Malware Analysis Report

2025-03-15 08:02

Sample ID 240814-z3fp7svema
Target 2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat
SHA256 91dc3677505c52eb853eae7c3e1ee0189387ead408ac6d68415a7d29e25a5c8e
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

91dc3677505c52eb853eae7c3e1ee0189387ead408ac6d68415a7d29e25a5c8e

Threat Level: Known bad

The file 2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe was found to be: Known bad.

Observed chain in behavioral1 (Windows 7 image): the sample (PID 632) creates 21 seven-letter, randomly named executables under C:\Windows\System\ (the legacy 16-bit directory, not System32), launches each one, issues three WriteProcessMemory calls into each child, and opens six TCP connections to 3.120.209.58:8080 with no domain recorded. The 21 dropped files carry distinct MD5/SHA1/SHA256 values, yet every child's main image region is the same size as the parent's (0x351000 bytes), so the copies are rewritten variants of the sample rather than distinct payloads; per-file hash blocking is therefore weak, and the drop directory plus the 21-way process fan-out are the durable indicators.

Malicious Activity Summary

Tags: upx 0 miner cobaltstrike xmrig backdoor trojan

XMRig Miner payload
Cobalt Strike reflective loader
xmrig
Cobaltstrike
Xmrig family
Cobaltstrike family
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-14 21:14

Signatures

Cobalt Strike reflective loader
1 row; Description, Indicator, Process, Target: N/A

Cobaltstrike family
Tags: cobaltstrike

XMRig Miner payload
Tags: miner
1 row; Description, Indicator, Process, Target: N/A

Xmrig family
Tags: xmrig

UPX packed file
Tags: upx
1 row; Description, Indicator, Process, Target: N/A

Unsigned PE
2 rows; Description, Indicator, Process, Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 21:14

Reported

2024-08-14 21:16

Platform

win7-20240729-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader
21 rows; Description, Indicator, Process, Target: N/A

Cobaltstrike
Tags: trojan backdoor cobaltstrike

xmrig
Tags: miner xmrig

XMRig Miner payload
Tags: miner
40 rows; Description, Indicator, Process, Target: N/A

Loads dropped DLL
21 rows; Process: C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe on every row; Description, Indicator, Target: N/A

UPX packed file
Tags: upx
63 rows; Description, Indicator, Process, Target: N/A

Drops file in Windows directory

Process: C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe (PID 632) on every row; Indicator and Target: N/A
Description: File created (21 files)

C:\Windows\System\azmcFMN.exe
C:\Windows\System\ATgNxkd.exe
C:\Windows\System\nMQZUhu.exe
C:\Windows\System\RYcurfh.exe
C:\Windows\System\AbKoSTI.exe
C:\Windows\System\vIwDYXo.exe
C:\Windows\System\qfHNGpF.exe
C:\Windows\System\yOJgSWP.exe
C:\Windows\System\LwgPVVm.exe
C:\Windows\System\nBFcgGR.exe
C:\Windows\System\tNGjBYh.exe
C:\Windows\System\KblNPTD.exe
C:\Windows\System\FGumifU.exe
C:\Windows\System\SarEDSe.exe
C:\Windows\System\AktOWTj.exe
C:\Windows\System\CcqRruC.exe
C:\Windows\System\BXvqMLw.exe
C:\Windows\System\KOsCvhT.exe
C:\Windows\System\Evqlfcf.exe
C:\Windows\System\gWgKSUG.exe
C:\Windows\System\EowHJVn.exe

Suspicious use of WriteProcessMemory

Source process: PID 632, C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe. Every target below received exactly three writes (63 rows in total); Indicator: N/A on every row.

Target PID Target
2240 C:\Windows\System\azmcFMN.exe
2188 C:\Windows\System\qfHNGpF.exe
2700 C:\Windows\System\yOJgSWP.exe
2644 C:\Windows\System\CcqRruC.exe
2620 C:\Windows\System\KblNPTD.exe
2684 C:\Windows\System\BXvqMLw.exe
2544 C:\Windows\System\ATgNxkd.exe
2560 C:\Windows\System\nMQZUhu.exe
2580 C:\Windows\System\RYcurfh.exe
2908 C:\Windows\System\FGumifU.exe
1040 C:\Windows\System\AbKoSTI.exe
1952 C:\Windows\System\LwgPVVm.exe
2428 C:\Windows\System\SarEDSe.exe
2980 C:\Windows\System\KOsCvhT.exe
1992 C:\Windows\System\nBFcgGR.exe
1500 C:\Windows\System\Evqlfcf.exe
2084 C:\Windows\System\gWgKSUG.exe
1908 C:\Windows\System\tNGjBYh.exe
2756 C:\Windows\System\vIwDYXo.exe
2836 C:\Windows\System\AktOWTj.exe
1632 C:\Windows\System\EowHJVn.exe

Caveat: a short burst of parent-to-child writes immediately after process creation is also seen for ordinary CreateProcess on this platform, so the writes by themselves do not prove injection. What makes this table significant is the combination: the same process created each target under C:\Windows\System\, started it, and is the writer, 21 times within one run.
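The three signatures above (file created in C:\Windows\System\, dropped EXE executed, parent writes into the child) only become a precise detection when they are correlated per source process. The following is an added example, not code from the sandbox or the report: it correlates a constructed stream of file-create, process-create and process-write events (a made-up schema; map Sysmon event IDs 11/1/10 or your EDR's equivalents onto it) and reports a source process only when all three steps complete for the same child. The threshold of three chains, the PIDs and the stand-in sample path are assumptions for illustration.

```python
"""Drop -> execute -> write-memory correlation, per source process.

Added example; not part of the sandbox report. The three event kinds and
their field names are a constructed schema (map Sysmon 11/1/10 or your
EDR's file-create, process-create and process-access events onto them).
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# C:\Windows\System (not System32) is the legacy 16-bit directory; current
# software almost never creates executables there.
DROP_DIR = re.compile(r"^C:\\Windows\\System\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class SourceState:
    dropped: set = field(default_factory=set)     # lower-cased paths created under DROP_DIR
    children: dict = field(default_factory=dict)  # child pid -> lower-cased image path
    written: set = field(default_factory=set)     # child pids this process wrote into


def correlate(events):
    """Return {source_pid: [image, ...]} for every child image that the source
    (1) created under DROP_DIR, (2) spawned, and (3) wrote memory into.
    Any one or two of the three on their own are not reported."""
    state = defaultdict(SourceState)
    for ev in events:
        kind = ev["type"]
        if kind == "file_create" and DROP_DIR.match(ev["target"]):
            state[ev["pid"]].dropped.add(ev["target"].lower())
        elif kind == "process_create":
            state[ev["ppid"]].children[ev["pid"]] = ev["image"].lower()
        elif kind == "process_write":
            state[ev["pid"]].written.add(ev["target_pid"])
    chains = {}
    for pid, s in state.items():
        hits = sorted(img for cpid, img in s.children.items()
                      if img in s.dropped and cpid in s.written)
        if hits:
            chains[pid] = hits
    return chains


def alerts(events, min_chains=3):
    """(source_pid, chain_count) for each source with at least min_chains
    complete chains; the sample in this report would score 21."""
    return [(pid, len(c)) for pid, c in correlate(events).items()
            if len(c) >= min_chains]


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"  # stand-in for the report's sample path


def _chain(src_pid, child_pid, name):
    """One complete drop/spawn/write chain, shaped like the rows in the report."""
    path = "C:\\Windows\\System\\" + name + ".exe"
    return [
        {"type": "file_create", "pid": src_pid, "image": DROPPER, "target": path},
        {"type": "process_create", "pid": child_pid, "ppid": src_pid, "image": path},
        {"type": "process_write", "pid": src_pid, "target_pid": child_pid},
    ]


# Constructed event stream: three of the report's chains plus benign and partial noise.
SAMPLE_EVENTS = (
    _chain(632, 2240, "azmcFMN") + _chain(632, 2188, "qfHNGpF") + _chain(632, 2700, "yOJgSWP")
    # an installer dropping, launching and writing into a child outside DROP_DIR: not a chain
    + [{"type": "file_create", "pid": 900, "image": r"C:\setup.exe",
        "target": r"C:\Program Files\App\app.exe"},
       {"type": "process_create", "pid": 901, "ppid": 900, "image": r"C:\Program Files\App\app.exe"},
       {"type": "process_write", "pid": 900, "target_pid": 901}]
    # a drop that was never executed, and a write into an unrelated pid: not chains
    + [{"type": "file_create", "pid": 632, "image": DROPPER, "target": r"C:\Windows\System\ATgNxkd.exe"},
       {"type": "process_write", "pid": 632, "target_pid": 4444}]
)

if __name__ == "__main__":
    for pid, n in alerts(SAMPLE_EVENTS):
        print(f"PID {pid}: {n} drop/execute/write chains into C:\\Windows\\System")
```

The benign installer in the sample stream performs the same three actions but outside C:\Windows\System\, and the partial chains (a drop with no launch, a write to an unrelated PID) are ignored, which is what keeps the rule quiet on ordinary process creation.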

Processes

PID 632 C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe"

Dropped executables started during the run (PIDs taken from the WriteProcessMemory table above; each was started with its image path as the entire command line):

PID 2240 C:\Windows\System\azmcFMN.exe
PID 2188 C:\Windows\System\qfHNGpF.exe
PID 2700 C:\Windows\System\yOJgSWP.exe
PID 2644 C:\Windows\System\CcqRruC.exe
PID 2620 C:\Windows\System\KblNPTD.exe
PID 2684 C:\Windows\System\BXvqMLw.exe
PID 2544 C:\Windows\System\ATgNxkd.exe
PID 2560 C:\Windows\System\nMQZUhu.exe
PID 2580 C:\Windows\System\RYcurfh.exe
PID 2908 C:\Windows\System\FGumifU.exe
PID 1040 C:\Windows\System\AbKoSTI.exe
PID 1952 C:\Windows\System\LwgPVVm.exe
PID 2428 C:\Windows\System\SarEDSe.exe
PID 2980 C:\Windows\System\KOsCvhT.exe
PID 1992 C:\Windows\System\nBFcgGR.exe
PID 1500 C:\Windows\System\Evqlfcf.exe
PID 2084 C:\Windows\System\gWgKSUG.exe
PID 1908 C:\Windows\System\tNGjBYh.exe
PID 2756 C:\Windows\System\vIwDYXo.exe
PID 2836 C:\Windows\System\AktOWTj.exe
PID 1632 C:\Windows\System\EowHJVn.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none recorded) tcp
Six identical rows were logged for this endpoint within the 150 s network window; no domain was resolved for it.

Caveat: 3.120.0.0/14 is Amazon Web Services eu-central-1 (Frankfurt) address space, so the endpoint is rented cloud capacity that can be released and reassigned. Treat the IP:port pair as a short-lived indicator and pair it with the dropped-file hashes and the C:\Windows\System\ drop pattern rather than relying on it alone.

Files

memory/632-0-0x000000013F5F0000-0x000000013F941000-memory.dmp

memory/632-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\azmcFMN.exe

MD5 eb64a4a31e6dd61fd29ed72a2238cf7d
SHA1 15600900814adf133be4e324225b336ab648c0fd
SHA256 8154889dec80f1358800bacf4bf0ce89d2086c5132cbfaf608a5704cb7602b02
SHA512 91885a2de7a54db2e9f5677798a4ddc9aeffe61b2032d5ebab3233c636cecb9238704c1086723c5ff4d4eb06c83523653e4c293e2bf26eed8631710675ffbaaf

\Windows\system\qfHNGpF.exe

MD5 8144c0f1cd936f497c2890b2919b169c
SHA1 712ed042a5a402ce6babee2b613f34d93cda41d4
SHA256 8539ab292c67fbad3b27fc4639140abfced04dc425042ca035c76c8a88d4359b
SHA512 33aff8b047045d34c53739418f3339f8460772e50ada1d641ec7cb23001a6492f1f2f54a9439455fb2b3973df856eaa3b412a66ba68ba63c34fa14dd6988f894

\Windows\system\yOJgSWP.exe

MD5 3c3f47e5c96c75852beb4f0aae5cc866
SHA1 eeb58bba1fd1cce913b3be2699c2b5e9921d7f00
SHA256 b7da5a9ee950c43272611f852a2b1bca50f8a6f9e146d5ebc0e45adafbef3911
SHA512 67ce6fdfb137e8c238c7f0df9ced46051e416518680d22238a9dd2a027f95ca52c14f558114ce6836739abf12446bf305e483e7215029c19538014e359fdfa56

memory/2188-18-0x000000013F4F0000-0x000000013F841000-memory.dmp

memory/632-15-0x0000000002170000-0x00000000024C1000-memory.dmp

C:\Windows\system\CcqRruC.exe

MD5 15543f4ac755d979e37dc500b31b6dc5
SHA1 7ef01075bd8766a61c234521537a9a53d2320842
SHA256 ffd7ee3b3a3e0f6421f5531d2d5bd05f7e16675a4108c1f5917a4f3b53362739
SHA512 be86629369a858bee6fab8f5dea55e149182c73ce5914870e3c48f10fdea35125beeadb1e035b64b8bd9f1f4180fc77736b89d3f221a447f7c84f5f464aeaa30

memory/2240-26-0x000000013F8F0000-0x000000013FC41000-memory.dmp

\Windows\system\KblNPTD.exe

MD5 9c5bd96edbc9618e8e54b853eb438451
SHA1 1fe80323282cbf63c5b5e9fe613e0ea70374b543
SHA256 c4eafc35241744d479ed28a52786407f540dc8162d25e53284a799dd89e97d47
SHA512 f2204625f2349d62cce82489dd2d86fb08033f54e671cb3501ef0a2408839078a54a5014decb03d984398a555cc08d8c12100ecc29c2e953cb4335468bb6a3a1

memory/632-31-0x0000000002170000-0x00000000024C1000-memory.dmp

memory/2644-29-0x000000013F610000-0x000000013F961000-memory.dmp

memory/632-28-0x0000000002170000-0x00000000024C1000-memory.dmp

memory/632-27-0x000000013F950000-0x000000013FCA1000-memory.dmp

memory/2700-24-0x000000013F950000-0x000000013FCA1000-memory.dmp

C:\Windows\system\BXvqMLw.exe

MD5 e6c609677ad9e8614dcf17c4a0f94ffc
SHA1 acaed90af06b55f4281c798d63a52736daae4458
SHA256 ff8b403219e2ba59c6ae50771a21e40c583163256f852de25490a991540ed69b
SHA512 6e4f2e0149f71c92c0e88433d57337c64c2ec9f4f4eb0cca1202f3ef399412769a620e54c8ed0b0f1273e4dc37ff0480a0648e3874da35d87cd5fedf2c2c2338

memory/2684-48-0x000000013F540000-0x000000013F891000-memory.dmp

memory/2620-43-0x000000013F8E0000-0x000000013FC31000-memory.dmp

memory/632-62-0x0000000002170000-0x00000000024C1000-memory.dmp

C:\Windows\system\RYcurfh.exe

MD5 e65cc83426d4de0bc5227bc048d7773e
SHA1 a3bc20885d8785883cce9787414841878ef1a6c8
SHA256 b2f829f11d25d40201e95f943dd62668caf17eba7c35c3be7b89672323f7a61a
SHA512 98073180b21bf2651986a39a0c4e2d0e87f392f1bfbc27862006117c1fd181b13b7a3a6f9049049b097607968dbe136e7f45c93cc24fa6d1191abac94c305973

\Windows\system\FGumifU.exe

MD5 bffec7ce62b0f2c927bccd78b30ee9ab
SHA1 f3a681d3c61e4ba5506b62080770e5a32b84a2a0
SHA256 1e80ba7c1a8437b8fc186ab56837c6e826a5455930ddccaef46d27fca5d44a73
SHA512 68ed80be85ff001fc6a3b248b52cebbb3e6e6f8dbdb9a6cbafb757c52aee112874fcf74cd08f8dd353515397c7eb861ef9feb09b125d7dcdbbfd08e771dfc045

memory/632-76-0x0000000002170000-0x00000000024C1000-memory.dmp

C:\Windows\system\nBFcgGR.exe

MD5 73b2e1b9b502a6db76cf0e52602368cc
SHA1 3864a331d6022e9a6661b7374238d7285788d106
SHA256 438332a28094254750563b5d9af43a5fe0c94c4a3f46da68220382ea1964cdcb
SHA512 763646f6591a1e2fad7760072262043b7247a1f5af01592227730cd075b00ccda8a9fafe8044fb689022a0dacc7ce3eaeb67274f0c30e8cd0aece6224f31b72e

\Windows\system\LwgPVVm.exe

MD5 483102acf827b80cc6e652fe3bdf8c52
SHA1 6cb2bd7396ffd55cb5c93a351a2e3ff13821f54b
SHA256 fd77cd403f5034d77f011eaf3fafbb7fcbfd3d2fd0e637c9a274a45820ccd5db
SHA512 2fb254fc5c532f92891b9c6f0397cadbef244a9d6784103b9decb833e66bdef465c6d3730e3cf2b4072aed40aabeae69461eb9a151e6e65e5b4c03d2ef33fc1c

C:\Windows\system\AktOWTj.exe

MD5 22bb8ea04632bd4c48bd31f6f3dd7217
SHA1 c0afcfa900d2e5609cd9074c2ce78687624daf42
SHA256 69c91916cdb3ba9118086fe334d8a4bcc35cf594d93d18dde815a42897aaba59
SHA512 b281173795e8d3e08f3b1fdfa31df4be2b650a7e06bfc251d4c53e6ea8f8be44ce82fb0756d6fef0cc0ffb2d26582783d94ab9f4542a708b36063a9f97e51c43

\Windows\system\tNGjBYh.exe

MD5 c9587a2f982e43c69d3fc42712ff3a02
SHA1 cf6bd35b910c2f554ff9a29060ad40c02fcfb2cf
SHA256 e15135977ab57f9ee314efe67cb98011b49e56110ea56a9cd303747135afd771
SHA512 c2ea2a54431b823e41e5d9178f61e7d474734ac82106128f0c4c3edcd32b733ed7ba2ddeb95c23cf656eb68f744bd84c3a372a93d677a8078949bdb3dc3ec73e

\Windows\system\Evqlfcf.exe

MD5 cd1dc294b89bc2194203d76d609090c4
SHA1 15baf23b00434ae94cd13e9f80c851ffc47469fe
SHA256 c57e402a6b103600b7f084104ddd0f0edf601dfa8463bf6e6aa71a6f51ae5931
SHA512 40081efa29c97fece6894b26d17a1379c278602beab74aaca7ba05d4160436cc7c862453b8913ecefe06078861d641febaa90744b8316adc0fd6c5077bdacfc3

memory/632-130-0x000000013FE20000-0x0000000140171000-memory.dmp

memory/1992-129-0x000000013FEB0000-0x0000000140201000-memory.dmp

memory/2428-92-0x000000013FDB0000-0x0000000140101000-memory.dmp

C:\Windows\system\SarEDSe.exe

MD5 f987d5fb5c2aadec1f85eed2a06e4c61
SHA1 54d935b1cd10623634d3ed410bc08015741e9aad
SHA256 6c87885d8c1603a4c4ff0bcbe669806d8aa527086f69f96db2e1b71f829238e2
SHA512 81412e7dfae75f888248d01ed59c14f556001ffa644cf578f93c11ac96a95a322b3c4b2b5913f5f56828e7eb203aae606171c1d99859809d7df6f13663caf9b0

\Windows\system\KOsCvhT.exe

MD5 ff478d3018e6efeb9defc34287871fa1
SHA1 cb1d279231359f7283cd6a33e7b4499a2191c1bb
SHA256 dd35a71f8392af05fe272addbb83e5e3ff9d7cceeaeb3ccee0718490731e46d8
SHA512 b1ffc80c5214a65896dcde6df8c4284894596d9b59f8c5914733881c058111b4ea262bd1a76157755e1c59f485611963a52cee1b454a81ba05a7635f0326ebe8

C:\Windows\system\EowHJVn.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 21:14

Reported

2024-08-14 21:16

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
UPX packed file

upx
Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\yOJgSWP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FGumifU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SarEDSe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Evqlfcf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EowHJVn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CcqRruC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ATgNxkd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vIwDYXo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AktOWTj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KblNPTD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BXvqMLw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AbKoSTI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LwgPVVm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nBFcgGR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gWgKSUG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tNGjBYh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\azmcFMN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qfHNGpF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nMQZUhu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RYcurfh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KOsCvhT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4296 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\azmcFMN.exe
PID 4296 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\azmcFMN.exe
PID 4296 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qfHNGpF.exe
PID 4296 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qfHNGpF.exe
PID 4296 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yOJgSWP.exe
PID 4296 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yOJgSWP.exe
PID 4296 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CcqRruC.exe
PID 4296 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CcqRruC.exe
PID 4296 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KblNPTD.exe
PID 4296 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KblNPTD.exe
PID 4296 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BXvqMLw.exe
PID 4296 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BXvqMLw.exe
PID 4296 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ATgNxkd.exe
PID 4296 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ATgNxkd.exe
PID 4296 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nMQZUhu.exe
PID 4296 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nMQZUhu.exe
PID 4296 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RYcurfh.exe
PID 4296 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RYcurfh.exe
PID 4296 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FGumifU.exe
PID 4296 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FGumifU.exe
PID 4296 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AbKoSTI.exe
PID 4296 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AbKoSTI.exe
PID 4296 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LwgPVVm.exe
PID 4296 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LwgPVVm.exe
PID 4296 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SarEDSe.exe
PID 4296 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SarEDSe.exe
PID 4296 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KOsCvhT.exe
PID 4296 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KOsCvhT.exe
PID 4296 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nBFcgGR.exe
PID 4296 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nBFcgGR.exe
PID 4296 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Evqlfcf.exe
PID 4296 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Evqlfcf.exe
PID 4296 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gWgKSUG.exe
PID 4296 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gWgKSUG.exe
PID 4296 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tNGjBYh.exe
PID 4296 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tNGjBYh.exe
PID 4296 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vIwDYXo.exe
PID 4296 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vIwDYXo.exe
PID 4296 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AktOWTj.exe
PID 4296 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AktOWTj.exe
PID 4296 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EowHJVn.exe
PID 4296 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EowHJVn.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\azmcFMN.exe

C:\Windows\System\azmcFMN.exe

C:\Windows\System\qfHNGpF.exe

C:\Windows\System\qfHNGpF.exe

C:\Windows\System\yOJgSWP.exe

C:\Windows\System\yOJgSWP.exe

C:\Windows\System\CcqRruC.exe

C:\Windows\System\CcqRruC.exe

C:\Windows\System\KblNPTD.exe

C:\Windows\System\KblNPTD.exe

C:\Windows\System\BXvqMLw.exe

C:\Windows\System\BXvqMLw.exe

C:\Windows\System\ATgNxkd.exe

C:\Windows\System\ATgNxkd.exe

C:\Windows\System\nMQZUhu.exe

C:\Windows\System\nMQZUhu.exe

C:\Windows\System\RYcurfh.exe

C:\Windows\System\RYcurfh.exe

C:\Windows\System\FGumifU.exe

C:\Windows\System\FGumifU.exe

C:\Windows\System\AbKoSTI.exe

C:\Windows\System\AbKoSTI.exe

C:\Windows\System\LwgPVVm.exe

C:\Windows\System\LwgPVVm.exe

C:\Windows\System\SarEDSe.exe

C:\Windows\System\SarEDSe.exe

C:\Windows\System\KOsCvhT.exe

C:\Windows\System\KOsCvhT.exe

C:\Windows\System\nBFcgGR.exe

C:\Windows\System\nBFcgGR.exe

C:\Windows\System\Evqlfcf.exe

C:\Windows\System\Evqlfcf.exe

C:\Windows\System\gWgKSUG.exe

C:\Windows\System\gWgKSUG.exe

C:\Windows\System\tNGjBYh.exe

C:\Windows\System\tNGjBYh.exe

C:\Windows\System\vIwDYXo.exe

C:\Windows\System\vIwDYXo.exe

C:\Windows\System\AktOWTj.exe

C:\Windows\System\AktOWTj.exe

C:\Windows\System\EowHJVn.exe

C:\Windows\System\EowHJVn.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 52.111.227.13:443 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
