Malware Analysis Report

2025-03-15 08:04

Sample ID 240813-n13w6swgmm
Target 2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat
SHA256 2b2b37fe4f08e1f66f92b43439ff953bd8649984bd03abfec5f015f9a56372e7
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1
    Detonation Overview
    Signatures

Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

2b2b37fe4f08e1f66f92b43439ff953bd8649984bd03abfec5f015f9a56372e7

Threat Level: Known bad

The file 2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Xmrig family

Cobalt Strike reflective loader

Cobaltstrike family

XMRig Miner payload

xmrig

Cobaltstrike

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-13 11:52

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 11:52

Reported

2024-08-13 11:55

Platform

win7-20240729-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\dxDyjSH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MTDUmYF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\negLpRC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gMTpWeH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZWSDSYj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pKllESA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SPaRWzM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zfkKZeq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cFJBxpv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YEoNTRJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DiHhCJc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SlymYIi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FrlcZig.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hcaGbrm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PuxTHjd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BPDJTBH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rjpMsfB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rFUhTtV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AqqYsYh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FqJlPyi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fMXMWmA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2012 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FrlcZig.exe
PID 2012 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rFUhTtV.exe
PID 2012 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hcaGbrm.exe
PID 2012 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YEoNTRJ.exe
PID 2012 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SPaRWzM.exe
PID 2012 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DiHhCJc.exe
PID 2012 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AqqYsYh.exe
PID 2012 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zfkKZeq.exe
PID 2012 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FqJlPyi.exe
PID 2012 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dxDyjSH.exe
PID 2012 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PuxTHjd.exe
PID 2012 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MTDUmYF.exe
PID 2012 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\negLpRC.exe
PID 2012 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BPDJTBH.exe
PID 2012 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gMTpWeH.exe
PID 2012 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZWSDSYj.exe
PID 2012 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pKllESA.exe
PID 2012 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rjpMsfB.exe
PID 2012 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cFJBxpv.exe
PID 2012 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SlymYIi.exe
PID 2012 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fMXMWmA.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\FrlcZig.exe

C:\Windows\System\FrlcZig.exe

C:\Windows\System\rFUhTtV.exe

C:\Windows\System\rFUhTtV.exe

C:\Windows\System\hcaGbrm.exe

C:\Windows\System\hcaGbrm.exe

C:\Windows\System\YEoNTRJ.exe

C:\Windows\System\YEoNTRJ.exe

C:\Windows\System\SPaRWzM.exe

C:\Windows\System\SPaRWzM.exe

C:\Windows\System\DiHhCJc.exe

C:\Windows\System\DiHhCJc.exe

C:\Windows\System\AqqYsYh.exe

C:\Windows\System\AqqYsYh.exe

C:\Windows\System\zfkKZeq.exe

C:\Windows\System\zfkKZeq.exe

C:\Windows\System\FqJlPyi.exe

C:\Windows\System\FqJlPyi.exe

C:\Windows\System\dxDyjSH.exe

C:\Windows\System\dxDyjSH.exe

C:\Windows\System\PuxTHjd.exe

C:\Windows\System\PuxTHjd.exe

C:\Windows\System\MTDUmYF.exe

C:\Windows\System\MTDUmYF.exe

C:\Windows\System\negLpRC.exe

C:\Windows\System\negLpRC.exe

C:\Windows\System\BPDJTBH.exe

C:\Windows\System\BPDJTBH.exe

C:\Windows\System\gMTpWeH.exe

C:\Windows\System\gMTpWeH.exe

C:\Windows\System\ZWSDSYj.exe

C:\Windows\System\ZWSDSYj.exe

C:\Windows\System\pKllESA.exe

C:\Windows\System\pKllESA.exe

C:\Windows\System\rjpMsfB.exe

C:\Windows\System\rjpMsfB.exe

C:\Windows\System\cFJBxpv.exe

C:\Windows\System\cFJBxpv.exe

C:\Windows\System\SlymYIi.exe

C:\Windows\System\SlymYIi.exe

C:\Windows\System\fMXMWmA.exe

C:\Windows\System\fMXMWmA.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/2012-1-0x0000000000100000-0x0000000000110000-memory.dmp

