000-memory.dmp

\Windows\system\SnAkFQI.exe

MD5 a779c7db743a653ce9d638beba72f1c3
SHA1 9c32c4c13b8eb1ab6534a814d86e7265378308e3
SHA256 4a0d3198b667377d1b6f472aaa336885ea7e16b1ea335f4162b2134a32dbf113
SHA512 dc84327e305a4991c7dc21b2359166b4056a3c7ea60bc96935371804049171ab2784a00623398b002ee7cec44dcbb48b950a8615cf1d851a7c35e279d264a01b

\Windows\system\vPyMEIZ.exe

MD5 d6ea440092951505619205c7b039b0ad
SHA1 bf64c2ed7eea3f43a7782f3040586e036a0d8aa9
SHA256 e46dafb0174832e48e892b9a4a76a643ae880a8d5cba9f51d0122cc3c754d2fe
SHA512 6714131f56621b5d2d521bff33e79a96526275cbe768e3fa65acf2217acb008b5e0e255787417e09194fd75e52f0e26dbe37c3a27791af451a442ec1500cfc35

C:\Windows\system\KZnJwtN.exe

MD5 fa35d567a4ee924b68aec4c2777d9516
SHA1 4469ac3ce8a546418faae4ab6a07862dd3bdb178
SHA256 f7652e6471c64c8434453854117a5b719141fff2d2d34bb986ffd3a2b1883c2a
SHA512 f42a130724e8a3fcf4a73f221878e4217672593c89390ee9c2b0b26d70d2a7cbcf48238a7e4b07367aeceb026904b5bf6b895a4af86b01c4efeafe7e886a384c

\Windows\system\BLXYJgY.exe

MD5 afc553fa36742eccadc61ba14feefc86
SHA1 228253f2b44d48387c6b3c83f607f561438af528
SHA256 0d54ff0ce37ebc17911debd00296754cec1fe3f7b8b82c3f92b3a947f93a581a
SHA512 80221d57f215bb028eed3b630e50f9aa83be68f39632e6433358df3ec1923274867629ac7bff014c20ef61c7097b61f3bde3219938a8e4cfefee9440a195ce28

memory/2764-37-0x000000013FD20000-0x0000000140071000-memory.dmp

memory/2308-47-0x000000013F3F0000-0x000000013F741000-memory.dmp

memory/2172-46-0x000000013F580000-0x000000013F8D1000-memory.dmp

\Windows\system\bPwgeWz.exe

MD5 158e66c64bc3b83df73aa9acb7f6a7bb
SHA1 3396626c611981dbf30c6b34f100eb419550e1ae
SHA256 5d175114be87f8201368290f297f0f9ceeb633c76e0b1b28e360dfda3d20279a
SHA512 c82cd5180457c6816330862ff8d0b40b1107e202d17463745d4f7f54ee89929832baf4fab9eb431c22d9627c2706b7173d9fed7ba1a1a8adc2e579df0ca57799

C:\Windows\system\wwoHycb.exe

MD5 bf580d2d1a9f128c49b8ff69ea7c47b8
SHA1 69397f7c5936c2d58be955900747c1c79bb16b10
SHA256 5929ea534f7ad4a3ece2f746693a3b46811e2a3a262ac3fb39d7dd6bc3c95275
SHA512 08c8335e7476e19707e6e441c7e717630fcc986dbe0ab9c4bdd14a0acc9b21525c2d3e4ca613d0abf4c3c916da47fdfe28f179ccdfff03569ab84f068345c75e

\Windows\system\faikVMY.exe

MD5 46c374c1f296339623dd0cf3a4322bca
SHA1 9a7c6278027ad82cfc41de2016f4f92fe448c88f
SHA256 65856e86a90616e0d954cd4e2e1f72e238609b2a18c80df25414fad23a4c8d79
SHA512 deee64d2ce955473d2f7d93b852b8777884a8a7845beb04ad7210c8172282bd28ad5107b06f28a9d39a3377aedb0badc4e4fcebedbc9122773bd6636ae181b6d

\Windows\system\VDAWoBo.exe

MD5 14502f6d55f55de1af0415ae88325930
SHA1 8fcb1c549e2a8ec644ec9614b75727ce923c9890
SHA256 f7b1491fef69a1489ec69e25dde850aac5be41a30223b61cb62c3cb800a0edf2
SHA512 c77919835a30f5d8ae3dce5ea8c6a37f997347915b659f53cdc0c98b26383800955f09f407f730b36e4f9b5c8637ee7ac5a569138faba4a1fc9079a8b3d4cdbf

memory/2308-75-0x000000013FFC0000-0x0000000140311000-memory.dmp

\Windows\system\loRsXEs.exe

MD5 066346c9857ca5214ef81a9c66747deb
SHA1 ad0144021c8818d2d3a13ccc0ab15beec11a5bed
SHA256 5da5a1849871e98c7ca32b0da36eee87098506d7b66149fc6a991fe2821528f6
SHA512 40af8bddc6ce20e4aa103507d7e71b1deb36fea9679cb49a06299049b03e14b71523941baf332d18ca49c25717d6278d227b8074213e946595367de89664d58c

