Malware Analysis Report

2025-03-15 08:01

Sample ID 240813-n1nggswgkn
Target 2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat
SHA256 d20a561983c4c7ab6b25e5f043686600ab197b2cc9082b6516940b1ca9acea31
Tags
upx miner cobaltstrike xmrig backdoor trojan
Score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

d20a561983c4c7ab6b25e5f043686600ab197b2cc9082b6516940b1ca9acea31

Threat Level: Known bad

The file 2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx miner cobaltstrike xmrig backdoor trojan

xmrig

Cobaltstrike

Cobalt Strike reflective loader

Cobaltstrike family

XMRig Miner payload

Xmrig family

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-13 11:51

Signatures

Cobalt Strike reflective loader

1 hit; no description, indicator, process or target recorded

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
1 hit; no description, indicator, process or target recorded

Xmrig family

xmrig

UPX packed file

upx
1 hit; no description, indicator, process or target recorded

Unsigned PE

2 hits; no description, indicator, process or target recorded

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 11:51

Reported

2024-08-13 11:54

Platform

win7-20240729-en

Max time kernel

141s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

21 hits; no description, indicator, process or target recorded for any of them

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
40 hits; no description, indicator, process or target recorded for any of them

Loads dropped DLL

21 events, every one attributed to process C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe; no description, indicator or target (loaded module path) recorded

UPX packed file

upx
64 hits; no description, indicator, process or target recorded for any of them

Drops file in Windows directory

All 21 rows are "File created" events with the same process, C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe, and no target process recorded. Files created, in the order reported (all in C:\Windows\System, not System32, each with a seven-letter mixed-case name):

C:\Windows\System\nhsdoPz.exe
C:\Windows\System\UWWtRzU.exe
C:\Windows\System\DBYQJUd.exe
C:\Windows\System\ZwhGzav.exe
C:\Windows\System\VuyyHRY.exe
C:\Windows\System\NJwckaq.exe
C:\Windows\System\jDQJEmd.exe
C:\Windows\System\Mvvdmxl.exe
C:\Windows\System\PEWrAVu.exe
C:\Windows\System\PQvLBXQ.exe
C:\Windows\System\qvFhcZm.exe
C:\Windows\System\nCKcKvQ.exe
C:\Windows\System\wSsTCqk.exe
C:\Windows\System\oNnkLuE.exe
C:\Windows\System\JGliWmB.exe
C:\Windows\System\vzvRUDJ.exe
C:\Windows\System\heHiCmu.exe
C:\Windows\System\THnYrzq.exe
C:\Windows\System\edtwlSA.exe
C:\Windows\System\FCCzUJZ.exe
C:\Windows\System\yKaAMEY.exe

Suspicious use of WriteProcessMemory

Every row has the same source, C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe (PID 1724), and no indicator; the sandbox logged three writes into each child, so the 63 rows reduce to the 21 parent-to-child pairs below. Three writes by a parent into a child it has just created are what CreateProcess itself produces on this platform (the parent populates the new process's startup parameters before its first thread runs), so this signature on its own is weak evidence of injection; what matters here is that every target is one of the 21 executables the sample wrote into C:\Windows\System moments earlier.

Child PID  Target
1004  C:\Windows\System\VuyyHRY.exe
2572  C:\Windows\System\JGliWmB.exe
1284  C:\Windows\System\vzvRUDJ.exe
1632  C:\Windows\System\NJwckaq.exe
2444  C:\Windows\System\FCCzUJZ.exe
2768  C:\Windows\System\nhsdoPz.exe
2840  C:\Windows\System\PQvLBXQ.exe
1060  C:\Windows\System\yKaAMEY.exe
2644  C:\Windows\System\qvFhcZm.exe
2780  C:\Windows\System\jDQJEmd.exe
2624  C:\Windows\System\heHiCmu.exe
2136  C:\Windows\System\THnYrzq.exe
2172  C:\Windows\System\UWWtRzU.exe
1764  C:\Windows\System\edtwlSA.exe
2216  C:\Windows\System\DBYQJUd.exe
2456  C:\Windows\System\Mvvdmxl.exe
2860  C:\Windows\System\ZwhGzav.exe
824   C:\Windows\System\nCKcKvQ.exe
1204  C:\Windows\System\PEWrAVu.exe
2932  C:\Windows\System\wSsTCqk.exe
380   C:\Windows\System\oNnkLuE.exe
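The drop-into-C:\Windows\System, execute-as-child, connect-out sequence recorded in the tables above is a hunting pattern in its own right. The following is an added example, not part of the sandbox report: a small detector that runs over constructed Sysmon-style events (Event ID 11 FileCreate, 1 ProcessCreate, 3 NetworkConnect) modelled on the behavioral1 run. Field names follow Sysmon's schema, but the JSON export layout, the helper names and the MIN_DROPS threshold are assumptions to adjust for your own pipeline.

```python
"""Hunting logic for the drop-and-execute pattern seen in behavioral1.

Added example, not part of the sandbox report. Events are constructed here
to resemble Sysmon Event IDs 11, 1 and 3 after JSON export; the exact export
layout and the MIN_DROPS threshold are assumptions.
"""
import re
from collections import defaultdict

# Fresh executables with 7-letter mixed-case names in C:\Windows\System
# (not System32) are what the sample writes; normal software does not.
DROP_PATTERN = re.compile(r"^[A-Za-z]:\\Windows\\System\\[A-Za-z]{7}\.exe$")
MIN_DROPS = 3  # assumption: raise in noisy environments

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe")


def file_create(pid, image, target):
    return {"EventID": 11, "ProcessId": pid, "Image": image, "TargetFilename": target}


def process_create(pid, ppid, image, parent_image):
    return {"EventID": 1, "ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "ParentImage": parent_image}


def network_connect(pid, image, ip, port):
    return {"EventID": 3, "ProcessId": pid, "Image": image,
            "DestinationIp": ip, "DestinationPort": port, "Protocol": "tcp"}


# Constructed events: three of the 21 drops, two of which are then run as
# children of the dropper, the 3.120.209.58:8080 connection, and benign noise
# (an installer writing to System32, Explorer starting Notepad) that must not fire.
SAMPLE_EVENTS = [
    file_create(1724, SAMPLE, r"C:\Windows\System\nhsdoPz.exe"),
    file_create(1724, SAMPLE, r"C:\Windows\System\VuyyHRY.exe"),
    file_create(1724, SAMPLE, r"C:\Windows\System\JGliWmB.exe"),
    process_create(1004, 1724, r"C:\Windows\System\VuyyHRY.exe", SAMPLE),
    process_create(2572, 1724, r"C:\Windows\System\JGliWmB.exe", SAMPLE),
    network_connect(1724, SAMPLE, "3.120.209.58", 8080),
    file_create(900, r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\drivers\vendor.sys"),
    process_create(950, 800, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
    network_connect(950, r"C:\Windows\System32\notepad.exe", "198.51.100.7", 443),
]


def detect(events, min_drops=MIN_DROPS):
    """Return one alert per process that wrote at least min_drops executables
    into C:\\Windows\\System and then started at least one of them as its own
    child. Two passes, so the order of events in the export does not matter."""
    drops = defaultdict(set)  # dropper pid -> paths it created
    for ev in events:
        if ev["EventID"] == 11 and DROP_PATTERN.match(ev["TargetFilename"]):
            drops[ev["ProcessId"]].add(ev["TargetFilename"])

    executed = defaultdict(set)  # dropper pid -> dropped paths it launched
    conns = defaultdict(set)     # pid -> (ip, port) it connected to
    for ev in events:
        if ev["EventID"] == 1 and ev["Image"] in drops.get(ev["ParentProcessId"], ()):
            executed[ev["ParentProcessId"]].add(ev["Image"])
        elif ev["EventID"] == 3:
            conns[ev["ProcessId"]].add((ev["DestinationIp"], ev["DestinationPort"]))

    alerts = []
    for pid, paths in drops.items():
        if len(paths) >= min_drops and executed.get(pid):
            alerts.append({
                "dropper_pid": pid,
                "dropped": sorted(paths),
                "executed": sorted(executed[pid]),
                "connections": sorted(conns.get(pid, ())),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The connection list is attached to the alert rather than used as a trigger: the 3.120.209.58:8080 destination is useful context for the analyst, but the drop-and-execute behaviour is what generalises to the next build of the same dropper with a different C2.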

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe"

Each of the 21 dropped executables below was started with its own path as the entire command line (no arguments):

C:\Windows\System\VuyyHRY.exe
C:\Windows\System\JGliWmB.exe
C:\Windows\System\vzvRUDJ.exe
C:\Windows\System\NJwckaq.exe
C:\Windows\System\FCCzUJZ.exe
C:\Windows\System\nhsdoPz.exe
C:\Windows\System\PQvLBXQ.exe
C:\Windows\System\yKaAMEY.exe
C:\Windows\System\qvFhcZm.exe
C:\Windows\System\jDQJEmd.exe
C:\Windows\System\heHiCmu.exe
C:\Windows\System\THnYrzq.exe
C:\Windows\System\UWWtRzU.exe
C:\Windows\System\edtwlSA.exe
C:\Windows\System\DBYQJUd.exe
C:\Windows\System\Mvvdmxl.exe
C:\Windows\System\ZwhGzav.exe
C:\Windows\System\nCKcKvQ.exe
C:\Windows\System\PEWrAVu.exe
C:\Windows\System\wSsTCqk.exe
C:\Windows\System\oNnkLuE.exe

Network

Country Destination Domain Proto Count
DE 3.120.209.58:8080 (none) tcp 6 identical connections

Files

memory/1724-0-0x00000000000F0000-0x0000000000100000-memory.dmp

memory/1724-1-0x000000013F880000-0x000000013FBD1000-memory.dmp

C:\Windows\system\VuyyHRY.exe

MD5 0895d5e87058333082e50fcadbded578
SHA1 af6767a1a1b7729e25602a19cdee2af2e13a8943
SHA256 3a5a25e7f799614579f91484bd9373a9f0f586ed60ea38173579f880da7745dd
SHA512 6ed7b15fbc659905c64e5cb24ec581d5d668c3660714300b96da2726c1a3058d31d823773840483d10144857c81911297c67c02888a62d64bacbbaf85045d66c

memory/1004-9-0x000000013F440000-0x000000013F791000-memory.dmp

memory/1724-8-0x000000013F440000-0x000000013F791000-memory.dmp

memory/1724-13-0x000000013F2B0000-0x000000013F601000-memory.dmp

memory/2572-15-0x000000013F2B0000-0x000000013F601000-memory.dmp

C:\Windows\system\JGliWmB.exe

MD5 864e6f681ad1ffa8d2412e2d6b8a1237
SHA1 27232655b52b660663bfac04c2b309a1bf0cfcf4
SHA256 7934bc0f0fe862dfc9aaac07ad67dd7b293783083f0c2eae51c01e3d3b614e6d
SHA512 a09333f63363b87b568cf9992ed3ec7c9ffba41820c6220c1331ed9ce8923e646a8222f5abe218c3a2a8798ade622f31ba79dc40f13694214e89ec918ede99ea

\Windows\system\vzvRUDJ.exe

MD5 79864d22f26357ce54839f4844cc22be
SHA1 9931fe3dfd9ec1a2edbc323a099d8bed453270ec
SHA256 312e447aea5aefa7dd0aec91f2c0fce1a17f716163210fbc5f9f83aa3557eb88
SHA512 f9eeee51ea2e3b6f1fb3d6b80379bea2c34e5e6ff502f6fdc519cf47f4e7a90c51a9bf2dbe154fa5bb705f66816d821f0514d34602722f11ea3f9035974c3556

memory/1724-17-0x00000000022C0000-0x0000000002611000-memory.dmp

memory/1284-22-0x000000013F7D0000-0x000000013FB21000-memory.dmp

C:\Windows\system\NJwckaq.exe

MD5 e76b4892bf906e45658c73a887217b0e
SHA1 309e3976edda8e872eb3a59cf5eb4b5ab146733e
SHA256 6ac6ae00060db8dc8aa139dbc5ed72abc7510d5b19ca1b82f73a255cc121d7a2
SHA512 3452357eabc5825ca4183e4d7b41b817cb69292c2d723d7e6385354961621be4cb4d366c3f936c9c04cf0b83958dc2f0cd30788d1c2d17bd730110a863357cbb

memory/2444-35-0x000000013F880000-0x000000013FBD1000-memory.dmp

memory/2768-40-0x000000013F120000-0x000000013F471000-memory.dmp

memory/1724-46-0x000000013F880000-0x000000013FBD1000-memory.dmp

C:\Windows\system\PQvLBXQ.exe

MD5 920680001fd539e32ff422bd40912113
SHA1 4cbad9eb9c18999e8bc3946fb9bc027842f58a53
SHA256 e907448ceb275197fac8d788b9c167db5aea356537f186d15c145a4609c35312
SHA512 0f5503dd24f5e9b30236f4c4ebedd822e44cd36cd87da5f2a73c3df74a6618047678dd4331636c9d102d688585ff2b201f7f6cdfd19f642ce31c91e1acc35a10

memory/1724-57-0x000000013F2B0000-0x000000013F601000-memory.dmp

\Windows\system\jDQJEmd.exe

MD5 e58fa42418b4ba3d340e3308ae17cd6f
SHA1 039c5b7d66d7942e09883d3718b5a940482f3427
SHA256 78112a3e6469feced4ee7d81e01eedd55eb46365dfad9de5e8251c7e7ea41bab
SHA512 c63135a0d9594fbc9fa7ed3780bcd125399c59b6de469e695db0bde8cdee9e6ef611fa8353def67e3dbee704b52c4409215f8dd017651444f89f863e7cae9eb7

\Windows\system\THnYrzq.exe

MD5 ba3290eb3ef882efc07df0770e25979f
SHA1 f068f9f7596af4d2e5c1e94ea575e313985a6e45
SHA256 99f5eb87cb410a76b932d09dbd87db15c3e0e55a1880de2fef4a0bd374dec792
SHA512 36857cae14543f76611dcf39e68ba320a88382dd7035f4b98658252a1fab764df5baacd54b7a031be422b19bb80b96d94505b1ddca567937ad77e1f710c5c0c2

C:\Windows\system\UWWtRzU.exe

MD5 f1220da14fedc0b886da562614c8a412
SHA1 8ab8613f059097d73c07b87904a9dc4a65ca3eb5
SHA256 2429cdd8c1f528957e83874db05112ff5af48bb3f605e3feb1cd471a3b9ad1aa
SHA512 db0a6d07ea7b63bc5630767fd6275d3cd12cd629320f922b5e011b66b4e753c15602201ab96e550b5709cd88745630d6b5fa86116dde86cdc0b9e1fb9b62168e

memory/2172-91-0x000000013FFD0000-0x0000000140321000-memory.dmp

C:\Windows\system\DBYQJUd.exe

MD5 51f85f9a7846154619b8042baf63dd77
SHA1 136db2694d0d57c3d6ed32d0ed51868baf5ee860
SHA256 a714576a2f1ea364df5586deab9d67f794dde70883d378bfbfcaf3960e236f29
SHA512 8ed7e05444a4bca6263491618981aeb068f07afc3b4c927b75beccdd1d28e86155822ef1c397d9ddf4d19870e41bd93e23e3b6b40fbc2be1cc466ec41988ddbd

memory/2840-110-0x000000013F790000-0x000000013FAE1000-memory.dmp

C:\Windows\system\oNnkLuE.exe

MD5 818ad38e5d8c1326b4bb36677b001ed2
SHA1 640586995d8361fd402092beb46cfa7c0e0ab0b1
SHA256 e9354970960cc1efdab242c56cfdb6f2863f0632af6c78efdb1866befa08ca99
SHA512 b08bbbaf930eb2ef8908fd51bfb043702ebce3a0a200379273925a11b30cf11d79dd1ec5392f21c0c3123fade74b1dae8d975532ac269d487e148ef5bbef8d8d

\Windows\system\wSsTCqk.exe

MD5 c9b6b35bc1a3f32f6d13c20e0f5f731a
SHA1 8dd26b9a0e1c163a54cc54b4ae2972bf760fe761
SHA256 91997c90936e87aed537d3b1abe51d33d4619f96c0d78a7c2b570b8c8e449588
SHA512 ca5932df231b83a9657d9ea9ecab99eb5b530d02ceec1afcb97d31ec08ec1ebda6425d1b101d8cf95dab1332e0121f5ddf7a06f366cba48b1de7b0587f4d1a70

C:\Windows\system\nCKcKvQ.exe

MD5 bfb8441723e923ba5695c19ab1057013
SHA1 dc8e6a8c99dbb8e320b86bc9f7c9f7b23d4b9658
SHA256 f1d63fd138b6eeebe282eb1ddcfc9cc63e0645de4a3f9701babb8ff48fcc0265
SHA512 a3de0f91d823f259839579602c5703bc1e4f1857744b5efc34d82c1b1295fd9333527bf72752af373a0c94ed1704d52fd711ce3dc894a411d4e0d434b96b5a69

C:\Windows\system\Mvvdmxl.exe

MD5 5fb2c39b4672e2d973c0bdc9dcce2a0e
SHA1 f5114067318aa599f7fa52b9f94c2372347223ac
SHA256 2a506a602e7c15377c2791903ebebffd9b7061dee9c2b6ddbf9ef9153dbd0b8e
SHA512 f83b6f3eef9eb2ed2ac8302b85fc21df375d6e7ed2f8738d8fd5077b43001fef1c3a5107f0e736d0703833bb2e795cd1e60e1e9e11985c97e5f84918d53d0018

C:\Windows\system\PEWrAVu.exe

MD5 4c7088cb7c56d110ddbbf7426bf30f8e
SHA1 9897cd224b1bce2145cc5731f4fb674791e34e62
SHA256 a80e6ce95e06dbe49c43b6e2de72969fc5b9b743679854b60611629a11889168
SHA512 02ac2bd8930dbfb49727c889dd05d302afba9db0b2982948dfb86806a150fb5182a8a9e1f2fabc5cefedf0d93ff7fe707edb8e06162f7a175b0c4e554fc8e4c2

C:\Windows\system\ZwhGzav.exe

MD5 72d00262355b5541e8485fccca3984ae
SHA1 693ad467abda44d6bd7baefbe3c8bc59e16a1701
SHA256 3e7f736e4747c275aef321c9e690725697a44ddf78f8a530549bc2b1aa58538b
SHA512 116f5ca44465596e78a52a1ae9149344c9dff638de43226fec8863af0d0da51c00f1b43a18fe2d7424da65e35f48745146ddfa66dbb00af0d1cca94c4e2ef95d

memory/1764-99-0x000000013FA40000-0x000000013FD91000-memory.dmp

memory/1724-98-0x00000000022C0000-0x0000000002611000-memory.dmp

memory/2768-97-0x000000013F120000-0x000000013F471000-memory.dmp

memory/2444-96-0x000000013F880000-0x000000013FBD1000-memory.dmp

C:\Windows\system\edtwlSA.exe

MD5 3c39722b8c6eeac0e9576215dcea5c9e
SHA1 42a8100ab751eb735702f97914b64a164089373b
SHA256 6cc9ac2a689a26efaa7f4aa8aac26840b3ec4edeee15deb720d2d3e46501577f
SHA512 b776649896640904d66aec34f20098ee5ff4ad2d81b1d8002719613022fb2e6a28bf7f279b9f57774c09c67c4a654056bb6d36faa48dc55119ad8051a3e6f145

memory/1724-90-0x000000013FFD0000-0x0000000140321000-memory.dmp

memory/2136-85-0x000000013F600000-0x000000013F951000-memory.dmp

memory/1724-83-0x00000000022C0000-0x0000000002611000-memory.dmp

memory/2780-82-0x000000013FC40000-0x000000013FF91000-memory.dmp

memory/2572-68-0x000000013F2B0000-0x000000013F601000-memory.dmp

memory/2624-77-0x000000013F9E0000-0x000000013FD31000-memory.dmp

memory/1724-76-0x00000000022C0000-0x0000000002611000-memory.dmp

memory/1060-58-0x000000013FAF0000-0x000000013FE41000-memory.dmp

C:\Windows\system\heHiCmu.exe

MD5 da22b0c195749ad4926e2fd35cdd0b4a
SHA1 57699324acd5fbb1caf76c958023ecc71751f6fa
SHA256 eb4ec967d7d7f333745fd1edd32e4839737b5e34e41d07ecba7339d1007dbe80
SHA512 a02e254c815549033bc276de8a635e561b03da599c2276c03ed51bfff1320e44a60df1818a7e7f3b5ee5a95214baf0edd2732aee74bb6bbad5aa730c1ddfda83

memory/1724-74-0x000000013FC40000-0x000000013FF91000-memory.dmp

memory/2644-73-0x000000013F350000-0x000000013F6A1000-memory.dmp

memory/1724-72-0x000000013F350000-0x000000013F6A1000-memory.dmp

C:\Windows\system\qvFhcZm.exe

MD5 fb434e22726971e87a97aa0b3d723b37
SHA1 a4a61add8cd025259a14022a52192413f8242c4c
SHA256 1f985205b06332043cfb1b022a2c63b1713efcc48f672cf39ede4eaf3626ec03
SHA512 2e3ebfa47653325a1bbdd5224cc17391d320cc324fa5bae2238e258e302df9d392f75cb6347fe80af4273bd1406cee58b77fe19def1369ab47c8ae1b9393f086

C:\Windows\system\yKaAMEY.exe

MD5 7f70f0925a90f415ad6fff6dc4bb758c
SHA1 930a7c213bd70768ead4a418a2980ab5e09e08c9
SHA256 a60571908d7ed0bbe163ee93ee024a7d12385febe887742f740300226a007263
SHA512 ad7dd19597bc886c15f87b9397dfdf79b9e9316d5b875b95719fcec656947246c2536737b525b40377669b57bb707c5edaa784d205953fd7bad68a732aa5509a

C:\Windows\system\nhsdoPz.exe

MD5 671675705005fc706780d2f7bf4db180
SHA1 480eb913309d81fbdf64fe977e860818240441be
SHA256 6e7c180a0bae068a572d56ff752f5954dde214fec7f4c0a016f7d416f617cf98
SHA512 e378743de4e76eadfb5ffc5290cc2c0ed0a6bf732e935794b01e36e8225ca152d034b9992d84f261a6d9c9201d4528959e343e577d71f235cd9347ec450bf32f

C:\Windows\system\FCCzUJZ.exe

MD5 14af74318a26af11e4ecd79ebc587d19
SHA1 d16fbcbb97f560915ac09122e2c73ea63807f7dc
SHA256 de6f6b13558c52f1c6429e84a7698de951cc97c95d8a76efb8b2665cc74cb894
SHA512 47fcdab8555aa470e27fcbc7c25dd4ae015339622297b1c8180bf0662b0c8cdc7499112547675559f588cb9b7d6df1eb92b14d9618add362eeffebf51a937e7a

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 11:51

Reported

2024-08-13 11:54

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\LCZxyno.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YeSdZsR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WpeiYVq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Dynzphp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TZjOfhZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GjzbrxW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ChJOMiF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yyXRCxL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pwnpdva.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kzhcSLW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AlOEzoL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\erfwdVN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vRinFKk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZBsvtNZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QZMwROu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kgEwIrg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aWuNtEG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VdzupqU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\veiRNyy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VTkiCYg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zGvHLFV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2388 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YeSdZsR.exe
PID 2388 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YeSdZsR.exe
PID 2388 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WpeiYVq.exe
PID 2388 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WpeiYVq.exe
PID 2388 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\erfwdVN.exe
PID 2388 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\erfwdVN.exe
PID 2388 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vRinFKk.exe
PID 2388 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vRinFKk.exe
PID 2388 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VdzupqU.exe
PID 2388 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VdzupqU.exe
PID 2388 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yyXRCxL.exe
PID 2388 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yyXRCxL.exe
PID 2388 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZBsvtNZ.exe
PID 2388 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZBsvtNZ.exe
PID 2388 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QZMwROu.exe
PID 2388 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QZMwROu.exe
PID 2388 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kgEwIrg.exe
PID 2388 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kgEwIrg.exe
PID 2388 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\veiRNyy.exe
PID 2388 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\veiRNyy.exe
PID 2388 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Dynzphp.exe
PID 2388 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Dynzphp.exe
PID 2388 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TZjOfhZ.exe
PID 2388 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TZjOfhZ.exe
PID 2388 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aWuNtEG.exe
PID 2388 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aWuNtEG.exe
PID 2388 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GjzbrxW.exe
PID 2388 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GjzbrxW.exe
PID 2388 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ChJOMiF.exe
PID 2388 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ChJOMiF.exe
PID 2388 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VTkiCYg.exe
PID 2388 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VTkiCYg.exe
PID 2388 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pwnpdva.exe
PID 2388 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pwnpdva.exe
PID 2388 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kzhcSLW.exe
PID 2388 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kzhcSLW.exe
PID 2388 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AlOEzoL.exe
PID 2388 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AlOEzoL.exe
PID 2388 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LCZxyno.exe
PID 2388 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LCZxyno.exe
PID 2388 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zGvHLFV.exe
PID 2388 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zGvHLFV.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\YeSdZsR.exe

C:\Windows\System\YeSdZsR.exe

C:\Windows\System\WpeiYVq.exe

C:\Windows\System\WpeiYVq.exe

C:\Windows\System\erfwdVN.exe

C:\Windows\System\erfwdVN.exe

C:\Windows\System\vRinFKk.exe

C:\Windows\System\vRinFKk.exe

C:\Windows\System\VdzupqU.exe

C:\Windows\System\VdzupqU.exe

C:\Windows\System\yyXRCxL.exe

C:\Windows\System\yyXRCxL.exe

C:\Windows\System\ZBsvtNZ.exe

C:\Windows\System\ZBsvtNZ.exe

C:\Windows\System\QZMwROu.exe

C:\Windows\System\QZMwROu.exe

C:\Windows\System\kgEwIrg.exe

C:\Windows\System\kgEwIrg.exe

C:\Windows\System\veiRNyy.exe

C:\Windows\System\veiRNyy.exe

C:\Windows\System\Dynzphp.exe

C:\Windows\System\Dynzphp.exe

C:\Windows\System\TZjOfhZ.exe

C:\Windows\System\TZjOfhZ.exe

C:\Windows\System\aWuNtEG.exe

C:\Windows\System\aWuNtEG.exe

C:\Windows\System\GjzbrxW.exe

C:\Windows\System\GjzbrxW.exe

C:\Windows\System\ChJOMiF.exe

C:\Windows\System\ChJOMiF.exe

C:\Windows\System\VTkiCYg.exe

C:\Windows\System\VTkiCYg.exe

C:\Windows\System\pwnpdva.exe

C:\Windows\System\pwnpdva.exe

C:\Windows\System\kzhcSLW.exe

C:\Windows\System\kzhcSLW.exe

C:\Windows\System\AlOEzoL.exe

C:\Windows\System\AlOEzoL.exe

C:\Windows\System\LCZxyno.exe

C:\Windows\System\LCZxyno.exe

C:\Windows\System\zGvHLFV.exe

C:\Windows\System\zGvHLFV.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\YeSdZsR.exe

MD5 a64646c9e1ba10b94b529e95b521ede3
SHA1 31fe13189d7ee2def1a119d59c30f26a484397e0
SHA256 c20862b5be2fb45b524473e5b0bdedcbc400fa277c87474e9b6d53c8b5d32fe3
SHA512 4602f25f53fbadb81fcad9fe696a28763d3f978e1f680837ac37c7ea781339110d5020b45548874a54fc286af8987dc0a63378ae3f80c7413a7c3640b8d54839

C:\Windows\System\WpeiYVq.exe

MD5 ff739484bcab299ce9b9f544981ac630
SHA1 329d7427e9ef84a5a3dc78f72d87d88f84e98686
SHA256 26387a34799c9fe4f8e05e4aae01d14c068e789c9894fbf60cdec7234e82d646
SHA512 99e038e0bab695e193349b65191b52d82b8a066c233c75abaeeba6c778c237fdbf1119d3b3bb0f739ee8349b616e1b35d03268723b39b4ee01f2465be54e26e5

C:\Windows\System\erfwdVN.exe

MD5 f05f55965642ba8d9e37dbfe68515609
SHA1 5e4a87e7589a8ed9ebbbc40003478c8578e8a875
SHA256 b62b647e77f4262009d1a06b4f124f614a400ce6bc7d07c032d8e74c5a75c577
SHA512 634e5576b6dade86a8cf3c85135e0d4cb083fd806536e0b203526076bfe90775c2a5f089546a38edf8a1adc5990b05ce3a757e9cc37846c06ad91b6b7cf580b0

C:\Windows\System\vRinFKk.exe

MD5 8796be25808dae19f783456654954d63
SHA1 c96763c5a0da672b866682cf08075a70ba46d2d7
SHA256 41abf91a65750cb0b0265467c4e84b202152efdbb6639d93b7eabf95c7a3ba05
SHA512 fe02f382cdf83388639225f2a6ca6854539cc717c4ee002f6a571d30b101f92de80c1aecb1960f4d76158e1b3a3cd7cf3e081fe2649e5d3829d05cbb5d274630

C:\Windows\System\VdzupqU.exe

MD5 b8987ae7d8d260a207d9d5f5d7cb0d44
SHA1 a031346430ebfdf271fe8e7f89a3cd574ae2e13b
SHA256 fe721a47625508953ca3351f462302d02bab47cd58fd6d545622d1ad41cf3705
SHA512 b74e084fd7f7464dfa41042441516e1c79496a5610d9b211be661811a452ab38c56796f9de485bf4b415d0edd8388bd75ab6b03bf1828ce9919df844b90bbec3

C:\Windows\System\yyXRCxL.exe

MD5 442e52750c55d00d0710d7f0086dcf52
SHA1 34e93c8babb3ab253f47ade192c5de15258bb65a
SHA256 ac0c41f7a5d9cadfa6a789fed38147988f0e4875c881cd0a7373a0d851660c58
SHA512 0b240ee92695dbb8c2c6615e6ca86ea2728ce8120c01e45aa593c7fb8da7119091c0ea28dea244ea8639f16b777b1871dacc4995ff1c0c554b006680dbc64a96

C:\Windows\System\ZBsvtNZ.exe

MD5 32fc3a7fd13fa164afe18a7c9384dfa3
SHA1 16399d7fb1fa7e0cabdd488939073eb738c2596e
SHA256 9402e7b0950f1cce6dd36734d9622b831ff85939fdb4a8388e117bfa7837268d
SHA512 7e6255a66190574b43d9d4fa443d22490fc15a13e764df803ee39be2eff1d8c7328c17c2d582ceaf857468409859edf4088c6b285e91714b9dcc949a6baba12a

C:\Windows\System\QZMwROu.exe

MD5 818b225947a8b0d92ffabded390be04f
SHA1 6f3a5741af5c535fc900786eea57974ded4900d3
SHA256 f1e41629957953ecf0e2c716b30fd46105c4344f5a8f0f3f5d069f1c578cc83b
SHA512 f42936d7749a5821540065a19b13a33091e47258faab0bf457aeb6c015d95769f56b4116aaf241619b37e0dc7b10fd77c9c7ea56fcb28f89928192314ad04f73

C:\Windows\System\veiRNyy.exe

MD5 9645d3112ec9dde78370d9d8c0b8b6b0
SHA1 fc87f19cc91a8aae0f1e32ea56e08cba29758ab2
SHA256 60941f6d21878a3c609cb631d626cfd0aadc1a1ac38fb50da021926d177e8aec
SHA512 ec87a8320425ed3b1eef9774768c1f671423ad3a8ecefdd2ee3a0ba19fee7ff2bb6fd1de013a58db7c70df0af510fa98dc6e7072177cf33b0597056ce41e1380

C:\Windows\System\kgEwIrg.exe

MD5 c13ce50c59766d6b7321b1ec3dd9afcb
SHA1 5bbb59e57d15bd433e7f9ea61fc3d2c225786ca8
SHA256 78e33940b889de28b138451b9a89aa51e07fc5893bfd814bfa25e35bb236dffe
SHA512 4305318481f35c0934fddf637b7b84c82998475af06ac7ec500e705a4ca45d2c4c88ada9685b01e51366074cb0a00970539cf3794f44059f74ea86fc5407ebb9

C:\Windows\System\TZjOfhZ.exe

MD5 c4d6b7ed58383a6a562327451edf5235
SHA1 8f65be5d69ade8c7d347342a1a45f374d922413b
SHA256 bc6dc68a7d824ffaf5c6a2f514ed4aa45611533063004ef50b42decb39e7202e
SHA512 949eb657202c2a16c4ca8d4af2b9302e37d58825af8616b98c5ee93bcb4262666e0987aae5dc04c0c5a17e727aaf4234be1d833d5db97549104708ef3d449cc7

C:\Windows\System\Dynzphp.exe

MD5 4e1a700fbe1aa7de215da340da1a2927
SHA1 996403fe5c12834ab201d2c9f93064ac7ea22d04
SHA256 cf92cba612aa8ad39ae9106551c8b4d91aa5bd2125e4d4da27632cfe031988ab
SHA512 17b9dbf6ade3abea11fc69fb462de7e10c011254e95ea12a614734e369d4323bb735c424833b7f61c3198ed1b519a8052141f46cfdd80939b56eba8588091859

C:\Windows\System\aWuNtEG.exe

MD5 779144dccb59311e3aa05ee08b904ecb
SHA1 6b913d15d952813a6b6e03c31938bb0807009a0d
SHA256 150a124e34b7398994bee722d1325966f42df9ad5b8c46eb24913a6901124c0d
SHA512 836195271218a75b606cae86dab263148882c4cc25b65d42f340e2ff0a41b35e996c740879d43c1fe729001f4e597b61659b18c24f4af296be643d2c02ecd9d2

C:\Windows\System\ChJOMiF.exe

MD5 356103dc5095f914abfb52320ee85621
SHA1 e57136ddbd0883de524fb9f7709122a86635a569
SHA256 ebd6c6b524542325d28f86f00c2fdb239887e2664dd0703caecef69a330fc264
SHA512 72ab0111b4617a45225d268847ec5e2660a64e0050c2f70786783fc8d9fc49bddf084cd8552156ac4bf87e2af00641362112645be4e15cf794a956ccad70bdb0

C:\Windows\System\pwnpdva.exe

MD5 41ef0c14d661f99af9379f26b68af983
SHA1 29b20980de01b3e1b63c90855c2e20b292ca1977
SHA256 54b40105de2e2605c70691cfee73f405eb1b3f022aca0d7d89ae4ce72449aaab
SHA512 b76493ffc912b49015e47a57db026fa1d0b3b03d0737b95aca9f25886c713e2a13375a1461538e4235dcf5a098f24554dbaba345d614102eb2e7c5b4e882c3a3

C:\Windows\System\kzhcSLW.exe

MD5 2c372040d905f7ce202e19722940e708
SHA1 57eb91cc27640dba35667b69b4dc3c00b3f601ec
SHA256 323ddf1d6909f867254fa312d88f29493ff02787e4e7f7a476339e3cf517f281
SHA512 643417429f23c21e4310de00107648a92940b10bc3df519b0b271ca4646474a0ceae10edb574e7b384bf0f5a4bbe7d827921e93225b4a7f58138649713517d36

C:\Windows\System\AlOEzoL.exe

MD5 4f56c46d69ecabe2677f4409df2faf39
SHA1 cafa69fa3a68e89f7639d9491cef89bdca4acb6a
SHA256 60d0764a3f988e57feaf71f287d616c686c244e5b212fa58b0cfd31d4f222027
SHA512 56ed3eb8bd1ee88237f162a2cc48f5d611c3eddf2d866c91cab1469d6a75db4140332efd16641ed9e845028f691e93fe40bc39101abe80032f9752a08b947cd8

C:\Windows\System\LCZxyno.exe

MD5 c0fdb42342f97197c3c610cce4d77941
SHA1 9fc7b616ae48f2a1b309ea34e7f8967857f0ab3e
SHA256 559341b989da7f991f8d537d41c35947e21585f76a29d057d8c1474f2e755b2c
SHA512 3395731f3fcc06cbddf822a857b57a5541e37e6dbebb2703a98861cca067356c44f2b65a7d7037eba1ac841c480a98bd805a181affcba0bfacd61810c6246901

C:\Windows\System\zGvHLFV.exe

MD5 506160db51fed148f4654358fb8144a1
SHA1 ffeaa0911206870b62ba7e846f00ff9703333dae
SHA256 844503ff4d9fda49c693c5761216381ab678772be8fc686604b9f022b23b539e
SHA512 ee796eb265c04aa9c2d093d216e921c91ced9bf6d92f8f0f957bf298bddff07db247232d146b6c6cc3d3dd271e3d57434d7c02a71f2e4fd585bbc64db58bf9c1

C:\Windows\System\VTkiCYg.exe

MD5 be881284107e2269c4c168d2033f95df
SHA1 656eb3dd7620e73e3157ee8eaf1b441c32f66691
SHA256 05953cd1d3fbbb79a3c0d66ceb7ced24f08ac414ef337ce1b52bf0b47f96d19d
SHA512 cfd6ec5bb7bbe57507208ed6ed93f3b9be3b1008b270822e4e26c1f4176a0493a2a11302e8f8f3eb23ca001ff748f43fa2fbfaf434907a438b98a72953f0abc2

C:\Windows\System\GjzbrxW.exe

MD5 b3fd5121b83adf888e33e9003e8198c6
SHA1 015ffb1bf46230e1cda16f5629ba937836e0272e
SHA256 5dc169e2f08001478d3fa2f40ad527b0b14d820fef812d76a1e3b152774c3150
SHA512 c50612345b65a2823d7ea7b14144c8a85619363a841178d89566fb441d3959580465a68d9f9eb3dc37d4915a30a1b127e7fa9a64b5d82dd6c108262ae84b3cc4
