Malware Analysis Report

2025-03-15 08:05

Sample ID 240813-n698faxaqr
Target 2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat
SHA256 08354515e8c11421ec627eabae2cab21baa3a62a5f25ee79f2284b478f69daf8
Tags upx 0 miner cobaltstrike xmrig backdoor trojan
Score 10/10


Analysis Overview

Score 10/10

SHA256 08354515e8c11421ec627eabae2cab21baa3a62a5f25ee79f2284b478f69daf8

Threat Level: Known bad

The file 2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike

XMRig Miner payload

Cobaltstrike family

Cobalt Strike reflective loader

xmrig

Xmrig family

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-08-13 12:01

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted 2024-08-13 12:01
Reported 2024-08-13 12:04
Platform win7-20240705-en
Max time kernel 140s
Max time network 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\pglVahh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ySQSrSR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TxcGbYV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YucjItb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UdjiDRS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oeraTSo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YiKUzFk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zyobLnr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wMCSNQH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nNaqgyj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yUEjRCs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YGHnnzL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tcCmVVg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BeYByjX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gOAcGig.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PhWSHkP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CtFZysH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GioaETr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZeFDnPf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kcTcFwc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zOFIEZQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3056 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UdjiDRS.exe
PID 3056 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tcCmVVg.exe
PID 3056 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZeFDnPf.exe
PID 3056 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kcTcFwc.exe
PID 3056 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BeYByjX.exe
PID 3056 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gOAcGig.exe
PID 3056 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pglVahh.exe
PID 3056 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ySQSrSR.exe
PID 3056 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PhWSHkP.exe
PID 3056 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wMCSNQH.exe
PID 3056 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nNaqgyj.exe
PID 3056 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yUEjRCs.exe
PID 3056 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TxcGbYV.exe
PID 3056 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YucjItb.exe
PID 3056 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zOFIEZQ.exe
PID 3056 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YGHnnzL.exe
PID 3056 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oeraTSo.exe
PID 3056 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CtFZysH.exe
PID 3056 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GioaETr.exe
PID 3056 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YiKUzFk.exe
PID 3056 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zyobLnr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\UdjiDRS.exe
C:\Windows\System\tcCmVVg.exe
C:\Windows\System\ZeFDnPf.exe
C:\Windows\System\kcTcFwc.exe
C:\Windows\System\BeYByjX.exe
C:\Windows\System\gOAcGig.exe
C:\Windows\System\pglVahh.exe
C:\Windows\System\ySQSrSR.exe
C:\Windows\System\PhWSHkP.exe
C:\Windows\System\wMCSNQH.exe
C:\Windows\System\nNaqgyj.exe
C:\Windows\System\yUEjRCs.exe
C:\Windows\System\TxcGbYV.exe
C:\Windows\System\YucjItb.exe
C:\Windows\System\zOFIEZQ.exe
C:\Windows\System\YGHnnzL.exe
C:\Windows\System\oeraTSo.exe
C:\Windows\System\CtFZysH.exe
C:\Windows\System\GioaETr.exe
C:\Windows\System\YiKUzFk.exe
C:\Windows\System\zyobLnr.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/3056-0-0x000000013F430000-0x000000013F781000-memory.dmp

memory/3056-1-0x00000000000F0000-0x0000000000100000-memory.dmp

C:\Windows\system\UdjiDRS.exe

MD5 5f7c8b950482997d895009d2a9d50b44
SHA1 e054ecf3ea38e351ddebf87474ed74678d8d6636
SHA256 beeeba0f3779d0f337298b10d9b788bb5b9a2cb437c1208cf16b406e52460ed3
SHA512 15ad582d523bcaf9621cc98829772a72e91df5760e780992c7a86368a4ec4e4568ee69a097b7ad3b5ee8fbebd43c1db019bb9fae0054cb60babadcdd78f9d1c0

