Malware Analysis Report

2025-03-15 08:07

Sample ID 240814-zjry5atdjh
Target 2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat
SHA256 0e4bfc4715567ed5f082eba2d08ab3fef55946a65ceedcba44e2b762f800a555
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

0e4bfc4715567ed5f082eba2d08ab3fef55946a65ceedcba44e2b762f800a555

Threat Level: Known bad

The file 2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Xmrig family

xmrig

Cobalt Strike reflective loader

Cobaltstrike family

Cobaltstrike

XMRig Miner payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-14 20:45

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Xmrig family

xmrig

UPX packed file

upx
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 20:45

Reported

2024-08-14 20:48

Platform

win7-20240704-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\YFwMItj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cGBbvEm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TJFTIPD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AWzAtie.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\shTDOsi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZHpOqZa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pHyBWcw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZpFAhBE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\opbepcf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AuvyMxo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YbxdqeY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bqSYpHN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FoSNCJL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jeEHWPL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xLObocD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hOoyxtV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ctpUobm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uBeGcjs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OUwbKFI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VWtVCzw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FGpSMgE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2376 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YFwMItj.exe
PID 2376 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xLObocD.exe
PID 2376 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cGBbvEm.exe
PID 2376 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZpFAhBE.exe
PID 2376 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hOoyxtV.exe
PID 2376 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\opbepcf.exe
PID 2376 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TJFTIPD.exe
PID 2376 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AuvyMxo.exe
PID 2376 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AWzAtie.exe
PID 2376 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ctpUobm.exe
PID 2376 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\shTDOsi.exe
PID 2376 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YbxdqeY.exe
PID 2376 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZHpOqZa.exe
PID 2376 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uBeGcjs.exe
PID 2376 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OUwbKFI.exe
PID 2376 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VWtVCzw.exe
PID 2376 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bqSYpHN.exe
PID 2376 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FoSNCJL.exe
PID 2376 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jeEHWPL.exe
PID 2376 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pHyBWcw.exe
PID 2376 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FGpSMgE.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\YFwMItj.exe

C:\Windows\System\YFwMItj.exe

C:\Windows\System\xLObocD.exe

C:\Windows\System\xLObocD.exe

C:\Windows\System\cGBbvEm.exe

C:\Windows\System\cGBbvEm.exe

C:\Windows\System\ZpFAhBE.exe

C:\Windows\System\ZpFAhBE.exe

C:\Windows\System\hOoyxtV.exe

C:\Windows\System\hOoyxtV.exe

C:\Windows\System\opbepcf.exe

C:\Windows\System\opbepcf.exe

C:\Windows\System\TJFTIPD.exe

C:\Windows\System\TJFTIPD.exe

C:\Windows\System\AuvyMxo.exe

C:\Windows\System\AuvyMxo.exe

C:\Windows\System\AWzAtie.exe

C:\Windows\System\AWzAtie.exe

C:\Windows\System\ctpUobm.exe

C:\Windows\System\ctpUobm.exe

C:\Windows\System\shTDOsi.exe

C:\Windows\System\shTDOsi.exe

C:\Windows\System\YbxdqeY.exe

C:\Windows\System\YbxdqeY.exe

C:\Windows\System\ZHpOqZa.exe

C:\Windows\System\ZHpOqZa.exe

C:\Windows\System\uBeGcjs.exe

C:\Windows\System\uBeGcjs.exe

C:\Windows\System\OUwbKFI.exe

C:\Windows\System\OUwbKFI.exe

C:\Windows\System\VWtVCzw.exe

C:\Windows\System\VWtVCzw.exe

C:\Windows\System\bqSYpHN.exe

C:\Windows\System\bqSYpHN.exe

C:\Windows\System\FoSNCJL.exe

C:\Windows\System\FoSNCJL.exe

C:\Windows\System\jeEHWPL.exe

C:\Windows\System\jeEHWPL.exe

C:\Windows\System\pHyBWcw.exe

C:\Windows\System\pHyBWcw.exe

C:\Windows\System\FGpSMgE.exe

C:\Windows\System\FGpSMgE.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/2376-0-0x000000013F5E0000-0x000000013F931000-memory.dmp

