Malware Analysis Report

2025-03-15 08:05

Sample ID 240813-nys9yswflp
Target 2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat
SHA256 da546be39afefac19381843da07b48a75351d54012a615c3d01ac49cb075e44e
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

da546be39afefac19381843da07b48a75351d54012a615c3d01ac49cb075e44e

Threat Level: Known bad

The file 2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobalt Strike reflective loader

Cobaltstrike

Cobaltstrike family

Xmrig family

XMRig Miner payload

xmrig

XMRig Miner payload

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-13 11:48

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 11:48

Reported

2024-08-13 11:51

Platform

win7-20240705-en

Max time kernel

142s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 rows; all four fields reported as N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(34 rows; all four fields reported as N/A)

Loads dropped DLL

Description Indicator Process Target
(21 rows; Process is C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe in every row; Description, Indicator and Target reported as N/A)

UPX packed file

upx
Description Indicator Process Target
(55 rows; all four fields reported as N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\cvlVZkk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xtRRxBY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\osZAJSs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ILgcBpl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iuwqlxB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qIsVdXR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AUyGpcG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kdLWyMv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kspvCuc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SckhVTK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QacaVvW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zsYRnVP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wSgxCXv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CtpEjgB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UnDfvDn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HlFdHWe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hkdaMJj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\okashqQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\acYnYtf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rxXCPLB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sVdHZMV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1908 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ILgcBpl.exe
PID 1908 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ILgcBpl.exe
PID 1908 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ILgcBpl.exe
PID 1908 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cvlVZkk.exe
PID 1908 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cvlVZkk.exe
PID 1908 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cvlVZkk.exe
PID 1908 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xtRRxBY.exe
PID 1908 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xtRRxBY.exe
PID 1908 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xtRRxBY.exe
PID 1908 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iuwqlxB.exe
PID 1908 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iuwqlxB.exe
PID 1908 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iuwqlxB.exe
PID 1908 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\okashqQ.exe
PID 1908 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\okashqQ.exe
PID 1908 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\okashqQ.exe
PID 1908 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SckhVTK.exe
PID 1908 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SckhVTK.exe
PID 1908 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SckhVTK.exe
PID 1908 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qIsVdXR.exe
PID 1908 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qIsVdXR.exe
PID 1908 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qIsVdXR.exe
PID 1908 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AUyGpcG.exe
PID 1908 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AUyGpcG.exe
PID 1908 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AUyGpcG.exe
PID 1908 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QacaVvW.exe
PID 1908 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QacaVvW.exe
PID 1908 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QacaVvW.exe
PID 1908 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zsYRnVP.exe
PID 1908 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zsYRnVP.exe
PID 1908 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zsYRnVP.exe
PID 1908 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\acYnYtf.exe
PID 1908 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\acYnYtf.exe
PID 1908 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\acYnYtf.exe
PID 1908 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rxXCPLB.exe
PID 1908 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rxXCPLB.exe
PID 1908 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rxXCPLB.exe
PID 1908 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sVdHZMV.exe
PID 1908 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sVdHZMV.exe
PID 1908 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sVdHZMV.exe
PID 1908 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CtpEjgB.exe
PID 1908 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CtpEjgB.exe
PID 1908 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CtpEjgB.exe
PID 1908 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UnDfvDn.exe
PID 1908 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UnDfvDn.exe
PID 1908 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UnDfvDn.exe
PID 1908 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\osZAJSs.exe
PID 1908 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\osZAJSs.exe
PID 1908 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\osZAJSs.exe
PID 1908 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HlFdHWe.exe
PID 1908 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HlFdHWe.exe
PID 1908 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HlFdHWe.exe
PID 1908 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wSgxCXv.exe
PID 1908 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wSgxCXv.exe
PID 1908 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wSgxCXv.exe
PID 1908 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hkdaMJj.exe
PID 1908 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hkdaMJj.exe
PID 1908 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hkdaMJj.exe
PID 1908 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kdLWyMv.exe
PID 1908 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kdLWyMv.exe
PID 1908 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kdLWyMv.exe
PID 1908 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kspvCuc.exe
PID 1908 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kspvCuc.exe
PID 1908 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kspvCuc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\ILgcBpl.exe

C:\Windows\System\ILgcBpl.exe

C:\Windows\System\cvlVZkk.exe

C:\Windows\System\cvlVZkk.exe

C:\Windows\System\xtRRxBY.exe

C:\Windows\System\xtRRxBY.exe

C:\Windows\System\iuwqlxB.exe

C:\Windows\System\iuwqlxB.exe

C:\Windows\System\okashqQ.exe

C:\Windows\System\okashqQ.exe

C:\Windows\System\SckhVTK.exe

C:\Windows\System\SckhVTK.exe

C:\Windows\System\qIsVdXR.exe

C:\Windows\System\qIsVdXR.exe

C:\Windows\System\AUyGpcG.exe

C:\Windows\System\AUyGpcG.exe

C:\Windows\System\QacaVvW.exe

C:\Windows\System\QacaVvW.exe

C:\Windows\System\zsYRnVP.exe

C:\Windows\System\zsYRnVP.exe

C:\Windows\System\acYnYtf.exe

C:\Windows\System\acYnYtf.exe

C:\Windows\System\rxXCPLB.exe

C:\Windows\System\rxXCPLB.exe

C:\Windows\System\sVdHZMV.exe

C:\Windows\System\sVdHZMV.exe

C:\Windows\System\CtpEjgB.exe

C:\Windows\System\CtpEjgB.exe

C:\Windows\System\UnDfvDn.exe

C:\Windows\System\UnDfvDn.exe

C:\Windows\System\osZAJSs.exe

C:\Windows\System\osZAJSs.exe

C:\Windows\System\HlFdHWe.exe

C:\Windows\System\HlFdHWe.exe

C:\Windows\System\wSgxCXv.exe

C:\Windows\System\wSgxCXv.exe

C:\Windows\System\hkdaMJj.exe

C:\Windows\System\hkdaMJj.exe

C:\Windows\System\kdLWyMv.exe

C:\Windows\System\kdLWyMv.exe

C:\Windows\System\kspvCuc.exe

C:\Windows\System\kspvCuc.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1908-0-0x000000013F100000-0x000000013F451000-memory.dmp