\Windows\system\ZeFDnPf.exe

MD5 ed1e3ca4ed2845ba32263d00ec35849a
SHA1 eab8f51c7bdecc97ba9022a382de6c7cca262505
SHA256 6440cb8d5d65876daa03c57a5e2a5c9698af42574a999266d48c646b1551803a
SHA512 2f25c985e178defc7995dd95650ed8cbbd30b17efaa927f5e4d3bcf0478a5017f968f4cc799a0e509aee76db84500b9f92c54ec8b389c0b5bc48e6159df2ece1

C:\Windows\system\tcCmVVg.exe

MD5 6797827bbb1a58d8311a04c6f2ab9c2e
SHA1 95f7de7b2539bfc10d301d3225d92de5a1fafa01
SHA256 aa526cad22f711d568b7dce8569559431df96aa632cdfb18436892d1bce834e0
SHA512 175da9de7fee708eef471d1ea367510a9093abb61bfeceb1eab3590ddcc2c05de17bb64e5b4c8439c82f5e29c8029d85db779850bc0a8a91af79d12b25815f03

\Windows\system\kcTcFwc.exe

MD5 e3f838df37c4f11095c217b5daedae69
SHA1 de1bdc77f30f7d6de75b70acaa23f89a2280f9aa
SHA256 604f9acc0f7a07f65e3ac84ce7ffe886ac2d81c5d8737e38524ce84b4faee75b
SHA512 da2d6bdced3c531b817eb06fff474c2d4234380352cad731fc62cf12ff3ff27ed647f6d4b554b8f596e99001bcc3be13daab9f86e51ec546e65ea49aaf082d6a

memory/3056-14-0x000000013FD90000-0x00000001400E1000-memory.dmp

memory/2692-116-0x000000013F120000-0x000000013F471000-memory.dmp

\Windows\system\wMCSNQH.exe

MD5 aee410f15801b4a956d1d5bd04b1ff62
SHA1 21763740670d2d21ae8d3a0d951cea9eaa54b471
SHA256 9a116c5997264127b901bf2e44be38978dbfdaafbe8e9d1095458bdcc010a3de
SHA512 8c9c8dba7dd7ebfda715281841df25bad8d806fbe6c49f9b610bb3531d6a2f03da0625af0eeb8fa83e2daa7bc741c897c107d94021fbd3e924165b4c877d1bef

\Windows\system\YiKUzFk.exe

MD5 63dfb68794a722f093bd233c641cf676
SHA1 50ca7a740dda84ab5821621330ceec3b92d5af34
SHA256 a0034f4fa1a2b01a799fcdf8da78993da776b7f6bd99963326549f914565c77e
SHA512 63b38aae6011c2035e1dc6c68d32411c7b03c59813f64fffbeb8b789c88046993a0b191829220e89fafdcc6e9d11b62c7f564e8ceaf0e439511124d9f6fdabfd

\Windows\system\CtFZysH.exe

MD5 b180a8837805502d6c647626d6f2cb4d
SHA1 20e99b0e16cf013405ddf17cfdcca4515dd505d0
SHA256 57d179165377d6776fb736e58d6153bda7441b31decc94e1eeaab0558a1c1ec8
SHA512 27ac0bfa90184df859a8c9b10bb79fc8e15424c745edb8a83cfeba3cfbc0ebd8064a15ebff67336004ecb8b4ffab43ab861ec8914e49c90d932f7bcd6c3e185d

memory/3056-71-0x0000000002210000-0x0000000002561000-memory.dmp

\Windows\system\YGHnnzL.exe

MD5 a96f203dcfe333f757d22f3fa6c4db47
SHA1 10f915aa302f39f588bfe167fef49765c5aa81ad
SHA256 5e9ea27955e0cc6caf4f2ae346a20ea211d049c77ee763e0a199877c72ea1961
SHA512 2f98915591865931865e1bc35ba99429cf3934f458153515c113556a3e64aeaefb8bea9cdb8266899c795e34362919ef7fd573257247d13f58756e8b1ebf1769

