Malware Analysis Report

2025-03-15 08:02

Sample ID 240814-1cgegszhqp
Target 2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat
SHA256 0adc7117f2115f32df945e44ab2af9cabb5465db10904fd2fbe16ed472cbe7cb
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0adc7117f2115f32df945e44ab2af9cabb5465db10904fd2fbe16ed472cbe7cb

Threat Level: Known bad

The file 2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike family

Cobalt Strike reflective loader

Xmrig family

XMRig Miner payload

Cobaltstrike

xmrig

XMRig Miner payload

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-14 21:30

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 21:30

Reported

2024-08-14 21:32

Platform

win7-20240704-en

Max time kernel

144s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\VnTEbqX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IDWOwcS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SwHNJBq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dbFleBB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lGjHQAb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\caPpyTW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gRTkZrB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oRnyCGq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YPGlDfo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wjHvlHr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WySsnMs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\epWaAUx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DMrAExf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ydWkEYJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YGcRLqV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NhwjkSp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZczjrSH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jNVkzMQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TsBrmoW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YduWLHn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mUPDpND.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1612 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YPGlDfo.exe
PID 1612 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YPGlDfo.exe
PID 1612 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YPGlDfo.exe
PID 1612 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\caPpyTW.exe
PID 1612 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\caPpyTW.exe
PID 1612 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\caPpyTW.exe
PID 1612 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mUPDpND.exe
PID 1612 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mUPDpND.exe
PID 1612 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mUPDpND.exe
PID 1612 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NhwjkSp.exe
PID 1612 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NhwjkSp.exe
PID 1612 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NhwjkSp.exe
PID 1612 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VnTEbqX.exe
PID 1612 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VnTEbqX.exe
PID 1612 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VnTEbqX.exe
PID 1612 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IDWOwcS.exe
PID 1612 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IDWOwcS.exe
PID 1612 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IDWOwcS.exe
PID 1612 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SwHNJBq.exe
PID 1612 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SwHNJBq.exe
PID 1612 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SwHNJBq.exe
PID 1612 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gRTkZrB.exe
PID 1612 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gRTkZrB.exe
PID 1612 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gRTkZrB.exe
PID 1612 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oRnyCGq.exe
PID 1612 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oRnyCGq.exe
PID 1612 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oRnyCGq.exe
PID 1612 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dbFleBB.exe
PID 1612 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dbFleBB.exe
PID 1612 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dbFleBB.exe
PID 1612 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZczjrSH.exe
PID 1612 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZczjrSH.exe
PID 1612 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZczjrSH.exe
PID 1612 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jNVkzMQ.exe
PID 1612 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jNVkzMQ.exe
PID 1612 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jNVkzMQ.exe
PID 1612 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wjHvlHr.exe
PID 1612 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wjHvlHr.exe
PID 1612 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wjHvlHr.exe
PID 1612 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lGjHQAb.exe
PID 1612 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lGjHQAb.exe
PID 1612 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lGjHQAb.exe
PID 1612 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WySsnMs.exe
PID 1612 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WySsnMs.exe
PID 1612 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WySsnMs.exe
PID 1612 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\epWaAUx.exe
PID 1612 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\epWaAUx.exe
PID 1612 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\epWaAUx.exe
PID 1612 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DMrAExf.exe
PID 1612 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DMrAExf.exe
PID 1612 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DMrAExf.exe
PID 1612 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TsBrmoW.exe
PID 1612 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TsBrmoW.exe
PID 1612 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TsBrmoW.exe
PID 1612 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ydWkEYJ.exe
PID 1612 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ydWkEYJ.exe
PID 1612 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ydWkEYJ.exe
PID 1612 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YduWLHn.exe
PID 1612 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YduWLHn.exe
PID 1612 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YduWLHn.exe
PID 1612 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YGcRLqV.exe
PID 1612 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YGcRLqV.exe
PID 1612 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YGcRLqV.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\YPGlDfo.exe