memory/1908-1-0x0000000000080000-0x0000000000090000-memory.dmp

C:\Windows\system\ILgcBpl.exe

MD5 e29eb385cdf8d14c36bdca8a8883883f
SHA1 10b17292f2a936f3be54f9d67f2773324e318ccb
SHA256 769c2f89f220b407ada5ecf115014dd3b52e8c1c6c5c7d616104143dbea0b873
SHA512 a7077fa15b938e64cf3ba53244371035f85aac2c4a0591a2200355c4a93e6f655556f82005dc669a325a29ad23d764a3cb5c94163538c0cb1434fc103bcdf8a7

\Windows\system\cvlVZkk.exe

MD5 3458b619aa322ddb18e57b9c5f8008f7
SHA1 5d2ed0f9ca6d7a8767e3861a413551a0631c2baa
SHA256 d9a651c809386b01f45e099b783ab7fec43b76c76a6871d5189c9bd6799ae393
SHA512 a17d0abe4250839b128836026be967094d73e18dc73695496e933c250ba5347f6c73ce9953e2b2b464ca62127f57be09d9cb936d7a6ffc58d52dd77135bd00d8

C:\Windows\system\xtRRxBY.exe

MD5 d257112bfd594846c8b689cb6830b235
SHA1 00afe84b30f11f4f029c44cbcc8ac5d06ce98a6b
SHA256 f12d0f83d17487f1c1d048e0e366a951b1cc613d56b71d2f1354c4e62f03fc32
SHA512 f2ac1fc6dffab7db1b5d6342609c33a02be582dbace08d93bb33fa4f0c5ce4cba41c88a148a417354570ff1b8e61b971ff76260810ead08593624827c8ed833f

C:\Windows\system\kspvCuc.exe

MD5 4b3bb2b166c8172afeedb466436baadd
SHA1 1b8b744a032aa248a85b965b59030ffbbcd601c4
SHA256 9b61936bc990afa59cd072686a65e7cecaf29038882bf0fb094c4b503e7fb6f1
SHA512 68d7d87de389a88d7fe69d9e6f4fc8ee8de0d95a756d72a76e077f38cc95b65fc686af1c8d1e21f0145ea22e2a96d7a22f6cd945c1522ae8145589e64d3d9d36

\Windows\system\kdLWyMv.exe

MD5 b046dbc9edba326bc5ebdf10b12ca7be
SHA1 3463d7c03aa7154cb4b97590aedac8929e9550e3
SHA256 e75c538432454ce5ead117627036568120368543044d0a8bca73245bc88cf8e8
SHA512 30f44c5cec73aed8e9f2b98680099ac1f89ae211b831fbcf7428d7a193b5c045e1ab383a0670a113e5e88c468913f9893f79138012d219cdce5b30a2a196cd31

memory/2100-77-0x000000013FFC0000-0x0000000140311000-memory.dmp

C:\Windows\system\hkdaMJj.exe

MD5 b6292bb2a997669475b1d7591c8d95e6
SHA1 9f21b93322d7b194c2ddc3181689a01d9a0e10ba
SHA256 c83cbf1cf4273533b1c4cd3d36daf9da68e840a6de2cddfa89a1b6518546bbb1
SHA512 d62463ac85b352a94d6a13ce4234ba496414e04452b86e2af172410f657f7e2bc8939a9b7c1ddbf0416ad2ed92f205392daa918fd0ef26d116b3f7d91ba53124

C:\Windows\system\HlFdHWe.exe

MD5 b7eb250642de8ac458c58aae45f11fa1
SHA1 0a887cc56f52b3765afe8858d45ea0b78d1ca726
SHA256 163fcd30dcbad9ca5db1b450c1313e61143af43b621b2834d1e8d3d4d72ea410
SHA512 8732a48ec9d87a92289911794edfd147bd06238fdad940a07c00a867a31479c903ce12bfe907d3a90ce3490ddb92d6589cdca8bf4ad8992c7d023467c19e4e5c

C:\Windows\system\UnDfvDn.exe

MD5 eb0bec7eba81a1fab0bd600233d6a4ea
SHA1 00df82b0d56735836df88569290813a3a6ad8ede
SHA256 622d7131496686587ff2e1e808b59f33e73a49af9b1da550be2791c08630f67b
SHA512 7eabef3a6590efb92e7f96b05a4572b5ddc496552b09a12bab3ce8874bc1b02d19960fcb3a9a2c6712fdfd0a9268ed712ca0e4244a8061a1291321846790d1b7

