Malware Analysis Report

2025-03-15 08:07

Sample ID 240814-y698jssepg
Target 2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat
SHA256 87f27ebca3322a81f90a4813a9a7a4175b09e2f03b6c478201dd3fb1b571aa6c
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

87f27ebca3322a81f90a4813a9a7a4175b09e2f03b6c478201dd3fb1b571aa6c

Threat Level: Known bad

The file 2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike

Cobaltstrike family

xmrig

Cobalt Strike reflective loader

XMRig Miner payload

Xmrig family

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-14 20:25

Signatures

Cobalt Strike reflective loader

Matches: 1 (description, indicator, process and target not recorded)

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Matches: 1 (description, indicator, process and target not recorded)

Xmrig family

xmrig

UPX packed file

upx
Matches: 1 (description, indicator, process and target not recorded)

Unsigned PE

Matches: 2 (description, indicator, process and target not recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 20:25

Reported

2024-08-14 20:27

Platform

win7-20240704-en

Max time kernel

144s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Matches: 21, the same count as the executables dropped under C:\Windows\System below (description, indicator, process and target not recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Matches: 40 (description, indicator, process and target not recorded)

Loads dropped DLL

Description Indicator Process Target
21 loads, all by C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe (loaded module paths not recorded)

UPX packed file

upx
Matches: 62 (description, indicator, process and target not recorded)

Drops file in Windows directory

Description Indicator Process Target
All 21 files were created by C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe (PID 2544 per the WriteProcessMemory table); indicator and target not recorded:
C:\Windows\System\jhoMRTi.exe
C:\Windows\System\HuYdSAw.exe
C:\Windows\System\NYuaYKw.exe
C:\Windows\System\CgEMLKi.exe
C:\Windows\System\NDxtuUO.exe
C:\Windows\System\IoLFxpK.exe
C:\Windows\System\RKRLOws.exe
C:\Windows\System\QOIQHzC.exe
C:\Windows\System\joJgpJY.exe
C:\Windows\System\NRRWXMf.exe
C:\Windows\System\VHqmsgz.exe
C:\Windows\System\JaFhwBt.exe
C:\Windows\System\OLxbKJx.exe
C:\Windows\System\KsmntwM.exe
C:\Windows\System\VeqaPwp.exe
C:\Windows\System\fTWFDqK.exe
C:\Windows\System\HgnzrVq.exe
C:\Windows\System\iFUWRAE.exe
C:\Windows\System\flqLnwd.exe
C:\Windows\System\PEYMZqf.exe
C:\Windows\System\myuLDxJ.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Writing process for every row: C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe (PID 2544). The original table records three writes to each child; indicator not recorded. One row per child below, with the child's image as the target:
PID 2544 wrote to memory of 2376 (3 writes) C:\Windows\System\PEYMZqf.exe
PID 2544 wrote to memory of 2964 (3 writes) C:\Windows\System\OLxbKJx.exe
PID 2544 wrote to memory of 1640 (3 writes) C:\Windows\System\myuLDxJ.exe
PID 2544 wrote to memory of 2812 (3 writes) C:\Windows\System\CgEMLKi.exe
PID 2544 wrote to memory of 2756 (3 writes) C:\Windows\System\KsmntwM.exe
PID 2544 wrote to memory of 2960 (3 writes) C:\Windows\System\VeqaPwp.exe
PID 2544 wrote to memory of 2800 (3 writes) C:\Windows\System\QOIQHzC.exe
PID 2544 wrote to memory of 2828 (3 writes) C:\Windows\System\joJgpJY.exe
PID 2544 wrote to memory of 2612 (3 writes) C:\Windows\System\fTWFDqK.exe
PID 2544 wrote to memory of 2672 (3 writes) C:\Windows\System\NDxtuUO.exe
PID 2544 wrote to memory of 3056 (3 writes) C:\Windows\System\jhoMRTi.exe
PID 2544 wrote to memory of 2384 (3 writes) C:\Windows\System\NRRWXMf.exe
PID 2544 wrote to memory of 1608 (3 writes) C:\Windows\System\HuYdSAw.exe
PID 2544 wrote to memory of 940 (3 writes) C:\Windows\System\HgnzrVq.exe
PID 2544 wrote to memory of 2424 (3 writes) C:\Windows\System\VHqmsgz.exe
PID 2544 wrote to memory of 2016 (3 writes) C:\Windows\System\NYuaYKw.exe
PID 2544 wrote to memory of 1008 (3 writes) C:\Windows\System\JaFhwBt.exe
PID 2544 wrote to memory of 2380 (3 writes) C:\Windows\System\IoLFxpK.exe
PID 2544 wrote to memory of 1012 (3 writes) C:\Windows\System\iFUWRAE.exe
PID 2544 wrote to memory of 2296 (3 writes) C:\Windows\System\RKRLOws.exe
PID 2544 wrote to memory of 2764 (3 writes) C:\Windows\System\flqLnwd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe (PID 2544, per the WriteProcessMemory table)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe"
  Child processes, in the order the report lists them. Each was started with its own image path as the entire command line (no arguments); PIDs are taken from the WriteProcessMemory table:
    PID 2376  C:\Windows\System\PEYMZqf.exe
    PID 2964  C:\Windows\System\OLxbKJx.exe
    PID 1640  C:\Windows\System\myuLDxJ.exe
    PID 2812  C:\Windows\System\CgEMLKi.exe
    PID 2756  C:\Windows\System\KsmntwM.exe
    PID 2960  C:\Windows\System\VeqaPwp.exe
    PID 2800  C:\Windows\System\QOIQHzC.exe
    PID 2828  C:\Windows\System\joJgpJY.exe
    PID 2612  C:\Windows\System\fTWFDqK.exe
    PID 2672  C:\Windows\System\NDxtuUO.exe
    PID 3056  C:\Windows\System\jhoMRTi.exe
    PID 2384  C:\Windows\System\NRRWXMf.exe
    PID 1608  C:\Windows\System\HuYdSAw.exe
    PID 940   C:\Windows\System\HgnzrVq.exe
    PID 2424  C:\Windows\System\VHqmsgz.exe
    PID 2016  C:\Windows\System\NYuaYKw.exe
    PID 1008  C:\Windows\System\JaFhwBt.exe
    PID 2380  C:\Windows\System\IoLFxpK.exe
    PID 1012  C:\Windows\System\iFUWRAE.exe
    PID 2296  C:\Windows\System\RKRLOws.exe
    PID 2764  C:\Windows\System\flqLnwd.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (no domain recorded) tcp (6 connections to the same endpoint)
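The behavioural rows above are what a responder actually needs from this report: which files were dropped, which of them the parent then launched (the WriteProcessMemory rows are the only place the report ties child PIDs to images), the one C2 endpoint, and the memory regions that were dumped. The Python script below is an added example, not part of the sandbox report or its tooling; it parses a constructed subset of the report's own rows into a process tree, a deduplicated IOC set and a per-region size check. It assumes the row formats visible on this page ("File created <path> <process> N/A", "PID <p> wrote to memory of <c> N/A <parent image> <child image>", "<CC> <ip>:<port> <proto>" and "memory/<pid>-<n>-<start>-<end>-memory.dmp"); the helper names `_drop` and `_write` exist only to build the sample input.

```python
"""Turn the signature rows of a sandbox report into a process tree and an IOC set."""
import re
from collections import Counter, defaultdict

# Image path of the submitted sample, exactly as the report prints it.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe")


def _drop(name):
    """Build a 'Drops file in Windows directory' row (sample-input helper only)."""
    return f"File created C:\\Windows\\System\\{name} {SAMPLE} N/A"


def _write(child_pid, name):
    """Build a 'Suspicious use of WriteProcessMemory' row (sample-input helper only)."""
    return f"PID 2544 wrote to memory of {child_pid} N/A {SAMPLE} C:\\Windows\\System\\{name}"


# Constructed input: a subset of rows copied from the report's signature, network
# and file sections (the full report has 21 drops and 21 children, not 3).
REPORT_LINES = [
    _drop("PEYMZqf.exe"), _drop("OLxbKJx.exe"), _drop("myuLDxJ.exe"),
    # the report repeats each WriteProcessMemory row three times per child
    *([_write(2376, "PEYMZqf.exe")] * 3),
    *([_write(2964, "OLxbKJx.exe")] * 3),
    *([_write(1640, "myuLDxJ.exe")] * 3),
    "DE 3.120.209.58:8080 tcp",
    "DE 3.120.209.58:8080 tcp",
    "memory/2544-0-0x000000013F540000-0x000000013F891000-memory.dmp",
    "memory/2544-1-0x0000000000200000-0x0000000000210000-memory.dmp",
    "memory/2376-15-0x000000013F5E0000-0x000000013F931000-memory.dmp",
    "memory/2964-20-0x000000013FD30000-0x0000000140081000-memory.dmp",
]

DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
NET_RE = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (tcp|udp)$")


def parse_report(lines):
    """Classify each row; paths in this report contain no spaces, so split() is enough."""
    drops, writes, net, regions = [], Counter(), Counter(), []
    for line in lines:
        tok = line.split()
        if tok[:2] == ["File", "created"] and len(tok) == 5:
            drops.append((tok[2], tok[3]))              # (created file, creating process)
        elif tok[:1] == ["PID"] and tok[2:6] == ["wrote", "to", "memory", "of"]:
            # key: (parent pid, child pid, parent image, child image); value: write count
            writes[(int(tok[1]), int(tok[6]), tok[8], tok[9])] += 1
        elif (m := NET_RE.match(line)):
            net[(m.group(2), int(m.group(3)), m.group(4))] += 1
        elif (m := DUMP_RE.match(line)):
            regions.append((int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)))
    return {"drops": drops, "writes": writes, "net": net, "regions": regions}


def process_tree(writes):
    """Collapse repeated WriteProcessMemory rows into parent -> [(child pid, image, writes)]."""
    tree = defaultdict(list)
    for (parent_pid, child_pid, _parent_img, child_img), n in writes.items():
        tree[parent_pid].append((child_pid, child_img, n))
    return dict(tree)


def executed_drops(parsed):
    """Dropped files the parent later launched (Windows paths compared case-insensitively)."""
    launched = {child.lower() for (*_, child) in parsed["writes"]}
    return sorted(path for path, _ in parsed["drops"] if path.lower() in launched)


def region_sizes(parsed_regions):
    """Size of each dumped region; identical sizes across PIDs point to copies of one image."""
    return Counter(end - start for _pid, start, end in parsed_regions)


def iocs(parsed):
    """Deduplicated file paths and network endpoints to hunt on."""
    files = sorted({path for path, _ in parsed["drops"]}
                   | {child for (_, _, _, child) in parsed["writes"]})
    endpoints = sorted(f"{ip}:{port}/{proto}" for (ip, port, proto) in parsed["net"])
    return {"files": files, "endpoints": endpoints}


if __name__ == "__main__":
    parsed = parse_report(REPORT_LINES)
    for parent, children in process_tree(parsed["writes"]).items():
        print(f"PID {parent}")
        for pid, image, n in children:
            print(f"  -> PID {pid} {image} ({n} writes)")
    print("executed drops:", executed_drops(parsed))
    print("region sizes:", {hex(k): v for k, v in region_sizes(parsed["regions"]).items()})
    print("IOCs:", iocs(parsed))
```

Run over the full report rather than the subset, the same functions give 21 children under PID 2544, every dropped file in the executed set, and one size, 0x351000 bytes, for every 0x13F...-based region of the parent and of all 21 children, with only the parent's 0x200000 region (0x10000 bytes) differing. Equal mapped sizes are consistent with each child mapping the same image as the parent; the per-file hashes in the Files section differ, so the drops are not byte-identical on disk, and a disk-hash IOC list needs all 21 entries rather than one.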

Files

memory/2544-0-0x000000013F540000-0x000000013F891000-memory.dmp

memory/2544-1-0x0000000000200000-0x0000000000210000-memory.dmp

\Windows\system\PEYMZqf.exe

MD5 ecfaaa1d3e24d34f3d0b01404b08fc91
SHA1 af89a080067181e7ccb6af4e1232d2e87850b01e
SHA256 e2c792a82c80cc331e53f565830f9326b82ca47ee42a9599b8350478f635d8ae
SHA512 efcac90bdce48fe7b0118b4425aa70a357b9a46bc91ae69344c1acb8d484ac3d012b37c608be32ac4fc608721494234633775d7f7e6f5b876a8be0161dea2159

C:\Windows\system\OLxbKJx.exe

MD5 d7bb83afe8c18a48369eddf11ca1ce37
SHA1 0b5a3ecfb0ba774913adae8e68539ffa4ca75c96
SHA256 b37c703cb9c0efd1c7b740295d7a966eb269938834c3125f62806d1033140f2e
SHA512 ddc47eed9be3e35f9a5d8e0aadc358625c28561f51f47163db8f1878ccb81780a7cf19fc7b45006018dbb42710cf7ab30a924f704ba9b2095a26f5272a2ba219

memory/2376-15-0x000000013F5E0000-0x000000013F931000-memory.dmp

memory/2544-12-0x000000013FD30000-0x0000000140081000-memory.dmp

memory/2544-9-0x0000000002170000-0x00000000024C1000-memory.dmp

\Windows\system\myuLDxJ.exe

MD5 77ade68a0ca316aead759fbbdcd24526
SHA1 a5def735cade3efc14a4a212efd747234e9d8ad9
SHA256 10ad1e08e11bc1e9b8d5bbcc0cc48212ba60f79b4faffeb5dc4802e6d7521c7f
SHA512 5238b605e758f2bea1045787ece32cf3b0765509d0cdb8223d44af37f236f2d97e11c6722c61b3d1ff68f0bf9a501bef2f2ce49db5b3c6ee21e73bf75430e866

C:\Windows\system\CgEMLKi.exe

MD5 d8f6e71e6f561adb40d82fc703a4112c
SHA1 87493aaf0fb19d11275a66ff6f4d71dfb6048d3d
SHA256 53c26556cd046c8c9d1fecd5c5c412d2f5c00f391e375b91effbe3f114ea0c74
SHA512 ffc8d12a16f1edda98b0a4afa05b3c4f2f75412efc46362afdd98884189f03a1182c1b51651edcf05b11603243e77ff7df43dbf4354f3f1de5f072078b7b91a5

memory/2964-20-0x000000013FD30000-0x0000000140081000-memory.dmp

memory/2812-28-0x000000013FFF0000-0x0000000140341000-memory.dmp

memory/1640-27-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

memory/2544-29-0x0000000002170000-0x00000000024C1000-memory.dmp

memory/2756-34-0x000000013F250000-0x000000013F5A1000-memory.dmp

C:\Windows\system\KsmntwM.exe

MD5 5f9f3d84ae8dd6c561e1940661295caf
SHA1 6552d1b62e056cc2507454563f1782e32b183fd5
SHA256 8140023e2fca193b8e22de8aa28d0312419ed5e182a1522f5a75ab2270c5f057
SHA512 82ff13c168820e740f32fd79ff326b379f3aaf823b11cc6adf408026d5fbf8292bf8d8cc925641458ccd640157f7f2d4bf485659519a8b87a795cc961409f7c1

C:\Windows\system\VeqaPwp.exe

MD5 c4ad242163bbd79487e15bda4369080c
SHA1 ec3c6e0d05a27b4e1ebbbf5bd02cd449e26bde85
SHA256 615b3d98665495b4085225e0fb799fe4d00fcb86d227bb0d8716fcfc4a6e4847
SHA512 2857e776c994848a572761367a263b1e0b8c1da8b94405b9cf4ca72c98aa68f25dc5d4a472c1865c709f4ca460f9ff414938d77cd8e9fde073aad49d462bf5ea

C:\Windows\system\joJgpJY.exe

MD5 9c899f2c0ba43233879e373628921a13
SHA1 bb8febba611178dd1dfae31e77d4b5875d93efc2
SHA256 6359981a10a735c344b0d2a1561cfa39a3576515203480922b44155cb85c68a3
SHA512 07d6138b8f8637c41b12916a5a1ce4e89febaa6c76cd8a661e48a14920789fe85160b2489a6bf2295b535cd62f36fd5c3ef30dd411a3b1936a5fa597bbf4fdbe

C:\Windows\system\fTWFDqK.exe

MD5 4d46dd4509118dfd5dea3f92778f5999
SHA1 f8470ff2de860359c4db84513100964cd1921722
SHA256 5da9d4eb390e2915786e58f832e06883141c30a1cb7a4e1d5795c5336b52a954
SHA512 263747cf3486bf32237c66506a4ede99af3c5c8b2c29ebf79cb1c9685b680e35df33cbb1c90029a29149a82e436b406811a652f2de8087324c79782967916350

C:\Windows\system\jhoMRTi.exe

MD5 001cc0611eabe43ad6d4374ab8680fa3
SHA1 00f5b769ec4b64fcabd87e28a18747aed868bd31
SHA256 fc613e4f4d4b2722302dddbcac941380e374a8da8790829a259014e8b0d2590d
SHA512 3310871ff0bb79201ee98c9dad70fde22edba7a7fcf7f1a54d6db88f37c1bb127a5924025bf49f562fe1a9815e9cbf5e46260840e1a072e47e95289455b65c77

C:\Windows\system\NRRWXMf.exe

MD5 2d6fea8e8390fae73cc264f86691fe4d
SHA1 4ef46cf6948ac41ea9c6354aebad9f7fd6cd71af
SHA256 078646146155cd4462f9ec3ac9ee66438f9052e96cf6e93deda517cb91f323a2
SHA512 b73b6101d8e5be536d058ca2ef779c69fc98146eebe959f7a4197ed40f8895f8d85a698c5b5ab02bd597126a3f981782e327502c93a27f769165bd32781d1d72

C:\Windows\system\HuYdSAw.exe

MD5 c1b9b7f72d03acb5d34334184440d7cf
SHA1 7c0dacaa205bbd434389613c637dfb6658173a15
SHA256 d95cecdba4a1aa99f9818f7d8225edd5ca375ff18f88a28552d0183973cad59d
SHA512 b7240a663609e677baae49e4fccb7a47ea82a5d0e61d60f59a5b10e88171f80d72cbbd8150bfffd0fcc9154d1868aaedd7765882c3990db500b4bf806bd670ee

\Windows\system\NYuaYKw.exe

MD5 c60a329d2f5df331ba1c72dab662d8de
SHA1 992eec63d86952d3fea33ec3bc94d1c0e32dd811
SHA256 fb4483bb341d040b4382a25ae08816ec5f9c69c6031ffc3acc0360bb9d6046b3
SHA512 2f8143f11fa999a949bc312cd33bd623394ef857a8e5c3b2c0c3db1571a286d09a3cc8179570114530ad544e879249dcdb586c7f0af25e69a9651ea96c075fe6

C:\Windows\system\IoLFxpK.exe

MD5 e8c41b377557e052a28f6fbf6c08f133
SHA1 decfa1bef4b3629c6ec2c55735c8960c44bc1fd5
SHA256 d2450d008a821e24c220744048a242443ab0e788ba05242a53daee6b4a2cc28c
SHA512 fd0ab656dada4817557af98089157c28b515954c5cdc80000b89de65a84968819960e8b931d847d27c968313a146da6da3a909ef46644bd9d62d7c16f8bdc8b8

C:\Windows\system\RKRLOws.exe

MD5 6f544e14f45e97175fcaa9f16e17deec
SHA1 6b9c3e84df6adc5a4f27602c57536f1da263c90a
SHA256 b6532cf96e8e10bb7341748f949cfed0a6dfd6c6f1a9e61aa4174102072bf342
SHA512 8492a1682f8930e0eff7b278eee7b18b6772046871e47cfc9295ed8197ddae20e0793d64645ff6bc571194d94fe27e5f0ae8faf826829e834b97ae89e3720bd9

\Windows\system\flqLnwd.exe

MD5 0d7b1cc56a613c51716f43901d1ffbd8
SHA1 9e9e78a1337f778ba4edb745aa5ce6b54de9dd12
SHA256 f7bff9d3e98cbb1b52d0f61cf2f5fb348ff62f55653e728f88288a426269c3bf
SHA512 7cf1b52a8d23fd020049a174b25461d18875726e51b3c318dc593b6c937c67c2501530fe09d454b030baedd35d7e12fca17e83b42e25e54d65837bb6ea15760b

C:\Windows\system\iFUWRAE.exe

MD5 ce1972cdad34302579fbd79df5b15675
SHA1 6b108dc19e4573504336af7ea4eb2ad6b3b957ea
SHA256 7bddaf3acf23a4fa567d5c6e1f57011cac914cd1e5b60b65146579a0ebd804b8
SHA512 aa4a8a6ea674a5d3c6ca1e96d765ceadbe012aec18116a68cd4caef32d254f2925b11c586aa0be78b505d9b5601df9230f67d207738950ab8f75f61ce1c8c0b9

C:\Windows\system\JaFhwBt.exe

MD5 e1dc971e904b232ae21cb84b0e67706e
SHA1 3cfaf3698d22c86dc862d54f485e3a1f8a391447
SHA256 1b36988824c33573ce314dc49b385235e0308300b44cdda20cb1db42b572286b
SHA512 e8aa522d2bbc5df3710d9d88d448ee518226e4918b6a9bc0bc44eba143a78a544650b9def53cf2d3daafe8c08ec65fa88b07f7927107ef5447c0de0a3d5d1534

C:\Windows\system\VHqmsgz.exe

MD5 222184f3d5b8247e6811bd9c20854710
SHA1 e44efcc3572cc23ce43e8852bccd672e99fc4d5f
SHA256 a3f10da3f6b4d150c9bb029cc24021d5d95f7d3312c91fa3910c320689d28d7c
SHA512 5163a587ffe75dd134e258f59eb2a07b24623285540660e6a0c32f46fd9228b7bee8301dd5b01d6b4e31737f7a6d3d98239bded61afe696ccea691e212b38d7f

C:\Windows\system\HgnzrVq.exe

MD5 a33ed8864cd4eb41d788ef8db0d5f57c
SHA1 2b6c3c84841a8fb9c649d6cc58c07157d6a45c5b
SHA256 085b98f24d49da3d4cee07631297cfbca8ed8f90a61bb1938f216d731edf8d6f
SHA512 34cfeba0bb222de8536660420072dedbdcc1446a0ba9fe52314b67a4d891535b598b0e7c10d8c4810392edc36004a406dd3f8799d82f23bb69c901dfe17095fd

C:\Windows\system\NDxtuUO.exe

MD5 ea07dafd3922e908483d53329fe22558
SHA1 5f9c4bc40bf0bec9117730e6aae0d06e89eee4b4
SHA256 90a59405b3ad4b0dae6b16cba13c6f176994c2b993d4f250221e8ec41498bbb1
SHA512 5d7e1d857c31b2c8d422896c1f138f35028b0266c209d59585df7285c132eae090cd6034c843d71bdd3bd12a731427583526a39306222a482793ad976a0f392b

C:\Windows\system\QOIQHzC.exe

MD5 b425bd453fc7359f7bb79d6e9b0e0c64
SHA1 5a8f79770a9e5fb2c6935c768732085cc3c6b103
SHA256 c0af8748ea8246a502f19806c1b71b6c25e46ee659d4e89d0eb940010e573d8f
SHA512 880be41ee1b742700d28a1183b4c4274af96fcbdb85aab3fb4e60117527d1c5f0585f34f8b5169c86f4e8d96c52cb09e1bb2187abd33a8550ae5e2acd432d4d5

memory/2544-114-0x000000013F540000-0x000000013F891000-memory.dmp

memory/2544-121-0x0000000002170000-0x00000000024C1000-memory.dmp

memory/2544-122-0x0000000002170000-0x00000000024C1000-memory.dmp

memory/2756-120-0x000000013F250000-0x000000013F5A1000-memory.dmp

memory/1640-118-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

memory/2800-123-0x000000013F590000-0x000000013F8E1000-memory.dmp

memory/2828-126-0x000000013F680000-0x000000013F9D1000-memory.dmp

memory/2544-127-0x0000000002170000-0x00000000024C1000-memory.dmp

memory/2960-124-0x000000013F790000-0x000000013FAE1000-memory.dmp

memory/2612-128-0x000000013F0D0000-0x000000013F421000-memory.dmp

memory/2544-129-0x000000013F0D0000-0x000000013F421000-memory.dmp

memory/2672-130-0x000000013FE60000-0x00000001401B1000-memory.dmp

memory/1608-133-0x000000013FA20000-0x000000013FD71000-memory.dmp

memory/2544-134-0x000000013FE60000-0x00000001401B1000-memory.dmp

memory/2384-132-0x000000013FDA0000-0x00000001400F1000-memory.dmp

memory/2016-138-0x000000013FC30000-0x000000013FF81000-memory.dmp

memory/2544-137-0x0000000002170000-0x00000000024C1000-memory.dmp

memory/940-135-0x000000013F590000-0x000000013F8E1000-memory.dmp

memory/2424-136-0x000000013F420000-0x000000013F771000-memory.dmp

memory/3056-131-0x000000013F510000-0x000000013F861000-memory.dmp

memory/1008-139-0x000000013F120000-0x000000013F471000-memory.dmp

memory/1012-141-0x000000013F1C0000-0x000000013F511000-memory.dmp

memory/2544-142-0x000000013FDA0000-0x00000001400F1000-memory.dmp

memory/2380-140-0x000000013F140000-0x000000013F491000-memory.dmp

memory/2296-143-0x000000013FE60000-0x00000001401B1000-memory.dmp

memory/2764-144-0x000000013F820000-0x000000013FB71000-memory.dmp

memory/2544-145-0x000000013FA20000-0x000000013FD71000-memory.dmp

memory/2544-146-0x0000000002170000-0x00000000024C1000-memory.dmp

memory/2544-147-0x0000000002170000-0x00000000024C1000-memory.dmp

memory/2544-148-0x000000013F540000-0x000000013F891000-memory.dmp

memory/2544-151-0x000000013F540000-0x000000013F891000-memory.dmp

memory/2544-174-0x0000000002170000-0x00000000024C1000-memory.dmp

memory/2544-194-0x0000000002170000-0x00000000024C1000-memory.dmp

memory/2544-195-0x0000000002170000-0x00000000024C1000-memory.dmp

memory/2376-203-0x000000013F5E0000-0x000000013F931000-memory.dmp

memory/2964-205-0x000000013FD30000-0x0000000140081000-memory.dmp

memory/1640-208-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

memory/2812-209-0x000000013FFF0000-0x0000000140341000-memory.dmp

memory/2960-211-0x000000013F790000-0x000000013FAE1000-memory.dmp

memory/2800-213-0x000000013F590000-0x000000013F8E1000-memory.dmp

memory/2828-215-0x000000013F680000-0x000000013F9D1000-memory.dmp

memory/2612-217-0x000000013F0D0000-0x000000013F421000-memory.dmp

memory/2672-219-0x000000013FE60000-0x00000001401B1000-memory.dmp

memory/3056-221-0x000000013F510000-0x000000013F861000-memory.dmp

memory/2384-223-0x000000013FDA0000-0x00000001400F1000-memory.dmp

memory/1608-225-0x000000013FA20000-0x000000013FD71000-memory.dmp

memory/940-227-0x000000013F590000-0x000000013F8E1000-memory.dmp

memory/2756-243-0x000000013F250000-0x000000013F5A1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 20:25

Reported

2024-08-14 20:27

Platform

win10v2004-20240802-en

Max time kernel

140s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 hits recorded; the report captured no description, indicator, process or target for any of them (all fields N/A).

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
47 hits recorded; the report captured no description, indicator, process or target for any of them (all fields N/A).

UPX packed file

upx
Description Indicator Process Target
64 hits recorded; the report captured no description, indicator, process or target for any of them (all fields N/A).

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\dCEZqoJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pJXmJza.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VymiDFG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OydqIlZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LZDwLUu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wJbKxDO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LuQxYyy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dGMyaql.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZRLRIBh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\knyMepl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZxJMqAW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CStjpkY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bKWzvPY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qSeOATs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WxLBMeG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BVESvFT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zuLvAMR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fkdTzxA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uwXswaF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UJcIWIH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bMfWOQy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4804 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zuLvAMR.exe
PID 4804 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zuLvAMR.exe
PID 4804 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fkdTzxA.exe
PID 4804 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fkdTzxA.exe
PID 4804 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\knyMepl.exe
PID 4804 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\knyMepl.exe
PID 4804 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LZDwLUu.exe
PID 4804 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LZDwLUu.exe
PID 4804 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZxJMqAW.exe
PID 4804 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZxJMqAW.exe
PID 4804 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CStjpkY.exe
PID 4804 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CStjpkY.exe
PID 4804 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bKWzvPY.exe
PID 4804 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bKWzvPY.exe
PID 4804 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uwXswaF.exe
PID 4804 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uwXswaF.exe
PID 4804 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dCEZqoJ.exe
PID 4804 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dCEZqoJ.exe
PID 4804 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pJXmJza.exe
PID 4804 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pJXmJza.exe
PID 4804 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UJcIWIH.exe
PID 4804 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UJcIWIH.exe
PID 4804 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VymiDFG.exe
PID 4804 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VymiDFG.exe
PID 4804 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bMfWOQy.exe
PID 4804 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bMfWOQy.exe
PID 4804 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WxLBMeG.exe
PID 4804 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WxLBMeG.exe
PID 4804 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qSeOATs.exe
PID 4804 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qSeOATs.exe
PID 4804 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LuQxYyy.exe
PID 4804 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LuQxYyy.exe
PID 4804 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dGMyaql.exe
PID 4804 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dGMyaql.exe
PID 4804 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OydqIlZ.exe
PID 4804 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OydqIlZ.exe
PID 4804 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wJbKxDO.exe
PID 4804 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wJbKxDO.exe
PID 4804 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BVESvFT.exe
PID 4804 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BVESvFT.exe
PID 4804 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZRLRIBh.exe
PID 4804 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZRLRIBh.exe
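The two tables above list 21 files created under C:\Windows\System by the sample and 42 WriteProcessMemory rows from PID 4804 into the child processes started from them. The following Python is an added example, not part of the report or of any sandbox tooling: it parses rows in exactly this format, joins the drops to the writes per child PID, and applies a detection rule (random-looking 7-letter .exe created directly under C:\Windows\System by a process running from %TEMP%, then written into). The embedded input is a subset of the rows on this page plus one constructed benign row as a negative control; the 7-letter name heuristic and the rule itself are this example's assumptions, not something the report states.

```python
"""Correlate 'File created' rows with 'wrote to memory of' rows.

Added example, not part of the sandbox report.  It turns the two flat
signature tables into a per-drop view (who created the file, which child
PIDs were written into, how many writes) and applies a small detection
rule to each drop.  The 7-letter-name heuristic is an assumption tuned
to this report's naming, not a general rule.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of rows copied from the report's
# "Drops file in Windows directory" and "Suspicious use of
# WriteProcessMemory" tables (behavioral2, parent PID 4804), plus one
# constructed benign row (notes.txt / explorer.exe) as a negative control.
# The full report has 21 drop rows and 42 write rows.
SAMPLE = r"""
File created C:\Windows\System\zuLvAMR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fkdTzxA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\knyMepl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dCEZqoJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Users\Admin\Documents\notes.txt C:\Windows\explorer.exe N/A
PID 4804 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zuLvAMR.exe
PID 4804 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zuLvAMR.exe
PID 4804 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fkdTzxA.exe
PID 4804 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fkdTzxA.exe
PID 4804 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\knyMepl.exe
PID 4804 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\knyMepl.exe
PID 4804 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dCEZqoJ.exe
PID 4804 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dCEZqoJ.exe
"""

DROP_RE = re.compile(r"^File created (?P<path>\S+) (?P<by>\S+) N/A$")
WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)
# Heuristic (assumption): seven mixed-case letters followed by .exe, the
# pattern every dropped file in this report follows.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{7}\.exe$")


def parse_rows(text):
    """Split rows into (path, creator) drops and (src, dst, src_img, dst_img) writes."""
    drops, writes = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := DROP_RE.match(line):
            drops.append((m["path"], m["by"]))
        elif m := WRITE_RE.match(line):
            writes.append((int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return drops, writes


def is_suspicious_drop(path, dropped_by, write_count):
    r"""Rule: random-looking EXE created directly under C:\Windows\System by a
    process running from %TEMP%, and later written into by WriteProcessMemory."""
    in_windows_system = path.lower().startswith("c:\\windows\\system\\")
    random_name = bool(RANDOM_NAME_RE.match(path.rsplit("\\", 1)[-1]))
    from_temp = "\\appdata\\local\\temp\\" in dropped_by.lower()
    return in_windows_system and random_name and from_temp and write_count > 0


def triage(text):
    """Per dropped file: creator, child PIDs written into, write count, verdict."""
    drops, writes = parse_rows(text)
    view = {path: {"dropped_by": by, "targets": defaultdict(int)} for path, by in drops}
    for _src, dst, _src_img, dst_img in writes:
        if dst_img in view:  # only count writes into a file we saw dropped
            view[dst_img]["targets"][dst] += 1
    results = {}
    for path, info in view.items():
        writes_total = sum(info["targets"].values())
        results[path] = {
            "dropped_by": info["dropped_by"],
            "target_pids": sorted(info["targets"]),
            "writes": writes_total,
            "suspicious": is_suspicious_drop(path, info["dropped_by"], writes_total),
        }
    return results


if __name__ == "__main__":
    for path, r in triage(SAMPLE).items():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {path}  pids={r['target_pids']} writes={r['writes']}")
```

Run on the full 21 drop rows and 42 write rows of this page, every drop resolves to exactly one child PID with two writes, which is the pattern of a parent spawning each dropped copy and writing into it before it runs. The trailing backslash in the C:\Windows\System\ check is deliberate: without it C:\Windows\System32 would match too.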

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\zuLvAMR.exe

C:\Windows\System\zuLvAMR.exe

C:\Windows\System\fkdTzxA.exe

C:\Windows\System\fkdTzxA.exe

C:\Windows\System\knyMepl.exe

C:\Windows\System\knyMepl.exe

C:\Windows\System\LZDwLUu.exe

C:\Windows\System\LZDwLUu.exe

C:\Windows\System\ZxJMqAW.exe

C:\Windows\System\ZxJMqAW.exe

C:\Windows\System\CStjpkY.exe

C:\Windows\System\CStjpkY.exe

C:\Windows\System\bKWzvPY.exe

C:\Windows\System\bKWzvPY.exe

C:\Windows\System\uwXswaF.exe

C:\Windows\System\uwXswaF.exe

C:\Windows\System\dCEZqoJ.exe

C:\Windows\System\dCEZqoJ.exe

C:\Windows\System\pJXmJza.exe

C:\Windows\System\pJXmJza.exe

C:\Windows\System\UJcIWIH.exe

C:\Windows\System\UJcIWIH.exe

C:\Windows\System\VymiDFG.exe

C:\Windows\System\VymiDFG.exe

C:\Windows\System\bMfWOQy.exe

C:\Windows\System\bMfWOQy.exe

C:\Windows\System\WxLBMeG.exe

C:\Windows\System\WxLBMeG.exe

C:\Windows\System\qSeOATs.exe

C:\Windows\System\qSeOATs.exe

C:\Windows\System\LuQxYyy.exe

C:\Windows\System\LuQxYyy.exe

C:\Windows\System\dGMyaql.exe

C:\Windows\System\dGMyaql.exe

C:\Windows\System\OydqIlZ.exe

C:\Windows\System\OydqIlZ.exe

C:\Windows\System\wJbKxDO.exe

C:\Windows\System\wJbKxDO.exe

C:\Windows\System\BVESvFT.exe

C:\Windows\System\BVESvFT.exe

C:\Windows\System\ZRLRIBh.exe

C:\Windows\System\ZRLRIBh.exe

Network

Country  Destination         Domain                         Proto
US       8.8.8.8:53          58.55.71.13.in-addr.arpa       udp
US       8.8.8.8:53          37.58.20.217.in-addr.arpa      udp
DE       3.120.209.58:8080   (none)                         tcp
US       8.8.8.8:53          g.bing.com                     udp
US       13.107.21.237:443   g.bing.com                     tcp
US       8.8.8.8:53          237.21.107.13.in-addr.arpa     udp
US       8.8.8.8:53          69.31.126.40.in-addr.arpa      udp
US       8.8.8.8:53          26.35.223.20.in-addr.arpa      udp
US       8.8.8.8:53          104.219.191.52.in-addr.arpa    udp
US       8.8.8.8:53          217.106.137.52.in-addr.arpa    udp
DE       3.120.209.58:8080   (none)                         tcp
US       8.8.8.8:53          157.123.68.40.in-addr.arpa     udp
US       8.8.8.8:53          171.39.242.20.in-addr.arpa     udp
US       8.8.8.8:53          192.142.123.92.in-addr.arpa    udp
US       8.8.8.8:53          tse1.mm.bing.net               udp
US       150.171.28.10:443   tse1.mm.bing.net               tcp
US       150.171.28.10:443   tse1.mm.bing.net               tcp
US       150.171.28.10:443   tse1.mm.bing.net               tcp
US       150.171.28.10:443   tse1.mm.bing.net               tcp
US       150.171.28.10:443   tse1.mm.bing.net               tcp
DE       3.120.209.58:8080   (none)                         tcp
US       8.8.8.8:53          73.144.22.2.in-addr.arpa       udp
DE       3.120.209.58:8080   (none)                         tcp
US       8.8.8.8:53          48.229.111.52.in-addr.arpa     udp
DE       3.120.209.58:8080   (none)                         tcp
DE       3.120.209.58:8080   (none)                         tcp

The six tcp connections to 3.120.209.58:8080 (DE) carry no domain: nothing in the capture resolves a name to that address, and it is the only destination that is not a Microsoft host (g.bing.com at 13.107.21.237 and tse1.mm.bing.net at 150.171.28.10 are Bing infrastructure). Given the Cobalt Strike detections in the Signatures section, that direct-to-IP endpoint on port 8080 is the candidate beacon destination to block and hunt for. The remaining udp rows are two forward lookups and twelve reverse (in-addr.arpa) lookups; only one reverse lookup, 237.21.107.13.in-addr.arpa, corresponds to an address the tcp rows actually reach (13.107.21.237).
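An added example, not part of the report, that classifies rows in this Network table and isolates the direct-to-IP connections. It embeds the 26 rows above as constructed input; the four-way classification (reverse lookup, forward lookup, named connection, direct-to-IP) is this example's own scheme, and the comparison of reverse lookups against tcp destinations is how it separates OS background resolution from traffic worth chasing.

```python
"""Classify the sandbox Network rows and flag direct-to-IP connections.

Added example, not part of the report.  A row is 'Country Destination
[Domain] Proto'; the Domain column is empty when the sandbox could not
tie the connection to a DNS answer.  Such direct-to-IP TCP connections
are the first thing to pull out of a beaconing sample's capture.
"""
import ipaddress
from collections import Counter

# Constructed sample: the 26 rows of the behavioral2 Network table, copied
# from the report in capture order.
SAMPLE = """\
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 37.58.20.217.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""

ARPA = ".in-addr.arpa"


def reverse_to_ip(name):
    """'237.21.107.13.in-addr.arpa' -> '13.107.21.237' (octets are stored reversed)."""
    octets = name[: -len(ARPA)].split(".")
    return str(ipaddress.ip_address(".".join(reversed(octets))))


def parse_row(line):
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row: {line!r}")
    ip, port = dest.rsplit(":", 1)
    ipaddress.ip_address(ip)  # reject anything that is not a literal address
    if domain and domain.endswith(ARPA):
        kind = "reverse_dns"
    elif proto == "udp" and port == "53":
        kind = "dns"
    elif proto == "tcp" and domain:
        kind = "connection"
    elif proto == "tcp":
        kind = "direct_ip"
    else:
        kind = "other"
    return {"country": country, "ip": ip, "port": int(port), "domain": domain,
            "proto": proto, "kind": kind}


def parse_rows(text):
    return [parse_row(line) for line in text.splitlines() if line.strip()]


def triage(text):
    rows = parse_rows(text)
    tcp_ips = {r["ip"] for r in rows if r["proto"] == "tcp"}
    direct = [r for r in rows if r["kind"] == "direct_ip"]
    reverse = [r for r in rows if r["kind"] == "reverse_dns"]
    return {
        "rows": len(rows),
        "kinds": Counter(r["kind"] for r in rows),
        # destinations reached without any name in the capture
        "direct_ip": Counter(f'{r["ip"]}:{r["port"]} ({r["country"]})' for r in direct),
        "resolved_hosts": sorted({r["domain"] for r in rows if r["kind"] == "connection"}),
        # reverse lookups are mostly OS background; keep only those whose
        # address also shows up as a TCP destination
        "reverse_lookups": len(reverse),
        "reverse_matching_tcp": sorted({reverse_to_ip(r["domain"]) for r in reverse} & tcp_ips),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On this table the result is one direct-to-IP destination hit six times, two named Microsoft hosts, and twelve reverse lookups of which a single one (13.107.21.237) matches anything the sample connected to; the other eleven are resolver noise and not indicators.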

Files

memory/4804-0-0x00007FF6E9A70000-0x00007FF6E9DC1000-memory.dmp

memory/4804-1-0x00000265FE370000-0x00000265FE380000-memory.dmp

C:\Windows\System\zuLvAMR.exe

MD5 bf5d1c42e3ac06c2c9894d4ff40c5e26
SHA1 0e6c225dc9e7574f2cf552bfc0c1b5e3c6bf854c
SHA256 358f9ebbaf6fec68f56bb1c904b451260e01985c5fea09e31dbfa1770e758ce0
SHA512 8bb855ba7c518f34cb28aab64d08c9fb69f2748f22d75df3b53a00561ff5a4c44d174aa3b05acdf126295aaab5a1a890bcf95c0a4fec45fc0c96150989e9af83

memory/4008-9-0x00007FF719D90000-0x00007FF71A0E1000-memory.dmp

C:\Windows\System\fkdTzxA.exe

MD5 315f251cb7389c1ae038ec95ae849a66
SHA1 3641b68f087756b872e740b619b855a2e39a804b
SHA256 f12e059521a144c5937b1a00e10fa170baa4cd6c22679811e23773d4ee1c1e5f
SHA512 7896d64d4c840ab40570f17b2c4e5d125ff7502151ce0f7cf122d460187171a021079163324c20429b017d793f70b012d5ac45cdc841d988ad5e1507f8e7d7b2

memory/2968-20-0x00007FF62D3A0000-0x00007FF62D6F1000-memory.dmp

memory/5092-18-0x00007FF73E160000-0x00007FF73E4B1000-memory.dmp

C:\Windows\System\knyMepl.exe

MD5 1e765546519f17930678cc8212b0df2f
SHA1 0892f5831cf78b1735e0b71024811c3ecef3524a
SHA256 891e5b860c173e1b13e66f90a32e2f8ff5afd14416f916d6bec38fe916ef5dc1
SHA512 ccdc220b43853dcae3d7e640a8df9634075e77767dfee9e0e1d07cbd214047a6826a31cbef7fae49df242a1edf0c5ae4ba0e91185937909864db425af45e50f6

C:\Windows\System\LZDwLUu.exe

MD5 bb6b2977f35d6963b01bc5dcc73034c9
SHA1 4cde90116109d82bfc4e4656f36ad7afb7164ed5
SHA256 76e3585ae1dfad4a68ae8ccb9f8ffaec754586525edd83543dd1a940956cc54e
SHA512 1b5d1c37828eb56aa1dc62582b1c810f15fabe63159f80616bdcaf4839a0a433e8dacf377b06f5504eb2d3640e279d183c337b9011b5898a7b253a0851adc75f

memory/4464-28-0x00007FF7317A0000-0x00007FF731AF1000-memory.dmp

C:\Windows\System\CStjpkY.exe

MD5 6e82776ec6a51b8bee39de721ef607e4
SHA1 cb90eb32d4b33df6039e7340a24bf4dfb721d8f8
SHA256 d718d8fa8761462dd60faeeab41fb120fe40967476cd0df19c0f871eb000efa6
SHA512 431b6623303dfbc085e32b1d1d5fb1b2945d84503b7f96797ecf107fe5dc5e9ebbd7227570167611e581e6141ac03b2695f17e4088419934d5cda7ddc95f215f

C:\Windows\System\bKWzvPY.exe

MD5 c6c1051abf068c1c191732d536b31a3c
SHA1 35324721d1e614b8af1de9d456792f200dd4db9f
SHA256 d8fa27b012739159757e41b192962a26b803b8ac94ae578a084cf77e11ca5d27
SHA512 9fba205295d7e60e5f19077bdf62a8ec9860a526aef3247d8b0b4833c6e091c5df4013ea8d3e2457e35d2dcf0cd57b122018f03ce655f1b44507ceac290c86f0

memory/2356-38-0x00007FF7A6C40000-0x00007FF7A6F91000-memory.dmp

C:\Windows\System\uwXswaF.exe

MD5 cf53ae75e3876f5ace7cde8f595f0140
SHA1 aa13978ee0fcc8674c8701fec54793f5aec967f5
SHA256 2bdc7638c472ec34f39ccd9e27e7d3f5a3ee03e6d432c9a0a799be5a77b07814
SHA512 d427efa62eb76367cb7e69998b7ea3125b7f7e2f0b3459af5e41fb6104a2bee6b2fb042f9626f704d64fdc875861b5eea67aee37132b446fca3254e44ae19f36

C:\Windows\System\UJcIWIH.exe

MD5 d95a8613c167d746dda7ac95b6f92760
SHA1 0e6af7782e198f995bbe959643b195467924f765
SHA256 dc740c9c6e3dd0785272b4d8e8a95c3aa0fcaa0185f6d6206f20e2aafc8e1577
SHA512 736f1ff388156820f71ecda8e60cecf3607ce61a4db74a176e348e2dd3d6d4a68c35618e8e2d0cda58133daa3d21058dfd8718675df278d7da5bfb8c5a4599ac

C:\Windows\System\pJXmJza.exe

MD5 3e62ef0e7385f009350c2c70f44ef9fd
SHA1 e2a7c816c5a58aa2b191e3cdad8d6cacc9f58863
SHA256 d751d4416251780a90d369f49e3e796a1c2e3019d87dc60cc5d0fcbf672fac72
SHA512 cb21b466ee135294fa3d39a5e3c361aa4d849da71833a94a697db23d3054070715c9936e457a2179061555c6cd8760448cbad319d814be6f94df597a87e27a97

C:\Windows\System\bMfWOQy.exe

MD5 67bb5cf214c9fcc0802d4882bcf7f8b7
SHA1 67bc0ead38d9133a30baead4494d50b92fa9a932
SHA256 01f17600b24e616770718bed23f96f5fbf3d2810878dd7e7893ed45209467910
SHA512 f42801186450b3a3365ea10996a4c5461fcd82fb480e003f47340b648f13a34272cc7675e38f4ac4e3c34af1942d8334a76a952417b257e93924295f00ce374b

memory/1616-95-0x00007FF62A550000-0x00007FF62A8A1000-memory.dmp

memory/5092-101-0x00007FF73E160000-0x00007FF73E4B1000-memory.dmp

C:\Windows\System\qSeOATs.exe

MD5 f9d643eeda97de81a6c169aa5679d529
SHA1 6e6d6386f8d9c3ae945c94289a2f6022f5e2b0de
SHA256 95a69233e8a5d0e6c6eec3adbbe8496facec3e86e122a6af45abb4a2eb919819
SHA512 86ccae7ece037c87ce3af8b9950e505e1487c9b235a9208bd8f81268e1be6ef3c3b785059c2f3f8ae30c6c66422939e0aa886224ff8485f7a42e9be5bafee079

memory/1260-118-0x00007FF6BA590000-0x00007FF6BA8E1000-memory.dmp

C:\Windows\System\OydqIlZ.exe

MD5 fa2174c0238c1bcfc18938bf65c275ee
SHA1 f66386924c58995d8dbc9bac619ccc90e91aa049
SHA256 494876276893737584987848bb1dc8e1a4dac2617a7ef0032b2c2b977b77c9f9
SHA512 61cf38b80ac52beb253ddbdb613070a40caf685a947ea8609f34b11d2db47d6b637047324f0926f42c41727d8ba434d367bdb2d8a1af03e8e486817497bf1974

memory/1092-129-0x00007FF69C920000-0x00007FF69CC71000-memory.dmp

C:\Windows\System\ZRLRIBh.exe

MD5 89bba70f3c94b62da6de323955acd62f
SHA1 254b52e978e2b016722f431244ee637232bdfebc
SHA256 b5336f1a19ef79de492d0bb37f588fa344c2d263eb670ea5e9b277d0b75fc66f
SHA512 b528b6e94cfb243686c02cb3e6225cf04ff01667c71a5ee68ba027651fda71f24cad343fd9a31f2f1d3da97190c825efc512557592bb349fe56a434396aacad1

memory/664-126-0x00007FF764220000-0x00007FF764571000-memory.dmp

C:\Windows\System\BVESvFT.exe

MD5 6cb97cdce43a7c3c56462cf2a812896f
SHA1 25f5bea6b594aa2fc292371a7124780a8ab60101
SHA256 c0522ca31b1d598a72b61a48e75f490096c1fcf22e117c162f86b80aa1d0dd0f
SHA512 7d365e7fe37ac6337b1773a3b0675ac75d72a5c54f5cbc51118f40079a38cf993ba86b40331c5d65e73367218011dabd1fc1fc3a07a139030fc8e29c5da09050

C:\Windows\System\wJbKxDO.exe

MD5 7be1f352aa72ab3cbfab3b534e9b0e9e
SHA1 f5baf80197dfbf9c94485e3870b131b01fa33b52
SHA256 c02a2c62cccdc23d84c7f3b933f1110fda56d9e9bb177774677b14c340a44152
SHA512 080aadd3c16b97dfa50874281cf49ba66939e88d779293d221f441931d2958bf60ae2fae164243c216bb0238f79b550d488e5b7f8011a444b61803ba69e285cb

memory/1936-119-0x00007FF764E60000-0x00007FF7651B1000-memory.dmp

C:\Windows\System\LuQxYyy.exe

MD5 68c3d89242ab4e6bf2df6ead6817f35b
SHA1 530f279b2cd28142ad88be2728ded011d793942f
SHA256 e4ffdd3932e9c02fa84ff2f0f1ee025fee346e6fe7ab664219444060dbcb7e03
SHA512 2451ad10394b5d62e3a3b44cbf3aad6670e2b64039af95ff2c5ecaa4ee61caf697712228d17d8394255df1603d09af648603f1145afb138fd2647dcdccb1a40b

C:\Windows\System\dGMyaql.exe

MD5 a0ddaee9e70f1a85a80f863645c52490
SHA1 2800611520aba5dd4d963d16bed2a6d1a697c31e
SHA256 194b11b4239e218d6e5dff00657ebb4cb4e661d2d22f328f71b1b480d9ab0d28
SHA512 c09d4c9164b05c6ed3ff9ab99c138bcb515bdd751ce01e7fffe5b8cabef32b0cb3889a0f68617e241ee2858195027e5fad2e6ac1fc5942c09677e5309d228f84

memory/2016-113-0x00007FF6F17E0000-0x00007FF6F1B31000-memory.dmp

memory/1440-112-0x00007FF7BE6A0000-0x00007FF7BE9F1000-memory.dmp

memory/4100-104-0x00007FF7FA6A0000-0x00007FF7FA9F1000-memory.dmp

C:\Windows\System\VymiDFG.exe

MD5 662bc7cca2a47fc36751053fb357b26d
SHA1 85afe8c7001df1a60535ccac77577e231f829697
SHA256 a9f6b7acb76caa464a516ea54670dd09285022e752fbef05588f16cfd97a8e51
SHA512 62eb8d8d542a91c39ee8ae10be2cba0fe388ee163e533238d559c303f6c7ba0900b613221c7fc0307a70882959bbdc23395efd99de69ce8e0a737d65bc92ecd0

C:\Windows\System\WxLBMeG.exe

MD5 3ec2336a83df9307d342004453b57631
SHA1 db8f53a47ef2f37fb07d21fb49040a4786b62e51
SHA256 b8cf5c11e196dcf0779353cfcddf2b23441d65f0fc78b94b38973b2473da378a
SHA512 0f78715af585e08b3dd770f9f845452a127bf41e4074e5ededff75571d90c3e79ff22417da5521eec3044bcef79f5486143ef00ba0c884156637aeb1175f63a3

memory/1728-87-0x00007FF66AC20000-0x00007FF66AF71000-memory.dmp

memory/4008-86-0x00007FF719D90000-0x00007FF71A0E1000-memory.dmp

memory/4804-77-0x00007FF6E9A70000-0x00007FF6E9DC1000-memory.dmp

memory/1668-76-0x00007FF715A00000-0x00007FF715D51000-memory.dmp

memory/4796-72-0x00007FF7202A0000-0x00007FF7205F1000-memory.dmp

memory/100-65-0x00007FF7E4010000-0x00007FF7E4361000-memory.dmp

C:\Windows\System\dCEZqoJ.exe

MD5 be6bac1d21833338fe2bad5014185ed5
SHA1 b5772eee6d1b11964939b9c3d30f2219e6d8ef49
SHA256 adbd84409a73dbee47c416cc775840bbf803043a19093f47c8929910467f69af
SHA512 11c20dea925680858c9f6829f18fe9d8bcabfc9a8495e98eba4060d5ba9f99779435c5852803f1fc20cddb576871c62039bc368d5e3ddf564e7888c716ad2347

memory/400-56-0x00007FF67D020000-0x00007FF67D371000-memory.dmp

memory/1104-54-0x00007FF64ED40000-0x00007FF64F091000-memory.dmp

memory/1508-44-0x00007FF74C730000-0x00007FF74CA81000-memory.dmp

C:\Windows\System\ZxJMqAW.exe

MD5 761c75cd10bf142b464801341b8ffb64
SHA1 ee1abeb5076a48ae43831094c67619946a5bde99
SHA256 abcb56c2151e7936cb6e21fb7cbdb7ec2e9dd67c24b974aa2812f1ba9245436a
SHA512 d58158c2a889aef77fdfea8a742a596623105a70741386826949a82063806afdad999766fca2544739d1e3f4c321c8464cde8fc7f2dc093ae4196966dfa9af55

memory/1328-34-0x00007FF73C1A0000-0x00007FF73C4F1000-memory.dmp

memory/2968-132-0x00007FF62D3A0000-0x00007FF62D6F1000-memory.dmp

memory/4804-131-0x00007FF6E9A70000-0x00007FF6E9DC1000-memory.dmp

memory/2356-138-0x00007FF7A6C40000-0x00007FF7A6F91000-memory.dmp

memory/4100-147-0x00007FF7FA6A0000-0x00007FF7FA9F1000-memory.dmp

memory/1668-145-0x00007FF715A00000-0x00007FF715D51000-memory.dmp

memory/4796-144-0x00007FF7202A0000-0x00007FF7205F1000-memory.dmp

memory/1616-146-0x00007FF62A550000-0x00007FF62A8A1000-memory.dmp

memory/400-141-0x00007FF67D020000-0x00007FF67D371000-memory.dmp

memory/1104-140-0x00007FF64ED40000-0x00007FF64F091000-memory.dmp

memory/1508-139-0x00007FF74C730000-0x00007FF74CA81000-memory.dmp

memory/100-142-0x00007FF7E4010000-0x00007FF7E4361000-memory.dmp

memory/1328-137-0x00007FF73C1A0000-0x00007FF73C4F1000-memory.dmp

memory/1440-148-0x00007FF7BE6A0000-0x00007FF7BE9F1000-memory.dmp

memory/1260-152-0x00007FF6BA590000-0x00007FF6BA8E1000-memory.dmp

memory/1092-153-0x00007FF69C920000-0x00007FF69CC71000-memory.dmp

memory/664-151-0x00007FF764220000-0x00007FF764571000-memory.dmp

memory/2016-150-0x00007FF6F17E0000-0x00007FF6F1B31000-memory.dmp

memory/4804-154-0x00007FF6E9A70000-0x00007FF6E9DC1000-memory.dmp

memory/4008-204-0x00007FF719D90000-0x00007FF71A0E1000-memory.dmp

memory/5092-206-0x00007FF73E160000-0x00007FF73E4B1000-memory.dmp

memory/2968-208-0x00007FF62D3A0000-0x00007FF62D6F1000-memory.dmp

memory/4464-210-0x00007FF7317A0000-0x00007FF731AF1000-memory.dmp

memory/2356-228-0x00007FF7A6C40000-0x00007FF7A6F91000-memory.dmp

memory/1328-230-0x00007FF73C1A0000-0x00007FF73C4F1000-memory.dmp

memory/1508-234-0x00007FF74C730000-0x00007FF74CA81000-memory.dmp

memory/1104-233-0x00007FF64ED40000-0x00007FF64F091000-memory.dmp

memory/400-236-0x00007FF67D020000-0x00007FF67D371000-memory.dmp

memory/100-238-0x00007FF7E4010000-0x00007FF7E4361000-memory.dmp

memory/1728-240-0x00007FF66AC20000-0x00007FF66AF71000-memory.dmp

memory/1668-242-0x00007FF715A00000-0x00007FF715D51000-memory.dmp

memory/4796-245-0x00007FF7202A0000-0x00007FF7205F1000-memory.dmp

memory/1616-246-0x00007FF62A550000-0x00007FF62A8A1000-memory.dmp

memory/4100-248-0x00007FF7FA6A0000-0x00007FF7FA9F1000-memory.dmp

memory/1936-250-0x00007FF764E60000-0x00007FF7651B1000-memory.dmp

memory/2016-254-0x00007FF6F17E0000-0x00007FF6F1B31000-memory.dmp

memory/1440-253-0x00007FF7BE6A0000-0x00007FF7BE9F1000-memory.dmp

memory/664-256-0x00007FF764220000-0x00007FF764571000-memory.dmp

memory/1092-259-0x00007FF69C920000-0x00007FF69CC71000-memory.dmp

memory/1260-260-0x00007FF6BA590000-0x00007FF6BA8E1000-memory.dmp
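The Files lists for both detonations (this one and behavioral1) mix dropped-file hash blocks with memory dump names. Every dumped region in both lists except memory/4804-1 (0x10000 bytes) spans 0x351000 bytes whichever process it belongs to, consistent with each dropped .exe being the same-sized image under a different name and hash, and in behavioral1 several of PID 2544's dumps sit at the same base as another PID's image (for example 0x13F0D0000, shared with 2612). The following Python is an added example, not part of the report or of the sandbox: it parses both kinds of entry, checks that each digest has the length its algorithm requires, builds the region size histogram and lists bases that appear under more than one PID. The embedded input is a constructed subset of entries copied from both lists; reading the number before the first dash in a dump name as the PID the region was dumped from is an assumption about the sandbox's naming.

```python
"""Parse the report's Files section: dropped-file hash blocks and memory
dump names.  Added example, not part of the report.

A dump is named memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp.  Reading
<pid> as the process the region was dumped from is an assumption about the
sandbox's naming, not something the report states.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: entries copied from the report's Files lists
# (two dropped files and three dumps from behavioral2, three dumps from
# behavioral1), in the report's own layout.
SAMPLE = r"""
memory/4804-0-0x00007FF6E9A70000-0x00007FF6E9DC1000-memory.dmp

memory/4804-1-0x00000265FE370000-0x00000265FE380000-memory.dmp

C:\Windows\System\zuLvAMR.exe

MD5 bf5d1c42e3ac06c2c9894d4ff40c5e26
SHA1 0e6c225dc9e7574f2cf552bfc0c1b5e3c6bf854c
SHA256 358f9ebbaf6fec68f56bb1c904b451260e01985c5fea09e31dbfa1770e758ce0
SHA512 8bb855ba7c518f34cb28aab64d08c9fb69f2748f22d75df3b53a00561ff5a4c44d174aa3b05acdf126295aaab5a1a890bcf95c0a4fec45fc0c96150989e9af83

memory/4008-9-0x00007FF719D90000-0x00007FF71A0E1000-memory.dmp

C:\Windows\System\fkdTzxA.exe

MD5 315f251cb7389c1ae038ec95ae849a66
SHA1 3641b68f087756b872e740b619b855a2e39a804b
SHA256 f12e059521a144c5937b1a00e10fa170baa4cd6c22679811e23773d4ee1c1e5f
SHA512 7896d64d4c840ab40570f17b2c4e5d125ff7502151ce0f7cf122d460187171a021079163324c20429b017d793f70b012d5ac45cdc841d988ad5e1507f8e7d7b2

memory/2544-121-0x0000000002170000-0x00000000024C1000-memory.dmp

memory/2544-129-0x000000013F0D0000-0x000000013F421000-memory.dmp

memory/2612-128-0x000000013F0D0000-0x000000013F421000-memory.dmp
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Return ({path: {algo: hex}}, [region dicts]) from a Files list."""
    files, regions, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := DUMP_RE.match(line):
            pid, n, start, end = m.groups()
            regions.append({"pid": int(pid), "n": int(n),
                            "start": int(start, 16), "end": int(end, 16)})
        elif m := HASH_RE.match(line):
            if current is None:
                raise ValueError(f"hash line before any file path: {line}")
            files[current][m.group(1)] = m.group(2).lower()
        elif "\\" in line:  # a file path opens a new hash block
            current = line
            files.setdefault(current, {})
        else:
            raise ValueError(f"unrecognised line: {line}")
    return files, regions


def validate_hashes(files):
    """(path, algo, seen_len, expected_len) for every digest of the wrong length."""
    problems = []
    for path, digests in files.items():
        for algo, hexdigest in digests.items():
            if len(hexdigest) != HEX_LEN[algo]:
                problems.append((path, algo, len(hexdigest), HEX_LEN[algo]))
    return problems


def region_sizes(regions):
    """Histogram of region sizes; one dominant size across PIDs means the
    children map the same-sized image."""
    return Counter(r["end"] - r["start"] for r in regions)


def shared_bases(regions):
    """Bases that appear under more than one PID, e.g. a parent's dump at a
    child's image base."""
    by_base = defaultdict(set)
    for r in regions:
        by_base[r["start"]].add(r["pid"])
    return {hex(base): sorted(pids) for base, pids in by_base.items() if len(pids) > 1}


if __name__ == "__main__":
    files, regions = parse_files_section(SAMPLE)
    print(f"{len(files)} files, {len(regions)} dumps, hash problems: {validate_hashes(files)}")
    for size, count in region_sizes(regions).most_common():
        print(f"  {count} region(s) of {size:#x} bytes")
    print("bases shared by several PIDs:", shared_bases(regions))
```

Feed it the full list from either detonation and region_sizes() collapses to a single 0x351000 bucket plus the one 0x10000 heap range, while the SHA256 set has as many members as there are dropped files: same size, different bytes, which is what to expect when each copy is re-packed per drop and why hash-only blocking is the wrong control for this family.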