Malware Analysis Report

2025-01-22 19:23

Sample ID 240807-x7wk4ssfpk
Target 2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat
SHA256 e9fb559514d55c6bb2ce6b36ccc09456ccf22426ed927529157fe567e49cfc4b
Tags upx 0 miner cobaltstrike xmrig backdoor trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e9fb559514d55c6bb2ce6b36ccc09456ccf22426ed927529157fe567e49cfc4b

Threat Level: Known bad

The file 2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

XMRig Miner payload

xmrig

Cobalt Strike reflective loader

Cobaltstrike

Cobaltstrike family

Xmrig family

XMRig Miner payload

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-07 19:30

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (2 entries, no details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-07 19:30

Reported

2024-08-07 19:32

Platform

win7-20240708-en

Max time kernel

140s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 entries, no details recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (38 entries, no details recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A (21 identical entries)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 entries, no details recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\zoJRFoO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xAcGxqH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qyBPtps.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ASMbOxh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sZcLFZB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jhWNstY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jbqiYgu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RlFFUuf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\swcZOBm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jCLdPQU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GYHYkWf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TlmMHXB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WCBkUHX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iezJDhd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cNRdwKz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\snlUMOA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YGWokiz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EhKaMZs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JgVvdWD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KgiWHZf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mcdIWnA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2072 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TlmMHXB.exe (3 identical entries)
PID 2072 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\snlUMOA.exe (3 identical entries)
PID 2072 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sZcLFZB.exe (3 identical entries)
PID 2072 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jhWNstY.exe (3 identical entries)
PID 2072 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zoJRFoO.exe (3 identical entries)
PID 2072 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jbqiYgu.exe (3 identical entries)
PID 2072 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RlFFUuf.exe (3 identical entries)
PID 2072 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\swcZOBm.exe (3 identical entries)
PID 2072 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YGWokiz.exe (3 identical entries)
PID 2072 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WCBkUHX.exe (3 identical entries)
PID 2072 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xAcGxqH.exe (3 identical entries)
PID 2072 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jCLdPQU.exe (3 identical entries)
PID 2072 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GYHYkWf.exe (3 identical entries)
PID 2072 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EhKaMZs.exe (3 identical entries)
PID 2072 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iezJDhd.exe (3 identical entries)
PID 2072 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qyBPtps.exe (3 identical entries)
PID 2072 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cNRdwKz.exe (3 identical entries)
PID 2072 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ASMbOxh.exe (3 identical entries)
PID 2072 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JgVvdWD.exe (3 identical entries)
PID 2072 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KgiWHZf.exe (3 identical entries)
PID 2072 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mcdIWnA.exe (3 identical entries)

Processes

Path Command line
C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe "C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\TlmMHXB.exe C:\Windows\System\TlmMHXB.exe
C:\Windows\System\snlUMOA.exe C:\Windows\System\snlUMOA.exe
C:\Windows\System\sZcLFZB.exe C:\Windows\System\sZcLFZB.exe
C:\Windows\System\jhWNstY.exe C:\Windows\System\jhWNstY.exe
C:\Windows\System\zoJRFoO.exe C:\Windows\System\zoJRFoO.exe
C:\Windows\System\jbqiYgu.exe C:\Windows\System\jbqiYgu.exe
C:\Windows\System\RlFFUuf.exe C:\Windows\System\RlFFUuf.exe
C:\Windows\System\swcZOBm.exe C:\Windows\System\swcZOBm.exe
C:\Windows\System\YGWokiz.exe C:\Windows\System\YGWokiz.exe
C:\Windows\System\WCBkUHX.exe C:\Windows\System\WCBkUHX.exe
C:\Windows\System\xAcGxqH.exe C:\Windows\System\xAcGxqH.exe
C:\Windows\System\jCLdPQU.exe C:\Windows\System\jCLdPQU.exe
C:\Windows\System\GYHYkWf.exe C:\Windows\System\GYHYkWf.exe
C:\Windows\System\EhKaMZs.exe C:\Windows\System\EhKaMZs.exe
C:\Windows\System\iezJDhd.exe C:\Windows\System\iezJDhd.exe
C:\Windows\System\qyBPtps.exe C:\Windows\System\qyBPtps.exe
C:\Windows\System\cNRdwKz.exe C:\Windows\System\cNRdwKz.exe
C:\Windows\System\ASMbOxh.exe C:\Windows\System\ASMbOxh.exe
C:\Windows\System\JgVvdWD.exe C:\Windows\System\JgVvdWD.exe
C:\Windows\System\KgiWHZf.exe C:\Windows\System\KgiWHZf.exe
C:\Windows\System\mcdIWnA.exe C:\Windows\System\mcdIWnA.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp (6 identical entries)

