Malware Analysis Report

2025-03-15 07:59

Sample ID 240813-nv5tks1fkd
Target 2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat
SHA256 2d3d97108248501501a50bca14fe49033b01ea61000a986e247a74e19886641a
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

2d3d97108248501501a50bca14fe49033b01ea61000a986e247a74e19886641a

Threat Level: Known bad

The file 2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike

xmrig

Cobalt Strike reflective loader

Cobaltstrike family

XMRig Miner payload

Xmrig family

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-13 11:44

Signatures

Cobalt Strike reflective loader

Hits: 1 (no description, indicator, process or target recorded)

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Hits: 1 (no description, indicator, process or target recorded)

Xmrig family

xmrig

UPX packed file

upx
Hits: 1 (no description, indicator, process or target recorded)

Unsigned PE

Hits: 2 (no description, indicator, process or target recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 11:44

Reported

2024-08-13 11:46

Platform

win7-20240729-en

Max time kernel

140s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Hits: 21 (no description, indicator, process or target recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Hits: 43 (no description, indicator, process or target recorded)

Loads dropped DLL

Hits: 21, all attributed to process C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe (no description, indicator or target recorded)

UPX packed file

upx
Hits: 63 (no description, indicator, process or target recorded)

Drops file in Windows directory

Description: File created. Process: C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe for all 21 rows. Target: not recorded. Indicator (file created):

C:\Windows\System\HkioJEK.exe
C:\Windows\System\ympVetG.exe
C:\Windows\System\CjVDanh.exe
C:\Windows\System\cEOClmK.exe
C:\Windows\System\eCxigzf.exe
C:\Windows\System\rEeFuNX.exe
C:\Windows\System\wVCPLEw.exe
C:\Windows\System\DegmnkV.exe
C:\Windows\System\OLuwVwy.exe
C:\Windows\System\eoIwBqe.exe
C:\Windows\System\OPuaPtE.exe
C:\Windows\System\kThslTw.exe
C:\Windows\System\dzaUaps.exe
C:\Windows\System\IqmXrnA.exe
C:\Windows\System\qHiIMqW.exe
C:\Windows\System\hBtHmXL.exe
C:\Windows\System\mPwoeAE.exe
C:\Windows\System\hpbMBpO.exe
C:\Windows\System\yNERitU.exe
C:\Windows\System\lMNxWfo.exe
C:\Windows\System\ezNAFez.exe

Suspicious use of WriteProcessMemory

Source process for every row: PID 2540, C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe. The sandbox logged exactly three writes into each child, so the 63 original rows are collapsed to one row per child. Indicator: not recorded.

Target PID  Target Process                  Writes
2892        C:\Windows\System\hBtHmXL.exe   3
2732        C:\Windows\System\cEOClmK.exe   3
2100        C:\Windows\System\mPwoeAE.exe   3
2812        C:\Windows\System\hpbMBpO.exe   3
2736        C:\Windows\System\eCxigzf.exe   3
2640        C:\Windows\System\eoIwBqe.exe   3
2916        C:\Windows\System\OPuaPtE.exe   3
2716        C:\Windows\System\kThslTw.exe   3
2616        C:\Windows\System\HkioJEK.exe   3
1640        C:\Windows\System\ympVetG.exe   3
2656        C:\Windows\System\CjVDanh.exe   3
2212        C:\Windows\System\dzaUaps.exe   3
1444        C:\Windows\System\yNERitU.exe   3
2272        C:\Windows\System\lMNxWfo.exe   3
1676        C:\Windows\System\ezNAFez.exe   3
2664        C:\Windows\System\IqmXrnA.exe   3
2792        C:\Windows\System\qHiIMqW.exe   3
2864        C:\Windows\System\rEeFuNX.exe   3
844         C:\Windows\System\wVCPLEw.exe   3
956         C:\Windows\System\DegmnkV.exe   3
1364        C:\Windows\System\OLuwVwy.exe   3

Processes

PID 2540  C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe"
  children (each launched with its own path as the command line; PIDs taken from the WriteProcessMemory table):
  PID 2892  C:\Windows\System\hBtHmXL.exe
  PID 2732  C:\Windows\System\cEOClmK.exe
  PID 2100  C:\Windows\System\mPwoeAE.exe
  PID 2812  C:\Windows\System\hpbMBpO.exe
  PID 2736  C:\Windows\System\eCxigzf.exe
  PID 2640  C:\Windows\System\eoIwBqe.exe
  PID 2916  C:\Windows\System\OPuaPtE.exe
  PID 2716  C:\Windows\System\kThslTw.exe
  PID 2616  C:\Windows\System\HkioJEK.exe
  PID 1640  C:\Windows\System\ympVetG.exe
  PID 2656  C:\Windows\System\CjVDanh.exe
  PID 2212  C:\Windows\System\dzaUaps.exe
  PID 1444  C:\Windows\System\yNERitU.exe
  PID 2272  C:\Windows\System\lMNxWfo.exe
  PID 1676  C:\Windows\System\ezNAFez.exe
  PID 2664  C:\Windows\System\IqmXrnA.exe
  PID 2792  C:\Windows\System\qHiIMqW.exe
  PID 2864  C:\Windows\System\rEeFuNX.exe
  PID 844   C:\Windows\System\wVCPLEw.exe
  PID 956   C:\Windows\System\DegmnkV.exe
  PID 1364  C:\Windows\System\OLuwVwy.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (no domain recorded) tcp, 6 connections

