Malware Analysis Report

2025-03-15 08:01

Sample ID 240813-n3fjnawhjr
Target 2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat
SHA256 7682d382c2a8bd112c73a6b7658e16222c7f454ac17e66f88ab6740b92ab7baf
Tags upx 0 miner cobaltstrike xmrig backdoor trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 7682d382c2a8bd112c73a6b7658e16222c7f454ac17e66f88ab6740b92ab7baf

Threat Level: Known bad

The file 2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Tags upx 0 miner cobaltstrike xmrig backdoor trojan

Signatures triggered:
xmrig
XMRig Miner payload
Cobaltstrike family
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-13 11:55

Signatures

Cobalt Strike reflective loader
  1 match, no indicator details recorded (Description, Indicator, Process, Target all N/A)

Cobaltstrike family
  Tag cobaltstrike

XMRig Miner payload
  Tag miner
  1 match, no indicator details recorded (all columns N/A)

Xmrig family
  Tag xmrig

UPX packed file
  Tag upx
  1 match, no indicator details recorded (all columns N/A)

Unsigned PE
  2 matches, no indicator details recorded (all columns N/A)

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 11:55

Reported

2024-08-13 11:57

Platform

win7-20240704-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

21 matches, no indicator details recorded (Description, Indicator, Process, Target all N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
40 matches, no indicator details recorded (Description, Indicator, Process, Target all N/A)

Loads dropped DLL

21 matches, each with Process C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe (Description, Indicator and Target not recorded, N/A)

UPX packed file

upx
64 matches, no indicator details recorded (Description, Indicator, Process, Target all N/A)

Drops file in Windows directory

Process (all rows): C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe
Target (all rows): N/A

Description Indicator
File created C:\Windows\System\sADGxsH.exe
File created C:\Windows\System\fFaXdPS.exe
File created C:\Windows\System\JmgVCIv.exe
File created C:\Windows\System\LxaYmeZ.exe
File created C:\Windows\System\LGytLeV.exe
File created C:\Windows\System\KXdgDRz.exe
File created C:\Windows\System\hMURsjR.exe
File created C:\Windows\System\CSoUsRN.exe
File created C:\Windows\System\llwSedC.exe
File created C:\Windows\System\LQxAHjp.exe
File created C:\Windows\System\fEDhpBe.exe
File created C:\Windows\System\JdFjhDA.exe
File created C:\Windows\System\RJSWJwb.exe
File created C:\Windows\System\iEotxIi.exe
File created C:\Windows\System\hVXQnqR.exe
File created C:\Windows\System\GwwQulG.exe
File created C:\Windows\System\yOQqNZw.exe
File created C:\Windows\System\FmuHxtZ.exe
File created C:\Windows\System\PcIdIhp.exe
File created C:\Windows\System\YtTcvuA.exe
File created C:\Windows\System\XTikjmu.exe

Suspicious use of WriteProcessMemory

Process (all rows): PID 1968, C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe
Indicator (all rows): N/A
Each target below was written to three times (63 events in total).

Description Target
PID 1968 wrote to memory of 2336 C:\Windows\System\LGytLeV.exe
PID 1968 wrote to memory of 2824 C:\Windows\System\KXdgDRz.exe
PID 1968 wrote to memory of 2896 C:\Windows\System\hMURsjR.exe
PID 1968 wrote to memory of 2736 C:\Windows\System\CSoUsRN.exe
PID 1968 wrote to memory of 2616 C:\Windows\System\yOQqNZw.exe
PID 1968 wrote to memory of 2772 C:\Windows\System\sADGxsH.exe
PID 1968 wrote to memory of 2964 C:\Windows\System\fFaXdPS.exe
PID 1968 wrote to memory of 2748 C:\Windows\System\FmuHxtZ.exe
PID 1968 wrote to memory of 2664 C:\Windows\System\JmgVCIv.exe
PID 1968 wrote to memory of 2624 C:\Windows\System\PcIdIhp.exe
PID 1968 wrote to memory of 2688 C:\Windows\System\YtTcvuA.exe
PID 1968 wrote to memory of 3068 C:\Windows\System\LxaYmeZ.exe
PID 1968 wrote to memory of 1228 C:\Windows\System\LQxAHjp.exe
PID 1968 wrote to memory of 2120 C:\Windows\System\fEDhpBe.exe
PID 1968 wrote to memory of 2076 C:\Windows\System\JdFjhDA.exe
PID 1968 wrote to memory of 2160 C:\Windows\System\RJSWJwb.exe
PID 1968 wrote to memory of 1484 C:\Windows\System\llwSedC.exe
PID 1968 wrote to memory of 2920 C:\Windows\System\iEotxIi.exe
PID 1968 wrote to memory of 2800 C:\Windows\System\hVXQnqR.exe
PID 1968 wrote to memory of 1720 C:\Windows\System\GwwQulG.exe
PID 1968 wrote to memory of 1292 C:\Windows\System\XTikjmu.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe"