memory/2012-0-0x000000013F320000-0x000000013F671000-memory.dmp

\Windows\system\FrlcZig.exe

MD5 70566d1c9b5f53b37d5ddbef32445fb2
SHA1 82c46d7a74cb3d72c1df8f2bba6ef9deb00decb5
SHA256 ca3e79e10e9c676dbbac7d3b1aabdbb46db8eac68c022a474ece13444792b9b6
SHA512 9b8471fa59f32d985237014c337f2fee4584e91358f2d9f5f53339d76a0c2c58df1d121e5be9cd1a76581bd820ab09b59cfcba9614971b055a664c4d40ea22fc

memory/2012-8-0x000000013F7E0000-0x000000013FB31000-memory.dmp

memory/1404-9-0x000000013F7E0000-0x000000013FB31000-memory.dmp

C:\Windows\system\rFUhTtV.exe

MD5 f099b082dd82db29ada53922f75b2a0f
SHA1 c6b65fe494929637ecc69342be96e9e408e74713
SHA256 96c1fc1830b27ae96b8538c39737058aca7977ab4c3a870cf69eefd74fba5eda
SHA512 f0400db71840c038b0057cb139ebda29fabfddf8321f8979851b50986ac560b20ff689626525a69b32a3a5e61fa06e1c1dc08e60d1319d3250dcad54b862df98

memory/2012-14-0x000000013F8C0000-0x000000013FC11000-memory.dmp

memory/2140-16-0x000000013F8C0000-0x000000013FC11000-memory.dmp

C:\Windows\system\hcaGbrm.exe

MD5 30ea3a087c8c982a3dc47178d0ad6a6a
SHA1 f5a52fd164a285e0cd800a14a0c99adaaeed3194
SHA256 44bc5355f1f0cd5c1c715b8f3c1c0d2bf89bf1488d38878c368cf8fd0d47629b
SHA512 1afe0f2d8816ca57af2b07f120868724e94529851294730922a841aa96efdad1ae9198d37acfa3b4518a5207c571907b30ebd88a44602201bd36c375df9d1e9f

memory/2716-23-0x000000013F130000-0x000000013F481000-memory.dmp

memory/2012-21-0x00000000022E0000-0x0000000002631000-memory.dmp

C:\Windows\system\YEoNTRJ.exe

MD5 39a508fe12b7aa31ebed8a1a68118e05
SHA1 14919890ad3979209cb62983c6617f3ec0af10c2
SHA256 cb7b46b7134a26f8a9ca905bd34dd54fa99a1541bcaacc8c90e17543f4afbe21
SHA512 0d6f31a95df567326d9ae2670f6365bfcb681d848989bf44a749f9904654688937d86c5c34482a3263941c2cc7254da1efdd0d87289b8f5d7aa73d21f81f1020

\Windows\system\SPaRWzM.exe

MD5 fd14b8ed43592fdf99104fb994efa457
SHA1 478b946f9cda9c59ce346536c39d6f13320619ec
SHA256 47b7506ece756a67a066ee2e31ca79bbd0c4cc639d6c930771819a4d359a15a1
SHA512 ce00e31b680fddb4252668128099013a8d3cd44a0fdade0813f68d2c5dc3341402dcb7cbb641ad17e742717a4f91ef74414556e3f7d0b6c8f7efea69dc486a4a

memory/2012-31-0x00000000022E0000-0x0000000002631000-memory.dmp

memory/2800-29-0x000000013F760000-0x000000013FAB1000-memory.dmp

memory/2012-28-0x000000013F760000-0x000000013FAB1000-memory.dmp

\Windows\system\DiHhCJc.exe

MD5 a6cd48026ad6a9f8f8cca95411c13abc
SHA1 f80d2425631d4888f2ad2f2b3e480b9fe578addf
SHA256 5a53bda370ff3f2c08666ab6619f568fab5d64055fd950dd1bd69ee0394ca019
SHA512 d0744baa149cbb1e302b9dea5ac4efb3eb3d30934ed6a1f01b2cc4b22855012b29d6002f65dd29dade31f0e4d529d4b4cc88c2183a64a9192ff9856284e717cd

\Windows\system\AqqYsYh.exe

MD5 4dec9a236c0a1afb905625a6257aff9c
SHA1 3483577b04bd60b4abc8b057dfa63470e3383902
SHA256 a44daaf71d1947603a32f82778f0ac0898b3aecafbf27618f2801fb6c4c1dccb
SHA512 78c44f345dc10a013dd8f03228270719914c7fd7d8c9819cde671e634265fb3d364495904320df3477845533c76188eded1dc16d65a1cc5bf68c07c46ec8a574

