Malware Analysis Report

2025-03-15 08:03

Sample ID 240813-n4physwhpk
Target 2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat
SHA256 86d45530a1be1dc8460e81ea7210484b464b44cf3d13e9ea7f91256655583d25
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

86d45530a1be1dc8460e81ea7210484b464b44cf3d13e9ea7f91256655583d25

Threat Level: Known bad

The file 2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike

Cobaltstrike family

XMRig Miner payload

Xmrig family

xmrig

Cobalt Strike reflective loader

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-13 11:57

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 11:57

Reported

2024-08-13 11:59

Platform

win7-20240704-en

Max time kernel

140s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\YvIpkUr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bqNnbEG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oHDwbaz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TLDDgLY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eSCUahq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IicdiXE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WNJSYLd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dpwLGKT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GerZKib.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OWgltwu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qvSrBEU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cmnuYoX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rkFPlqb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CCmkdRY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\thGkFMU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\quXMtmf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sWBuCMw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oDMqSBO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iQTjLMH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JerpdmK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XMBzkYc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2224 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XMBzkYc.exe
PID 2224 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XMBzkYc.exe
PID 2224 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XMBzkYc.exe
PID 2224 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qvSrBEU.exe
PID 2224 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qvSrBEU.exe
PID 2224 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qvSrBEU.exe
PID 2224 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sWBuCMw.exe
PID 2224 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sWBuCMw.exe
PID 2224 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sWBuCMw.exe
PID 2224 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\quXMtmf.exe
PID 2224 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\quXMtmf.exe
PID 2224 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\quXMtmf.exe
PID 2224 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oDMqSBO.exe
PID 2224 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oDMqSBO.exe
PID 2224 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oDMqSBO.exe
PID 2224 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cmnuYoX.exe
PID 2224 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cmnuYoX.exe
PID 2224 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cmnuYoX.exe
PID 2224 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rkFPlqb.exe
PID 2224 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rkFPlqb.exe
PID 2224 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rkFPlqb.exe
PID 2224 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CCmkdRY.exe
PID 2224 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CCmkdRY.exe
PID 2224 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CCmkdRY.exe
PID 2224 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IicdiXE.exe
PID 2224 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IicdiXE.exe
PID 2224 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IicdiXE.exe
PID 2224 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eSCUahq.exe
PID 2224 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eSCUahq.exe
PID 2224 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eSCUahq.exe
PID 2224 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YvIpkUr.exe
PID 2224 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YvIpkUr.exe
PID 2224 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YvIpkUr.exe
PID 2224 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bqNnbEG.exe
PID 2224 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bqNnbEG.exe
PID 2224 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bqNnbEG.exe
PID 2224 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WNJSYLd.exe
PID 2224 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WNJSYLd.exe
PID 2224 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WNJSYLd.exe
PID 2224 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\thGkFMU.exe
PID 2224 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\thGkFMU.exe
PID 2224 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\thGkFMU.exe
PID 2224 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iQTjLMH.exe
PID 2224 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iQTjLMH.exe
PID 2224 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iQTjLMH.exe
PID 2224 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dpwLGKT.exe
PID 2224 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dpwLGKT.exe
PID 2224 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dpwLGKT.exe
PID 2224 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JerpdmK.exe
PID 2224 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JerpdmK.exe
PID 2224 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JerpdmK.exe
PID 2224 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oHDwbaz.exe
PID 2224 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oHDwbaz.exe
PID 2224 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oHDwbaz.exe
PID 2224 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GerZKib.exe
PID 2224 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GerZKib.exe
PID 2224 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GerZKib.exe
PID 2224 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OWgltwu.exe
PID 2224 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OWgltwu.exe
PID 2224 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OWgltwu.exe
PID 2224 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TLDDgLY.exe
PID 2224 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TLDDgLY.exe
PID 2224 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TLDDgLY.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\XMBzkYc.exe