Each of the following dropped executables was launched with its own path as the command line:
C:\Windows\System\LGytLeV.exe
C:\Windows\System\KXdgDRz.exe
C:\Windows\System\hMURsjR.exe
C:\Windows\System\CSoUsRN.exe
C:\Windows\System\yOQqNZw.exe
C:\Windows\System\sADGxsH.exe
C:\Windows\System\fFaXdPS.exe
C:\Windows\System\FmuHxtZ.exe
C:\Windows\System\JmgVCIv.exe
C:\Windows\System\PcIdIhp.exe
C:\Windows\System\YtTcvuA.exe
C:\Windows\System\LxaYmeZ.exe
C:\Windows\System\LQxAHjp.exe
C:\Windows\System\fEDhpBe.exe
C:\Windows\System\JdFjhDA.exe
C:\Windows\System\RJSWJwb.exe
C:\Windows\System\llwSedC.exe
C:\Windows\System\iEotxIi.exe
C:\Windows\System\hVXQnqR.exe
C:\Windows\System\GwwQulG.exe
C:\Windows\System\XTikjmu.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp (6 connections recorded)

Files

memory/1968-0-0x000000013FA30000-0x000000013FD81000-memory.dmp

memory/1968-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\LGytLeV.exe

MD5 02934d2af270ffd28f8b88d1fd06d0ea
SHA1 359fc2b56e34b6934e709901019e5e67ab6dd5b7
SHA256 4af56679706f37d4396c12f084444650b400c70bc0d97bfdefafe8dc65928281
SHA512 8fd8fa4dfc919f4aaeae848ad7cb2ca0dba920c24af65be4c90531456c1dd37d333b34f20f0d314e25050b26fdfe1588338893cf1ad374a9db184feda6f23e72

memory/1968-6-0x000000013F0B0000-0x000000013F401000-memory.dmp

\Windows\system\CSoUsRN.exe

MD5 20dfc2403ffe5f7fe1e8123d7a0a8f8d
SHA1 7075ad7fcb7cf155e4b1891410d801eb9af970a2
SHA256 72dfbee0db1d9b064a743764203e2159073ea4563da68070ea1d25990c3b1973
SHA512 0957eeaa7ba3f01f99fe3f38b0fbcded79a02a4ea8905ead8daf095842dfa884563a3b1a92b8450c6addf17dbfb8cc34e70c3fc82c2fe12e476ce038588aaa85

\Windows\system\yOQqNZw.exe

MD5 8ebe511d08488c4bd5f43c9b26247009
SHA1 028583736a8760d4f9066da7ba56564204884269
SHA256 185c0e9309e2a3337b117e3f635ce3be476ea808ca4ea1e1d5d2f1b2fd27ce08
SHA512 5ca8b783e25f6c154622818e613b63438e036ec73ccdc59ca02bc5ec6baa259d36689256263468ad51824e91697963522162ba903435b0c8f1c5dcdaee8ea20b

memory/2736-38-0x000000013F840000-0x000000013FB91000-memory.dmp

C:\Windows\system\LxaYmeZ.exe

MD5 b1c17becd1dbab04a3023f69c749652a
SHA1 27d90a75fb54e4880e9c446445dfe81be10fb10e
SHA256 a11bcf02d9f5a5b947f261258c6929bd41b38accfab7aa2ea680ee5e29586068
SHA512 bebbee2b005fd3ce963cb6551833fdc5d4b97a45907d260fb138d0f3bbaff95ad1c307d963a404df9a1b79215c99265f9aa4ac927d3046a3469300967bd52c2c

\Windows\system\fFaXdPS.exe

MD5 c067c3660032bd43f88e83b8a921ace7
SHA1 35db09bc128319123c70a23b269cd2f325a677c3
SHA256 b5d68491c96c57058466826ba0a3ccb91e79eec0d19da29ec444a85ef2c8ac04
SHA512 5a84725431984da0ca0b456c96cddb09fff48ff67976147fef3cc88bca1a5bbfbd80ffbcffdfe8400c244680e7fdabd92bb0001c68fc8e09e8e5dcbc2fd8f8fe

C:\Windows\system\fEDhpBe.exe

MD5 98b863fe92457c790f50fa270a4b8ee6
SHA1 158117c31e10d25859078215c9e96422d099bb3e
SHA256 1e24cdba875120127f652e4d0106e875840c20b5da7780ddf6ad69fb0246d002
SHA512 ed50fe40fc5c53c5ea3c0b8418bc31de377f8cec2d627cbbcdade22eeca987f2cd2ffadf266621f798423b8576225836c6771cf75b08afa6e5cb40099f414031

memory/1968-83-0x0000000002180000-0x00000000024D1000-memory.dmp

memory/2624-82-0x000000013F5F0000-0x000000013F941000-memory.dmp

memory/1968-79-0x000000013F5F0000-0x000000013F941000-memory.dmp

C:\Windows\system\FmuHxtZ.exe

MD5 efd00603dc36609eb90828fa465a5afb
SHA1 3a8683395774a9d211d011735e5a5ebe598e8d8b
SHA256 d78e60ad2b1b7f2ed53ce32406f583043b0b9a0e2fd1ca7b985e9cf987927be0
SHA512 6cfa19b853ae15536e227da3be0e56c4ce9adb1d5c1ee6fcb6b566939303dba440c06e5e98c7f8e5095833b3199824930b2208607a6ace6a159db15d16b604f0

memory/1228-96-0x000000013FAF0000-0x000000013FE41000-memory.dmp

C:\Windows\system\LQxAHjp.exe

MD5 3e99e829806316df677524f6f2cb1c2f
SHA1 1a4fa92e80ac8735d885599ceb8fd8f200e0cdca
SHA256 5f9ce6324bd95d58ba15f38364e9b288d5a36f2036a2da8732bec1dc7637e3f5
SHA512 545fcbc9cf05af7d22e16935b676e9b4dc4624adb5f94e4317472be2eee86f67ea3f74923459d9250468bd44918801c92d2ae5f7c47cbdd275b284fccbb68beb

