Malware Analysis Report

2025-03-15 08:06

Sample ID 240814-sweq1azcph
Target 2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat
SHA256 3f46d690b502b2d9722d1cef7d0f0e4e6ecace8fc7e113892281dec598e9f04e
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

3f46d690b502b2d9722d1cef7d0f0e4e6ecace8fc7e113892281dec598e9f04e

Threat Level: Known bad

The file 2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

xmrig

Cobaltstrike

Cobalt Strike reflective loader

Cobaltstrike family

XMRig Miner payload

Xmrig family

XMRig Miner payload

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-14 15:28

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 15:28

Reported

2024-08-14 15:30

Platform

win7-20240705-en

Max time kernel

140s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\wiOLEQJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IyKdaNy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mHZPSqY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SKKaqjC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oopaTKQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KKrmbvw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JIAsgLe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eOMAdvi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SrpikmA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dwsYmqU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xuNIhCJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CGbJlbS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UKbJXOU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\USifVwp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PlEPIkf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vEqPpCa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VuTTDSn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fKaneGh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MmhJOxc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GZjCRMR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LkfpfcO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2164 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oopaTKQ.exe
PID 2164 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oopaTKQ.exe
PID 2164 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oopaTKQ.exe
PID 2164 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KKrmbvw.exe
PID 2164 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KKrmbvw.exe
PID 2164 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KKrmbvw.exe
PID 2164 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MmhJOxc.exe
PID 2164 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MmhJOxc.exe
PID 2164 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MmhJOxc.exe
PID 2164 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GZjCRMR.exe
PID 2164 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GZjCRMR.exe
PID 2164 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GZjCRMR.exe
PID 2164 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JIAsgLe.exe
PID 2164 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JIAsgLe.exe
PID 2164 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JIAsgLe.exe
PID 2164 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wiOLEQJ.exe
PID 2164 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wiOLEQJ.exe
PID 2164 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wiOLEQJ.exe
PID 2164 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dwsYmqU.exe
PID 2164 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dwsYmqU.exe
PID 2164 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dwsYmqU.exe
PID 2164 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\USifVwp.exe
PID 2164 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\USifVwp.exe
PID 2164 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\USifVwp.exe
PID 2164 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PlEPIkf.exe
PID 2164 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PlEPIkf.exe
PID 2164 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PlEPIkf.exe
PID 2164 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xuNIhCJ.exe
PID 2164 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xuNIhCJ.exe
PID 2164 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xuNIhCJ.exe
PID 2164 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IyKdaNy.exe
PID 2164 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IyKdaNy.exe
PID 2164 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IyKdaNy.exe
PID 2164 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vEqPpCa.exe
PID 2164 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vEqPpCa.exe
PID 2164 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vEqPpCa.exe
PID 2164 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LkfpfcO.exe
PID 2164 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LkfpfcO.exe
PID 2164 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LkfpfcO.exe
PID 2164 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VuTTDSn.exe
PID 2164 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VuTTDSn.exe
PID 2164 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VuTTDSn.exe
PID 2164 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CGbJlbS.exe
PID 2164 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CGbJlbS.exe
PID 2164 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CGbJlbS.exe
PID 2164 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eOMAdvi.exe
PID 2164 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eOMAdvi.exe
PID 2164 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eOMAdvi.exe
PID 2164 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mHZPSqY.exe
PID 2164 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mHZPSqY.exe
PID 2164 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mHZPSqY.exe
PID 2164 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SrpikmA.exe
PID 2164 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SrpikmA.exe
PID 2164 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SrpikmA.exe
PID 2164 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UKbJXOU.exe
PID 2164 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UKbJXOU.exe
PID 2164 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UKbJXOU.exe
PID 2164 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fKaneGh.exe
PID 2164 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fKaneGh.exe
PID 2164 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fKaneGh.exe
PID 2164 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SKKaqjC.exe
PID 2164 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SKKaqjC.exe
PID 2164 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SKKaqjC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\oopaTKQ.exe

C:\Windows\System\oopaTKQ.exe

C:\Windows\System\KKrmbvw.exe

C:\Windows\System\KKrmbvw.exe

C:\Windows\System\MmhJOxc.exe

C:\Windows\System\MmhJOxc.exe

C:\Windows\System\GZjCRMR.exe

C:\Windows\System\GZjCRMR.exe

C:\Windows\System\JIAsgLe.exe

C:\Windows\System\JIAsgLe.exe

C:\Windows\System\wiOLEQJ.exe

C:\Windows\System\wiOLEQJ.exe

C:\Windows\System\dwsYmqU.exe

C:\Windows\System\dwsYmqU.exe

C:\Windows\System\USifVwp.exe

C:\Windows\System\USifVwp.exe

C:\Windows\System\PlEPIkf.exe

C:\Windows\System\PlEPIkf.exe

C:\Windows\System\xuNIhCJ.exe

C:\Windows\System\xuNIhCJ.exe

C:\Windows\System\IyKdaNy.exe

C:\Windows\System\IyKdaNy.exe

C:\Windows\System\vEqPpCa.exe

C:\Windows\System\vEqPpCa.exe

C:\Windows\System\LkfpfcO.exe

C:\Windows\System\LkfpfcO.exe

C:\Windows\System\VuTTDSn.exe

C:\Windows\System\VuTTDSn.exe

C:\Windows\System\CGbJlbS.exe

C:\Windows\System\CGbJlbS.exe

C:\Windows\System\eOMAdvi.exe

C:\Windows\System\eOMAdvi.exe

C:\Windows\System\mHZPSqY.exe

C:\Windows\System\mHZPSqY.exe

C:\Windows\System\SrpikmA.exe

C:\Windows\System\SrpikmA.exe

C:\Windows\System\UKbJXOU.exe

C:\Windows\System\UKbJXOU.exe

C:\Windows\System\fKaneGh.exe

C:\Windows\System\fKaneGh.exe

C:\Windows\System\SKKaqjC.exe

C:\Windows\System\SKKaqjC.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2164-0-0x000000013FCF0000-0x0000000140044000-memory.dmp

memory/2164-1-0x0000000000580000-0x0000000000590000-memory.dmp

\Windows\system\oopaTKQ.exe

MD5 46bebd3a20d86c932a68c7dd02f4a05e
SHA1 f1ccef195dd9235f21c9351514ba5cc9d67103e2
SHA256 0300ecbf42418e5e9ac9fa4dfdf819b95f9e35ba0832d693a849dc3fd73f491d
SHA512 31ff9246ba8b585e488bda4c633804b483bd6308a6671ea9be66ddad79149d1551c553f9de493594c700f0cb1740d785ff13799ca999f15f1f1a4f68751055ff

\Windows\system\KKrmbvw.exe

MD5 40c735640a0b1b9f7f4f02d93a7c75d4
SHA1 49de0cf1ff4208738fd6fbd1de0e505de2b99211
SHA256 6898877353cdb7ad79b8c1029d324ab1e5cd2639d1a3b2f0bb25426f95574fdf
SHA512 f82cc6fa0deb46837311bc0f33214af88c359719ea192f1424a037099d602bf3df75c34333011554f48fc4f4ab3445da6aa78fd0cd9c15aad7989aa70ff78cb6

memory/2164-10-0x000000013F120000-0x000000013F474000-memory.dmp

C:\Windows\system\GZjCRMR.exe

MD5 b77aa891097823c45ef236141e9fb5a9
SHA1 521fb028013978fdc4824421f253dd3b79f4dabe
SHA256 24a18c9124fc9e10ba4ce259033736b04f1c62402e585c79da739b1a3ef5ab11
SHA512 af9b58cf135e935bb623416e4ed6070eaacd727ffcbcfcbee648a29f296d38d2ca80356374684a1f9b4550e47120d46ea32cb3d49aa055682cad8a654546f76a

\Windows\system\wiOLEQJ.exe

MD5 c9c60dcd680f96752532ab66d97eb6da
SHA1 3487f337312a9d8930274bfc39f23f153690c611
SHA256 6aa7183cbfd58d8ef2db36afac2014965bde88c777d3baf68447eff7b35d948d
SHA512 3e4ae9c7bf015ee5de5fe356ef04338cf4195caa686c381f705d0860f5fbae8ac70b2c7851db4c255b57e295ed5e851db483d5366312f8dc8bb33d60bdaea0ba

C:\Windows\system\JIAsgLe.exe

MD5 5ac93ce2ef2402924498bc12071fca87
SHA1 b4080a01be47697fa6a397f2f6dd3463532801df
SHA256 c597d355c547031dfd9dcccb53c22c7658206692ef752b57e31768c540b74d8c
SHA512 626630379b8236ab39d7830f968841e407ff4e6a0295ba57472030613ad9136910df36fcdc90fa54d0e4f0121d5b8a7e99970d7ac7e41896f83c7d5539170154

memory/2656-40-0x000000013FC20000-0x000000013FF74000-memory.dmp

memory/2164-39-0x0000000002320000-0x0000000002674000-memory.dmp

memory/2812-38-0x000000013FAC0000-0x000000013FE14000-memory.dmp

C:\Windows\system\dwsYmqU.exe

MD5 83da9030535ff0813dbf24e629c2b2a4
SHA1 54ad7c05d231cdcfe69ffd7ef7cb6f5370d827a9
SHA256 64c8426caf71ba8d4a73833983eb51c0b6cdf5f1e8aeadd29f9ae315585a3cfd
SHA512 35899bcec6040ea9b49c9736427ff629689e824e203f12966fecfc97a1364aee7bf6e2e7de5ba1418a7bee44a20b8ba1ca981d99a2ebe3ffcf276492a83e7e98

memory/2164-49-0x000000013FCF0000-0x0000000140044000-memory.dmp

memory/2164-105-0x0000000002320000-0x0000000002674000-memory.dmp

C:\Windows\system\IyKdaNy.exe

MD5 936c80a3d8be912601420e9bd5ef69c9
SHA1 1da14df15477ecb1854fd5bf3f08a104f56ed195
SHA256 068c891b586751cb7e633af8891c72255e1ca0218296e34c1a82aadfa17bd278
SHA512 3700cad49067f945c674936f273cfa7199a9df3da02e6aa058e8443dcf8e3b5b88f8beecc1ba21e7241d9bd9d853fbb97b07845c30791e05b116e2679fd94fbc

C:\Windows\system\SKKaqjC.exe

MD5 2ce6740f45fe67cd560bfdfdab891aef
SHA1 1da880e49b2249a6ca9dae4ef2a9c291624cbab4
SHA256 c258c17ef703eb412db7f33c677eb378fb7e601a8adfac7533ed4d333605dc95
SHA512 82506848e6d85a1d61e5bfec50ec1699247a7bd0b1e1b0ea167e1ded7a2f24826ca70079138903ed581b6dd23b9f801b7e68291f2cd79860b3ac6da377b29f0b

memory/2164-97-0x0000000002320000-0x0000000002674000-memory.dmp

memory/2164-96-0x000000013F210000-0x000000013F564000-memory.dmp

memory/2164-95-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

\Windows\system\UKbJXOU.exe

MD5 939d5ef6851b2bbeb00e60dd0a9443c9
SHA1 67470ec01324d3cc6a83130e8cdf4c936bfcac07
SHA256 4cc3b225c79ab8b583fd6e5eff68d26c162291c0ca620fb0560424e79db6c4a3
SHA512 0f957ddce24f8080d67d655414bad81b2188cbb46110f20c57a4f8df2fa62d5ad144b72dd71c4302c71e640f5815f26f896462a9bf6c500ccb4d58a09671434a

\Windows\system\mHZPSqY.exe

MD5 e7eb35b0c49ca9e17adb07b55305a64a
SHA1 92c52832f084d1fb78dc69bf09f9d3e88519a28d
SHA256 e48480b2d19205baefe11cc86932f2e303ccf6a081ec34e50d775b66326bd3ad
SHA512 5e9cc3b974937888d7936087a8d3f1a1c98367c6ebe3b3649b74882ca3064b917f4d2de3804afde451c168015b675c44fa62b000897ee1478c140198e237b3e7

\Windows\system\CGbJlbS.exe

MD5 1cd66e1be22bbc98c81ea4835872f0cd
SHA1 455bb5e1a4ef64bd3b4654b46ebe05b053d0a926
SHA256 67e98cd33eab8a35d3e07114dc684309a4706597e9928767147c783198d6c133
SHA512 2e384602124de2dfa9833569915783e41b2b8360adb00a36be45e4fec3d58b09cca7b8a37e4ec9690eb5e970a666fc01d1ad6e991e827cfeb7518eabb52aae12

\Windows\system\LkfpfcO.exe

MD5 6006ce7d8f3ab8beb36b67b586566410
SHA1 44d450df614ffdcec8d28e6284e5baeb116df985
SHA256 8536cb3719ba264a38ad14c928884d2747eb503c41e63924225db5ff0137bce2
SHA512 7067de905fd3ee97dd108d83f1b096151eb1329f483512e4ea3cc18f6924362bc9b4c26465ed8890b30ddef88e8944e4755f1ad97ca0e7251bb9d26f5423cdf5

memory/2164-53-0x000000013F090000-0x000000013F3E4000-memory.dmp

\Windows\system\PlEPIkf.exe

MD5 72365b896d9180c758473139a06ce888
SHA1 4e28593c1452f17b38f46e2b850a43ec8a0fc968
SHA256 3a0ea68371860bd049810bd39a085186c23aa48e82823fd43fb9ad10365879c1
SHA512 e1b982fe495b87f21433938f3092c754f29406376f7ae590e6fec8a80dd3f0cc0a04547f4152ce7ef5dfdeb764eff251dc9fc62968c25970919ef23755071743

memory/2364-119-0x000000013F8F0000-0x000000013FC44000-memory.dmp

memory/2552-118-0x000000013F090000-0x000000013F3E4000-memory.dmp

memory/2164-117-0x000000013F760000-0x000000013FAB4000-memory.dmp

memory/2164-116-0x000000013F460000-0x000000013F7B4000-memory.dmp

memory/1860-127-0x000000013F120000-0x000000013F474000-memory.dmp

memory/1500-108-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/2164-106-0x000000013F6B0000-0x000000013FA04000-memory.dmp

C:\Windows\system\fKaneGh.exe

MD5 1619e4efcfeb177932e12a4441a29509
SHA1 a549d045cb87f35aac7906926a77d03d6ea393d1
SHA256 9060d435bb65793012bfb9989ad3424551b8d19daf26b46be291e6f7d59fc2c6
SHA512 71d858bde3a5b022e58f287f771d2465db25a59deb4f6987b819f02b53d72ff04ab2e6f737f5c66ae17b3b58cfc70fdc2c753e77dac062e3b5ce08415e208afc

C:\Windows\system\SrpikmA.exe

MD5 25858a3d68ca7870bae674cf3242b5cc
SHA1 91abbafc550600fd23cf5a6f52f6c06675180a37
SHA256 124c1ae6d9a8b9e9753c4860e3b8ba3f350dc9dd1e1ac1bf9fa45c936b10e1c6
SHA512 68202659e45fecc0fd985825e65a421efce444ac21cf88093d939ffa104109223143a1b5ce65090aa108f65a35b97fa98c992858a9665aeca1bef615ddf30b0f

C:\Windows\system\eOMAdvi.exe

MD5 46d2cbad4b8f9c1a0646c345e18eb2bb
SHA1 8b4eb599539bac72b1b67f33fa0ceec90937cd6d
SHA256 ee9c86cf691da7a06c88328c36ed13aae2f824859e124ff7c0620bb77d41c167
SHA512 69d6e878bd1e3040e4c378d431ed6a0a6131f6ecee3777b8ca8331dd21aff7826774655fea26d47611c526f470b18c3a02831cd2b6133d9c17d535bb0567ff67

C:\Windows\system\VuTTDSn.exe

MD5 d5e5d275274011b89ffa5d17c48139b1
SHA1 c37fa58fa046a00f09fd3b971ada7f3eea736ede
SHA256 5feeab88c1c684d4c4ab2e1bf02b4d125c5d3b7e0599f985b6312c802a5d20d7
SHA512 2e981e4bf9dec11446136f0b6ce5b03276ed49461e45c29a0f50e47cdbe8b5d93059d4ca4d505d58768e9f95c9395f3b7c87dbcb4945a280cbc23f1f4910bc31

C:\Windows\system\vEqPpCa.exe

MD5 4552f0230a9d2de971cf0929890d6657
SHA1 f6f53fc87642fbe5ae5b92b2b6506fa7ac044f87
SHA256 a4536cabf3d3c7788e0adb7f9374c0da01853c7e8ec47277285125b006881b9c
SHA512 62fe2d09021347e8847c5a94a87dc7690522321c94cf6ff7eaeb7433d89fdfb3d586dfa4dd3149b0ce0d4e07dad679e4ee480dd5895370727768cd33df4037ce

C:\Windows\system\xuNIhCJ.exe

MD5 4ec48494b63fea156f91b8e8a73cc89e
SHA1 72004315c0e91d6bf4e8f911983f943680e977fc
SHA256 6b18ad2c8b59028f1e8daeab51214abad70aeb29a2b94f55da3df58953728c57
SHA512 40ddd47b1d57de91041bcc068b0db75df76114acd8ae50534b2e597bf06495214f9d7aa3a3b0a82506d3e1784d3086b3460f3a94ded1e3a25ccdbf8eab33a3cc

C:\Windows\system\USifVwp.exe

MD5 929207d49a42108de26ae05992ecf8bb
SHA1 fc5015e2e9cec86cf10df72f48a960645adef859
SHA256 b93bcbae9be8501bd811e8a0609d87074a77e3a3d911b23cf54368b12007e1ed
SHA512 5d09b772ab0df08382bccdee815272245442edab40645ba53a33e4050ba212ca9a2b4a0a8464f56b16bfbdebb67275483330bed3af1b07b20397522fa649949a

memory/2164-92-0x000000013F980000-0x000000013FCD4000-memory.dmp

memory/2164-84-0x000000013F820000-0x000000013FB74000-memory.dmp

memory/2164-75-0x000000013F660000-0x000000013F9B4000-memory.dmp

memory/2164-69-0x000000013F880000-0x000000013FBD4000-memory.dmp

memory/2792-45-0x000000013F300000-0x000000013F654000-memory.dmp

memory/2164-128-0x0000000002320000-0x0000000002674000-memory.dmp

memory/2164-6-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/1860-27-0x000000013F120000-0x000000013F474000-memory.dmp

memory/2364-26-0x000000013F8F0000-0x000000013FC44000-memory.dmp

memory/2164-25-0x000000013F8F0000-0x000000013FC44000-memory.dmp

memory/1344-24-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/1500-23-0x000000013F050000-0x000000013F3A4000-memory.dmp

C:\Windows\system\MmhJOxc.exe

MD5 4eec8afae8bcee2246b2f7f49d10602d
SHA1 421475a60f0dd6d772b7918194951e53d57e6020
SHA256 2595e082d1ce5e90462eb97bfc3ae53c85b9a595515c7d1969cecb50020c60b2
SHA512 df6d406fac5fcf013f83008e02254bbd3790775111062324ddcf1e17f78aa76daa2f026bc272082b6663af342b11e86edefc0d8788df5fa7423c9beb1b4242f6

memory/2656-130-0x000000013FC20000-0x000000013FF74000-memory.dmp

memory/2812-129-0x000000013FAC0000-0x000000013FE14000-memory.dmp

memory/2792-138-0x000000013F300000-0x000000013F654000-memory.dmp

memory/2164-139-0x000000013F090000-0x000000013F3E4000-memory.dmp

memory/2164-140-0x000000013F980000-0x000000013FCD4000-memory.dmp

memory/2164-141-0x000000013F460000-0x000000013F7B4000-memory.dmp

memory/1500-143-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/1344-142-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/2364-144-0x000000013F8F0000-0x000000013FC44000-memory.dmp

memory/1860-145-0x000000013F120000-0x000000013F474000-memory.dmp

memory/2812-146-0x000000013FAC0000-0x000000013FE14000-memory.dmp

memory/2792-147-0x000000013F300000-0x000000013F654000-memory.dmp

memory/2552-149-0x000000013F090000-0x000000013F3E4000-memory.dmp

memory/2656-148-0x000000013FC20000-0x000000013FF74000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 15:28

Reported

2024-08-14 15:30

Platform

win10v2004-20240802-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 hits, every field reported as N/A (one row per hit in the sandbox output; no description, indicator, process or target was recorded for any of them)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
64 hits, every field reported as N/A (the sandbox recorded no description, indicator, process or target for any of them)

UPX packed file

upx
Description Indicator Process Target
64 hits, every field reported as N/A (the sandbox recorded no description, indicator, process or target for any of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\uBmtEEB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WWjTwSi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pKmiXSU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dDnZrKP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BWWbIvo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yZcjMzK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hxaMFFk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JJXmggp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QBLUTnt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zKpEkwe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wJhIzNn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OZzfzPw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wKnkONf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LyvuVTj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UkrpBkM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rbeufGi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NoMXPJo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nwinJSz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aMedXUP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TJkqRhj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JfpvXGq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3804 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uBmtEEB.exe
PID 3804 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uBmtEEB.exe
PID 3804 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rbeufGi.exe
PID 3804 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rbeufGi.exe
PID 3804 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WWjTwSi.exe
PID 3804 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WWjTwSi.exe
PID 3804 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OZzfzPw.exe
PID 3804 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OZzfzPw.exe
PID 3804 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pKmiXSU.exe
PID 3804 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pKmiXSU.exe
PID 3804 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JJXmggp.exe
PID 3804 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JJXmggp.exe
PID 3804 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wKnkONf.exe
PID 3804 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wKnkONf.exe
PID 3804 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NoMXPJo.exe
PID 3804 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NoMXPJo.exe
PID 3804 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LyvuVTj.exe
PID 3804 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LyvuVTj.exe
PID 3804 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dDnZrKP.exe
PID 3804 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dDnZrKP.exe
PID 3804 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BWWbIvo.exe
PID 3804 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BWWbIvo.exe
PID 3804 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nwinJSz.exe
PID 3804 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nwinJSz.exe
PID 3804 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QBLUTnt.exe
PID 3804 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QBLUTnt.exe
PID 3804 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aMedXUP.exe
PID 3804 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aMedXUP.exe
PID 3804 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zKpEkwe.exe
PID 3804 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zKpEkwe.exe
PID 3804 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wJhIzNn.exe
PID 3804 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wJhIzNn.exe
PID 3804 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TJkqRhj.exe
PID 3804 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TJkqRhj.exe
PID 3804 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UkrpBkM.exe
PID 3804 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UkrpBkM.exe
PID 3804 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yZcjMzK.exe
PID 3804 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yZcjMzK.exe
PID 3804 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JfpvXGq.exe
PID 3804 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JfpvXGq.exe
PID 3804 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hxaMFFk.exe
PID 3804 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hxaMFFk.exe
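Read together, the two tables above describe one drop-and-spawn loop: the parent (PID 3804, running from the user's Temp directory) creates 21 executables with seven-letter alphabetic names directly under C:\Windows\System (not System32), then writes into the memory of a freshly started process for each of them. Each child PID appears twice because the sandbox logged two writes into it. That loop is the behaviour to key a detection on, since the file names and hashes change per run. As an added example, not part of this report or of the sandbox vendor's tooling, the Python below correlates rows in exactly the layout of these two tables, flags a process that drops several such files and then writes into processes running them, and ignores an ordinary installer writing a log. The rows are a constructed excerpt (three of the 21 drops, parent path shortened to sample.exe, one benign msiexec row added); the seven-letter-name rule and the min_drops threshold are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed rows in the shape of the report's "Drops file in Windows directory" and
# "Suspicious use of WriteProcessMemory" tables. The parent path is shortened to
# sample.exe; the msiexec row is added so the rule has something to leave alone.
SIGNATURE_ROWS = """\
File created C:\\Windows\\System\\uBmtEEB.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe N/A
File created C:\\Windows\\System\\rbeufGi.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe N/A
File created C:\\Windows\\System\\WWjTwSi.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe N/A
File created C:\\Windows\\Temp\\install.log C:\\Windows\\System32\\msiexec.exe N/A
PID 3804 wrote to memory of 3028 N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe C:\\Windows\\System\\uBmtEEB.exe
PID 3804 wrote to memory of 3028 N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe C:\\Windows\\System\\uBmtEEB.exe
PID 3804 wrote to memory of 4624 N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe C:\\Windows\\System\\rbeufGi.exe
PID 3804 wrote to memory of 1136 N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe C:\\Windows\\System\\WWjTwSi.exe
"""

FILE_RE = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+) (?P<target>\S+)$")
WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ (?P<proc>\S+) (?P<target>\S+)$"
)
# Assumption for this example: a seven-letter alphabetic name directly under
# C:\Windows\System, which is the naming the report shows for all 21 drops.
DROP_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def parse_signature_rows(text):
    """Index file-creation rows by creating image and memory-write rows by writing image."""
    created = defaultdict(set)   # creating process image -> paths it created
    written = defaultdict(set)   # writing process image  -> {(child pid, child image)}
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            created[m["proc"]].add(m["path"])
            continue
        m = WRITE_RE.match(line)
        if m:
            written[m["proc"]].add((int(m["dst"]), m["target"]))
    return created, written


def find_drop_and_spawn(text, min_drops=3):
    """Flag a process that drops at least min_drops look-alike executables into
    C:\\Windows\\System and then writes into processes running those files."""
    created, written = parse_signature_rows(text)
    findings = []
    for proc, paths in created.items():
        dropped = {p for p in paths if DROP_NAME_RE.match(p)}
        if len(dropped) < min_drops:
            continue
        dropped_lc = {p.lower() for p in dropped}
        # child image -> child pid, restricted to files this same process dropped
        spawned = {img: pid for pid, img in written.get(proc, ()) if img.lower() in dropped_lc}
        findings.append({
            "process": proc,
            "from_temp": bool(TEMP_RE.search(proc)),
            "dropped": sorted(dropped),
            "spawned": spawned,
            "unspawned": sorted(dropped - set(spawned)),
        })
    return findings


if __name__ == "__main__":
    for f in find_drop_and_spawn(SIGNATURE_ROWS):
        print(f["process"], "from Temp:", f["from_temp"])
        for img, pid in sorted(f["spawned"].items()):
            print("  dropped and spawned", img, "as PID", pid)
```

The same join maps onto endpoint telemetry: Sysmon Event ID 11 (FileCreate) supplies the created-path and creating-image pair, Event ID 1 (ProcessCreate) the parent-to-child link, and the threshold keeps a single legitimate write into C:\Windows\System from alerting.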

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\uBmtEEB.exe

C:\Windows\System\uBmtEEB.exe

C:\Windows\System\rbeufGi.exe

C:\Windows\System\rbeufGi.exe

C:\Windows\System\WWjTwSi.exe

C:\Windows\System\WWjTwSi.exe

C:\Windows\System\OZzfzPw.exe

C:\Windows\System\OZzfzPw.exe

C:\Windows\System\pKmiXSU.exe

C:\Windows\System\pKmiXSU.exe

C:\Windows\System\JJXmggp.exe

C:\Windows\System\JJXmggp.exe

C:\Windows\System\wKnkONf.exe

C:\Windows\System\wKnkONf.exe

C:\Windows\System\NoMXPJo.exe

C:\Windows\System\NoMXPJo.exe

C:\Windows\System\LyvuVTj.exe

C:\Windows\System\LyvuVTj.exe

C:\Windows\System\dDnZrKP.exe

C:\Windows\System\dDnZrKP.exe

C:\Windows\System\BWWbIvo.exe

C:\Windows\System\BWWbIvo.exe

C:\Windows\System\nwinJSz.exe

C:\Windows\System\nwinJSz.exe

C:\Windows\System\QBLUTnt.exe

C:\Windows\System\QBLUTnt.exe

C:\Windows\System\aMedXUP.exe

C:\Windows\System\aMedXUP.exe

C:\Windows\System\zKpEkwe.exe

C:\Windows\System\zKpEkwe.exe

C:\Windows\System\wJhIzNn.exe

C:\Windows\System\wJhIzNn.exe

C:\Windows\System\TJkqRhj.exe

C:\Windows\System\TJkqRhj.exe

C:\Windows\System\UkrpBkM.exe

C:\Windows\System\UkrpBkM.exe

C:\Windows\System\yZcjMzK.exe

C:\Windows\System\yZcjMzK.exe

C:\Windows\System\JfpvXGq.exe

C:\Windows\System\JfpvXGq.exe

C:\Windows\System\hxaMFFk.exe

C:\Windows\System\hxaMFFk.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
(- : no domain recorded for the connection)
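Most of this table is noise from the analysis environment: reverse (PTR) lookups of addresses that were contacted (the in-addr.arpa names are octet-reversed, so 58.55.71.13.in-addr.arpa resolves 13.71.55.58) and Windows/Bing traffic to tse1.mm.bing.net and g.bing.com. What remains is six TCP connections to 3.120.209.58:8080 in DE with no domain and no matching PTR lookup anywhere in the table. The report does not tie that endpoint to a process or to the Cobalt Strike configuration, so treat it as a lead to confirm against the beacon config of the dropped files rather than as an established C2. As an added example, not part of this report, the Python below separates a table in this layout into those classes and summarises the direct-to-IP connections. The table excerpt is constructed from rows on this page; treating *.bing.net and *.bing.com as sandbox background is this example's assumption and should be adjusted per environment.

```python
import ipaddress
import re
from collections import Counter

# Constructed excerpt of the report's Network table (rows copied from the page,
# "-" where the sandbox recorded no domain); triage() accepts the full table,
# with or without the "-" placeholder.
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 - tcp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)

# Assumption: background traffic of the sandbox's Windows image, not sample behaviour.
BACKGROUND_SUFFIXES = (".bing.net", ".bing.com")


def ptr_to_ip(name):
    """'58.55.71.13.in-addr.arpa' -> '13.71.55.58'; None for anything that is not a PTR name."""
    if not name or not name.endswith(".in-addr.arpa"):
        return None
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def classify(row):
    """One of: dns-ptr, dns-query, background, direct-ip, other."""
    domain = row["domain"]
    if int(row["port"]) == 53 and row["proto"] == "udp":
        return "dns-ptr" if ptr_to_ip(domain) else "dns-query"
    if domain == "-":
        return "direct-ip"
    if domain.endswith(BACKGROUND_SUFFIXES):
        return "background"
    return "other"


def triage(table):
    """Return (class counts, details of direct-to-IP destinations keyed 'ip:port/proto')."""
    rows = []
    for line in table.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header or malformed row
        row = m.groupdict()
        row["domain"] = row["domain"] or "-"   # missing column and "-" mean the same thing
        rows.append(row)
    ptr_targets = {ptr_to_ip(r["domain"]) for r in rows} - {None}
    counts = Counter(classify(r) for r in rows)
    direct = {}
    for r in rows:
        if classify(r) != "direct-ip":
            continue
        key = f"{r['ip']}:{r['port']}/{r['proto']}"
        entry = direct.setdefault(key, {
            "count": 0,
            "country": r["cc"],
            "global": ipaddress.ip_address(r["ip"]).is_global,
            # was this address also reverse-resolved somewhere in the table?
            "reverse_resolved": r["ip"] in ptr_targets,
        })
        entry["count"] += 1
    return counts, direct


if __name__ == "__main__":
    counts, direct = triage(NETWORK_TABLE)
    print(dict(counts))
    for key, info in direct.items():
        print(key, info)
```

The class counts tell you how much of a capture is worth reading; the direct-ip summary is what goes into the investigation note, together with the caveat that the report itself does not attribute the connection.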

Files

memory/3804-0-0x00007FF78F6F0000-0x00007FF78FA44000-memory.dmp

memory/3804-1-0x0000020826270000-0x0000020826280000-memory.dmp

C:\Windows\System\uBmtEEB.exe

MD5 694c4890d033da50e9b07ef71b63d13d
SHA1 811e2c0d85d8b097646c98251e2142477fd0495e
SHA256 d8687e2029e3e7919c30ecb2ee5c210444e92cebfb4a1dd1ff872e4961ea24e7
SHA512 8c672b9387c08acd27169cb28cc21f197fde558390b5a86641fc7a38a9d325496b87e6e47aed3d4bafa8812e188adc681afa176d549bb3c961df6e38ca670fcc

memory/3028-6-0x00007FF682A30000-0x00007FF682D84000-memory.dmp

C:\Windows\System\rbeufGi.exe

MD5 917fe94c830c389d2844abf875eb57ac
SHA1 fa874842a6deed1efcafc45eee99d2b5b798b1cd
SHA256 7701e67547ffb6f9e799fe58ff8e7100e3e0d267173bcbacaa51793b66906870
SHA512 9ead65c29a5bd83be276da66327723cdce3f026ef01377c37cb380ae190138041e1c93d27d8ac70d5911196af7450d93ce733489d6afca852676cdad573afbe7

C:\Windows\System\WWjTwSi.exe

MD5 687077cc451ec3b547a49ec0f434995d
SHA1 120493591b5d4d86a393017b410511517d14f16b
SHA256 362310fc2d92299b0c2ca897d8a88c251802c6b2e1004cb16821973feae29af7
SHA512 df49888b20fe9f6b551351030cc7d705e9f903ced131e01a2b508763768cd630326c9a532ac77229199a26b3b5a26c549017ccbd9bc026618a445340626c7598

memory/4624-18-0x00007FF7D8E50000-0x00007FF7D91A4000-memory.dmp

memory/1136-20-0x00007FF6D06F0000-0x00007FF6D0A44000-memory.dmp

C:\Windows\System\OZzfzPw.exe

MD5 dcd89d960461c47c64acb23093d8dff0
SHA1 d4a34ad5c02191d93c8cf56fca9e8946a1cb7c0b
SHA256 5f7b27a02eb11c0c4dd4ad8a5c45a3ec06d15db6be5b520cdf1cc36ae5c6a8e6
SHA512 7aa6e3ec7513e1f01cd28edf415d1e830f798382e458560e105dbf5bfad2d02dbe9d87c95287f53713007105d827f1e1fc5703d91dafdee079fdccad0727b3ee

memory/1540-26-0x00007FF7EB390000-0x00007FF7EB6E4000-memory.dmp

C:\Windows\System\pKmiXSU.exe

MD5 d07b3c9d92a4c7df80bd1ec774a016a9
SHA1 1fa6352b952ec19e7748870e15457e5e656be72b
SHA256 fe0b8c544f296e377858b23126b8edd820a41ca65c3a18ffde21e865c9a5c268
SHA512 870c0dba52a9e2a87aaa662b4d980e1660dea864fd75cc7c5e38eb39c1c87c7e4df2080669f30247bfc6e84d6bfaee8d6ee5fbcad263aadb7902bf5f3ecbfd83

memory/440-32-0x00007FF623770000-0x00007FF623AC4000-memory.dmp

C:\Windows\System\JJXmggp.exe

MD5 2fe7ae4602cefc4d4696875e32d8869d
SHA1 79814e0f9abf4e36ffdcb2a58b49ed954f09c766
SHA256 d8b932cc069bf6c02095c27832677e0771a8d1456811a5387fb947b43774bfa2
SHA512 53f270a898bc84c5d91d9557446e53da637c37e29d01a5ca2ed52f416033465955281072d795d60ff77d6aacd8beee08f7d59f39b8e65395e97955564f263ea1

C:\Windows\System\wKnkONf.exe

MD5 23b02376fb2e29ebf892425d0e2b0b4e
SHA1 24160a2ba4ef462626f13875c83b9e1ff80956bc
SHA256 417cfdc03830d5a10ce19c7ceb364bf79226214fafe8db8544c16ceaf5468134
SHA512 92176a516b71533ab4bb7c6139227a92e019eb0d1340c0e2b7c0f17d44dbc8e8fc0e728f5d2f412c86b78a3c5e63362b7eb3fef5bbee6ec26c8b82bc81a3757b

memory/5048-43-0x00007FF740600000-0x00007FF740954000-memory.dmp

memory/3164-38-0x00007FF7D6F50000-0x00007FF7D72A4000-memory.dmp

C:\Windows\System\NoMXPJo.exe

MD5 66f023a21ff779f2fafc1ae2837742b3
SHA1 bcef1d332d346b0db7bc0bbaedc0a72297cb02b3
SHA256 d78e33e7e2b5762f2062fb4aca58efa7cb8a14337e5c5463ed685084a560b5fa
SHA512 018d8a192b20fc8c561c6bafc0afb4bd53f0df793907fb32fe8436485821b219b228b4f0d83842bff3754e3b073bd35e35d7e847cbe6da6310e511c17be2bdb8

C:\Windows\System\LyvuVTj.exe

MD5 95b060f1b50028b09c5e9ee6b84f8362
SHA1 5f414bee175ed2f469a4a8d6adafe9f956c28498
SHA256 50dd4f38c03319c3e6ee01157ec70d74233563657ec09f4a5c79e3edd2e8ebc1
SHA512 9c735cad02ded7b300cdf4711d8278b135bb2622b69f6ea793f091a5e12d97aa1245f9fe8d757e27dab01f6684eb02795d9da2c4f35854a4d6de8829ed65accb

memory/3524-48-0x00007FF62C1D0000-0x00007FF62C524000-memory.dmp

memory/3944-55-0x00007FF6D72B0000-0x00007FF6D7604000-memory.dmp

C:\Windows\System\dDnZrKP.exe

MD5 c067a453d3d1105580ad697d53979ca9
SHA1 fdbdce2f86b7d5e88c1cfaa92183e5f275c34da9
SHA256 2b9fa27a8ed2c54b0f84d625395fec89f2d89f426aa35a3f42d8937c81342550
SHA512 8ea0d8c62f20c64a59f2833df549c624ffc1663a01f2612f13ed36d6305a0d9c81d5cebc31e3be018877f23dd9538e26d5a581dbf0237910d25e17a0ca4a6008

memory/3804-60-0x00007FF78F6F0000-0x00007FF78FA44000-memory.dmp

memory/3924-61-0x00007FF747610000-0x00007FF747964000-memory.dmp

C:\Windows\System\nwinJSz.exe

MD5 4a62fd8f62ac12ff423e22d423cca0c5
SHA1 07a1d25baaa162bb95e9d7adad318512694e601a
SHA256 d18ff487d239c4a26b53e536fe5718d77a0c0723abd6f7f21e1a9c6a9e803d89
SHA512 4cce7cf2227deeeb7442a9ba09a6c6fac7c39d722f6d4ec48718090b4be70c30d169f18b03c77f66212d7dfbd3761cb936e347def2fbebe218c9f5ace97d3d55

C:\Windows\System\QBLUTnt.exe

MD5 8ee9e1f0c8d1c0774aefce72a5319965
SHA1 5c3078cf68c4a79dc9db69dcac6cdfb2d51eed32
SHA256 6c507b682600ad56f02c47dcfc58137049084a92431a1beea78a144a028ddf36
SHA512 a044693a6f2ddbe70f2144d8be8b94e7736cd2beba97a3b1fd0f6e5a81a136644195c8009ac88d8008d0316a0d8224f1361fb5edefe75bd9a3ec7533647245dc

C:\Windows\System\aMedXUP.exe

MD5 d4095aa548baa1053b8b33a44c0afe67
SHA1 994cb1488513ef9643ad8faa0b38abdc920dcde0
SHA256 5ff43054643e833c3560042ce6f6b02fe6612e6d9bf7632becf9c1653724ffe0
SHA512 c9e03b297b798d8dd5a1b7535665e079c0ad8b3bfff75e8a5ea4bebd7a7cf62980c77886f455171e7d0c37b055604fe0750e2d6ff9d9f2d315f867192b9d979c

C:\Windows\System\zKpEkwe.exe

MD5 661c320e85c0aa4c46f155d2f509c7a6
SHA1 0fcc97855cfb24b0902aed8d45ec38f9f9c5dcb7
SHA256 5315d08ed5c67083959273a0c529dc693d4d3af125e57f191e9db43a2f55f773
SHA512 be4f2bb36dfada4303df6610cccbb07c988799f830dfaa7087360367951631e3d4d4ea057f153abb75636aeb2c1e5f9e5330b7bbd1be8bf7e4f93c24e20310eb

C:\Windows\System\TJkqRhj.exe

MD5 bfda7496583c5859265ecfb6dd545b60
SHA1 dfed2b6bd072f6392dc71143104325875126ba8f
SHA256 22b063d4d14fb7f701e60ae8f3ff3984c3c480c369ebd0cccf32f18a7669dde3
SHA512 47fbb14a1a49bc0bdc3cd93e71f1c37ee0295df339b66f2ed5dc3b0d129db68515c1e33d21cdb156e3c972cb86638b6be1f88aa8e6f78549eb82693e78de2a2d

C:\Windows\System\wJhIzNn.exe

MD5 bd8fdda6f38aa61979b98af54018fe89
SHA1 41b19e26bdfd3896d0fdae09d537cfc7d3d67211
SHA256 6cb7dbc201822671b0302912f2de7c96fe03d57843328a06eedfa735442459ce
SHA512 d4a771574bb540be53ff2607867a486891d2fdb754723ac9eeec4734c5b691b5dde8cc7745ce5e75eae805a304cadb70ead2bdfa7689d64aa9c88897c1b35b0f

memory/1972-109-0x00007FF7CDE60000-0x00007FF7CE1B4000-memory.dmp

memory/3240-104-0x00007FF77E0C0000-0x00007FF77E414000-memory.dmp

memory/3936-101-0x00007FF74BD30000-0x00007FF74C084000-memory.dmp

memory/440-97-0x00007FF623770000-0x00007FF623AC4000-memory.dmp

memory/1340-96-0x00007FF7D6E20000-0x00007FF7D7174000-memory.dmp

memory/1540-92-0x00007FF7EB390000-0x00007FF7EB6E4000-memory.dmp

memory/4752-80-0x00007FF69D860000-0x00007FF69DBB4000-memory.dmp

memory/1136-79-0x00007FF6D06F0000-0x00007FF6D0A44000-memory.dmp

C:\Windows\System\BWWbIvo.exe

MD5 e236152a33d81d88961cedaf6b01db86
SHA1 c0329c6f95b2d7e176543f6051527f2e27271d1a
SHA256 a6fad9f3dbc595ff159b692b36e5238f61539195c1700769af8eb795d460bca9
SHA512 2a0f5313e4a23a25ec206e05d21247c5cde69b90fa3415f3c53f21ecca4caa1c3c60e0ed9df87c9a8e78ec6b0c0e81daaef9756466f00de5ed0ebd489af6efd4

memory/3544-73-0x00007FF6E2710000-0x00007FF6E2A64000-memory.dmp

memory/4524-72-0x00007FF7EC7A0000-0x00007FF7ECAF4000-memory.dmp

memory/4624-68-0x00007FF7D8E50000-0x00007FF7D91A4000-memory.dmp

memory/3028-67-0x00007FF682A30000-0x00007FF682D84000-memory.dmp

C:\Windows\System\UkrpBkM.exe

MD5 654ece55cacc9861a25698ec8232a929
SHA1 e6010344d2b8a7917d563afb924d96ed8d5d63a0
SHA256 0f7707217e0bbde93c63426fb5794e95e2fc327ea24b4343704bfb37ac641700
SHA512 0c9a40c6319f06abe52cb39bbb5bafa7b850d497cc2fb0a836178eece75656a22d9b6955e6a89c68753f7f06b84bc1d6819564ceae2b8cca3edecda23cab2141

memory/448-117-0x00007FF7E3E80000-0x00007FF7E41D4000-memory.dmp

memory/5048-116-0x00007FF740600000-0x00007FF740954000-memory.dmp

C:\Windows\System\yZcjMzK.exe

MD5 534971ff0dfb67464f1d17e0158738ca
SHA1 7111f0e8f1280eac1a6e7e5163c84c29109fff7d
SHA256 c947eb5af506ac9fdfc9328eedc30e6efac2ef2a09b3addc80355c9eed31dfa0
SHA512 54a7dd324f8f290b3179a848eca1b88f0511f790ed75872edcfdca3e3274887de227e68ac05c48d7d65d228d2f35ff43d694ef20f9e2b946a5324b8240e0b55c

memory/3524-121-0x00007FF62C1D0000-0x00007FF62C524000-memory.dmp

memory/3808-128-0x00007FF6AB170000-0x00007FF6AB4C4000-memory.dmp

memory/1660-127-0x00007FF619F40000-0x00007FF61A294000-memory.dmp

C:\Windows\System\JfpvXGq.exe

MD5 7bd3850775493290677bb0d6c4438db6
SHA1 0e06b7b143bca50260773f969bbce51b88af9340
SHA256 14e287e88be8a1a6bb5ace7d94727ddffce4531dc3caee39678be9fccdff7c1e
SHA512 26c8aeca712b8fcc79b8a421f03d9a71b8085d89ba1c2dadc37bf823dd0aaa4f17d72f8ad46bbf92d1cf91be63c75d0f913d9d649c5950953008fd61915ebe61

C:\Windows\System\hxaMFFk.exe

MD5 38c7ad9bfd04c4442c5da56f7a340fc2
SHA1 9a2dceab91555ca8be098c554e7c88bce63d1e49
SHA256 7cba32f144becbf4fadcb7e0b2cb7fb417456358f68cfb89babd18a9cac2ae77
SHA512 7c38020b495a6edc85dcddf36758fbd9187a7f17c9dc9cec3e89a230e6cd2e4abbe04833bb701f8aa08ccd659087c035c520a24b45e2b8b637329cfdc10320db

memory/3924-135-0x00007FF747610000-0x00007FF747964000-memory.dmp

memory/64-137-0x00007FF717A90000-0x00007FF717DE4000-memory.dmp

memory/4524-136-0x00007FF7EC7A0000-0x00007FF7ECAF4000-memory.dmp

memory/3544-138-0x00007FF6E2710000-0x00007FF6E2A64000-memory.dmp

memory/4752-139-0x00007FF69D860000-0x00007FF69DBB4000-memory.dmp

memory/3936-140-0x00007FF74BD30000-0x00007FF74C084000-memory.dmp

memory/3240-141-0x00007FF77E0C0000-0x00007FF77E414000-memory.dmp

memory/1972-142-0x00007FF7CDE60000-0x00007FF7CE1B4000-memory.dmp

memory/1660-143-0x00007FF619F40000-0x00007FF61A294000-memory.dmp

memory/3808-144-0x00007FF6AB170000-0x00007FF6AB4C4000-memory.dmp

memory/3028-145-0x00007FF682A30000-0x00007FF682D84000-memory.dmp

memory/4624-146-0x00007FF7D8E50000-0x00007FF7D91A4000-memory.dmp

memory/1136-147-0x00007FF6D06F0000-0x00007FF6D0A44000-memory.dmp

memory/1540-148-0x00007FF7EB390000-0x00007FF7EB6E4000-memory.dmp

memory/440-149-0x00007FF623770000-0x00007FF623AC4000-memory.dmp

memory/3164-150-0x00007FF7D6F50000-0x00007FF7D72A4000-memory.dmp

memory/5048-151-0x00007FF740600000-0x00007FF740954000-memory.dmp

memory/3524-152-0x00007FF62C1D0000-0x00007FF62C524000-memory.dmp

memory/3944-153-0x00007FF6D72B0000-0x00007FF6D7604000-memory.dmp

memory/3924-154-0x00007FF747610000-0x00007FF747964000-memory.dmp

memory/4524-155-0x00007FF7EC7A0000-0x00007FF7ECAF4000-memory.dmp

memory/3544-156-0x00007FF6E2710000-0x00007FF6E2A64000-memory.dmp

memory/4752-158-0x00007FF69D860000-0x00007FF69DBB4000-memory.dmp

memory/1340-157-0x00007FF7D6E20000-0x00007FF7D7174000-memory.dmp

memory/1972-159-0x00007FF7CDE60000-0x00007FF7CE1B4000-memory.dmp

memory/3936-160-0x00007FF74BD30000-0x00007FF74C084000-memory.dmp

memory/3240-161-0x00007FF77E0C0000-0x00007FF77E414000-memory.dmp

memory/448-162-0x00007FF7E3E80000-0x00007FF7E41D4000-memory.dmp

memory/1660-163-0x00007FF619F40000-0x00007FF61A294000-memory.dmp

memory/3808-164-0x00007FF6AB170000-0x00007FF6AB4C4000-memory.dmp

memory/64-165-0x00007FF717A90000-0x00007FF717DE4000-memory.dmp
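The Files listings of both detonations (behavioral1's, which ends with the 0x13F…-based dumps, and this behavioral2 listing) share a regularity that is easier to check than to eyeball: every process-image dump, the parent's included, spans exactly 0x354000 bytes, while the 21 dropped files all carry different hashes. Identical image size with per-file hash variation is worth confirming on the dropped files themselves before treating each hash as a separate payload. As an added example, not part of the report or of the sandbox vendor's tooling, the Python below parses a listing in this exact layout (path, then MD5/SHA1/SHA256/SHA512 lines, interleaved with memory/PID-seq-start-end entries), validates hash lengths, builds a size histogram of the memory regions and emits SHA256 indicator lines. The embedded text is a constructed excerpt of this page's behavioral2 entries; feeding it the whole listing works the same way.

```python
import re
from collections import defaultdict

# Constructed excerpt of the report's "Files" listing (behavioral2 entries copied
# from the page); parse_files_section() accepts the full section in this shape.
FILES_SECTION = """\
memory/3804-0-0x00007FF78F6F0000-0x00007FF78FA44000-memory.dmp

memory/3804-1-0x0000020826270000-0x0000020826280000-memory.dmp

C:\\Windows\\System\\uBmtEEB.exe

MD5 694c4890d033da50e9b07ef71b63d13d
SHA1 811e2c0d85d8b097646c98251e2142477fd0495e
SHA256 d8687e2029e3e7919c30ecb2ee5c210444e92cebfb4a1dd1ff872e4961ea24e7
SHA512 8c672b9387c08acd27169cb28cc21f197fde558390b5a86641fc7a38a9d325496b87e6e47aed3d4bafa8812e188adc681afa176d549bb3c961df6e38ca670fcc

memory/3028-6-0x00007FF682A30000-0x00007FF682D84000-memory.dmp

C:\\Windows\\System\\rbeufGi.exe

MD5 917fe94c830c389d2844abf875eb57ac
SHA1 fa874842a6deed1efcafc45eee99d2b5b798b1cd
SHA256 7701e67547ffb6f9e799fe58ff8e7100e3e0d267173bcbacaa51793b66906870
SHA512 9ead65c29a5bd83be276da66327723cdce3f026ef01377c37cb380ae190138041e1c93d27d8ac70d5911196af7450d93ce733489d6afca852676cdad573afbe7
"""

MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_RE = re.compile(r"^(?P<algo>MD5|SHA1|SHA256|SHA512) (?P<hex>[0-9a-f]+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\\S+$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex digits


def parse_files_section(text):
    """Return ({path: {algo: hex}}, [{pid, seq, start, size}]) from a Files listing."""
    files, regions = {}, []
    current = None  # path the following hash lines belong to
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            regions.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                            "start": start, "size": end - start})
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            if len(m["hex"]) != HASH_LEN[m["algo"]]:
                raise ValueError(f"{m['algo']} for {current} has {len(m['hex'])} hex digits")
            files[current][m["algo"]] = m["hex"]
            continue
        if PATH_RE.match(line):
            current = line
            files.setdefault(current, {})
    return files, regions


def region_size_histogram(regions):
    """Map region size -> list of PIDs that had a dump of that size (in listing order)."""
    hist = defaultdict(list)
    for r in regions:
        hist[r["size"]].append(r["pid"])
    return dict(hist)


def ioc_lines(files, algo="SHA256"):
    """'<hash>  <path>' lines, sorted by path, for the chosen algorithm."""
    return [f"{h[algo]}  {path}" for path, h in sorted(files.items()) if algo in h]


if __name__ == "__main__":
    files, regions = parse_files_section(FILES_SECTION)
    for size, pids in sorted(region_size_histogram(regions).items()):
        print(f"0x{size:X} bytes: PIDs {pids}")
    print("\n".join(ioc_lines(files)))
```

On the full listing the histogram collapses to one image size for every PID plus the parent's single 0x10000 heap region, which is the check the lead-in describes; the SHA256 lines drop straight into a blocklist or a hunting query.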