Files

memory/2540-0-0x000000013F390000-0x000000013F6E1000-memory.dmp

memory/2540-1-0x00000000000F0000-0x0000000000100000-memory.dmp

memory/2540-7-0x000000013FA70000-0x000000013FDC1000-memory.dmp

C:\Windows\system\mPwoeAE.exe

MD5 ad434914c43c247f4c6e70036211ef0b
SHA1 235a3ff62b8f6d70510fc12084ff6ed1482c8b34
SHA256 3a39d7ae7e720edb6a15f0cc2f01d448e94515a39472120757bc6399d6eddce0
SHA512 d9c346ad0f0737d0a82d1e38ed9c75c63332f556c64037caa8a19dc60d98d2fb09d572b49defee57184034fdd3c504b15f9cd677230823d5d322ad5cfa092556

C:\Windows\system\cEOClmK.exe

MD5 f4f5e23d01d8f276a6c7a3f3ad628b45
SHA1 a43c7025b02375792c9d91924544163ea3c7c115
SHA256 3e0e51e820950475d33c89d275f48c9d061e27587f5e1883bfd8803db7fbbfd0
SHA512 f677d83874ae3f12e6b40a8dd87c53bed88a37440fbcdaefba5d9bde55e7707ceee95a3195426f8ff45bfb6bdb67169044d740e0c33a0211db3f22ab86e2a369

memory/2892-18-0x000000013FA70000-0x000000013FDC1000-memory.dmp

memory/2100-21-0x000000013F420000-0x000000013F771000-memory.dmp

memory/2540-22-0x00000000021E0000-0x0000000002531000-memory.dmp

memory/2732-23-0x000000013F660000-0x000000013F9B1000-memory.dmp

memory/2540-20-0x00000000021E0000-0x0000000002531000-memory.dmp

C:\Windows\system\hpbMBpO.exe

MD5 8abd2415b60dd577eb7d4b2396389024
SHA1 a9bb4bce1a86076ce256bd1f39c2b1fe97629755
SHA256 7481c03147a2a6bda8d5bcaf91db01153017474f3af95be8fb1f953a5157cd08
SHA512 6a9dc6c42d8ea058900c7e1eda6780cdad359da24ac738ce21a29c7d9caaad84dbf635771a8a9a9b34a27a79188af874f9d5405bc1e2d27be4bff94d43c5df4e

\Windows\system\eCxigzf.exe

MD5 b7c140a8db3207c1e4a68ae2c53e4567
SHA1 f69b67a126f6509a4b0582062fba9df501fdb970
SHA256 a6eb6b476d7e73725c58e0794ca776122cf841a6d7b6a6077a9b499748bc6383
SHA512 ad374cd5f465ecdceb88f9725db8f2c01d8f9d468a1f09c69c5bc58b5acd36cb4d8888548bf373e37c7e5bc8c643bd3a4d967b3cdb46966f0fcb613ce3533822

C:\Windows\system\hBtHmXL.exe

MD5 414f8f9c1cf5d0668649c3e8387d29d7
SHA1 9be41e99cf066d8329d093076b071d3e3364ce7c
SHA256 1a281cb201fa9d96ed2268bc921f6f8501d947a288ff4adab9d54de374a95d79
SHA512 bf6507d1e116ce627db015d8c192967ef24c8671c3db059422bee0613a3d4dc64be7337d2350da1419ce1e75b248d50590f38726e1c630f8ebdd991fda1132ca

memory/2540-36-0x00000000021E0000-0x0000000002531000-memory.dmp

memory/2736-37-0x000000013F050000-0x000000013F3A1000-memory.dmp

memory/2812-34-0x000000013F280000-0x000000013F5D1000-memory.dmp

\Windows\system\eoIwBqe.exe

MD5 418f8d00470c201fb92240c5f73bf93f
SHA1 5cddf2011cf9cdff34a3748efc00546bc50d739b
SHA256 2ff0ea943009a72322627d4ba4d6a13916a5fcab3ad3e3c766138537306120fc
SHA512 2ba64f72eb6d0128d63d8897d1e360583fa9a536419d10211d2ce2b00ab8249e620b147143b464166169f9da90b924dfdbab3737016cef9b907f222243b1e35b

memory/2640-43-0x000000013F0E0000-0x000000013F431000-memory.dmp

memory/2916-50-0x000000013F600000-0x000000013F951000-memory.dmp

C:\Windows\system\kThslTw.exe

MD5 d816f657250f2fe7c6abeef512661cb3
SHA1 361ab5edec528c55a0f0faf1ae4ac72e5e6503b6
SHA256 cf003b7a581d232f45e1fd1278a4909fb83f3ffaf0cad1c0df0154b9e62b4965
SHA512 45b55fa6b17a084b396374da7721bf001d8ff6203da00995cf92f108b903f7816cd1bd21a19f928416a3bd0c1191db879b537b067c0dbda9eafee49230c878be