memory/2688-94-0x000000013FCE0000-0x0000000140031000-memory.dmp

C:\Windows\system\YtTcvuA.exe

MD5 c20626b1a915d3ad3ac725d7ed1cd205
SHA1 ac2ee15b6a82486952aabadb197522aa8526e703
SHA256 3d76e289e69ee6242590aba78e251990ce53a66aeea831da1b89f9ef9268a61d
SHA512 815456445e3b85857c59f20fd9b1993580043b0062e8cc78fd1b40e0317c9289752a2602ebf520ad8aa6408c7f0db56ee65d03c55cace0bc062c301ab4cb88e7

memory/2664-91-0x000000013FE60000-0x00000001401B1000-memory.dmp

C:\Windows\system\JmgVCIv.exe

MD5 049d85702ddb746a35799c911da70d9d
SHA1 8bf8d381a54b077153987e357c082c3d75eeb9e1
SHA256 4219696a6752f4ad3413ed213e6114cb5dc741a9d6e4420dd4e869170db3fac4
SHA512 f6d20e71dc61bbad45ccfc3f62ab6e83f4a3b8808817a0c263a78bb351e912cca2395e88f4875c92796b377fdd9ffb3d3ba58701d34ebc4f466717c1deb27420

memory/1968-88-0x0000000002180000-0x00000000024D1000-memory.dmp

\Windows\system\JdFjhDA.exe

MD5 46f7bf0ff5da9577006a1d11fbf4644b
SHA1 8445fd824b8fa4ba01732553b9baa62548cb79e3
SHA256 a6c9ae09752e266a0076e34a42f6cd52053e1fe8e6e2053f489f36512349a02e
SHA512 8d143dd05bdd1533b064e1f201d62c216bd0e0301ba8082480b9ee32a569e0ca29299cfc1899dee6a305b675f7b2663009792896337949fad47356ce16c6a2ec

memory/2964-86-0x000000013F060000-0x000000013F3B1000-memory.dmp

memory/2120-85-0x000000013FA10000-0x000000013FD61000-memory.dmp

memory/1968-84-0x0000000002180000-0x00000000024D1000-memory.dmp

memory/1968-70-0x000000013F5F0000-0x000000013F941000-memory.dmp

memory/2772-54-0x000000013F3B0000-0x000000013F701000-memory.dmp

C:\Windows\system\sADGxsH.exe

MD5 c20f5c028076bdc065142eeb5d8862aa
SHA1 9b9ecf8d14c0b048a73dc17e8aedf434ef796c80
SHA256 bddce79b201d387637c15e1ce43c7c75db4e97c56b21c31b087567a181ed639f
SHA512 765120eb464b81e1999eb8b25ea65341176859f8c48c2f26810ea457a1e52f610f34228ce28b865fae85beba443830c5c4b6de7d3accdef6e6202ea83095ca98

memory/1968-35-0x0000000002180000-0x00000000024D1000-memory.dmp

memory/1968-78-0x000000013FE60000-0x00000001401B1000-memory.dmp

memory/1968-76-0x0000000002180000-0x00000000024D1000-memory.dmp

memory/1968-73-0x000000013F3B0000-0x000000013F701000-memory.dmp

memory/2824-67-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

memory/2896-25-0x000000013F520000-0x000000013F871000-memory.dmp

memory/3068-66-0x000000013FD00000-0x0000000140051000-memory.dmp

memory/1968-65-0x0000000002180000-0x00000000024D1000-memory.dmp

memory/2616-62-0x000000013F5F0000-0x000000013F941000-memory.dmp

C:\Windows\system\PcIdIhp.exe

MD5 8d88d7b07f2b3a5c3e8414c1ab6a713d
SHA1 12c3629a0643fc0cb57aea7bef2999fc21b9139e
SHA256 9259205d84b46b078358bf643401046a15c0f9dde8f9fb615ab1d92332a79249
SHA512 5a9c6da4a15314ee2c05cdf6206c0c8326731904e42949b39009452f6e2270e1fcb43f08c49223b96e2abd1104203dc461c713aae45d16a7f9ba981120adde84

memory/2748-58-0x000000013FC20000-0x000000013FF71000-memory.dmp

memory/1968-98-0x000000013FA30000-0x000000013FD81000-memory.dmp

memory/1968-18-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

C:\Windows\system\hMURsjR.exe

MD5 882c63efaf95ca4f6be1a5fc10700ab4
SHA1 e2bd5282a9e747ef518d14887636fd276f466e43
SHA256 80a2efce25a34457eac79c7d64cfb73a0467be32813cb7470ca01bb8186ac1ac
SHA512 04bf54f7f5c0c2190935a6f835a6e778668a06c26f3a2a598a2b0884f47fdd4a5002d59db3929c8b4d533d38e7a4e80ce197d77626b263b157952b978f845230