C:\Windows\system\sVdHZMV.exe

MD5 d11ab0cc9252485c12005af1f745561a
SHA1 330bf2d92f0db31855771cda457a122ef88401de
SHA256 a307b60f9d273d01f04806b9b153929548d76c1b7239ee5811236b867f6f3718
SHA512 8b9748d9c450e993f8529b3dfd48a292a4be3290e7f5fd173c920c9a5a6e4b879720fa50746cd194202cd35dd1781f70657064854dacb872abc21edffb2af5d8

C:\Windows\system\acYnYtf.exe

MD5 ea3fad7ec9ff98e2a480d27ee7b7a3d2
SHA1 f4fc2d7c398ec5a06ed368249b0693e697b3ef7d
SHA256 7daa996c3885279267c54ffa264cab3824d8903f6d617cb9dc9188374bfd592b
SHA512 6fea39fdbec30dfea5ff59807bcfbe79d654fe829eb03bfdb000cc833e5f72df18c71c256a79311208ffe28eacb926594a23236d66a69b841961960a1d7ddcba

C:\Windows\system\QacaVvW.exe

MD5 73d6bccf023cde3001d3c447bbbc4c9e
SHA1 4ae3e627b2c3d03d130c1cab1eaafca8bfc6f4db
SHA256 b82b93eca314efc65a4a55e8ab1602caf8f194621c7a358bbb8c1f1ff0128b89
SHA512 e0ff09f88f3d4dfb23d82ad71e673ffccf7c083c076ed8442784331496238f9981b285788009ce300711de3c0a4f397d79a39eb8cf010fd94a20993821f0306e

C:\Windows\system\qIsVdXR.exe

MD5 d4002232188fea13653c673732b16a6f
SHA1 5220a0ec702d37de1aee7c96b21d13fc1d7a639b
SHA256 bb548a4a02d4cdabb661b6afa02b195c871a7e31a44694c9239770e8577a4618
SHA512 cbe288923a9472fe71f3121a339abfc32dc067bccedff18a253e808ff92e7150ca48af3ffcdaf541701c13fbc823bbdf2871d8dc59468102a8e928140fec5604

C:\Windows\system\okashqQ.exe

MD5 cc548279809476507f0c6011190c6cc5
SHA1 512fa037be83ffac48b6c0402e153a4985293a8b
SHA256 53cf89630887f57dce68aa5c82a6f9fd2ba50168c94a4f127604b82b7df9ea8c
SHA512 50faf7ea84a5f98d669b1d9b5c0e3c2aef4e1afc9a1938da2f9c1f3bbadbd3f00e434ca1ab9b0e31c7757d512a2a08e72217af6219b67b866d4c8e03137628c6

memory/2844-110-0x000000013FFD0000-0x0000000140321000-memory.dmp

memory/2908-108-0x000000013FA50000-0x000000013FDA1000-memory.dmp

C:\Windows\system\wSgxCXv.exe

MD5 f2cd354debf5fcd35b0ee6750ce6b43f
SHA1 4339b40ef82d4e8dac3dada9f09e41bd463e77a6
SHA256 7b9569ebe275c3e86a41481c7ddecc6bd0f1c6c6052a4713a724a9ac41fa622b
SHA512 44bf97748236da0688df7f1fa8724863d3c3ace3ef4b940e4c5d393d0193627061d8f2897902ab691faafec6844c75ce8b3cf8f5e73c94dcf13cc59a039ac61b

memory/2760-106-0x000000013FF80000-0x00000001402D1000-memory.dmp

memory/2756-105-0x000000013F570000-0x000000013F8C1000-memory.dmp

memory/1908-103-0x0000000002360000-0x00000000026B1000-memory.dmp

memory/1908-102-0x000000013FD70000-0x00000001400C1000-memory.dmp

C:\Windows\system\osZAJSs.exe

MD5 2a6a49b56078caf376896d1d3166daac
SHA1 13944aa4e4aae65dea0a1aafcd2a539c7556bd9c
SHA256 662a406a2e37b8fceaa187653f0e949d81a6bc867849cfd44909effb9902fc12
SHA512 e79eaa0a22f6d9d9b0278bb62dba2302ba6034c333ae6b54fa2b917ebeee47aece07126b8677da86c04b5d2a7268278c3f39895202a60cde87acc603cd270c65

memory/1908-99-0x000000013F900000-0x000000013FC51000-memory.dmp

C:\Windows\system\CtpEjgB.exe

MD5 2f2e57bd872477210a7340c3f1888a91
SHA1 bc9065295839298f674f3435eb519af95151afae
SHA256 6de66c748a29b813e32eb1f34d9a8823c067a38b2b7cc6762dabb2220172ae4d
SHA512 d1af978cb7fbf316c8d958e931d3346b6b2551708e4d2ebe570d320671e5cc5e90b6c8bc461bc6d3e42399c5fabe3081b5711f2979f824242efc33368f264276

memory/1908-97-0x000000013FA50000-0x000000013FDA1000-memory.dmp

memory/1908-96-0x000000013FF80000-0x00000001402D1000-memory.dmp

memory/1908-95-0x000000013F570000-0x000000013F8C1000-memory.dmp

memory/2080-93-0x000000013FC10000-0x000000013FF61000-memory.dmp

C:\Windows\system\rxXCPLB.exe

MD5 7a642943fae4d17210fe9c3727d7e09c
SHA1 3f1fcb8fc51fc964dcd876d0f0c267c25a94b26a
SHA256 b4358efb6325b68a3cb22dae8bfff1615fa32d7957bf5dceb298c0b890e4b205
SHA512 10e2534bfe383f03b49daab3ada67fb78216d8e4806f77dd4cd40c07c94da24d13b48b5e4fb7f5985341979e345a2a639aa6849e896dc61ea77b0d7a057c6ddd