Files


memory/2668-215-0x000000013F870000-0x000000013FBC1000-memory.dmp

memory/2544-217-0x000000013FF50000-0x00000001402A1000-memory.dmp

memory/2328-219-0x000000013FD00000-0x0000000140051000-memory.dmp

memory/1128-223-0x000000013FB10000-0x000000013FE61000-memory.dmp

memory/2904-241-0x000000013FB30000-0x000000013FE81000-memory.dmp

memory/2288-239-0x000000013F7B0000-0x000000013FB01000-memory.dmp

memory/2832-237-0x000000013FB60000-0x000000013FEB1000-memory.dmp

memory/1360-243-0x000000013F120000-0x000000013F471000-memory.dmp

memory/2892-247-0x000000013FD10000-0x0000000140061000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-07 19:30

Reported

2024-08-07 19:32

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\JitgnOx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aNMWkHT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ccEwGue.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CWqbGgc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QIKgowQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CbjcLDv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zQqMQJl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\haNLeGp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MMLmagT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ajelOck.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HAIVcMV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZhrdRrR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WWfZEQx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jcPujhd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QzUinEm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XwrUKnL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JhsCXJn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hRLuKzi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bgwhKvM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jFXLITt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DnAsLca.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3408 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QIKgowQ.exe
PID 3408 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QIKgowQ.exe
PID 3408 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XwrUKnL.exe
PID 3408 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XwrUKnL.exe
PID 3408 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JitgnOx.exe
PID 3408 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JitgnOx.exe
PID 3408 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JhsCXJn.exe
PID 3408 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JhsCXJn.exe
PID 3408 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aNMWkHT.exe
PID 3408 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aNMWkHT.exe
PID 3408 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hRLuKzi.exe
PID 3408 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hRLuKzi.exe
PID 3408 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HAIVcMV.exe
PID 3408 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HAIVcMV.exe
PID 3408 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZhrdRrR.exe
PID 3408 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZhrdRrR.exe
PID 3408 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WWfZEQx.exe
PID 3408 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WWfZEQx.exe
PID 3408 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CbjcLDv.exe
PID 3408 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CbjcLDv.exe
PID 3408 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bgwhKvM.exe
PID 3408 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bgwhKvM.exe
PID 3408 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jcPujhd.exe
PID 3408 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jcPujhd.exe
PID 3408 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zQqMQJl.exe
PID 3408 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zQqMQJl.exe
PID 3408 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ccEwGue.exe
PID 3408 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ccEwGue.exe
PID 3408 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jFXLITt.exe
PID 3408 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jFXLITt.exe
PID 3408 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\haNLeGp.exe
PID 3408 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\haNLeGp.exe
PID 3408 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MMLmagT.exe
PID 3408 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MMLmagT.exe
PID 3408 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CWqbGgc.exe
PID 3408 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CWqbGgc.exe
PID 3408 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QzUinEm.exe
PID 3408 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QzUinEm.exe
PID 3408 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DnAsLca.exe
PID 3408 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DnAsLca.exe
PID 3408 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ajelOck.exe
PID 3408 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ajelOck.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\QIKgowQ.exe