C:\Windows\system\KXdgDRz.exe

MD5 563c55cba0376deb462f7c873ec79ba9
SHA1 84a2a2a1bc3ef5ecdc4d454b8c0ecaf7bf55b942
SHA256 559573e20150619076ace539c86da9b230a17bf78945fa7d508b73ad2e13aff6
SHA512 337d42338aa39a79084e266b77daf02d4a92249eb2f80d4b1805678bd09db2b610d7e8a4747d398283dfec751a177269535728763437e5e8dff9605a445947ac

memory/2896-99-0x000000013F520000-0x000000013F871000-memory.dmp

\Windows\system\iEotxIi.exe

MD5 21d8c87d83e1a653c0c94b2434b522de
SHA1 b2b7a5044d237905a13c69cc04fae929b1a79b84
SHA256 4de9e1d44b425dd67e0ecc58a0fade26d260d217e68cac9a6c23215acd94b4dd
SHA512 fd88675cc0f23fbb0d143d85e3e4950b831cdb9e600fabd8ab9991165bb5b5c2ae169db5dd866978a2aafd964d4816f4d237ce7b2fbdb1afb529fb25556d33e3

C:\Windows\system\GwwQulG.exe

MD5 455436a85947a66a5f7ef66bbc570d67
SHA1 084a4b3b26e03da61c4acab46187ef028d60430d
SHA256 074ac376199bcc0cff2074da7798bb2c17524a219dc18752128bea9d269d64f8
SHA512 63f5ff8fad567e08e4666731bc21702265d5f35d965e55ceeda3ef36dac9e75156eb018a73845aa1a6e3beda6655f6fc046ec6adf89b7568c474879f6a4dbcf4

C:\Windows\system\hVXQnqR.exe

MD5 9032e2784273d4a81d1ac429d754e0ca
SHA1 58bf0e67f9cddc7d5169014abd6e2805eaa93ea3
SHA256 3375be35685c5b14c0c57067ca27c665a9baceba416ee4c1ac4a421dd2d517d4
SHA512 c5fc3e019bb1435aaf53e1207ea228fb5331031866b44bc0b12f47d2a880c53917e4a511daa5731755aaee82762e73d8ce4f22024e7cc5b5b357a5293d008f5c

\Windows\system\llwSedC.exe

MD5 cf84e9a2392a391da6478752da4ba42c
SHA1 c497922988774e038d1d465b891018984d24262c
SHA256 7cebd7a6ce091a4e67e7158ea27edd49d761192982c548b3425f7db623f77257
SHA512 36dc68310daaa87d076202fe4ae39c9eb8e80dfdf7475816173cb880ce6097c98cf05490f22e91c475940cfd782c199ef47c3c82215683b496fab2f1f8f6da7d

C:\Windows\system\RJSWJwb.exe

MD5 e4124fded732031a7a316d7337d22b7e
SHA1 dd63d12d47029e4ed2261b1f79c9f16b78aac39b
SHA256 8e79f664c1cbfc9211b3408ee6009383999e545c7bd437a1f4f5da3a184d397e
SHA512 fb231f367d1b915495a55c7674186e0e606d76e81e09c366f9aac366e20de201c1ca47769971d63b7db6a821f12738a69493e5855f87554bd588f197dcc79846

C:\Windows\system\XTikjmu.exe

MD5 fb8d4cd2022143d049b6fe1247981ff9
SHA1 d4cdb874b6779db585fc15b844c8c343204d9346
SHA256 bd1f8b13a3836ba248406a2dffb5f258bc407cbaf8ea614d039e609bd4a8f200
SHA512 a03e64abbe6f72e7255b2267f28c8d4614337fa6b93215114a37fe9bcf01b7d758d83c7288990a161c743990fc88567496bc601e07de857f6350e5db05cfa708

memory/2336-134-0x000000013F0B0000-0x000000013F401000-memory.dmp

memory/2772-135-0x000000013F3B0000-0x000000013F701000-memory.dmp

memory/1968-136-0x000000013FA30000-0x000000013FD81000-memory.dmp

memory/2664-145-0x000000013FE60000-0x00000001401B1000-memory.dmp

memory/2964-143-0x000000013F060000-0x000000013F3B1000-memory.dmp

memory/1228-149-0x000000013FAF0000-0x000000013FE41000-memory.dmp

memory/1968-151-0x0000000002180000-0x00000000024D1000-memory.dmp

memory/2076-152-0x000000013F720000-0x000000013FA71000-memory.dmp

memory/2920-155-0x000000013F280000-0x000000013F5D1000-memory.dmp

memory/1292-158-0x000000013F870000-0x000000013FBC1000-memory.dmp

memory/1720-157-0x000000013FAD0000-0x000000013FE21000-memory.dmp

memory/2800-156-0x000000013FD90000-0x00000001400E1000-memory.dmp

memory/1484-154-0x000000013F650000-0x000000013F9A1000-memory.dmp

memory/2160-153-0x000000013F0F0000-0x000000013F441000-memory.dmp

memory/1968-159-0x000000013FA30000-0x000000013FD81000-memory.dmp

memory/2336-204-0x000000013F0B0000-0x000000013F401000-memory.dmp

memory/2824-206-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

memory/2896-208-0x000000013F520000-0x000000013F871000-memory.dmp

memory/2736-210-0x000000013F840000-0x000000013FB91000-memory.dmp

memory/2772-226-0x000000013F3B0000-0x000000013F701000-memory.dmp

memory/2748-219-0x000000013FC20000-0x000000013FF71000-memory.dmp

memory/2624-230-0x000000013F5F0000-0x000000013F941000-memory.dmp

memory/2616-232-0x000000013F5F0000-0x000000013F941000-memory.dmp

memory/3068-228-0x000000013FD00000-0x0000000140051000-memory.dmp

memory/2120-234-0x000000013FA10000-0x000000013FD61000-memory.dmp

memory/2964-236-0x000000013F060000-0x000000013F3B1000-memory.dmp

memory/2688-238-0x000000013FCE0000-0x0000000140031000-memory.dmp

memory/1228-240-0x000000013FAF0000-0x000000013FE41000-memory.dmp

memory/2664-242-0x000000013FE60000-0x00000001401B1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 11:55

