Malware Analysis Report

2025-01-22 19:22

Sample ID 240807-x6mxkswdke
Target 2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat
SHA256 8fc94c3007b1d914b5869e67db6211367e0b69c1c4ee1953ebb95fd6fd0491d3
Tags cobaltstrike xmrig 0 backdoor miner trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 8fc94c3007b1d914b5869e67db6211367e0b69c1c4ee1953ebb95fd6fd0491d3

Threat Level: Known bad

The file 2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobalt Strike reflective loader

XMRig Miner payload

xmrig

Cobaltstrike family

Cobaltstrike

Xmrig family

XMRig Miner payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-07 19:28

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-07 19:28

Reported

2024-08-07 19:30

Platform

win7-20240704-en

Max time kernel

130s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\vgNhZlV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fFnnosA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vhIQand.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tNnusPC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SIClXoE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sZekaFG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bUsNSNr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UOzoLbr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nDvlvJT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vTEWYLI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LcDDCpU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bRgOgVh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fFuCopx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dgPqKLz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZnLnbwP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YywOPzI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kRrhMwu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ltrsvHl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VFgAwcL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TvaVaNC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WSlFbcr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1996 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YywOPzI.exe
PID 1996 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YywOPzI.exe
PID 1996 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YywOPzI.exe
PID 1996 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vhIQand.exe
PID 1996 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vhIQand.exe
PID 1996 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vhIQand.exe
PID 1996 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kRrhMwu.exe
PID 1996 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kRrhMwu.exe
PID 1996 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kRrhMwu.exe
PID 1996 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tNnusPC.exe
PID 1996 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tNnusPC.exe
PID 1996 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tNnusPC.exe
PID 1996 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ltrsvHl.exe
PID 1996 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ltrsvHl.exe
PID 1996 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ltrsvHl.exe
PID 1996 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SIClXoE.exe
PID 1996 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SIClXoE.exe
PID 1996 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SIClXoE.exe
PID 1996 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vTEWYLI.exe
PID 1996 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vTEWYLI.exe
PID 1996 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vTEWYLI.exe
PID 1996 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sZekaFG.exe
PID 1996 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sZekaFG.exe
PID 1996 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sZekaFG.exe
PID 1996 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bUsNSNr.exe
PID 1996 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bUsNSNr.exe
PID 1996 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bUsNSNr.exe
PID 1996 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VFgAwcL.exe
PID 1996 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VFgAwcL.exe
PID 1996 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VFgAwcL.exe
PID 1996 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UOzoLbr.exe
PID 1996 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UOzoLbr.exe
PID 1996 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UOzoLbr.exe
PID 1996 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LcDDCpU.exe
PID 1996 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LcDDCpU.exe
PID 1996 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LcDDCpU.exe
PID 1996 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bRgOgVh.exe
PID 1996 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bRgOgVh.exe
PID 1996 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bRgOgVh.exe
PID 1996 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TvaVaNC.exe
PID 1996 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TvaVaNC.exe
PID 1996 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TvaVaNC.exe
PID 1996 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vgNhZlV.exe
PID 1996 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vgNhZlV.exe
PID 1996 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vgNhZlV.exe
PID 1996 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fFuCopx.exe
PID 1996 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fFuCopx.exe
PID 1996 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fFuCopx.exe
PID 1996 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dgPqKLz.exe
PID 1996 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dgPqKLz.exe
PID 1996 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dgPqKLz.exe
PID 1996 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fFnnosA.exe
PID 1996 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fFnnosA.exe
PID 1996 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fFnnosA.exe
PID 1996 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WSlFbcr.exe
PID 1996 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WSlFbcr.exe
PID 1996 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WSlFbcr.exe
PID 1996 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZnLnbwP.exe
PID 1996 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZnLnbwP.exe
PID 1996 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZnLnbwP.exe
PID 1996 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nDvlvJT.exe
PID 1996 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nDvlvJT.exe
PID 1996 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nDvlvJT.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\YywOPzI.exe