C:\Windows\system\HkioJEK.exe

MD5 ab38d7657185ebcc1fdaf3fc94bb3d93
SHA1 53ea8db85b99e685cdd6f383a951bd17374d9f08
SHA256 4025663b7335d63ba70ace5148b3b32e6fa8f08187e4bcb67a88686ac72dc87d
SHA512 3e321b1fc520920de1632e380c832de655e78e26db6682e7f5025e6fbcb7a2debca3db22a2fc21064c55ac42d915f5a64daf3b911d0ce581a32d7b81dc5cf5fd

memory/2616-64-0x000000013FA60000-0x000000013FDB1000-memory.dmp

memory/2540-62-0x000000013FA60000-0x000000013FDB1000-memory.dmp

C:\Windows\system\ympVetG.exe

MD5 69cab82c97808e48b098e3c4ecb5288f
SHA1 a670e3431988ac207d45a52ab363df8e8bf565d2
SHA256 c84855d94f1c634244b6236c4e39fde39e7a83f704ffe0c4b7f3975107bfaa86
SHA512 87c0cdd38665e5a0921b7802973923e39449e0321b62e49f1d742a33ae4a0ef0992777347b2cd87f19598bb4dec8f598af87fae8dab41eeb9cb43a1a1e1da737

\Windows\system\CjVDanh.exe

MD5 9d16a521b0e2520205fe3e30c3a59499
SHA1 a458c486bdcdf5cce3fdf9141b319469f11b231e
SHA256 0cd31327914d2f38c79598d3f6dde2270017a7e104bdb72a5ffbac68a2be5dd7
SHA512 b6ba071bc5bfcddea1726adb4fc26c4204c34edd7c045e67f49dceab91e06998cb1d7be177f0bb18557a07e34ce3154f373e415910199f0b94bc62f4a0d02bdf

memory/2540-77-0x000000013F7B0000-0x000000013FB01000-memory.dmp

memory/2540-93-0x000000013F860000-0x000000013FBB1000-memory.dmp

memory/2272-99-0x000000013FE40000-0x0000000140191000-memory.dmp

memory/1444-100-0x000000013FC50000-0x000000013FFA1000-memory.dmp

memory/2540-97-0x000000013FC50000-0x000000013FFA1000-memory.dmp

memory/2540-105-0x000000013F7B0000-0x000000013FB01000-memory.dmp

C:\Windows\system\ezNAFez.exe

MD5 e6e4a705146e3aed32b9b65434b54e40
SHA1 f3f5b2bfdd32d03fc4a2357c0a6b3d7555a284a5
SHA256 7e339e25a583a6dba5638a3188bff507247febcf97bcca7727c97f4c84bc8919
SHA512 78e594eef0c4af479d0556cc7ac6d4820f02f246232eeb3dcb59dadcf97b426503104b8e9032bd85b53d5aea9b2a5000f7e3414d8e172598429b436c609ca5fd

\Windows\system\IqmXrnA.exe

MD5 6ad9209fd7f0d90e319602fdae3d3365
SHA1 4b151bdf5912ff47459e2fd229490482d1ac476b
SHA256 3efaa0e7eb3cfce3c8e3d307a7b2a7c93dbd753719d74d8d49874953ace34924
SHA512 aac3f5bb3d8494c59142cf363584cad8541775bfcf772667100d4fb70e9ab4a8dd0420fb8cc0cbca595b32070061a60b8ebebfe852a339ae7694224d4bbd5575

memory/2540-96-0x000000013FED0000-0x0000000140221000-memory.dmp

C:\Windows\system\yNERitU.exe

MD5 8e512c4c6f23ccf8932fd8f70c1e3b6b
SHA1 5a41ec1f49d0231e9825b74c8f1f919786cea9af
SHA256 a05321107582b3a8e90b29f2a6af98a548ce12c3d77ad4e7fac43a6f4b1bc0df
SHA512 5d3e9d756b4922a1a0f48c9633413234432b5a857c587a41fb3be54e94974878c1b0a2186ecc048f7d334be8de37014e1a19211e29da7a7ca1b5d5fe835af0e7

memory/1640-83-0x000000013F7B0000-0x000000013FB01000-memory.dmp

C:\Windows\system\rEeFuNX.exe

MD5 976df66c7e2e6f99211f1b6f89e51be7
SHA1 8a3560cf2586b3db576a3fa87876c179e90abadf
SHA256 7e02a1801842bef0c82ab3e90b407742785dc8c47fc3e680d462063589de26aa
SHA512 55e2bb1c502fba1dd4d4d2e908536f36d90911bc7fee74d6e5ad21a23f6d6c30402356d1bdc71a11c1cee210c2e8db2ed04ac1de4d7d61ccf07701ed40be445c

C:\Windows\system\OLuwVwy.exe

MD5 f4095d6fc6c7a07ef423be209d677d60
SHA1 18b6d1522193755c5a41599d3aec6abfbcd0d438
SHA256 83585e76ba49d562bea372f0d887471cea71cf56b07dd99038364504528e94f8
SHA512 fb14d6eae48ad708fca11f29344219f8ffbf6ac8c0e57d86f0b5a564d300db77a095b8310694b54362f7763493fc1d63b3ad8b01fc66c48c312544ce75b23a82

C:\Windows\system\wVCPLEw.exe

MD5 fc96566b6cdaafbd372cffe8860b3d5a
SHA1 6f11fd1e761b3e376d29c8f7f1bd8299cacbc62e
SHA256 52afed3063ace2bf9fca6973f62193008520d833d9f567567d9452da937a5cd0
SHA512 05f03e3827a7c46e4fac42dd4eccce2973c0a027df674fff210a9d0f140400af3a550679b358393b0b466c06d5c3052e4b1b59a2a970dfa4d8569f60167f5099