C:\Windows\system\zfkKZeq.exe

MD5 23f22f9993df2c72ab4a3cc78347fce8
SHA1 b435b9d5ce58a3622017bf7f58bafd6b7df2c347
SHA256 a7ea7513f97241383264778c7639e2cacb843494a07431e268ccb58d378fd65f
SHA512 2f241bd70b76878a3f5092a2638a27fd69b8cb07e4c95bab6145d563c9929a0090f15e5cb0981e42ed5c4fea0f38de532e1dbb7b261f11e66bf97d696775a270

memory/2744-63-0x000000013FC10000-0x000000013FF61000-memory.dmp

memory/2600-64-0x000000013F3B0000-0x000000013F701000-memory.dmp

C:\Windows\system\dxDyjSH.exe

MD5 55da92ad849aac3f1d4fe998e033617c
SHA1 193a68f28202fb2ef7cd7791bda4db117e114ee8
SHA256 9f96467e5060d3101335dc11ad5a9426067384af1eb4dfd87054333f787b1378
SHA512 3286811767b353e9578e3d81f1aeaec90ff15a26317329971aa9631c96934f261fe6856b024dace5f7044d436f3c19449115a542dc62c4d81d7041c9e767b68d

memory/2012-77-0x000000013F320000-0x000000013F671000-memory.dmp

memory/1604-78-0x000000013FA00000-0x000000013FD51000-memory.dmp

\Windows\system\MTDUmYF.exe

MD5 b9c908f33d2bceb0f705297f9c27b430
SHA1 81d2509e5f6bd8d459008a2a1fa7142f5b287c9e
SHA256 601465db9f1e63a23b69e26031a4e4e068f3f80e8587c3e4d7ac8e3d87730abc
SHA512 091a8c83669c309d92f30d5ad32b65751bbb6aa7665991bc86e6e884f7ed3949516cff6167113de330d502b96ce9ec9efab3abb91b813710e0698bf7ec086ddc

C:\Windows\system\PuxTHjd.exe

MD5 4d5fb8eb3347eb710349c799691e45b1
SHA1 75b67e0db2272afce87a2eff15319669b7d024f5
SHA256 7762adc24a281cb123b80242b18b61472a673f1dfb11ea85fea158965a134a10
SHA512 6bcec92f32dca4dbce15958752b1c46fda4b8f321f0349cf5beaf24853a8a7243dcaa1a5fbfea0e263055014a8c44aefbe8987b2f9202e2de8401f481a6a6429

memory/1016-70-0x000000013FC30000-0x000000013FF81000-memory.dmp

memory/2012-69-0x000000013FC30000-0x000000013FF81000-memory.dmp

memory/2012-61-0x00000000022E0000-0x0000000002631000-memory.dmp

memory/2012-60-0x000000013FC10000-0x000000013FF61000-memory.dmp

memory/2608-58-0x000000013FBB0000-0x000000013FF01000-memory.dmp

memory/2012-57-0x000000013FBB0000-0x000000013FF01000-memory.dmp

memory/2944-56-0x000000013F970000-0x000000013FCC1000-memory.dmp

\Windows\system\FqJlPyi.exe

MD5 9e2981adc3cd94521f0782def6e3e7ce
SHA1 f8f2abda06afc676bd27a1d0c3bf142637082888
SHA256 5e793bf6760dc4ebcfa498181a797dbd944911a98f47f93771a59b7b024b6375
SHA512 fef3e1fbf40b11e5fbbc179875e87f2358d2b68d8b200559e80cda9551ac4b28fb0740dbee92272b39cf62fc36c2f9bea51279cd634a34b3bb10371ebe1535d0

memory/3012-36-0x000000013F2E0000-0x000000013F631000-memory.dmp

memory/2140-82-0x000000013F8C0000-0x000000013FC11000-memory.dmp

memory/2716-94-0x000000013F130000-0x000000013F481000-memory.dmp

memory/2800-91-0x000000013F760000-0x000000013FAB1000-memory.dmp

C:\Windows\system\negLpRC.exe

MD5 63c092ed3874a52655364e6d75661896
SHA1 a30090056ee0bd6aa432e2d8a29d44d1cd7eea03
SHA256 b04e311d329e00209c8bb6c38a93cc22c71ea22e0797385b7565eb263a3cb763
SHA512 28ff3d3d99f6bcee627b96330955d32cbfc9c01bee858cbad33b80981fbd0eeb49fab3d669ab8c628f000f6057dd8d02e1575aeb5bda906cbf41176aceb2a7ec

