Malware Analysis Report

2025-03-15 08:00

Sample ID 240812-prhejsvgqa
Target 2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat
SHA256 0700987e21904a3591ab0f1ccf04ed672bae034b3664a28a784ca1f1fd1578fc
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0700987e21904a3591ab0f1ccf04ed672bae034b3664a28a784ca1f1fd1578fc

Threat Level: Known bad

The file 2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike family

Cobalt Strike reflective loader

XMRig Miner payload

xmrig

Xmrig family

Cobaltstrike

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-12 12:33

Signatures

Cobalt Strike reflective loader

1 match recorded; description, indicator, process and target were not captured in this export.

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
1 match recorded; description, indicator, process and target were not captured in this export.

Xmrig family

xmrig

UPX packed file

upx
1 match recorded; description, indicator, process and target were not captured in this export.

Unsigned PE

1 match recorded; description, indicator, process and target were not captured in this export.

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-12 12:33

Reported

2024-08-12 12:36

Platform

win7-20240708-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

21 matches recorded; description, indicator, process and target were not captured in this export.

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
63 matches recorded; description, indicator, process and target were not captured in this export.

Loads dropped DLL

21 events recorded, all by process C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe; the loaded DLL (indicator) and target were not captured in this export.

UPX packed file

upx
60 matches recorded; description, indicator, process and target were not captured in this export.

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\RpadWjF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EXrNPUH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NrmYKjC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hvIddiX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\neQcFhZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aUxYlIa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xeEOHvm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XbHHpWb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aSgduja.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GhszTtc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gcKuoqh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zldolEO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yEJNdKP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cLOrxKa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sbEqAkF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EyFCwVN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QwzyLni.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iIHoTeD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wNmqHsh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yhOzizr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rviJBmM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Source process for every row: C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe (PID 1988). Each target received three recorded writes; no indicator was captured.

Target PID Target process Writes
2208 C:\Windows\System\neQcFhZ.exe 3
2716 C:\Windows\System\sbEqAkF.exe 3
2792 C:\Windows\System\GhszTtc.exe 3
2632 C:\Windows\System\RpadWjF.exe 3
2800 C:\Windows\System\EXrNPUH.exe 3
2756 C:\Windows\System\EyFCwVN.exe 3
2620 C:\Windows\System\aUxYlIa.exe 3
2536 C:\Windows\System\xeEOHvm.exe 3
2956 C:\Windows\System\gcKuoqh.exe 3
2244 C:\Windows\System\zldolEO.exe 3
2844 C:\Windows\System\QwzyLni.exe 3
2996 C:\Windows\System\XbHHpWb.exe 3
1780 C:\Windows\System\aSgduja.exe 3
1892 C:\Windows\System\iIHoTeD.exe 3
1884 C:\Windows\System\yEJNdKP.exe 3
976 C:\Windows\System\wNmqHsh.exe 3
1824 C:\Windows\System\NrmYKjC.exe 3
924 C:\Windows\System\yhOzizr.exe 3
2608 C:\Windows\System\cLOrxKa.exe 3
2824 C:\Windows\System\hvIddiX.exe 3
2128 C:\Windows\System\rviJBmM.exe 3
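Every target in the WriteProcessMemory table is a process whose image the dropper itself wrote to C:\Windows\System moments earlier (compare the "Drops file in Windows directory" table), and no write into a pre-existing system process is recorded. A parent writing into a child it has just spawned is commonly recorded for ordinary process creation as well, so this signature on its own does not establish code injection; the discriminating signal is a write into a process whose image the writer did not create. The Python below is an added example, not tooling from the sandbox that produced this report: it parses rows in the report's own format, cross-references the dropped-file list, and reports which write pairs deserve escalation. The three real targets are copied from the table above; the explorer.exe row is a hypothetical addition that does not appear in the report, included only to show the check firing. Function names are this example's own.

```python
"""Rebuild who-wrote-into-whom from rows in the report's WriteProcessMemory format and
separate writes into a process the writer itself dropped from writes into any other
process. Added example; not tooling from the sandbox that produced the report."""
import re

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99"
           r"_cobalt-strike_cobaltstrike_poet-rat.exe")

# Constructed input. The first three targets (three writes each) are copied from the
# table above; the final row is HYPOTHETICAL and not in the report, added only to show
# what a write into a process the writer did not create looks like.
ROWS = (
    [f"PID 1988 wrote to memory of 2208 N/A {DROPPER} C:\\Windows\\System\\neQcFhZ.exe"] * 3
    + [f"PID 1988 wrote to memory of 2716 N/A {DROPPER} C:\\Windows\\System\\sbEqAkF.exe"] * 3
    + [f"PID 1988 wrote to memory of 2792 N/A {DROPPER} C:\\Windows\\System\\GhszTtc.exe"] * 3
    + ["PID 2208 wrote to memory of 1400 N/A C:\\Windows\\System\\neQcFhZ.exe C:\\Windows\\explorer.exe"]
)

# Subset of the "Drops file in Windows directory" table: dropper image -> files it created.
DROPPED_BY = {
    DROPPER.lower(): {p.lower() for p in (
        r"C:\Windows\System\neQcFhZ.exe", r"C:\Windows\System\sbEqAkF.exe",
        r"C:\Windows\System\GhszTtc.exe")},
}

# Paths in this report contain no spaces, so \S+ is enough; quote-aware splitting
# would be needed for paths such as "C:\Program Files\...".
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(rows):
    """Return a list of (src_pid, dst_pid, src_image, dst_image), one per table row."""
    events = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"row not in expected format: {row!r}")
        src, dst, src_img, dst_img = m.groups()
        events.append((int(src), int(dst), src_img, dst_img))
    return events


def classify(events, dropped_by):
    """Group writes per (src_pid, dst_pid) and label each pair:
    'own-dropped-child' when the target image was written to disk by the writer itself
    (the dropper -> payload pattern seen throughout this report), otherwise 'foreign'."""
    summary = {}
    for src, dst, src_img, dst_img in events:
        entry = summary.setdefault((src, dst), {"src_image": src_img, "dst_image": dst_img, "writes": 0})
        entry["writes"] += 1
        own = dst_img.lower() in dropped_by.get(src_img.lower(), set())
        entry["kind"] = "own-dropped-child" if own else "foreign"
    return summary


def foreign_targets(summary):
    """Pairs worth escalating: writes into a process whose image the writer did not drop."""
    return sorted(f"{s}->{d} {v['dst_image']}" for (s, d), v in summary.items() if v["kind"] == "foreign")


if __name__ == "__main__":
    summary = classify(parse_rows(ROWS), DROPPED_BY)
    for (s, d), v in sorted(summary.items()):
        print(f"{s} -> {d}: {v['writes']} writes, {v['kind']}, target {v['dst_image']}")
    print("foreign targets:", foreign_targets(summary))
```

Run against the full 63-row table, every pair comes back as own-dropped-child with three writes; only the hypothetical explorer.exe row is flagged.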

Processes

For every process the recorded command line is the image path (quoted for the dropper only). PIDs are those recorded for the same images in the WriteProcessMemory table above.

PID Image
1988 "C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe"
2208 C:\Windows\System\neQcFhZ.exe
2716 C:\Windows\System\sbEqAkF.exe
2792 C:\Windows\System\GhszTtc.exe
2632 C:\Windows\System\RpadWjF.exe
2800 C:\Windows\System\EXrNPUH.exe
2756 C:\Windows\System\EyFCwVN.exe
2620 C:\Windows\System\aUxYlIa.exe
2536 C:\Windows\System\xeEOHvm.exe
2956 C:\Windows\System\gcKuoqh.exe
2244 C:\Windows\System\zldolEO.exe
2844 C:\Windows\System\QwzyLni.exe
2996 C:\Windows\System\XbHHpWb.exe
1780 C:\Windows\System\aSgduja.exe
1892 C:\Windows\System\iIHoTeD.exe
1884 C:\Windows\System\yEJNdKP.exe
976 C:\Windows\System\wNmqHsh.exe
1824 C:\Windows\System\NrmYKjC.exe
924 C:\Windows\System\yhOzizr.exe
2608 C:\Windows\System\cLOrxKa.exe
2824 C:\Windows\System\hvIddiX.exe
2128 C:\Windows\System\rviJBmM.exe

Network

Country Destination Domain Proto Connections
DE 3.120.209.58:8080 (none recorded) tcp 6

Files

memory/1988-1-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/1988-0-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\neQcFhZ.exe

MD5 de9141aeb7c90d2e13d07da0fd62d805
SHA1 a39923eaab5fd672710f35d2986c676a56b70a7e
SHA256 ff882184643f58c9408112843a043585f5c65329cff6f651f5ff40e2c9546eda
SHA512 1fa4925b5b2e23babec2efe3f7b31caee2aa9769bd4753aef9849c815d371b240604c0a96c37cef7a754fdf85651618702629d596a2a274e0ef271a2eccc6ef6

memory/2208-9-0x000000013F700000-0x000000013FA54000-memory.dmp

memory/1988-8-0x0000000002490000-0x00000000027E4000-memory.dmp

\Windows\system\sbEqAkF.exe

MD5 3bf7c81a9a783b976c58b2c1002a96d7
SHA1 1ddc5ce4ff6a73464cf5d3de6e0429084f955725
SHA256 b3464f7fb8072fd35a3a2453550c7ec7244f4959751b5bc244d5977b2f8defee
SHA512 0bf079a85286cd3c1ea78376ef446d7bc0b315d690cf90984cf49da320f300249fcbb9ad037dd94658393dee23fe6eb675832261f1bae3503507efd50356709a

C:\Windows\system\RpadWjF.exe

MD5 dba992b3ebed4d0211bcfddb13b48cec
SHA1 087b907c9b54d839bd386ce351f3b179f573c41f
SHA256 f9f2a56c15e9b97967c7212da604448fe46c0575728c8000fedd30e14e9d91e1
SHA512 53719650940eeb7375de5aa0bd099c9d8be19f08d4ee211bf9bb33b58b05c0cdccf56220ada5983b774677e0e84f23fda609d30096275f6fc1e25259ea6a98d0

memory/2632-35-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/1988-41-0x0000000002490000-0x00000000027E4000-memory.dmp

memory/1988-38-0x000000013FA10000-0x000000013FD64000-memory.dmp

memory/2620-50-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/2536-57-0x000000013F5E0000-0x000000013F934000-memory.dmp

memory/2244-71-0x000000013F9F0000-0x000000013FD44000-memory.dmp

C:\Windows\system\QwzyLni.exe

MD5 0f8fb88407f1571387a83193e29b3613
SHA1 641923715a573cfd6df7438814e1be5c29de4c2e
SHA256 bdaace517afb1b0ec29907fb16b1aa0978581db2c6865f0939b59dc8b9879ad5
SHA512 2254875cd7dc2379bbf76e045335b04d27cb01760ffb64ac07480b1fabe2538e6aa8a3ca9b59fbcdf3a5b831f3292a60ce2f9cfaf835d48850f77a880f443bd8

C:\Windows\system\yEJNdKP.exe

MD5 881253e03528deefdace57795e81e851
SHA1 87b3a8339f1dd92a46890dcc19cce407733b7c24
SHA256 64b03f7ad109a7d48b209ddfa1f2124621814d36ff9c3b4ad574cd45b7bfc86b
SHA512 cc934560ec086f5189c4695d636a20082ee8a74b557739f944208a00157ee13a3e7d9e6ffdedcbc2b50d7bc61bc32fbe7d848badb9f68bfd367711cd353698d4

C:\Windows\system\yhOzizr.exe

MD5 4ee9f1a45bc640b84ef5cc6a6eba1f7a
SHA1 b07d860a00c0f46167dae1d20432d55aa3cd33f1
SHA256 eaf7b3cd4e3b393d789c0a2f0857b9b1fc8fabd45f6385f359e1c4b93b329a63
SHA512 a18cb0c1c324be8ee814b14ae6c3842130a0d271130ccbe9a841c0817b7ee3533d141d88721426a1c46575a4730d583931c93c112679df6ca3cc92dada93319c

C:\Windows\system\hvIddiX.exe

MD5 1603a50da2ac4e4184c3a5bd4ec26715
SHA1 426f063d7d41cf07cc1e98b299939d8832ee5ab0
SHA256 3e410edce4601f4158df4472852372b78c8503ad2c551fda8cc38935dc52a0ca
SHA512 6acdeac6158b8beba312076f45fcb3bec4d21823b500ecb243ca6e2caeaacedefebf04e5332bd20379814c5a399c7750763912ccf8e6ee533d1950c470e0a00f

C:\Windows\system\cLOrxKa.exe

MD5 9b536f8e6b408fc5d8fd381b6dd6bbb6
SHA1 29175b2cb441f8f8d6d26df6ca9e8f8f6c0f2110
SHA256 8bd80903e1e1ecd7e570dd96d76827dd0b24aa60226b1e482c18ebef5e3ae408
SHA512 e5d3ffaa6d08367e7d91ad1b7584d19b45fdc453512e6a3e12a7f254f9b5a7a857a1364a75617fdb31b92d55c2c8ad9b5a634c3981ed02baed2291a3b7d13a03

\Windows\system\rviJBmM.exe

MD5 8e3a7a36267ab153f8ee547ba09cac20
SHA1 d44554d88a71d76899b949b7d565086179ea36d4
SHA256 c65f932da44e810a2cc04a1d9896abe8332c71d0b7d50b751e80a780efc376d6
SHA512 f6339413bf71ee8d2b73b40c74bf62360e729643b445d3fddecaecdeab2899de43f3d46d18e5c2506a9836099a5680e9a74c0cbe5f7757d7d8d4d613b9035174

C:\Windows\system\NrmYKjC.exe

MD5 df628d41112e15fe14856e2a829d78f8
SHA1 eda9674e3e3997feba37b7974572d6b0cb6f7f83
SHA256 fb28f8fff7c3d88d6e6216887d537e3222a31c13a31c7b7f85c1b718f8bacbbb
SHA512 80b48fc60d2731595e0778088e2b2404ded3ae52b5ce371b5866112f7ef1e9967902f857737c6cc15d9ccf68c1d86bc439a854d274cc0653d15b4321f40983c0

C:\Windows\system\wNmqHsh.exe

MD5 de87307eacda07044aaf1c36aa8ba551
SHA1 d01cf78dd5c54b3f0a2b2b4106658a2550fabc95
SHA256 8d70de62f2eefb3a611a984d47e5c5ec8c4ee149060c1d8d11f5f139cebe34b2
SHA512 f76ec3bea43afc8933557a650137c79a269f627b20209874c4d82db43554cc247e9c4d864416f3a022e1a5d509626b6dd78878e97bf59a344707404a012012c2

memory/1988-106-0x000000013F2C0000-0x000000013F614000-memory.dmp

memory/1780-93-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/1988-92-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/1988-91-0x000000013FA10000-0x000000013FD64000-memory.dmp

memory/2792-90-0x000000013F4C0000-0x000000013F814000-memory.dmp

memory/1892-99-0x000000013F260000-0x000000013F5B4000-memory.dmp

memory/1988-98-0x000000013F260000-0x000000013F5B4000-memory.dmp

C:\Windows\system\aSgduja.exe

MD5 777495f34695890be140146dc19b49a2
SHA1 f3c4aadac67c4333307830db7feb67d01627d006
SHA256 902bda784111a3aa8a802e743b4ebebe5dfcd5c0ebee952c77ad22283b21a6cc
SHA512 5547b569bcbda265885600b46b3f988cb6201c426cf967be79f0b002875d05f445c12cfe52e927aa76ac5931e48d4df420ae3a270d0cb6deb7b8b67bcb1e1340

C:\Windows\system\iIHoTeD.exe

MD5 81cf1f4fb587d625113f5b855ca827ec
SHA1 d7932b6d28df6b47ce562061a4c79b81ebf06193
SHA256 3f6df06acb7e3218bf1bed8deb36401d2bd2c21ce34536ebc997451a4396975e
SHA512 cbc54504363d7719138acd767c43e6ff00df038e1f65cf209f767c967eb5ac925bf6bf22e175bec2aa3e723ffaf76626873d70504f425fe1ab8e7c33f2c684ea

memory/2996-84-0x000000013F0E0000-0x000000013F434000-memory.dmp

memory/2844-78-0x000000013F460000-0x000000013F7B4000-memory.dmp

memory/1988-77-0x000000013F680000-0x000000013F9D4000-memory.dmp

C:\Windows\system\XbHHpWb.exe

MD5 ccff7e3ccfc028e6b77a946be770e27d
SHA1 d6ee6cc6dfeae3c4f519f28161f32c9a2b22c956
SHA256 bc7483d7a82ce7d00a06d24ce67e985c46d02e21a4395388f7ed45a243558c8e
SHA512 d5b377f45c9a381deae26d1005caba0a53514f76fd1e8b490982c3535bf24300c014c98bb2c612556fc6b7d643ba0265a545ffb7143cd52c63a320a5e07ea515

memory/1988-70-0x000000013F9F0000-0x000000013FD44000-memory.dmp

C:\Windows\system\zldolEO.exe

MD5 14114cd50a95d31b85b42cf12e8708d4
SHA1 45e1d3f1f5d896e919014bbc65b71b986186ac34
SHA256 3814e06753982e034266eeba9727681a4f7dd59d2361ce3bdc24b5a2dfabfe80
SHA512 16dffded411ffcc3af863b4491eed9d9b62e353428337ba7960834370e6f12d225924697d371ab5784cb85c12ba8ba996567fedc4866d4ae21c032bceb5dfae9

memory/2956-64-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/1988-63-0x0000000002490000-0x00000000027E4000-memory.dmp

C:\Windows\system\gcKuoqh.exe

MD5 c2010f1403050ee6d161a53e5fc3fb05
SHA1 a143ea9d302f6682831db13bbcffc4a9929c00f8
SHA256 cdf1e4969dbb98965fa12c985341503740c0f08f042a4b62845344309b34e017
SHA512 230fbe0bf085ad1bcc1b919fe51ae449285246fbdf0fbccd0ff6f4756e4b92a03ae4df549b73f90adf2a9e3267b887a4da28cda9a0a22ce860d5f17959efd265

memory/1988-56-0x0000000002490000-0x00000000027E4000-memory.dmp

C:\Windows\system\xeEOHvm.exe

MD5 3fa3af31427933e0a49f62fe7d887811
SHA1 22334a44dc39f83b86e0329405daed35a2ed8b53
SHA256 8fc1ee820d8b8e915adbe1e990b1f6eb40da6b5991f27ad73877ef76cc1cb65a
SHA512 dda0ae5f92c07b66d86b31d268cdee457ba332afa0d5e305d61a9cb98de718d93fbb02c20036a02acf2e9c16d50b94a2a6fe0894d63e3df16c683c9dd9c70916

C:\Windows\system\aUxYlIa.exe

MD5 b2a2aea60e31190bd38ec28677852545
SHA1 0dd8c430546603059fce9ca9973a4e5b49208b8e
SHA256 d05bf37ce1d756d87e63bb6c6eb05c284e4209923fb80047ef860223fb316c70
SHA512 97f91bc3aebddbba4dc2b40d327d220d4164b6862406967ba20e1939dba67c70fb86cbd764adf2af53b4ac09d3636c1cbbf4038cfa40d91058347dcea504b6c8

memory/1988-48-0x0000000002490000-0x00000000027E4000-memory.dmp

memory/2756-47-0x000000013FA10000-0x000000013FD64000-memory.dmp

memory/2800-46-0x000000013F810000-0x000000013FB64000-memory.dmp

memory/1988-45-0x0000000002490000-0x00000000027E4000-memory.dmp

memory/2620-137-0x000000013F840000-0x000000013FB94000-memory.dmp

C:\Windows\system\EyFCwVN.exe

MD5 a05c0f5513051e9bebfe5b7701bd6c82
SHA1 02fa1d530e7637baf5c0d976d6933c19a1e3b850
SHA256 feaa03bbcf83c6520129b777e907b053bfc9a17339c95f4f8bbe4ac0af7fe307
SHA512 7745652331bf03dcba4933c0ab41a91dabf72335b767cd7aaa6323f98dd00ab00035c227a117c42e6a9332d9356412533d510701c230cb29013cc6575a2d33ba

C:\Windows\system\EXrNPUH.exe

MD5 b2439c13507ad9c1044743c890160aa2
SHA1 65b9c3e15c133cb7fa73b3f0e81072ac11c1c900
SHA256 17771bec588e143a02a02963ae7bb149f821b29e0d08d452691efd6be3b2483e
SHA512 121a460d1456bffaefcb409747da6ec28ce8e21441a3ef6c53b9799d102ee3e88113bb48c55796d25c5069d5427f952e9b8400381e77ad7dbdba4cdb80cf754a

memory/2792-30-0x000000013F4C0000-0x000000013F814000-memory.dmp

memory/1988-24-0x0000000002490000-0x00000000027E4000-memory.dmp

memory/2716-20-0x000000013F900000-0x000000013FC54000-memory.dmp

C:\Windows\system\GhszTtc.exe

MD5 0767435a98d235abbb7d3ea6fbff7545
SHA1 40ad8f8f64f84f67102db288e0d85a8094c74954
SHA256 465445dc0fbd9b1f333f07e65d93c7b909a1f222c8dae119e92c65c647a26ce0
SHA512 785bf2cfe536251716d2b5e3d4765b99c24964cb1d88591f5ee40042bdf08721b65880b7c8876cfff7f0d54cbbc71326ac1e0fd8823c29a21fbd8bbbfde3ff28

memory/1988-17-0x0000000002490000-0x00000000027E4000-memory.dmp

memory/2536-138-0x000000013F5E0000-0x000000013F934000-memory.dmp

memory/2956-139-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/2244-140-0x000000013F9F0000-0x000000013FD44000-memory.dmp

memory/1988-141-0x0000000002490000-0x00000000027E4000-memory.dmp

memory/2844-142-0x000000013F460000-0x000000013F7B4000-memory.dmp

memory/2996-143-0x000000013F0E0000-0x000000013F434000-memory.dmp

memory/1988-144-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/1780-145-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/1988-146-0x000000013F260000-0x000000013F5B4000-memory.dmp

memory/1892-147-0x000000013F260000-0x000000013F5B4000-memory.dmp

memory/1988-148-0x000000013F2C0000-0x000000013F614000-memory.dmp

memory/2208-149-0x000000013F700000-0x000000013FA54000-memory.dmp

memory/2716-150-0x000000013F900000-0x000000013FC54000-memory.dmp

memory/2632-151-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/2756-153-0x000000013FA10000-0x000000013FD64000-memory.dmp

memory/2792-152-0x000000013F4C0000-0x000000013F814000-memory.dmp

memory/2620-155-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/2800-154-0x000000013F810000-0x000000013FB64000-memory.dmp

memory/2536-156-0x000000013F5E0000-0x000000013F934000-memory.dmp

memory/2956-157-0x000000013F740000-0x000000013FA94000-memory.dmp

memory/2244-158-0x000000013F9F0000-0x000000013FD44000-memory.dmp

memory/2844-159-0x000000013F460000-0x000000013F7B4000-memory.dmp

memory/2996-160-0x000000013F0E0000-0x000000013F434000-memory.dmp

memory/1892-161-0x000000013F260000-0x000000013F5B4000-memory.dmp

memory/1780-162-0x000000013F0D0000-0x000000013F424000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-12 12:33

Reported

2024-08-12 12:36

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\QwzyLni.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XbHHpWb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aSgduja.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hvIddiX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sbEqAkF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EXrNPUH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zldolEO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iIHoTeD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yEJNdKP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wNmqHsh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yhOzizr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RpadWjF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EyFCwVN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gcKuoqh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NrmYKjC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rviJBmM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GhszTtc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aUxYlIa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cLOrxKa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\neQcFhZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xeEOHvm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3092 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\neQcFhZ.exe
PID 3092 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\neQcFhZ.exe
PID 3092 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sbEqAkF.exe
PID 3092 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sbEqAkF.exe
PID 3092 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GhszTtc.exe
PID 3092 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GhszTtc.exe
PID 3092 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RpadWjF.exe
PID 3092 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RpadWjF.exe
PID 3092 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EXrNPUH.exe
PID 3092 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EXrNPUH.exe
PID 3092 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EyFCwVN.exe
PID 3092 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EyFCwVN.exe
PID 3092 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aUxYlIa.exe
PID 3092 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aUxYlIa.exe
PID 3092 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xeEOHvm.exe
PID 3092 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xeEOHvm.exe
PID 3092 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gcKuoqh.exe
PID 3092 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gcKuoqh.exe
PID 3092 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zldolEO.exe
PID 3092 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zldolEO.exe
PID 3092 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QwzyLni.exe
PID 3092 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QwzyLni.exe
PID 3092 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XbHHpWb.exe
PID 3092 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XbHHpWb.exe
PID 3092 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aSgduja.exe
PID 3092 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aSgduja.exe
PID 3092 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iIHoTeD.exe
PID 3092 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iIHoTeD.exe
PID 3092 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yEJNdKP.exe
PID 3092 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yEJNdKP.exe
PID 3092 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wNmqHsh.exe
PID 3092 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wNmqHsh.exe
PID 3092 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NrmYKjC.exe
PID 3092 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NrmYKjC.exe
PID 3092 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yhOzizr.exe
PID 3092 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yhOzizr.exe
PID 3092 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cLOrxKa.exe
PID 3092 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cLOrxKa.exe
PID 3092 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hvIddiX.exe
PID 3092 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hvIddiX.exe
PID 3092 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rviJBmM.exe
PID 3092 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rviJBmM.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-12_91eb1276cac64e7854e4b8238219be99_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\neQcFhZ.exe

C:\Windows\System\neQcFhZ.exe

C:\Windows\System\sbEqAkF.exe

C:\Windows\System\sbEqAkF.exe

C:\Windows\System\GhszTtc.exe

C:\Windows\System\GhszTtc.exe

C:\Windows\System\RpadWjF.exe

C:\Windows\System\RpadWjF.exe

C:\Windows\System\EXrNPUH.exe

C:\Windows\System\EXrNPUH.exe

C:\Windows\System\EyFCwVN.exe

C:\Windows\System\EyFCwVN.exe

C:\Windows\System\aUxYlIa.exe

C:\Windows\System\aUxYlIa.exe

C:\Windows\System\xeEOHvm.exe

C:\Windows\System\xeEOHvm.exe

C:\Windows\System\gcKuoqh.exe

C:\Windows\System\gcKuoqh.exe

C:\Windows\System\zldolEO.exe

C:\Windows\System\zldolEO.exe

C:\Windows\System\QwzyLni.exe

C:\Windows\System\QwzyLni.exe

C:\Windows\System\XbHHpWb.exe

C:\Windows\System\XbHHpWb.exe

C:\Windows\System\aSgduja.exe

C:\Windows\System\aSgduja.exe

C:\Windows\System\iIHoTeD.exe

C:\Windows\System\iIHoTeD.exe

C:\Windows\System\yEJNdKP.exe

C:\Windows\System\yEJNdKP.exe

C:\Windows\System\wNmqHsh.exe

C:\Windows\System\wNmqHsh.exe

C:\Windows\System\NrmYKjC.exe

C:\Windows\System\NrmYKjC.exe

C:\Windows\System\yhOzizr.exe

C:\Windows\System\yhOzizr.exe

C:\Windows\System\cLOrxKa.exe

C:\Windows\System\cLOrxKa.exe

C:\Windows\System\hvIddiX.exe

C:\Windows\System\hvIddiX.exe

C:\Windows\System\rviJBmM.exe

C:\Windows\System\rviJBmM.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/3092-0-0x00007FF6FE9D0000-0x00007FF6FED24000-memory.dmp

memory/3092-1-0x00000187306B0000-0x00000187306C0000-memory.dmp

C:\Windows\System\neQcFhZ.exe

MD5 de9141aeb7c90d2e13d07da0fd62d805
SHA1 a39923eaab5fd672710f35d2986c676a56b70a7e
SHA256 ff882184643f58c9408112843a043585f5c65329cff6f651f5ff40e2c9546eda
SHA512 1fa4925b5b2e23babec2efe3f7b31caee2aa9769bd4753aef9849c815d371b240604c0a96c37cef7a754fdf85651618702629d596a2a274e0ef271a2eccc6ef6

memory/3400-8-0x00007FF70B6D0000-0x00007FF70BA24000-memory.dmp

C:\Windows\System\sbEqAkF.exe

MD5 3bf7c81a9a783b976c58b2c1002a96d7
SHA1 1ddc5ce4ff6a73464cf5d3de6e0429084f955725
SHA256 b3464f7fb8072fd35a3a2453550c7ec7244f4959751b5bc244d5977b2f8defee
SHA512 0bf079a85286cd3c1ea78376ef446d7bc0b315d690cf90984cf49da320f300249fcbb9ad037dd94658393dee23fe6eb675832261f1bae3503507efd50356709a

memory/5044-14-0x00007FF7FEAA0000-0x00007FF7FEDF4000-memory.dmp

C:\Windows\System\GhszTtc.exe

MD5 0767435a98d235abbb7d3ea6fbff7545
SHA1 40ad8f8f64f84f67102db288e0d85a8094c74954
SHA256 465445dc0fbd9b1f333f07e65d93c7b909a1f222c8dae119e92c65c647a26ce0
SHA512 785bf2cfe536251716d2b5e3d4765b99c24964cb1d88591f5ee40042bdf08721b65880b7c8876cfff7f0d54cbbc71326ac1e0fd8823c29a21fbd8bbbfde3ff28

C:\Windows\System\RpadWjF.exe

MD5 dba992b3ebed4d0211bcfddb13b48cec
SHA1 087b907c9b54d839bd386ce351f3b179f573c41f
SHA256 f9f2a56c15e9b97967c7212da604448fe46c0575728c8000fedd30e14e9d91e1
SHA512 53719650940eeb7375de5aa0bd099c9d8be19f08d4ee211bf9bb33b58b05c0cdccf56220ada5983b774677e0e84f23fda609d30096275f6fc1e25259ea6a98d0

memory/4124-21-0x00007FF6C9D70000-0x00007FF6CA0C4000-memory.dmp

memory/620-26-0x00007FF6A60B0000-0x00007FF6A6404000-memory.dmp

C:\Windows\System\EXrNPUH.exe

MD5 b2439c13507ad9c1044743c890160aa2
SHA1 65b9c3e15c133cb7fa73b3f0e81072ac11c1c900
SHA256 17771bec588e143a02a02963ae7bb149f821b29e0d08d452691efd6be3b2483e
SHA512 121a460d1456bffaefcb409747da6ec28ce8e21441a3ef6c53b9799d102ee3e88113bb48c55796d25c5069d5427f952e9b8400381e77ad7dbdba4cdb80cf754a

C:\Windows\System\EyFCwVN.exe

MD5 a05c0f5513051e9bebfe5b7701bd6c82
SHA1 02fa1d530e7637baf5c0d976d6933c19a1e3b850
SHA256 feaa03bbcf83c6520129b777e907b053bfc9a17339c95f4f8bbe4ac0af7fe307
SHA512 7745652331bf03dcba4933c0ab41a91dabf72335b767cd7aaa6323f98dd00ab00035c227a117c42e6a9332d9356412533d510701c230cb29013cc6575a2d33ba

memory/1992-32-0x00007FF676CB0000-0x00007FF677004000-memory.dmp

memory/1052-37-0x00007FF773380000-0x00007FF7736D4000-memory.dmp

C:\Windows\System\aUxYlIa.exe

MD5 b2a2aea60e31190bd38ec28677852545
SHA1 0dd8c430546603059fce9ca9973a4e5b49208b8e
SHA256 d05bf37ce1d756d87e63bb6c6eb05c284e4209923fb80047ef860223fb316c70
SHA512 97f91bc3aebddbba4dc2b40d327d220d4164b6862406967ba20e1939dba67c70fb86cbd764adf2af53b4ac09d3636c1cbbf4038cfa40d91058347dcea504b6c8

memory/2124-44-0x00007FF7D1AE0000-0x00007FF7D1E34000-memory.dmp

C:\Windows\System\xeEOHvm.exe

MD5 3fa3af31427933e0a49f62fe7d887811
SHA1 22334a44dc39f83b86e0329405daed35a2ed8b53
SHA256 8fc1ee820d8b8e915adbe1e990b1f6eb40da6b5991f27ad73877ef76cc1cb65a
SHA512 dda0ae5f92c07b66d86b31d268cdee457ba332afa0d5e305d61a9cb98de718d93fbb02c20036a02acf2e9c16d50b94a2a6fe0894d63e3df16c683c9dd9c70916

C:\Windows\System\gcKuoqh.exe

MD5 c2010f1403050ee6d161a53e5fc3fb05
SHA1 a143ea9d302f6682831db13bbcffc4a9929c00f8
SHA256 cdf1e4969dbb98965fa12c985341503740c0f08f042a4b62845344309b34e017
SHA512 230fbe0bf085ad1bcc1b919fe51ae449285246fbdf0fbccd0ff6f4756e4b92a03ae4df549b73f90adf2a9e3267b887a4da28cda9a0a22ce860d5f17959efd265

C:\Windows\System\zldolEO.exe

MD5 14114cd50a95d31b85b42cf12e8708d4
SHA1 45e1d3f1f5d896e919014bbc65b71b986186ac34
SHA256 3814e06753982e034266eeba9727681a4f7dd59d2361ce3bdc24b5a2dfabfe80
SHA512 16dffded411ffcc3af863b4491eed9d9b62e353428337ba7960834370e6f12d225924697d371ab5784cb85c12ba8ba996567fedc4866d4ae21c032bceb5dfae9

C:\Windows\System\QwzyLni.exe

MD5 0f8fb88407f1571387a83193e29b3613
SHA1 641923715a573cfd6df7438814e1be5c29de4c2e
SHA256 bdaace517afb1b0ec29907fb16b1aa0978581db2c6865f0939b59dc8b9879ad5
SHA512 2254875cd7dc2379bbf76e045335b04d27cb01760ffb64ac07480b1fabe2538e6aa8a3ca9b59fbcdf3a5b831f3292a60ce2f9cfaf835d48850f77a880f443bd8

C:\Windows\System\aSgduja.exe

MD5 777495f34695890be140146dc19b49a2
SHA1 f3c4aadac67c4333307830db7feb67d01627d006
SHA256 902bda784111a3aa8a802e743b4ebebe5dfcd5c0ebee952c77ad22283b21a6cc
SHA512 5547b569bcbda265885600b46b3f988cb6201c426cf967be79f0b002875d05f445c12cfe52e927aa76ac5931e48d4df420ae3a270d0cb6deb7b8b67bcb1e1340

memory/3868-81-0x00007FF754140000-0x00007FF754494000-memory.dmp

memory/4524-80-0x00007FF65C870000-0x00007FF65CBC4000-memory.dmp

memory/2180-77-0x00007FF732CA0000-0x00007FF732FF4000-memory.dmp

memory/3092-76-0x00007FF6FE9D0000-0x00007FF6FED24000-memory.dmp

memory/2884-75-0x00007FF7D1A50000-0x00007FF7D1DA4000-memory.dmp

C:\Windows\System\XbHHpWb.exe

MD5 ccff7e3ccfc028e6b77a946be770e27d
SHA1 d6ee6cc6dfeae3c4f519f28161f32c9a2b22c956
SHA256 bc7483d7a82ce7d00a06d24ce67e985c46d02e21a4395388f7ed45a243558c8e
SHA512 d5b377f45c9a381deae26d1005caba0a53514f76fd1e8b490982c3535bf24300c014c98bb2c612556fc6b7d643ba0265a545ffb7143cd52c63a320a5e07ea515

memory/4624-59-0x00007FF751BE0000-0x00007FF751F34000-memory.dmp

memory/4804-55-0x00007FF6669A0000-0x00007FF666CF4000-memory.dmp

C:\Windows\System\iIHoTeD.exe

MD5 81cf1f4fb587d625113f5b855ca827ec
SHA1 d7932b6d28df6b47ce562061a4c79b81ebf06193
SHA256 3f6df06acb7e3218bf1bed8deb36401d2bd2c21ce34536ebc997451a4396975e
SHA512 cbc54504363d7719138acd767c43e6ff00df038e1f65cf209f767c967eb5ac925bf6bf22e175bec2aa3e723ffaf76626873d70504f425fe1ab8e7c33f2c684ea

C:\Windows\System\yEJNdKP.exe

MD5 881253e03528deefdace57795e81e851
SHA1 87b3a8339f1dd92a46890dcc19cce407733b7c24
SHA256 64b03f7ad109a7d48b209ddfa1f2124621814d36ff9c3b4ad574cd45b7bfc86b
SHA512 cc934560ec086f5189c4695d636a20082ee8a74b557739f944208a00157ee13a3e7d9e6ffdedcbc2b50d7bc61bc32fbe7d848badb9f68bfd367711cd353698d4

memory/1240-105-0x00007FF60F420000-0x00007FF60F774000-memory.dmp

memory/4224-104-0x00007FF64C8E0000-0x00007FF64CC34000-memory.dmp

C:\Windows\System\NrmYKjC.exe

MD5 df628d41112e15fe14856e2a829d78f8
SHA1 eda9674e3e3997feba37b7974572d6b0cb6f7f83
SHA256 fb28f8fff7c3d88d6e6216887d537e3222a31c13a31c7b7f85c1b718f8bacbbb
SHA512 80b48fc60d2731595e0778088e2b2404ded3ae52b5ce371b5866112f7ef1e9967902f857737c6cc15d9ccf68c1d86bc439a854d274cc0653d15b4321f40983c0

C:\Windows\System\wNmqHsh.exe

MD5 de87307eacda07044aaf1c36aa8ba551
SHA1 d01cf78dd5c54b3f0a2b2b4106658a2550fabc95
SHA256 8d70de62f2eefb3a611a984d47e5c5ec8c4ee149060c1d8d11f5f139cebe34b2
SHA512 f76ec3bea43afc8933557a650137c79a269f627b20209874c4d82db43554cc247e9c4d864416f3a022e1a5d509626b6dd78878e97bf59a344707404a012012c2

memory/1904-96-0x00007FF71E290000-0x00007FF71E5E4000-memory.dmp

memory/5044-94-0x00007FF7FEAA0000-0x00007FF7FEDF4000-memory.dmp

memory/2976-88-0x00007FF74D730000-0x00007FF74DA84000-memory.dmp

memory/3400-87-0x00007FF70B6D0000-0x00007FF70BA24000-memory.dmp

C:\Windows\System\yhOzizr.exe

MD5 4ee9f1a45bc640b84ef5cc6a6eba1f7a
SHA1 b07d860a00c0f46167dae1d20432d55aa3cd33f1
SHA256 eaf7b3cd4e3b393d789c0a2f0857b9b1fc8fabd45f6385f359e1c4b93b329a63
SHA512 a18cb0c1c324be8ee814b14ae6c3842130a0d271130ccbe9a841c0817b7ee3533d141d88721426a1c46575a4730d583931c93c112679df6ca3cc92dada93319c

C:\Windows\System\cLOrxKa.exe

MD5 9b536f8e6b408fc5d8fd381b6dd6bbb6
SHA1 29175b2cb441f8f8d6d26df6ca9e8f8f6c0f2110
SHA256 8bd80903e1e1ecd7e570dd96d76827dd0b24aa60226b1e482c18ebef5e3ae408
SHA512 e5d3ffaa6d08367e7d91ad1b7584d19b45fdc453512e6a3e12a7f254f9b5a7a857a1364a75617fdb31b92d55c2c8ad9b5a634c3981ed02baed2291a3b7d13a03

memory/2576-118-0x00007FF644DF0000-0x00007FF645144000-memory.dmp

memory/1824-119-0x00007FF688350000-0x00007FF6886A4000-memory.dmp

C:\Windows\System\hvIddiX.exe

MD5 1603a50da2ac4e4184c3a5bd4ec26715
SHA1 426f063d7d41cf07cc1e98b299939d8832ee5ab0
SHA256 3e410edce4601f4158df4472852372b78c8503ad2c551fda8cc38935dc52a0ca
SHA512 6acdeac6158b8beba312076f45fcb3bec4d21823b500ecb243ca6e2caeaacedefebf04e5332bd20379814c5a399c7750763912ccf8e6ee533d1950c470e0a00f

C:\Windows\System\rviJBmM.exe

MD5 8e3a7a36267ab153f8ee547ba09cac20
SHA1 d44554d88a71d76899b949b7d565086179ea36d4
SHA256 c65f932da44e810a2cc04a1d9896abe8332c71d0b7d50b751e80a780efc376d6
SHA512 f6339413bf71ee8d2b73b40c74bf62360e729643b445d3fddecaecdeab2899de43f3d46d18e5c2506a9836099a5680e9a74c0cbe5f7757d7d8d4d613b9035174

memory/3500-129-0x00007FF6F0F20000-0x00007FF6F1274000-memory.dmp

memory/5088-130-0x00007FF75B110000-0x00007FF75B464000-memory.dmp

memory/1240-131-0x00007FF60F420000-0x00007FF60F774000-memory.dmp

memory/2576-132-0x00007FF644DF0000-0x00007FF645144000-memory.dmp

memory/3400-133-0x00007FF70B6D0000-0x00007FF70BA24000-memory.dmp

memory/5044-134-0x00007FF7FEAA0000-0x00007FF7FEDF4000-memory.dmp

memory/4124-135-0x00007FF6C9D70000-0x00007FF6CA0C4000-memory.dmp

memory/620-136-0x00007FF6A60B0000-0x00007FF6A6404000-memory.dmp

memory/1992-137-0x00007FF676CB0000-0x00007FF677004000-memory.dmp

memory/1052-138-0x00007FF773380000-0x00007FF7736D4000-memory.dmp

memory/2124-139-0x00007FF7D1AE0000-0x00007FF7D1E34000-memory.dmp

memory/4804-140-0x00007FF6669A0000-0x00007FF666CF4000-memory.dmp

memory/4624-141-0x00007FF751BE0000-0x00007FF751F34000-memory.dmp

memory/2180-142-0x00007FF732CA0000-0x00007FF732FF4000-memory.dmp

memory/4524-143-0x00007FF65C870000-0x00007FF65CBC4000-memory.dmp

memory/2884-144-0x00007FF7D1A50000-0x00007FF7D1DA4000-memory.dmp

memory/3868-145-0x00007FF754140000-0x00007FF754494000-memory.dmp

memory/2976-146-0x00007FF74D730000-0x00007FF74DA84000-memory.dmp

memory/1904-147-0x00007FF71E290000-0x00007FF71E5E4000-memory.dmp

memory/4224-148-0x00007FF64C8E0000-0x00007FF64CC34000-memory.dmp

memory/1240-149-0x00007FF60F420000-0x00007FF60F774000-memory.dmp

memory/2576-150-0x00007FF644DF0000-0x00007FF645144000-memory.dmp

memory/1824-151-0x00007FF688350000-0x00007FF6886A4000-memory.dmp

memory/3500-152-0x00007FF6F0F20000-0x00007FF6F1274000-memory.dmp

memory/5088-153-0x00007FF75B110000-0x00007FF75B464000-memory.dmp