memory/1908-91-0x000000013F740000-0x000000013FA91000-memory.dmp

memory/1160-90-0x000000013F520000-0x000000013F871000-memory.dmp

memory/1908-89-0x000000013F480000-0x000000013F7D1000-memory.dmp

memory/1908-87-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

memory/1908-86-0x000000013F620000-0x000000013F971000-memory.dmp

C:\Windows\system\zsYRnVP.exe

MD5 62f1d23cbfe8b9a960983c459d69149d
SHA1 707eba6cf5d9e094196b83d27dd587e4c113a45a
SHA256 35e906a64f0622d5ac5f0fe1fa5e9e55f92d7500dd01909754b631c397885853
SHA512 d56468853002f12dd5fbd405094a8479bfdd3e74e1dd8560ac022c15fabf42add4e049de81a616ec4468ce73aed6a1d9bbc08fa2736b432b04f73d94e58f37af

memory/1908-84-0x000000013FFD0000-0x0000000140321000-memory.dmp

memory/1908-82-0x000000013F7C0000-0x000000013FB11000-memory.dmp

C:\Windows\system\AUyGpcG.exe

MD5 ffdfe9ca1aedcdbda5b63d166d3a6cc0
SHA1 7d6a28b9b6e542e8a5da425360384a8331c9d6fc
SHA256 705c9ca0aa6f832f9e7daa9a75653ab244f7396b63443d825d685d67d0e5e775
SHA512 cd7ae8d1be34541154c58624e0a8112319b4289a477945c923e599f04afa276a79e49f7d380d3b60c83e44f4c1461d1ad4b7bce6d674aec9eaac995939bd32ec

memory/1908-80-0x000000013F610000-0x000000013F961000-memory.dmp

memory/1908-45-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

memory/1908-38-0x000000013FC10000-0x000000013FF61000-memory.dmp

C:\Windows\system\iuwqlxB.exe

MD5 032edffb03c0091d4ad8af933d978183
SHA1 c966b12582fc0498e9c80ba15175844b0248c8d3
SHA256 079eee493c62338c8f3e67ae0996bb92b4bc8efc07beb14cd36fa03269e1af3b
SHA512 bf7f819b70f520178968c4af28a75455843a201076b45ce6a66602934da2ae54469026d8cb4270989c1f5ba1cd6362cfaba35d4b44c55518e324b1f271403641

memory/1908-29-0x000000013F520000-0x000000013F871000-memory.dmp

memory/2544-21-0x000000013FFC0000-0x0000000140311000-memory.dmp

memory/1908-70-0x0000000002360000-0x00000000026B1000-memory.dmp

memory/1908-63-0x000000013FFC0000-0x0000000140311000-memory.dmp

C:\Windows\system\SckhVTK.exe

MD5 941f0dc772223b9bd0b8c609ef0309ad
SHA1 bcfd52d1f29f7d0c700508c964348ee5e3ffd649
SHA256 92bf98b86fed3272ad2d5fccb94e74e369a52d066fb76a1f9433d683101296bc
SHA512 4073c05d30811efe9d5ca4ae734e8bfd6fd726bdfe6e48a4a79a35a012967ebeece8f8e97b333a9a0ad35e4f1ef3277f39c57a2a779b8e1b8b489401e42b42ab

memory/2568-138-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

memory/2500-136-0x000000013F130000-0x000000013F481000-memory.dmp

memory/2924-144-0x000000013F610000-0x000000013F961000-memory.dmp

memory/2880-142-0x000000013F1E0000-0x000000013F531000-memory.dmp

memory/2272-140-0x000000013F740000-0x000000013FA91000-memory.dmp

memory/2544-134-0x000000013FFC0000-0x0000000140311000-memory.dmp

memory/1908-133-0x000000013F100000-0x000000013F451000-memory.dmp

memory/2892-149-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

memory/2624-151-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/2204-154-0x000000013F390000-0x000000013F6E1000-memory.dmp

memory/2684-152-0x000000013F1E0000-0x000000013F531000-memory.dmp

memory/1984-150-0x000000013F900000-0x000000013FC51000-memory.dmp

memory/2632-148-0x000000013F620000-0x000000013F971000-memory.dmp

memory/2032-153-0x000000013F480000-0x000000013F7D1000-memory.dmp

memory/2916-146-0x000000013F7C0000-0x000000013FB11000-memory.dmp

memory/1908-155-0x000000013F100000-0x000000013F451000-memory.dmp

memory/1908-156-0x000000013F520000-0x000000013F871000-memory.dmp

memory/1908-157-0x000000013F100000-0x000000013F451000-memory.dmp

memory/1908-158-0x000000013FFD0000-0x0000000140321000-memory.dmp

memory/2544-203-0x000000013FFC0000-0x0000000140311000-memory.dmp

memory/1160-205-0x000000013F520000-0x000000013F871000-memory.dmp

memory/2080-207-0x000000013FC10000-0x000000013FF61000-memory.dmp

memory/2756-229-0x000000013F570000-0x000000013F8C1000-memory.dmp

memory/2100-209-0x000000013FFC0000-0x0000000140311000-memory.dmp

memory/2844-235-0x000000013FFD0000-0x0000000140321000-memory.dmp

memory/2760-231-0x000000013FF80000-0x00000001402D1000-memory.dmp

memory/2908-233-0x000000013FA50000-0x000000013FDA1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 11:48

