Malware Analysis Report

2025-01-22 19:23

Sample ID 240807-z7zzmsthrj
Target 2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat
SHA256 14ebc34fc109c6babd8231811e7371077e82a5cd36276c7ab389c84504b23a79
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

14ebc34fc109c6babd8231811e7371077e82a5cd36276c7ab389c84504b23a79

Threat Level: Known bad

The file 2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Xmrig family

XMRig Miner payload

Cobaltstrike

xmrig

Cobalt Strike reflective loader

Cobaltstrike family

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-07 21:22

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-07 21:22

Reported

2024-08-07 21:24

Platform

win10v2004-20240802-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\GtXpmaL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VisaCuv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QhhBMzn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RwpkHIl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gvRdjoO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jXFIDzq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DkZEdNl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hequdPE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XMngTdt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iWLkdOJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xVDUbGI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Zxelqwc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fFuMtzc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DPrTxtD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UMwZQxG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MJIBtWh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lckuBDC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kxYOpSR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fSbfqpv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZFbFNrl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ImQywtv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZFbFNrl.exe
PID 2008 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jXFIDzq.exe
PID 2008 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DkZEdNl.exe
PID 2008 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GtXpmaL.exe
PID 2008 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ImQywtv.exe
PID 2008 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VisaCuv.exe
PID 2008 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DPrTxtD.exe
PID 2008 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Zxelqwc.exe
PID 2008 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QhhBMzn.exe
PID 2008 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fFuMtzc.exe
PID 2008 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UMwZQxG.exe
PID 2008 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hequdPE.exe
PID 2008 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XMngTdt.exe
PID 2008 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iWLkdOJ.exe
PID 2008 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RwpkHIl.exe
PID 2008 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MJIBtWh.exe
PID 2008 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xVDUbGI.exe
PID 2008 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lckuBDC.exe
PID 2008 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kxYOpSR.exe
PID 2008 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fSbfqpv.exe
PID 2008 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gvRdjoO.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\ZFbFNrl.exe

C:\Windows\System\ZFbFNrl.exe

C:\Windows\System\jXFIDzq.exe

C:\Windows\System\jXFIDzq.exe

C:\Windows\System\DkZEdNl.exe

C:\Windows\System\DkZEdNl.exe

C:\Windows\System\GtXpmaL.exe

C:\Windows\System\GtXpmaL.exe

C:\Windows\System\ImQywtv.exe

C:\Windows\System\ImQywtv.exe

C:\Windows\System\VisaCuv.exe

C:\Windows\System\VisaCuv.exe

C:\Windows\System\DPrTxtD.exe

C:\Windows\System\DPrTxtD.exe

C:\Windows\System\Zxelqwc.exe

C:\Windows\System\Zxelqwc.exe

C:\Windows\System\QhhBMzn.exe

C:\Windows\System\QhhBMzn.exe

C:\Windows\System\fFuMtzc.exe

C:\Windows\System\fFuMtzc.exe

C:\Windows\System\UMwZQxG.exe

C:\Windows\System\UMwZQxG.exe

C:\Windows\System\hequdPE.exe

C:\Windows\System\hequdPE.exe

C:\Windows\System\XMngTdt.exe

C:\Windows\System\XMngTdt.exe

C:\Windows\System\iWLkdOJ.exe

C:\Windows\System\iWLkdOJ.exe

C:\Windows\System\RwpkHIl.exe

C:\Windows\System\RwpkHIl.exe

C:\Windows\System\MJIBtWh.exe

C:\Windows\System\MJIBtWh.exe

C:\Windows\System\xVDUbGI.exe

C:\Windows\System\xVDUbGI.exe

C:\Windows\System\lckuBDC.exe

C:\Windows\System\lckuBDC.exe

C:\Windows\System\kxYOpSR.exe

C:\Windows\System\kxYOpSR.exe

C:\Windows\System\fSbfqpv.exe

C:\Windows\System\fSbfqpv.exe

C:\Windows\System\gvRdjoO.exe

C:\Windows\System\gvRdjoO.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\ZFbFNrl.exe

MD5 4d193580b617c1de6ba11b4a0eaa7600
SHA1 5c7bbef2d295557284ac8f66d5f3d89a0ee7652a
SHA256 60a2149ea81d502e5c2a6df2f40ec68d6fb7b42bab75f463bcada2d345d5f344
SHA512 0eebf8491fe4882b42ea2a90fc2eb5d5967a100535ae6f7f9c0b3d1efc7ae05a2e5694373b2c6499d973499ed9f67050a816b1c123cc55ba7f565dada7be282a

C:\Windows\System\DkZEdNl.exe

MD5 73f0047721e0be9a36849fae85e039d9
SHA1 3fe0e0c9511b8288c1ff5f77aacd3402c3977e43
SHA256 7846d056ed6e1e8d7c671afb3a45ec23dbf0d629f5f031914e5a92d8c32bc5ba
SHA512 d6c5e98b35c832d59c460f735371dc9b220d2d6ac196c64d166171a591dd3522cfc5914e4054f40a7c9f7d3b6d092e239206fa9ebb2970be3a143598d4620791

C:\Windows\System\jXFIDzq.exe

MD5 4020b7920e6009f7c29f838ac2b2c246
SHA1 63b2ff9881bff23fb55debb6d022f1634066ace9
SHA256 db1beff56ea84827d84a2419f2c588e208084a1b62857e5eba72104cc6c52048
SHA512 3524aae439ef5e4fe0b13446aec3ec4fbe5f38676ac4f57898f09084fa6217d5d11b5b23e3f9a7faed31954b0ad80ab59e22647bec925693d0d6c499b01671e2

C:\Windows\System\GtXpmaL.exe

MD5 1639eb65276d348242ef8fee0e2a3b95
SHA1 c4368aeda51da192dd1ea0915f94baed85437d30
SHA256 ee33b86605addf9dedf913418af20de9a42581ac73127952db72512b070d632b
SHA512 c257c8661ca91f332d0faf0849496df03750921a751fb3d2c3af2b90cc17fe0cd8c30c47a328ca19d6b45a32dacf01e7ce7be6876b6e82568222ed610657818f

C:\Windows\System\ImQywtv.exe

MD5 8749afb3ea2cb91bc797d60f0cb77aa9
SHA1 495ac99c37986c3939ae0fa7aa11e00ce8dc6d4d
SHA256 3c03b05cef5e2e467bbbb34b879c75f0bb5c22aec09a7d63111de09cc6379213
SHA512 1f339befc66bad599656f572d639a8220f9265cb11b9f1b34735e12e447342c02315ac4ad3cff3908c64048cd26bdef7da3cf91f59ad31f2cf831df46bb5b976

C:\Windows\System\VisaCuv.exe

MD5 d04f2edd39c43fde6492386eefaa38c8
SHA1 95ac8aa19fddd1c9d81519322f93a409a36a6473
SHA256 7be557e728350f78ac8885eb899bf0c14f498fd19a169c90735541ce4cc58427
SHA512 307f2417209daee873979428c26e8a16e470b84726235732b6c36ef56306ec09df3a50986356281662bf193ac48a35dc10d49e7a9ae0aa766f2207933851a1b7

C:\Windows\System\Zxelqwc.exe

MD5 2921b808845b4ee9938f96927e7dc62a
SHA1 d5de6a867935c5dcfcf82d360efa380eb579f2d9
SHA256 cd304366d95802c52e527b35c4613a941c83c9bd1631d1fe4c1d09148e9af3dc
SHA512 7a6fabd05b1fa4a370781fcd05d4103eda75efc90021da64b3c131781136e7d5ea10cc66da77db5fff310bb2974848da26767498c497b85c728f3062fb9c177b

C:\Windows\System\UMwZQxG.exe

MD5 1c5f921255913e606bf38f2cd2f6da58
SHA1 67bbb749c48c66c76301db64a3edc81bd92fd3df
SHA256 73be29e6e0ff28dbfcb54b6cabe99db2bd9af2e2103dd4983c49fc99ba183167
SHA512 babb52c36d603c5fa7a1a2f214419108cdc9ca7051926a363f4f767bb14d40f5baaeb59bf4e4fb272b61776dc4e88cb75e3be319c58fd1c574d8f43692b06008

C:\Windows\System\QhhBMzn.exe

MD5 69a4d4d426608f627b37b076dceff9f9
SHA1 65ffb49f6fb8422d9c7f1abf9190b5c8c126c83c
SHA256 ea82641be57f1810a0fe5f90f74749bbf864998162a3c82e2def63f3ed0cdfae
SHA512 cac9d79f64995409283af54177ae387da887ad0c777551195df8a8ad58b703b3715e0cb7b070712b56f0bdff5abcf52c63b576fe1d4ea47bf5d8924cc726b921

C:\Windows\System\fFuMtzc.exe

MD5 015e1f1c478c927a7ecc93e1a3a6fc8e
SHA1 3358cba6ea64a6d8f2850b42da23fa787530c4d0
SHA256 609c31cd4d0209369066619ca44b29761090f9701718a61a2f05c19007c4d4c5
SHA512 15e1afed3dcb717e7d4282b0daa4e095945c44289276ae216c765b997ef64b2580625e5eb865acee861d6cea6955cc877ca2d4614dd414ae2a974e1e8ad1474e

C:\Windows\System\hequdPE.exe

MD5 9d0175ebd669b70f6eae311b8d16021d
SHA1 77b0b976a2d8609a2791f8a1aee9c13ef0824dc1
SHA256 61d6d663482b3d86e53976a1d081bad717d16a511742c3c9906d0799329d324a
SHA512 b154f4bc9525e8a525dc3d7aa72cd828f5b0840802fece11a47b8bc397644a1df3d61aeb2da31eb5603ee9d921f66d95c993df7d1f82c8e004b87603acc540e4

C:\Windows\System\DPrTxtD.exe

MD5 6d0941990005e8c64a31ad8620deda23
SHA1 7b981ede1daff462084e0214fcda617177d31964
SHA256 18ce9427726240370e338b4c45ebb33a10ce665d7e26ecd6c6c5b1a15343d9c5
SHA512 d02ddaa1d343ef825060cc9affbcf4f5ef662977a70176f543a08047e1f6868524e813bf8742465c8ea3e7b91065e520e3518679caa561cd7e6504ed54cc3925

C:\Windows\System\XMngTdt.exe

MD5 d3eda531576c79d599d7d2700f3dabcc
SHA1 04f90fc2eb785d32df275b94ab58cf4b58f6d708
SHA256 19ba6b6d4599d1cdbf58643a4957eaa50d2acace4a33247913376d54cd5b56d9
SHA512 19cc61e1aea3da15e42b4b4b95fee3a42063e53170db35a8ec64d6815f9546b4e709f2546cc8c892bceae20980e10e2d1afe96f6e32e524669b445ef1286f1ea

C:\Windows\System\MJIBtWh.exe

MD5 19c4cc5735b1810bd9519d28f3d03dd9
SHA1 cb1193971ef414f7bad9985e8d4a252f91be3db0
SHA256 8c340ffd6487640f3fd6bb4cdcd2b8b2e70d4a21faeb2ecbd4caceddccdefc25
SHA512 fcd56c2f0ffbe39e5e7872325a0ff1be7d50308678e8967b226605115e06438fa12f38a24e78836af47363cdfbe44a82ee4c2e5058010070fe88ac1f5630561d

C:\Windows\System\xVDUbGI.exe

MD5 2dbf276a0d06a88b7f88d9ef8fe846b6
SHA1 25b89236f64cfbc307131fec2d674b948daa49ae
SHA256 46c05c5a77619af4689ddef84e4fba1bdd005088d60ec44be463013eb0d89e4e
SHA512 b575d6b6614f06ca65f95ef8dca6caae6e2d81b77ba0921ce63bce050a94a4c828e433367563dcc3f83bfb9d2f46ec168e635fabfb68d02137d93b3f78bd231c

C:\Windows\System\lckuBDC.exe

MD5 e2a1f04c6a0136452da90f738f591a82
SHA1 433811576548d9cf19b702ea7358713f5a2710cf
SHA256 0d7cee4f161bb97714ca5b764fc016e2df63e12a2d39bf581ad7ebc4cd2e0712
SHA512 97ab06f9108f69ccb4384ccb819989a800bf23432c057ac215eee7ef252000cfb6cfe5e541f0e01c7ba0f633817e8d08651cdd9816f7b28e1dda39deb7aca9a5

C:\Windows\System\RwpkHIl.exe

MD5 b5803e9c79e1e77cd95193f8abb500fd
SHA1 e0fe3c83f8dc572fb45350a9193d602df6da4a6a
SHA256 0516409a63464f86280c56e43262bdbfa97ccd0e33a21842f8223e9c87e75960
SHA512 33b379ccc431e51f16acd6280ae42f59eac9824bc2bdf9d1c989f0a7f49d376d16f040af38691c672f89e37b987223cf918fade2e821ddc28f9b8c2e8584246f

C:\Windows\System\iWLkdOJ.exe

MD5 2b5ba4cec4d8181dec77af1f41496736
SHA1 8aa2b5d9b36a6500dc4f25f43ec2e0cf5a0aeb76
SHA256 69fc56de00a44cd3d8c58e924d5687a7dd8258bf93f2c378585f61a083e526b8
SHA512 95f518a081d5d1e44cd9832852055572915035e2334d4bbd866266f3ac21806b97566e5a49efb9a144eefd80df892957f71981a45112852864b9fd86085df8f3

C:\Windows\System\kxYOpSR.exe

MD5 c02b04321826a3eeb7e7f48a7fc37582
SHA1 125f12e98a27e0b64a6efa9710dabcc55a86c818
SHA256 43b5d3657ab4fbc90650afcd77ea978ab1c99093ece772a79d37589d4b38682d
SHA512 aa9c1543e4f68643870fa788c6083df5889592c54cc60bb240010a694b92c80c0be855604159c7988ef99924bbf9978c2baeeb0088ac5fb3420ccfd1a9b8be0a

C:\Windows\System\gvRdjoO.exe

MD5 31deb27eff3bf54ed665142c13ead7ff
SHA1 9c9715e162b19db70e8268c33d4be66e7f47047d
SHA256 36da9bad3e9f2dd6fe2e0972bd95bed9540a52b57ff778fb74611035f7fe410d
SHA512 0163887544f8b4d76a9f13aa6187e3e302f511bdd8ac57e265f69137cc019731e5ca036fe7251c78eb45ed8562876222a9e110534cb6891aa4e2746f74c546b1

C:\Windows\System\fSbfqpv.exe

MD5 06d761d6f637513a15223d31f02b53d3
SHA1 0b755cff50f4feaaab82641a227a1848fd407931
SHA256 692c3e00cee9b42cea9f52fc846e641d8af7c93020badd521849ea8bab69f7f8
SHA512 5c5f3a0973b31a7e07235941018a1443be48451709907d632d3885114f26dc42899ac8080b396a555f1b53c81d5f895d7050ccdc3ab5098271d5fd4cf8223b89

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-07 21:22

Reported

2024-08-07 21:24

Platform

win7-20240708-en

Max time kernel

141s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows collapsed into one; the UPX signature matched 64 times with no indicator, process or target recorded, consistent with the original sample and every dropped executable being UPX packed)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\PoLAAQB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sDbDaTs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TQNmgNj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\teujFDu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qAQBdKL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hDvEphV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WVHaDQt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QEXUrYH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SQFmEtJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oMxdFld.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gutXRzS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Oxiefhl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ngFulew.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zPYJqsA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UBJGbdq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\csxZMCi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TWkDkvz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NQGFXjv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DdTxmnf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PatBCtr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Hilptlz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2052 wrote to memory of 2360 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WVHaDQt.exe
PID 2052 wrote to memory of 2844 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PoLAAQB.exe
PID 2052 wrote to memory of 2960 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\csxZMCi.exe
PID 2052 wrote to memory of 2984 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gutXRzS.exe
PID 2052 wrote to memory of 2548 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sDbDaTs.exe
PID 2052 wrote to memory of 2976 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TQNmgNj.exe
PID 2052 wrote to memory of 2868 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\teujFDu.exe
PID 2052 wrote to memory of 2740 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Hilptlz.exe
PID 2052 wrote to memory of 2724 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Oxiefhl.exe
PID 2052 wrote to memory of 2256 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TWkDkvz.exe
PID 2052 wrote to memory of 2732 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qAQBdKL.exe
PID 2052 wrote to memory of 2144 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hDvEphV.exe
PID 2052 wrote to memory of 3016 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QEXUrYH.exe
PID 2052 wrote to memory of 2464 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NQGFXjv.exe
PID 2052 wrote to memory of 1140 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SQFmEtJ.exe
PID 2052 wrote to memory of 2252 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DdTxmnf.exe
PID 2052 wrote to memory of 1968 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oMxdFld.exe
PID 2052 wrote to memory of 2636 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ngFulew.exe
PID 2052 wrote to memory of 1280 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zPYJqsA.exe
PID 2052 wrote to memory of 2416 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PatBCtr.exe
PID 2052 wrote to memory of 1204 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UBJGbdq.exe
(Each of the 21 child processes received exactly three writes from the parent, PID 2052; the three identical rows per child have been collapsed into one.)
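The two tables above ("Drops file in Windows directory" and "Suspicious use of WriteProcessMemory") together describe one behaviour: a single parent writes 21 executables into C:\Windows\System\ and then launches every one of them. The following is an added detection example written for this report, not code from the sandbox or from the sample. It assumes endpoint telemetry reduced to one event per line in a simplified "type|pid|ppid|image|target" form standing in for Sysmon Event ID 11 (FileCreate) and Event ID 1 (ProcessCreate); the sample events are constructed, reusing the report's PIDs, Temp-folder parent and three of the dropped names, plus benign lines that must not fire.

```python
r"""
Drop-then-execute correlation over endpoint telemetry.

Added example, not part of the sandbox report. Flags a parent that creates
.exe files directly under C:\Windows\System\ and then spawns them, the
pattern recorded for PID 2052 in this report.
"""
import re
from collections import defaultdict

# An .exe directly under <drive>:\Windows\System\ (System32 does not match).
DROP_PATH_RE = re.compile(r"^[a-z]:\\windows\\system\\[^\\]+\.exe$", re.I)
# The dropped names in this report are seven random letters; used only to
# annotate hits, never as the sole trigger.
RANDOM_NAME_RE = re.compile(r"\\[A-Za-z]{7}\.exe$")

# Constructed sample telemetry (assumed format "type|pid|ppid|image|target").
# The 2052 lines mirror the report; the rest is benign noise that must not fire.
SAMPLE_EVENTS = r"""
FileCreate|2052|1200|C:\Users\Admin\AppData\Local\Temp\sample.exe|C:\Windows\System\PoLAAQB.exe
FileCreate|2052|1200|C:\Users\Admin\AppData\Local\Temp\sample.exe|C:\Windows\System\WVHaDQt.exe
FileCreate|2052|1200|C:\Users\Admin\AppData\Local\Temp\sample.exe|C:\Windows\System\csxZMCi.exe
ProcessCreate|2360|2052|C:\Windows\System\WVHaDQt.exe|
ProcessCreate|2844|2052|C:\Windows\System\PoLAAQB.exe|
ProcessCreate|2960|2052|C:\Windows\System\csxZMCi.exe|
FileCreate|900|4|C:\Windows\System32\svchost.exe|C:\Windows\System32\LogFiles\setup.log
ProcessCreate|5100|4500|C:\Windows\System32\notepad.exe|
ProcessCreate|5200|4500|C:\Windows\System\legacy.exe|
"""


def parse_events(text):
    """Split the line-oriented telemetry into dicts; 'target' is empty for
    ProcessCreate lines."""
    events = []
    for line in text.strip().splitlines():
        etype, pid, ppid, image, target = line.split("|", 4)
        events.append({"type": etype, "pid": int(pid), "ppid": int(ppid),
                       "image": image, "target": target})
    return events


def correlate(events, threshold=3):
    r"""Return {parent_pid: [executed dropped images]} for every parent that
    both created an .exe under C:\Windows\System\ and later spawned it.
    Parents below `threshold` executed drops are dropped from the result so
    that one legitimate installer does not alert; this sample has 21."""
    dropped = defaultdict(set)  # creator pid -> lowercase paths it created
    for ev in events:
        if ev["type"] == "FileCreate" and DROP_PATH_RE.match(ev["target"]):
            dropped[ev["pid"]].add(ev["target"].lower())
    hits = defaultdict(list)
    for ev in events:
        if ev["type"] != "ProcessCreate":
            continue
        # The child must be spawned by the same PID that wrote the file.
        if ev["image"].lower() in dropped.get(ev["ppid"], ()):
            hits[ev["ppid"]].append(ev["image"])
    return {pid: imgs for pid, imgs in hits.items() if len(imgs) >= threshold}


def describe(hits):
    """One human-readable alert line per offending parent."""
    lines = []
    for pid, images in hits.items():
        random_named = sum(1 for i in images if RANDOM_NAME_RE.search(i))
        lines.append(f"parent PID {pid}: executed {len(images)} self-dropped "
                     f"executables from C:\\Windows\\System\\ "
                     f"({random_named} with 7-letter random names)")
    return lines


if __name__ == "__main__":
    for alert in describe(correlate(parse_events(SAMPLE_EVENTS))):
        print(alert)
```

The rule keys on the creator PID being the spawner, not on the file names; the seven-letter names are reported only as supporting context, since a sample that changes its naming scheme would otherwise evade the rule. The threshold is a tunable assumption, set low enough that the first few drops of a run like this one already trip it.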

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\WVHaDQt.exe

C:\Windows\System\WVHaDQt.exe

C:\Windows\System\PoLAAQB.exe

C:\Windows\System\PoLAAQB.exe

C:\Windows\System\csxZMCi.exe

C:\Windows\System\csxZMCi.exe

C:\Windows\System\gutXRzS.exe

C:\Windows\System\gutXRzS.exe

C:\Windows\System\sDbDaTs.exe

C:\Windows\System\sDbDaTs.exe

C:\Windows\System\TQNmgNj.exe

C:\Windows\System\TQNmgNj.exe

C:\Windows\System\teujFDu.exe

C:\Windows\System\teujFDu.exe

C:\Windows\System\Hilptlz.exe

C:\Windows\System\Hilptlz.exe

C:\Windows\System\Oxiefhl.exe

C:\Windows\System\Oxiefhl.exe

C:\Windows\System\TWkDkvz.exe

C:\Windows\System\TWkDkvz.exe

C:\Windows\System\qAQBdKL.exe

C:\Windows\System\qAQBdKL.exe

C:\Windows\System\hDvEphV.exe

C:\Windows\System\hDvEphV.exe

C:\Windows\System\QEXUrYH.exe

C:\Windows\System\QEXUrYH.exe

C:\Windows\System\NQGFXjv.exe

C:\Windows\System\NQGFXjv.exe

C:\Windows\System\SQFmEtJ.exe

C:\Windows\System\SQFmEtJ.exe

C:\Windows\System\DdTxmnf.exe

C:\Windows\System\DdTxmnf.exe

C:\Windows\System\oMxdFld.exe

C:\Windows\System\oMxdFld.exe

C:\Windows\System\ngFulew.exe

C:\Windows\System\ngFulew.exe

C:\Windows\System\zPYJqsA.exe

C:\Windows\System\zPYJqsA.exe

C:\Windows\System\PatBCtr.exe

C:\Windows\System\PatBCtr.exe

C:\Windows\System\UBJGbdq.exe

C:\Windows\System\UBJGbdq.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp (6 identical connection entries collapsed into one; no domain was resolved, the host was contacted directly by IP address on port 8080)

Files

memory/2052-0-0x000000013F760000-0x000000013FAB1000-memory.dmp

memory/2052-1-0x00000000002F0000-0x0000000000300000-memory.dmp

\Windows\system\WVHaDQt.exe

MD5 c5f0b58971cf3b26a14478c69b64fa9d
SHA1 91fc4147d2b590cdbb60fb9babd439704fa9d74f
SHA256 73c239d137b39a1550e5c38310a61deb51b391485ca5261c4429a2bfffb11c31
SHA512 619f15cd37894d11aa4010c27b01a7d538d8c0991d992813499cea053656abb49c4d7b015f2fc1b6123ddc66dbd7ec72d397da127ecc7a0ff84c79de25d4f5d7

C:\Windows\system\PoLAAQB.exe

MD5 47cfb92a306004984eeaabc176c956ab
SHA1 21de25a117f89ab0a70ce763e232a35761eb22ec
SHA256 e2a76aa2d527108e0c43e7b885c5f755741a33cd5e7d1855ace976ee76d47113
SHA512 e4a4ed02932a2e1660b05ba06be141176c5b0e14fafc85be2275ed70396829f458cdd004b195eb9e4b744c09f578dfb4be9ab329250285a27cbf14baef35497b

C:\Windows\system\csxZMCi.exe

MD5 0bbca82190adcecac7ff87d629321317
SHA1 a6c3fa0a316bcb9da1b6726aaea7468bf29e74be
SHA256 72b363e36d6fcfaa4f2e38cf094c9e31f28edb9ae09718c93a0ccdc2f8840436
SHA512 febceeea33ac622dc335080aa487a7110889e7b9384e67758f972e5db54b4a98b8a40b455f24cf45a194e4c400ba3af76b942609c48d0daa84307c8b28501bb9

memory/2052-12-0x00000000021C0000-0x0000000002511000-memory.dmp

memory/2360-14-0x000000013F810000-0x000000013FB61000-memory.dmp

memory/2960-21-0x000000013F1F0000-0x000000013F541000-memory.dmp

\Windows\system\gutXRzS.exe

MD5 f9fc120c322580050396855ef69e6d73
SHA1 21e386d0ed61c46f4dbde064d4b08fc7d4b2eefa
SHA256 2ecbf8744dd032ce84cbb03bd5a69ac05148711c1465c32d8fb3a534bcff6a70
SHA512 2b4c8f8c16ad0d5bcb9f5ce04f0fe1425b4caf3ccd4110c8629d4ccb1cd29ece7498603958bc6fd8d28958f1e228fd695b5f19f5109e9f9ef97f5535dbf20dde

memory/2052-19-0x000000013F1F0000-0x000000013F541000-memory.dmp

memory/2984-28-0x000000013FA60000-0x000000013FDB1000-memory.dmp

memory/2052-30-0x00000000021C0000-0x0000000002511000-memory.dmp

\Windows\system\sDbDaTs.exe

MD5 17fc0e0ac290c86f673ef69dc4f5c2ab
SHA1 e9630b93342b208c18ff203a60a345c3dbb9b3ee
SHA256 a94af87f88450e5338280b79ee6a5c1b7e9dc9e0525be5fd25a306e6abfccdbd
SHA512 81568501f94ff82606c318fe0c8a37e70396fdd79e8664cb825c283f500b6016661ea77814f3a1fd6e0f465f2717c7a4092f20fde1e35374b4046897d1292292

memory/2052-26-0x00000000021C0000-0x0000000002511000-memory.dmp

memory/2844-18-0x000000013FF40000-0x0000000140291000-memory.dmp

\Windows\system\TQNmgNj.exe

MD5 a6e5355a9982d3ff1bdfbc2318ea1c90
SHA1 61b1d3db1aa27c6ae59e6d744afbb3bc42016461
SHA256 a5c82f986b90244713a2983c2541fb3688b84c914fab80f468f4764c851eed3d
SHA512 f6f847378a87d95d894e71a0582e42c67fc5e4bcaef808b89042d679194918f326d9d6cfc4912a2566107ebfe9b3dcdee4bc4406aa83924a17615fe69692818a

C:\Windows\system\Hilptlz.exe

MD5 8da69db9400807ff97a013c1b62d09b7
SHA1 df1527aa8997970315aa697f0d49cd16a1aa29e1
SHA256 95f2374f8891ae455553ed25c8d0e951c21d9f8c85ce3ca2c49413c3e4cb05ca
SHA512 d6d029ae46849e076e502c813421f60a197e2082cacec4ac0671eed79abca04af3e799e4fa8f453f0d1f813b9685efad81846d952c33a7ce40ade889f815e037

C:\Windows\system\Oxiefhl.exe

MD5 c689ffcfbf20e31dec2af24f8e7d1d59
SHA1 71f3f073f6e09044b8ce14b5fae3cace559cc291
SHA256 ac524514ea808bf2f740008c4c9140c3992a58d41e4835f1e6dc1446dee23e1f
SHA512 d8452cd5e7e3d6e00463aaf1dfdaa9808897d5e0c9aab4480eca17b40c601e73d427d10807577fc81ab2c5f2568c40ad8e481a3c7e474c8520fcc3f40538a53a

C:\Windows\system\TWkDkvz.exe

MD5 fb96b22dad8e68ce11152a54ad66949b
SHA1 7474db7d1f72a65892738ef4fbbed51ee3d466c6
SHA256 48932979eb57c4a51cdf25b24a6c602622a0a9747e339eb4102f912686985592
SHA512 49ca2e1d177c301fd082abe050da5bce7d777327cd30ecdbac342dcae0d1e1da647cb2e934d82f3ec688bc1137043faa53d70288e113f2c6003eb20ffcd84690

C:\Windows\system\qAQBdKL.exe

MD5 4efb70834ff39aff196cc9ce00d90d24
SHA1 34fb31ed375215fa596d83b9e92df56a735656fe
SHA256 b0c44fdc23f9d6d267328960f6113cefd7ef25154bc8e96652272ab9ea3b5d64
SHA512 3a201cccadaf495e86c1a7a84927528525fb891afaac21e6819db6575e0e25e405975101ab12ab6c53dc6baa674e482314c85f4ae87a0b7e317ec528f63929de

C:\Windows\system\QEXUrYH.exe

MD5 3a8411f33dda34aaa668e77a23c1f354
SHA1 a29cd2c81f424ccaf85588926af24925d3b46475
SHA256 3583d8b9d74fda31965ffd92111aacd7c9bfb09ab1bb6e973765b93f4f4c73c1
SHA512 a73a5286c9705831f13b0f33ad428163fb12caa4b50e04f8ee5bf7c2c65503a2b332d897b68bd126feb7f092f593f0f3562ad548595e15f2a43d9167538897f2

C:\Windows\system\NQGFXjv.exe

MD5 fcc0d7a162dcf222f7c9a29ad4468dda
SHA1 a9d45d5aa6727cb20244aedf0dee7bd9aae03a07
SHA256 4d896ed17ad7f082c61b3db299c0fad213f237b6b8935d89d5d97cb036911ec3
SHA512 097ca18acc25633a94b4ec3445fee5b75c245684c0544922503245d14380b49dd1d58df317367030ac1bd327a8deb72c13fd4bd8647a87f824e864f040ca8416

C:\Windows\system\SQFmEtJ.exe

MD5 c20299de3fb4a5995b7a6fd11e5c6084
SHA1 82d54e332065b8a7392ac6a72e0fc8099c466023
SHA256 82e7f5fda8a3a48a926617e794cc8b39f16877053b3501268ba379487ac73dd0
SHA512 4ff46f2cff67df10207f9a4d3919811293cbc2fab18d4f8c60bc79b8b01fd28698b6bfcf3edb1a56bea85797e7ceda4adca00bd17e7e34f592f09d9cc04fb129

memory/2740-94-0x000000013F390000-0x000000013F6E1000-memory.dmp

memory/2052-95-0x00000000021C0000-0x0000000002511000-memory.dmp

memory/2976-109-0x000000013F2F0000-0x000000013F641000-memory.dmp

memory/2052-108-0x000000013FF20000-0x0000000140271000-memory.dmp

memory/2464-106-0x000000013FAC0000-0x000000013FE11000-memory.dmp

memory/2052-105-0x000000013FAC0000-0x000000013FE11000-memory.dmp

memory/3016-104-0x000000013F220000-0x000000013F571000-memory.dmp

memory/2052-103-0x000000013F220000-0x000000013F571000-memory.dmp

memory/2144-102-0x000000013FB20000-0x000000013FE71000-memory.dmp

memory/2052-101-0x000000013FB20000-0x000000013FE71000-memory.dmp

memory/2732-100-0x000000013FA70000-0x000000013FDC1000-memory.dmp

memory/2052-99-0x00000000021C0000-0x0000000002511000-memory.dmp

memory/2256-98-0x000000013F6C0000-0x000000013FA11000-memory.dmp

memory/2052-97-0x00000000021C0000-0x0000000002511000-memory.dmp

\Windows\system\oMxdFld.exe

MD5 16e0daea9ed33c35077870bbda8752c8
SHA1 5532487335242078e06a6445851ab195a5447d52
SHA256 bacd1e53ab55a37e6c80209a6baaf5809e599fd67e72f8083ef919c73c4c3630
SHA512 7b4399e3d76c92ee4a6ec6c99830948f09db849e1927e1e0153b5b2b4a1e996eeeee5ee922591fd1686e1e3f4559d3ec0234f5231593fcd1d67619849a0a7377

memory/2724-96-0x000000013FA10000-0x000000013FD61000-memory.dmp

memory/2052-84-0x000000013F390000-0x000000013F6E1000-memory.dmp

memory/2868-82-0x000000013F880000-0x000000013FBD1000-memory.dmp

memory/2052-81-0x00000000021C0000-0x0000000002511000-memory.dmp

\Windows\system\DdTxmnf.exe

MD5 f709cf51e079bbde1ae012f998b7cf40
SHA1 bda575b6e4e344f32c8fc1fbc4495028ab3f82c4
SHA256 e3639f9a0f8ddb7d1d64db12ba6a2bfa6b1e7cf362f9acee1d619d786d08d73e
SHA512 25fe9b8e65ce8837585f477f4ba4b64568ad718153f578b4061ce234185a0ed4016b6b624d57f1b807a1941b518c811354d89a3e878ea548a31c2bb1399221a5

C:\Windows\system\hDvEphV.exe

MD5 931cafea8d2ed6ebfb269da62fca1bab
SHA1 1afe3628418433931f54dfefc2a11aceb60e2f91
SHA256 920c1e49cd77b8043141798b993fb910cced0e6e817e9719d189c3954e2a9c44
SHA512 86bd25ab51dd289aea0859b210af7785304f0ad1ad28a411c2fcf277644fc6597e21313ff74cd69c5d1e6e027c6a3f4dcf8ec6b069c10e9a8184ca3295a59b8d

memory/2548-38-0x000000013F620000-0x000000013F971000-memory.dmp

C:\Windows\system\teujFDu.exe

MD5 6843e7dff61eb914b2a58c40cfae162a
SHA1 78c59c5aed1b0ceb1aaf09d4d7662f7c1e3e9f14
SHA256 7ab47ffeb1dd983af1673de7d8bff4619c9f82d81c073e0fc69037b107c1e954
SHA512 ec73df2897dfd4349876b1f4bf30f6c4bd122a4d709e63674faaa1c450c1f9802ebc9ea0d915e9b969462c0d45f6cb1c671b7711dddfdb86f7b9757c9421648a

C:\Windows\system\ngFulew.exe

MD5 1aa3d7d5702a87d22362e6a337b732b5
SHA1 8c1c1cbf7abb9c9144466cafe6cdca67760c01b3
SHA256 e0f954acbc95db1f18baa8da8c5cee87f6d2828715fd444e7a969e3bb2cba376
SHA512 8e737e11f7be1501ab1882bd8004bdd7aa9356dd646a46840f2a074547c85d00b4ec16a99a71ed09370e08edceaf0a7aecee51d89991952200ddcbff0f2ad606

C:\Windows\system\PatBCtr.exe

MD5 59beac1731ff67db66013d7ce515f6c1
SHA1 c699ac1f4d4237f9ae859aeac8563743fcb025a8
SHA256 9d28d798e0396d962e5a423ff5ea162fa960c993a000df61d7b899609690889d
SHA512 c90f19d579878ef228722130809cba7599b02113c1214137c7a31226bacf7f0c757dcaf4484478be4d1e58776f65f11670e89822e7904ddf72758d389252db5a

\Windows\system\UBJGbdq.exe

MD5 784af4c3429b445eceb70310e3cd381d
SHA1 688cc40698b88dff5abbcf5011a5bae1c92e5b69
SHA256 bff248741ff3491bc0e72beef1287819dd35f14e574ae7e6ea2337cd64d8340d
SHA512 20a8e555a6c8469fdeabd2fbdd5249de4add83e70e7660d0d7aa190b54ec515f6ac2cbed22a66c988c96623f45fde70af3ced98b4ef9afa2e93e802c9fcc62d3

C:\Windows\system\zPYJqsA.exe

MD5 d22dab7225eca05dab9c3b59170accbb
SHA1 28f86f35d639be5b1180ccc303f2c9135e9363d3
SHA256 56d9343bce2405447261dd50bcd414eb7f60599bf4e51c5a8d8fc63be6e22d5b
SHA512 1aa986ca9760fcd4875f0d57caa17b25a5c5cd328f42649ee60b8cc5a0769c6117530510c09ae51866bf995e450c89e38caa1cc1c0a78b2de2b2e8e5cd2c399c

memory/2052-134-0x000000013F760000-0x000000013FAB1000-memory.dmp

memory/2052-135-0x000000013F760000-0x000000013FAB1000-memory.dmp

memory/2252-151-0x000000013F900000-0x000000013FC51000-memory.dmp

memory/1140-150-0x000000013FF20000-0x0000000140271000-memory.dmp

memory/2740-143-0x000000013F390000-0x000000013F6E1000-memory.dmp

memory/2548-140-0x000000013F620000-0x000000013F971000-memory.dmp

memory/2984-139-0x000000013FA60000-0x000000013FDB1000-memory.dmp

memory/2960-138-0x000000013F1F0000-0x000000013F541000-memory.dmp

memory/2464-149-0x000000013FAC0000-0x000000013FE11000-memory.dmp

memory/1968-152-0x000000013F340000-0x000000013F691000-memory.dmp

memory/2052-157-0x00000000021C0000-0x0000000002511000-memory.dmp

memory/1204-156-0x000000013FF90000-0x00000001402E1000-memory.dmp

memory/2416-155-0x000000013F420000-0x000000013F771000-memory.dmp

memory/1280-154-0x000000013F6E0000-0x000000013FA31000-memory.dmp

memory/2636-153-0x000000013FB90000-0x000000013FEE1000-memory.dmp

memory/2052-158-0x000000013F760000-0x000000013FAB1000-memory.dmp

memory/2360-209-0x000000013F810000-0x000000013FB61000-memory.dmp

memory/2844-211-0x000000013FF40000-0x0000000140291000-memory.dmp

memory/2960-213-0x000000013F1F0000-0x000000013F541000-memory.dmp

memory/2984-215-0x000000013FA60000-0x000000013FDB1000-memory.dmp

memory/2548-217-0x000000013F620000-0x000000013F971000-memory.dmp

memory/2868-219-0x000000013F880000-0x000000013FBD1000-memory.dmp

memory/3016-225-0x000000013F220000-0x000000013F571000-memory.dmp

memory/2976-228-0x000000013F2F0000-0x000000013F641000-memory.dmp

memory/2740-230-0x000000013F390000-0x000000013F6E1000-memory.dmp

memory/2732-223-0x000000013FA70000-0x000000013FDC1000-memory.dmp

memory/2724-222-0x000000013FA10000-0x000000013FD61000-memory.dmp

memory/2256-232-0x000000013F6C0000-0x000000013FA11000-memory.dmp

memory/2144-234-0x000000013FB20000-0x000000013FE71000-memory.dmp

memory/2464-237-0x000000013FAC0000-0x000000013FE11000-memory.dmp
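Two things in the Files section matter for anyone turning this report into indicators. First, every child mapping has the same size: 0x13FB61000 minus 0x13F810000 is 0x351000 bytes, the same as the parent's own image region (0x13F760000 to 0x13FAB1000) and its 0x21C0000 to 0x2511000 buffer. Second, all 21 dropped files nevertheless have different hashes, so a hash blocklist only catches these exact drops and the drop-and-execute behaviour is the more durable detection. The block below is an added example, not code from the sandbox or the sample, that packages the 21 SHA256 values recorded above as an IOC set and sweeps a directory against them; the directory walk, chunked hashing and the scratch-directory self-check are this example's own assumptions.

```python
r"""
Hash-based IOC sweep for the executables this sample dropped into
C:\Windows\System\. Added example, not part of the sandbox report.
"""
import hashlib
import os
import tempfile

# SHA256 of each dropped file exactly as recorded in the Files section above.
DROPPED_SHA256 = {
    "WVHaDQt.exe": "73c239d137b39a1550e5c38310a61deb51b391485ca5261c4429a2bfffb11c31",
    "PoLAAQB.exe": "e2a76aa2d527108e0c43e7b885c5f755741a33cd5e7d1855ace976ee76d47113",
    "csxZMCi.exe": "72b363e36d6fcfaa4f2e38cf094c9e31f28edb9ae09718c93a0ccdc2f8840436",
    "gutXRzS.exe": "2ecbf8744dd032ce84cbb03bd5a69ac05148711c1465c32d8fb3a534bcff6a70",
    "sDbDaTs.exe": "a94af87f88450e5338280b79ee6a5c1b7e9dc9e0525be5fd25a306e6abfccdbd",
    "TQNmgNj.exe": "a5c82f986b90244713a2983c2541fb3688b84c914fab80f468f4764c851eed3d",
    "Hilptlz.exe": "95f2374f8891ae455553ed25c8d0e951c21d9f8c85ce3ca2c49413c3e4cb05ca",
    "Oxiefhl.exe": "ac524514ea808bf2f740008c4c9140c3992a58d41e4835f1e6dc1446dee23e1f",
    "TWkDkvz.exe": "48932979eb57c4a51cdf25b24a6c602622a0a9747e339eb4102f912686985592",
    "qAQBdKL.exe": "b0c44fdc23f9d6d267328960f6113cefd7ef25154bc8e96652272ab9ea3b5d64",
    "QEXUrYH.exe": "3583d8b9d74fda31965ffd92111aacd7c9bfb09ab1bb6e973765b93f4f4c73c1",
    "NQGFXjv.exe": "4d896ed17ad7f082c61b3db299c0fad213f237b6b8935d89d5d97cb036911ec3",
    "SQFmEtJ.exe": "82e7f5fda8a3a48a926617e794cc8b39f16877053b3501268ba379487ac73dd0",
    "oMxdFld.exe": "bacd1e53ab55a37e6c80209a6baaf5809e599fd67e72f8083ef919c73c4c3630",
    "DdTxmnf.exe": "e3639f9a0f8ddb7d1d64db12ba6a2bfa6b1e7cf362f9acee1d619d786d08d73e",
    "hDvEphV.exe": "920c1e49cd77b8043141798b993fb910cced0e6e817e9719d189c3954e2a9c44",
    "teujFDu.exe": "7ab47ffeb1dd983af1673de7d8bff4619c9f82d81c073e0fc69037b107c1e954",
    "ngFulew.exe": "e0f954acbc95db1f18baa8da8c5cee87f6d2828715fd444e7a969e3bb2cba376",
    "PatBCtr.exe": "9d28d798e0396d962e5a423ff5ea162fa960c993a000df61d7b899609690889d",
    "UBJGbdq.exe": "bff248741ff3491bc0e72beef1287819dd35f14e574ae7e6ea2337cd64d8340d",
    "zPYJqsA.exe": "56d9343bce2405447261dd50bcd414eb7f60599bf4e51c5a8d8fc63be6e22d5b",
}
IOC_SHA256 = frozenset(DROPPED_SHA256.values())
NAME_BY_HASH = {digest: name for name, digest in DROPPED_SHA256.items()}


def sha256_file(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(directory, iocs=IOC_SHA256):
    """Walk `directory` and return [(path, sha256, dropped_name_or_None)] for
    every file whose hash is in `iocs`. Unreadable files are skipped rather
    than aborting the sweep."""
    matches = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in iocs:
                matches.append((path, digest, NAME_BY_HASH.get(digest)))
    return matches


def sweep_windows_system():
    """Sweep the directory this sample wrote to. SystemRoot comes from the
    environment so the call also runs (and finds nothing) off Windows."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return sweep(os.path.join(root, "System"))


def demo_sweep():
    """Self-check on a scratch directory holding one constructed benign file:
    no hit against the report's IOCs, one hit when that file's own hash is
    supplied as the IOC set. Returns (hits_default, hits_own)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "benign.bin")
        with open(path, "wb") as f:
            f.write(b"constructed benign content, not a sample")
        default_hits = sweep(tmp)
        own_hits = sweep(tmp, iocs={sha256_file(path)})
    return len(default_hits), len(own_hits)


if __name__ == "__main__":
    print("IOC count:", len(IOC_SHA256), "self-check:", demo_sweep())
    for path, digest, dropped_as in sweep_windows_system():
        print(f"MATCH {path} {digest} (dropped as {dropped_as})")
```

Run it on a suspect host and any hit names the file the sandbox saw it dropped as; an empty result is not a clean bill, for the reason given in the lead-in.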