\Windows\system\YucjItb.exe

MD5 880a144a97f19029ed9f0a7b95b212c0
SHA1 f0c40667eb474975b6fa84764cf099be66cf38d6
SHA256 e4544e5f30679eceb9fb286bd9e5d06945af36864e3f37a92996b4bd57ee40a0
SHA512 ad54eb1fd28f667a30b49be828561ce048d79b5daea4b1435fbc9c4c9c711cf64c89cbcf009b7e9e20ab018d611c1df23c9624232ad791fda2c72a05087a7227

\Windows\system\yUEjRCs.exe

MD5 18fb8b20f53b5638ac9eeab11a201084
SHA1 8964bfa3cd3f52e2e14f7537e82a57965f454e21
SHA256 87901544896c725cb9a7b215d0a60d972a6e796a980508b0a5e55d42116791c3
SHA512 f6644a66efad3b5eb6fdd34cfb92fa627c62f985f3cc1c5bf290e27cac594e43cc03913be925899b99a3e00d3e07d93837f1dfff6946138715f760ebc3e43e2c

memory/3056-118-0x000000013F060000-0x000000013F3B1000-memory.dmp

memory/3056-117-0x000000013FE40000-0x0000000140191000-memory.dmp

memory/2932-115-0x000000013F650000-0x000000013F9A1000-memory.dmp

memory/3056-114-0x000000013FFA0000-0x00000001402F1000-memory.dmp

memory/3056-113-0x000000013FB90000-0x000000013FEE1000-memory.dmp

memory/2732-112-0x000000013F470000-0x000000013F7C1000-memory.dmp

memory/2592-111-0x000000013FD20000-0x0000000140071000-memory.dmp

memory/2788-110-0x000000013F7E0000-0x000000013FB31000-memory.dmp

memory/2852-109-0x000000013FA70000-0x000000013FDC1000-memory.dmp

memory/2944-108-0x000000013FA10000-0x000000013FD61000-memory.dmp

memory/2844-107-0x000000013F5D0000-0x000000013F921000-memory.dmp

memory/3056-106-0x000000013FD20000-0x0000000140071000-memory.dmp

memory/3056-105-0x000000013F7E0000-0x000000013FB31000-memory.dmp

memory/3056-104-0x000000013FA70000-0x000000013FDC1000-memory.dmp

memory/3056-103-0x0000000002210000-0x0000000002561000-memory.dmp

C:\Windows\system\ySQSrSR.exe

MD5 d2a63e747ff2da9253dc489e18781a64
SHA1 4371adc7ab0b57048548232732a9e6424547fa2a
SHA256 6ec713c2350ecd5f1b39400e43bcfc35bc7f95fe65184f90e5ab1b62554d1be0
SHA512 ee21335f36ce42b6b92fff9c7cd2010c0fefd59e1c9087ab3730189d9d0071bd808dd3e95aeb857442319e8190da353cf378b7192207f52feb5e4fece989e355

memory/3056-101-0x000000013FA10000-0x000000013FD61000-memory.dmp

memory/3056-98-0x000000013FBE0000-0x000000013FF31000-memory.dmp

C:\Windows\system\zyobLnr.exe

MD5 52bcc09b76467b6c18de46b568fc6bbb
SHA1 32f2645d087f2afaac348b48c07def1a7207af07
SHA256 8b8e5be5c2428ce62bf6c21a6efdd09cbb95057d955ed11e8faedf19856a43c5
SHA512 5075fafb2249cfb28370269d719d18e469e46e3d724ccf47869f2134de141075b4e3102b2108aab1237258b4f957c68d1089cf7db5846c3ea2c8d2afe93f6a56

C:\Windows\system\GioaETr.exe

MD5 0b69607c497436d0f76b4885619f195a
SHA1 98c72a65bbd54784d4f189210c543541ad1a82d5
SHA256 34e184b200b42f20a22f9456fbc69f3a4b766378b574809189ee44bf0346bf5b
SHA512 86027f2faceba9a0a80d28f4a2938917f80ae52b983bf729d7dde324209c250bea8c37584efaa67d915f9a5c98fc867eeb4a78fe279e892ab6e0085950857a54