C:\Windows\System\YywOPzI.exe

C:\Windows\System\vhIQand.exe

C:\Windows\System\vhIQand.exe

C:\Windows\System\kRrhMwu.exe

C:\Windows\System\kRrhMwu.exe

C:\Windows\System\tNnusPC.exe

C:\Windows\System\tNnusPC.exe

C:\Windows\System\ltrsvHl.exe

C:\Windows\System\ltrsvHl.exe

C:\Windows\System\SIClXoE.exe

C:\Windows\System\SIClXoE.exe

C:\Windows\System\vTEWYLI.exe

C:\Windows\System\vTEWYLI.exe

C:\Windows\System\sZekaFG.exe

C:\Windows\System\sZekaFG.exe

C:\Windows\System\bUsNSNr.exe

C:\Windows\System\bUsNSNr.exe

C:\Windows\System\VFgAwcL.exe

C:\Windows\System\VFgAwcL.exe

C:\Windows\System\UOzoLbr.exe

C:\Windows\System\UOzoLbr.exe

C:\Windows\System\LcDDCpU.exe

C:\Windows\System\LcDDCpU.exe

C:\Windows\System\bRgOgVh.exe

C:\Windows\System\bRgOgVh.exe

C:\Windows\System\TvaVaNC.exe

C:\Windows\System\TvaVaNC.exe

C:\Windows\System\vgNhZlV.exe

C:\Windows\System\vgNhZlV.exe

C:\Windows\System\fFuCopx.exe

C:\Windows\System\fFuCopx.exe

C:\Windows\System\dgPqKLz.exe

C:\Windows\System\dgPqKLz.exe

C:\Windows\System\fFnnosA.exe

C:\Windows\System\fFnnosA.exe

C:\Windows\System\WSlFbcr.exe

C:\Windows\System\WSlFbcr.exe

C:\Windows\System\ZnLnbwP.exe

C:\Windows\System\ZnLnbwP.exe

C:\Windows\System\nDvlvJT.exe

C:\Windows\System\nDvlvJT.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1996-0-0x00000000001F0000-0x0000000000200000-memory.dmp

memory/1996-1-0x000000013FF30000-0x0000000140284000-memory.dmp

\Windows\system\YywOPzI.exe

MD5 e479b48d3dcf88d0b0197d0dae9dded1
SHA1 1e4732ed83d2604b0fc74f01bce86e3ceb9f2698
SHA256 abcce2d5a5467bbf24afe15e3998bd6e4c2f6c45120826361f61558da19e64c6
SHA512 42776f3097983c3da3ce306ea5b2fe25d7214a6848f2151a8e821bee2df78171ec80c0adc98d3fe68ea5b3b212e5f36c9370570fa8b6f3c819a0093e45a47c8e

memory/1996-6-0x00000000023D0000-0x0000000002724000-memory.dmp

memory/2476-9-0x000000013FCE0000-0x0000000140034000-memory.dmp

\Windows\system\vhIQand.exe

MD5 4385499fec743d4892273f2824229711
SHA1 6758e19646ad3d2aba83e1e9886d54899e2a8cb4
SHA256 e1e313430efdf218ddb6e9cdc5c3eb6dec315dc8f8709979ff7f7dea75923d1c
SHA512 7044adc64a88bc703eb0a1b894948b2ef3f25c025ee6e2966edbdae2ac6f6db2cff2e346c1880d18cab1d1bbec5cf7f10687ff867df072837df10bda955a5616

\Windows\system\kRrhMwu.exe

MD5 44c4d9473a6f2a1480e53a504bb17376
SHA1 6564ef2679a6cdd8389d719c758b55ad30afe613
SHA256 7b31d01feb24c647e5d084d50a1e8c83daf22ce9dafc93592971eb438a4eeef8
SHA512 298fff5182e34939365ff4e1de4ac21b47d16a63458a8f298f4891b5cb45c4f224d44a19b727fc76ae5ec5431fee2f172bc23e3192277a588d90d432616a4fff

memory/2808-19-0x000000013F090000-0x000000013F3E4000-memory.dmp

\Windows\system\tNnusPC.exe

MD5 8ef819f7011fa0ff6f2cd4d48d626c2a
SHA1 756c59eeca6b98403451657bf1624533ce7d5fb4
SHA256 6e1bb1c4220925260fd1fd88965071437311bc5caf7dbf1dd2c13880e642dd3d
SHA512 47391ba1539cc02f8e3558a5ef6fc42fbce1baf8d7ad54fb903b252b551668b7184d59adc4ee522620ee7af9087cabc9c44962f3c5c58e5aa229342443ab30c1

\Windows\system\ltrsvHl.exe

MD5 7eb430af02a995da37dd75132e2a1832
SHA1 de1c766a81c0daff6ad84f87758d76095a22af1e
SHA256 53225b48a938469b4cbc0fa5a55306cd9d4195c59cbf5aab3e94b8257359e520
SHA512 90c880c3f986886fb1ab1a73871331079c547cfe1c9fa2acce4c1c582384963f65b43ff7a88735d442b0c975e3f8ce58dec6675178a8b34ebe2db75f811aa90c

memory/2672-33-0x000000013FEB0000-0x0000000140204000-memory.dmp

memory/1996-29-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/2216-24-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/2756-35-0x000000013F450000-0x000000013F7A4000-memory.dmp