Reported

2024-08-13 11:51

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\FvfmdqU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dqIHfCC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZMXwTHu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OXLbWFU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jPKRPCJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PTjMnMs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xZdMrVq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eEZdgdD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MzkSFkl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wUQBtWI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JPJYpmi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Lmiyqdm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jRGtBOI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SIFawRG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qUKGopp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sVJctfI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rUQzPix.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QBpevcS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EFGCoya.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nHNEimU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TYNERbj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3556 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SIFawRG.exe
PID 3556 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SIFawRG.exe
PID 3556 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eEZdgdD.exe
PID 3556 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eEZdgdD.exe
PID 3556 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qUKGopp.exe
PID 3556 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qUKGopp.exe
PID 3556 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QBpevcS.exe
PID 3556 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QBpevcS.exe
PID 3556 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sVJctfI.exe
PID 3556 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sVJctfI.exe
PID 3556 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZMXwTHu.exe
PID 3556 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZMXwTHu.exe
PID 3556 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MzkSFkl.exe
PID 3556 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MzkSFkl.exe
PID 3556 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EFGCoya.exe
PID 3556 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EFGCoya.exe
PID 3556 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OXLbWFU.exe
PID 3556 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OXLbWFU.exe
PID 3556 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rUQzPix.exe
PID 3556 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rUQzPix.exe
PID 3556 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wUQBtWI.exe
PID 3556 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wUQBtWI.exe
PID 3556 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jPKRPCJ.exe
PID 3556 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jPKRPCJ.exe
PID 3556 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Lmiyqdm.exe
PID 3556 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Lmiyqdm.exe
PID 3556 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jRGtBOI.exe
PID 3556 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jRGtBOI.exe
PID 3556 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JPJYpmi.exe
PID 3556 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JPJYpmi.exe
PID 3556 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PTjMnMs.exe
PID 3556 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PTjMnMs.exe
PID 3556 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FvfmdqU.exe
PID 3556 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FvfmdqU.exe
PID 3556 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nHNEimU.exe
PID 3556 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nHNEimU.exe
PID 3556 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xZdMrVq.exe
PID 3556 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xZdMrVq.exe
PID 3556 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dqIHfCC.exe
PID 3556 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dqIHfCC.exe
PID 3556 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TYNERbj.exe
PID 3556 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TYNERbj.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\SIFawRG.exe

C:\Windows\System\SIFawRG.exe

C:\Windows\System\eEZdgdD.exe

C:\Windows\System\eEZdgdD.exe

C:\Windows\System\qUKGopp.exe

C:\Windows\System\qUKGopp.exe

C:\Windows\System\QBpevcS.exe

C:\Windows\System\QBpevcS.exe

C:\Windows\System\sVJctfI.exe

C:\Windows\System\sVJctfI.exe

C:\Windows\System\ZMXwTHu.exe

C:\Windows\System\ZMXwTHu.exe

C:\Windows\System\MzkSFkl.exe

C:\Windows\System\MzkSFkl.exe

C:\Windows\System\EFGCoya.exe

C:\Windows\System\EFGCoya.exe

C:\Windows\System\OXLbWFU.exe

C:\Windows\System\OXLbWFU.exe

C:\Windows\System\rUQzPix.exe

C:\Windows\System\rUQzPix.exe

C:\Windows\System\wUQBtWI.exe

C:\Windows\System\wUQBtWI.exe

C:\Windows\System\jPKRPCJ.exe

C:\Windows\System\jPKRPCJ.exe

C:\Windows\System\Lmiyqdm.exe

C:\Windows\System\Lmiyqdm.exe

C:\Windows\System\jRGtBOI.exe

C:\Windows\System\jRGtBOI.exe

C:\Windows\System\JPJYpmi.exe

C:\Windows\System\JPJYpmi.exe

C:\Windows\System\PTjMnMs.exe

C:\Windows\System\PTjMnMs.exe

C:\Windows\System\FvfmdqU.exe

C:\Windows\System\FvfmdqU.exe

C:\Windows\System\nHNEimU.exe

C:\Windows\System\nHNEimU.exe

C:\Windows\System\xZdMrVq.exe

C:\Windows\System\xZdMrVq.exe

C:\Windows\System\dqIHfCC.exe

C:\Windows\System\dqIHfCC.exe

C:\Windows\System\TYNERbj.exe

C:\Windows\System\TYNERbj.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 84.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 52.111.229.48:443 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/3556-0-0x00007FF7AAF20000-0x00007FF7AB271000-memory.dmp

memory/3556-1-0x0000026C73F70000-0x0000026C73F80000-memory.dmp

C:\Windows\System\SIFawRG.exe

MD5 dd59237e78c549fe65935cce16952beb
SHA1 8f7733a07e656ebd55eef2ca3cead8c91949717b
SHA256 4ac79ff208ba82babd2de67109ea9c96a56bf68e5311c036fb95c922a970adb0
SHA512 2f48b9f6d6dea36145dd9bef294964c49e9c330327e62dec0ea3957980faf8f642fdeb196f4d17c6c02904077dc742fbb0c24c2e17e45825240c486ab6832bdc

memory/436-7-0x00007FF6CFF00000-0x00007FF6D0251000-memory.dmp

C:\Windows\System\eEZdgdD.exe

MD5 20c458549410c60e728eea47aef12f98
SHA1 1782059bbffaee8d469e04a4208d3141b2bfe7c7
SHA256 7cea72ad63f588be9e3fa37fed6f581b89bf17f18f8f49127f3c8c11fabc9386
SHA512 f4ab0777f3ed93cb7e2fd28da7463be11e8c431d9d6fe19cebbd73457392f3ca6d055d5e89e8e3f461a1f5a485a4462a5cfaeebb79ee45c40c07d1ad5130a86e