\Windows\system\BPDJTBH.exe

MD5 2402688db30d31a3c56188135691ad78
SHA1 ceac992ba6457591a1bcbe7d491ebc305cee91ce
SHA256 c219f684525391da6b627a71cb4e712f038dd8c4c4ed2473c69e556366aef495
SHA512 f6b1865d0cba9b20c8e5da6d9b0eaa06a5bc7501fc2a1ee8cabdbfe80dd06d52c2fefb9e6e2bfb25f72bc7c718736480883c95c5f988260de2c9d08c0f23e584

memory/1280-97-0x000000013F670000-0x000000013F9C1000-memory.dmp

memory/2136-101-0x000000013FB20000-0x000000013FE71000-memory.dmp

memory/2012-103-0x00000000022E0000-0x0000000002631000-memory.dmp

\Windows\system\gMTpWeH.exe

MD5 051981c482c1dd9f3a2e51511f5a3115
SHA1 ea1e9394585b9b2196465812c275b661960908df
SHA256 3f8bf0315bbc7ec9537ea44a65863ea970c84331cc0d17de659d7130089db6e0
SHA512 ac460e0dcf5fd8105ca3dac02b636355217c3d999f4976bc27ec73d04c95e0ab64f6d39358eb54e618ff91e4869a651477914238ed18f09e65f189f9b2632fba

memory/1968-100-0x000000013F4E0000-0x000000013F831000-memory.dmp

memory/2012-98-0x000000013FB20000-0x000000013FE71000-memory.dmp

memory/2012-95-0x00000000022E0000-0x0000000002631000-memory.dmp

\Windows\system\ZWSDSYj.exe

MD5 216fb34e5b47b366fe3391e4221a833f
SHA1 d63c69fe1e8fcf06dde5bdb96231ac9b8501d2fc
SHA256 f860af7ef4e7a8a2974e48ca3df82a2485ba465392a5f0f46f11ea2d646cc14e
SHA512 217702f7d989cf9974091c6c3d561ea1323e353b0a17fb92f2a1f5929c4607d9bc6f1b5e26273072fe49af3755b9e05e512aef3597f1c0c1a7ec4dfde82858c1

C:\Windows\system\pKllESA.exe

MD5 a95943fb167eddd75e5de976a6818cef
SHA1 fd889370cfe40d4217ffa5da7251fba92e8618ee
SHA256 d5d63f3156e97669e616677cef7ebb9f3389ba336452b3d761108ac1843eaaf6
SHA512 1f3a9a5cc17fbebd5f30206722264c1b117a9d21d7a0bbc14df7453fc906231eacb79761199a158cdce502a82cb36bf4766b4303f4b237365f6846cc71a022dc

C:\Windows\system\cFJBxpv.exe

MD5 ca9cda74ed3cddd211e1c05a322d4730
SHA1 e549ce158ddb94421551e8bd612af32e7d6986e8
SHA256 9d2ec7bf2cebe0e5259a5056a7ff4f2883f0629abc32e4d248787ef4fd1138a9
SHA512 92814e875f3599888f2de0e487b04f3f0f79cb912fe5b537fb7c3a92158d2770f30f0ec1d120e1dc426e241b16d26225f899af01b5ecbfe7572e7e678e1d352a

C:\Windows\system\fMXMWmA.exe

MD5 12b8cb80f5eedfbce2fad815f0fd88c0
SHA1 c2b5846446be02c8b81f44df3a527bc1cb916958
SHA256 759ee949a011a2ade15c164d23386516a26fe07bfc9e28a02b749af3947bf6ef
SHA512 ea9c9e55c007f65c5acd46c9c1aa37bbaebf585d1e1628bcee6a935ac6df0c240c0d759573c657c74f5985c6910eace08084cdfdf6aa99443f0bef6e025f0910

C:\Windows\system\SlymYIi.exe

MD5 f4e1315b960aa1984f0d2a0b85a36c16
SHA1 1d11553a287db209b62194af52d22f84887e7fee
SHA256 bdef4ba8c2fc00fa9e1417214ba89e590446372a08871d0cdc55c94c89b5b412
SHA512 760363a6491221a71731ba94f9db24479c95bfdf78cb4debe6ccc8dfa02079afaa4a683f038c3cf55ac84b516ccd71fca71cd5adfe5d6d30501b03f8eb2d93d4