memory/1996-39-0x00000000023D0000-0x0000000002724000-memory.dmp

memory/2664-40-0x000000013FC20000-0x000000013FF74000-memory.dmp

C:\Windows\system\SIClXoE.exe

MD5 2d678a9af8bd15070cb04c1a8565d876
SHA1 c5d9ad361c3a5dad5ac72bd66dda3043b2274205
SHA256 14d2fc47e08704eb9d20181be59eb3ceec567bd580921c6ee7b080f133ad490a
SHA512 b1f1e6915ffafb443f8670bc3243d99b5b410bdb537a3c6e01023284e83f755a20a77ce83510eebde379246402002729c72fc90e58bb4299521053ebe5ff6a15

memory/1996-34-0x000000013F450000-0x000000013F7A4000-memory.dmp

C:\Windows\system\vTEWYLI.exe

MD5 3241450cea1bb087812986e23768c129
SHA1 feb104420c5082b06dfabfea4321889e957ec5f3
SHA256 78fe14da3b52df8cd98419313f16d6ad3b49b1377c50f603c821e2acc43879f4
SHA512 fc9ca57c9e80003d7e720d2113dda7a8503c1b4cb7d928cc119cf85285ad231cc9486b51b548f8fc114ac27a204c8423d21e23521d8f099d4de9970b5a00d2c9

memory/2848-48-0x000000013F610000-0x000000013F964000-memory.dmp

memory/1996-46-0x000000013F610000-0x000000013F964000-memory.dmp

memory/1996-50-0x000000013FF30000-0x0000000140284000-memory.dmp

\Windows\system\sZekaFG.exe

MD5 a7e935f1ac005c1d3f0d8776c1e2a909
SHA1 dc0a200ffb2a8fa26c1bb9e808450b5375fdec9f
SHA256 51b5351570b642e7654b83c762780939ad888433ebb5514b828027c6eace5d6c
SHA512 bd108d53f3f35d9ff435d1fd528b240e55e9aab01607cb776eb9e272f9f9517edc2a6fd6f67c6dfeef9394e350ad69204ee049cb7667a76abb165624c7a56b2b

memory/1996-56-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/2588-57-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/2564-63-0x000000013F350000-0x000000013F6A4000-memory.dmp

memory/1996-62-0x000000013F350000-0x000000013F6A4000-memory.dmp

C:\Windows\system\bUsNSNr.exe

MD5 c6502c7cd2f82e3d246f97378aa2a3ca
SHA1 21f72af27383ecfb4c09583e7f37203598ee795d
SHA256 e0d128a709c6eaa210d950f8f98cb885a3f2ec2932f4fd6daed7a33b98ec06b4
SHA512 e290042112d97ae90042989963a8ec6f4c4df23b9a1daa554817005ad6555469df9e40a7bfbd913d4a1f99c9c5af171f416726073be3cbd804028e82b09f6574

C:\Windows\system\VFgAwcL.exe

MD5 c701c6c26e7f34b5714f89324970a615
SHA1 591b55cf63a5430d64835b892e654838c7e97ef3
SHA256 d541b1f3b8863fb59968a7cf8738316e3176789eb60d11934dde6a0e0ac65b4c
SHA512 192d5b47ed2fc0dfae7c45261bf4fb5edb0f2a86d95746cb910dd840dd4baf6ccfc165f7e3a0f022c5a24876254bad40a9fb9d6296fd4ed06784be7434583b9b

C:\Windows\system\LcDDCpU.exe

MD5 a9dbc60b23a18d03beb9efb0ed61ac7e
SHA1 67192516a8dd0a2e79d3ae6a86da14d436822530
SHA256 5fa07db1ebfc4fd200b91e92ba66a2e0645496a5c6c4021ec9c0ebd251e26888
SHA512 680ee111fbd951d30786f53230796032a1a903c103565f9d852643deb10ea2952757f591445e9bb1cf7a961c46e7446ec3bcc01409934c0bcbf4c2279715c2ff

\Windows\system\UOzoLbr.exe

MD5 c145b89bc25832d84d993172aec66296
SHA1 60e065d9dce170640809dbf59e8f4e427443cb27
SHA256 dba87f8948394d890ebdd2bc5dbcaf58527638d48aaccb4606aea71917d9f0da
SHA512 170d936b079681351fd5b437a35ce2c0a7966247dfe696ae9909b51ff879d22febca380e4d06288e263e2ddf0e1897735136cf6e2447cbb49e79a275b054f271