C:\Windows\System\qUKGopp.exe

MD5 640b089cd777964956ad4460292fa77e
SHA1 fc7069e5c1116dca54574999f435d3dde3b429cf
SHA256 9ad1aae9b832b1978e4b1cca1944471f0d87f2ba4c92c3a574e72370a5c88134
SHA512 76dbf70e5bff49bede9e61ccb5a99450194fe4fca5ab252d8ba4c3f158ec87931f37a525919e00797f76ca926cf7d61c407326c941da8745554596268901414c

memory/4688-16-0x00007FF6BC250000-0x00007FF6BC5A1000-memory.dmp

C:\Windows\System\QBpevcS.exe

MD5 f5db597cdc3c2e8fc7a5ec84e576d063
SHA1 ea358447cd5f57d4606d34cf9f3f6d98b900d2b3
SHA256 46fca46074dcab80ebb3f4f8ed4881c1d8f8e9465bbafb64f60b0e104df59275
SHA512 5af4fcee0aa20dec66a3020a8b03a703eb8bd5c452a785a875187ffacb64d1c4ad8eec7e682cd494ca1b471ca6524247a831e99d7a1d8bdd35e0872d280f1974

memory/3088-22-0x00007FF66E4E0000-0x00007FF66E831000-memory.dmp

C:\Windows\System\sVJctfI.exe

MD5 b0e0357d43b3ace59259b9e2834c76f6
SHA1 880381125bfa14c5fe67751fece2d7da94fbf9c0
SHA256 0e4e2089a264f78fda9647ff276c3dacbff3c4f1ad711eaebd5d375ff778c99e
SHA512 ffbcb400109c540bf21886ad261261c5bbeaedc2c82ce2cbd143801163188ad85531ffa40a09fed9c99c37877a37fdb4682118eb436028182ca157dc35b9af60

C:\Windows\System\MzkSFkl.exe

MD5 59bc3b6d79ff274898dd3cb1dce5432e
SHA1 5f0cfc29f757c521d8a25bcfbdacb8bb5daf9d52
SHA256 2c914dfc67436300cdab2329fe552607dd636fc2d20254084d8ca628c9981abf
SHA512 2b641c7cf93daaa2b8d9e09d337b95aa553afca2ccd18d7a6bff992234bf8bde9b59112e62e4cc90aded7c3f53087e89fb4581e11aeb7d83a7c5e7ad0a8acf96

C:\Windows\System\EFGCoya.exe

MD5 2baeaa55981dadbc0edbdd178eaae4c8
SHA1 b40d72ab1510569cc3bfb23b70ef3a875998f2a2
SHA256 12e2927855cd4fbd3d3d0f8d3d0803e12d1fe017b2de0a04b1ae057a5b69f549
SHA512 4118c1598d99a1953c06499b99e8ccbb35d9dfdd42cc81a6f4fe743967419616b55a66fcaf555f223892aece73d189b5bca57e8c0c27cc847a04efd91d80eae1

memory/2180-52-0x00007FF62E5D0000-0x00007FF62E921000-memory.dmp

memory/2252-60-0x00007FF600BD0000-0x00007FF600F21000-memory.dmp

C:\Windows\System\Lmiyqdm.exe

MD5 923bf372d1c56607f12a2eeac2d23986
SHA1 50f63862c3d32ec319fbb520d1985d6e910fcb27
SHA256 d39e4bb2cd7fd608290d98c378162a50e84f8486dc72956f90889012a5c40055
SHA512 27dd8f7531a30bdfd5190ab8a43f72bfb926eac617d04c97eb86cb95b82c0a62e11221f09e921911b88f66606cd8ecdf907751ad46700c83d0c27e48baff7f4b

C:\Windows\System\wUQBtWI.exe

MD5 02fc85cbe95832e58978573fbb135603
SHA1 20f029b9f61864fd91e0af064a0bc9bd7be38e83
SHA256 2d02809712238b4d1b3be115b268658cdd362a9adcb0182818977dd88e0e26ad
SHA512 86a5ae5fd522fd1aa18dc19bf287c50b00a5706c6c2ae409a2d8c02cd812a6503f17f45d8fd4e0a6daa35def1fd7aba2f55b24a86d7811b70d74afdb5e283fd5

memory/4612-80-0x00007FF6C2380000-0x00007FF6C26D1000-memory.dmp

memory/4472-89-0x00007FF781EC0000-0x00007FF782211000-memory.dmp

memory/4288-93-0x00007FF6B57E0000-0x00007FF6B5B31000-memory.dmp

C:\Windows\System\PTjMnMs.exe

MD5 b49eca0f463c0158bb46c98fcbc1f978
SHA1 4a5a49259387540cd4ff679d1bfbeb650746f8f8
SHA256 1ef71c23361854f14e9867a6c2d2bfa58b154d07b55aacd82185ceb5f3d5979e
SHA512 2fe1db7dad578cc2a8e5e5bf314f8e550a9dd89a1182a3307b86a91928117d42882277c251ec3ef4ea38e3e1f76bf26af5d95e23dd95c70c73d537f70920f53f