C:\Windows\system\rjpMsfB.exe

MD5 c1d055bc866eb218fd3daf5972d9fcbd
SHA1 7464a329676c2d60b7d4f0d0e4fde27ee5901728
SHA256 bfe1e18e9760e3ee51127e810964c0f7822b9f0c62ef7018cf4297f05667590e
SHA512 4d7ae0ed5b0fe4e537a0d578b7944a5fc63513e5532a76b2733b4d3c66f0d3c3ed583819e4a5bbf26b2f19582234c31e7427d43dc002912db5ad9fbd3a081da5

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 11:52

Reported

2024-08-13 11:55

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\qFfbWpR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JcFIkJY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EwNpWcK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IMBtsBp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FAlVQqo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HSJAvQk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lFdsueY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GLyUanf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SmWGWhL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dVInZgV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VmJNoHU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GERYotu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qqXMrgP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KTnIkOi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MtzKSHn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iuHHZIe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hVgQUNe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pgUGsek.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\umEXRWo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fsEmStr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ogUMADG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4804 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JcFIkJY.exe
PID 4804 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JcFIkJY.exe
PID 4804 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EwNpWcK.exe
PID 4804 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EwNpWcK.exe
PID 4804 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IMBtsBp.exe
PID 4804 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IMBtsBp.exe
PID 4804 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GERYotu.exe
PID 4804 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GERYotu.exe
PID 4804 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qqXMrgP.exe
PID 4804 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qqXMrgP.exe
PID 4804 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FAlVQqo.exe
PID 4804 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FAlVQqo.exe
PID 4804 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KTnIkOi.exe
PID 4804 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KTnIkOi.exe
PID 4804 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SmWGWhL.exe
PID 4804 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SmWGWhL.exe
PID 4804 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HSJAvQk.exe
PID 4804 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HSJAvQk.exe
PID 4804 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pgUGsek.exe
PID 4804 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pgUGsek.exe
PID 4804 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lFdsueY.exe
PID 4804 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lFdsueY.exe
PID 4804 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MtzKSHn.exe
PID 4804 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MtzKSHn.exe
PID 4804 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\umEXRWo.exe
PID 4804 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\umEXRWo.exe
PID 4804 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dVInZgV.exe
PID 4804 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dVInZgV.exe
PID 4804 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fsEmStr.exe
PID 4804 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fsEmStr.exe
PID 4804 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iuHHZIe.exe
PID 4804 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iuHHZIe.exe
PID 4804 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GLyUanf.exe
PID 4804 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GLyUanf.exe
PID 4804 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ogUMADG.exe
PID 4804 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ogUMADG.exe
PID 4804 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VmJNoHU.exe
PID 4804 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VmJNoHU.exe
PID 4804 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hVgQUNe.exe
PID 4804 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hVgQUNe.exe
PID 4804 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qFfbWpR.exe
PID 4804 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qFfbWpR.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\JcFIkJY.exe

C:\Windows\System\JcFIkJY.exe

C:\Windows\System\EwNpWcK.exe

C:\Windows\System\EwNpWcK.exe

C:\Windows\System\IMBtsBp.exe

C:\Windows\System\IMBtsBp.exe

C:\Windows\System\GERYotu.exe

C:\Windows\System\GERYotu.exe

C:\Windows\System\qqXMrgP.exe

C:\Windows\System\qqXMrgP.exe

C:\Windows\System\FAlVQqo.exe

C:\Windows\System\FAlVQqo.exe

C:\Windows\System\KTnIkOi.exe

C:\Windows\System\KTnIkOi.exe

C:\Windows\System\SmWGWhL.exe

C:\Windows\System\SmWGWhL.exe

C:\Windows\System\HSJAvQk.exe

C:\Windows\System\HSJAvQk.exe

C:\Windows\System\pgUGsek.exe

C:\Windows\System\pgUGsek.exe

C:\Windows\System\lFdsueY.exe

C:\Windows\System\lFdsueY.exe

C:\Windows\System\MtzKSHn.exe

C:\Windows\System\MtzKSHn.exe

C:\Windows\System\umEXRWo.exe

C:\Windows\System\umEXRWo.exe

C:\Windows\System\dVInZgV.exe

C:\Windows\System\dVInZgV.exe

C:\Windows\System\fsEmStr.exe

C:\Windows\System\fsEmStr.exe

C:\Windows\System\iuHHZIe.exe

C:\Windows\System\iuHHZIe.exe

C:\Windows\System\GLyUanf.exe

C:\Windows\System\GLyUanf.exe

C:\Windows\System\ogUMADG.exe

C:\Windows\System\ogUMADG.exe

C:\Windows\System\VmJNoHU.exe

C:\Windows\System\VmJNoHU.exe

C:\Windows\System\hVgQUNe.exe

C:\Windows\System\hVgQUNe.exe

C:\Windows\System\qFfbWpR.exe

C:\Windows\System\qFfbWpR.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 83.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/4804-0-0x00007FF724310000-0x00007FF724661000-memory.dmp