C:\Windows\System\XMBzkYc.exe

C:\Windows\System\qvSrBEU.exe

C:\Windows\System\qvSrBEU.exe

C:\Windows\System\sWBuCMw.exe

C:\Windows\System\sWBuCMw.exe

C:\Windows\System\quXMtmf.exe

C:\Windows\System\quXMtmf.exe

C:\Windows\System\oDMqSBO.exe

C:\Windows\System\oDMqSBO.exe

C:\Windows\System\cmnuYoX.exe

C:\Windows\System\cmnuYoX.exe

C:\Windows\System\rkFPlqb.exe

C:\Windows\System\rkFPlqb.exe

C:\Windows\System\CCmkdRY.exe

C:\Windows\System\CCmkdRY.exe

C:\Windows\System\IicdiXE.exe

C:\Windows\System\IicdiXE.exe

C:\Windows\System\eSCUahq.exe

C:\Windows\System\eSCUahq.exe

C:\Windows\System\YvIpkUr.exe

C:\Windows\System\YvIpkUr.exe

C:\Windows\System\bqNnbEG.exe

C:\Windows\System\bqNnbEG.exe

C:\Windows\System\WNJSYLd.exe

C:\Windows\System\WNJSYLd.exe

C:\Windows\System\thGkFMU.exe

C:\Windows\System\thGkFMU.exe

C:\Windows\System\iQTjLMH.exe

C:\Windows\System\iQTjLMH.exe

C:\Windows\System\dpwLGKT.exe

C:\Windows\System\dpwLGKT.exe

C:\Windows\System\JerpdmK.exe

C:\Windows\System\JerpdmK.exe

C:\Windows\System\oHDwbaz.exe

C:\Windows\System\oHDwbaz.exe

C:\Windows\System\GerZKib.exe

C:\Windows\System\GerZKib.exe

C:\Windows\System\OWgltwu.exe

C:\Windows\System\OWgltwu.exe

C:\Windows\System\TLDDgLY.exe

C:\Windows\System\TLDDgLY.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2224-0-0x000000013F060000-0x000000013F3B1000-memory.dmp

memory/2224-1-0x0000000000200000-0x0000000000210000-memory.dmp

\Windows\system\XMBzkYc.exe

MD5 a21c201e74edc1b56f46ce552d13b573
SHA1 44403174dbb6c880f6cda57e17311da4a65d6cbf
SHA256 b561c1e228deb22ec8e33e1511c55e704c630730882e3645e5d3cfb01b4e4795
SHA512 a97e419449e8c7173c44d0773fc13848df0800c6cd244f052a5098d118e55662a847f98f6314b37aa42cf9dd3144cbc21cfc4444aeafe70c67448fc59d126718

\Windows\system\sWBuCMw.exe

MD5 2e12a818a83d987ad35d6f1d1883104d
SHA1 d4783676179957eab87e0a3a1fc41a46e39ff51b
SHA256 de5a83e4365bbf3d984d75c8886a81976b5884cedffc6b2d70b80359966d11c9
SHA512 1de7f7b52e281ffa0d65e23a7d21a9f53e3e4a9efe514a46f4e1ff21c8230eaa6a7bc932ea1ac175a2e7e87f344cbb4bb5c524f811c6203811ff29773d2fc6d7

C:\Windows\system\qvSrBEU.exe

MD5 1d5cedb9690fb85892481ed781636993
SHA1 61596104535e0b16b9f40c1fb3b285101d1be9f1
SHA256 b749627373167fbeba2c77c28f8c323f8518c730e868b90bd153465280b5eb63
SHA512 c6f298171533b7b02d79ca75fcb441028b89d01fdd4823785bf302dd1ec2a95124d8680ce9d98c0afbdeac9a8be86b40844432b710b18118fc6fa1586afd0288

memory/2224-117-0x000000013F540000-0x000000013F891000-memory.dmp

C:\Windows\system\dpwLGKT.exe

MD5 56869f078350edaff2e9fc3aa0ea2b05
SHA1 2650f8e91aa4b07254f954c0a86781770d9f9a31
SHA256 2198c63790c28ec4a620643eb33c5d651218240623498ca188105e4a0e44fdbc
SHA512 e17cafcf1659aa58bea9a814ff25d2e90b1bb17a9a66c6dbd332acf5c586d66efb49777b89073249d83b67e95031821af5f199a5bc237efa43133e2978dba89f

memory/2224-83-0x000000013F640000-0x000000013F991000-memory.dmp

\Windows\system\OWgltwu.exe

MD5 d8c91db9cdca850ad7ce02de9257a266
SHA1 1ca1785668a097812e3586f3cf766c664748c1d9
SHA256 b973702b5d8d2c52cb69a9a38e4dacb049ade73306dab1560f3d94f20d7d4f67
SHA512 58960ecd17a9668b39bfa0acfb7d9ad90a4a7981526d7bcd21b18e2445601bce0b07f29f8b921e634b9a3e993e9cc565c368baa2809eb3f55ad532f024448c01