memory/2216-81-0x000000013FAB0000-0x000000013FE04000-memory.dmp

memory/2988-82-0x000000013F4F0000-0x000000013F844000-memory.dmp

memory/1996-83-0x000000013F400000-0x000000013F754000-memory.dmp

memory/1996-85-0x000000013FBC0000-0x000000013FF14000-memory.dmp

memory/2212-84-0x000000013F400000-0x000000013F754000-memory.dmp

memory/1496-86-0x000000013FBC0000-0x000000013FF14000-memory.dmp

memory/2476-74-0x000000013FCE0000-0x0000000140034000-memory.dmp

C:\Windows\system\bRgOgVh.exe

MD5 2b213ed69e846d364681442262e27ff1
SHA1 01ad5ff1e942e070c2f9a5404763845f84992309
SHA256 916d3dde2d0d368ec2f51c2d62a807d557771e65460fc4980ed383a37d90dd22
SHA512 9b589d3b2a49ea5380884c78762f5f20277226d42ad7bc6a61c14c941a6b2a8d7f3c8aee29268a38bf096fa6d8d7ec041e3c9b3fc47bb9e8fbbd24d4c14b7f21

memory/2176-91-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/1996-90-0x00000000023D0000-0x0000000002724000-memory.dmp

memory/1996-98-0x000000013FB50000-0x000000013FEA4000-memory.dmp

\Windows\system\TvaVaNC.exe

MD5 dc4a5df702801be85ea65e6c59bdf5e6
SHA1 6ffe80d6d3f23203fbfe2ac879177d9143164d21
SHA256 f58001e4096c70402d71c8e4be50b2c7e722a22f0d842a4a111e9d2d77b77e64
SHA512 c561b70aa2fb644f75191fae7ef79708faeb8adb630cc1d98bf87a3995380e554d428a93c23e50c26024b32edaa77b29332b917d08158b7d01d3cc7bc3e9e468

memory/2868-100-0x000000013FB50000-0x000000013FEA4000-memory.dmp

memory/1996-106-0x000000013F5B0000-0x000000013F904000-memory.dmp

C:\Windows\system\fFnnosA.exe

MD5 113e93373e95e4b39fc93c09d05bd182
SHA1 b4f60badc0bdc6f4feb83ffd4995be8a5108f598
SHA256 1f9ff63e3150395e2bddc4c45d9a117a6af5b672fd9a1be2c4bc0b5f7012d0ea
SHA512 7fe56555821a4c1011ab929dbf499e7deba7a1c9dc3a0ed8c91a7d2bc99ac758ac33b8ff8954b4cbf10f5da5e9a4fd67f44e567630d256d0544d105963895e51

C:\Windows\system\ZnLnbwP.exe

MD5 c53e7318e647f9e28e12906cb8fa4696
SHA1 c4b35254c618d8039a309b29610aaeb5bff76afa
SHA256 e90983e5c082fd97eb22c14c1c3aa062ddde6f0d06b0f86577dde41fe4f0dbf1
SHA512 9e4254fed04c670450f762604a0c46798bba900550a8d1333ea91c0daf2f346f79b90b29108ad30ddafc2d1c91a9707383f7861edb4e7596769671d9c69e2c1a

\Windows\system\nDvlvJT.exe

MD5 4257531dab5691e0b07e1f6a3d3c1aeb
SHA1 76a9aa6c116baa1d28489a3a21eb0178274f71c1
SHA256 a5fb93071c7796f8e6d3a0943eabbe14dfa38f7ee4043417acdfacfdc1884c7c
SHA512 19307a001f520f2f4ad7cf56fce4e175e2d53d69b0dce3472b57380e11b6cc0c48a6d2e19c5136179e4e0d5e001dadc0d2c535d5ab788dbf05125d29df0d5d0f

C:\Windows\system\WSlFbcr.exe

MD5 13d53bffa7aee823f8edb5f34b90d2bf
SHA1 e1089afff0f10aa61518604c8828cd2e80f7b495
SHA256 69c79c5c6898f168ca5134d40d1b8bc1abde3c3ba00e451a32427232407c2d86
SHA512 846e189c23125646abc0e2f1f218b87b254049c8c75f405febf128f91a04173ea621841ad86c698110710bddc1c4865f1157fa3494e0146e1898e5667001ef00

C:\Windows\system\dgPqKLz.exe

MD5 5b7224f8243f3ac77d9e5ee51975df90
SHA1 3c68e5f55f181ae61735108c744858519c2f6796
SHA256 8a81aa76ce9918c792b4425425dddf3798899605a57b0634cc5ab27f921364ee
SHA512 8b43de436c71c45101da9bef181fa8fa3a94f9941c4d39a947ce21bf21440d8b4c31ca02bb0a4fb061c23997a6db087cedfdea5bdc14f94ac754e6d14a43f547