memory/4804-1-0x0000017850A50000-0x0000017850A60000-memory.dmp

C:\Windows\System\JcFIkJY.exe

MD5 00eb0704e235dbb1c88684ad0b768e21
SHA1 83296e8ba83255b631d611d2e0c835c56bbf4da9
SHA256 5a1c3609e33edcb217cebc9f98ceb67ea526a5deae65ba727d45a38221566c72
SHA512 d0f582e3e712acba685b2b5906d1c29a685745f4821058732a3f6d2e3243b2c720846d4e5142912de00f1863bd662da0009ba0ff94d0e7883438c77bcfce5c32

C:\Windows\System\EwNpWcK.exe

MD5 937e967edc3f1f19bc478c17ca3c174c
SHA1 8045d352cffe49ddc0dbdbb217eeee746caebc8f
SHA256 20e2789a6df932f4d2292afc3ca39b01a59092cac029152a73f054fad58cef18
SHA512 2a08144e6b0dbea6568725cdafc1b45192b529e983bd77acde35ae37cf2a917c484dfa4932b197eb2bb25c27f656d543ca1262b61cefaf9d77ce5aac3a7ee8be

memory/2256-13-0x00007FF6DF650000-0x00007FF6DF9A1000-memory.dmp

C:\Windows\System\IMBtsBp.exe

MD5 088e5ed643badaf5759fd2c2d7992a38
SHA1 9f45dc7c6c0694c4361db7ad35974ea56d719adf
SHA256 3a37480a81d7448dd54ee8f67c600edf882a0d9b751af88a31f818c9f28e46f8
SHA512 5cc397266201ae3bea83bb734124c594c9755c9b9112c7a4ece3954b5d3b145f2d858676a0f4716e7da461fc5141be67b8c418428ece16329f130f315e9bc74e

C:\Windows\System\GERYotu.exe

MD5 129a2570bdecd0d23cee10f401572622
SHA1 43bf489ecfc371f06d7b47727edf35f2057f8975
SHA256 de44c222e03aa411997cff4581840a18d6e92fdc31d08d6f9d74275a3b6ea4ce
SHA512 021dd2260f784b8251eea2981e643c6f7c4da691341717731bb11702cba1f6f6d52930bde84d71e584bf4a69241f23bae783791715ca6467e5a31ced4a1f74d9

C:\Windows\System\qqXMrgP.exe

MD5 275d77479b33a406c9b784f37221617e
SHA1 5de5d14f060c46d2312e1343f7378a524bfc939e
SHA256 69da0170f0d4a3bdf5b1e98794ba69c503b24e2defc7de5ffe7954ded65a53bc
SHA512 595851a3ab374c73cc8079fda7166d2372f4efd9b8c5589ef0827fc25036f1757fb22bba61ad1a65554a9e67b37f61c3fd6590bcc340f24fcffe3793a2aa6537

memory/5000-44-0x00007FF681CE0000-0x00007FF682031000-memory.dmp

C:\Windows\System\SmWGWhL.exe

MD5 ad44026df132e084eb57933d11b587c5
SHA1 539f036e6c2f773aa3ebe936c70fd12880cf6d62
SHA256 4b9f6eb446e32cd6dd6ac526985e3106427e68a9b269edc1db1e49c52b10d103
SHA512 ffb705394fed5a8d2b8451516d0253fce88691084f6d28a6130be2200b4717ae15e32b2b146cbfba5428885ed8919dd635c1950cfaadf97e7c41e8c262f90931

C:\Windows\System\HSJAvQk.exe

MD5 0ad1f9b24ab5d9358b859ed8f25646e4
SHA1 75120392eed343210493711ab8024f0e432024a2
SHA256 30734776d87282805e42e43d39020872fde0de78d3b579957ec81eaaa75b76b1
SHA512 9dcb32345d88ca46b584d584603af351d545afe8a6b81be949a4076e5bf32639220e018a579d59ad840228449d5b22e2add885ad04bac81e48dd23715a80c91d