Reported

2024-08-13 11:57

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\apyaQgd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fGXgFAo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LXYliax.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LPWPaMQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IDDwBuU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HJJMvgB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IJpgkRc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fATtFhn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SCPceJq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VgeuqhL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iMqHrxL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kSRnNBG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CFzAihv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SYOMjob.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pqXHVFb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YufDuvu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bDZlRlS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CmCJAyh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OjaYdFO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OxNljGq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uShuLZb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1676 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OjaYdFO.exe
PID 1676 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OjaYdFO.exe
PID 1676 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fGXgFAo.exe
PID 1676 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fGXgFAo.exe
PID 1676 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IDDwBuU.exe
PID 1676 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IDDwBuU.exe
PID 1676 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kSRnNBG.exe
PID 1676 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kSRnNBG.exe
PID 1676 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OxNljGq.exe
PID 1676 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OxNljGq.exe
PID 1676 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uShuLZb.exe
PID 1676 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uShuLZb.exe
PID 1676 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pqXHVFb.exe
PID 1676 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pqXHVFb.exe
PID 1676 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YufDuvu.exe
PID 1676 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YufDuvu.exe
PID 1676 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LXYliax.exe
PID 1676 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LXYliax.exe
PID 1676 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bDZlRlS.exe
PID 1676 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bDZlRlS.exe
PID 1676 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CFzAihv.exe
PID 1676 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CFzAihv.exe
PID 1676 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LPWPaMQ.exe
PID 1676 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LPWPaMQ.exe
PID 1676 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SYOMjob.exe
PID 1676 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SYOMjob.exe
PID 1676 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HJJMvgB.exe
PID 1676 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HJJMvgB.exe
PID 1676 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IJpgkRc.exe
PID 1676 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IJpgkRc.exe
PID 1676 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\apyaQgd.exe
PID 1676 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\apyaQgd.exe
PID 1676 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CmCJAyh.exe
PID 1676 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CmCJAyh.exe
PID 1676 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fATtFhn.exe
PID 1676 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fATtFhn.exe
PID 1676 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SCPceJq.exe
PID 1676 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SCPceJq.exe
PID 1676 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VgeuqhL.exe
PID 1676 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VgeuqhL.exe
PID 1676 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iMqHrxL.exe
PID 1676 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iMqHrxL.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\OjaYdFO.exe

C:\Windows\System\OjaYdFO.exe

C:\Windows\System\fGXgFAo.exe

C:\Windows\System\fGXgFAo.exe

C:\Windows\System\IDDwBuU.exe

C:\Windows\System\IDDwBuU.exe

C:\Windows\System\kSRnNBG.exe

C:\Windows\System\kSRnNBG.exe

C:\Windows\System\OxNljGq.exe

C:\Windows\System\OxNljGq.exe

C:\Windows\System\uShuLZb.exe

C:\Windows\System\uShuLZb.exe

C:\Windows\System\pqXHVFb.exe

C:\Windows\System\pqXHVFb.exe

C:\Windows\System\YufDuvu.exe

C:\Windows\System\YufDuvu.exe

C:\Windows\System\LXYliax.exe

C:\Windows\System\LXYliax.exe

C:\Windows\System\bDZlRlS.exe

C:\Windows\System\bDZlRlS.exe

C:\Windows\System\CFzAihv.exe

C:\Windows\System\CFzAihv.exe

C:\Windows\System\LPWPaMQ.exe

C:\Windows\System\LPWPaMQ.exe

C:\Windows\System\SYOMjob.exe

C:\Windows\System\SYOMjob.exe

C:\Windows\System\HJJMvgB.exe

C:\Windows\System\HJJMvgB.exe

C:\Windows\System\IJpgkRc.exe

C:\Windows\System\IJpgkRc.exe

C:\Windows\System\apyaQgd.exe

C:\Windows\System\apyaQgd.exe

C:\Windows\System\CmCJAyh.exe

C:\Windows\System\CmCJAyh.exe

C:\Windows\System\fATtFhn.exe

C:\Windows\System\fATtFhn.exe

C:\Windows\System\SCPceJq.exe

C:\Windows\System\SCPceJq.exe

C:\Windows\System\VgeuqhL.exe

C:\Windows\System\VgeuqhL.exe

C:\Windows\System\iMqHrxL.exe

C:\Windows\System\iMqHrxL.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1676-0-0x00007FF6F1F90000-0x00007FF6F22E1000-memory.dmp

memory/1676-1-0x0000029B87930000-0x0000029B87940000-memory.dmp

C:\Windows\System\OjaYdFO.exe

MD5 cdfe6b2e432d9c1a0bbf2f6a228f93f1
SHA1 f0d4a1b5ad0e9c773b4436ceefc6471294427c21
SHA256 ad612d41bd10df60463a9800787b34821bc78744787b1f6c24c10c2257bb7b82
SHA512 9e903ba2b6e76dbfa684a8ffe8c7d1bca6957cc7422f31f19a6edb7fdeb5c6f8c2c052e14e92a54c67d4a9ae6e23326534052f7624dc319302f4b38d83e31389

memory/3808-7-0x00007FF69E100000-0x00007FF69E451000-memory.dmp

C:\Windows\System\IDDwBuU.exe

MD5 dbeaa316fedf1a4d60c5715aa5468d36
SHA1 ab72a88833166a1966068c3adf978d02f514c87f
SHA256 baa2c6474fdb682a467018cef659ff4276dc8480d1426f873244118625fbf31b
SHA512 19e1497dd66f5bec196d45a3663ca8954999417f9e9cfdbe3fadb95f0f79b84dfdbd06ecc874b4b875eb34b3ba119f8f5fdbf4d159ac85e11c3590e6439c4d28

