Malware Analysis Report

2025-03-15 08:03

Sample ID 240813-pammyaxcnk
Target 2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat
SHA256 08746a846e8fc37f3cfbac834eed7bf9412606e81d41582889bdc6d4e73f9792
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

08746a846e8fc37f3cfbac834eed7bf9412606e81d41582889bdc6d4e73f9792

Threat Level: Known bad

The file 2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike family

Cobaltstrike

xmrig

Cobalt Strike reflective loader

Xmrig family

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-13 12:07

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
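The two static verdicts above, "UPX packed file" and "Unsigned PE", can be reproduced from the PE headers alone. The Python below is an added example and not the sandbox's own rule logic (which the page does not show): it walks the DOS header, COFF header, optional header and section table with nothing but the standard library, flags the UPX0/UPX1 section names that the packer leaves behind, and reads the security data directory (entry 4) to decide whether an Authenticode blob is embedded. It builds a constructed PE32+ stand-in so it runs without the sample; the section layout, entry point and file sizes of that stand-in are assumptions, not values from the report.

```python
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # Authenticode certificate table
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}


def parse_pe(data: bytes) -> dict:
    """Read just enough of the PE headers for the two checks; ValueError on non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at 92, data directories at 96
        nrva_off, dd_off = 92, 96
    elif magic == 0x20B:      # PE32+: NumberOfRvaAndSizes at 108, data directories at 112
        nrva_off, dd_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    security = (0, 0)
    if nrva > IMAGE_DIRECTORY_ENTRY_SECURITY:
        security = struct.unpack_from("<II", data, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    first_section = opt + opt_size
    names = [struct.unpack_from("<8s", data, first_section + 40 * i)[0].rstrip(b"\0")
             for i in range(nsections)]
    return {"machine": machine, "sections": names, "security_dir": tuple(security)}


def triage(data: bytes) -> dict:
    """The two static checks: UPX section names present, embedded Authenticode signature absent."""
    info = parse_pe(data)
    off, size = info["security_dir"]
    return {
        "sections": [n.decode("latin-1") for n in info["sections"]],
        "upx_packed": any(n in UPX_SECTION_NAMES for n in info["sections"]),
        # An empty security directory means no embedded signature. Catalog-signed Windows
        # binaries also show zeros here, so read "unsigned" as "no embedded Authenticode blob".
        "unsigned": off == 0 or size == 0,
    }


def build_sample_pe(section_names, signed: bool) -> bytes:
    """Constructed PE32+ test input (assumed layout, not the sample from the report)."""
    nsec, opt_size = len(section_names), 240
    headers_end = 0x40 + 4 + 20 + opt_size + 40 * nsec
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)             # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, nsec, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                             # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                              # NumberOfRvaAndSizes
    if signed:   # point the security directory at a dummy certificate blob after the headers
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, headers_end, 0x100)
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0, 0, 0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(section_names))
    return dos + b"PE\0\0" + coff + bytes(opt) + secs + (b"\0" * 0x100 if signed else b"")


if __name__ == "__main__":
    data = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_sample_pe([b"UPX0", b"UPX1", b".rsrc"], signed=False))
    print(triage(data))
```

Run it with a file path to triage a real binary; without one it triages the constructed stand-in. Renamed UPX sections defeat the name check, which is why sandboxes pair it with entropy and the UPX stub signature; the security-directory check is the one that backs "Unsigned PE".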

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 12:07

Reported

2024-08-13 12:10

Platform

win7-20240705-en

Max time kernel

142s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 matches; no description, indicator, process or target was extracted for any of them)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(41 matches; no description, indicator, process or target was extracted for any of them)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
(21 identical rows: every load was attributed to the main sample process, but the loaded DLL paths were not extracted)

UPX packed file

upx
Description Indicator Process Target
(62 matches; no description, indicator, process or target was extracted for any of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\BnxAhLr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IROpedw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hifaLUw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aQrElqJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uRoOtnp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\afMkbfw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mDbdLBi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cPOHMzy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HAZEcYA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sraMsBV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ipIjVzM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qqPQEtH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ImsKJSY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nSSDWNC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zQffceQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iklXESs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jvyRBac.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TIWYqqX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kZoTyza.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pKvwIgS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iTOmbKS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 448 wrote to memory of 1988 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aQrElqJ.exe
PID 448 wrote to memory of 1708 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zQffceQ.exe
PID 448 wrote to memory of 2124 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uRoOtnp.exe
PID 448 wrote to memory of 2168 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iklXESs.exe
PID 448 wrote to memory of 660 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jvyRBac.exe
PID 448 wrote to memory of 2768 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qqPQEtH.exe
PID 448 wrote to memory of 2852 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HAZEcYA.exe
PID 448 wrote to memory of 3012 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\afMkbfw.exe
PID 448 wrote to memory of 2708 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BnxAhLr.exe
PID 448 wrote to memory of 2756 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sraMsBV.exe
PID 448 wrote to memory of 2748 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ipIjVzM.exe
PID 448 wrote to memory of 2596 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ImsKJSY.exe
PID 448 wrote to memory of 1156 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kZoTyza.exe
PID 448 wrote to memory of 2620 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pKvwIgS.exe
PID 448 wrote to memory of 2588 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iTOmbKS.exe
PID 448 wrote to memory of 2648 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IROpedw.exe
PID 448 wrote to memory of 2616 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mDbdLBi.exe
PID 448 wrote to memory of 2504 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cPOHMzy.exe
PID 448 wrote to memory of 1788 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nSSDWNC.exe
PID 448 wrote to memory of 2064 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hifaLUw.exe
PID 448 wrote to memory of 2156 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TIWYqqX.exe
(the raw report lists each of the three write events per child as its own row; 63 rows in total, 21 distinct child processes)
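The "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" tables describe one loop: PID 448 writes 21 executables with random seven-letter names into C:\Windows\System\, starts each one, and writes into its memory. The Python below is an added example, not tooling from the page or the sandbox: it parses rows in the report's own "Description Indicator Process Target" layout, collapses the repeated write rows with a set, joins the drops to the write targets by image path, and flags a writer that injected into at least five of its own freshly dropped, random-named files. The rows it parses are rebuilt from the paths and PIDs in the two tables above; the five-target threshold and the "seven letters plus .exe" name pattern are assumptions chosen to fit what this detonation shows.

```python
import re
from collections import defaultdict

# Paths and PIDs copied from the behavioral1 tables; the row text is rebuilt in the report's layout.
PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe")
DROPPED = ["BnxAhLr", "IROpedw", "hifaLUw", "aQrElqJ", "uRoOtnp", "afMkbfw", "mDbdLBi",
           "cPOHMzy", "HAZEcYA", "sraMsBV", "ipIjVzM", "qqPQEtH", "ImsKJSY", "nSSDWNC",
           "zQffceQ", "iklXESs", "jvyRBac", "TIWYqqX", "kZoTyza", "pKvwIgS", "iTOmbKS"]
WRITES = [(1988, "aQrElqJ"), (1708, "zQffceQ"), (2124, "uRoOtnp"), (2168, "iklXESs"),
          (660, "jvyRBac"), (2768, "qqPQEtH"), (2852, "HAZEcYA"), (3012, "afMkbfw"),
          (2708, "BnxAhLr"), (2756, "sraMsBV"), (2748, "ipIjVzM"), (2596, "ImsKJSY"),
          (1156, "kZoTyza"), (2620, "pKvwIgS"), (2588, "iTOmbKS"), (2648, "IROpedw"),
          (2616, "mDbdLBi"), (2504, "cPOHMzy"), (1788, "nSSDWNC"), (2064, "hifaLUw"),
          (2156, "TIWYqqX")]


def report_rows():
    """Rebuild the two tables as raw text rows; the raw report repeats every write row three times."""
    rows = [f"File created C:\\Windows\\System\\{n}.exe {PARENT} N/A" for n in DROPPED]
    for pid, n in WRITES:
        rows += [f"PID 448 wrote to memory of {pid} N/A {PARENT} C:\\Windows\\System\\{n}.exe"] * 3
    return rows


DROP_RE = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+) \S+$")
WRITE_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ (?P<proc>\S+) (?P<target>\S+)$")
RANDOM_EXE_RE = re.compile(r"^[A-Za-z]{7}\.exe$")        # assumed pattern for the dropped names
WINDOWS_SYSTEM_DIR = "c:\\windows\\system\\"             # deliberately not System32


def parse(rows):
    """Return (creating image -> created paths, (writer pid, image) -> {(target pid, target image)})."""
    drops = defaultdict(set)
    writes = defaultdict(set)          # a set, so the three identical rows per child count once
    for row in rows:
        m = DROP_RE.match(row)
        if m:
            drops[m["proc"]].add(m["path"])
            continue
        m = WRITE_RE.match(row)
        if m:
            writes[(int(m["src"]), m["proc"])].add((int(m["dst"]), m["target"]))
    return drops, writes


def is_random_system_exe(path):
    folder, _, name = path.lower().rpartition("\\")
    return folder + "\\" == WINDOWS_SYSTEM_DIR and RANDOM_EXE_RE.match(name) is not None


def drop_and_inject(drops, writes, min_targets=5):
    r"""Flag a writer that wrote into >= min_targets processes whose images it created itself
    under C:\Windows\System\ with a random-looking seven-letter name."""
    findings = []
    for (pid, image), targets in writes.items():
        own = drops.get(image, set())
        own_targets = {t for _, t in targets if t in own}
        suspicious = {t for t in own_targets if is_random_system_exe(t)}
        if len(suspicious) >= min_targets:
            findings.append({"pid": pid, "image": image, "dropped": len(own),
                             "targets": len(targets), "own_drops_targeted": len(own_targets),
                             "random_named": len(suspicious)})
    return findings


if __name__ == "__main__":
    drops, writes = parse(report_rows())
    for finding in drop_and_inject(drops, writes):
        print(finding)
```

The join on image path is what separates this from a plain "wrote to another process" alert: installers and updaters also write files under C:\Windows and spawn them, but not 21 random-named ones that the same process then writes into. The same correlation works on Sysmon event 11 (file create) and event 10 (process access) if the regexes are swapped for those field names.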

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\aQrElqJ.exe

C:\Windows\System\aQrElqJ.exe

C:\Windows\System\zQffceQ.exe

C:\Windows\System\zQffceQ.exe

C:\Windows\System\uRoOtnp.exe

C:\Windows\System\uRoOtnp.exe

C:\Windows\System\iklXESs.exe

C:\Windows\System\iklXESs.exe

C:\Windows\System\jvyRBac.exe

C:\Windows\System\jvyRBac.exe

C:\Windows\System\qqPQEtH.exe

C:\Windows\System\qqPQEtH.exe

C:\Windows\System\HAZEcYA.exe

C:\Windows\System\HAZEcYA.exe

C:\Windows\System\afMkbfw.exe

C:\Windows\System\afMkbfw.exe

C:\Windows\System\BnxAhLr.exe

C:\Windows\System\BnxAhLr.exe

C:\Windows\System\sraMsBV.exe

C:\Windows\System\sraMsBV.exe

C:\Windows\System\ipIjVzM.exe

C:\Windows\System\ipIjVzM.exe

C:\Windows\System\ImsKJSY.exe

C:\Windows\System\ImsKJSY.exe

C:\Windows\System\kZoTyza.exe

C:\Windows\System\kZoTyza.exe

C:\Windows\System\pKvwIgS.exe

C:\Windows\System\pKvwIgS.exe

C:\Windows\System\iTOmbKS.exe

C:\Windows\System\iTOmbKS.exe

C:\Windows\System\IROpedw.exe

C:\Windows\System\IROpedw.exe

C:\Windows\System\mDbdLBi.exe

C:\Windows\System\mDbdLBi.exe

C:\Windows\System\cPOHMzy.exe

C:\Windows\System\cPOHMzy.exe

C:\Windows\System\nSSDWNC.exe

C:\Windows\System\nSSDWNC.exe

C:\Windows\System\hifaLUw.exe

C:\Windows\System\hifaLUw.exe

C:\Windows\System\TIWYqqX.exe

C:\Windows\System\TIWYqqX.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
(the same destination appears six times: six TCP connections to 3.120.209.58:8080, no domain name recorded)

Files

memory/448-0-0x000000013F130000-0x000000013F481000-memory.dmp

memory/448-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\aQrElqJ.exe

MD5 21b9643bbf7d74231955e9a090fd527c
SHA1 13a588743db2d088d1287ae5457cf916490e368b
SHA256 4f499bd98e363210710a0cec150c9ba13ea8803e1a3beb9e565243809d809fef
SHA512 a3db8b90e70a9a339cce13f19dbaf19e7d4706fa3fdea9581a3e578d655c5f21cebcebf5056b67dd61a26788c0f946ddb866c255e3c56678fb7656dabe39e5dc

C:\Windows\system\zQffceQ.exe

MD5 84857d4124413079733e03e52ba0797c
SHA1 4a7a53f5fef4bde530c6fff9407b1d88f395dea2
SHA256 ec222732364aeddbc94a028b313bea79cea2d8a6247281d6bba08ec572bee14e
SHA512 31b09d51ca23d3d0c08d4bc7ae00092f12b53b5aa25b3db3505bc69d39976678da9320931f900259866c4ffe680881363c1adc735a14063b8049810ac7bf7427

\Windows\system\uRoOtnp.exe

MD5 dc8b802a4c73d2432cb4d93c085e399c
SHA1 5c0995df8bc310ecf5b0cb218ed4d2464da23ed2
SHA256 0a015403cb0162aca0c989a6e76bc6e2c005a79525ca31c553a26183719d6ab0
SHA512 ca8b107c23d5f07c6c44c370a127dfc9acc330d61c5d5bf463bb90ae10d7ff9746aaa3f197d436fd28c1ae3d7f3fe6aaa4d38f65e54010fb3dc037a948501f7a

memory/1988-16-0x000000013FB40000-0x000000013FE91000-memory.dmp

C:\Windows\system\qqPQEtH.exe

MD5 6c7fd8079c6913d0e1c5d40ce5a42f1d
SHA1 a4158357fae2aa456acac4d6b9350ae91e95c117
SHA256 90037f1f403abf08cae82ee9008df1f55fb226589e528e9a88b77d6beaab1074
SHA512 8036da322d951124156fff945d0b12dbdf4f0b169bae93b3597a543e94d8ff1b4ec2e0c79092ef704a79f28f378d92e817028d7c6af2e4b11cf0a9d700d1629d

C:\Windows\system\HAZEcYA.exe

MD5 0549d87c1cf2f124a3c5b689445f7ffb
SHA1 f3a9628d696311d108d13aa73c8fd25fdf85541a
SHA256 d446946c0d3a2d11773e007eb9bde86b76ce06aa8ba12ec7dd54ac653dddafd6
SHA512 15dc4a099828420c7c271e4dbedfc3468e1a9b3814be370c59dc2298bee40cb5b695f44c3454c04b75893014e94d8882a6f130d5dfbd8823826938f51429e098

C:\Windows\system\sraMsBV.exe

MD5 fefbe08cc58fca5b5f2ba76d0b214595
SHA1 aac0c3696661ecb68edd1310f63ddd8101335c87
SHA256 edb0cbf4e830d9fbce422be9f665423dfc8201432d31b61370a424a23779d04d
SHA512 afb80d1e78c0a92b90b96f2a6a461c438d7acbf92d03b659c33dfa2f59e4be3b7cbc3d1457fb0e4a3927407f7db98c5565eb857f0d1cae07d1fd23b2232903a7

C:\Windows\system\iTOmbKS.exe

MD5 bef6a8229c6e334a2064de61fafb5483
SHA1 b26a29688e7e673ceac68ff87b5ed17715ba6325
SHA256 338a5c37118c2a832de1dd6364b000d60d4af9d757ed278b405d25deb1a4b3a5
SHA512 971141c83f12f1b2ee2959dbf1c03e48be410e6baa15079264cf29bf1ea75ad96af8f712a9c1bd5120d8d9b540d8546d1ee6fcea81297e2b8ef8ca7933a46080

C:\Windows\system\mDbdLBi.exe

MD5 d1d65c8eb5aa20eaae014584a2ccef72
SHA1 f66047859c8047ad483c82d26a7166c6b6e1434c
SHA256 77905d09a4dbad954fd89db479698f869193427241d8f4580a64c645b9ea9009
SHA512 5e9eea4562652956ed8d06d68412e54fc7dad10e6677a14015632e294ffe48612aa9f6c84b769646c1878e71eac1c7d44f5404103ef624a5972f7f65f72f7a97

C:\Windows\system\TIWYqqX.exe

MD5 038d0678b6840570fa9cc0a25272830d
SHA1 939ea5629a77ace4c9b386dbf070fa8a4b734d5b
SHA256 02c281f469e511ab06fea69f4d432ba9728039a00a3c2884a260c6bfb3dc4db5
SHA512 3efac48332a754e96dca8ded1180495057047e47ad3f9cacfbe1f28a24efc12fd0ef49e723727a3b1c0efaec4ea51f396c645c45d547f24b0f89f2be49fa937a

C:\Windows\system\hifaLUw.exe

MD5 468c25e92dc9d1d67857bc2c411f2c8f
SHA1 e7d2f5f4b4900250c606bcdd8f8fe698477c1c30
SHA256 0c90b29f8cd9fb01a136f3b04c794bac7a059e2eca91553bd69d5a914991f8b6
SHA512 f8149d9da66af44a2bd4b68e1e495d145e1695a186923ad1f6c1ca7a4f3ddba7c6abd92dcdb685af7ce76260fa506d6def7107ece8fb98735effc952d2b76df7

C:\Windows\system\nSSDWNC.exe

MD5 a24bae3b9ef3305f46b24b03a5a46e0e
SHA1 20baef6542ff59cd97a0dc58c116f7ed02f13085
SHA256 bb48712db491e788eecf6a801ce9a623419662c0c0431e8fc74ce5ec55f9bf2c
SHA512 45f41e90c2163dc06fae5cf2963d2b82ada02736057e9f26015bdb44e6d8fbeba4ca6dd71effc8f7acc9a6800ed15219919c415506c06c202e5d90162f550d45

C:\Windows\system\cPOHMzy.exe

MD5 4261cbb720f34bcfeb1e8353ceed5eb9
SHA1 6f9d95e4541f5ae500a2824b489b2625ab45889b
SHA256 56d679ec313dbd0e034ac41957a052743b618ca2e6ca074b22e0abd92ff7a091
SHA512 a26329eeb15153583ba71f1d8a1bc5e58aabe30166b378d416ea50fdbde9b137fb5e9241d9de4226ae9a555202f532c9f146ba322e511f717ada3dec93a84787

memory/2124-110-0x000000013FE20000-0x0000000140171000-memory.dmp

memory/448-109-0x000000013FE20000-0x0000000140171000-memory.dmp

memory/1708-108-0x000000013F280000-0x000000013F5D1000-memory.dmp

C:\Windows\system\IROpedw.exe

MD5 9aa8f2b60d98fd9fd741ba477f0ef938
SHA1 acdb84c5b5e30af2228ed7be136f34cf82cd06e2
SHA256 0c4076cb2b3d584e4de6137231c24afd7c761c17ddcfeb2cac07361e79db2463
SHA512 96622e569e298ed484aaceb4450849531b636507da5117ae5893839d830566d72f7bcdee97fe019b6b9df5639415b0dabc1593d005d7f1dd8df8820b364bfed3

C:\Windows\system\pKvwIgS.exe

MD5 1187136bdfbeaf02752e5c80e43071ea
SHA1 d515e01802ce5ecfaab270b19d86367e5cf3bddc
SHA256 c1a1a320a4b1dad71dd3b68d8a9e031b59a69da3c2e3e2b46cc9422094a8912a
SHA512 9d364a40b65f19d3c5a8fc46a03de1077f8904958f4c768c826fde566fa0ed9db339096179b88c04cbea8a911840a068b0a64c6d1c9f5adfad83a78e92ecf346

C:\Windows\system\kZoTyza.exe

MD5 c997a2d8683c4e6afd5a63a7ae7bd891
SHA1 bb900cf7e1a79029df788192c0b4094bdef84473
SHA256 090e5e79fe6a25224fc4d3142a7c69511d3f30eeadaf6c555cfe1937892a7f7d
SHA512 080e9b268b8cef73938746039a89e3b47da829aa6df096483393f9b832728027a5c2e069ed996f46c3afac0fba52f50f7b5914b53d75f899dbab2cefefe18489

C:\Windows\system\ImsKJSY.exe

MD5 c46db5df5f99297f63b9c3fe4359adfd
SHA1 a937446301b8ccaac5eb6061923d825f08ec838e
SHA256 7c4e132c83210dc95cf146102c55b248e53ff5b9cd42cad865cfe99a5b44a90c
SHA512 0ec550631ba3d6d76a47698b499b177a07a14656b67594c2bc00a3431240645d21cd16e016be257bc105fd14943a2b80e7665d91ffe8eec2d5eff01b9f83c140

C:\Windows\system\ipIjVzM.exe

MD5 ecd57ab9d84362133616787614144a2a
SHA1 ec8d67d6915a29bd489a9e0cc690442d0855bb4f
SHA256 99c01af944fc1842dc3a035825ecf2ed973d1b80de83e399ebdb93dde2bad167
SHA512 03a066cb23901bf76748e38bd081255892b09db96c657b6dea442d1daa2c37e6ca10e85d262b89dbb122a670a96d059722326e718f868cf6d42e27781ee2e2ba

C:\Windows\system\BnxAhLr.exe

MD5 026c10d72a5f0fe1693d3c4c848536e0
SHA1 391a5f4990a41a27891e6fd26d53307e3535a3b3
SHA256 1a334aad4651e804df50102f2fb76c65f5bf4737bfa46c12b20066137b83ec19
SHA512 fb1fe26994e2b3f3e9abe3740e181539b1aae486fffe943a56a739bca669e0e52aa20c95fc696ae1b3d0a16fcd30ed8585f8873a06cda43caaeca28475b7b5a7

C:\Windows\system\afMkbfw.exe

MD5 ed81499a9d0635898b312c1e1f2ed6c5
SHA1 b826d06a405e2bbf94b70f487dc72cd0f5c278b5
SHA256 cbadf2656deebad55bc772a6c8c14344ac71338d99acc3d54de2f4fb61c43077
SHA512 8e8d78307b2e422117026a66842a03c5a146fd41246beb1fd7ff7d575928e717d4e31f1129f398baf5137cec562c325455801dcd40c128cd54dc445488ad5d25

C:\Windows\system\jvyRBac.exe

MD5 05b0278a51a3df0c9a2fddedecde88c8
SHA1 6172bb4c94737150f283824283d8c80df114cd7e
SHA256 3c5d17649aa4c52b2f1f2ac956dd3791149c2a4ce688e7f8643e5e0a4c23b8d6
SHA512 3497e96eb8b67b897507e7c86d096e3b20d4405f215a453c34e3a2d1f63b6af4cc81cb0d779aa5482a824e57a441cf4305ee511a6cb4653ad3121d4e817c85fe

C:\Windows\system\iklXESs.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 12:07

Reported

2024-08-13 12:10

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\AzuDSTT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\smxggpZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EBoIIuH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DEgUpWO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZMtHUYE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UzYfeFF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dIXtKFA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IkPiZud.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DPxXNdl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qhMeSFU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RQJaPLh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oSNEHRA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dtLkERB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zenMWHW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MRrdtGy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IMoApsH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YrrkfYu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RpCBlNz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YzSPMgT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RdXoUOB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fCevyBw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3392 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dtLkERB.exe
PID 3392 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dtLkERB.exe
PID 3392 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UzYfeFF.exe
PID 3392 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UzYfeFF.exe
PID 3392 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dIXtKFA.exe
PID 3392 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dIXtKFA.exe
PID 3392 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IkPiZud.exe
PID 3392 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IkPiZud.exe
PID 3392 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zenMWHW.exe
PID 3392 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zenMWHW.exe
PID 3392 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AzuDSTT.exe
PID 3392 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AzuDSTT.exe
PID 3392 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RdXoUOB.exe
PID 3392 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RdXoUOB.exe
PID 3392 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\smxggpZ.exe
PID 3392 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\smxggpZ.exe
PID 3392 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DPxXNdl.exe
PID 3392 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DPxXNdl.exe
PID 3392 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MRrdtGy.exe
PID 3392 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MRrdtGy.exe
PID 3392 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EBoIIuH.exe
PID 3392 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EBoIIuH.exe
PID 3392 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IMoApsH.exe
PID 3392 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IMoApsH.exe
PID 3392 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qhMeSFU.exe
PID 3392 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qhMeSFU.exe
PID 3392 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RQJaPLh.exe
PID 3392 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RQJaPLh.exe
PID 3392 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YrrkfYu.exe
PID 3392 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YrrkfYu.exe
PID 3392 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RpCBlNz.exe
PID 3392 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RpCBlNz.exe
PID 3392 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DEgUpWO.exe
PID 3392 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DEgUpWO.exe
PID 3392 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZMtHUYE.exe
PID 3392 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZMtHUYE.exe
PID 3392 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YzSPMgT.exe
PID 3392 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YzSPMgT.exe
PID 3392 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oSNEHRA.exe
PID 3392 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oSNEHRA.exe
PID 3392 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fCevyBw.exe
PID 3392 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fCevyBw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\dtLkERB.exe

C:\Windows\System\dtLkERB.exe

C:\Windows\System\UzYfeFF.exe

C:\Windows\System\UzYfeFF.exe

C:\Windows\System\dIXtKFA.exe

C:\Windows\System\dIXtKFA.exe

C:\Windows\System\IkPiZud.exe

C:\Windows\System\IkPiZud.exe

C:\Windows\System\zenMWHW.exe

C:\Windows\System\zenMWHW.exe

C:\Windows\System\AzuDSTT.exe

C:\Windows\System\AzuDSTT.exe

C:\Windows\System\RdXoUOB.exe

C:\Windows\System\RdXoUOB.exe

C:\Windows\System\smxggpZ.exe

C:\Windows\System\smxggpZ.exe

C:\Windows\System\DPxXNdl.exe

C:\Windows\System\DPxXNdl.exe

C:\Windows\System\MRrdtGy.exe

C:\Windows\System\MRrdtGy.exe

C:\Windows\System\EBoIIuH.exe

C:\Windows\System\EBoIIuH.exe

C:\Windows\System\IMoApsH.exe

C:\Windows\System\IMoApsH.exe

C:\Windows\System\qhMeSFU.exe

C:\Windows\System\qhMeSFU.exe

C:\Windows\System\RQJaPLh.exe

C:\Windows\System\RQJaPLh.exe

C:\Windows\System\YrrkfYu.exe

C:\Windows\System\YrrkfYu.exe

C:\Windows\System\RpCBlNz.exe

C:\Windows\System\RpCBlNz.exe

C:\Windows\System\DEgUpWO.exe

C:\Windows\System\DEgUpWO.exe

C:\Windows\System\ZMtHUYE.exe

C:\Windows\System\ZMtHUYE.exe

C:\Windows\System\YzSPMgT.exe

C:\Windows\System\YzSPMgT.exe

C:\Windows\System\oSNEHRA.exe

C:\Windows\System\oSNEHRA.exe

C:\Windows\System\fCevyBw.exe

C:\Windows\System\fCevyBw.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 19.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\dtLkERB.exe

C:\Windows\System\UzYfeFF.exe

C:\Windows\System\dIXtKFA.exe

C:\Windows\System\IkPiZud.exe

C:\Windows\System\zenMWHW.exe

C:\Windows\System\AzuDSTT.exe

C:\Windows\System\RdXoUOB.exe

C:\Windows\System\smxggpZ.exe

C:\Windows\System\MRrdtGy.exe

C:\Windows\System\IMoApsH.exe

C:\Windows\System\YrrkfYu.exe

C:\Windows\System\RQJaPLh.exe

C:\Windows\System\qhMeSFU.exe

C:\Windows\System\EBoIIuH.exe

C:\Windows\System\DPxXNdl.exe

C:\Windows\System\RpCBlNz.exe

C:\Windows\System\DEgUpWO.exe

C:\Windows\System\ZMtHUYE.exe

C:\Windows\System\fCevyBw.exe

C:\Windows\System\oSNEHRA.exe

C:\Windows\System\YzSPMgT.exe