memory/2376-1-0x0000000000100000-0x0000000000110000-memory.dmp

memory/2376-7-0x000000013F120000-0x000000013F471000-memory.dmp

C:\Windows\system\YFwMItj.exe

MD5 9201564dbeeee96d0f3af482df0dcb54
SHA1 dd7ce4792494306e1043c32aaa0aae9f42384fe6
SHA256 2d33f65ba80fb8c6aed588c91c24f61373df493d15be8da63d9d19aafa65828e
SHA512 663c200f297a26879ea20c26d0a33193e65d41aba513d09171b3812550e192cb4a2bf721b663b3eeb751a0775ef67c3a906b115d9067230e558002a7313cdbfb

\Windows\system\xLObocD.exe

MD5 82856729967fb3f6fd5c7b80c0ae2ca7
SHA1 a53f5380500fedeb6e08d8c9cf3253c8111e5294
SHA256 95315972ecc22f653c26a5b677781e7c673ac6533f06bc9bcc616b3d4f47cf6a
SHA512 051d25690f6fe3e9f1d0752bce45ea6ca62b643b8bc99f153155643ed2bd34ae00b14804ea30e9898eb7cc6750238e7c2a2dbc62a0b925eccc895ed0d4aa5502

memory/2376-13-0x0000000002330000-0x0000000002681000-memory.dmp

memory/2244-14-0x000000013F120000-0x000000013F471000-memory.dmp

memory/1692-16-0x000000013F840000-0x000000013FB91000-memory.dmp

\Windows\system\ZpFAhBE.exe

MD5 711b4ad7b99173779baa39d2e921f00e
SHA1 bcfed633cbf1b07ea308f3e528bfc6012b2c8192
SHA256 be55496e456ded10eabdd93df1e3e53e2934d9de319335ae7b21cefa8a78228d
SHA512 6f344c09ddb922d4a0be7c7b0d50bc2c38e67e270b66cdfee0e0ac4aef32b059d36ce2a43a7d9506794a1ad410f558cdb285fc946c46785ce7b37413c1ce0220

memory/2376-25-0x0000000002330000-0x0000000002681000-memory.dmp

memory/2376-36-0x000000013F0D0000-0x000000013F421000-memory.dmp

memory/2756-37-0x000000013F0D0000-0x000000013F421000-memory.dmp

memory/3044-30-0x000000013FFF0000-0x0000000140341000-memory.dmp

C:\Windows\system\opbepcf.exe

MD5 137a2928f723716350f65145c834412b
SHA1 3ba5da002beb858d1ec765eeb0f63b8c781dda18
SHA256 a15826a8e45c1f830de877acd11bdc897d44f991dedbcb4499df47d723879ca8
SHA512 4425b1768f845bf5c567420b76e22ab6c7d2a2193c768bf5f9634c93bad726000c7b1d47ff1701ee35bb62b49615eebdce9a1030ad34872b661835ba5fb2b81f

memory/2744-42-0x000000013FC60000-0x000000013FFB1000-memory.dmp

memory/2376-41-0x000000013FC60000-0x000000013FFB1000-memory.dmp

memory/2376-28-0x000000013FFF0000-0x0000000140341000-memory.dmp

C:\Windows\system\hOoyxtV.exe

MD5 c2f043224ac40840a1a9e859eaaebbe5
SHA1 69aa9bc06f8ec71b1a127ef0a65ea0a466aa476b
SHA256 1418a1bf1bf87e982c736a24821b06837e9917e4dfb27713653489299581bfe2
SHA512 b35ebe21588cf5e51665d16d2b3f33be10f8383f8b56b0611717bf755245318eb070e4eda44e1d78357ad2c9287c0c8bc2e262521fd8ab25c61ce9e75bda0681