C:\Windows\System\fGXgFAo.exe

MD5 8ef24090b7dd3ee81d1edd7d01b1f707
SHA1 51db7492fe444834c05238172cdcdbfa4570157a
SHA256 53193870216154cf65b6f5cbd422ba2ebf0378703df340240e05504240ca6f6d
SHA512 42cd47a1f167a7b16c50f837046bc181bede5d3ff37a032f34a7ca4726a6487a1cdd5a793a8ee95fddb46a9e61f1f6ddb44624fa728af3742ee8d86818afd900

memory/4344-13-0x00007FF6AD1B0000-0x00007FF6AD501000-memory.dmp

memory/2760-20-0x00007FF78ED40000-0x00007FF78F091000-memory.dmp

C:\Windows\System\kSRnNBG.exe

MD5 f9ce7edc9e292f2e24233bb036eb39b2
SHA1 8bd5dd086a7797e475392f2dafb7064b0295f57b
SHA256 2eba3902f4c1144d275ade8347a2ae96ca7dcdc5e96a78c56e6d132c8d06c5eb
SHA512 4f0ed1e17e1f1613f9af62dd7230d12c24df85b134151f421af87d021604bc8cd0b1e1be61109ae382ee897220bfa59a2c1686672e48d3e74842fd8f8ae4be51

memory/3096-26-0x00007FF721B90000-0x00007FF721EE1000-memory.dmp

C:\Windows\System\OxNljGq.exe

MD5 3bdd69ba3ed76617ce3fe6faa3c0a34a
SHA1 4c5782abeddebfd298a693b614b0be2ab7346fa3
SHA256 3966cde1d16da12f93c0d733f35ac5b93940929cc519929fb48be960896f35b3
SHA512 60d2ad4ed82a4482d10e13c6e5379b90a69804ebadb29b844d698ffc2faa57a6924da403b06f0af689cde35a8a84e46e59776a7cb11d6c792c92016d7d4dcb9e

C:\Windows\System\uShuLZb.exe

MD5 625ff0a8d6dc96fce2592fa102807057
SHA1 cc04172b34b51e4bae1d9c04fa1ebdda01f9170f
SHA256 d1b4d8924bf40b1f683c25caefeb077d01c5a82e05acc4c6db9d78d20120c824
SHA512 73b1c001a1cc9dc020399be3c2d038508c79493a5b67c7e3aa0a10f45b6f9ebaff70f062a63aa6d5353ed8860d1c2b43fd713fe608f0ab1cbbb890b3189c3f73

memory/3376-32-0x00007FF708080000-0x00007FF7083D1000-memory.dmp

memory/4604-39-0x00007FF7C04E0000-0x00007FF7C0831000-memory.dmp

C:\Windows\System\pqXHVFb.exe

MD5 c637480e8f18a756cee4fbb30f45c854
SHA1 6d50b2bf4a0ffdce3c17207cdeb0afc9b42167e3
SHA256 0816340da5322867542a6fbbb297cee9cd45089e59604c72ec46224d8f59f3e8
SHA512 b8086e9911b7efec5cd43239ca0e789047cd4d4f7db395764edf50229597197cd0e3181bf84ce4bdfd96e4aef98585d7b47fa8b1603c825118659e06b41f0fa1

memory/1364-44-0x00007FF69EF50000-0x00007FF69F2A1000-memory.dmp

C:\Windows\System\YufDuvu.exe

MD5 a623d9488a52d7b47d2fdae82fe8bff0
SHA1 79e0663fd7e812ce44b47b4b93d8db4021c6f35e
SHA256 35c0a5bca86fafdfc514fa7abd23c1475d1fb5b4e4951440ef0865884395284f
SHA512 45e016eda9b7424a66097eeddea17952eb7651e28203ca951aba5a655076ac91f463fb69424ac4591fa08a8ca02d226f7ec5bfd28fcf561955932b74f1121b2a

C:\Windows\System\bDZlRlS.exe

MD5 1447766fc7d10d8eff880eb16877e3b1
SHA1 79a720bccaca25491d8dfe6951b28ff5c5a70724
SHA256 cd74f8ae16a5348d7ed6ec39e9ba2920130de07508cd70e471484efc19f8ec87
SHA512 b118a7368c1957e2d5f66b4033e88fa97320291c47ee0bca219ceb5e197a92d7916ee3d5074c8f163a36654c7c977c555db741fc8a85033db5d932531c2e9129