C:\Windows\System\QIKgowQ.exe

C:\Windows\System\XwrUKnL.exe

C:\Windows\System\XwrUKnL.exe

C:\Windows\System\JitgnOx.exe

C:\Windows\System\JitgnOx.exe

C:\Windows\System\JhsCXJn.exe

C:\Windows\System\JhsCXJn.exe

C:\Windows\System\aNMWkHT.exe

C:\Windows\System\aNMWkHT.exe

C:\Windows\System\hRLuKzi.exe

C:\Windows\System\hRLuKzi.exe

C:\Windows\System\HAIVcMV.exe

C:\Windows\System\HAIVcMV.exe

C:\Windows\System\ZhrdRrR.exe

C:\Windows\System\ZhrdRrR.exe

C:\Windows\System\WWfZEQx.exe

C:\Windows\System\WWfZEQx.exe

C:\Windows\System\CbjcLDv.exe

C:\Windows\System\CbjcLDv.exe

C:\Windows\System\bgwhKvM.exe

C:\Windows\System\bgwhKvM.exe

C:\Windows\System\jcPujhd.exe

C:\Windows\System\jcPujhd.exe

C:\Windows\System\zQqMQJl.exe

C:\Windows\System\zQqMQJl.exe

C:\Windows\System\ccEwGue.exe

C:\Windows\System\ccEwGue.exe

C:\Windows\System\jFXLITt.exe

C:\Windows\System\jFXLITt.exe

C:\Windows\System\haNLeGp.exe

C:\Windows\System\haNLeGp.exe

C:\Windows\System\MMLmagT.exe

C:\Windows\System\MMLmagT.exe

C:\Windows\System\CWqbGgc.exe

C:\Windows\System\CWqbGgc.exe

C:\Windows\System\QzUinEm.exe

C:\Windows\System\QzUinEm.exe

C:\Windows\System\DnAsLca.exe

C:\Windows\System\DnAsLca.exe

C:\Windows\System\ajelOck.exe

C:\Windows\System\ajelOck.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/3408-0-0x00007FF7963E0000-0x00007FF796731000-memory.dmp

memory/3408-1-0x000002F5088C0000-0x000002F5088D0000-memory.dmp

C:\Windows\System\QIKgowQ.exe

MD5 f887a65160bee2c568a9b2dfe9e18754
SHA1 301ca044d404e2f8a7c740ea4e3e45209d8a026a
SHA256 e37a1c5fb1ccc56dd5ac195dcca818ca7f357da71888209541d6d95d560a7a7e
SHA512 984638b8075a3ca8e2a8376a7de85a37986db2a6e77ee4d09a0a6c2e341ce77b79d1625db492194b7390a89080a8c3eb2c4516a11864acd6c2e07c35ff91df3d

C:\Windows\System\JitgnOx.exe

MD5 7eabb126773092fe6347077c790ba92d
SHA1 f57f7f506fc084836b38f5f99a4f32bced7f844f
SHA256 fcc854561da09770546af99ff42da3efda9e34fc97e7e610662b1fe0118e814f
SHA512 23282894eae29b0d491a474fd75c9a87daa11d7f89fb10fe8f088296d69766e5b3f08753c4b09942e4605e596243bb2dd15034a64883e3ee93dfaba46f8f72a4

C:\Windows\System\XwrUKnL.exe

MD5 eea0c16b5dc489c6a0bfb6731f9b6972
SHA1 a75cb7003cb2ebbfcc3c14524b045b722f20e675
SHA256 ed48aa5d2a7e6b059ad4111163384ccc7fd7ab7405086dd9d863061e4859c06a
SHA512 a74f9e6b6b78c78281f2c0efd3702b77842b56c992223b21730ea1b49ccc4d560498c3879f458f34dd8e5cf269fcb95bd97769bcc74bc3e4137395641eb153f2

C:\Windows\System\JhsCXJn.exe

MD5 e32db90ef70c420474453a83c53d1685
SHA1 9628a05882830dcb11008a25f701f816a1a5cac0
SHA256 0dc922838d64ab9589f62419ab086537f6c56791de82d4546ac322f76e2776ae
SHA512 89207d336192f020b3da88669a661654c4ffa6766a56c44010d75184263834986e1d2e7e02af3be1b3436b86206acf2306c0ddd6a34a0d40454f117270412725

C:\Windows\System\HAIVcMV.exe

MD5 54bc07f41732ab080d26a717865db82f
SHA1 3ed07533832eec22f56c101cf243f245b9af4f6f
SHA256 cbdf49236f880ec6d7e16548c9c5d9d0da13930d073c77a443a91c6e7dc7263b
SHA512 1a573dddf8741ecfc1107c2cee416881ed76febffcc8e05a32e6696f36fee43503349aed7552e22d34ed60d257f60348606e72cabec7e4403870d5c625820ed2

memory/2140-18-0x00007FF6E4D20000-0x00007FF6E5071000-memory.dmp

memory/5100-10-0x00007FF697670000-0x00007FF6979C1000-memory.dmp

C:\Windows\System\aNMWkHT.exe

MD5 16229302870618d17562966a7fe2773b
SHA1 1b23caa2d7069db1c9bc0dce5e89df71e8dffc23
SHA256 b176be0a0067cd33cfcc98a1f4fe3c962b82cf2dda077066eb6f83bedc616b7b
SHA512 45703d2f539384d50cdca84a3e152bfdb08dd13f5f09cb01713009babaad2a452ce7041d52a2f7b73ad62b744fc751e3ee23ade8d5b66b26baea737e142f464f