C:\Windows\system\fFuCopx.exe

MD5 1421fb68c97f2062ea2f957dc2a1401b
SHA1 29ac0d5cd3d862b67829110663f45707c5247e81
SHA256 a49315c803544e45d1fa9a430c175b5acea1d033cdf3d4f5106acb03190e0e72
SHA512 d65c5d9dbcdb47314c380265f5e4dbc877ac06f83a0d8c6cd4aefc96ca284aded7855f835522179d5d0ebfe4e433d0952628ad15392c3eb2949a1540c7f01f4a

memory/2664-105-0x000000013FC20000-0x000000013FF74000-memory.dmp

C:\Windows\system\vgNhZlV.exe

MD5 c5582723954ab85e5c48134b76c567e0
SHA1 3dad44f869eab35c637d62ea1952a0877ba0846e
SHA256 7dbc217d5cbc49b3cabb6d134c31b8daf7282432851a19686ff4a1adefd6fddf
SHA512 87f5180d6a69660d340ff2147ea55502d12342b972ecabc09644f0f7ea5475be2417c4134c426d2680da6204b1676758529fcdee5f9833f7688362af21e8229d

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-07 19:28

Reported

2024-08-07 19:30

Platform

win10v2004-20240802-en

Max time kernel

140s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\QskeQFP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wWkiKnw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oaOBtHB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OAgQTXn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZcMZEyp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ovOwjie.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dXJTRDl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HvHwXCi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EXYkgcM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tgcITuK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DFCGhcl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pIzHjTt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fWpgprB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GelTvQj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rqxsVRc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DXPWZrL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eVpSUPc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GWHaqyG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LCQnuyM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uXKhIfv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oIGfIdb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OAgQTXn.exe
PID 2008 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OAgQTXn.exe
PID 2008 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tgcITuK.exe
PID 2008 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tgcITuK.exe
PID 2008 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rqxsVRc.exe
PID 2008 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rqxsVRc.exe
PID 2008 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DFCGhcl.exe
PID 2008 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DFCGhcl.exe
PID 2008 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pIzHjTt.exe
PID 2008 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pIzHjTt.exe
PID 2008 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DXPWZrL.exe
PID 2008 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DXPWZrL.exe
PID 2008 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZcMZEyp.exe
PID 2008 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZcMZEyp.exe
PID 2008 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ovOwjie.exe
PID 2008 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ovOwjie.exe
PID 2008 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dXJTRDl.exe
PID 2008 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dXJTRDl.exe
PID 2008 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eVpSUPc.exe
PID 2008 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eVpSUPc.exe
PID 2008 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GWHaqyG.exe
PID 2008 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GWHaqyG.exe
PID 2008 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LCQnuyM.exe
PID 2008 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LCQnuyM.exe
PID 2008 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QskeQFP.exe
PID 2008 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QskeQFP.exe
PID 2008 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uXKhIfv.exe
PID 2008 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uXKhIfv.exe
PID 2008 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HvHwXCi.exe
PID 2008 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HvHwXCi.exe
PID 2008 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wWkiKnw.exe
PID 2008 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wWkiKnw.exe
PID 2008 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fWpgprB.exe
PID 2008 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fWpgprB.exe
PID 2008 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oIGfIdb.exe
PID 2008 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oIGfIdb.exe
PID 2008 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GelTvQj.exe
PID 2008 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GelTvQj.exe
PID 2008 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oaOBtHB.exe
PID 2008 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oaOBtHB.exe
PID 2008 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EXYkgcM.exe
PID 2008 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EXYkgcM.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\OAgQTXn.exe