memory/2556-65-0x000000013F3F0000-0x000000013F741000-memory.dmp

\Windows\system\ipHImRk.exe

MD5 d24a3ca7bbaee238f4a5cf737fa9ba5a
SHA1 1c3187b27cc4d6a69562ee1f396920618e95b0f3
SHA256 5e1d889e54d7480d08e65897e019202f92493d8710d41aaf23230285b15e37f7
SHA512 d13dd7d39b62021f00c612885d9dde28cdc34410d00c3a6d9cc996e06e392b16497867e339549e5fffbd924a51f21f87ea53d0626ebc57336b3972e3813c8aec

memory/2308-58-0x000000013FC50000-0x000000013FFA1000-memory.dmp

\Windows\system\NJDvNsZ.exe

MD5 015549dd36644c335a25f28a81538498
SHA1 6514b7ae8901354fd1d70090f0b093525b449408
SHA256 9769232965e2e217be6d214220e7849126e064f99eec5b32475de74dd13c8939
SHA512 d1d37c735b254e97cf932581f7b850d70174a5654d11ef20ef256f09d6ae6d9cd74818e8d479b55edef0146c65d6cf940b51ebb2c4944938067aa5c88bd34d0b

\Windows\system\hwsoDlA.exe

MD5 bbf54077c1eabf314b0359998f1036ad
SHA1 213a81e48bf7d0f429b6dfb944377cab1a712406
SHA256 5ebe07808f329d2a4632210a3738c2239ffc0b56dc89d5e3b0830448bd6ed2da
SHA512 dc27cf17973a11f483c0e3beb2cc38c4279385df5252a3b2bc40ce778b14db8050d72e67e6044fbd0a356d9d774afcc37f5a0bf45665ae28a9842682b4ed5466

memory/2308-118-0x000000013FA60000-0x000000013FDB1000-memory.dmp

memory/2308-117-0x000000013F640000-0x000000013F991000-memory.dmp

memory/2308-116-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

memory/2308-115-0x000000013F790000-0x000000013FAE1000-memory.dmp

memory/2308-114-0x00000000021B0000-0x0000000002501000-memory.dmp

memory/2308-113-0x000000013F0D0000-0x000000013F421000-memory.dmp

memory/2888-112-0x000000013F640000-0x000000013F991000-memory.dmp

memory/2308-111-0x000000013FAF0000-0x000000013FE41000-memory.dmp

memory/3056-110-0x000000013FD00000-0x0000000140051000-memory.dmp

C:\Windows\system\cLIUFQt.exe

MD5 15752b24422404316c5020ad28004880
SHA1 2aefb465f5e3a2c89f14b5f12db46ba59fbac49a
SHA256 7635d32c161132fe9f9de33832f878942ba5f32a2480db7c064fd39d18d2ab2f
SHA512 22da87fdd2ce7a41f6e856b61c8547fec8aaf080617a0028521e5898106eb51570800e55f4f796ef80a71477f9e84bcbf698b9884fe563ef111edc28b4234195

C:\Windows\system\oQOswPx.exe

MD5 66130f00482bac899b26a32bf837fbed
SHA1 5450fa305cdf2cfcf1d77d1b56fd11d4c6cdcaf4
SHA256 a625e8b3e835146eb67b260f8761e3b6a200bbcb1281f7a05575d778aa60462d
SHA512 6f098119147730cfe1c30b30701240922bf287ffcc886de881b24f6942d0da5d92777d12e35efb8f3ef11c3268938a188290f1836486546c72bafaf64bef50f9

C:\Windows\system\OySaTXJ.exe

MD5 dabc9787818df944141cf4eb490c24f6
SHA1 8c8577e84bb87ad3da88ceaee208a44c36f5c075
SHA256 f2283f372b62d8b59253f09eebefec127114074b70f0e11260c4f7e6b710bdfc
SHA512 7e02cb7a31339cd9767958e4bbfc33c9c2f0c841dfcaad51ee5087a36333087c8df35126d876bf88f316e9ab5f9706799311f9a752673a757486482b741e53ce