C:\Windows\System\CFzAihv.exe

MD5 e711f619fdef3a5b41b147bb62a03f6f
SHA1 caea1becbbe89e1a75a51dfb110c84490c08fce6
SHA256 3e4048bf815019c6a060863e3fbf8686a226d38d63c0e02618f07b68a32fbd91
SHA512 bcdd6d7ef3b2bc4660ebef4ef25082aa7958ba7f121ec7b7b598e78ed2571bca18bc3fbd96f1e1363e50e32d193e6ac4f69990ff6b9d49be7890f749b1f78a03

memory/556-73-0x00007FF76CDF0000-0x00007FF76D141000-memory.dmp

memory/4288-81-0x00007FF7AA2E0000-0x00007FF7AA631000-memory.dmp

memory/1676-86-0x00007FF6F1F90000-0x00007FF6F22E1000-memory.dmp

memory/5000-88-0x00007FF763FF0000-0x00007FF764341000-memory.dmp

memory/1976-98-0x00007FF695290000-0x00007FF6955E1000-memory.dmp

memory/4996-104-0x00007FF6E1C80000-0x00007FF6E1FD1000-memory.dmp

C:\Windows\System\CmCJAyh.exe

MD5 38e183b70f4ca53783f108bd10575882
SHA1 a3d2cbad784cd65995b056bea59a47aff46a4508
SHA256 de01ed5a6e110e399fe27792efe306b14c3d16908390431c91c5e4eb8ff65d7b
SHA512 96c72b8e02ed73e36e05b83e69a3231f35a10c81326d817fe0c4ae859a006329bea102ff4f3bf1faa575ddbbca2e6c55ab666c287d16282008afec0bbadc84c1

C:\Windows\System\fATtFhn.exe

MD5 eb789def46ba84fbcb2132d0eac53d9d
SHA1 0bcfbc7bef7e03ae3deed1b2f433c00c2a335894
SHA256 878ec7117a1108558a240a54b471d5186ead4058d938cd469cd1d8cbdbacc1ca
SHA512 b989d475f50f81ac06b0d7c1de5b52311965fae8c89159d8ed611ddfaca1b99e866f3094f37c5127e720ad22fc04bfd8e248a61b1f5e180f3ebd0cd6cfedfdb1

C:\Windows\System\apyaQgd.exe

MD5 5444f528cc3772f42c0999b193e80476
SHA1 5fa24719b780f93ec1cf8cb12b2fe0dde4d8d099
SHA256 aaaabe86c259e73d1be4959fe7a0c258c2d6e4d449f7607481d4dc5d2c1365ee
SHA512 241ea84c23c60273021f8f94405ac93871d7292326debcb2d1ad03069f840e5a9899e108ff8b24c37ed070b150f4f21dcd073d583886c12119e782c99741ef23

memory/2036-107-0x00007FF6DE320000-0x00007FF6DE671000-memory.dmp

memory/4344-106-0x00007FF6AD1B0000-0x00007FF6AD501000-memory.dmp

memory/1252-105-0x00007FF68C860000-0x00007FF68CBB1000-memory.dmp

memory/3808-101-0x00007FF69E100000-0x00007FF69E451000-memory.dmp

C:\Windows\System\HJJMvgB.exe

MD5 dc0c2bd443900be383c1975e9e976981
SHA1 a9e703cd5191f7125649158f2682210a56dc799b
SHA256 75d306861ac387f94fe9f5154cf12ba03d437de417b953365304cc4ec7c48446
SHA512 bb6dab9a3f706abc10347d95880c63beda4cfddaa04cd1444fe1ea66d1cb64020093888fe6f84584d4fdb5fd05ec7cae38be41cbb87f7de0e58f3de54d1c3585

C:\Windows\System\IJpgkRc.exe

MD5 661644c8dc853161f43a45e341c1eee0
SHA1 dabfa52d8e19ce3ddb28753deaa9541e9320e93a
SHA256 18573e901f30715e04b6e661eb069f979ba3f4c550edd7bb852d2ae858df2a79
SHA512 9991f92bf8ce0aa4471e31bd7ed7a6ee14aebea0d0188276a688c09442a268c02cc15a27eac88a5dd1e372d83450e4164681528281085ed7fbaf5e1d3e32f8bf

memory/4552-85-0x00007FF604750000-0x00007FF604AA1000-memory.dmp

C:\Windows\System\SYOMjob.exe

MD5 27c567f6df177c657c6a6d03c4a95a93
SHA1 cba585a8ce8050050d86bfbe8b8100641e52f510
SHA256 a9418c10a642be62a764f4e1241f9154900371ea63985fb6769704b3bd41823f
SHA512 723a65fb5f4f2052cca5e38ebdb8969b09f88cde8ee6451b3d6be770f280819a0fe47c5d72b379e822d20124523c82e136b718afe95908f5a12ebb4529a7fb10

C:\Windows\System\LPWPaMQ.exe

MD5 1dfb0d6a38c11af8d9f297888c879754
SHA1 2822709815f0d8e05b60b0be925d758e89441037
SHA256 52820669d3902c47e1d5145c896f3ba78da5a6662d4e3c1700309371cc1ebf70
SHA512 6879877200f0079153f8e8de2bcc903d2e760d4177cca5fee63874d39341539f348e684e226957cc0424c41ac13c1ce0a649a2bf3132e6f6eb13146a43b9dd15

memory/4188-76-0x00007FF7F5B60000-0x00007FF7F5EB1000-memory.dmp

memory/2892-66-0x00007FF64B0C0000-0x00007FF64B411000-memory.dmp

memory/2384-60-0x00007FF71A640000-0x00007FF71A991000-memory.dmp

C:\Windows\System\LXYliax.exe

MD5 96a16ec19975ad26faada47325ca96f8
SHA1 6e8eb600f4acde53a1a30b445d71126c99a83807
SHA256 5f9d12e7195dbcbb9427f5abb2cf5d4dde025aedc657035616f6481066fab1b7
SHA512 1ed0bf590549b8cf3a6d35aad26cd1fe3a0ef35a1d5e5b94eb2a17bea92de9d3d3bf53134f2931bcd3a70f3ab36da0934bf84574f0d149b79a7091b4e8e559a7