C:\Windows\system\cmnuYoX.exe

MD5 ade5c90b011c624e8613cd3133148f2a
SHA1 0f3c8969cebdb7482e5fd44e184c69dc0013b957
SHA256 e28ae7d9626fb067b23b1d03d4a5fcbaf8e6fe6b582ec6c6671533897cbac29c
SHA512 68e136b0dba68b4b43f04ce59dfcfa62a5d52ef4e0d836578ac65d948e85e44ac5cae4d05f9a5eb79be1344cdef24a8f8dba136253512812d2863d0da6bcf2cb

\Windows\system\oHDwbaz.exe

MD5 1b4d65862ab2b7c5623bdc9d8d6c10f6
SHA1 e354f67a525fae6273d3aced4bda6756ba26688f
SHA256 14a844324efa2ca443d994e452fb03ad76c661abb2e8a66711667fd535d1249b
SHA512 64af7fdfbf0884b6128dd3fcfc8fa1e0231fb33945666b0c9c5b1ff8581287a3b058cf56b15f2ec9b12820086c3e6c87565e23923b7ced94bbd6d67cdfe80504

memory/2224-70-0x000000013FFD0000-0x0000000140321000-memory.dmp

\Windows\system\thGkFMU.exe

MD5 e6fbdde19d5dc5715fbd07ad9b2f93e2
SHA1 794a95ccf9feb3b4f0cffcd0cd0ea42671bc769f
SHA256 8ae7ca1bb98bf102bf6bef0875e6f314415bc249b239d8e84c04f3e93e2247d6
SHA512 9cc483b95266d3a58d08e59e4e9a1fc61aee5e87ffa13063663636f84a4a4cd16aaead12b26625e842a125566053c85f26d60e99208ba1d9555bd49ef56c8892

C:\Windows\system\quXMtmf.exe

MD5 1809b6e16980cd93e7123f0e99882fdc
SHA1 3b50b155d8c2ceb3551d77a995b012d227853aac
SHA256 21ef6a8e23e4d94dcad6d06e30cb9bf52fad22f695c9fd201ec8219d43d1d648
SHA512 f6f1b1b295f1c9cac3a7fcae7f1a542a212abb2c696ef54fa07ebbd6d593f97775889f90fdbdcdd329522172ba869db103e63b8b123c3b20f690f4aaac590ee7

\Windows\system\bqNnbEG.exe

MD5 3eec7493c0f4743c9586f525791acde8
SHA1 0224450fd0156a5a02756b1bce06f81e0e1ec51c
SHA256 d03bcf6e80ea97cb321f2584333a000d75fb5485e65bac8d7844f2970a77dc3f
SHA512 793da045cec3b668f8774c3d487a464c75833b5eacf21ed1785305bc8a806888014a216bfcc669c09c6436e68e29682dd399d72436f5f0f00d8172473f9ef2aa

\Windows\system\eSCUahq.exe

MD5 a9c37c3c1e2feb6e1ec58fdcf9fa8cc1
SHA1 c35170ab33fc21f799ecc293a254e97cac452d74
SHA256 169d4d9061ffde75e8fafa492ec53fe251d45b434f51553dbd0af8335aa8f8b4
SHA512 6e05c7ca969a0c6a533cdbfd2b80eef8755f949cbcc090bcccf7242bad8640205258290f38dcff7860806aba453c78de8bdd0e62b7352e47cb412f05978220e2

memory/2224-120-0x000000013F410000-0x000000013F761000-memory.dmp

memory/2136-119-0x000000013FEB0000-0x0000000140201000-memory.dmp

memory/2224-118-0x000000013F7B0000-0x000000013FB01000-memory.dmp

memory/1916-116-0x000000013F640000-0x000000013F991000-memory.dmp

memory/2224-115-0x000000013F950000-0x000000013FCA1000-memory.dmp

memory/2224-114-0x000000013FAF0000-0x000000013FE41000-memory.dmp

memory/2224-113-0x000000013F490000-0x000000013F7E1000-memory.dmp

memory/2224-112-0x000000013F9C0000-0x000000013FD11000-memory.dmp

memory/2224-111-0x000000013FAD0000-0x000000013FE21000-memory.dmp

memory/2388-110-0x000000013FFD0000-0x0000000140321000-memory.dmp

memory/2224-109-0x000000013FBC0000-0x000000013FF11000-memory.dmp

memory/1204-108-0x000000013F260000-0x000000013F5B1000-memory.dmp

memory/2256-107-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

memory/2224-105-0x0000000002250000-0x00000000025A1000-memory.dmp

memory/2224-104-0x000000013FDC0000-0x0000000140111000-memory.dmp

memory/2224-103-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

C:\Windows\system\TLDDgLY.exe

MD5 563c3ce55a2304674de902342caf8eaf
SHA1 58374bac1d9491fbf8e4024031004deca6bbd416
SHA256 c083df831b869bb3947d85d3fd6cf81300b434acec4fa701e3e2aea7015d41d8
SHA512 b52a28b56aeaddd1f592b3b73c26020047a253074d9511560cf307cde043d44306243e7d7bef7c278c8264b24d8fa79641e19771fcda812c5b334c1c5805104f