C:\Windows\System\OAgQTXn.exe

C:\Windows\System\tgcITuK.exe

C:\Windows\System\tgcITuK.exe

C:\Windows\System\rqxsVRc.exe

C:\Windows\System\rqxsVRc.exe

C:\Windows\System\DFCGhcl.exe

C:\Windows\System\DFCGhcl.exe

C:\Windows\System\pIzHjTt.exe

C:\Windows\System\pIzHjTt.exe

C:\Windows\System\DXPWZrL.exe

C:\Windows\System\DXPWZrL.exe

C:\Windows\System\ZcMZEyp.exe

C:\Windows\System\ZcMZEyp.exe

C:\Windows\System\ovOwjie.exe

C:\Windows\System\ovOwjie.exe

C:\Windows\System\dXJTRDl.exe

C:\Windows\System\dXJTRDl.exe

C:\Windows\System\eVpSUPc.exe

C:\Windows\System\eVpSUPc.exe

C:\Windows\System\GWHaqyG.exe

C:\Windows\System\GWHaqyG.exe

C:\Windows\System\LCQnuyM.exe

C:\Windows\System\LCQnuyM.exe

C:\Windows\System\QskeQFP.exe

C:\Windows\System\QskeQFP.exe

C:\Windows\System\uXKhIfv.exe

C:\Windows\System\uXKhIfv.exe

C:\Windows\System\HvHwXCi.exe

C:\Windows\System\HvHwXCi.exe

C:\Windows\System\wWkiKnw.exe

C:\Windows\System\wWkiKnw.exe

C:\Windows\System\fWpgprB.exe

C:\Windows\System\fWpgprB.exe

C:\Windows\System\oIGfIdb.exe

C:\Windows\System\oIGfIdb.exe

C:\Windows\System\GelTvQj.exe

C:\Windows\System\GelTvQj.exe

C:\Windows\System\oaOBtHB.exe

C:\Windows\System\oaOBtHB.exe

C:\Windows\System\EXYkgcM.exe

C:\Windows\System\EXYkgcM.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2008-0-0x00007FF612BC0000-0x00007FF612F14000-memory.dmp

memory/2008-1-0x000001863F1C0000-0x000001863F1D0000-memory.dmp

C:\Windows\System\OAgQTXn.exe

MD5 5a92b9fb9fc2c479338bcab78a5431e8
SHA1 3d1b359ea90b29b3aff0865581150f4c1598495b
SHA256 9079a14e02c79d1222cd2954fe3d8dac5886a19d6d455d64e4c48d5a331de254
SHA512 626f356d06cf4a41d1bf7fef4136106a37375ba4a25e558d26f808f52f746c5eacc4cd8b795db78178b33dce7d1f745d3313a210edb841b9d27d5c73dde54b2a

memory/3636-8-0x00007FF730AD0000-0x00007FF730E24000-memory.dmp

C:\Windows\System\tgcITuK.exe

MD5 800d32925377b10e467591595a25f275
SHA1 95340a112ad3e44e00c0a58e4a8e3cfcaca73b25
SHA256 a062c9bf248993438250cb2219d16667dbfc41a373caf5d31b8592e52c4fab97
SHA512 3e19271d1b211246dd468e594a87ee44c6b7e09fd67e1f611c4e0157e3f45c7434be00bfe534f145340850cbbf9f4c15dcf3f7be88106aaaa609c3433e0b0bb0

C:\Windows\System\rqxsVRc.exe

MD5 24e2c2bb757ffc13782b60955eab1cdb
SHA1 372b4a30d7e3a333159262bc262e474bd46f5f89
SHA256 660bf25f96bc80c3bf1af6fc1c5a6f5b025673981e76a2020a5f1cfbd6f4757d
SHA512 eaba697eb49b6a8a535917b46135bbb825b95d38cc7af5079daca0bda30a2002b60934e815bad3405fe14d3fa4607f79af0c9c7da6b83a86506ae1393f57d57c

memory/3380-14-0x00007FF67ABC0000-0x00007FF67AF14000-memory.dmp

memory/2028-19-0x00007FF703FA0000-0x00007FF7042F4000-memory.dmp

C:\Windows\System\DFCGhcl.exe

MD5 d522b87082c42c7ec9e5c59d8de8260c
SHA1 00e7b32e8d1b41ad45f3946634c17b74e5eb8c60
SHA256 755b8dd881ef898c8fd8d23bb83fe3b342cd1e51569d7f3414d650be8c18c86a
SHA512 335640324571c9f68b94e80a362985d61b03c6bf677761d17e19bd1258d8cb36a1c0868ee2ba71a414e5de4e82470851f8f3a3e6e17753ecc4f2f1b0586caadb

C:\Windows\System\DXPWZrL.exe

MD5 53e203444b147dc93c08beabf16a389f
SHA1 fe57fa8c4a5ff0e7e9ecf155d81df69b7cebbaac
SHA256 bfa6bb481ff876f79fb25bb866991c8aa190062e42c9a367a47d1f4ed9b051bb
SHA512 267250aae653dd3afd7d966a5858d331d946025323340736a234e0d675b1122dc423181f3466debcf0d1548969f43fba622fa244d4da200f71bd10ba282842df

memory/1040-31-0x00007FF6B8F30000-0x00007FF6B9284000-memory.dmp

C:\Windows\System\pIzHjTt.exe

MD5 1d953d87db81e5e5e7bcd1335defd200
SHA1 4d10657bad5b13dbf878f8d9006a035e2c915e7b
SHA256 656c7b9e9b134f42839303aea1a49c9d2f6c2fd97bc78601183ed9a5e57ada81
SHA512 c8d19538034b69b9b1fbfa6a1a5b92444b7f1dc1886f9e10267ce7167c0ad925dd126e16c715084166760f33b0e721e3c3727ba68083cf60dc05b79c613998a3