C:\Windows\system\EtlwrkE.exe


Analysis: behavioral2

Detonation Overview

Submitted

2024-08-07 21:47

Reported

2024-08-07 21:50

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\CDykOFa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HSwFOCr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nvKCmqP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fDoHBjo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\npFIGmX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\enidYYX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\STPoFxy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ihygGaC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qHcBjGd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CxHkpFQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OrRPNuY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vHdALOT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mVzEdQz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BlDTbzW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PwJeMzI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KXOSlIf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yXGLWYU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tKeMXAf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zzYGMmi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NXWaKia.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ktYcrbz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3564 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NXWaKia.exe
PID 3564 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NXWaKia.exe
PID 3564 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HSwFOCr.exe
PID 3564 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HSwFOCr.exe
PID 3564 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mVzEdQz.exe
PID 3564 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mVzEdQz.exe
PID 3564 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BlDTbzW.exe
PID 3564 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BlDTbzW.exe
PID 3564 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ktYcrbz.exe
PID 3564 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ktYcrbz.exe
PID 3564 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\npFIGmX.exe
PID 3564 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\npFIGmX.exe
PID 3564 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\enidYYX.exe
PID 3564 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\enidYYX.exe
PID 3564 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\STPoFxy.exe
PID 3564 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\STPoFxy.exe
PID 3564 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yXGLWYU.exe
PID 3564 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yXGLWYU.exe
PID 3564 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tKeMXAf.exe
PID 3564 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tKeMXAf.exe
PID 3564 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nvKCmqP.exe
PID 3564 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nvKCmqP.exe
PID 3564 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ihygGaC.exe
PID 3564 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ihygGaC.exe
PID 3564 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fDoHBjo.exe
PID 3564 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fDoHBjo.exe
PID 3564 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qHcBjGd.exe
PID 3564 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qHcBjGd.exe
PID 3564 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CxHkpFQ.exe
PID 3564 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CxHkpFQ.exe
PID 3564 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OrRPNuY.exe
PID 3564 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OrRPNuY.exe
PID 3564 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vHdALOT.exe
PID 3564 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vHdALOT.exe
PID 3564 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PwJeMzI.exe
PID 3564 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PwJeMzI.exe
PID 3564 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KXOSlIf.exe
PID 3564 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KXOSlIf.exe
PID 3564 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CDykOFa.exe
PID 3564 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CDykOFa.exe
PID 3564 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zzYGMmi.exe
PID 3564 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zzYGMmi.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\NXWaKia.exe

C:\Windows\System\NXWaKia.exe

C:\Windows\System\HSwFOCr.exe

C:\Windows\System\HSwFOCr.exe

C:\Windows\System\mVzEdQz.exe

C:\Windows\System\mVzEdQz.exe

C:\Windows\System\BlDTbzW.exe

C:\Windows\System\BlDTbzW.exe

C:\Windows\System\ktYcrbz.exe

C:\Windows\System\ktYcrbz.exe

C:\Windows\System\npFIGmX.exe

C:\Windows\System\npFIGmX.exe

C:\Windows\System\enidYYX.exe

C:\Windows\System\enidYYX.exe

C:\Windows\System\STPoFxy.exe

C:\Windows\System\STPoFxy.exe

C:\Windows\System\yXGLWYU.exe

C:\Windows\System\yXGLWYU.exe

C:\Windows\System\tKeMXAf.exe

C:\Windows\System\tKeMXAf.exe

C:\Windows\System\nvKCmqP.exe

C:\Windows\System\nvKCmqP.exe

C:\Windows\System\ihygGaC.exe

C:\Windows\System\ihygGaC.exe

C:\Windows\System\fDoHBjo.exe

C:\Windows\System\fDoHBjo.exe

C:\Windows\System\qHcBjGd.exe

C:\Windows\System\qHcBjGd.exe

C:\Windows\System\CxHkpFQ.exe

C:\Windows\System\CxHkpFQ.exe

C:\Windows\System\OrRPNuY.exe

C:\Windows\System\OrRPNuY.exe

C:\Windows\System\vHdALOT.exe

C:\Windows\System\vHdALOT.exe

C:\Windows\System\PwJeMzI.exe

C:\Windows\System\PwJeMzI.exe

C:\Windows\System\KXOSlIf.exe

C:\Windows\System\KXOSlIf.exe

C:\Windows\System\CDykOFa.exe

C:\Windows\System\CDykOFa.exe

C:\Windows\System\zzYGMmi.exe

C:\Windows\System\zzYGMmi.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\NXWaKia.exe


C:\Windows\System\HSwFOCr.exe


C:\Windows\System\BlDTbzW.exe


C:\Windows\System\STPoFxy.exe


C:\Windows\System\tKeMXAf.exe


C:\Windows\System\fDoHBjo.exe


C:\Windows\System\nvKCmqP.exe


C:\Windows\System\CxHkpFQ.exe


C:\Windows\System\OrRPNuY.exe

C:\Windows\System\KXOSlIf.exe

C:\Windows\System\vHdALOT.exe


C:\Windows\System\PwJeMzI.exe

C:\Windows\System\qHcBjGd.exe

C:\Windows\System\ihygGaC.exe

C:\Windows\System\yXGLWYU.exe

C:\Windows\System\enidYYX.exe

C:\Windows\System\npFIGmX.exe

C:\Windows\System\ktYcrbz.exe

C:\Windows\System\mVzEdQz.exe

C:\Windows\System\CDykOFa.exe

C:\Windows\System\zzYGMmi.exe