C:\Windows\System\JPJYpmi.exe

MD5 612c2f9f3ff1b093355164a0d05d3a59
SHA1 77c9e27bafd8293e1d56cc52367eb0c44bdc24a2
SHA256 56848f5dbd4cf4b7c3a6ba4bd85da74200599027975231d1b3b82f8f2fa34845
SHA512 cb0b0b3b35965bd3c8711ddd264244fc4d890bd3874792476a4853a3fe16a50450c14d3937fd947c06b7dabf2a3db0c9666d25e66293684eb90d178f456ae40a

memory/2012-94-0x00007FF7630B0000-0x00007FF763401000-memory.dmp

C:\Windows\System\jRGtBOI.exe

MD5 918bde73501ea50c73c334a10cd7615f
SHA1 55dc3a1ad5cf48e86b37ba3522aac17a12f98af2
SHA256 9abde8182ceaf73dd94e078ec596a4f5cc89e76a9887f049191ab179111adde7
SHA512 25daf7ad414021890f838e878a4c70a143dac2650fd9eb79a254054c4d579c1011eddef3af49d38e8a8c32f24ced95e4a771c0cc069da13f2cba0b04ac4385c6

memory/1268-90-0x00007FF7FAC50000-0x00007FF7FAFA1000-memory.dmp

memory/216-76-0x00007FF600290000-0x00007FF6005E1000-memory.dmp

C:\Windows\System\rUQzPix.exe

MD5 5d040ff44ced22c3057b0c509991f931
SHA1 24ad13a8e32f1b8dfcb9c9c2224a467f1afcfd2d
SHA256 27946c3a9a574f0e35ba3700c37058fd0eb04e39b9f411e666db7a95d5677f5e
SHA512 097863f570bfee45e6c25c1ba641e90d919d3117f39ad28f1938f471679a3f90b2085337faaa9a4b6c9dbc8033ec680cda21edffab72d5b09fefc57cbb1f0b92

memory/4240-68-0x00007FF7E9FA0000-0x00007FF7EA2F1000-memory.dmp

C:\Windows\System\jPKRPCJ.exe

MD5 e0fd0a726630ba670c0c2b5f1d66e6d8
SHA1 50eefe82b079c3ce3f1316fd306750c230b5b966
SHA256 0208c604b9a0dde206f9eaa0162a90ebd2c8f04680943e34d6049b8e91d673d3
SHA512 2d7349a61f2d05a41c578f8f2a89bd90661cf8ba0c683150b0af2dd1efe2bcf27065d437b8f4976470d60f1fc086944e94e9d7e8de4794f3c672728356b3e2b7

memory/3552-61-0x00007FF7FD550000-0x00007FF7FD8A1000-memory.dmp

C:\Windows\System\OXLbWFU.exe

MD5 96e0854aa1d2def083368d1651d651a9
SHA1 da4cb8784d20cc55deda3512da2e5c604d4c7fca
SHA256 96ec1ebe21237cf4710aff79d80b2c89391bc9ee4db51581144e1ca06f97e560
SHA512 d09032cb46037a5c0b794d1c1a1acf5b707d2f876708472848b8d595b109c7d7bd97b2961bbd3ce091572b91d713a58a592507ebfdb67acd527dd96f802c613a

memory/4736-48-0x00007FF702B20000-0x00007FF702E71000-memory.dmp

C:\Windows\System\ZMXwTHu.exe

MD5 aacae323a71239b415bdd8a602d724c3
SHA1 3b96b504949fd408975019fa39a35adf143ecfdf
SHA256 b3ecf60748a02a0f42b2aa5fd78ea7cfff6d5235364b94c0dd522a8ecd8a2259
SHA512 3b4c136432cc95751aa44a8512a0b9f87c8219d35326aa68f7dc337dafd4569b894853b13f81b6fdcacc33f4c23502a6ad28d5f4057327956b98948a155f1710

memory/4504-35-0x00007FF7DFCD0000-0x00007FF7E0021000-memory.dmp

memory/4968-28-0x00007FF6ADC60000-0x00007FF6ADFB1000-memory.dmp

C:\Windows\System\FvfmdqU.exe

MD5 8d4e7332df1b61b9a672e86b8bc7aa5c
SHA1 3383b3d1ab4ea2f4e8c6942f6f42be8b513a3c60
SHA256 591917ad44782b2b385b1aa1394580cb7dcf98682ca2b876ecfe434da2a936ee
SHA512 c2c8e5e148f3f4d959544c3c1aa4bde88c7b52425772d34d8ce0e7361bd5bae0cadcdcdc3498a64401f8fcd2ad40ca69464134b286db6a8899de0154e8af5869

C:\Windows\System\nHNEimU.exe

MD5 ff7f088ecf4d21281af06fac2f6097ab
SHA1 4c10ca6966409f1c0bbfb51bf03da1ded96d4664
SHA256 44312baa7cc133a7271494018bd149a3474ec6d4fb128cb6c7a0baf4d3e04390
SHA512 82b63a78145feb72810f2f1eae34def9592f922d9858ab9ab4d005b1dfa797a7b0b93ae3da3dbb3dc48cf08b9d5a2183254e103d09824c61e10bbab861e3b617

C:\Windows\System\xZdMrVq.exe

MD5 e0e50cfe59ae3ddb321845d088444d6f
SHA1 04e44b86f701e5b2e0e50076a853ac35c6242c47
SHA256 f0d72207841dd39b4cd493423e4674bafabc529b088e635ab7c2a6c1b566ede5
SHA512 37e8998801e89688d9ff608a8141158842ff5de444a97dcb3b9083fe63bdf012af767a93dff035d08c610d50534ffc5feb412c20c536539a15a4f1724a22db2e