memory/556-43-0x00007FF6BA610000-0x00007FF6BA964000-memory.dmp

C:\Windows\System\ovOwjie.exe

MD5 d4d6ca982226d2371e49b819c4e4444a
SHA1 58a75583ea2d551f404e25c90c050c5863a6d759
SHA256 80bc16bdb3de6bedd10e1339ca6a929cf8f6fd8ad337f132720113e0a6511a73
SHA512 bf673445696e4c6574702054e876fc19728301356269a3aaf31a9bebe40a253063d26c346f65e306eb593686463b5622a3962ee18a32438844aefe8fa99ace92

memory/4260-49-0x00007FF68EEF0000-0x00007FF68F244000-memory.dmp

C:\Windows\System\ZcMZEyp.exe

MD5 c342490e0af9db6cbaa8ca2dcd264539
SHA1 69b61a9a82c4f74cfd808e325b50536f2f35c25a
SHA256 e665d45a91673f73dc201fa97b85817bd2af09efaa1be2e4a716f5c5e1dd0f59
SHA512 85fa7c0fe4b274af813d7e62414f5f08cf20b64fc668eae420fea3cf2bb4947ce942513b74f21ed534befe50aa099c2685fec6389cdad1e69979f6b439fae564

memory/1652-45-0x00007FF733FD0000-0x00007FF734324000-memory.dmp

memory/4396-41-0x00007FF63D540000-0x00007FF63D894000-memory.dmp

C:\Windows\System\dXJTRDl.exe

MD5 0410c1305766d8a68f6958224db38969
SHA1 229dd25e7c8d0ac3a78c0e3846c5de66160a0ec6
SHA256 aa388b52ac9b680cc2b25d0dcd77b3b45a2696afabb055a08d4d0ac2feaa2738
SHA512 95a026f5d6900fecb061f3673bedbea16f4f1739a96ee47c63d66f28e2fe936574f9eaf892a46871829a32d9dc7126d9d79fbe773f7c3385c8be8b8c56ebfe52

memory/116-56-0x00007FF71DAF0000-0x00007FF71DE44000-memory.dmp

C:\Windows\System\eVpSUPc.exe

MD5 b02518c920c76c90489020b47a770e50
SHA1 8f8fbea12e38df1e96784f7955a735bbe5664eb5
SHA256 2d98325eb4b9f707b96781e000f07d6810551a3b0af671b5fec9a7dca23b6a82
SHA512 b62e5489e1cb901afbc71865f507d20bd95a46e21243da885cc74f48814d49347315eb1d5cd92e5188ba7943675b02e077a11505826af44f209dab6eb2d53b16

memory/2160-61-0x00007FF6E9E10000-0x00007FF6EA164000-memory.dmp

C:\Windows\System\GWHaqyG.exe

MD5 52ede3b3f80ae88246ef55c23ac4d5e0
SHA1 f0b32207bec8f18c3c4075ae76a8579d21a46957
SHA256 e5693f85c6127a27413acffc6555af0c62bbd63aa63b92e6db2129ac9031e92a
SHA512 ecf4b7b3a206498ab86e85ebde2a754a135b21c3e8670e57e447de5b2db1ead4e325f268e49d8d24321692a5b144d37f6cb95c404e340e8352b91ef7bae75ec9

memory/2008-65-0x00007FF612BC0000-0x00007FF612F14000-memory.dmp

C:\Windows\System\LCQnuyM.exe

MD5 54d78b30f845d7a127c57521c8d51a14
SHA1 ef13f3be28b92081bc357e54a702e3cf2994c316
SHA256 8ba49001eac18d986064a2bfef60f251a461bdeb18b4a699289f54c84386788c
SHA512 caa45aef9450f449fbfc493165e846ce64e4c8641f79b5ec13f8d0de44cd6baaa3f917efc82071e34c03ecc8d5ec71534a4a89a47b277359dc05c0ce804d24f5

memory/1712-69-0x00007FF7A7A90000-0x00007FF7A7DE4000-memory.dmp

memory/3636-75-0x00007FF730AD0000-0x00007FF730E24000-memory.dmp

memory/1612-78-0x00007FF606510000-0x00007FF606864000-memory.dmp

C:\Windows\System\QskeQFP.exe

MD5 17ebe891c61c938d243760a3e7aef802
SHA1 3f702dfbe5889e465367469fdd7e0f1b69d510b3
SHA256 a6b4678103302fab862643f2309e6c3236f10bed082391fb84e6949b0a1f30f3
SHA512 d1d50991f2e465434a1aa1048bded3b907004a0ff1dfbe1b65232ec61826b07b5bf7af4aebc5da5c61fdb9fb3c1359aa6985fba5b81e166a1f55830aa3510641

C:\Windows\System\HvHwXCi.exe

MD5 8de180bf23094ccab6b763a23271dca1
SHA1 54d165e9f33959ce0ea08da028233765eba4d916
SHA256 0e807769981a231c6050372ab3266633ece1349ffaab02c605af532d75ab592f
SHA512 81264e6fdf2732732ea27a34783f47106f468f817f38bec38cfd7eb3c5ccf65cc9a4d69edec02688d34a9f95033478ab66ac8318b055bd8fbada9731ea2ba98b