C:\Windows\system\oeraTSo.exe

MD5 5babeb4ae73fc08717a834c7f6c87d96
SHA1 cf5e2149093c827ba62cc18b97f37eb2955f4eae
SHA256 9b52333e59e2f87c1ff6810c6f0149b681547b615b54faeddc1f599037b409ea
SHA512 aa7c43ee1ea2c746165ae87c30a68ed59280de77d7e03ab75c43017615c83e229628021a9f8d7089f67afc0d7c5d4c0f9b6e561c30fa3251a153e0664cc151bc

memory/2268-93-0x000000013F150000-0x000000013F4A1000-memory.dmp

C:\Windows\system\gOAcGig.exe

MD5 60ba1acd297fa5ca38a70e48e534cc78
SHA1 436fd17bc53f2608fb8de5135ce1654b1827cef8
SHA256 e9cbeaafe7309396a90b4a50fa8f66662f33ba0181b2505cfbd74bfadfbbc17e
SHA512 12feb958aed0babb3486a08abd4d8ddaa3a55a76a107146e81712d880099d5f475700780f348b4e2074a742cb8ef56a432d79ad84597115fa428c9fd497e1c8e

memory/3056-67-0x0000000002210000-0x0000000002561000-memory.dmp

C:\Windows\system\zOFIEZQ.exe

MD5 15a4a100a497cdc0019b2f5ac69d9aa8
SHA1 4375091ad92ae11b38d939782b792742335bc806
SHA256 eedd1c0c962121e8f4f8d20a79d878be84f6502b4fd5912e9dccf8b218a9f091
SHA512 b358989746e3ce3e02439f9d6fe517040378774fc92ecc87015fd7380f5f742430789d464af07d5f118edeaaa3cb0b8482c6059898f57487e7d4ee5ed0a48762

C:\Windows\system\TxcGbYV.exe

MD5 ad2886c42b48a6d3cce5f00ce7636321
SHA1 fdf3ad3fe6480baa79dcf64a8b43697eacc1e94f
SHA256 db43d05d17d04af3f94e0ea6e7ea35aa40caef8e67c1a0c343d1d03419f23d4d
SHA512 6e78aee95ee5fd2b8fa52a922f510838dd4fb310fb31996ef0466f02fe67b9658e37f0230479aec6e6841e59468046145c1b239571f458a3a5c6ad4b6b57bcdc

C:\Windows\system\nNaqgyj.exe

MD5 1cd9de47ee39cc00dc82cc03a3683dce
SHA1 6f7ccb4c467365c3a24147f75a1b9cce6ae7a2a1
SHA256 51d11bbd4546a37bb56d3a8b96cd8e90948dd24bd166ae75d280f60f6ff97c44
SHA512 10d82736c3d9d12e0283b0247d750a092584feb66f33ef72b040344a86540e5988e252ce5dd7ac92fc1963388c2b0a20fa6f9fa41da3b8b5688ce60014ebc961

C:\Windows\system\PhWSHkP.exe

MD5 b6fb1f84e785c6e53a1a6d033340935b
SHA1 3b66985b8fac8b58c82ce1ca1b82257a24954576
SHA256 ad08c66a664b4f18c999c4bed3f2e501dbef2dcbb58805319966b1a276ee476c
SHA512 8f33e498cf2a3f4c594aeecbd66217c9ba7559aa08827d02b7a15f94d28471b0df87a8112d31a12cb0ce8e301091e46288fda96029a5283ee13e31cf249dadd7

C:\Windows\system\pglVahh.exe

MD5 1026e44863dbeedd53e648150d9cd37d
SHA1 0587abf1ef557eabeb266d454505cf583ac7ac9e
SHA256 07f3a2270d80e63aef89b06c5f236fb3f826d7ad49aa1420969b0939fa029907
SHA512 22dd6c307fb73ddc4d9676f35870681aadafce6ab7557d29c0b83a542c545af1826063839743353bfdf15d6a1aff6e29052c798e7b21d3f4c451abd04f3ed046