memory/2224-99-0x000000013FF90000-0x00000001402E1000-memory.dmp

memory/1920-98-0x000000013F7B0000-0x000000013FB01000-memory.dmp

C:\Windows\system\CCmkdRY.exe

MD5 978c8e734a7b24c2321d064dfbbeb838
SHA1 d3a7064c3337a9e3553ec315b5815b60421e439f
SHA256 e7ba9785a27de23cc76a95b0246cabcaf7b6a2fe8891333ba1aa984ee441af0f
SHA512 e2b955073dacdec77f1cf0c1fb04b165fcb229b8572a3c9cd252d0cbc2b8020638c7c51ec50766f1ef4a9c4512084fca8dfdcb5d25f19a1966e0b940bda7211b

memory/672-94-0x000000013F0E0000-0x000000013F431000-memory.dmp

C:\Windows\system\GerZKib.exe

MD5 e5005322fc1bf280308c14a76f0ef006
SHA1 5ad2035cf079f24eddf3e538bb530c911cfe2379
SHA256 e172252fb5ae901dce54e1a2eb1fa38b2f1eace86f007766481a3b24024bfe08
SHA512 43547397ec9c8c08b1ba5bd4fb16352c4ad7dc62da2c4d292780490f593547a8502e18434f89248dd6c2808914c68f6be4fa5b7c20a0f5c1f598075f67ab1434

C:\Windows\system\JerpdmK.exe

MD5 8bf42fd6283c7b202fbe9671b92d8f9e
SHA1 4304527101787930f90e57698b5a3dc64264a569
SHA256 18f86791c2934d36f62859a2aaddeafe78de52724a8bcbce4b0782beea8466f9
SHA512 82a15252dc5af138c0af98d183d7402a39ba0dc994edd3545ce72a8d6746f9d9b1cb0f1f04f5778ae3c1b773c13f273a0220ec924710273f2d8c4e45422b7f94

C:\Windows\system\iQTjLMH.exe

MD5 ab07ce3a7906bc18484647a47e99e0fb
SHA1 e136eef2c895f2107c274b504bda3fa4d8dabd56
SHA256 4394a4962fcaf5ca5bb278b0af391687b631fc2e5a29d962ed4544fcf915e073
SHA512 401e31635ed9021ce5f75444bafe85d21c4be488bcd5831d19c4204ef1a584a25b25339e558f929c242ba3b0be088d5d04a53b5abc2112434b58580714ee2230

C:\Windows\system\WNJSYLd.exe

MD5 66f6bce2941ec57b0a5b858579d4df3e
SHA1 8ed262ff7e169fed019528c244b9472c9eedd401
SHA256 44cc3c086bd5ca1b5a876f8b48961c3df9e3974a3b5ca3434081b6b2d0b925b3
SHA512 fc6e32d2fd27b815f60c3a2e2e8e5f34c86e69900bbb0682c5e44bfc1d3d54c61167f0cf924271dc321b70353de5420db2535cef59d067c4d387ef72f51e4e1d

C:\Windows\system\YvIpkUr.exe

MD5 a5b14997566b4eeb0378e81b3c206a3b
SHA1 da1ca67caca246304772113af4b1104369b09b7b
SHA256 e38213811181d4302d0286d3c99a262d13675c194e20a73cd70434f609c55418
SHA512 ff80e231ff26eb8da8da0f6ced764e21e9285114aaf0292e3c1d483c2237a1d0a78be78427f29e625398ef6d31632667a044e0811cbbc6788614ca95e5159ab6

C:\Windows\system\IicdiXE.exe

MD5 21ba07279c080aec43ab9f06f8fba70b
SHA1 2d42b171c0bd5dd4e266cbb712cb7c7d5bb9f850
SHA256 f0ee6b280ad503566090a5240afa9338eb785f5d491de6a03f175a82970da2ac
SHA512 9d32c5aeccc7bcc409606111a65c3710f2099b2017cb616beae461c072b425dada8854eb9d579dcb6c6152f935819edc71a614ab104e6f10c70997574d16eb94