C:\Windows\system\DegmnkV.exe

MD5 33ed798948a73eb5d37f6a7805a16c78
SHA1 cd2b21b0f83b97b1e983e2acb22f4b390c5bac3c
SHA256 b62fa44aa2106e0d1320197ba67c6a6d30f9a42b3c50d4369ba35990f9de2267
SHA512 3195c3bfc994701067bbc388c0c66e126b105e908761c9b550ec64f00b3e44b242584da79824a9889a95a729ec4ad8192f31accf01580cfeaac7d0afb16dc4c8

C:\Windows\system\qHiIMqW.exe

MD5 284b2e869505ad4387fe3cbd7c40d665
SHA1 afa3c9ab597f12b82ea09a27e85d261deec886b1
SHA256 2f58cda68e12a19811cef6df4e41fe30f9a04dbc5c4355899212460102ad7a48
SHA512 399784869775636eeabb89c39d93435cdb5918b1a763c809b262d2d8a41f82c609105445bb4d175d1cbdf15f657cc1581779c2d49f835eb03b31fdd179de3476

memory/2540-92-0x000000013FE40000-0x0000000140191000-memory.dmp

C:\Windows\system\lMNxWfo.exe

MD5 efa4bd61c88856affa934959b56ddbf5
SHA1 668e32b2837b02f5d4b5afa15a409b5db04db1ec
SHA256 0c1e88c84839e09ea528338fa53556bad548b89d71e8fa4cc768139677c49cec
SHA512 75bd624734a150198c65aae4a0c6c463594e68954576c6068b75348b747f85a5f642490ff8c8a6fff6c3cedb9400bee0bb6af35e80eb1d8a91ac657296aa8389

C:\Windows\system\dzaUaps.exe

MD5 2bbf3191965739a3fae2e6e138620866
SHA1 e5e177ef95c91559eb08f9588083c1146d634ea2
SHA256 9f9865c96b6cfd609712386fee2759535ab1df116883e5b47b8f0165f46fd948
SHA512 9cdc53c4f2ea1416360626d8b407d2026937015de9af14034dfaeee1facfd9d2d4564c425246000f89a1215dc75aedd55107106681122bc6fef14a48031e685a

memory/2656-90-0x000000013F860000-0x000000013FBB1000-memory.dmp

memory/2212-88-0x000000013FED0000-0x0000000140221000-memory.dmp

memory/2540-70-0x000000013F390000-0x000000013F6E1000-memory.dmp

memory/2716-57-0x000000013F190000-0x000000013F4E1000-memory.dmp

memory/2540-56-0x00000000021E0000-0x0000000002531000-memory.dmp

memory/2540-48-0x00000000021E0000-0x0000000002531000-memory.dmp

C:\Windows\system\OPuaPtE.exe

MD5 3040b46c05f60f2fdd6f8c4a88f9ca05
SHA1 f800b5cb7f56e86cbed82546a87a0e46ee6dea57
SHA256 2a90ebbbae387a6ffb9c499a1420fd3333b69a90e701569452b2b5940299883a
SHA512 0b1d168fadce3fd900cbaab7e63a1d5da2cb96327dee6fe119723cb7f1180c81f368c7911b0ee21ba8609a30cde02cc5af253b0b1f3f3071e86773986ec3b846

memory/2540-32-0x00000000021E0000-0x0000000002531000-memory.dmp

memory/2640-136-0x000000013F0E0000-0x000000013F431000-memory.dmp

memory/2540-137-0x000000013F390000-0x000000013F6E1000-memory.dmp

memory/2656-150-0x000000013F860000-0x000000013FBB1000-memory.dmp

memory/2916-149-0x000000013F600000-0x000000013F951000-memory.dmp

memory/2540-148-0x00000000021E0000-0x0000000002531000-memory.dmp

memory/2664-155-0x000000013FAD0000-0x000000013FE21000-memory.dmp

memory/1364-160-0x000000013F630000-0x000000013F981000-memory.dmp

memory/956-159-0x000000013F830000-0x000000013FB81000-memory.dmp

memory/844-158-0x000000013FDF0000-0x0000000140141000-memory.dmp

memory/2792-156-0x000000013F200000-0x000000013F551000-memory.dmp

memory/1676-154-0x000000013F7B0000-0x000000013FB01000-memory.dmp

memory/2864-157-0x000000013FD50000-0x00000001400A1000-memory.dmp

memory/2540-161-0x000000013FA60000-0x000000013FDB1000-memory.dmp

memory/2540-162-0x000000013FED0000-0x0000000140221000-memory.dmp

memory/2540-163-0x000000013F390000-0x000000013F6E1000-memory.dmp

memory/2540-169-0x000000013FC50000-0x000000013FFA1000-memory.dmp

memory/2892-209-0x000000013FA70000-0x000000013FDC1000-memory.dmp

memory/2100-213-0x000000013F420000-0x000000013F771000-memory.dmp

memory/2732-212-0x000000013F660000-0x000000013F9B1000-memory.dmp

memory/2812-215-0x000000013F280000-0x000000013F5D1000-memory.dmp

memory/2736-217-0x000000013F050000-0x000000013F3A1000-memory.dmp

memory/2640-219-0x000000013F0E0000-0x000000013F431000-memory.dmp

memory/2916-221-0x000000013F600000-0x000000013F951000-memory.dmp

memory/2716-233-0x000000013F190000-0x000000013F4E1000-memory.dmp

memory/2616-235-0x000000013FA60000-0x000000013FDB1000-memory.dmp

memory/1640-237-0x000000013F7B0000-0x000000013FB01000-memory.dmp

memory/2212-239-0x000000013FED0000-0x0000000140221000-memory.dmp

memory/2656-241-0x000000013F860000-0x000000013FBB1000-memory.dmp

memory/2272-243-0x000000013FE40000-0x0000000140191000-memory.dmp

memory/1444-245-0x000000013FC50000-0x000000013FFA1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 11:44