C:\Windows\system\BeYByjX.exe

MD5 8aa36a7634dd0ea851463774a28c30f7
SHA1 b5cc32abe06243d824e82761303e294d2263421e
SHA256 a4d8a6faf70b7f63ee97f38b3d4e55bf454dc04a5c5a603b0ea12318927461da
SHA512 b74019c7e3b3287e55ceef2db6a650fd2eeab20f46b78afe7c052a06621e91c3cc31b020bea638ce13883f2058610a16504c0859d15bbebf9caf2180b9940722

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 12:01

Reported

2024-08-13 12:04

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\UdjiDRS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ySQSrSR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PhWSHkP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YucjItb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zOFIEZQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oeraTSo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GioaETr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tcCmVVg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kcTcFwc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BeYByjX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wMCSNQH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nNaqgyj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YiKUzFk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zyobLnr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZeFDnPf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TxcGbYV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gOAcGig.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pglVahh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yUEjRCs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YGHnnzL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CtFZysH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3920 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UdjiDRS.exe
PID 3920 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UdjiDRS.exe
PID 3920 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tcCmVVg.exe
PID 3920 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tcCmVVg.exe
PID 3920 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZeFDnPf.exe
PID 3920 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZeFDnPf.exe
PID 3920 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kcTcFwc.exe
PID 3920 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kcTcFwc.exe
PID 3920 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BeYByjX.exe
PID 3920 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BeYByjX.exe
PID 3920 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gOAcGig.exe
PID 3920 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gOAcGig.exe
PID 3920 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pglVahh.exe
PID 3920 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pglVahh.exe
PID 3920 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ySQSrSR.exe
PID 3920 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ySQSrSR.exe
PID 3920 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PhWSHkP.exe
PID 3920 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PhWSHkP.exe
PID 3920 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wMCSNQH.exe
PID 3920 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wMCSNQH.exe
PID 3920 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nNaqgyj.exe
PID 3920 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nNaqgyj.exe
PID 3920 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yUEjRCs.exe
PID 3920 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yUEjRCs.exe
PID 3920 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TxcGbYV.exe
PID 3920 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TxcGbYV.exe
PID 3920 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YucjItb.exe
PID 3920 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YucjItb.exe
PID 3920 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zOFIEZQ.exe
PID 3920 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zOFIEZQ.exe
PID 3920 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YGHnnzL.exe
PID 3920 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YGHnnzL.exe
PID 3920 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oeraTSo.exe
PID 3920 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oeraTSo.exe
PID 3920 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CtFZysH.exe
PID 3920 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CtFZysH.exe
PID 3920 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GioaETr.exe
PID 3920 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GioaETr.exe
PID 3920 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YiKUzFk.exe
PID 3920 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YiKUzFk.exe
PID 3920 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zyobLnr.exe
PID 3920 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zyobLnr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\UdjiDRS.exe

C:\Windows\System\UdjiDRS.exe

C:\Windows\System\tcCmVVg.exe

C:\Windows\System\tcCmVVg.exe

C:\Windows\System\ZeFDnPf.exe

C:\Windows\System\ZeFDnPf.exe

C:\Windows\System\kcTcFwc.exe

C:\Windows\System\kcTcFwc.exe

C:\Windows\System\BeYByjX.exe

C:\Windows\System\BeYByjX.exe

C:\Windows\System\gOAcGig.exe

C:\Windows\System\gOAcGig.exe

C:\Windows\System\pglVahh.exe

C:\Windows\System\pglVahh.exe

C:\Windows\System\ySQSrSR.exe

C:\Windows\System\ySQSrSR.exe

C:\Windows\System\PhWSHkP.exe

C:\Windows\System\PhWSHkP.exe

C:\Windows\System\wMCSNQH.exe

C:\Windows\System\wMCSNQH.exe

C:\Windows\System\nNaqgyj.exe

C:\Windows\System\nNaqgyj.exe

C:\Windows\System\yUEjRCs.exe

C:\Windows\System\yUEjRCs.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3840,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=4128 /prefetch:8