memory/2172-26-0x000000013F790000-0x000000013FAE1000-memory.dmp

C:\Windows\system\cGBbvEm.exe

MD5 13c15f483c4f07e7eb71fdbffdc2402c
SHA1 99540747e529c5bc622498b6eae861b3589286b9
SHA256 ef94347fd38293053bdc0095fe8290689f767b63477cdea4e5e9f2bb7b53a94f
SHA512 5e30ab99c102012f043d5f51c11d3735cb8dc6faad104576c3bab0fcf7cd29cc25f31892da10cec2f5c7feac5ee235d41909e9249cca5b88e872882817ef38ac

C:\Windows\system\TJFTIPD.exe

MD5 c86564f78d45f5d7ff762f298b709eb3
SHA1 f0089532a11de18bef0314149de43990f2e24783
SHA256 18206273f2ccfa8fc40f0d95f80865238f81a513911ad1303bceebe8a8801441
SHA512 79e11dba43253d312634dde2d6d5c7e4235ae234c267d3f84bb351d5682c57dde9cf5129c86280ef28b97352a2bde1cb325726a83ea520c1bc26fcc1fd57828f

memory/2376-53-0x0000000002330000-0x0000000002681000-memory.dmp

\Windows\system\AuvyMxo.exe

MD5 acaff6b61f9c684ee3b2b5d3acd14097
SHA1 06a45ecbcba8a12941fe81990b5ca92763199cd4
SHA256 db6876a39d61f68300e74bd817c7c75a5409bb2a051a5dea9fbc19fcf40155a3
SHA512 fc30facc06335ad3f29572959064e7325fa097880a83a3a1bbfcca8c45c9f039c58f6d514e920620d75bf18601702249c3f34cf2ad3d10565c881b6c8af47ea8

C:\Windows\system\AWzAtie.exe

MD5 2fc28661bb02e9342cdfba24b8555f31
SHA1 769b56d682b44be9368e582f945d77d557893a31
SHA256 e5d450760a0475a14e584ebab4e100be1884bc613e4942fa309e9a01943d4dbf
SHA512 503af93acffbc9d3259f7d7ba00f53e1161fa3730cabec3fec4821269c4afb2713f3bdcdc2a4593826bb600133c771f9f1dfcd78b843de7afb96ddc589f8a046

memory/2568-80-0x000000013F360000-0x000000013F6B1000-memory.dmp

memory/2376-82-0x000000013F9E0000-0x000000013FD31000-memory.dmp

\Windows\system\YbxdqeY.exe

MD5 84437934067ce7fe1071846c68e03f4d
SHA1 0acc88ffe0e4c2259bef5c893751bd3ae9a1b72d
SHA256 662158a8055a4590c767cf95d747e974cd16fcfca073f6c5108b437a28e8a1c7
SHA512 5980a279d1f9ba54cdadcd64b164b63d81c2871acaf688f74fc30d3c764becec3415f555a705f4b0d182849d6813cdef5fed74b400ebaa3a7eb81fab1151a2e3

memory/1728-88-0x000000013F9E0000-0x000000013FD31000-memory.dmp

\Windows\system\uBeGcjs.exe

MD5 3596286c2dc461d2ddcc5aafac339a80
SHA1 bb9b5daee4894652f2b18057bd92a00200f628d5
SHA256 8c3cae09194d0912696e664c18fa95ffeb67c3085f009ea5e58f9ced1224a300
SHA512 156ab2b4acf223f1704e73b101d3967a39c5eb84ec91deb9c1d8ee479043c09efc656e0be3327cc3cea412389b4fae5b4192ed56d1c42a2d3822406443e13e12