C:\Windows\system\rkFPlqb.exe

MD5 2d20c66401a9540fa51e56d00716b3d9
SHA1 a981a40b18275e1cebe021784332a759f82c2b0d
SHA256 bbe32ce326b32fd475822fd3e3a1d72e05c2e3d8b82b5f3497228c68cebf4ae2
SHA512 78db423befce9e142762bbdbf66b8321e77956b6616dc049e061e59061ca9a867b4f68937780fe13956dc81cc713feda39a67e3380e2e24a1473ad0e1fd5ec52

memory/2276-23-0x000000013F240000-0x000000013F591000-memory.dmp

memory/2164-45-0x000000013F6C0000-0x000000013FA11000-memory.dmp

memory/2224-44-0x000000013F6C0000-0x000000013FA11000-memory.dmp

C:\Windows\system\oDMqSBO.exe

MD5 53cd3f67a7519cd26977cd9458b9244b
SHA1 ac466ae8c62920e56f2473290a9d3dac7b2049e1
SHA256 66c4d9771833fb333eea2db4aa067b78ce960b497013c83f17116a60be0f8eb1
SHA512 d91b13695c105f92d41486646fda758ce99d5155a81a2a85572e1f0f0ee23bf93962585e31b0cd359d07e8e4108943748bab7c7553a0f4be0083cbc69fe67830

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 11:57

Reported

2024-08-13 11:59

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\oDMqSBO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CCmkdRY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eSCUahq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\thGkFMU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dpwLGKT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oHDwbaz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qvSrBEU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sWBuCMw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GerZKib.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OWgltwu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iQTjLMH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TLDDgLY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cmnuYoX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WNJSYLd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YvIpkUr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XMBzkYc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IicdiXE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bqNnbEG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JerpdmK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\quXMtmf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rkFPlqb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1172 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XMBzkYc.exe
PID 1172 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XMBzkYc.exe
PID 1172 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qvSrBEU.exe
PID 1172 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qvSrBEU.exe
PID 1172 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sWBuCMw.exe
PID 1172 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sWBuCMw.exe
PID 1172 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\quXMtmf.exe
PID 1172 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\quXMtmf.exe
PID 1172 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oDMqSBO.exe
PID 1172 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oDMqSBO.exe
PID 1172 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cmnuYoX.exe
PID 1172 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cmnuYoX.exe
PID 1172 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rkFPlqb.exe
PID 1172 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rkFPlqb.exe
PID 1172 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CCmkdRY.exe
PID 1172 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CCmkdRY.exe
PID 1172 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IicdiXE.exe
PID 1172 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IicdiXE.exe
PID 1172 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eSCUahq.exe
PID 1172 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eSCUahq.exe
PID 1172 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YvIpkUr.exe
PID 1172 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YvIpkUr.exe
PID 1172 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bqNnbEG.exe
PID 1172 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bqNnbEG.exe
PID 1172 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WNJSYLd.exe
PID 1172 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WNJSYLd.exe
PID 1172 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\thGkFMU.exe
PID 1172 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\thGkFMU.exe
PID 1172 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iQTjLMH.exe
PID 1172 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iQTjLMH.exe
PID 1172 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dpwLGKT.exe
PID 1172 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dpwLGKT.exe
PID 1172 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JerpdmK.exe
PID 1172 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JerpdmK.exe
PID 1172 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oHDwbaz.exe
PID 1172 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oHDwbaz.exe
PID 1172 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GerZKib.exe
PID 1172 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GerZKib.exe
PID 1172 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OWgltwu.exe
PID 1172 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OWgltwu.exe
PID 1172 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TLDDgLY.exe
PID 1172 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TLDDgLY.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\XMBzkYc.exe