C:\Windows\System\YPGlDfo.exe

C:\Windows\System\caPpyTW.exe

C:\Windows\System\caPpyTW.exe

C:\Windows\System\mUPDpND.exe

C:\Windows\System\mUPDpND.exe

C:\Windows\System\NhwjkSp.exe

C:\Windows\System\NhwjkSp.exe

C:\Windows\System\VnTEbqX.exe

C:\Windows\System\VnTEbqX.exe

C:\Windows\System\IDWOwcS.exe

C:\Windows\System\IDWOwcS.exe

C:\Windows\System\SwHNJBq.exe

C:\Windows\System\SwHNJBq.exe

C:\Windows\System\gRTkZrB.exe

C:\Windows\System\gRTkZrB.exe

C:\Windows\System\oRnyCGq.exe

C:\Windows\System\oRnyCGq.exe

C:\Windows\System\dbFleBB.exe

C:\Windows\System\dbFleBB.exe

C:\Windows\System\ZczjrSH.exe

C:\Windows\System\ZczjrSH.exe

C:\Windows\System\jNVkzMQ.exe

C:\Windows\System\jNVkzMQ.exe

C:\Windows\System\wjHvlHr.exe

C:\Windows\System\wjHvlHr.exe

C:\Windows\System\lGjHQAb.exe

C:\Windows\System\lGjHQAb.exe

C:\Windows\System\WySsnMs.exe

C:\Windows\System\WySsnMs.exe

C:\Windows\System\epWaAUx.exe

C:\Windows\System\epWaAUx.exe

C:\Windows\System\DMrAExf.exe

C:\Windows\System\DMrAExf.exe

C:\Windows\System\TsBrmoW.exe

C:\Windows\System\TsBrmoW.exe

C:\Windows\System\ydWkEYJ.exe

C:\Windows\System\ydWkEYJ.exe

C:\Windows\System\YduWLHn.exe

C:\Windows\System\YduWLHn.exe

C:\Windows\System\YGcRLqV.exe

C:\Windows\System\YGcRLqV.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1612-0-0x000000013FEE0000-0x0000000140231000-memory.dmp

memory/1612-1-0x00000000003F0000-0x0000000000400000-memory.dmp

C:\Windows\system\YPGlDfo.exe

MD5 232ea4320f2d81c658f49dd0578a7dda
SHA1 d17bc3f8abc5f3f060cc07b66c10d9496db25634
SHA256 cea2fb41ffb903560c41c1a98f9f7894dfd4512face628069d6fd650ed3d583b
SHA512 c2a4e0f465d7ad735acd5b6075ec4a8ff2590679009cb291377d4e3bec284f2302200bed1028ab726872b2cfac35316904866d89375fac33d12d422eb71d5d21

\Windows\system\caPpyTW.exe

MD5 edbd4494b6a166c05081d35e97d14c8d
SHA1 261c236c87f5974efe54da9ef7c107cab3deef18
SHA256 7817fa5908a527a2f4cfc4d00e1f99d3a0a5c9255e8759f432f95e6a8cde48d6
SHA512 99b0d79edf79fa3caa85adda52c4eea0ab92ea22c082c667a78fb43f9d911cf8da8ac0f2aa4fe52df358ed40b677cebab1aecef7139145b912d7a1f1c4929315

memory/1612-7-0x000000013F310000-0x000000013F661000-memory.dmp

memory/1300-13-0x000000013F310000-0x000000013F661000-memory.dmp

memory/1612-16-0x000000013FAF0000-0x000000013FE41000-memory.dmp

memory/2732-15-0x000000013FAF0000-0x000000013FE41000-memory.dmp

C:\Windows\system\mUPDpND.exe

MD5 712939be41421d90c20ea715d1c60306
SHA1 465dca9ada0f85c57e921c618a4225d3f9b7ee6c
SHA256 d2260a248cbcdbd56b87b7ec0660943ea638a716b9f3883137505fddb53a6457
SHA512 75f907092a30e2e35b07ca3a31b731cd218003442df477760dde9ae38c057f9d5b58f2b3b4f58eec7de52561f5b14ceaba6c73ea094953f8bcdfcab1658eb537