C:\Windows\System\TxcGbYV.exe

C:\Windows\System\TxcGbYV.exe

C:\Windows\System\YucjItb.exe

C:\Windows\System\YucjItb.exe

C:\Windows\System\zOFIEZQ.exe

C:\Windows\System\zOFIEZQ.exe

C:\Windows\System\YGHnnzL.exe

C:\Windows\System\YGHnnzL.exe

C:\Windows\System\oeraTSo.exe

C:\Windows\System\oeraTSo.exe

C:\Windows\System\CtFZysH.exe

C:\Windows\System\CtFZysH.exe

C:\Windows\System\GioaETr.exe

C:\Windows\System\GioaETr.exe

C:\Windows\System\YiKUzFk.exe

C:\Windows\System\YiKUzFk.exe

C:\Windows\System\zyobLnr.exe

C:\Windows\System\zyobLnr.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\UdjiDRS.exe

MD5 5f7c8b950482997d895009d2a9d50b44
SHA1 e054ecf3ea38e351ddebf87474ed74678d8d6636
SHA256 beeeba0f3779d0f337298b10d9b788bb5b9a2cb437c1208cf16b406e52460ed3
SHA512 15ad582d523bcaf9621cc98829772a72e91df5760e780992c7a86368a4ec4e4568ee69a097b7ad3b5ee8fbebd43c1db019bb9fae0054cb60babadcdd78f9d1c0

C:\Windows\System\ZeFDnPf.exe

MD5 ed1e3ca4ed2845ba32263d00ec35849a
SHA1 eab8f51c7bdecc97ba9022a382de6c7cca262505
SHA256 6440cb8d5d65876daa03c57a5e2a5c9698af42574a999266d48c646b1551803a
SHA512 2f25c985e178defc7995dd95650ed8cbbd30b17efaa927f5e4d3bcf0478a5017f968f4cc799a0e509aee76db84500b9f92c54ec8b389c0b5bc48e6159df2ece1

C:\Windows\System\tcCmVVg.exe

MD5 6797827bbb1a58d8311a04c6f2ab9c2e
SHA1 95f7de7b2539bfc10d301d3225d92de5a1fafa01
SHA256 aa526cad22f711d568b7dce8569559431df96aa632cdfb18436892d1bce834e0
SHA512 175da9de7fee708eef471d1ea367510a9093abb61bfeceb1eab3590ddcc2c05de17bb64e5b4c8439c82f5e29c8029d85db779850bc0a8a91af79d12b25815f03

C:\Windows\System\BeYByjX.exe

MD5 8aa36a7634dd0ea851463774a28c30f7
SHA1 b5cc32abe06243d824e82761303e294d2263421e
SHA256 a4d8a6faf70b7f63ee97f38b3d4e55bf454dc04a5c5a603b0ea12318927461da
SHA512 b74019c7e3b3287e55ceef2db6a650fd2eeab20f46b78afe7c052a06621e91c3cc31b020bea638ce13883f2058610a16504c0859d15bbebf9caf2180b9940722

C:\Windows\System\kcTcFwc.exe

MD5 e3f838df37c4f11095c217b5daedae69
SHA1 de1bdc77f30f7d6de75b70acaa23f89a2280f9aa
SHA256 604f9acc0f7a07f65e3ac84ce7ffe886ac2d81c5d8737e38524ce84b4faee75b
SHA512 da2d6bdced3c531b817eb06fff474c2d4234380352cad731fc62cf12ff3ff27ed647f6d4b554b8f596e99001bcc3be13daab9f86e51ec546e65ea49aaf082d6a

C:\Windows\System\gOAcGig.exe

MD5 60ba1acd297fa5ca38a70e48e534cc78
SHA1 436fd17bc53f2608fb8de5135ce1654b1827cef8
SHA256 e9cbeaafe7309396a90b4a50fa8f66662f33ba0181b2505cfbd74bfadfbbc17e
SHA512 12feb958aed0babb3486a08abd4d8ddaa3a55a76a107146e81712d880099d5f475700780f348b4e2074a742cb8ef56a432d79ad84597115fa428c9fd497e1c8e