C:\Windows\System\KTnIkOi.exe

MD5 b7772be43632ec2d2dfc25f2715bfe6e
SHA1 2f8b41bdf3131bdb7eb5716bd9f4f5508dac882f
SHA256 769fa8dbd80e6d337bfd0bc43a5e7115178871c996c241cf24c36a48f7c60ce5
SHA512 db41d53a1c14f21a54075f7b840ef0261922dbf8cd538510acf875d6ed843a1531f10408a5989bec1de90952e96c71f61e473bace83019e85b1ff25ecd10c625

C:\Windows\System\lFdsueY.exe

MD5 b1f1ea069bcc0c9a1656c0525937cfcd
SHA1 ed4be8313dffdf17610d783cb67815aff0479de8
SHA256 865a8bb19d248f8a5d64f19c4496c93f01afeca0b5aa75b731b47cf715919646
SHA512 711e4381100ba728af89745cc2cf0c52e293c582f43f70445c8ea201a14a502fb39a2f900dfe898382608e5afe9bc805613f6c8dc960afcaf6a65ebbc29e5644

C:\Windows\System\pgUGsek.exe

MD5 2b57ad36978af623bb32848ee3a6e9f9
SHA1 64a59b27c322b9fb6a6ec37e5d7e10e0361197a4
SHA256 775d17c1440046053e4020c99526770712a2280045a053ee5763fb7a7809e8d3
SHA512 190ef9425bb68be138e34c276a57124548706450ca1dd2193f69d6cd4c75cf97aaff21849befe42647b942993add8184f3731bb5c03827da337bf960681efadc

memory/3284-60-0x00007FF67E100000-0x00007FF67E451000-memory.dmp

memory/5056-54-0x00007FF6CE170000-0x00007FF6CE4C1000-memory.dmp

memory/1076-46-0x00007FF6AE2E0000-0x00007FF6AE631000-memory.dmp

memory/936-45-0x00007FF7BC360000-0x00007FF7BC6B1000-memory.dmp

memory/464-39-0x00007FF78A6A0000-0x00007FF78A9F1000-memory.dmp

C:\Windows\System\FAlVQqo.exe

MD5 1d782fdb6eddaf88f9c544c7ad2c2208
SHA1 6159992bd0b057f386cffe7225382042a1f29da1
SHA256 d3dd859e8bdf2cbb807fb8f47f905b7cd56468742b76c5981ed8f7188d4d2971
SHA512 ffd52f557f4df0854278f2b1aec8be76e0049754fb63906650af0c5075a13267a3a8d3b086aacc697dffe2235f2e899b938035d959f684317f9aec69b6a6f80a

memory/552-30-0x00007FF600690000-0x00007FF6009E1000-memory.dmp

memory/1412-20-0x00007FF61C9A0000-0x00007FF61CCF1000-memory.dmp

memory/4008-19-0x00007FF6E63D0000-0x00007FF6E6721000-memory.dmp

memory/3712-68-0x00007FF7646A0000-0x00007FF7649F1000-memory.dmp

C:\Windows\System\MtzKSHn.exe

MD5 dc070a8a15a0bca992d6dfb9ae3ed86b
SHA1 049f02a0cc856036ff2613cb14c806cb7f5a93a0
SHA256 bba07ede3ec898b9de8e4904b38936d2a5238ce826e4989a7f06beadc1ac6052
SHA512 edce6c894b9bf6bd9bb45b3837c4709340a6b82080c774d8a669174cfbd03b2dc397768b6aa036c395e388ab1690637f2447394d791cd4970de5374875932149

memory/4804-73-0x00007FF724310000-0x00007FF724661000-memory.dmp

C:\Windows\System\umEXRWo.exe

MD5 63d8365938e257f1e50f50c734eeba6e
SHA1 a01e3f8e008bb9775ad166f01b367ef3240d88db
SHA256 1e5495e77114e32746eecfd905d2bf78da4c97d12c04ac2ff125c3bbab584305
SHA512 d05fa725115fe2085294de92d1ee62880ebcee25509d9445d62f02c909a3f4677fd1d6732c41371adcece91b9f2d4beaace628d3852d157c830463d7d3a17a58

C:\Windows\System\dVInZgV.exe

MD5 60a788fa5498e109b2fd3b1e443e3458
SHA1 2b7f46959042f32fc69529fbb1f7cdb727900af5
SHA256 77fc0680aff40979322c48359b444c976419ef6f2be55e3b400191dba3dd622d
SHA512 bd9354c529509001351600daaa89779d3fc4de960f7af693408bf546c6fb34950331bb1f3356649966277e4ae3034b077baf04d6f6d0459b6f59b5fcf583fb0f