Reported

2024-08-13 11:46

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\epEkggv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DxZSWwG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KetoWEA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qXYHqpZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vzGyEVL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KMrYXGc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hHDtgce.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lyCikKo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jPRYlFL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\idouzYO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\evQvwCL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dARtmxR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\atPnGyF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XJtiMhh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SluoAxm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oOpSYZw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JeBKqxo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qwrpqsl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vHhAIVX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UDanDHL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\txnNSDr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4856 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oOpSYZw.exe
PID 4856 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oOpSYZw.exe
PID 4856 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JeBKqxo.exe
PID 4856 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JeBKqxo.exe
PID 4856 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vzGyEVL.exe
PID 4856 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vzGyEVL.exe
PID 4856 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qwrpqsl.exe
PID 4856 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qwrpqsl.exe
PID 4856 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KMrYXGc.exe
PID 4856 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KMrYXGc.exe
PID 4856 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jPRYlFL.exe
PID 4856 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jPRYlFL.exe
PID 4856 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\idouzYO.exe
PID 4856 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\idouzYO.exe
PID 4856 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\epEkggv.exe
PID 4856 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\epEkggv.exe
PID 4856 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DxZSWwG.exe
PID 4856 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DxZSWwG.exe
PID 4856 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\evQvwCL.exe
PID 4856 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\evQvwCL.exe
PID 4856 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vHhAIVX.exe
PID 4856 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vHhAIVX.exe
PID 4856 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dARtmxR.exe
PID 4856 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dARtmxR.exe
PID 4856 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KetoWEA.exe
PID 4856 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KetoWEA.exe
PID 4856 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qXYHqpZ.exe
PID 4856 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qXYHqpZ.exe
PID 4856 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UDanDHL.exe
PID 4856 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UDanDHL.exe
PID 4856 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\atPnGyF.exe
PID 4856 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\atPnGyF.exe
PID 4856 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XJtiMhh.exe
PID 4856 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XJtiMhh.exe
PID 4856 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\txnNSDr.exe
PID 4856 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\txnNSDr.exe
PID 4856 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SluoAxm.exe
PID 4856 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SluoAxm.exe
PID 4856 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hHDtgce.exe
PID 4856 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hHDtgce.exe
PID 4856 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lyCikKo.exe
PID 4856 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lyCikKo.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_076a093e82332ec47de2a53e1c882259_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\oOpSYZw.exe

C:\Windows\System\oOpSYZw.exe

C:\Windows\System\JeBKqxo.exe

C:\Windows\System\JeBKqxo.exe

C:\Windows\System\vzGyEVL.exe

C:\Windows\System\vzGyEVL.exe

C:\Windows\System\qwrpqsl.exe

C:\Windows\System\qwrpqsl.exe

C:\Windows\System\KMrYXGc.exe

C:\Windows\System\KMrYXGc.exe

C:\Windows\System\jPRYlFL.exe

C:\Windows\System\jPRYlFL.exe

C:\Windows\System\idouzYO.exe

C:\Windows\System\idouzYO.exe

C:\Windows\System\epEkggv.exe

C:\Windows\System\epEkggv.exe

C:\Windows\System\DxZSWwG.exe

C:\Windows\System\DxZSWwG.exe

C:\Windows\System\evQvwCL.exe

C:\Windows\System\evQvwCL.exe

C:\Windows\System\vHhAIVX.exe

C:\Windows\System\vHhAIVX.exe

C:\Windows\System\dARtmxR.exe

C:\Windows\System\dARtmxR.exe

C:\Windows\System\KetoWEA.exe

C:\Windows\System\KetoWEA.exe

C:\Windows\System\qXYHqpZ.exe

C:\Windows\System\qXYHqpZ.exe

C:\Windows\System\UDanDHL.exe

C:\Windows\System\UDanDHL.exe

C:\Windows\System\atPnGyF.exe

C:\Windows\System\atPnGyF.exe

C:\Windows\System\XJtiMhh.exe

C:\Windows\System\XJtiMhh.exe

C:\Windows\System\txnNSDr.exe

C:\Windows\System\txnNSDr.exe

C:\Windows\System\SluoAxm.exe

C:\Windows\System\SluoAxm.exe

C:\Windows\System\hHDtgce.exe

C:\Windows\System\hHDtgce.exe

C:\Windows\System\lyCikKo.exe

C:\Windows\System\lyCikKo.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/4856-0-0x00007FF717A70000-0x00007FF717DC1000-memory.dmp

memory/4856-1-0x000002063F7C0000-0x000002063F7D0000-memory.dmp

C:\Windows\System\oOpSYZw.exe

MD5 947ba0e3a178fb84df0fbb2932411fb1
SHA1 3e8811409dc97fe583f12a30d415e8b669496fd8
SHA256 caea069ea7532806f46c988056f163124ce3b440b12f3e850f575976cb1115ae
SHA512 9b727ef23aef24ff9e34cca2f149211178472f623dadcdb3b3d7d0a40eadd43f2198e97f4d94a0ce023aa8c8ec226cc2d3457df318182e17e30dcad698bbe4b2