C:\Windows\System\XMBzkYc.exe

C:\Windows\System\qvSrBEU.exe

C:\Windows\System\qvSrBEU.exe

C:\Windows\System\sWBuCMw.exe

C:\Windows\System\sWBuCMw.exe

C:\Windows\System\quXMtmf.exe

C:\Windows\System\quXMtmf.exe

C:\Windows\System\oDMqSBO.exe

C:\Windows\System\oDMqSBO.exe

C:\Windows\System\cmnuYoX.exe

C:\Windows\System\cmnuYoX.exe

C:\Windows\System\rkFPlqb.exe

C:\Windows\System\rkFPlqb.exe

C:\Windows\System\CCmkdRY.exe

C:\Windows\System\CCmkdRY.exe

C:\Windows\System\IicdiXE.exe

C:\Windows\System\IicdiXE.exe

C:\Windows\System\eSCUahq.exe

C:\Windows\System\eSCUahq.exe

C:\Windows\System\YvIpkUr.exe

C:\Windows\System\YvIpkUr.exe

C:\Windows\System\bqNnbEG.exe

C:\Windows\System\bqNnbEG.exe

C:\Windows\System\WNJSYLd.exe

C:\Windows\System\WNJSYLd.exe

C:\Windows\System\thGkFMU.exe

C:\Windows\System\thGkFMU.exe

C:\Windows\System\iQTjLMH.exe

C:\Windows\System\iQTjLMH.exe

C:\Windows\System\dpwLGKT.exe

C:\Windows\System\dpwLGKT.exe

C:\Windows\System\JerpdmK.exe

C:\Windows\System\JerpdmK.exe

C:\Windows\System\oHDwbaz.exe

C:\Windows\System\oHDwbaz.exe

C:\Windows\System\GerZKib.exe

C:\Windows\System\GerZKib.exe

C:\Windows\System\OWgltwu.exe

C:\Windows\System\OWgltwu.exe

C:\Windows\System\TLDDgLY.exe

C:\Windows\System\TLDDgLY.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 22.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1172-0-0x00007FF7E0770000-0x00007FF7E0AC1000-memory.dmp

memory/1172-1-0x000001D6129A0000-0x000001D6129B0000-memory.dmp

C:\Windows\System\XMBzkYc.exe

MD5 a21c201e74edc1b56f46ce552d13b573
SHA1 44403174dbb6c880f6cda57e17311da4a65d6cbf
SHA256 b561c1e228deb22ec8e33e1511c55e704c630730882e3645e5d3cfb01b4e4795
SHA512 a97e419449e8c7173c44d0773fc13848df0800c6cd244f052a5098d118e55662a847f98f6314b37aa42cf9dd3144cbc21cfc4444aeafe70c67448fc59d126718

C:\Windows\System\sWBuCMw.exe

MD5 2e12a818a83d987ad35d6f1d1883104d
SHA1 d4783676179957eab87e0a3a1fc41a46e39ff51b
SHA256 de5a83e4365bbf3d984d75c8886a81976b5884cedffc6b2d70b80359966d11c9
SHA512 1de7f7b52e281ffa0d65e23a7d21a9f53e3e4a9efe514a46f4e1ff21c8230eaa6a7bc932ea1ac175a2e7e87f344cbb4bb5c524f811c6203811ff29773d2fc6d7

C:\Windows\System\CCmkdRY.exe

MD5 978c8e734a7b24c2321d064dfbbeb838
SHA1 d3a7064c3337a9e3553ec315b5815b60421e439f
SHA256 e7ba9785a27de23cc76a95b0246cabcaf7b6a2fe8891333ba1aa984ee441af0f
SHA512 e2b955073dacdec77f1cf0c1fb04b165fcb229b8572a3c9cd252d0cbc2b8020638c7c51ec50766f1ef4a9c4512084fca8dfdcb5d25f19a1966e0b940bda7211b

C:\Windows\System\IicdiXE.exe

MD5 21ba07279c080aec43ab9f06f8fba70b
SHA1 2d42b171c0bd5dd4e266cbb712cb7c7d5bb9f850
SHA256 f0ee6b280ad503566090a5240afa9338eb785f5d491de6a03f175a82970da2ac
SHA512 9d32c5aeccc7bcc409606111a65c3710f2099b2017cb616beae461c072b425dada8854eb9d579dcb6c6152f935819edc71a614ab104e6f10c70997574d16eb94

memory/4792-60-0x00007FF6D8E30000-0x00007FF6D9181000-memory.dmp

memory/716-62-0x00007FF6530C0000-0x00007FF653411000-memory.dmp

C:\Windows\System\YvIpkUr.exe

MD5 a5b14997566b4eeb0378e81b3c206a3b
SHA1 da1ca67caca246304772113af4b1104369b09b7b
SHA256 e38213811181d4302d0286d3c99a262d13675c194e20a73cd70434f609c55418
SHA512 ff80e231ff26eb8da8da0f6ced764e21e9285114aaf0292e3c1d483c2237a1d0a78be78427f29e625398ef6d31632667a044e0811cbbc6788614ca95e5159ab6