memory/1932-45-0x00007FF6BF0B0000-0x00007FF6BF401000-memory.dmp

C:\Windows\System\ZhrdRrR.exe

MD5 d77c4550c0af27021fd2812d70672ccd
SHA1 251cccca63df4f13f7c5ec1efb20305f2b41f56e
SHA256 53742b0b640ced8c2ad3ed5b38823f90f60288188eda5a91366fb81bcfa67c0d
SHA512 347649a34df173af60841dde878f4185abbec8a2f04250d3a8fb8c46e2b86bad3f5a29a07017ecf27a780c7bf0099ac3c7551bc586c465ecdc470ae19751e48b

memory/2672-46-0x00007FF738AB0000-0x00007FF738E01000-memory.dmp

memory/2324-36-0x00007FF6E4650000-0x00007FF6E49A1000-memory.dmp

C:\Windows\System\hRLuKzi.exe

MD5 5fa02a25e58184598b781000e25d873b
SHA1 0ff63fa571680ec996335683f138546f9c093702
SHA256 af72051d8cbd64302a3881eb3c78564de8a785110966f410559a8cbf591a4d43
SHA512 fd9a67e1b5c7b3a9a191b2a4b5f0a917d810d4b310f37d4a21bbc24f64fd3854322a13363c6ace5a284f5af5c99f4ac72c1a45b9756d90727fd939b4ec04f221

memory/5008-31-0x00007FF676010000-0x00007FF676361000-memory.dmp

memory/452-30-0x00007FF76ED40000-0x00007FF76F091000-memory.dmp

C:\Windows\System\WWfZEQx.exe

MD5 85648fc112d4d0fa74517b8e3a57901a
SHA1 60a3a074f1e6821c913cffdbcf7cf9c6f2a644d1
SHA256 290c77b248d883e2676bea62a88f24e7b2e8d42127d00a48746d448ad36c63fd
SHA512 813d46353c676df1218ac30b3314f7beab80be4f38a597502f72782ea2e359a35bca3594139e85768b72217d39e67c5b2e3af971a7191fbd257ccf9149c0e27e

C:\Windows\System\CbjcLDv.exe

MD5 14a59ac47de077fdea64ca9cb01d7ac0
SHA1 3f8a41ea8ac1472de06ab2544ed925fc17286a1b
SHA256 741b99f0bce6531cc1714bf1b7ec475e14a94e3cada1194aab6b9b41f39ab5a9
SHA512 ba3bb114c84f09368a74aca15b1ee3d0de855350da63dcf0173f7e54e7c1d13869eb784d12ae2dbfac86f4585b1d9b523a59075165044429963537039e87cdaa

C:\Windows\System\bgwhKvM.exe

MD5 d0b4cf86bb8cefc4e718197568713b8d
SHA1 b42c6ac94e2be575023129163c74f084fe4a0c9e
SHA256 c7a618cfa5251ab10a51fc06367c869b7bfdb3c59c06f872197f8d15ba0146c0
SHA512 c3a7d31fe664b2c9711adb8900f8f3874550d651e5b08ac22adfea67130775d7c24a0c87d6e02b25b53901369ef55c95458850da9e88e0f389969edcde16cdf2

C:\Windows\System\ccEwGue.exe

MD5 63242d87e44e003390554346c9e87220
SHA1 4828439b770332cd6240ffbd349c969753246d87
SHA256 3443ef6e07c80f74a5097af5b8daae675ebfb6e467f9a5a144bb649d17cd04ff
SHA512 3b98976b0f71342963dba759c8d9c0729e84826fc3a302f42cc6ca9c1bf64b8d709eab699d62f4863b6490a1bb41a71e0dc1222227a25c0de3f7107a07cf8776

C:\Windows\System\QzUinEm.exe

MD5 77e1701230589b5a3933910f5fb15a13
SHA1 64bef1d09837032d759aeedf53372f47392d9fad
SHA256 3067aa7ce078b109c285a8c87fccd54e9c3bb2d5500109ba47252806dc39fe04
SHA512 3783cc1930b7c7bf8306c99cf58f6e4407939ca7dc2b32c94194bce27b25e24c17197962d489447216501fe54e1ce89610b5dfd0cb4073ed6842757163d36d32