C:\Windows\System\fsEmStr.exe

MD5 188044b45797bf681408639d90de6697
SHA1 77bdb60614709de730b2c71cfa20665db7727aaa
SHA256 ef5aa4acd7cfcdd9afabbe96254a4380df3a9e25f45fa65f8b2ed66d4effe5d1
SHA512 d68274e9eba5f989517730322fdb608aaca37f9b386f6a352a0883a401255d63d6ecb13b1aabe4e7490cbe6adfd021854afd9271dd671ed695ad1facacb23ea1

memory/5036-90-0x00007FF7C8C40000-0x00007FF7C8F91000-memory.dmp

C:\Windows\System\iuHHZIe.exe

MD5 8b09f378364610e0a668621aaf44895f
SHA1 18fcab6301d894306021e3fb8d94dbfa9a81a91c
SHA256 73169f3af567153f7714a0a0fb02ca6b6ef9574cc22e4e498080704e32d5734a
SHA512 acd21be82e41831ab488eb80c297b20b2528cc96c3dee690a43acf3b5e58fe593d2f272963a655c79c8015a67f6c37b4517d8b8882b281d75e447f1ad8ca7648

C:\Windows\System\VmJNoHU.exe

MD5 3eab51e29cb7f1879b4d8ccf1d074d6c
SHA1 b94756e9d3a2d82a1db1ee90e9431fdb21bc8705
SHA256 1d0ba2546cb273596758997dc5952f434e0743eec19f3eb882ae0be59e4a98a8
SHA512 549f9386e3e6aff6c2a98f34011ed6fa80e77d725a75b4d6593950d664c0971faf4504f193eb2559e807d1e9200247dc8895ebe8e9ee38fedf3a25777a617011

C:\Windows\System\qFfbWpR.exe

MD5 f4b0aa068edbeb6faefd1d810a32e770
SHA1 9e58a57b2f5dce2a6c18b4d236b7fa48e386bade
SHA256 f9b21c3c148c731d4c1fa9335552ae5d710300e9780a702afd114bdff4952b46
SHA512 bc85c2de8665e071279b4dc74f40a3d11c1f3c7ef6be6a9a21d4c52f6c0e362f1e8ce0a48607449b9e469d16dc5a346fc533eb511aa2230f5ac3d1a638b86de1

C:\Windows\System\hVgQUNe.exe

MD5 bbad2f7a3350055ddde5f106420aa153
SHA1 869f5b8dd660b0876e2ac7c5c54248f300b29230
SHA256 13713216c32aa60c2c00ec645c5fbbe72665e03dfddf95d535aafee5e90ca122
SHA512 085018a4659ef2dcaa268b93fcd545526080c394d68a8353bc711ce99fadcf856a684dd5966e066501b2e1caa1778473bdb703d0cd0109988f4ef2f213f265eb

memory/3576-118-0x00007FF75CA30000-0x00007FF75CD81000-memory.dmp

memory/4856-115-0x00007FF7E1AC0000-0x00007FF7E1E11000-memory.dmp

memory/844-114-0x00007FF661130000-0x00007FF661481000-memory.dmp

C:\Windows\System\ogUMADG.exe

MD5 8e2767cfb9742b86bb3032311d2a0398
SHA1 a0cce5df80fefe66a3322799ee4c3c1c931f859e
SHA256 cac5f3fca28164b215e7e5042d7e1d8a0ad114fa78de4745d0a1e8dab20a8a4f
SHA512 5444c26caea28c9c078760e616d2836b20c89ba21737e1217670d6ee6f3f0bca86b97a7ccaa4745cac700fe962ce151ad918e9114392d4b7ca32740b5209bbf6

C:\Windows\System\GLyUanf.exe

MD5 b225aba1c864e7c391ec5ee098a0db97
SHA1 0393fa26ee2e8cfd8958c5ed457e9b55ad0d9d69
SHA256 01bacaa91632582ab104836a3148bc022d70394018c19ac9d5f78e7bc5ddf686
SHA512 29bec3ebc620d2e61fd8013a1e74eb1b1188b715d33ca9e33ec0001048aa72b88cb2ed3e422e5cb2f1c8700387f9f497cec1ad05a5bbeb92e90acc8b563c2b1a
