Malware Analysis Report

2025-03-15 08:02

Sample ID 240814-z67cbszerj
Target 2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat
SHA256 f9890e500017842ef38ae3a3c923e7cef669f9a2a495f127e0b708e0629a8639
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f9890e500017842ef38ae3a3c923e7cef669f9a2a495f127e0b708e0629a8639

Threat Level: Known bad

The file 2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

xmrig

Cobaltstrike

Xmrig family

Cobalt Strike reflective loader

Cobaltstrike family

XMRig Miner payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-14 21:20

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 21:20

Reported

2024-08-14 21:23

Platform

win7-20240729-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\IiswCcs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SrZXdEF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JbWwINU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lTuUesp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JyzeMlv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PhthMmy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gspsYwc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SestRjd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fypniOZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eYrAkYz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\stnXumI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PcjdWZb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mANJUoA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sMoeIYJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dkBoNoO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DQawMLa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wecqzFc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CupArAq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vPczCsa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kzJmFBp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wfGIFjn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1316 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CupArAq.exe
PID 1316 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IiswCcs.exe
PID 1316 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lTuUesp.exe
PID 1316 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vPczCsa.exe
PID 1316 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\stnXumI.exe
PID 1316 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JyzeMlv.exe
PID 1316 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PcjdWZb.exe
PID 1316 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mANJUoA.exe
PID 1316 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SrZXdEF.exe
PID 1316 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sMoeIYJ.exe
PID 1316 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kzJmFBp.exe
PID 1316 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PhthMmy.exe
PID 1316 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dkBoNoO.exe
PID 1316 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wfGIFjn.exe
PID 1316 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DQawMLa.exe
PID 1316 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JbWwINU.exe
PID 1316 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gspsYwc.exe
PID 1316 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SestRjd.exe
PID 1316 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wecqzFc.exe
PID 1316 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fypniOZ.exe
PID 1316 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eYrAkYz.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\CupArAq.exe

C:\Windows\System\IiswCcs.exe

C:\Windows\System\lTuUesp.exe

C:\Windows\System\vPczCsa.exe

C:\Windows\System\stnXumI.exe

C:\Windows\System\JyzeMlv.exe

C:\Windows\System\PcjdWZb.exe

C:\Windows\System\mANJUoA.exe

C:\Windows\System\SrZXdEF.exe

C:\Windows\System\sMoeIYJ.exe

C:\Windows\System\kzJmFBp.exe

C:\Windows\System\PhthMmy.exe

C:\Windows\System\dkBoNoO.exe

C:\Windows\System\wfGIFjn.exe

C:\Windows\System\DQawMLa.exe

C:\Windows\System\JbWwINU.exe

C:\Windows\System\gspsYwc.exe

C:\Windows\System\SestRjd.exe

C:\Windows\System\wecqzFc.exe

C:\Windows\System\fypniOZ.exe

C:\Windows\System\eYrAkYz.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

\Windows\system\CupArAq.exe

MD5 e4d34b1eac24f6abd437eb2bf47a0040
SHA1 c9e266980412148f1dfc89b8e7bdfffb078fbeca
SHA256 497ce566297b5ec16573dd4609739ecc7f4a5f17575becd9d544f7bd1af0ed98
SHA512 2f7389259231a6e3766b4cac9b5dce7ab052144108f7b00793b3517bac9732ab01f13127056ca699f9170098e402f36d27eb8ddcbfa87a7f423d991d97c702b8

C:\Windows\system\IiswCcs.exe

MD5 7e4bea86398f8e1af5d2344ce241e108
SHA1 f2779bf7812a9e3f23b59332da65da392a58ac8b
SHA256 5f4d337ff7a2b9804614ce17cdd32880e08aa2eff13b0f12dbf32693cd64ff34
SHA512 36c8622dd842eb5fcd42dc3dc035baca5f69081a42e14e505676c17cab93a7a9524b0384d437b0ad438c1c6312a4f21ebf90fc5167a42af187753db5cf215050

C:\Windows\system\lTuUesp.exe

MD5 bc6cadb18c39ff32d1e7e458dac279fa
SHA1 8ac26e36a66ae183ac88e91c33c6463364f4e6b5
SHA256 c3da0cb6aac83c83afe971ab273eecf94d78dda41b575b7c83012409ec9a25ea
SHA512 22f0464d4d983d033c78b34b689c7c06a924dcca55b12782f2ee60f07c51fffd374fa8266872f649d3ba51a4855e522e1e4d6c3963bf194306cc0dd40f4e3e73

C:\Windows\system\vPczCsa.exe

MD5 54a1f2ab20c3d434791c9da3302e3600
SHA1 f898094de0c2176ba4663c35e1bd3439953c8cfc
SHA256 7c3c35a38affc5ead467ab84c8035449f3701de7a07205bbd9eab27454a44343
SHA512 a2bc05b0553566f60d042437b7e9c17f108cfa7360718a506e91ddddf1552d095a9ef846ecbafbb39a543c38824168d63156520d0d17cd692df6162c6badd31b

C:\Windows\system\JyzeMlv.exe

MD5 4169e378ae809604eb73bfd10d9bb33a
SHA1 20b92c6cc923a715cef84c415fd7b9bdf9cc11d4
SHA256 fe550399fc13ece380241c5ba03a596e01752d32a9b128e7d65c50d780095fcc
SHA512 16e9d8f03d848b5795cd50eaf69a17bd66af784f9c8b85c60090341455adf8d45003fde13c497f49b6c738f7f2c0dcdc11468aa275c1acd57cb415e5b69e23cf

C:\Windows\system\stnXumI.exe

MD5 544ee3e4d1abadf995f3f72e61ab966a
SHA1 a21b27552f5d3f1c2f468dbbb6e984a1a9e1d12d
SHA256 97be945dc7d9f3cc64b6f989b46f4fd00d93e3635ca13b5dfff206d5207615ec
SHA512 9b4d07727c0075f9cfe4477987151f6763a1534a080670259d2e414e3f2be3c7f877e96d7fb33cb481c062b7c5e1e1c8a849661b118dfe5a75b803ad9123ca0b

C:\Windows\system\PcjdWZb.exe

MD5 af5f99fbe4007c7c703205e60fbc9c89
SHA1 b6f9d701c77d60c74049817bb198b39fd0cc55f5
SHA256 a819debd71fcd71aeca06d379dbd0d3bc1c8a20e1c18d57f6bba3fc760efaffc
SHA512 45371004dda16fb390d4b4874600ca44063978295dee3bc0d9b64dc153afa972308c9a986e8dc6273185d6bca25da2430db1b62291ddfd601fffbcca950d8aa2

C:\Windows\system\SrZXdEF.exe

MD5 2b89302075a557901d005bdf12628809
SHA1 3fa4a03ebd0deec64927f0bcf5bec62703b209c5
SHA256 1f36ab8f5aa4702a139ed5e0fecf2ff64f865de7562fd83be130e1f4b5a97772
SHA512 e3e85d43f621c2c03974e7fb80065dec9d41ec0ea9be9c8e75e369531beebd8f5c0a6e93ac0ed6749b4635d34488e66802eced7cf19ce707b232d9bf20acff02

\Windows\system\sMoeIYJ.exe

MD5 e226fb4299faf404e0d8de00147db77b
SHA1 de60f0d54a4d8cc26b5e5ca6ea437a2d26f82c87
SHA256 5a877ac55d6a1b57a4dbb5f225e88935640484e5caf9b478482f200ff1c39c5f
SHA512 0edfc984e778116bafefb7da5908cddf6330795b291e835b245432be1317955bc85facd0b8b1d8c20fbcbbcbfdb1982d01f96f3c1f01148c657452d1b9c25374

C:\Windows\system\mANJUoA.exe

MD5 af66bc4b65d0f7eb9896eeb8a1e1b27f
SHA1 cabf37fc0c0f5b5ad52b8640952ac5e71bf93ddf
SHA256 123ee2098e1d00e2a41446f4bebbf22f6f8157a12e5fc426bdc30d08a03d1fff
SHA512 a594142fd7179111d79178a0ca2537c76dca71733fcb55604a26bf2abe008d1e632e696c4cf84961209b582c65e8ef14cf37f28dd43394cf310e03406ab0a88f

C:\Windows\system\PhthMmy.exe

MD5 71af8917fa96351c90e0195278185e6e
SHA1 b341e1fd11117456994a15c71c3f9b9aa626b75a
SHA256 8fa295b4defe2fa36739726cbf9d68358b719818eb708f76a90ea2e207441228
SHA512 f86274face99e616ba6b53bb5337cb5bb00f958ccd2b65eb35d302e15abecb1b0960043008e1dcf5cef9498c6267d244b2bc5bbef39b314c017bdab8bac0a49a

C:\Windows\system\wfGIFjn.exe

MD5 61fe24790d9d6736ec8adfa4727667d1
SHA1 75a406c0ecc70e6d10315dfa3aeeb51ad146fd93
SHA256 8bc87ded84701f763d45e615d6f928f8f3ec2d215de612ce1affc077d02a70b2
SHA512 919bec8e60554c75accf9acc588cc872aa556f61bd8bb86829f4affcc85c3133a129ec1aa9b51e449d0cd4459bc95eed1ea0e07c16ea582eb861ecd767b9e0cb

C:\Windows\system\SestRjd.exe

MD5 bf60d78603cf22aeac1a600c32ff9f11
SHA1 fc4208625ce67f65a01315e8a4f0606ed574be52
SHA256 fc4aeb17e1f437d3909f6f4f1d01332102394d9534b4cd64326c7ecf99f07295
SHA512 e62e70f8043b75bd774d27419f1e38333f05714e02661dd9d9377b009c6ea75271bf852ce4d9855317f4a515598766b896190ddce83895b8ae770ef4bd2a814e

\Windows\system\eYrAkYz.exe

MD5 1c514e7ed10b51b92b6563c604a81d32
SHA1 5132182ac0f7de5727995574001a83720e4d6553
SHA256 6aca55bf845220ebdd72dbf3d083e0242df591e3edd2a7511bc3970fcdde4d13
SHA512 e2c50d953e0c60fbe4b6f5b522f95d643d08aa6619b7e64c82c37e47e023b78731b5f9cee46b5f2a8fc31ff568602709d3fc21dc1b2c16a060d557abce038d82

C:\Windows\system\fypniOZ.exe

MD5 d12eb47a1a6eb4f0772cc2308c4c7b70
SHA1 c339f9da15af84c84853080e9da050d1318480b8
SHA256 0bdd67d23e5fe389e4fc9d4aed63294264ad2b606cd988e34b8ea4f8a9fb3c20
SHA512 da2e17873b0b1eb587aa2cc9f1986a21a0925ba73d3270e86be933d4845db30cd4fb55c44302179e6bd113b16787940c259283b9373129d9fce2514e7d6c6806

C:\Windows\system\wecqzFc.exe

MD5 0a39f99983df4b5ee6dd0004c39f6fe3
SHA1 5956124c5ce48dddd3acf098750e33b32640e428
SHA256 7374e3919154c5052b5070d4472ddff2f247245d6e32ff326ccc7ae91372eb35
SHA512 8fe657208c3e6c19c4018ab723fd199987266f97ac06474c7866c1f7ca9dc3ab41b56ad4353b2b18d6a2c790c6390ae41087a6c9349b426cda0a73bd04ba36a4

C:\Windows\system\gspsYwc.exe

MD5 271790b834c249e67a807abd240ccf45
SHA1 4aa95faa0d576e6608684b745e2096b463bbd614
SHA256 c26c5390dbf4cc5040ba7ee514f0ab9fcb07a418ac4172048b2b1b45845e2475
SHA512 152a2468fef78a8c6d42ab30a240de1b86be721654c2084ee21a738b45fee8523e1a6f0258d5a1b2ce7e6061af5904bbecb62b5873dd90eea6747c7408c20bbd

C:\Windows\system\JbWwINU.exe

MD5 247ea2be0ec1c3f98090de212a858c00
SHA1 8c47ac35bb855ba79706f0cdee9f115e18423970
SHA256 0e955b10187924ba3ce541123f197ddedc7bcd1b7036898ac485d72801bbbd77
SHA512 74453e4fa582a033217407352395424551c86926c4568b91875da391a15f4669cc8e782b6b3a07c58a0b4ad0cee184d5b88581d4cad51c0bd70612f93415fba6

C:\Windows\system\DQawMLa.exe

MD5 90c8bd0a138c253746c6fa9337bdc884
SHA1 3489157b2cc8642c58985b07ba1c9f40b4b7f635
SHA256 8bf4c531e74cd70abe1bae52e5c237f5bffbea117de20fc52be7c6295ca95ab8
SHA512 737afa3f63ad852bf9cb69bbb47b835aaae8303da0210649b27497479a31028736beb04e37b405545dc4d4cd8d9974e7e8e81252af898a52ce1a27c5b5efd6f3

C:\Windows\system\dkBoNoO.exe

MD5 7dbaff32ca609343234cce67a5c8c80c
SHA1 b9c15a0bf33fd7c5bac69dd58c1e21579b8ccf8c
SHA256 9a412f29f8a1ecfbadf9062c8624f876a0180dc426ff5ca859650acb11e8c59b
SHA512 2a1fc0bf8665f700458591e83514b750c16c544f9b22b2fe923120c18c1ec9466ddc4518951121b9f9c3e68c9a290173474807e5d0ed23c4cf94d03c449e6fde

memory/1316-76-0x0000000002220000-0x0000000002571000-memory.dmp

memory/1316-83-0x000000013F980000-0x000000013FCD1000-memory.dmp

C:\Windows\system\kzJmFBp.exe

MD5 43301a0e56127ceae73a43c69d03df5b
SHA1 0dad59836c92254b1eb7e9caa4773872e7e1d2bd
SHA256 ac101b00ac5bb08b8e1e6fa910f9948f07194e5bcc4aeafad639ba5cb8402ebb
SHA512 c70f82f376c8260fb4b1261a5b2d7c04aa3493a3eff5ff313eee9527e5c265a8ca4b58a8f2c6572b678f972305689e267bde6d4483893ee973966f0efefdba98

memory/1316-139-0x000000013F5D0000-0x000000013F921000-memory.dmp

memory/2668-143-0x000000013F130000-0x000000013F481000-memory.dmp

memory/2740-142-0x000000013FA00000-0x000000013FD51000-memory.dmp

memory/2548-152-0x000000013F5B0000-0x000000013F901000-memory.dmp

memory/808-153-0x000000013FD40000-0x0000000140091000-memory.dmp

memory/2668-150-0x000000013F130000-0x000000013F481000-memory.dmp

memory/3012-156-0x000000013FD80000-0x00000001400D1000-memory.dmp

memory/2192-162-0x000000013F650000-0x000000013F9A1000-memory.dmp

memory/2344-161-0x000000013FC40000-0x000000013FF91000-memory.dmp

memory/3064-160-0x000000013F240000-0x000000013F591000-memory.dmp

memory/2924-159-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

memory/2912-157-0x000000013F3E0000-0x000000013F731000-memory.dmp

memory/2936-158-0x000000013F0B0000-0x000000013F401000-memory.dmp

memory/1748-155-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

memory/316-154-0x000000013F8B0000-0x000000013FC01000-memory.dmp

memory/1316-163-0x0000000002220000-0x0000000002571000-memory.dmp

memory/1316-164-0x000000013F5D0000-0x000000013F921000-memory.dmp

memory/1316-166-0x000000013FD40000-0x0000000140091000-memory.dmp

memory/1316-187-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

memory/1316-188-0x000000013FD80000-0x00000001400D1000-memory.dmp

memory/1292-214-0x000000013F710000-0x000000013FA61000-memory.dmp

memory/1500-213-0x000000013F070000-0x000000013F3C1000-memory.dmp

memory/2804-221-0x000000013F980000-0x000000013FCD1000-memory.dmp

memory/2800-223-0x000000013FB10000-0x000000013FE61000-memory.dmp

memory/2908-225-0x000000013FBB0000-0x000000013FF01000-memory.dmp

memory/2628-227-0x000000013F650000-0x000000013F9A1000-memory.dmp

memory/2896-229-0x000000013FE20000-0x0000000140171000-memory.dmp

memory/2740-231-0x000000013FA00000-0x000000013FD51000-memory.dmp

memory/2652-235-0x000000013FFB0000-0x0000000140301000-memory.dmp

memory/2548-248-0x000000013F5B0000-0x000000013F901000-memory.dmp

memory/808-250-0x000000013FD40000-0x0000000140091000-memory.dmp

memory/316-252-0x000000013F8B0000-0x000000013FC01000-memory.dmp

memory/1748-254-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

memory/2668-263-0x000000013F130000-0x000000013F481000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 21:20

Reported

2024-08-14 21:23

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 matches; Description, Indicator, Process and Target are reported as N/A for every one of them)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(46 matches; Description, Indicator, Process and Target are reported as N/A for every one of them)

UPX packed file

upx
Description Indicator Process Target
(64 matches; Description, Indicator, Process and Target are reported as N/A for every one of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ULdznCs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NPyFZyV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EnFnRcm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZsMnLOK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CoCuPRC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xsvjtSP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZNYNOPl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PIpYAUh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SGKBQxP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uqXRXLe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iRrXsjQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GeRfKai.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dRmwEMh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MPdSaTH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HTpLswk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dXGJXTL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IckSQUC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UcZnKeH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jtRAhuA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XbWtZIj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iEUDqYt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1524 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GeRfKai.exe
PID 1524 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GeRfKai.exe
PID 1524 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dRmwEMh.exe
PID 1524 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dRmwEMh.exe
PID 1524 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ULdznCs.exe
PID 1524 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ULdznCs.exe
PID 1524 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dXGJXTL.exe
PID 1524 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dXGJXTL.exe
PID 1524 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IckSQUC.exe
PID 1524 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IckSQUC.exe
PID 1524 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MPdSaTH.exe
PID 1524 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MPdSaTH.exe
PID 1524 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZNYNOPl.exe
PID 1524 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZNYNOPl.exe
PID 1524 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NPyFZyV.exe
PID 1524 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NPyFZyV.exe
PID 1524 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UcZnKeH.exe
PID 1524 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UcZnKeH.exe
PID 1524 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EnFnRcm.exe
PID 1524 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EnFnRcm.exe
PID 1524 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HTpLswk.exe
PID 1524 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HTpLswk.exe
PID 1524 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PIpYAUh.exe
PID 1524 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PIpYAUh.exe
PID 1524 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jtRAhuA.exe
PID 1524 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jtRAhuA.exe
PID 1524 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZsMnLOK.exe
PID 1524 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZsMnLOK.exe
PID 1524 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CoCuPRC.exe
PID 1524 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CoCuPRC.exe
PID 1524 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SGKBQxP.exe
PID 1524 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SGKBQxP.exe
PID 1524 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xsvjtSP.exe
PID 1524 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xsvjtSP.exe
PID 1524 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XbWtZIj.exe
PID 1524 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XbWtZIj.exe
PID 1524 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iEUDqYt.exe
PID 1524 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iEUDqYt.exe
PID 1524 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uqXRXLe.exe
PID 1524 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uqXRXLe.exe
PID 1524 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iRrXsjQ.exe
PID 1524 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iRrXsjQ.exe
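The two tables above describe one pattern: the sample running from the user's Temp directory writes 21 executables with seven-letter mixed-case names into C:\Windows\System\ (the legacy directory, not System32, which legitimate software almost never writes to) and then spawns each one. The following is an added detection example, not part of the sandbox report: it correlates Sysmon-style FileCreate (EventID 11) and ProcessCreate (EventID 1) events and raises one alert per dropper that both wrote a PE into that directory and executed it. The event dicts are hand-constructed from the rows above (three of the 21 drops plus two benign decoys); the field names follow Sysmon's but the events are not real telemetry.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (EventID 11 = FileCreate, EventID 1 = ProcessCreate),
# modelled on the "Drops file in Windows directory" and "WriteProcessMemory" tables
# above. These are hand-written sample input, not the sandbox's own output.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292"
           r"_cobalt-strike_cobaltstrike_poet-rat.exe")

EVENTS = [
    {"EventID": 11, "ProcessId": 1524, "Image": DROPPER,
     "TargetFilename": r"C:\Windows\System\GeRfKai.exe"},
    {"EventID": 11, "ProcessId": 1524, "Image": DROPPER,
     "TargetFilename": r"C:\Windows\System\dRmwEMh.exe"},
    {"EventID": 11, "ProcessId": 1524, "Image": DROPPER,
     "TargetFilename": r"C:\Windows\System\ULdznCs.exe"},
    {"EventID": 1, "ProcessId": 3580, "ParentProcessId": 1524,
     "Image": r"C:\Windows\System\GeRfKai.exe", "ParentImage": DROPPER},
    {"EventID": 1, "ProcessId": 3616, "ParentProcessId": 1524,
     "Image": r"C:\Windows\System\dRmwEMh.exe", "ParentImage": DROPPER},
    # Benign decoys: an installer dropping into Program Files, and a system
    # process writing under System32 (a different directory from \Windows\System\).
    {"EventID": 11, "ProcessId": 900, "Image": r"C:\Users\Admin\AppData\Local\Temp\setup.exe",
     "TargetFilename": r"C:\Program Files\Vendor\app.exe"},
    {"EventID": 11, "ProcessId": 4, "Image": "System",
     "TargetFilename": r"C:\Windows\System32\LogFiles\WMI\trace.log"},
]

# A PE landing directly in C:\Windows\System\ is the anchor of the rule;
# the Temp-directory parent and the later execution raise confidence.
IN_WINDOWS_SYSTEM = re.compile(r"^c:\\windows\\system\\[^\\]+\.exe$", re.IGNORECASE)
FROM_TEMP = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
# The names on this page (GeRfKai, dRmwEMh, ULdznCs, ...) are seven mixed-case letters.
RANDOM_NAME = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{7}\.exe$")


def detect_drop_and_execute(events):
    """Correlate FileCreate and ProcessCreate events.

    Returns one alert per (pid, image) that wrote an .exe into
    C:\\Windows\\System\\ and later spawned at least one of those files.
    """
    dropped = defaultdict(dict)    # (pid, image) -> {lower-cased path: path as written}
    executed = defaultdict(set)    # (pid, image) -> dropped paths that were then run
    for e in events:
        if e["EventID"] == 11:
            target = e["TargetFilename"]
            if IN_WINDOWS_SYSTEM.match(target) and FROM_TEMP.search(e["Image"]):
                dropped[(e["ProcessId"], e["Image"])][target.lower()] = target
        elif e["EventID"] == 1:
            key = (e["ParentProcessId"], e["ParentImage"])
            if e["Image"].lower() in dropped.get(key, {}):
                executed[key].add(e["Image"].lower())

    alerts = []
    for key, paths in executed.items():
        names = [p.rsplit("\\", 1)[-1] for p in dropped[key].values()]
        alerts.append({
            "pid": key[0],
            "dropper": key[1],
            "dropped": len(dropped[key]),
            "executed": sorted(paths),
            # how many of the dropped names look machine-generated
            "random_named": sum(1 for n in names if RANDOM_NAME.match(n)),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_drop_and_execute(EVENTS):
        print(f"pid {alert['pid']} dropped {alert['dropped']} file(s) into C:\\Windows\\System\\,"
              f" executed {len(alert['executed'])}, {alert['random_named']} random-looking names")
```

The FileCreate match alone would already be worth an alert on a production host; requiring the follow-on ProcessCreate from the same parent keeps the rule quiet on the rare installer that touches that directory, and the name heuristic is reported rather than required, since a later build can trivially change the naming scheme.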

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\GeRfKai.exe

C:\Windows\System\GeRfKai.exe

C:\Windows\System\dRmwEMh.exe

C:\Windows\System\dRmwEMh.exe

C:\Windows\System\ULdznCs.exe

C:\Windows\System\ULdznCs.exe

C:\Windows\System\dXGJXTL.exe

C:\Windows\System\dXGJXTL.exe

C:\Windows\System\IckSQUC.exe

C:\Windows\System\IckSQUC.exe

C:\Windows\System\MPdSaTH.exe

C:\Windows\System\MPdSaTH.exe

C:\Windows\System\ZNYNOPl.exe

C:\Windows\System\ZNYNOPl.exe

C:\Windows\System\NPyFZyV.exe

C:\Windows\System\NPyFZyV.exe

C:\Windows\System\UcZnKeH.exe

C:\Windows\System\UcZnKeH.exe

C:\Windows\System\EnFnRcm.exe

C:\Windows\System\EnFnRcm.exe

C:\Windows\System\HTpLswk.exe

C:\Windows\System\HTpLswk.exe

C:\Windows\System\PIpYAUh.exe

C:\Windows\System\PIpYAUh.exe

C:\Windows\System\jtRAhuA.exe

C:\Windows\System\jtRAhuA.exe

C:\Windows\System\ZsMnLOK.exe

C:\Windows\System\ZsMnLOK.exe

C:\Windows\System\CoCuPRC.exe

C:\Windows\System\CoCuPRC.exe

C:\Windows\System\SGKBQxP.exe

C:\Windows\System\SGKBQxP.exe

C:\Windows\System\xsvjtSP.exe

C:\Windows\System\xsvjtSP.exe

C:\Windows\System\XbWtZIj.exe

C:\Windows\System\XbWtZIj.exe

C:\Windows\System\iEUDqYt.exe

C:\Windows\System\iEUDqYt.exe

C:\Windows\System\uqXRXLe.exe

C:\Windows\System\uqXRXLe.exe

C:\Windows\System\iRrXsjQ.exe

C:\Windows\System\iRrXsjQ.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
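Most of this table is Windows 10 background traffic: reverse (in-addr.arpa) lookups of Microsoft-range addresses and TLS sessions to bing.com hosts that were resolved by name first. The one endpoint that stands out is 3.120.209.58:8080, a German-geolocated address hit six times over TCP with no DNS query for any name that resolves to it. The report itself does not confirm what the connection carries, so it is a candidate for the Cobalt Strike beacon the tags describe, not a proven one. The script below is an added triage example (not part of the report) that parses rows in this table's format, separates DNS noise from name-backed connections, and ranks bare IP connections by hit count. The row text is a constructed subset of the table, written in both the original form and the form with a "-" in the Domain column.

```python
import re
from collections import Counter

# Rows in the format of the Network table above: a constructed subset so the
# script runs offline. It is not a live capture and not the sandbox's own output.
NETWORK_ROWS = """
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 - tcp
"""

# "Country Destination Domain Proto"; Domain is absent (or "-") on bare connections.
ROW = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            d["domain"] = None if d["domain"] in (None, "-") else d["domain"]
            rows.append(d)
    return rows


def ptr_to_ip(name):
    """'217.106.137.52.in-addr.arpa' -> '52.137.106.217' (reverse label order)."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def triage(rows):
    """Separate DNS noise from connections and surface TCP endpoints that were
    contacted without any name having been resolved for them."""
    dns = [r for r in rows if r["proto"] == "udp" and r["port"] == 53 and r["domain"]]
    ptr_targets = {ptr_to_ip(r["domain"]) for r in dns if r["domain"].endswith(".in-addr.arpa")}
    forward = sorted({r["domain"] for r in dns if not r["domain"].endswith(".in-addr.arpa")})

    named, bare = Counter(), Counter()
    for r in rows:
        if r["proto"] != "tcp":
            continue
        if r["domain"]:
            named[(r["ip"], r["port"], r["domain"])] += 1
        else:
            bare[(r["cc"], r["ip"], r["port"])] += 1

    # Bare endpoints ranked by hit count. Whether the OS reverse-resolved the
    # address is reported as context: the sandbox's PTR queries in this report
    # are all for other (Microsoft-range) addresses, never for the bare one.
    candidates = [
        {"cc": cc, "ip": ip, "port": port, "hits": n, "reverse_looked_up": ip in ptr_targets}
        for (cc, ip, port), n in bare.most_common()
    ]
    return {
        "ptr_targets": ptr_targets,
        "forward_lookups": forward,
        "named_connections": dict(named),
        "candidates": candidates,
    }


if __name__ == "__main__":
    result = triage(parse_rows(NETWORK_ROWS))
    for c in result["candidates"]:
        print(f"candidate C2: {c['ip']}:{c['port']} ({c['cc']}), "
              f"{c['hits']} connections, no forward DNS")
```

Before blocking or pivoting on a candidate from a sandbox run, check it against the submission date: the report is from 2024-08-14, and a cloud-hosted address on a non-standard port is exactly the kind of infrastructure that is rotated within weeks.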

Files

memory/1524-0-0x00007FF6AF950000-0x00007FF6AFCA1000-memory.dmp

memory/1524-1-0x0000020A8DF80000-0x0000020A8DF90000-memory.dmp

C:\Windows\System\GeRfKai.exe

MD5 c7f3586d6af7e4010a67ee03d67045e4
SHA1 ed1109a303d5b9194117d6e16c8ac3d27c4fa630
SHA256 1be8404d91340715ee49c7a6ef4ef25599f25ee4ef0376aab40c6b2882012869
SHA512 129e750b47a00d48ec175b0630483a14f93031524585b2d65bb3153aa038b723c7c1645075cb199233b21075d7e2d04d96a3893515ad8710a4646884ca211474

C:\Windows\System\dRmwEMh.exe

MD5 92221ac15b3856556a5ef80cce30c606
SHA1 046fb53a3b3b01ccb12652936c46eaf35d6417fb
SHA256 ee65784aabee2752aafb64b2ad6e7d372d94669688a7d37815416ce8f9dccde6
SHA512 f6105f2b31737f058ddb9060343fad703b4b2e0463ca4a95029d82384ae3a9ae5eb5f3f83fe2dc4660fe98c5ca3ea1e1869959b74ceecfbcc2c2c04de6911438

C:\Windows\System\ULdznCs.exe

MD5 e9ddbd3b173f16495104b4dead9064b5
SHA1 281c42728c49014b8dcd8abb18a7c61594cbbbb3
SHA256 fcf16246175303d56b957ccc2105ddb20475d84d2859e3aea11118120c4ca367
SHA512 cddb356908d5f5ceca08ea8f599d44edaf0ca4288f298c13272743c07138927936b97f2140b306ef00d47a9afa698f2fe2c78d49fbc423b8a8451ac3268b4ccf

memory/4308-18-0x00007FF7636A0000-0x00007FF7639F1000-memory.dmp

memory/3616-14-0x00007FF6DD2F0000-0x00007FF6DD641000-memory.dmp

memory/3580-10-0x00007FF7E1770000-0x00007FF7E1AC1000-memory.dmp

C:\Windows\System\dXGJXTL.exe

MD5 450d4a99720c66784dbf3b6fd2424e81
SHA1 f9c82a6c1c83483cf6da8b4a260c4db7afa91d77
SHA256 267f4f5abbca18536fcee49a184fc41f691ba39fe4d62e53f1d6840174bee7a4
SHA512 beef506e0bd7271645873d7481d62f2d86fe3cfd1c5961d98b1bb42cc51dd322c27c652eb05576c819430077a22cfc6b41d223d2f0008dd40bacb2b4cdf5c561

memory/700-26-0x00007FF610B30000-0x00007FF610E81000-memory.dmp

C:\Windows\System\IckSQUC.exe

MD5 1367a15755d6e43918e70e0f4c15ef4f
SHA1 d65c792fef1fd812da760846c503ed32715fc533
SHA256 6761d4c2e10b3e3d8196c98fd2da09e9d0bec10a97e7ec6542a7e54fdb5fe24e
SHA512 d3bc8d8f4f07c1a0dc9ef3c6df2dddd7a60a52f345884d329a53bb860cd9caf43abb5189183be6214c4710de1767b4f95a131abb89a5474a2ede04e34fc52537

C:\Windows\System\MPdSaTH.exe

MD5 f151da0a97a451943d718269520e440b
SHA1 cf07d53f953d01d106fc8f6ec6c2322db9a200ff
SHA256 1fb40df585d9ce8721c87b8d50fdc95b89061a6d092890b5616961779c47cfbd
SHA512 b9c322c4b75230d860fc07185206ed86b29d5365e9f85a7ceba1d494c84d721c864d24ac6c6493f24b26b273575c30af38a977d6f22ba6e90bc52574418dcba0

memory/2616-36-0x00007FF6C0C30000-0x00007FF6C0F81000-memory.dmp

C:\Windows\System\ZNYNOPl.exe

MD5 f4841cf6dd2a6f658d2bc322dcdc8f20
SHA1 4b5b884b46e1a58644a1473abc8643615531efef
SHA256 9cd2bafb1f3f305f8b8acd57ea36eba006e052169b812c73c5cdae4e0f5a6ac5
SHA512 c046e3418c0300108b55a031840f50cb648dde7c8ea5c57165d0c8c28da61bfafda69b0f1fc1d3ba66152e9bf69bfd9cb0555fd27178d341616589e1461b5e5f

C:\Windows\System\UcZnKeH.exe

MD5 89ae92b19aff807545131ae2b9a2b9b0
SHA1 0cfc4667d8df3b99edddb0e230ff20706f26e7f1
SHA256 10bc8f4f54cacdd85891faa47f34d2a2ad216500a9ff0f6227f73960ff451491
SHA512 e21cf774d3288a392c47f8074a608939869159cb70442c1e9ebeabbd3fa3ab6c8bf37c411a12b1acf7e60b9f01629bd197259ebb40152cd280abad963176e36f

memory/3660-62-0x00007FF7D59E0000-0x00007FF7D5D31000-memory.dmp

C:\Windows\System\EnFnRcm.exe

MD5 ceca01e106325a83d2d73bb25c1e9a93
SHA1 57937f85d1f1bccf3496dd8255bd3f1a5d2a6ba0
SHA256 83773df13be2758e9e870995a1e4e56af00a696ac26fce20ab0ba552e32bdd6f
SHA512 0d75a241b3a98d45de24bb90f2d9508c4ae7fad58f0664d4fe512323c4a8071e7880dd8fad17ef037f01f4e4c2c1fc5abddd220dff43c0a6df53db6dd5822d74

C:\Windows\System\jtRAhuA.exe

MD5 d58329924b9171598f35b175c7b0033e
SHA1 dcb108e24d3edd24b61c9ffd352a9c65f659be91
SHA256 abf4a20ec89fcea698310697a061d77e0344cf6e95be7e98bc383998f1b13c8e
SHA512 cf9a2b0c73e7d81c0d8cbefbfe09561b5e9c818b0a8fc5523867ecc7f0f17e6de0c73ccff585bc82ee87f294055d5d8f8801222966fbe280e3ced2451b950aba

C:\Windows\System\SGKBQxP.exe

MD5 9e8eb90900835727255c7756c991e64f
SHA1 857f69d37889ff6e6ed84bf5a186eff4c5238b0f
SHA256 e29bef41c6ab98fa9de5d9516b0387b42eaf753bc7ef2d873cc56503a9618c71
SHA512 e69295361df45bb443d708339e7d802f0db72758c907f89162cb632721d9da529e839e5194bb2e76025b9868a3e8850752de80643d279ccf718df73a7128a81d

C:\Windows\System\iEUDqYt.exe

MD5 c33ae0c0e4325b8596d5a3d96691576c
SHA1 3822512ee13291439fa1a8536170a5a3f7b46223
SHA256 949025fd45edfcfa8dcae819a3947b313ec179e9f0c89e93b30832a825a3115b
SHA512 4aac0743c7b2070152bdabb96e774279dfb8de0bc11d4f77670021f09d321f0b6c3486142685952699b78780968517a84dd6d03a0299c30000fdfc72efe47e77

C:\Windows\System\uqXRXLe.exe

MD5 24a19a10b69d9b2f3c58860899c1e2d8
SHA1 3c48a06c905c4d9a6174bab6abc0ecfb164b2084
SHA256 25089ac22fbf365000a2176b497eedac8d1da1c46988f8d4852bb152df9aa92e
SHA512 7db53982e6b5ea37f50c725ed921fe2ffe2ce7ba35466dd02a26661e507dd73b1f88ce3840564b7f245716fdc66230c4043dd7fb6bd05c530ca4ae55a787e83f

C:\Windows\System\iRrXsjQ.exe

MD5 c60e8ba3eda2f03152232f8837daca19
SHA1 4681a53e91c80438535bb3302d03b9d647edc36f
SHA256 d385387f3a1aadb639faa1bed64e73b0d5f72fd21d8b77afaf57526a09f9063f
SHA512 fad59278480fa09819d682140ad82492435f2f4c096eb907c6807cd377aa716ae8dee9a21adb18bf94489e7dd12cabec73d43f3d39cb898c12e01412fc4b53db

C:\Windows\System\XbWtZIj.exe

MD5 06a5e241366585e6e393169111844e7c
SHA1 d57a4edec53fed441342bb33d2d741fd81b36294
SHA256 1735d453f7276d1cc08e2a1c77c88663c3d009f070161d94054f1c1cd2aa8a8c
SHA512 569a6a2e817d84d07ae385c081ae76e91ebc0d6cd3ea868cfaa46cf3b3898bb03a115b096dbfdba82477d707d5add3a0726d363f1fd41a06d525e1261d169e39

C:\Windows\System\xsvjtSP.exe

MD5 2eb2bb366f80e68410d1b1ef8eb1ddbe
SHA1 891f3fd2fe0cd24bcc8200d6f55d78491e66e362
SHA256 6233fcbf7eb3434492b43639df9be3b3bea305b356ca9a63c69a3de57451a1a3
SHA512 08864067d282d71e8ef2acd83be8ef77688486298a0269141e59dc3f539a485d500b3c1b22e5cdb1fb77ec93e704db1522041afcb99169dbdff9d03a6dbd58ce

C:\Windows\System\CoCuPRC.exe

MD5 952142da55992aa04ed8f832f997562b
SHA1 94832f3545ef4bf9005fe99d19d35dcde0c52f94
SHA256 3bb98dde345c262ddcaf30f72279629a3018dd15d6a385066106d6225b22ca85
SHA512 c313d237cf6408aad8bb80333171d628637a1301bb0a5489dabcd9e256d2fb58a919f2410df927f7c817148a975d2bc107d8c6b74f61ba30e5d8f9db62594714

C:\Windows\System\ZsMnLOK.exe

MD5 695544269052ed22acf0ee9fccaf3d0f
SHA1 288397003cdfde7975117f5f55e4c53521a7458c
SHA256 ed72af5d6c6674e42f8e9e8c986814a5e468b5b7cf77321f497affc8c48a9243
SHA512 0c169282b1049aa70d7fa8a67cc217efd9ff4b1fbcccbde048b828e27afbbad2a2530138a2e8eefa7364ee6309b36ba5c73e1d08a0db27748110999acfd7f26d

C:\Windows\System\PIpYAUh.exe

MD5 eec773a7465593c4a06b1ba0104584f2
SHA1 91b92361f296ea70eb6a8db1b5f67548ca829d86
SHA256 f299fb16a0869fd6158fc1e5b28920dc997f0c3e0b8af03d80d66a9f4a8f06fa
SHA512 eb7d53ab260fff26a837dcfd016bd65284c6238cfcfd131c8fa6c5918f7eee85d8d0a9b6ab1c86a19739ff460e04f4aa974a880ee30c53966fba683449eaf37a

C:\Windows\System\HTpLswk.exe

MD5 999c596113074ae064169392f2a637a5
SHA1 137e38d28ee22f50ece5cf71bea9f06bd7365279
SHA256 6b70417c3bd520c9403d5e172f6d4ce8031700cd0eb527411112deee62e7e188
SHA512 1558c4d02e21e4f7645faa20c6eb684aea627ba570ab6b452ac0d3b017715730d26d5492be0eca2367516bca76a1a658801b3c9a5d85991acf1b369462f206b3

memory/1964-64-0x00007FF69C630000-0x00007FF69C981000-memory.dmp

memory/2596-63-0x00007FF7C97C0000-0x00007FF7C9B11000-memory.dmp

memory/5036-59-0x00007FF68AD20000-0x00007FF68B071000-memory.dmp

C:\Windows\System\NPyFZyV.exe

MD5 47c46c269809f095bd24ed8d245f562c
SHA1 76cda4e171ee6e5e18f3ef96374d7026d0410c2c
SHA256 3d319822201bbaaa4ae26487eb33fd634c001e9e7d2328e9e3c9ce3815b010ce
SHA512 02383278be66f6b362da8242837c431c012d77a716718392b5b8b00a04270838741ff32d85a74044a51d9c6c24b7e47d533cb2db6ac3a7b1bdc75f5919882b8a

memory/212-48-0x00007FF63EBF0000-0x00007FF63EF41000-memory.dmp

memory/940-32-0x00007FF6B5780000-0x00007FF6B5AD1000-memory.dmp

memory/1524-118-0x00007FF6AF950000-0x00007FF6AFCA1000-memory.dmp

memory/552-119-0x00007FF6EC160000-0x00007FF6EC4B1000-memory.dmp

memory/2520-121-0x00007FF734660000-0x00007FF7349B1000-memory.dmp

memory/1544-123-0x00007FF7232A0000-0x00007FF7235F1000-memory.dmp

memory/1668-125-0x00007FF75CC30000-0x00007FF75CF81000-memory.dmp

memory/4528-126-0x00007FF68A040000-0x00007FF68A391000-memory.dmp

memory/2424-127-0x00007FF602420000-0x00007FF602771000-memory.dmp

memory/1220-128-0x00007FF64D590000-0x00007FF64D8E1000-memory.dmp

memory/1984-124-0x00007FF7134E0000-0x00007FF713831000-memory.dmp

memory/4776-122-0x00007FF6D5E60000-0x00007FF6D61B1000-memory.dmp

memory/4352-120-0x00007FF774500000-0x00007FF774851000-memory.dmp

memory/3616-131-0x00007FF6DD2F0000-0x00007FF6DD641000-memory.dmp

memory/1964-139-0x00007FF69C630000-0x00007FF69C981000-memory.dmp

memory/2596-140-0x00007FF7C97C0000-0x00007FF7C9B11000-memory.dmp

memory/2616-135-0x00007FF6C0C30000-0x00007FF6C0F81000-memory.dmp

memory/4308-132-0x00007FF7636A0000-0x00007FF7639F1000-memory.dmp

memory/940-134-0x00007FF6B5780000-0x00007FF6B5AD1000-memory.dmp

memory/700-133-0x00007FF610B30000-0x00007FF610E81000-memory.dmp

memory/1524-129-0x00007FF6AF950000-0x00007FF6AFCA1000-memory.dmp

memory/1524-151-0x00007FF6AF950000-0x00007FF6AFCA1000-memory.dmp

memory/3580-201-0x00007FF7E1770000-0x00007FF7E1AC1000-memory.dmp

memory/3616-203-0x00007FF6DD2F0000-0x00007FF6DD641000-memory.dmp

memory/4308-205-0x00007FF7636A0000-0x00007FF7639F1000-memory.dmp

memory/700-207-0x00007FF610B30000-0x00007FF610E81000-memory.dmp

memory/940-209-0x00007FF6B5780000-0x00007FF6B5AD1000-memory.dmp

memory/2616-211-0x00007FF6C0C30000-0x00007FF6C0F81000-memory.dmp

memory/212-213-0x00007FF63EBF0000-0x00007FF63EF41000-memory.dmp

memory/5036-215-0x00007FF68AD20000-0x00007FF68B071000-memory.dmp

memory/3660-217-0x00007FF7D59E0000-0x00007FF7D5D31000-memory.dmp

memory/1964-219-0x00007FF69C630000-0x00007FF69C981000-memory.dmp

memory/2596-221-0x00007FF7C97C0000-0x00007FF7C9B11000-memory.dmp

memory/552-223-0x00007FF6EC160000-0x00007FF6EC4B1000-memory.dmp

memory/4352-234-0x00007FF774500000-0x00007FF774851000-memory.dmp

memory/4776-237-0x00007FF6D5E60000-0x00007FF6D61B1000-memory.dmp

memory/2520-238-0x00007FF734660000-0x00007FF7349B1000-memory.dmp

memory/1544-240-0x00007FF7232A0000-0x00007FF7235F1000-memory.dmp

memory/1984-242-0x00007FF7134E0000-0x00007FF713831000-memory.dmp

memory/1668-244-0x00007FF75CC30000-0x00007FF75CF81000-memory.dmp

memory/4528-246-0x00007FF68A040000-0x00007FF68A391000-memory.dmp

memory/2424-248-0x00007FF602420000-0x00007FF602771000-memory.dmp

memory/1220-250-0x00007FF64D590000-0x00007FF64D8E1000-memory.dmp
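Two things in the Files sections of both runs are worth pulling out mechanically rather than by eye. First, every dropped executable has a different MD5/SHA1/SHA256, so a hash blocklist built from one run covers nothing from the next; the behaviour, not the hashes, is the durable indicator. Second, reading each dump name as memory/PID-sequence-0xSTART-0xEND (an assumption about the naming convention, but consistent with every entry above), every image region in both the win7 and win10 runs spans exactly 0x351000 bytes, including the parent's own image (memory/1524-0); the only exception is a 0x10000-byte data region. Identical image size across 21 differently-hashed drops is what re-packed copies of one binary look like, which fits the UPX tag, though the report does not prove the payloads are identical. The parser below is an added example (not the sandbox's code) that extracts both facts from text in this section's format; the sample text is a constructed subset of entries copied from both runs, without the SHA512 lines, so it executes offline.

```python
import re
from collections import Counter

# A constructed subset of the Files sections above (entries from both the
# win7 and win10 runs), embedded so the script runs offline.
FILES_TEXT = r"""
memory/1316-104-0x000000013FD80000-0x00000001400D1000-memory.dmp
memory/2628-103-0x000000013F650000-0x000000013F9A1000-memory.dmp
memory/1316-90-0x0000000002220000-0x0000000002571000-memory.dmp

C:\Windows\system\fypniOZ.exe

MD5 d12eb47a1a6eb4f0772cc2308c4c7b70
SHA1 c339f9da15af84c84853080e9da050d1318480b8
SHA256 0bdd67d23e5fe389e4fc9d4aed63294264ad2b606cd988e34b8ea4f8a9fb3c20

memory/1524-0-0x00007FF6AF950000-0x00007FF6AFCA1000-memory.dmp
memory/1524-1-0x0000020A8DF80000-0x0000020A8DF90000-memory.dmp

C:\Windows\System\GeRfKai.exe

MD5 c7f3586d6af7e4010a67ee03d67045e4
SHA1 ed1109a303d5b9194117d6e16c8ac3d27c4fa630
SHA256 1be8404d91340715ee49c7a6ef4ef25599f25ee4ef0376aab40c6b2882012869

memory/3580-10-0x00007FF7E1770000-0x00007FF7E1AC1000-memory.dmp
"""

# Assumed layout of a dump name: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
                  r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
PATH = re.compile(r"^[A-Za-z]:\\\S+$")
HASH = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def parse_files_section(text):
    """Return (regions, files): region dicts with pid/seq/start/size, and
    file dicts with path plus whichever hashes followed it."""
    regions, files, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := DUMP.match(line):
            start, end = int(m["start"], 16), int(m["end"], 16)
            regions.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                            "start": start, "size": end - start})
        elif m := HASH.match(line):
            if current is not None:
                current[m.group(1).lower()] = m.group(2)
        elif PATH.match(line):
            current = {"path": line}
            files.append(current)
    return regions, files


def validate_hashes(entry):
    """Catch truncated or mis-copied digests before they reach a blocklist."""
    return all(len(entry[k]) == n for k, n in HASH_LEN.items() if k in entry)


def summarise(regions, files):
    size_hist = Counter(r["size"] for r in regions)
    image_size = size_hist.most_common(1)[0][0]      # the dominant region size
    return {
        "image_size": image_size,
        "pids_with_image": sorted({r["pid"] for r in regions if r["size"] == image_size}),
        "other_regions": [(r["pid"], r["size"]) for r in regions if r["size"] != image_size],
        "sha256": sorted(f["sha256"] for f in files if "sha256" in f),
    }


if __name__ == "__main__":
    regions, files = parse_files_section(FILES_TEXT)
    bad = [f["path"] for f in files if not validate_hashes(f)]
    s = summarise(regions, files)
    print(f"dominant image size 0x{s['image_size']:X} in pids {s['pids_with_image']}")
    print(f"other regions: {[(pid, hex(size)) for pid, size in s['other_regions']]}")
    print(f"{len(s['sha256'])} distinct SHA256 values, {len(bad)} entries with malformed hashes")
```

Running it over the full Files sections of this report gives the same dominant size for every PID in both runs; the SHA256 list is what goes into a retrospective hunt, and the 0x351000 image size is a useful secondary filter when triaging memory dumps from the same family.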