C:\Windows\System\DnAsLca.exe

MD5 b699da9b91fa47aae69f04bcdf85fd8c
SHA1 26c550bd561db542702b0567799c2584af44c27f
SHA256 1619d9e0d32f58e402ad357568ae7464e713d9ed543f4fc9dbb169b85eb632f4
SHA512 61eedcb62ce8c4842c61089254c988e12b6578d2f581b6c0ba0749f0b72340a884ae1056c9ea2901b117839f32ba6b1f15fbf8fe01cf1ccbaf92e2b570b3a036

C:\Windows\System\ajelOck.exe

MD5 5ead9ac738cab2df3b64e142bb800974
SHA1 9a5c922d1ab140b7e601b8486e57a67a7b1b9508
SHA256 24e7219a8e793da422d8cdf5c5be529d3310ad88938ff8bd4dd1541b34bd98cc
SHA512 d42bf2c9eeb46d8603f2b017f096f691d62e1b13721c4ee3fa9dda6a6f344329f28af636b398d7030bc60e3108540b5b242dffbfc9f7300ccc35136e16920248

C:\Windows\System\CWqbGgc.exe

MD5 a9a14d660f9aba714e9b8a87a3164539
SHA1 e6374a5f0d9ad684833e7495b692905791a2994f
SHA256 4a73e2d1f3d2c4c0e77cbb10043eb64c1bb65d8883effc5c85b22d0f63fbafba
SHA512 2ce7aec3eb02107f2765eeb4981dbf728f7b3e1246dbab454d6ed5a4b111aa3935456f2e9b560c8749d30f83176f01410b895f7498e9b076b4c66a56bdae0d0a

C:\Windows\System\MMLmagT.exe

MD5 5bf58294b75f82e889ec2257910bfb0a
SHA1 d954bd7311bcb87a593cdcd630e87192c7dce3bb
SHA256 8db6f459fce2e3a1083c447d641c467b512fbd79285f589cf00ddb92d9608526
SHA512 2c9a2a53842c7eefce560741d85d8a996d236178124056f2264f2bebaaead5c3062be1929299bca9ec5a2edaa968085de8e3bca0865307f8b25206ac9f461f5c

C:\Windows\System\jFXLITt.exe

MD5 61def9f0192db5b9d3065852e85866f8
SHA1 4a9481346bcfbf5679f6d030940809917ab90e63
SHA256 183cabcbaf1f9a4fd72b67b0598677bd0e3e197c0c09d0ae4b0b50b85515f9c0
SHA512 de84cac51d112b170c6592085edce33a1ff6261cc83160b22607ca524d92f0d94a1f92bd01432cf113f3640c854ec987202da01711ef81fe6d3453424febd59b

C:\Windows\System\haNLeGp.exe

MD5 cabaa4888428bca4e90b3160a4006f5e
SHA1 3b3e1d3e2aaa7389566948eea2720c8efa24a5c6
SHA256 08e0bf66c2f8f01a65824745e90f3e0622dc437c1bd805ab7ed1463772307c0d
SHA512 ac2690a3968444637c695b0025b518512ce0ce09adf39aef31451d79e44d6217255572701d7732b4e1a01b7d74b1ebf471d0f4cb6264cbd160556172af49ef03

memory/4980-87-0x00007FF65C220000-0x00007FF65C571000-memory.dmp

memory/4056-89-0x00007FF6FA200000-0x00007FF6FA551000-memory.dmp

memory/3408-84-0x00007FF7963E0000-0x00007FF796731000-memory.dmp

C:\Windows\System\zQqMQJl.exe

MD5 0756988f8313a35c767de64e69d7fcf8
SHA1 a9e49358eb7b2c598f5b10493499684c4f215bba
SHA256 ec5138ed90184f54069e48ca3a1bd1f412bf8ed92aae1382827e1f9bb48feb81
SHA512 12b973699b8523b4ecb5b02395443b6edfb0f9ced150b3c2ada2a983bfd309f161ff6c96bad82d71b5e1820c65c0d3e54e60ab1250fae9250a4b897aa0101cf2