memory/2724-66-0x00007FF70D3F0000-0x00007FF70D741000-memory.dmp

C:\Windows\System\eSCUahq.exe

MD5 a9c37c3c1e2feb6e1ec58fdcf9fa8cc1
SHA1 c35170ab33fc21f799ecc293a254e97cac452d74
SHA256 169d4d9061ffde75e8fafa492ec53fe251d45b434f51553dbd0af8335aa8f8b4
SHA512 6e05c7ca969a0c6a533cdbfd2b80eef8755f949cbcc090bcccf7242bad8640205258290f38dcff7860806aba453c78de8bdd0e62b7352e47cb412f05978220e2

memory/2264-63-0x00007FF70B800000-0x00007FF70BB51000-memory.dmp

memory/4452-61-0x00007FF7B8F30000-0x00007FF7B9281000-memory.dmp

C:\Windows\System\cmnuYoX.exe

MD5 ade5c90b011c624e8613cd3133148f2a
SHA1 0f3c8969cebdb7482e5fd44e184c69dc0013b957
SHA256 e28ae7d9626fb067b23b1d03d4a5fcbaf8e6fe6b582ec6c6671533897cbac29c
SHA512 68e136b0dba68b4b43f04ce59dfcfa62a5d52ef4e0d836578ac65d948e85e44ac5cae4d05f9a5eb79be1344cdef24a8f8dba136253512812d2863d0da6bcf2cb

C:\Windows\System\rkFPlqb.exe

MD5 2d20c66401a9540fa51e56d00716b3d9
SHA1 a981a40b18275e1cebe021784332a759f82c2b0d
SHA256 bbe32ce326b32fd475822fd3e3a1d72e05c2e3d8b82b5f3497228c68cebf4ae2
SHA512 78db423befce9e142762bbdbf66b8321e77956b6616dc049e061e59061ca9a867b4f68937780fe13956dc81cc713feda39a67e3380e2e24a1473ad0e1fd5ec52

C:\Windows\System\quXMtmf.exe

MD5 1809b6e16980cd93e7123f0e99882fdc
SHA1 3b50b155d8c2ceb3551d77a995b012d227853aac
SHA256 21ef6a8e23e4d94dcad6d06e30cb9bf52fad22f695c9fd201ec8219d43d1d648
SHA512 f6f1b1b295f1c9cac3a7fcae7f1a542a212abb2c696ef54fa07ebbd6d593f97775889f90fdbdcdd329522172ba869db103e63b8b123c3b20f690f4aaac590ee7

C:\Windows\System\oDMqSBO.exe

MD5 53cd3f67a7519cd26977cd9458b9244b
SHA1 ac466ae8c62920e56f2473290a9d3dac7b2049e1
SHA256 66c4d9771833fb333eea2db4aa067b78ce960b497013c83f17116a60be0f8eb1
SHA512 d91b13695c105f92d41486646fda758ce99d5155a81a2a85572e1f0f0ee23bf93962585e31b0cd359d07e8e4108943748bab7c7553a0f4be0083cbc69fe67830

memory/4772-25-0x00007FF60ADD0000-0x00007FF60B121000-memory.dmp

memory/4152-19-0x00007FF62A7A0000-0x00007FF62AAF1000-memory.dmp

C:\Windows\System\qvSrBEU.exe

MD5 1d5cedb9690fb85892481ed781636993
SHA1 61596104535e0b16b9f40c1fb3b285101d1be9f1
SHA256 b749627373167fbeba2c77c28f8c323f8518c730e868b90bd153465280b5eb63
SHA512 c6f298171533b7b02d79ca75fcb441028b89d01fdd4823785bf302dd1ec2a95124d8680ce9d98c0afbdeac9a8be86b40844432b710b18118fc6fa1586afd0288

C:\Windows\System\bqNnbEG.exe

MD5 3eec7493c0f4743c9586f525791acde8
SHA1 0224450fd0156a5a02756b1bce06f81e0e1ec51c
SHA256 d03bcf6e80ea97cb321f2584333a000d75fb5485e65bac8d7844f2970a77dc3f
SHA512 793da045cec3b668f8774c3d487a464c75833b5eacf21ed1785305bc8a806888014a216bfcc669c09c6436e68e29682dd399d72436f5f0f00d8172473f9ef2aa