C:\Windows\System\pglVahh.exe

MD5 1026e44863dbeedd53e648150d9cd37d
SHA1 0587abf1ef557eabeb266d454505cf583ac7ac9e
SHA256 07f3a2270d80e63aef89b06c5f236fb3f826d7ad49aa1420969b0939fa029907
SHA512 22dd6c307fb73ddc4d9676f35870681aadafce6ab7557d29c0b83a542c545af1826063839743353bfdf15d6a1aff6e29052c798e7b21d3f4c451abd04f3ed046

C:\Windows\System\ySQSrSR.exe

MD5 d2a63e747ff2da9253dc489e18781a64
SHA1 4371adc7ab0b57048548232732a9e6424547fa2a
SHA256 6ec713c2350ecd5f1b39400e43bcfc35bc7f95fe65184f90e5ab1b62554d1be0
SHA512 ee21335f36ce42b6b92fff9c7cd2010c0fefd59e1c9087ab3730189d9d0071bd808dd3e95aeb857442319e8190da353cf378b7192207f52feb5e4fece989e355

C:\Windows\System\PhWSHkP.exe

MD5 b6fb1f84e785c6e53a1a6d033340935b
SHA1 3b66985b8fac8b58c82ce1ca1b82257a24954576
SHA256 ad08c66a664b4f18c999c4bed3f2e501dbef2dcbb58805319966b1a276ee476c
SHA512 8f33e498cf2a3f4c594aeecbd66217c9ba7559aa08827d02b7a15f94d28471b0df87a8112d31a12cb0ce8e301091e46288fda96029a5283ee13e31cf249dadd7

C:\Windows\System\wMCSNQH.exe

MD5 aee410f15801b4a956d1d5bd04b1ff62
SHA1 21763740670d2d21ae8d3a0d951cea9eaa54b471
SHA256 9a116c5997264127b901bf2e44be38978dbfdaafbe8e9d1095458bdcc010a3de
SHA512 8c9c8dba7dd7ebfda715281841df25bad8d806fbe6c49f9b610bb3531d6a2f03da0625af0eeb8fa83e2daa7bc741c897c107d94021fbd3e924165b4c877d1bef

C:\Windows\System\TxcGbYV.exe

MD5 ad2886c42b48a6d3cce5f00ce7636321
SHA1 fdf3ad3fe6480baa79dcf64a8b43697eacc1e94f
SHA256 db43d05d17d04af3f94e0ea6e7ea35aa40caef8e67c1a0c343d1d03419f23d4d
SHA512 6e78aee95ee5fd2b8fa52a922f510838dd4fb310fb31996ef0466f02fe67b9658e37f0230479aec6e6841e59468046145c1b239571f458a3a5c6ad4b6b57bcdc

C:\Windows\System\oeraTSo.exe

MD5 5babeb4ae73fc08717a834c7f6c87d96
SHA1 cf5e2149093c827ba62cc18b97f37eb2955f4eae
SHA256 9b52333e59e2f87c1ff6810c6f0149b681547b615b54faeddc1f599037b409ea
SHA512 aa7c43ee1ea2c746165ae87c30a68ed59280de77d7e03ab75c43017615c83e229628021a9f8d7089f67afc0d7c5d4c0f9b6e561c30fa3251a153e0664cc151bc

C:\Windows\System\GioaETr.exe

MD5 0b69607c497436d0f76b4885619f195a
SHA1 98c72a65bbd54784d4f189210c543541ad1a82d5
SHA256 34e184b200b42f20a22f9456fbc69f3a4b766378b574809189ee44bf0346bf5b
SHA512 86027f2faceba9a0a80d28f4a2938917f80ae52b983bf729d7dde324209c250bea8c37584efaa67d915f9a5c98fc867eeb4a78fe279e892ab6e0085950857a54

C:\Windows\System\CtFZysH.exe

MD5 b180a8837805502d6c647626d6f2cb4d
SHA1 20e99b0e16cf013405ddf17cfdcca4515dd505d0
SHA256 57d179165377d6776fb736e58d6153bda7441b31decc94e1eeaab0558a1c1ec8
SHA512 27ac0bfa90184df859a8c9b10bb79fc8e15424c745edb8a83cfeba3cfbc0ebd8064a15ebff67336004ecb8b4ffab43ab861ec8914e49c90d932f7bcd6c3e185d