C:\Windows\System\vzGyEVL.exe

MD5 4183f84c33107649217859d2b5e9a704
SHA1 a6fc5e5b5cbe4ce74cb7100db24d22334bc2e61c
SHA256 f5fcb960d5a6de3d1af9f7530303dc81ba36b13a8f375ef5d183425fee6d21fa
SHA512 d3df58262a8baf8c89d1988f574f1d1971620863b57b544af18123744e2b91b2b048ed918bfa1148784562ba923e7a0eca294476a76e7cc9faf45615ad60aa44

C:\Windows\System\JeBKqxo.exe

MD5 b2fed549cc0c22278124368f5e31236b
SHA1 8c7dafcfb7141623b52aa3c4b839510a53d2ba64
SHA256 f9cec5e8cdfbaef2108273b26d85aa79dddf0c8020a76e1e2c304c961f45e1c6
SHA512 9701e67fe1714f55389be0e656a26216db7287af6add7820eeadf177f9fa1b88fe798afe42af70f924cf858d45510a771e5c036702f17f8b9756cc8ddb7c1746

C:\Windows\System\jPRYlFL.exe

MD5 770d8cf925b16b29f349e5ab4c86cf7e
SHA1 074e454cf1245ac8ec0d9df850b0fed4016a1571
SHA256 7b4b79614555ce8262f5c4426412f301d7c50b11eec69b4540860ab1044edbe3
SHA512 24bed5f483fabe7412cf0afe93a862fac33909d27f7d6be7fd4da0e0e461ca6b970fc4060963ecec427f57f9635924bdf734c3d0b121e58f1ded90c8cdeaa47d

C:\Windows\System\epEkggv.exe

MD5 2015a7e02975f1d8243943456e92c518
SHA1 6132c15f1a4eb440c53d2120f2da945741a94906
SHA256 fb26f7e6fe45a037f312860abe7f4a6035a05d0ed9ba32df5a862ae2416dd109
SHA512 2aea8e0f49f4281987a26842ca255a776f4696d4cc82ed65661ce8fd107efcf0f2c1c781a8dd8eec026b96f2fde5fa125696481d87b8a0b3a4b20bce010f6096

memory/4508-42-0x00007FF792EE0000-0x00007FF793231000-memory.dmp

C:\Windows\System\DxZSWwG.exe

MD5 770a54dbd2b912b78df5f8ae4309ef6f
SHA1 d461a75433ce07231e4532684ca9665d8763c308
SHA256 ebf4331486ed2defec8cb779f8d76c39511941bb31cdc11ae636b41b1fd3bf25
SHA512 4780da02564f718a3e484da4fc6cf032674364acec2695c48cb4af1bc4932e3f5171dbffe55610bb8fc9033f649edb499f2f1ca42cd72c2364bee3592e267b96

memory/588-49-0x00007FF64DD80000-0x00007FF64E0D1000-memory.dmp

C:\Windows\System\idouzYO.exe

MD5 18799fc71e981bc7b15bce205b4e5c92
SHA1 cdb4e0cd97587e8ddc3e742962ba52705bceb411
SHA256 729433c8c892a45675d0e4a0786c2ef4711e59dba731b9989e0656c65e2ef76e
SHA512 105533d007614cd254636cd321bb06568e407957b96d9da8b2f7abe9e5cbb551dc46b061d86edaf2d048a18c74a391b8e74f8658d22352d4a4dea1c5215cc511

memory/2780-45-0x00007FF67E2D0000-0x00007FF67E621000-memory.dmp

C:\Windows\System\KMrYXGc.exe

MD5 9b1783ba63d183a438273c1ca267711b
SHA1 2e010dfdd1848e62ce558c76cbbb595197940fb0
SHA256 3745be322781d17f97ff44148544466b5f03e7a1c8a8ea9e1a95a43e0cd13d0c
SHA512 c929d13556d243287036000f8cb9a3357226427ebab4e20ab6cb42a2d704b1a43ef1bfcc1e5ce91264d211cf57f80344d8e73894ce78efb322828f4a51be051b

memory/8-35-0x00007FF70DAA0000-0x00007FF70DDF1000-memory.dmp

memory/3500-28-0x00007FF671080000-0x00007FF6713D1000-memory.dmp

memory/4640-26-0x00007FF654F60000-0x00007FF6552B1000-memory.dmp

C:\Windows\System\qwrpqsl.exe

MD5 d209e85a4eb031bbdf2b092d11e44404
SHA1 7909abe4987a2146d24ae4310ac1a7f70d6f6894
SHA256 240892ec48da5d5b8b352bd0183dd07989c92ed2a6103a15753f0ffeca2d5797
SHA512 77bff062da5b36a318bbd1ceec887189376d8b60da5dc7259bee401661018aab89bdadc7bf9ec80447e4067892d3e41e8bae6119b0b4f35a443631f9f26b4c86

memory/3204-12-0x00007FF71EB60000-0x00007FF71EEB1000-memory.dmp

memory/1188-9-0x00007FF6151D0000-0x00007FF615521000-memory.dmp

memory/3588-58-0x00007FF746A50000-0x00007FF746DA1000-memory.dmp

memory/1336-65-0x00007FF756430000-0x00007FF756781000-memory.dmp

memory/3680-74-0x00007FF7E19F0000-0x00007FF7E1D41000-memory.dmp

memory/1188-80-0x00007FF6151D0000-0x00007FF615521000-memory.dmp

C:\Windows\System\qXYHqpZ.exe

MD5 98e7e8246f70e9ba97c6070b2a043e9b
SHA1 68658e92075a94bf6071377dbb1272fb5751e5b9
SHA256 dd12dce5f6653d73a234db00ce2fed0468dcb5eea3007a2d7574e2cec73f223b
SHA512 d7c806f455e104b0315a69fad88212b22b0cd75922b4f45d35bd087a43dbd6c69bbe1690409d2b66015db84cdee51e594daaf001df73d502e7455e693319b9fd