memory/1612-21-0x00000000023B0000-0x0000000002701000-memory.dmp

C:\Windows\system\NhwjkSp.exe

MD5 2d67423a6d4d307415fd82a8810a3768
SHA1 bb4f9bc55213accf1ba5f3d9cda32e512f8c7105
SHA256 66ffcfd638d97d7d6757e1a44fdb01ee2f81d5f33e3cf531170cd23588dfc93b
SHA512 852254244a84cb5cbd2ea928a42b0f86a5b72a525782176ddcc0a0d9dd17b88e3788c5bade8ad1a341cde24519da9038e2f10f3902971ad0a8d6459ffad5116d

memory/1612-35-0x000000013F730000-0x000000013FA81000-memory.dmp

memory/3008-36-0x000000013F730000-0x000000013FA81000-memory.dmp

C:\Windows\system\IDWOwcS.exe

MD5 7e59f39a52142fb43dbf1d0c5db2fffd
SHA1 7c8c2a0290a82854c26b4e89dcef09855404ec24
SHA256 c38c220e2900b0349332ca3d5ae47105813fd473651aa64b00c77cf7dbd185d4
SHA512 d2a2a854ad30d194972452305b6512356c2c7a29d3c4ede2d897ebc46e77ec28a2b2b08a2d6c6075ff4dc537f13e104f0f32b4479c64122e5311252d4c399bd7

C:\Windows\system\gRTkZrB.exe

MD5 4c27fbf858cf52fd277b68ebd7c16a1c
SHA1 608d213589be2534411a503616ea444fe9ff1c39
SHA256 e4b64b0d36aad1fb03fea6a5260fa8b8fe5ea6f7589591589eaecd0d56996489
SHA512 8cae95b6161517ab711ea041b79239c362b006b09722c1a03f6d0f2cc32a5fbdf5144c66ad2e67e793bd2fc48aa72d2b51fc3cea7883aa86a3d34aedb0e2ac3e

C:\Windows\system\dbFleBB.exe

MD5 dcb48f57976fb27c8c76f2289c20253b
SHA1 575f83b2129dc2bb3ba389b38e788006a0ce816f
SHA256 3cb1115d9ef1e0b915ccd247f37603de19b8b873fd42d00baca17869ef5954f2
SHA512 b7267c4c3fd210c1639c12daab632e71f7e0894156ad30cf772abf411112c16fbb47e984228be77a7152cb18a65869cebd621fa2ffd59568212e25929d6cfce7

memory/1612-91-0x000000013F490000-0x000000013F7E1000-memory.dmp

\Windows\system\jNVkzMQ.exe

MD5 3f8b7506ef17721771c4e5245b03f47e
SHA1 829e39b18b4fe5b774c44c0a0b43d95bc0a8234a
SHA256 b3ff9afdc937c56e74706dd3f57d8d6e74ddbbedfee40422a07676748d9e22ac
SHA512 64a96fff291698315ae9922f0c97b9c97ca22c8ba81b520d50255f48e70144a7d16cdabe0dfb0d7d891b89d1d162abb749b4d49ec32ea5179b6a47936e76b1ee

C:\Windows\system\WySsnMs.exe

MD5 bf3a38b556261030fc31ca16f7807740
SHA1 9e27cdfa3e0c688f3a2b660af86d53f7c954389f
SHA256 95ea74aac4d8f19b47b6af2f8362f7369924b8e4e35c5b9b5343f717f61365a0
SHA512 350585996210fcf8406126d119e0b5dfdcc945ea0d8a96dfba2cf46cb8cf5c63864f61a4b365e2253a493f3bbacfcb04bfb139f61d5350581884143992bb5f7a