C:\Windows\System\fWpgprB.exe

MD5 12e94d95dcb12880ac2fad246a193aa1
SHA1 a71db75a85faa43a14f07939d48773bbfe12c713
SHA256 a57ee6f5d5ccad29a181acd91bf360804a4debf26c97e884aafe3c0a6fd9a18e
SHA512 5b974fc12cacef85eb4a427406c49a9419e3a1d345241db89ec2f44e99d29d29cc8a588e7dcb52b818f51d69e9f887cd6a7b0b67985b272db9efb6ca67a4e642

C:\Windows\System\uXKhIfv.exe

MD5 aa6663faaff56865384db2edebd53e69
SHA1 780611c6c26952f885e80b31a78c1f50d6155191
SHA256 b7dd86a091d22c62db9171df9b0d80df34d576d2537db0b98fd5e1b124fc97bf
SHA512 27fed9d3bea2380e0d10db2f337fa4c4304987ac3024fb2c95aac6e45980df99ee87cb765ffcc4c83cf84da3da829ab60b83b5eb1817187076416edb58ea8e98

C:\Windows\System\wWkiKnw.exe

MD5 c7f63ce5b1068030aaf237da1295f4c0
SHA1 c8d1732316de052e9ddc4173fbdf5e1eac48d806
SHA256 34fe8e29c46857d6e06a39f755453850d62a6234fd80e6be6b8d90eb0bc7fa19
SHA512 e9cb97ab66fe4d968a6f1ee0946df16ca753bacca17f23229f07a43b9cbd779e5c5aee72c2e7449184bbef94cf3369d709c24be95bd3900d982ba2444bdcbed2

C:\Windows\System\oaOBtHB.exe

MD5 08ce73603c171eb9e301f71b1aae4605
SHA1 98f2a42be9061bb5881096bb378a1d46a66d14b9
SHA256 fed57448d240c200a55ec69d96a80ddff4dd4e998d7587354d3314325c4a44af
SHA512 5334d03c0322adf39677d5e3be8dd2ad54e603d63dd8735590be7a675e95988a44d7e0db0c675d332da766b71264c4529c59693d0b63362d985da535ffce2f7f

C:\Windows\System\GelTvQj.exe

MD5 ff93d06990ff393ba617fe890ecca3af
SHA1 6aa4dfe518dbf6830270dab4ac5bfd2d8dbcd9ff
SHA256 0ea6fda6d0db90814ce86bcd7e9e08e708919da9b02ffabda514ba0277988e56
SHA512 b45a14a1778fc23f5fc1a333473e088c2b8046d90d5886c7368939353a08100d849c57f669670f4512196810960a1e0c7dc97d824cabee4043444e99c870e27a

memory/556-113-0x00007FF6BA610000-0x00007FF6BA964000-memory.dmp

memory/2852-112-0x00007FF6D8D90000-0x00007FF6D90E4000-memory.dmp

C:\Windows\System\oIGfIdb.exe

MD5 75ce01334acd5ee61db58f89ed872784
SHA1 c609d4b507dbb5d434ca656aee37aa0be6b73b35
SHA256 95feb6978a3883413b801992af5a14b35bc14290fb3cc39af27c88b1de1b3e1e
SHA512 2df97d7f9de9a5ecd607f47f299f2c361e0e88c61d52df81e3bb71ad5993969ef8c0c0edaae0c9cbf6761ac09dce95780f0c0f94c023841ed15204e0ae364ecc

memory/1020-103-0x00007FF61DA50000-0x00007FF61DDA4000-memory.dmp

memory/1636-104-0x00007FF708F80000-0x00007FF7092D4000-memory.dmp

memory/2584-97-0x00007FF6A4700000-0x00007FF6A4A54000-memory.dmp

memory/2028-88-0x00007FF703FA0000-0x00007FF7042F4000-memory.dmp

memory/2164-87-0x00007FF7F3170000-0x00007FF7F34C4000-memory.dmp

C:\Windows\System\EXYkgcM.exe

MD5 775f2fb6dc8aa63ad19fd8cdba1b28a2
SHA1 682244e7e4bac2c253f102f608eb13ea3a025e11
SHA256 fbdf2b4a560cd3cebce3a55c0c91d0bebcde5a960aa0b0954dea10bc006db874
SHA512 c5dde9e8bfd438b40cc864bba62be9edafd691691a68cb99834f2137d3f787775de0c4e6030599cad94e4e159be52dfee33cea04adb4c22f7e9be54c4885331d