C:\Windows\System\KetoWEA.exe

MD5 888567e89e3c8d3bce5dfd542d1d30cd
SHA1 3574e1e3009989d04ac6b6a136df72993fb30d9f
SHA256 e3a12b5233a8c9b3a4623fa0b12bc3ae385f1a171da7b14444a9a63244624dbd
SHA512 ae151dd82dcfb2f3308d5e8aa4451ca9c730887948b3838cacd7d9ed9745d3fb7d259578fe8ee9e92bb47fa53cf541df83224108c2eecbb08ac2e9d4de8e6689

memory/5020-83-0x00007FF7282D0000-0x00007FF728621000-memory.dmp

memory/4856-82-0x00007FF717A70000-0x00007FF717DC1000-memory.dmp

memory/2724-81-0x00007FF6FD190000-0x00007FF6FD4E1000-memory.dmp

memory/1100-79-0x00007FF711FD0000-0x00007FF712321000-memory.dmp

C:\Windows\System\dARtmxR.exe

MD5 992d3d3a66fd1db6745b00348e049cfb
SHA1 1d27ce188c83ab6af4cf1b2cbd1c0cb9584d82e0
SHA256 fc7ecaf6a060cf7cb436c4c90e88a6769de5ca15d513c552af8ff891e3632aa0
SHA512 9b035795668bd137700c9a76946eb55967f4b5ed116a08becc26f54dbe38eb1cfeb595fc932123abdf379a0cfb6119e1edb98d02eafc3a3ccbf436d8bbcddffa

C:\Windows\System\evQvwCL.exe

MD5 82ab964bcef6e64a51ae5b7577ae4893
SHA1 65c7dba3553ab5ce728f78b075d8dd927ebf65ed
SHA256 6b4f2293cffa5c5672782657400f63be86f498141c2d5be23b42892887e2aed4
SHA512 a7dcdd24efb965c0b4438b615b72a5896d75f326459bd8cffdf4b3e01809ada862a536ff709458c5e69c3d0ecf2bf500a08602b699e18c4f96334d8347ca8e9a

C:\Windows\System\vHhAIVX.exe

MD5 6f53f48512c28b18e837b459c3b8e6ac
SHA1 ab5fa6ce3685a35a9a86f0796a60695d7ac47c4b
SHA256 ba89079a3e904ecd490a024f33644ddf7dc69c6801ffb63974af271900dd5dd4
SHA512 6bb1d9d2e0770f03c0b37f1cc04f1d7c4df87182edea2119482a7c29daca2b35f0f158861e7d0c6ebcbcc21d088ed43b2d3c89491d59daf379772e88531bb60a

C:\Windows\System\UDanDHL.exe

MD5 b8c402fe23d84e1ca25a71f97b21af52
SHA1 3d2a2ece3a5e90e7ac19b82ebb8c9c3e62ad05ea
SHA256 d59e9ec61f914d238f11a6af0f9b3916e49ada0705192deb4d73917d703134ac
SHA512 7685f769b26af634103d7158a838f858a7971f43b07e3bd6cd8c4bb79f9e840d8fe30853d804bedd8a533a9716ebb575ba801c9006a5f5dd4832b1efb87645e0

memory/3500-92-0x00007FF671080000-0x00007FF6713D1000-memory.dmp

memory/3204-101-0x00007FF71EB60000-0x00007FF71EEB1000-memory.dmp

C:\Windows\System\atPnGyF.exe

MD5 f26e6b8229b774d7a6b565f0954a184c
SHA1 4bbb4cea2565484c60f790477da3584f24466556
SHA256 616c0355d827b60f7958d06676ef4c2fab75b0d6aee2407c80654559005ccc73
SHA512 b1e4d3130c136406bbddd41cda30f6523fb26833f597734e1f8f726746528d4ce6d327810d87d27c2e06a2f4a1ec163d2272464d1ec0e1035fed49f96b722e7b

memory/4640-102-0x00007FF654F60000-0x00007FF6552B1000-memory.dmp

memory/1356-108-0x00007FF677600000-0x00007FF677951000-memory.dmp

C:\Windows\System\txnNSDr.exe

MD5 1fbae89e9cc76699413634612ace85c9
SHA1 527072f5d8ff1cacdcf0678a8425d1f22fe9b5b8
SHA256 5a42c978ad88ca8950b2cc70d10237f2b332b9a77dd7d8a82840176ade8fab47
SHA512 dbbb708ff8b6d6a0493af34675e59822c32e275a0d79db22e008a304a6945a87d5e3af9638fc39b4142073be720f7e193c6c84cb46a20a16835092b7907bae3e