C:\Windows\System\SCPceJq.exe

MD5 c3930d16bfdf353f0a1d9a321265c3c5
SHA1 c634cac81ed1ecff2bd65e8445ccf65dc1d0c128
SHA256 9eead261b696e8a17dd47bf469ac7df053206980497b2a5b115041be4b894923
SHA512 f7bb4c99e8f5eab8c91837d0441a2f12fa35f001bddea8769dbf05d667347cf1c031ebfd506ef2a83d66978eddd2470c631f19d40b986dd77190db410399a1d4

memory/2760-119-0x00007FF78ED40000-0x00007FF78F091000-memory.dmp

C:\Windows\System\VgeuqhL.exe

MD5 55879d4b2ac3beff988d62204dbd9a51
SHA1 6824e4feded9dede7fde16cbb5a484117d737223
SHA256 a44369712c4df46291ae06d3f939ef16ad62b0e26fe61cbccb00d410f9724c0f
SHA512 a70dc8b2de6ef436d9845c9e879161a31033cb0c5c75caa77ecf3af26e837181fb7690e374ea82e3f275f62e56ca5384f81c13fe6de9fece1fa9a9113232e608

memory/432-129-0x00007FF708570000-0x00007FF7088C1000-memory.dmp

memory/4084-131-0x00007FF6E9FF0000-0x00007FF6EA341000-memory.dmp

C:\Windows\System\iMqHrxL.exe

MD5 c9eaa73046fdc804d553eed4e451c6ca
SHA1 768aac529ab6cd2350ffb3cf36752cbd99461950
SHA256 b90cab30e2959af10de5e3a68fb7f075114f2fbd31564a938c5b0f836f343e0d
SHA512 981df3e5f2ae01bad63c59b1b36a9f0f6718cd40b63f6650c50418b05c529af5339185a784cc27e8cb1e0698510227813d2e596acc288831bf440a5535269aed

memory/3376-127-0x00007FF708080000-0x00007FF7083D1000-memory.dmp

memory/4300-121-0x00007FF639280000-0x00007FF6395D1000-memory.dmp

memory/1676-133-0x00007FF6F1F90000-0x00007FF6F22E1000-memory.dmp

memory/4188-146-0x00007FF7F5B60000-0x00007FF7F5EB1000-memory.dmp

memory/5000-147-0x00007FF763FF0000-0x00007FF764341000-memory.dmp

memory/4552-145-0x00007FF604750000-0x00007FF604AA1000-memory.dmp

memory/556-143-0x00007FF76CDF0000-0x00007FF76D141000-memory.dmp

memory/4996-149-0x00007FF6E1C80000-0x00007FF6E1FD1000-memory.dmp

memory/1976-148-0x00007FF695290000-0x00007FF6955E1000-memory.dmp

memory/1252-151-0x00007FF68C860000-0x00007FF68CBB1000-memory.dmp

memory/2036-150-0x00007FF6DE320000-0x00007FF6DE671000-memory.dmp

memory/4084-154-0x00007FF6E9FF0000-0x00007FF6EA341000-memory.dmp

memory/1676-155-0x00007FF6F1F90000-0x00007FF6F22E1000-memory.dmp

memory/3808-205-0x00007FF69E100000-0x00007FF69E451000-memory.dmp

memory/4344-207-0x00007FF6AD1B0000-0x00007FF6AD501000-memory.dmp

memory/2760-209-0x00007FF78ED40000-0x00007FF78F091000-memory.dmp

memory/3096-211-0x00007FF721B90000-0x00007FF721EE1000-memory.dmp

memory/3376-213-0x00007FF708080000-0x00007FF7083D1000-memory.dmp

memory/4604-215-0x00007FF7C04E0000-0x00007FF7C0831000-memory.dmp

memory/1364-217-0x00007FF69EF50000-0x00007FF69F2A1000-memory.dmp

memory/2384-219-0x00007FF71A640000-0x00007FF71A991000-memory.dmp

memory/2892-221-0x00007FF64B0C0000-0x00007FF64B411000-memory.dmp

memory/4288-223-0x00007FF7AA2E0000-0x00007FF7AA631000-memory.dmp

memory/556-225-0x00007FF76CDF0000-0x00007FF76D141000-memory.dmp

memory/4188-227-0x00007FF7F5B60000-0x00007FF7F5EB1000-memory.dmp

memory/4552-236-0x00007FF604750000-0x00007FF604AA1000-memory.dmp

memory/1976-238-0x00007FF695290000-0x00007FF6955E1000-memory.dmp

memory/5000-240-0x00007FF763FF0000-0x00007FF764341000-memory.dmp

memory/4996-242-0x00007FF6E1C80000-0x00007FF6E1FD1000-memory.dmp

memory/2036-244-0x00007FF6DE320000-0x00007FF6DE671000-memory.dmp

memory/1252-246-0x00007FF68C860000-0x00007FF68CBB1000-memory.dmp

memory/4300-250-0x00007FF639280000-0x00007FF6395D1000-memory.dmp

memory/432-252-0x00007FF708570000-0x00007FF7088C1000-memory.dmp

memory/4084-254-0x00007FF6E9FF0000-0x00007FF6EA341000-memory.dmp