memory/1612-104-0x000000013FB70000-0x000000013FEC1000-memory.dmp

memory/1612-99-0x000000013F210000-0x000000013F561000-memory.dmp

memory/2112-98-0x000000013F210000-0x000000013F561000-memory.dmp

memory/2412-97-0x000000013F490000-0x000000013F7E1000-memory.dmp

memory/2432-96-0x000000013F8B0000-0x000000013FC01000-memory.dmp

C:\Windows\system\lGjHQAb.exe

MD5 ac047b865702a27e32ba89a31c7f082f
SHA1 481b3c36428e7d1ea36fe6f290a95963799a48fe
SHA256 d92fd77f31bf6af79528c05f372d25d409d999dea89b6f7a681c12dafd3195e8
SHA512 84a550f5da521c2c7e8b45ce632885e886ae1804efd12ce88a6683ca9a6ef9f72b756d741bfaf96542d7bd9c5b3a7440090cbe494657e90215202d8127363af7

memory/1612-90-0x000000013F8B0000-0x000000013FC01000-memory.dmp

\Windows\system\epWaAUx.exe

MD5 50e8fc2a21de8fc41f334e0542c00d70
SHA1 080cb620d207cc0c51933343655513c6e8f4f19a
SHA256 d329893fd3fae8a80dead6fdcc9302277004c5b3f7bfa78e4c08280562550da8
SHA512 eb3fba5afb85380371ddfbe5fa3508ff4211bfd54d7fbf2e1285a5442d5db230bd352cbb47c437048b7d88c0d845594987bac1c0522914870d5aad58bb252a0c

memory/2700-88-0x000000013F900000-0x000000013FC51000-memory.dmp

C:\Windows\system\wjHvlHr.exe

MD5 b08cd0f93761f2742eccd3601759e3a2
SHA1 d7b3d5bf140a232737fc1526a0a54aa341f801c4
SHA256 565e7961d3dbd2f5ef9a7aa21da64ebec62deb029e859a22c043983c541ff1ae
SHA512 c37aac02e1f90f872198c114ffd8bdc2d46f145810ff4d68ba73a0607df233583d7dafd459197a2a1de1d6eddab7b852f48d2be51456b8550c48bbab09b58822

memory/2880-118-0x000000013FAB0000-0x000000013FE01000-memory.dmp

C:\Windows\system\TsBrmoW.exe

MD5 bdb642d6d0e709d1deef11f20b3c27d1
SHA1 3b9a5a4f3e617832cfe63acdd6a2a9e37cb6a799
SHA256 6b888d29589988a583efa123c685280c498e2bdba2667bfce8a526122d00c494
SHA512 17ed5f51512e7f85ee81ba87ff6d00875febfb63845697d50b924e3301434a7a20da59f8c1cc14d8f204255edd45a62cf358cd54058a02d1118a0e0904711abd

C:\Windows\system\ydWkEYJ.exe

MD5 609b8a5e5ae4ad32e79f3dbae881f794
SHA1 130e96de86d6d2632ff9302d5c6240fd7c45bec5
SHA256 42b7a4bbfa0ddeadb3eb9186f4e3567490dbc7c26803ebb800a3fd6c58bcc98b
SHA512 1d9b692c5858892247e606e37f08eb24a7ab40cde3956b0b4d514fc9065a91eb7f65be9bb525af7388ed848a9dff3bab1b1961f12216e7724c8ec6836e4178b1

C:\Windows\system\YGcRLqV.exe

MD5 996c9b41b829a37744a13174a5743596
SHA1 4e6c4088e2bb098346fd5ec76cc7f2f5ee19a170
SHA256 a49685664c96f12a3ed09e015f8c1195a3a338cd3187f3f4cf49e602cf400322