C:\Windows\System\XJtiMhh.exe

MD5 7dc250de0428bf92b2a52e0b5e4c3ad0
SHA1 11a4379b32160c0b4709a64f20d338ca8201d0c4
SHA256 cd1205318b7af446d8dceeb7f2d515c35d4124bf546eba6fe26a1e9fba6ca1c2
SHA512 f47b74e450d1240a64ba450222aaf9e5a3c426b63bfb2869e513bb310666cf4d36acefdb002d5f4b06004f1ab90348c3476d79320db6b6ddc3b5abf797be95ed

memory/1628-113-0x00007FF7C91A0000-0x00007FF7C94F1000-memory.dmp

memory/1492-109-0x00007FF770E90000-0x00007FF7711E1000-memory.dmp

memory/1600-97-0x00007FF624D70000-0x00007FF6250C1000-memory.dmp

C:\Windows\System\SluoAxm.exe

MD5 694f2a52255719861f50ae1bb3fcb7df
SHA1 4bc028ff1e48bd8ca086817c5e5a5432a06052cc
SHA256 6af3e82edd2aa1ec9400d7d2cf6852c997b9614f81e1bcc0dc075d9fa5203f0c
SHA512 d938cbadc968a2f7798f84cd2129a3ae7a187ba5e44f8fc4b7c66f70aa77119a278b7f3ce23bb38cd692daea115e8cf57f50289660ab25f9891f1edacf4745f9

memory/2780-126-0x00007FF67E2D0000-0x00007FF67E621000-memory.dmp

memory/4744-130-0x00007FF75A1C0000-0x00007FF75A511000-memory.dmp

C:\Windows\System\hHDtgce.exe

MD5 77128e8df593d5666bf58ec8da2dd0ee
SHA1 d4815ef42adcdc40633b6a9a1f0475c4b43a263b
SHA256 3721eab9ddde01cba91daab96d8446c00bde796702cc6ba8219144d67876fda3
SHA512 4b778d7220cda53d13c2277608b05872717b7c4ca719f62a113c380b0a7088b3b705049b5db5aec707c7068a02c4c8c854c5b1730d192b8103bedc5987281874

memory/528-134-0x00007FF790790000-0x00007FF790AE1000-memory.dmp

memory/1336-133-0x00007FF756430000-0x00007FF756781000-memory.dmp

memory/588-131-0x00007FF64DD80000-0x00007FF64E0D1000-memory.dmp

memory/844-127-0x00007FF712000000-0x00007FF712351000-memory.dmp

C:\Windows\System\lyCikKo.exe

MD5 ed7f43b758061ad702db650446e733cd
SHA1 2a9d14027b2aecc96e9afc8f784519545ec28903
SHA256 b5dd0e6f95ee7e0e8bc12cb99c79bf722bbf2f5f7c227a874e76083658cd6228
SHA512 0f415facccda2b50bdae788a11b383c14acdf781b7ebbf58b5bb1da525f98f3f985180076e9b0aec51b01b4305f501c89ff0217c9f036bdfcca3b0db2e8855df

memory/4856-136-0x00007FF717A70000-0x00007FF717DC1000-memory.dmp

memory/5020-149-0x00007FF7282D0000-0x00007FF728621000-memory.dmp

memory/3588-151-0x00007FF746A50000-0x00007FF746DA1000-memory.dmp

memory/2724-150-0x00007FF6FD190000-0x00007FF6FD4E1000-memory.dmp

memory/1356-153-0x00007FF677600000-0x00007FF677951000-memory.dmp

memory/1600-152-0x00007FF624D70000-0x00007FF6250C1000-memory.dmp

memory/1492-154-0x00007FF770E90000-0x00007FF7711E1000-memory.dmp

memory/4856-157-0x00007FF717A70000-0x00007FF717DC1000-memory.dmp

memory/528-166-0x00007FF790790000-0x00007FF790AE1000-memory.dmp

memory/4744-167-0x00007FF75A1C0000-0x00007FF75A511000-memory.dmp

memory/1188-204-0x00007FF6151D0000-0x00007FF615521000-memory.dmp

memory/3204-206-0x00007FF71EB60000-0x00007FF71EEB1000-memory.dmp

memory/4640-210-0x00007FF654F60000-0x00007FF6552B1000-memory.dmp

memory/8-209-0x00007FF70DAA0000-0x00007FF70DDF1000-memory.dmp

memory/4508-214-0x00007FF792EE0000-0x00007FF793231000-memory.dmp

memory/3500-213-0x00007FF671080000-0x00007FF6713D1000-memory.dmp

memory/2780-216-0x00007FF67E2D0000-0x00007FF67E621000-memory.dmp

memory/588-221-0x00007FF64DD80000-0x00007FF64E0D1000-memory.dmp

memory/1336-219-0x00007FF756430000-0x00007FF756781000-memory.dmp

memory/3680-224-0x00007FF7E19F0000-0x00007FF7E1D41000-memory.dmp

memory/3588-223-0x00007FF746A50000-0x00007FF746DA1000-memory.dmp

memory/1100-227-0x00007FF711FD0000-0x00007FF712321000-memory.dmp

memory/5020-230-0x00007FF7282D0000-0x00007FF728621000-memory.dmp

memory/2724-228-0x00007FF6FD190000-0x00007FF6FD4E1000-memory.dmp

memory/1600-233-0x00007FF624D70000-0x00007FF6250C1000-memory.dmp

memory/1356-235-0x00007FF677600000-0x00007FF677951000-memory.dmp

memory/1628-237-0x00007FF7C91A0000-0x00007FF7C94F1000-memory.dmp

memory/1492-239-0x00007FF770E90000-0x00007FF7711E1000-memory.dmp

memory/844-242-0x00007FF712000000-0x00007FF712351000-memory.dmp

memory/4744-244-0x00007FF75A1C0000-0x00007FF75A511000-memory.dmp

memory/528-246-0x00007FF790790000-0x00007FF790AE1000-memory.dmp