Malware Analysis Report

2025-03-15 08:03

Sample ID 240813-n6l6lsxanm
Target 2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat
SHA256 01163beabb86da264b02d1a1e6397870f547c03efec024bafdc90ce6b7c27dfa
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

01163beabb86da264b02d1a1e6397870f547c03efec024bafdc90ce6b7c27dfa

Threat Level: Known bad

The file 2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Cobalt Strike reflective loader

Cobaltstrike family

XMRig Miner payload

Cobaltstrike

xmrig

Xmrig family

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-13 12:00

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 12:00

Reported

2024-08-13 12:03

Platform

win7-20240708-en

Max time kernel

142s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\qsISCcJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DSAAZpx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vXESrBK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FADBjsj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\auduUjb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZKApZxV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tXVKTbc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WvmScha.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AokBrXx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FglVIKq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MhYHkNQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aYZYAPE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NFmWOiD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vSIxXzU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hBacXIy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bAYnMGo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AFfmXef.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mUvoJYo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yzuZupD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aiXjYJF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kNXQuCN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1592 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AFfmXef.exe
PID 1592 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FglVIKq.exe
PID 1592 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AokBrXx.exe
PID 1592 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MhYHkNQ.exe
PID 1592 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aYZYAPE.exe
PID 1592 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZKApZxV.exe
PID 1592 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NFmWOiD.exe
PID 1592 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qsISCcJ.exe
PID 1592 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kNXQuCN.exe
PID 1592 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tXVKTbc.exe
PID 1592 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mUvoJYo.exe
PID 1592 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vSIxXzU.exe
PID 1592 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WvmScha.exe
PID 1592 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yzuZupD.exe
PID 1592 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DSAAZpx.exe
PID 1592 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vXESrBK.exe
PID 1592 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FADBjsj.exe
PID 1592 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aiXjYJF.exe
PID 1592 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\auduUjb.exe
PID 1592 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hBacXIy.exe
PID 1592 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bAYnMGo.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\AFfmXef.exe

C:\Windows\System\AFfmXef.exe

C:\Windows\System\FglVIKq.exe

C:\Windows\System\FglVIKq.exe

C:\Windows\System\AokBrXx.exe

C:\Windows\System\AokBrXx.exe

C:\Windows\System\MhYHkNQ.exe

C:\Windows\System\MhYHkNQ.exe

C:\Windows\System\aYZYAPE.exe

C:\Windows\System\aYZYAPE.exe

C:\Windows\System\ZKApZxV.exe

C:\Windows\System\ZKApZxV.exe

C:\Windows\System\NFmWOiD.exe

C:\Windows\System\NFmWOiD.exe

C:\Windows\System\qsISCcJ.exe

C:\Windows\System\qsISCcJ.exe

C:\Windows\System\kNXQuCN.exe

C:\Windows\System\kNXQuCN.exe

C:\Windows\System\tXVKTbc.exe

C:\Windows\System\tXVKTbc.exe

C:\Windows\System\mUvoJYo.exe

C:\Windows\System\mUvoJYo.exe

C:\Windows\System\vSIxXzU.exe

C:\Windows\System\vSIxXzU.exe

C:\Windows\System\WvmScha.exe

C:\Windows\System\WvmScha.exe

C:\Windows\System\yzuZupD.exe

C:\Windows\System\yzuZupD.exe

C:\Windows\System\DSAAZpx.exe

C:\Windows\System\DSAAZpx.exe

C:\Windows\System\vXESrBK.exe

C:\Windows\System\vXESrBK.exe

C:\Windows\System\FADBjsj.exe

C:\Windows\System\FADBjsj.exe

C:\Windows\System\aiXjYJF.exe

C:\Windows\System\aiXjYJF.exe

C:\Windows\System\auduUjb.exe

C:\Windows\System\auduUjb.exe

C:\Windows\System\hBacXIy.exe

C:\Windows\System\hBacXIy.exe

C:\Windows\System\bAYnMGo.exe

C:\Windows\System\bAYnMGo.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/1592-0-0x000000013FF10000-0x0000000140261000-memory.dmp

memory/1592-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\AFfmXef.exe

MD5 44be54cf5e3993486158a83bcdd02fd8
SHA1 c671496de78847f5bb1f5aa46ab88a01b1e12856
SHA256 7487be41c9f6c87aa53b1b619745be6fe21dc84eb780363c44f1f77bc487efba
SHA512 836f795b25a50ad094b11bb2090a69d3084d20d3a48cca0c0913782b76e862909de5aa54c9fa43f3933b332ae259672d6b2fcc90d408ac1a22e1b497102470de

\Windows\system\FglVIKq.exe

MD5 6cb3cc052ebcf79daa06d00de214dc84
SHA1 084776bf8308e55fd73f35699ad0e60c40f2673f
SHA256 a0a434a4de01427d4294ab441fd2ef798e5a0788ea76ec2ef38017dd288e8f70
SHA512 549fbcaa11bda25a876818db49df80b3ff3d8e6b03d590002d34d272fe0072281ed6235c089a3d74965a6d1785e4537392f77aae0719ed7b407b907f06a51d20

C:\Windows\system\AokBrXx.exe

MD5 9ca15290e0774b6ac9a7f20e1729edcb
SHA1 02c53e55418ce1b8b716a0fea8f44d164112cbb1
SHA256 4fd6160e87da724e4cb3c5a0223433ee255615b8595f3b894c0f0e82b6aa26e7
SHA512 7fbf700261a80fd960a22102b82b0c54eb0c3f478d119e59babdea02564c4e471b7e66842baebaac182827cfde6cdda466f9be3dbbaad95cc00809c63d9def70

\Windows\system\MhYHkNQ.exe

MD5 ebc80d979708920736c4ca6540e767f0
SHA1 816b9278cc7ab4d0a9e43d5bf29bb79b6ec92ba1
SHA256 ee8b1c56d681657983b52b11b82c5e903185e68774bdf087679e5ccc1d714ae7
SHA512 bc9331de69444d10e285ab308417daabacd2f55b4bf6bfea01421023dc256b9a563d5db5fbcbb13a72bfde637f0bb3cc4043a932cd83681be6505dc9b8e0dff1

C:\Windows\system\aYZYAPE.exe

MD5 f17b90f8833a11c62fd2b4b84966d140
SHA1 0d894ef09ff3dbe4ebc7bdbd475e034215023c67
SHA256 03926fd71030e0db874e0b8f53f77ae6d7b0da9de4619cd6f308d16c5a09062d
SHA512 664c16fc0656ae2f9f8ad719eebcb90f9f476e36816c357b61306c23abdba67f0f79331c11be575addb0b8a05f643c3e98615f446c896735a9740b964a0b8b9d

C:\Windows\system\NFmWOiD.exe

MD5 798bb166376852f97602e17363bd8a76
SHA1 18cd028c9b723b43dc472520e0667c65f88223f1
SHA256 4eac4b7e7383dd436514f593aa7aafe06dccc9abe31211931d11587ba106135e
SHA512 c4375d64920cbecc6767c63854053872efb33e84ffabb728e386275abb76c7cbf428f692302ac226d2f5c2e0b4203209eb61fe2c8931ad1c8af8c629172137b9

C:\Windows\system\kNXQuCN.exe

MD5 6eb7cfa6bd3c866cb3b7c8fb6a147dbd
SHA1 ce9172883f21f13e1217f767800e1ae9fe8d2d3b
SHA256 3aad1a406553df12ed188edbc4345de8195b82eb126592e60347eb3dd072166f
SHA512 ed1c5938c3c86de303d4426faf29aed2246ec1b2bb4c5dd7491052a9e5488d63db67e240abb4025cfe84423915987d52455691a9a79e4de2436ab81ac8cf9c18

C:\Windows\system\mUvoJYo.exe

MD5 d6a5c415f692412b77a3a210a46a179a
SHA1 3db00286291cf4775e915cc0fb1d82a67da2c97c
SHA256 dc09fd2948d51c7fe5f22572d1a33b685dddd15a39e8a2c2ce14578908c7b20d
SHA512 b76b2d74e4a63b77ac7f8da01f0763a56838c29c9aea095b3eff0f086078f85f895cac58d57e8394dc4ac8e854a74273823bc1aaea3da32adf40e1129eab865c

C:\Windows\system\DSAAZpx.exe

MD5 cab065fa8d210ef46ff2cb0e07e4b9c6
SHA1 a3b01caa121f6d9f9ee3f75fb2193d5609356866
SHA256 f5fd9be516fb2dde3fa33e13c1c75c2632fc273d85b29ce94037af65bbe55e25
SHA512 9f20fe8fb5435967c5e30577ac4677a701a3eb23ed130228d87967e6a4b82afd2f67b3ef8b32db9d29bf42f87507619bd073d2f3f6036b321c43955ca0c14e76

C:\Windows\system\bAYnMGo.exe

MD5 da1cc3dba2743c36a0258b9da53d6581
SHA1 f627bbb4c6560314f7d658c28a48fb7f9a42853b
SHA256 bbb089c45e37ccb18a4a937d42b9f6900103442b9308783731c5e8b587abe718
SHA512 e657ca4db7ffd40ac9f250f8d0758500cb186c9c17519f3185f08822f337753886abf94607e9698ebe634427efcf1639c430c1ca10dc5e9dc7bf7e7a3673e287

C:\Windows\system\aiXjYJF.exe

MD5 d1af2125c91b60fef4f727e39a7c9f75
SHA1 98082b7289eb847fc163927bc051790da95bd081
SHA256 e3b9778900b527a6759747816e101fd20cb06ed4180d5f10207667e853a38ee2
SHA512 9dae5755da968b52923786287037bd879f105cffc18f94a36d2735baa465f6319894f88b71c6808d6f59ce4be993c36e2e940cb6fc0c5bb36d5dd3db89e22be4

\Windows\system\hBacXIy.exe

MD5 17c53dfc1752d0cc0730eade523bee92
SHA1 055a87ee27dc39929f2e985ae909edaf71f72b56
SHA256 feeb320e8511b124a705a1e7e877a3cbd23b2bf6c632d2da6bac64df2b365ed4
SHA512 cd7a90c0957be4e3933e33cb3442cc0df696821ad569323dee732cfcd36b0d7660031419f0ca0f2d6dba9370727021c9143fc3ef88505c20412eb22be40e3603

C:\Windows\system\auduUjb.exe

MD5 beb6148c4567acc04f045abedb0c298b
SHA1 537011d4dc8d3574d47c31984cb4a26fe6c370ca
SHA256 f9b9571045e1371954c3fcdcaf992c2362c9acfdd092251d44495e8844a408b3
SHA512 945f3b7e6d119a4527ea98f3bac02c9ddeedaca4605aba099d65e2ba6e1ec70af090e2cc78bc557b736b6aa188d29d37ac3a4ce9350866ee7e44374215444d02

memory/1592-107-0x000000013F650000-0x000000013F9A1000-memory.dmp

C:\Windows\system\FADBjsj.exe

MD5 e14b55ac4f2f43b551be38d1d0f1bac3
SHA1 0b9b2533f15b162ea5864aa834cde1f04b95e579
SHA256 9b0756cf70de48dd768a78bed3b07ae8a3994b91d6f6b07e0c5026f7069f8f3a
SHA512 94d260bcdcbddaa858a0406be7ab97395b47ab801f94997afc256b8ac8b90432378397eaa843b57c9ab1340d9bec6d620609e2918bcff0ef1f63390ece16981a

C:\Windows\system\vXESrBK.exe

MD5 1d897d965d68efe75eafb3a272cc29dc
SHA1 0559c55a612e5761c6b904cc0a318e3297ad2676
SHA256 32e79b72ff470930207c33e9d0123f8d5b0035d3222775313b3847fc2afbc791
SHA512 7f0967301fdefd8c15104e21b49abdac9104ebe0218a989fecfc961746b974442688b397e3b4e7e5b58fca7c0d35725c872a94e918de9e176f0a4ebebaef0d90

C:\Windows\system\yzuZupD.exe

MD5 3d4c709f28b2ab19785d449107b2964d
SHA1 d8906771414188c80c9192d2e3166a2a210e6e01
SHA256 e5df40e4047ad83f188056932a61d7797b56b2c0048a5a6b18f68f28cac1ec67
SHA512 23604281696f14f9052166de88302da6f1aa295caec368e080090d716d665c42da8f2da8ae009371330f1a72385e2f2cbc3508b709e6c05b689e6e22ff84ab52

C:\Windows\system\WvmScha.exe

MD5 8dae645ac54beca8fc05ac0e864a17e6
SHA1 e9a2728104c0e36371d30f45ded27e5df20cb179
SHA256 51e4ace5f0b497190d0087a61c707df308b247fc8c2324ac7b36ccdb2a716eb9
SHA512 fbaa512454c42398fbcef5a3085715cdddfdfa083c13f1ade630e290a5eb4fc823c8c8109d43eef6c92e725a52d95a51dcdd4a4c7e5eeb984b26b21cb2f5b236

C:\Windows\system\vSIxXzU.exe

MD5 ff87b2a48486499a006cebee03adc9cb
SHA1 6b0213840e48e333eeb9d1814717a90ad8082923
SHA256 1f63402c79fe87dd5053e568d03c1f5ad06c6339630526b94fe7db0bc2ba5575
SHA512 18c9de5e45556603bd50f6f970b63d91ce0893b14343e287500258c0886566b412cdbc801f259d475b6e820be7f9f4ea95302fef65fa08eed3f8b4e36b2e0ad8

C:\Windows\system\tXVKTbc.exe

MD5 195283c0c24222d2cd57f66fbe241f0c
SHA1 00f786fea1c69213173c080a7d46dc2db19f8a38
SHA256 e1c3ca5f863019995076500bbfc1d302063e1f331efefb69804711f153652ed3
SHA512 656840a39b6f26b58d24b8e9a02690d16e43ad6dffecfd27625260ded036fb568bdaf50d398c28f9066dc8fbbe8dd9081c572d0acc40f462e68ab2448c742403

C:\Windows\system\qsISCcJ.exe

MD5 7118df1574cced2c8d3f62fa2873dfa7
SHA1 49fc8a65cfcc148ea8092a8a6c2f41268c9fa63a
SHA256 afd9c9c134f48d9116fd27800cd4060b106a8293200b895c08ea5b3c56e4f561
SHA512 1462aa0bfeeffe0aa485c7d92cc3c03b9c203217a9151b9fec475015a64ace50c26fc37c596b21df6fd26054c6a3bbecb3f909ff0c9951948d0a4ef0077cb131

C:\Windows\system\ZKApZxV.exe

MD5 49e510881b1d1c3995b90c232dd31532
SHA1 b85d2f3939a8859bc02227700b71cdbe5269f30b
SHA256 5120f14edc54ffe34a4add44c113b28df29e9d26a2ba11198bb4ac7cb970be08
SHA512 9a1afc35287c2e16003ebdb914852c7250853e074e3c5e8ceeddc16b296f0c8c121667e5a6b1e31971aaaf81adf6ab78eea7740732b695812bcc4b96acefea5c

memory/2132-108-0x000000013F650000-0x000000013F9A1000-memory.dmp

memory/1592-110-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

memory/2196-109-0x000000013F760000-0x000000013FAB1000-memory.dmp

memory/2952-113-0x000000013F100000-0x000000013F451000-memory.dmp

memory/1592-112-0x000000013F100000-0x000000013F451000-memory.dmp

memory/2856-111-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

memory/2840-117-0x000000013FD90000-0x00000001400E1000-memory.dmp

memory/1592-116-0x0000000002320000-0x0000000002671000-memory.dmp

memory/2916-119-0x000000013FD20000-0x0000000140071000-memory.dmp

memory/2160-118-0x000000013FBE0000-0x000000013FF31000-memory.dmp

memory/812-115-0x000000013FB90000-0x000000013FEE1000-memory.dmp

memory/1592-122-0x000000013F930000-0x000000013FC81000-memory.dmp

memory/2888-125-0x000000013F7D0000-0x000000013FB21000-memory.dmp

memory/1592-124-0x000000013F7D0000-0x000000013FB21000-memory.dmp

memory/2836-130-0x000000013F360000-0x000000013F6B1000-memory.dmp

memory/1592-132-0x000000013F760000-0x000000013FAB1000-memory.dmp

memory/1592-131-0x000000013FA30000-0x000000013FD81000-memory.dmp

memory/1592-129-0x000000013F360000-0x000000013F6B1000-memory.dmp

memory/2736-128-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

memory/1592-127-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

memory/2992-126-0x000000013FEE0000-0x0000000140231000-memory.dmp

memory/1988-123-0x000000013F930000-0x000000013FC81000-memory.dmp

memory/2164-121-0x000000013F430000-0x000000013F781000-memory.dmp

memory/1592-120-0x000000013F430000-0x000000013F781000-memory.dmp

memory/1592-114-0x000000013FB90000-0x000000013FEE1000-memory.dmp

memory/1592-133-0x000000013FF10000-0x0000000140261000-memory.dmp

memory/2760-148-0x000000013FA30000-0x000000013FD81000-memory.dmp

memory/1928-154-0x000000013FD30000-0x0000000140081000-memory.dmp

memory/1868-153-0x000000013F640000-0x000000013F991000-memory.dmp

memory/1040-151-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

memory/936-150-0x000000013F680000-0x000000013F9D1000-memory.dmp

memory/1460-149-0x000000013FCA0000-0x000000013FFF1000-memory.dmp

memory/2580-152-0x000000013FA40000-0x000000013FD91000-memory.dmp

memory/1592-155-0x000000013FF10000-0x0000000140261000-memory.dmp

memory/1592-177-0x000000013FF10000-0x0000000140261000-memory.dmp

memory/2132-223-0x000000013F650000-0x000000013F9A1000-memory.dmp

memory/2160-225-0x000000013FBE0000-0x000000013FF31000-memory.dmp

memory/2856-227-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

memory/2164-229-0x000000013F430000-0x000000013F781000-memory.dmp

memory/2888-231-0x000000013F7D0000-0x000000013FB21000-memory.dmp

memory/812-233-0x000000013FB90000-0x000000013FEE1000-memory.dmp

memory/2736-237-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

memory/2840-245-0x000000013FD90000-0x00000001400E1000-memory.dmp

memory/2836-253-0x000000013F360000-0x000000013F6B1000-memory.dmp

memory/2992-251-0x000000013FEE0000-0x0000000140231000-memory.dmp

memory/1988-249-0x000000013F930000-0x000000013FC81000-memory.dmp

memory/2916-247-0x000000013FD20000-0x0000000140071000-memory.dmp

memory/2952-243-0x000000013F100000-0x000000013F451000-memory.dmp

memory/2196-241-0x000000013F760000-0x000000013FAB1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 12:00

Reported

2024-08-13 12:03

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows in the export; no per-indicator detail is recorded for this signature)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (45 identical rows in the export; no per-indicator detail is recorded for this signature)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows in the export; no per-indicator detail is recorded for this signature)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\DpzRpFX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XijGyQN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uylyUEZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MDkWzcN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nugCURF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jfLgIhA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bcfdnWq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IztOzef.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vsEnLhC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\feBqgaT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wlIGUMD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SPfVKuf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ugCRFpK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FyeTdfF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WBRkNNW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LcdHSCB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yzOTVxz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mqXfacP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JgbNwLj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dEKewnM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aFAEAUa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DpzRpFX.exe
PID 2972 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DpzRpFX.exe
PID 2972 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SPfVKuf.exe
PID 2972 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SPfVKuf.exe
PID 2972 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jfLgIhA.exe
PID 2972 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jfLgIhA.exe
PID 2972 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ugCRFpK.exe
PID 2972 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ugCRFpK.exe
PID 2972 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yzOTVxz.exe
PID 2972 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yzOTVxz.exe
PID 2972 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bcfdnWq.exe
PID 2972 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bcfdnWq.exe
PID 2972 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XijGyQN.exe
PID 2972 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XijGyQN.exe
PID 2972 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IztOzef.exe
PID 2972 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IztOzef.exe
PID 2972 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mqXfacP.exe
PID 2972 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mqXfacP.exe
PID 2972 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FyeTdfF.exe
PID 2972 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FyeTdfF.exe
PID 2972 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JgbNwLj.exe
PID 2972 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JgbNwLj.exe
PID 2972 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vsEnLhC.exe
PID 2972 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vsEnLhC.exe
PID 2972 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dEKewnM.exe
PID 2972 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dEKewnM.exe
PID 2972 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aFAEAUa.exe
PID 2972 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aFAEAUa.exe
PID 2972 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uylyUEZ.exe
PID 2972 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uylyUEZ.exe
PID 2972 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MDkWzcN.exe
PID 2972 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MDkWzcN.exe
PID 2972 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WBRkNNW.exe
PID 2972 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WBRkNNW.exe
PID 2972 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\feBqgaT.exe
PID 2972 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\feBqgaT.exe
PID 2972 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LcdHSCB.exe
PID 2972 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LcdHSCB.exe
PID 2972 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wlIGUMD.exe
PID 2972 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wlIGUMD.exe
PID 2972 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nugCURF.exe
PID 2972 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nugCURF.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\DpzRpFX.exe

C:\Windows\System\DpzRpFX.exe

C:\Windows\System\SPfVKuf.exe

C:\Windows\System\SPfVKuf.exe

C:\Windows\System\jfLgIhA.exe

C:\Windows\System\jfLgIhA.exe

C:\Windows\System\ugCRFpK.exe

C:\Windows\System\ugCRFpK.exe

C:\Windows\System\yzOTVxz.exe

C:\Windows\System\yzOTVxz.exe

C:\Windows\System\bcfdnWq.exe

C:\Windows\System\bcfdnWq.exe

C:\Windows\System\XijGyQN.exe

C:\Windows\System\XijGyQN.exe

C:\Windows\System\IztOzef.exe

C:\Windows\System\IztOzef.exe

C:\Windows\System\mqXfacP.exe

C:\Windows\System\mqXfacP.exe

C:\Windows\System\FyeTdfF.exe

C:\Windows\System\FyeTdfF.exe

C:\Windows\System\JgbNwLj.exe

C:\Windows\System\JgbNwLj.exe

C:\Windows\System\vsEnLhC.exe

C:\Windows\System\vsEnLhC.exe

C:\Windows\System\dEKewnM.exe

C:\Windows\System\dEKewnM.exe

C:\Windows\System\aFAEAUa.exe

C:\Windows\System\aFAEAUa.exe

C:\Windows\System\uylyUEZ.exe

C:\Windows\System\uylyUEZ.exe

C:\Windows\System\MDkWzcN.exe

C:\Windows\System\MDkWzcN.exe

C:\Windows\System\WBRkNNW.exe

C:\Windows\System\WBRkNNW.exe

C:\Windows\System\feBqgaT.exe

C:\Windows\System\feBqgaT.exe

C:\Windows\System\LcdHSCB.exe

C:\Windows\System\LcdHSCB.exe

C:\Windows\System\wlIGUMD.exe

C:\Windows\System\wlIGUMD.exe

C:\Windows\System\nugCURF.exe

C:\Windows\System\nugCURF.exe

Network

Country  Destination         Domain                         Proto
US       8.8.8.8:53          8.8.8.8.in-addr.arpa           udp
US       8.8.8.8:53          241.150.49.20.in-addr.arpa     udp
US       8.8.8.8:53          172.214.232.199.in-addr.arpa   udp
US       8.8.8.8:53          148.177.190.20.in-addr.arpa    udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa    udp
DE       3.120.209.58:8080   -                              tcp
US       8.8.8.8:53          g.bing.com                     udp
US       204.79.197.237:443  g.bing.com                     tcp
US       8.8.8.8:53          104.219.191.52.in-addr.arpa    udp
US       8.8.8.8:53          237.197.79.204.in-addr.arpa    udp
US       8.8.8.8:53          26.35.223.20.in-addr.arpa      udp
US       8.8.8.8:53          28.118.140.52.in-addr.arpa     udp
US       8.8.8.8:53          171.39.242.20.in-addr.arpa     udp
US       8.8.8.8:53          103.169.127.40.in-addr.arpa    udp
US       8.8.8.8:53          192.142.123.92.in-addr.arpa    udp
DE       3.120.209.58:8080   -                              tcp
DE       3.120.209.58:8080   -                              tcp
DE       3.120.209.58:8080   -                              tcp
US       8.8.8.8:53          22.58.20.217.in-addr.arpa      udp
US       8.8.8.8:53          30.243.111.52.in-addr.arpa     udp
US       8.8.8.8:53          tse1.mm.bing.net               udp
US       150.171.27.10:443   tse1.mm.bing.net               tcp
US       150.171.27.10:443   tse1.mm.bing.net               tcp
US       150.171.27.10:443   tse1.mm.bing.net               tcp
US       150.171.27.10:443   tse1.mm.bing.net               tcp
US       150.171.27.10:443   tse1.mm.bing.net               tcp
US       8.8.8.8:53          55.36.223.20.in-addr.arpa      udp
DE       3.120.209.58:8080   -                              tcp
DE       3.120.209.58:8080   -                              tcp

A dash in the Domain column means the connection went straight to the IP with no DNS resolution recorded for it. The reverse-DNS (in-addr.arpa) queries to 8.8.8.8 and the g.bing.com / tse1.mm.bing.net traffic are ordinary Windows 10 sandbox background activity; the six direct TCP connections to 3.120.209.58:8080 are the only destinations in this run that cannot be attributed to that background, so they are the network indicator to pivot on.

Files

memory/2972-0-0x00007FF792A70000-0x00007FF792DC1000-memory.dmp

memory/2972-1-0x000001B91B110000-0x000001B91B120000-memory.dmp

C:\Windows\System\DpzRpFX.exe

MD5 556455919c95b65d1824b7fefce232d6
SHA1 5c410cd1784cdf175049ad85b51a2bdcd0172f9e
SHA256 573782662f953c6965c5811a22daef913e02ffa0c36b49685367cf7db1313aaa
SHA512 7aa2b1b8efb1fff5e0a43ef7e550049f385e94ebb80a7946fe1fa00e15614d91faf9271438ab55b126ac1ba6d7d3d7dc8b1043d76a111aff14e664c0b28b6050

memory/1836-7-0x00007FF66C6D0000-0x00007FF66CA21000-memory.dmp

C:\Windows\System\jfLgIhA.exe

MD5 a7b8ef72b439c325fee8926449f51017
SHA1 937c00e099464f7646c93929441da01ff5454d51
SHA256 aef9a0982c5da146fcf15a58ec8afa85536d35acab5ab2d78007a58036350760
SHA512 8ed1d2d2f83eb71f7841dbafba78b6090b1493cd6c9934c948c7fcfd986156287976820bb79bb92854407845b72f47f0c6de7b638edc9ac81fd67f387b14e7b7

memory/752-17-0x00007FF6F7DF0000-0x00007FF6F8141000-memory.dmp

memory/1664-18-0x00007FF6D3960000-0x00007FF6D3CB1000-memory.dmp

C:\Windows\System\ugCRFpK.exe

MD5 74e3bd1e09680c13ed9c824807d8685f
SHA1 ad9971158333aafc6743d8d60cbec0de43574490
SHA256 6d458f5ac8b39b3cb214e987dcb1a41fd2e4f43efb62aef7487de7623f222cd8
SHA512 fb0118715e4b210f4ba479370d3f61c8d46cbbfd564653795b9c295109c517dbf4e5bdd6b44a0165c44b8611bb2d203ab4d14a0d6be946dd467d25f28d76dd20

memory/3712-25-0x00007FF625700000-0x00007FF625A51000-memory.dmp

C:\Windows\System\yzOTVxz.exe

MD5 70d1314b4acb271c9b0f1d057a69c9e3
SHA1 4ab2c9f431acd90f0e5394607e4bd30648eb1a3b
SHA256 a2ab6a52848522b0638a1237f455fbb048ab320bae9d97cd38edf25cae80c4cf
SHA512 f93a3aead4617a1d42a6efe6b769ff2ef8bfcbdf4dff86775513106ba54ccfe3de06e3b761ce76fc570ce0939ce59efeec0f2538a380641bf1a6f796b122980a

C:\Windows\System\bcfdnWq.exe

MD5 f1b586fef9bc6fdc1557c5c2496e956d
SHA1 b285326f7d73249e054e4bc0f1d362008aeaa52c
SHA256 7120d9d00bbb5df2a84dfea9815deb7fa233132d1bc30cd5eb08a47eda6b46cd
SHA512 c4f8b7d31e1825825ae9b27a2cccfa9d1830eae626939c6d0fdb52a61dfb6f8934dd8e7c493dd224824281a2179d257c7496b6003f977cae13d40ad9f5aa850a

C:\Windows\System\XijGyQN.exe

MD5 40f9c3b248f644b0a0426586656c9e5e
SHA1 f8bbdd9e2183c4bad83c26f7bd7e5ed2235924e5
SHA256 73f96b957cdf4380f9c6dd9ff2189e251fef782d7f82226f5196c949f674d59f
SHA512 f80557e7dc7005763c9dbe5eec6249ef7557f74d512025b68ec5af5e69b5be612829bcf697146bcb96fa3c9d436b99a41d9913e27e90c87cabd39da48f650207

memory/644-44-0x00007FF774FB0000-0x00007FF775301000-memory.dmp

memory/3132-36-0x00007FF66DC60000-0x00007FF66DFB1000-memory.dmp

memory/4244-35-0x00007FF6F7350000-0x00007FF6F76A1000-memory.dmp

C:\Windows\System\SPfVKuf.exe

MD5 b64f186d85e377c60dedb6abe0991887
SHA1 6160f13676a96d8b7f32061c75f3badc2b4583d5
SHA256 f971680ad5b64e95132ca9b7c93c7ab3a18c6a786991df35ef22fa21a54cde84
SHA512 df1134f4e83aa5b7a068dfbb11758244dffd87fcaf54c2d2f17c6fd41c44b77574cfc9922391c476b14b41f40261b931ea52e57c04fdba24da8aa5f2fc9d06b5

C:\Windows\System\mqXfacP.exe

MD5 cff0485935e3fec1347c10b6644260ea
SHA1 f79db998fb0c74ba7cfdf15469556ae3c61bb399
SHA256 5997738c6f8dc8137ee8eaf14bd1baf5ebb2eb1cb6dda3489d040d9bd58ac2d5
SHA512 03a8ce8fe7fb2a0c7f0b67f4196292e6c5520193699a67d335f0afe99140370ffec5bab8c8e296c3d4f8d9c6e9d34472673cccfc6e59211fbefe00160a8e3461

C:\Windows\System\FyeTdfF.exe

MD5 91eb368eaa5963565ef4dccf76255e3e
SHA1 5be292ae6863a86569ffa5f10bd02588a19e686a
SHA256 14263d8a00d7b250d914e67f48a4fe033a7e95d53be97e6d4bca571d053679f1
SHA512 12b258123537cac0b5c835cfa4947efb767cf76aedd20b55d1ba2ac063a58137813c65da5356b6ed1f59729e332042cd79d4d58a859b7ff94d8652a43c838275

memory/1036-60-0x00007FF6BBA60000-0x00007FF6BBDB1000-memory.dmp

memory/2888-58-0x00007FF6459C0000-0x00007FF645D11000-memory.dmp

C:\Windows\System\JgbNwLj.exe

MD5 4938a25f0581fa6030005ea1b5a47428
SHA1 c66643cda141e8cd797e5537e3e0556d5d7e412d
SHA256 4812132626fc47ecbeaf2a986f3c029c97cd14117b81c827f63b26c6239341a9
SHA512 6360d403dee70145905e8b18026aebd35349182bbf1e163d65e15747aa6be46a5e8ebe30e1bc33e4001c8f63dab6eac3e877139621a43bb8cb0a6cfc326ec160

C:\Windows\System\aFAEAUa.exe

MD5 f8285ea6b476611c3bd204e25bf67feb
SHA1 2f0d8b74aa6c19bb54e719ea07412f159571cc48
SHA256 ac6144b0a697ca554503ed39698392e6b817872b63f9d031940fd416a5c74270
SHA512 fdaa0494186a58a93631317f086b09c8645a06425d7430ec51ca7da192000f45e46fb993a249ac36de77dca7585c88c3ffbd09795f232e479e280fe178cab4d8

C:\Windows\System\uylyUEZ.exe

MD5 bc8d31d5c93799387cd2a4e1ff657544
SHA1 02a1f5de3c23f48e156bf14efc852bece7e1b5b3
SHA256 f1ea55643a508251177ffa3f9ed8db74e32de11b47ade6eccfecc2849824f821
SHA512 b24c82abed74d55de97d59cad15ebbb30f0b1df35dc4d6f0e18a17d2a25e44c1c59f90df75724299a0b0c50aa8ac5f4917d6c4401fad0e4e68adc7df9df53ffc

C:\Windows\System\MDkWzcN.exe

MD5 10fe68d1fd6cb0e086de6b06095d4adb
SHA1 f3eeb2d52a525c70b3d101adae47ee85a0668b17
SHA256 185c24c293b1002314e6ec852b88ecf9f3ee23705eb213e3385d24f1c80f8ca6
SHA512 f59bec2ad985b6dd05953249d44c26d0984f9c0f00c2239ca6ae889305db4da4d0ddc56f163cff3c1ce7391e61b7d1c6a6290849b4c88f68e84826d6dd0a9af5

C:\Windows\System\LcdHSCB.exe

MD5 7b8c6ea6c26cbfb34d05f121d1359e98
SHA1 8c34c5e48e82a0829ff854cb53672119d8dd054d
SHA256 013c7a05db82ddd25afcecc47542a2ecc5275892c0190fd109097f5241ac2567
SHA512 9b0bca63d3ba7c375d808f2aa908d981833fb840c044e209c8940142b0b7fd8c945cafe4ba44e4eed1b27b9ac8b639376cee31f90c314d9f44c2ca81b1596c88

C:\Windows\System\wlIGUMD.exe

MD5 0da105070592c1d1253d25e17938ad47
SHA1 6829331063b2b23e22721aad4cc0a0c5efe21e8c
SHA256 35e36c9b3746202121953bdd21096a7c1bd31999274c226f246842735e30165a
SHA512 4cbf5d20dfea95484f3902ae5c65e25c665e12f844fdfb37bac01b05640f82c72d5f47fe2f3057cf7cadd5e744ed5fb5c673905194417b5581e29496a153f465

C:\Windows\System\nugCURF.exe

MD5 b242330e1d73f666804e19cab94b7cb6
SHA1 4df34bcc3bda769151a0d57ea343f0ca4b46f85a
SHA256 a02274c55ba8e511e7f8f23305bf55c61cc1a956a0d55f348a45a70a590f1c45
SHA512 bbdb8597c69ddc8d8c1ce3a930792c2fb077eb7e51a451862b13a99653c57939f43ec67910999fc5c982efe5c020f5ed5dd5ee22e680ca2520c50e1453e0a9eb

C:\Windows\System\feBqgaT.exe

MD5 f41b460c2d5243463fff8c1855343428
SHA1 05a461a493cb0e7518f2935d81513e075d2795cb
SHA256 f823836439ff5b4c9194944040a74557d533b95c7b482729bfaccb911a18a6e5
SHA512 2a05cbb7ee9041c09dd73016e55666dd29eb9d6a3bb971780d50cc0cd056657816090f0a4b9792fc4461ee5703d5b0c7fb8aba3b4bfe2f30137e51e1ae02fefb

C:\Windows\System\WBRkNNW.exe

MD5 799ae0c559e44d60aa0c2592e83468dc
SHA1 8e40bed6898688ea6f8a8d5ce6bb4fe49746ca58
SHA256 6610113afa28c74d19b9efb80cab1c3991c17ef33ab4f64c4c76c54bd88cc5cb
SHA512 0a4cbc547f7dfd06f616b8ca8917ffd3c2be25e0da1ac0be1f965e393cacb73d1cc08be8c26a7c820c3a293f281b75a74564454d969240f2fd797287e810ebae

C:\Windows\System\dEKewnM.exe

MD5 08e8813a3131889b136db4cf542654d4
SHA1 70b2168539abc7967826321b63bfc673d0d0be75
SHA256 3b9c71697178b1900db69991c6a10a389c6b302dee19ad6b581ae80f5f2122ff
SHA512 8e64e39e686a481600d591ef394cb45ff0cb5c32cc6afdf6443112d48afdb1caf0d827451d2ba1d00d9c31af36b878cbd972294e245c9c80cd268a3bafb94cc7

C:\Windows\System\vsEnLhC.exe

MD5 6411cf12469b9584cbb3fdf8f0420fcb
SHA1 382fdf03f9fcf0002a4427eb44503b1f8339e27d
SHA256 4f1e1932aab5409ee8614648fb37c3bb97d6d858b97123ff6ca60cbad6db50e7
SHA512 6fe1ac897805b38755512b0665963eaab6c3cb63636a01815b4dc08ed3060f5a9ff0c5a8221e01637c29cf1bc0ad731c20ce83eb626544349171b45760680a08

C:\Windows\System\IztOzef.exe

MD5 9c87b2f45a8fd895598fa64b724fc0a1
SHA1 0b539192c9f2135803e227db532b60c0bfa6cdfa
SHA256 b3c8a9ef8ef4c8a15e14fb54cb92933d00506a6c7fdb9133f05f85ea1557cc94
SHA512 016aa0b7a1c294810d6217d4681f9e65acfea9c290bd8203305ccb84aa85d08152d0aaef6b72368d5cd8ba54f4945c9ed0e930e4d56a332f2c2df12d28616858

memory/1708-48-0x00007FF7BCA60000-0x00007FF7BCDB1000-memory.dmp

memory/2972-117-0x00007FF792A70000-0x00007FF792DC1000-memory.dmp

memory/4412-120-0x00007FF75D3C0000-0x00007FF75D711000-memory.dmp

memory/2604-124-0x00007FF6285F0000-0x00007FF628941000-memory.dmp

memory/32-123-0x00007FF754750000-0x00007FF754AA1000-memory.dmp

memory/3700-125-0x00007FF6F82D0000-0x00007FF6F8621000-memory.dmp

memory/1252-122-0x00007FF72A4D0000-0x00007FF72A821000-memory.dmp

memory/1292-126-0x00007FF7981A0000-0x00007FF7984F1000-memory.dmp

memory/4216-127-0x00007FF640560000-0x00007FF6408B1000-memory.dmp

memory/2420-121-0x00007FF68D880000-0x00007FF68DBD1000-memory.dmp

memory/2644-118-0x00007FF764120000-0x00007FF764471000-memory.dmp

memory/3488-119-0x00007FF7A5F80000-0x00007FF7A62D1000-memory.dmp

memory/4652-128-0x00007FF7326C0000-0x00007FF732A11000-memory.dmp

memory/1664-132-0x00007FF6D3960000-0x00007FF6D3CB1000-memory.dmp

memory/1708-137-0x00007FF7BCA60000-0x00007FF7BCDB1000-memory.dmp

memory/3132-135-0x00007FF66DC60000-0x00007FF66DFB1000-memory.dmp

memory/3712-133-0x00007FF625700000-0x00007FF625A51000-memory.dmp

memory/752-131-0x00007FF6F7DF0000-0x00007FF6F8141000-memory.dmp

memory/1836-130-0x00007FF66C6D0000-0x00007FF66CA21000-memory.dmp

memory/2972-129-0x00007FF792A70000-0x00007FF792DC1000-memory.dmp

memory/1036-139-0x00007FF6BBA60000-0x00007FF6BBDB1000-memory.dmp

memory/2972-151-0x00007FF792A70000-0x00007FF792DC1000-memory.dmp

memory/1836-199-0x00007FF66C6D0000-0x00007FF66CA21000-memory.dmp

memory/752-201-0x00007FF6F7DF0000-0x00007FF6F8141000-memory.dmp

memory/1664-203-0x00007FF6D3960000-0x00007FF6D3CB1000-memory.dmp

memory/4244-205-0x00007FF6F7350000-0x00007FF6F76A1000-memory.dmp

memory/3132-208-0x00007FF66DC60000-0x00007FF66DFB1000-memory.dmp

memory/3712-209-0x00007FF625700000-0x00007FF625A51000-memory.dmp

memory/644-211-0x00007FF774FB0000-0x00007FF775301000-memory.dmp

memory/1708-213-0x00007FF7BCA60000-0x00007FF7BCDB1000-memory.dmp

memory/2888-215-0x00007FF6459C0000-0x00007FF645D11000-memory.dmp

memory/2644-218-0x00007FF764120000-0x00007FF764471000-memory.dmp

memory/1036-219-0x00007FF6BBA60000-0x00007FF6BBDB1000-memory.dmp

memory/4412-224-0x00007FF75D3C0000-0x00007FF75D711000-memory.dmp

memory/3488-225-0x00007FF7A5F80000-0x00007FF7A62D1000-memory.dmp

memory/2420-223-0x00007FF68D880000-0x00007FF68DBD1000-memory.dmp

memory/3700-234-0x00007FF6F82D0000-0x00007FF6F8621000-memory.dmp

memory/32-238-0x00007FF754750000-0x00007FF754AA1000-memory.dmp

memory/4652-239-0x00007FF7326C0000-0x00007FF732A11000-memory.dmp

memory/2604-236-0x00007FF6285F0000-0x00007FF628941000-memory.dmp

memory/1292-232-0x00007FF7981A0000-0x00007FF7984F1000-memory.dmp

memory/4216-229-0x00007FF640560000-0x00007FF6408B1000-memory.dmp

memory/1252-228-0x00007FF72A4D0000-0x00007FF72A821000-memory.dmp
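The "Drops file in Windows directory", "Suspicious use of WriteProcessMemory", "Network" and "Files" sections above are the actionable part of this report, but the flattened export is awkward to hunt from by hand. The script below is an added example, not part of the original report or of any sandbox vendor's tooling: it parses those four table layouts into a set of dropped paths, a deduplicated parent/child process tree, a list of per-file hashes and a filtered list of non-background network destinations, then matches a host file inventory against them. REPORT is a constructed excerpt in the page's own layout (the dropped-file names and hashes are copied from the report; the sample's own path is shortened to sample.exe for readability), HOST_FILES is a constructed inventory, and the background-traffic filter is an assumption about sandbox noise, not something the report states.

```python
"""IOC extraction from a flattened Triage-style sandbox report (added example)."""
import re
from collections import defaultdict

# Constructed excerpt in the report's plain-text layout; names/hashes are from the page,
# the sample path is shortened to sample.exe.
REPORT = r"""
File created C:\Windows\System\DpzRpFX.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Windows\System\SPfVKuf.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
PID 2972 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\DpzRpFX.exe
PID 2972 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\DpzRpFX.exe
PID 2972 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\SPfVKuf.exe
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 204.79.197.237:443 g.bing.com tcp
DE 3.120.209.58:8080 tcp
C:\Windows\System\DpzRpFX.exe
MD5 556455919c95b65d1824b7fefce232d6
SHA1 5c410cd1784cdf175049ad85b51a2bdcd0172f9e
SHA256 573782662f953c6965c5811a22daef913e02ffa0c36b49685367cf7db1313aaa
C:\Windows\System\SPfVKuf.exe
MD5 b64f186d85e377c60dedb6abe0991887
SHA256 f971680ad5b64e95132ca9b7c93c7ab3a18c6a786991df35ef22fa21a54cde84
"""

FILE_CREATED = re.compile(r"^File created\s+(\S+)\s+(\S+)\s+\S+$")
WROTE_MEMORY = re.compile(r"^PID\s+(\d+)\s+wrote to memory of\s+(\d+)\s+\S+\s+(\S+)\s+(\S+)$")
NETWORK = re.compile(r"^([A-Z]{2})\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?:\s+(\S+))?\s+(tcp|udp)$")
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
PATH_LINE = re.compile(r"^[A-Za-z]:\\\S+$")  # a bare path line opens a hash block


def parse_report(text):
    """Parse the four table layouts into dropped paths, process edges, network rows, hashes."""
    dropped, edges, network = set(), set(), []
    hashes = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := FILE_CREATED.match(line):
            dropped.add(m.group(1))
        elif m := WROTE_MEMORY.match(line):
            # The report lists each parent/child pair more than once; a set dedups it.
            edges.add((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
        elif m := NETWORK.match(line):
            cc, ip, port, domain, proto = m.groups()
            domain = None if domain in (None, "-") else domain
            network.append({"cc": cc, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
        elif PATH_LINE.match(line):
            current = line
        elif (m := HASH_LINE.match(line)) and current:
            hashes[current][m.group(1)] = m.group(2).lower()
    return {"dropped": dropped, "edges": edges, "network": network, "hashes": dict(hashes)}


BACKGROUND_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")


def is_background(entry):
    """Assumption: reverse-DNS via the sandbox resolver and Bing hosts are environment noise."""
    domain = entry["domain"] or ""
    return domain.endswith(BACKGROUND_SUFFIXES) or (entry["ip"] == "8.8.8.8" and entry["port"] == 53)


def suspicious_destinations(parsed):
    """Unique ip:port/proto values left after the background filter."""
    return sorted({f'{e["ip"]}:{e["port"]}/{e["proto"]}' for e in parsed["network"] if not is_background(e)})


def process_tree(parsed):
    """Map each writing (parent) PID to the sorted PIDs it wrote into."""
    tree = defaultdict(set)
    for parent, child, _, _ in parsed["edges"]:
        tree[parent].add(child)
    return {p: sorted(c) for p, c in tree.items()}


# Constructed host inventory: one exact hash hit, one path-only hit, one clean file.
HOST_FILES = {
    r"C:\Windows\System\DpzRpFX.exe": "573782662f953c6965c5811a22daef913e02ffa0c36b49685367cf7db1313aaa",
    r"C:\Windows\System\spfvkuf.exe": "0000000000000000000000000000000000000000000000000000000000000000",
    r"C:\Windows\System32\notepad.exe": "1111111111111111111111111111111111111111111111111111111111111111",
}


def match_host_files(parsed, host_files):
    """'sha256' hits are definitive; 'path' hits mean something sits at a dropped-file
    path with a different hash (other build or overwritten) and should be pulled for triage."""
    known = {h["SHA256"]: p for p, h in parsed["hashes"].items() if "SHA256" in h}
    dropped = {p.lower() for p in parsed["dropped"]}
    hits = []
    for path, sha in host_files.items():
        if sha.lower() in known:
            hits.append((path, "sha256"))
        elif path.lower() in dropped:
            hits.append((path, "path"))
    return hits


if __name__ == "__main__":
    parsed = parse_report(REPORT)
    print("dropped:", sorted(parsed["dropped"]))
    print("process tree:", process_tree(parsed))
    print("destinations:", suspicious_destinations(parsed))
    print("host hits:", match_host_files(parsed, HOST_FILES))
```

Feed the whole report text to parse_report to get the full twenty-one dropped paths and their hashes; the path-only match is deliberate, because the dropped-file names in this run are fresh per execution and a hash-only hunt would miss a different build dropped at the same location.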