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 21:30

Reported

2024-08-14 21:32

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\JLKdRTp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mgojWoo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vITKEXM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VJiWsku.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LcfYgCA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GKigUoY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IAecJVM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NvWXGFj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NMUuMfE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FusaauG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HrWpwrh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fhSZPqD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FEWJGIU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RAwdVxY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OvXjdPI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VmdFlFw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xirjJCy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XahukFI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mLlRibA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JlMsOKj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\knZtTmh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1512 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VmdFlFw.exe
PID 1512 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VmdFlFw.exe
PID 1512 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HrWpwrh.exe
PID 1512 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HrWpwrh.exe
PID 1512 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LcfYgCA.exe
PID 1512 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LcfYgCA.exe
PID 1512 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fhSZPqD.exe
PID 1512 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fhSZPqD.exe
PID 1512 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FEWJGIU.exe
PID 1512 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FEWJGIU.exe
PID 1512 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FusaauG.exe
PID 1512 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FusaauG.exe
PID 1512 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JLKdRTp.exe
PID 1512 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JLKdRTp.exe
PID 1512 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GKigUoY.exe
PID 1512 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GKigUoY.exe
PID 1512 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mgojWoo.exe
PID 1512 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mgojWoo.exe
PID 1512 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RAwdVxY.exe
PID 1512 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RAwdVxY.exe
PID 1512 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vITKEXM.exe
PID 1512 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vITKEXM.exe
PID 1512 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\knZtTmh.exe
PID 1512 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\knZtTmh.exe
PID 1512 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xirjJCy.exe
PID 1512 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xirjJCy.exe
PID 1512 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IAecJVM.exe
PID 1512 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IAecJVM.exe
PID 1512 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XahukFI.exe
PID 1512 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XahukFI.exe
PID 1512 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VJiWsku.exe
PID 1512 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VJiWsku.exe
PID 1512 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mLlRibA.exe
PID 1512 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mLlRibA.exe
PID 1512 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OvXjdPI.exe
PID 1512 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OvXjdPI.exe
PID 1512 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NvWXGFj.exe
PID 1512 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NvWXGFj.exe
PID 1512 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JlMsOKj.exe
PID 1512 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JlMsOKj.exe
PID 1512 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NMUuMfE.exe
PID 1512 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NMUuMfE.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\VmdFlFw.exe

C:\Windows\System\VmdFlFw.exe

C:\Windows\System\HrWpwrh.exe

C:\Windows\System\HrWpwrh.exe

C:\Windows\System\LcfYgCA.exe

C:\Windows\System\LcfYgCA.exe

C:\Windows\System\fhSZPqD.exe

C:\Windows\System\fhSZPqD.exe

C:\Windows\System\FEWJGIU.exe

C:\Windows\System\FEWJGIU.exe

C:\Windows\System\FusaauG.exe

C:\Windows\System\FusaauG.exe

C:\Windows\System\JLKdRTp.exe

C:\Windows\System\JLKdRTp.exe

C:\Windows\System\GKigUoY.exe

C:\Windows\System\GKigUoY.exe

C:\Windows\System\mgojWoo.exe

C:\Windows\System\mgojWoo.exe

C:\Windows\System\RAwdVxY.exe

C:\Windows\System\RAwdVxY.exe

C:\Windows\System\vITKEXM.exe

C:\Windows\System\vITKEXM.exe

C:\Windows\System\knZtTmh.exe

C:\Windows\System\knZtTmh.exe

C:\Windows\System\xirjJCy.exe

C:\Windows\System\xirjJCy.exe

C:\Windows\System\IAecJVM.exe

C:\Windows\System\IAecJVM.exe

C:\Windows\System\XahukFI.exe

C:\Windows\System\XahukFI.exe

C:\Windows\System\VJiWsku.exe

C:\Windows\System\VJiWsku.exe

C:\Windows\System\mLlRibA.exe

C:\Windows\System\mLlRibA.exe

C:\Windows\System\OvXjdPI.exe

C:\Windows\System\OvXjdPI.exe

C:\Windows\System\NvWXGFj.exe

C:\Windows\System\NvWXGFj.exe

C:\Windows\System\JlMsOKj.exe

C:\Windows\System\JlMsOKj.exe

C:\Windows\System\NMUuMfE.exe

C:\Windows\System\NMUuMfE.exe

Network


Files