C:\Windows\System\thGkFMU.exe

MD5 e6fbdde19d5dc5715fbd07ad9b2f93e2
SHA1 794a95ccf9feb3b4f0cffcd0cd0ea42671bc769f
SHA256 8ae7ca1bb98bf102bf6bef0875e6f314415bc249b239d8e84c04f3e93e2247d6
SHA512 9cc483b95266d3a58d08e59e4e9a1fc61aee5e87ffa13063663636f84a4a4cd16aaead12b26625e842a125566053c85f26d60e99208ba1d9555bd49ef56c8892

memory/4080-88-0x00007FF654F40000-0x00007FF655291000-memory.dmp

C:\Windows\System\iQTjLMH.exe

MD5 ab07ce3a7906bc18484647a47e99e0fb
SHA1 e136eef2c895f2107c274b504bda3fa4d8dabd56
SHA256 4394a4962fcaf5ca5bb278b0af391687b631fc2e5a29d962ed4544fcf915e073
SHA512 401e31635ed9021ce5f75444bafe85d21c4be488bcd5831d19c4204ef1a584a25b25339e558f929c242ba3b0be088d5d04a53b5abc2112434b58580714ee2230

C:\Windows\System\dpwLGKT.exe

MD5 56869f078350edaff2e9fc3aa0ea2b05
SHA1 2650f8e91aa4b07254f954c0a86781770d9f9a31
SHA256 2198c63790c28ec4a620643eb33c5d651218240623498ca188105e4a0e44fdbc
SHA512 e17cafcf1659aa58bea9a814ff25d2e90b1bb17a9a66c6dbd332acf5c586d66efb49777b89073249d83b67e95031821af5f199a5bc237efa43133e2978dba89f

C:\Windows\System\oHDwbaz.exe

MD5 1b4d65862ab2b7c5623bdc9d8d6c10f6
SHA1 e354f67a525fae6273d3aced4bda6756ba26688f
SHA256 14a844324efa2ca443d994e452fb03ad76c661abb2e8a66711667fd535d1249b
SHA512 64af7fdfbf0884b6128dd3fcfc8fa1e0231fb33945666b0c9c5b1ff8581287a3b058cf56b15f2ec9b12820086c3e6c87565e23923b7ced94bbd6d67cdfe80504

C:\Windows\System\TLDDgLY.exe

MD5 563c3ce55a2304674de902342caf8eaf
SHA1 58374bac1d9491fbf8e4024031004deca6bbd416
SHA256 c083df831b869bb3947d85d3fd6cf81300b434acec4fa701e3e2aea7015d41d8
SHA512 b52a28b56aeaddd1f592b3b73c26020047a253074d9511560cf307cde043d44306243e7d7bef7c278c8264b24d8fa79641e19771fcda812c5b334c1c5805104f

C:\Windows\System\OWgltwu.exe

MD5 d8c91db9cdca850ad7ce02de9257a266
SHA1 1ca1785668a097812e3586f3cf766c664748c1d9
SHA256 b973702b5d8d2c52cb69a9a38e4dacb049ade73306dab1560f3d94f20d7d4f67
SHA512 58960ecd17a9668b39bfa0acfb7d9ad90a4a7981526d7bcd21b18e2445601bce0b07f29f8b921e634b9a3e993e9cc565c368baa2809eb3f55ad532f024448c01

C:\Windows\System\GerZKib.exe

MD5 e5005322fc1bf280308c14a76f0ef006
SHA1 5ad2035cf079f24eddf3e538bb530c911cfe2379
SHA256 e172252fb5ae901dce54e1a2eb1fa38b2f1eace86f007766481a3b24024bfe08
SHA512 43547397ec9c8c08b1ba5bd4fb16352c4ad7dc62da2c4d292780490f593547a8502e18434f89248dd6c2808914c68f6be4fa5b7c20a0f5c1f598075f67ab1434

C:\Windows\System\JerpdmK.exe

MD5 8bf42fd6283c7b202fbe9671b92d8f9e
SHA1 4304527101787930f90e57698b5a3dc64264a569
SHA256 18f86791c2934d36f62859a2aaddeafe78de52724a8bcbce4b0782beea8466f9
SHA512 82a15252dc5af138c0af98d183d7402a39ba0dc994edd3545ce72a8d6746f9d9b1cb0f1f04f5778ae3c1b773c13f273a0220ec924710273f2d8c4e45422b7f94

C:\Windows\System\WNJSYLd.exe

MD5 66f6bce2941ec57b0a5b858579d4df3e
SHA1 8ed262ff7e169fed019528c244b9472c9eedd401
SHA256 44cc3c086bd5ca1b5a876f8b48961c3df9e3974a3b5ca3434081b6b2d0b925b3
SHA512 fc6e32d2fd27b815f60c3a2e2e8e5f34c86e69900bbb0682c5e44bfc1d3d54c61167f0cf924271dc321b70353de5420db2535cef59d067c4d387ef72f51e4e1d