C:\Windows\System\TYNERbj.exe

MD5 a45b28a521b5e14fa39796a9d35f7f8b
SHA1 3eaa22969d2e717e3f4711902433c1d506448583
SHA256 ded72261c3983e5594e6b10a22ec3da84973c42dcb8ad98ad3c5b5f5448794de
SHA512 eeed89f0481bfe518455ce6f5b20835f3de046d61de8930875070f8661c28582840aac9755d98efa93f0e0480043806b8c33379a7140939e5656fe65d4b33e1b

memory/968-120-0x00007FF7F0930000-0x00007FF7F0C81000-memory.dmp

memory/4688-129-0x00007FF6BC250000-0x00007FF6BC5A1000-memory.dmp

memory/1384-130-0x00007FF626610000-0x00007FF626961000-memory.dmp

memory/436-128-0x00007FF6CFF00000-0x00007FF6D0251000-memory.dmp

memory/4776-127-0x00007FF6C3650000-0x00007FF6C39A1000-memory.dmp

C:\Windows\System\dqIHfCC.exe

MD5 8014cf5dac5aa278227d4069db4d6b15
SHA1 24878b6d0eb693f854f9a9935f2a0bd0fada0431
SHA256 687f4f0f13f0b5c62271ff26bb6535f079076d85732608f0285704e5cb8e25c5
SHA512 bf9c76b39a37134c8625d50194b2c7281391612439afa6a11bb0dee0d862975c8af19030f8e4b4b3db60cd1927f3f35a74179a1b704aa729a3d1ba9eaec992bc

memory/1592-121-0x00007FF70D830000-0x00007FF70DB81000-memory.dmp

memory/2540-114-0x00007FF72CB20000-0x00007FF72CE71000-memory.dmp

memory/3556-111-0x00007FF7AAF20000-0x00007FF7AB271000-memory.dmp

memory/4968-132-0x00007FF6ADC60000-0x00007FF6ADFB1000-memory.dmp

memory/4736-134-0x00007FF702B20000-0x00007FF702E71000-memory.dmp

memory/2012-143-0x00007FF7630B0000-0x00007FF763401000-memory.dmp

memory/1268-144-0x00007FF7FAC50000-0x00007FF7FAFA1000-memory.dmp

memory/4288-142-0x00007FF6B57E0000-0x00007FF6B5B31000-memory.dmp

memory/4472-141-0x00007FF781EC0000-0x00007FF782211000-memory.dmp

memory/4240-139-0x00007FF7E9FA0000-0x00007FF7EA2F1000-memory.dmp

memory/2252-136-0x00007FF600BD0000-0x00007FF600F21000-memory.dmp

memory/4504-133-0x00007FF7DFCD0000-0x00007FF7E0021000-memory.dmp

memory/3552-137-0x00007FF7FD550000-0x00007FF7FD8A1000-memory.dmp

memory/3556-146-0x00007FF7AAF20000-0x00007FF7AB271000-memory.dmp

memory/1592-152-0x00007FF70D830000-0x00007FF70DB81000-memory.dmp

memory/4776-153-0x00007FF6C3650000-0x00007FF6C39A1000-memory.dmp

memory/3556-168-0x00007FF7AAF20000-0x00007FF7AB271000-memory.dmp

memory/436-200-0x00007FF6CFF00000-0x00007FF6D0251000-memory.dmp

memory/4688-203-0x00007FF6BC250000-0x00007FF6BC5A1000-memory.dmp

memory/3088-204-0x00007FF66E4E0000-0x00007FF66E831000-memory.dmp

memory/4968-206-0x00007FF6ADC60000-0x00007FF6ADFB1000-memory.dmp

memory/2180-210-0x00007FF62E5D0000-0x00007FF62E921000-memory.dmp

memory/4504-208-0x00007FF7DFCD0000-0x00007FF7E0021000-memory.dmp

memory/4736-212-0x00007FF702B20000-0x00007FF702E71000-memory.dmp

memory/3552-225-0x00007FF7FD550000-0x00007FF7FD8A1000-memory.dmp

memory/2252-226-0x00007FF600BD0000-0x00007FF600F21000-memory.dmp

memory/4612-230-0x00007FF6C2380000-0x00007FF6C26D1000-memory.dmp

memory/4240-229-0x00007FF7E9FA0000-0x00007FF7EA2F1000-memory.dmp

memory/4288-232-0x00007FF6B57E0000-0x00007FF6B5B31000-memory.dmp

memory/4472-236-0x00007FF781EC0000-0x00007FF782211000-memory.dmp

memory/216-235-0x00007FF600290000-0x00007FF6005E1000-memory.dmp

memory/1268-240-0x00007FF7FAC50000-0x00007FF7FAFA1000-memory.dmp

memory/2012-239-0x00007FF7630B0000-0x00007FF763401000-memory.dmp

memory/2540-242-0x00007FF72CB20000-0x00007FF72CE71000-memory.dmp

memory/968-244-0x00007FF7F0930000-0x00007FF7F0C81000-memory.dmp

memory/1592-248-0x00007FF70D830000-0x00007FF70DB81000-memory.dmp

memory/4776-247-0x00007FF6C3650000-0x00007FF6C39A1000-memory.dmp

memory/1384-250-0x00007FF626610000-0x00007FF626961000-memory.dmp