C:\Windows\System\YGHnnzL.exe

MD5 a96f203dcfe333f757d22f3fa6c4db47
SHA1 10f915aa302f39f588bfe167fef49765c5aa81ad
SHA256 5e9ea27955e0cc6caf4f2ae346a20ea211d049c77ee763e0a199877c72ea1961
SHA512 2f98915591865931865e1bc35ba99429cf3934f458153515c113556a3e64aeaefb8bea9cdb8266899c795e34362919ef7fd573257247d13f58756e8b1ebf1769

C:\Windows\System\zOFIEZQ.exe

MD5 15a4a100a497cdc0019b2f5ac69d9aa8
SHA1 4375091ad92ae11b38d939782b792742335bc806
SHA256 eedd1c0c962121e8f4f8d20a79d878be84f6502b4fd5912e9dccf8b218a9f091
SHA512 b358989746e3ce3e02439f9d6fe517040378774fc92ecc87015fd7380f5f742430789d464af07d5f118edeaaa3cb0b8482c6059898f57487e7d4ee5ed0a48762

C:\Windows\System\YucjItb.exe

MD5 880a144a97f19029ed9f0a7b95b212c0
SHA1 f0c40667eb474975b6fa84764cf099be66cf38d6
SHA256 e4544e5f30679eceb9fb286bd9e5d06945af36864e3f37a92996b4bd57ee40a0
SHA512 ad54eb1fd28f667a30b49be828561ce048d79b5daea4b1435fbc9c4c9c711cf64c89cbcf009b7e9e20ab018d611c1df23c9624232ad791fda2c72a05087a7227

C:\Windows\System\yUEjRCs.exe

MD5 18fb8b20f53b5638ac9eeab11a201084
SHA1 8964bfa3cd3f52e2e14f7537e82a57965f454e21
SHA256 87901544896c725cb9a7b215d0a60d972a6e796a980508b0a5e55d42116791c3
SHA512 f6644a66efad3b5eb6fdd34cfb92fa627c62f985f3cc1c5bf290e27cac594e43cc03913be925899b99a3e00d3e07d93837f1dfff6946138715f760ebc3e43e2c

C:\Windows\System\nNaqgyj.exe

MD5 1cd9de47ee39cc00dc82cc03a3683dce
SHA1 6f7ccb4c467365c3a24147f75a1b9cce6ae7a2a1
SHA256 51d11bbd4546a37bb56d3a8b96cd8e90948dd24bd166ae75d280f60f6ff97c44
SHA512 10d82736c3d9d12e0283b0247d750a092584feb66f33ef72b040344a86540e5988e252ce5dd7ac92fc1963388c2b0a20fa6f9fa41da3b8b5688ce60014ebc961

C:\Windows\System\YiKUzFk.exe

MD5 63dfb68794a722f093bd233c641cf676
SHA1 50ca7a740dda84ab5821621330ceec3b92d5af34
SHA256 a0034f4fa1a2b01a799fcdf8da78993da776b7f6bd99963326549f914565c77e
SHA512 63b38aae6011c2035e1dc6c68d32411c7b03c59813f64fffbeb8b789c88046993a0b191829220e89fafdcc6e9d11b62c7f564e8ceaf0e439511124d9f6fdabfd

C:\Windows\System\zyobLnr.exe

MD5 52bcc09b76467b6c18de46b568fc6bbb
SHA1 32f2645d087f2afaac348b48c07def1a7207af07
SHA256 8b8e5be5c2428ce62bf6c21a6efdd09cbb95057d955ed11e8faedf19856a43c5
SHA512 5075fafb2249cfb28370269d719d18e469e46e3d724ccf47869f2134de141075b4e3102b2108aab1237258b4f957c68d1089cf7db5846c3ea2c8d2afe93f6a56