memory/2540-82-0x00007FF61D0D0000-0x00007FF61D421000-memory.dmp

memory/3204-76-0x00007FF603930000-0x00007FF603C81000-memory.dmp

C:\Windows\System\jcPujhd.exe

MD5 97ef5eb76a9869f8cb9cf6873497556e
SHA1 218594f749bfb5c61ef07cda0ac378ee8d0f4b38
SHA256 014122518a60e99e3b20343fdbc5709b435842b4553724b41423aed68ec22b39
SHA512 8a24ee8ab9b38adcd00f611c11f460091ffc600e32ff6cc4a10052a606e425d81146f0fbcea7d9a47bcf04f8e5c7ad47c21d1bfe4b71ba9d10422698c8049c44

memory/800-62-0x00007FF74ED40000-0x00007FF74F091000-memory.dmp

memory/4780-57-0x00007FF7BD210000-0x00007FF7BD561000-memory.dmp

memory/3588-52-0x00007FF69D620000-0x00007FF69D971000-memory.dmp

memory/2120-122-0x00007FF7C5C20000-0x00007FF7C5F71000-memory.dmp

memory/2380-123-0x00007FF6A6610000-0x00007FF6A6961000-memory.dmp

memory/436-124-0x00007FF70A540000-0x00007FF70A891000-memory.dmp

memory/2524-125-0x00007FF64DC40000-0x00007FF64DF91000-memory.dmp

memory/3228-126-0x00007FF7B0FB0000-0x00007FF7B1301000-memory.dmp

memory/3408-127-0x00007FF7963E0000-0x00007FF796731000-memory.dmp

memory/1932-132-0x00007FF6BF0B0000-0x00007FF6BF401000-memory.dmp

memory/2024-133-0x00007FF6EFE50000-0x00007FF6F01A1000-memory.dmp

memory/720-134-0x00007FF600D80000-0x00007FF6010D1000-memory.dmp

memory/2324-136-0x00007FF6E4650000-0x00007FF6E49A1000-memory.dmp

memory/4780-138-0x00007FF7BD210000-0x00007FF7BD561000-memory.dmp

memory/2120-144-0x00007FF7C5C20000-0x00007FF7C5F71000-memory.dmp

memory/4056-143-0x00007FF6FA200000-0x00007FF6FA551000-memory.dmp

memory/4980-142-0x00007FF65C220000-0x00007FF65C571000-memory.dmp

memory/800-139-0x00007FF74ED40000-0x00007FF74F091000-memory.dmp

memory/3408-151-0x00007FF7963E0000-0x00007FF796731000-memory.dmp

memory/5100-196-0x00007FF697670000-0x00007FF6979C1000-memory.dmp

memory/2140-198-0x00007FF6E4D20000-0x00007FF6E5071000-memory.dmp

memory/452-200-0x00007FF76ED40000-0x00007FF76F091000-memory.dmp

memory/5008-202-0x00007FF676010000-0x00007FF676361000-memory.dmp

memory/2672-205-0x00007FF738AB0000-0x00007FF738E01000-memory.dmp

memory/1932-207-0x00007FF6BF0B0000-0x00007FF6BF401000-memory.dmp

memory/2324-208-0x00007FF6E4650000-0x00007FF6E49A1000-memory.dmp

memory/3588-210-0x00007FF69D620000-0x00007FF69D971000-memory.dmp

memory/800-226-0x00007FF74ED40000-0x00007FF74F091000-memory.dmp

memory/4780-228-0x00007FF7BD210000-0x00007FF7BD561000-memory.dmp

memory/2540-232-0x00007FF61D0D0000-0x00007FF61D421000-memory.dmp

memory/3204-231-0x00007FF603930000-0x00007FF603C81000-memory.dmp

memory/4056-235-0x00007FF6FA200000-0x00007FF6FA551000-memory.dmp

memory/4980-238-0x00007FF65C220000-0x00007FF65C571000-memory.dmp

memory/2024-237-0x00007FF6EFE50000-0x00007FF6F01A1000-memory.dmp

memory/2120-240-0x00007FF7C5C20000-0x00007FF7C5F71000-memory.dmp

memory/720-242-0x00007FF600D80000-0x00007FF6010D1000-memory.dmp

memory/3228-250-0x00007FF7B0FB0000-0x00007FF7B1301000-memory.dmp

memory/2380-248-0x00007FF6A6610000-0x00007FF6A6961000-memory.dmp

memory/2524-247-0x00007FF64DC40000-0x00007FF64DF91000-memory.dmp

memory/436-245-0x00007FF70A540000-0x00007FF70A891000-memory.dmp