\Windows\system\VWtVCzw.exe

MD5 ab5afddf33259428c8ce2abe898ef3aa
SHA1 ee379f59d47dbb4da9286df96fd058cb8caa79ce
SHA256 d8952116778a19b07a5397ef792f6a77469a7cb6fe3e1e94df2ffa87c6c84858
SHA512 9066cdccd7ce343f992c7c6dacb2cb0d35b51466f29afdb92ca6bd97a60dbc14d6a30296e64b884880dea3b72f7cdefe4cd82f8ce4317f637cbbcb09ccd6cecd

C:\Windows\system\FoSNCJL.exe

MD5 b79f7af2e7b93b6b2fa148f9477b84b4
SHA1 fa1781913af05adb463927e786ad1b2d147716b1
SHA256 ebc2279b1c7c79fb652d448e7471b5f44ef2d8ea8a422ab8a72b1d8dc7a8a4e3
SHA512 bb0d8a040db16d22b8ff102e68f205a9b043765f18474b96bdfb56ed99c53ff6f1419ab9b69bab929a80d1f6004d0a6fe403cb560fc36c63dc70dcd710e8da5e

C:\Windows\system\pHyBWcw.exe

MD5 394c250b12cf04b5c7d33a60b7bdc60d
SHA1 3d85560d7181d9f207afbe032aaa804d49aa3fcd
SHA256 1210546bc09fda24512188c3c788d68d1c9119ad4927eb44522c8dcd04d6df9d
SHA512 3dc4cac78ab001e22c22b5734b5031dcb2418c64281082da0547ce3b12dda02a87fe6a7a04417d94d21f90980b2c4568636b02d83d6019babe8343e9a4bf00e4

C:\Windows\system\FGpSMgE.exe

MD5 0dfb978cf054e3f0584cbe7925e84b7d
SHA1 1ab36585cd0ba669d337306f267e12b475e4679e
SHA256 ed867c448ff4554a021d2ced9cb52c2d6b44d56d2e2f241eb9895c066f3c25af
SHA512 5f3a2165ce63e89395d3dad0793f30799064802e2ddc163e4d8beda0c3a3d948d4c1892429edbb8504f88339d53e2b3bb55a8f0c025b601004847feec8bdfd23

C:\Windows\system\jeEHWPL.exe

MD5 0e4454a1dfabf6846c00a016715480be
SHA1 7e7eff8d9c1eba302b26b807f8685235359fc0ec
SHA256 34c157eb1dce2b65284124888292e50ab3ae6e6dbcb16febfcd73c9d87061726
SHA512 e10c5827805d4a51b25fdf584393e2009facee16fa711b18acd9e995ff3854b93e62864721da019fe6c8aa30bf042c0d759676ce3f33f77de70f779376717321

memory/2744-98-0x000000013FC60000-0x000000013FFB1000-memory.dmp

memory/2376-97-0x0000000002330000-0x0000000002681000-memory.dmp

memory/1744-96-0x000000013F780000-0x000000013FAD1000-memory.dmp

memory/2376-95-0x0000000002330000-0x0000000002681000-memory.dmp

C:\Windows\system\bqSYpHN.exe

MD5 f6cffc0b4d9697e895be4de75af894fc
SHA1 61a36ea8417029a779ed5c5533c1a64e4f4d7dfc
SHA256 bca57e83880ecb53d4e2f563a0fa612e3620e78ef13a5a113414a85afef4d202
SHA512 f1b87d2bbdf976849ada2bd40902bac637e185b86e784114e5968291bfab7407b6a6b58eef1b801e51d1cca33a1b58c5282d91fa09ea0b78e722c89997a4e8df

memory/2376-113-0x0000000002330000-0x0000000002681000-memory.dmp

memory/1504-112-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

C:\Windows\system\OUwbKFI.exe

MD5 6828044f6aca0a0a98225b7bf3e87e06
SHA1 7d50ac11b833fd31553287a4059b19960e9ff25e
SHA256 ec43da44f5a6771795afa52aa2ce7ccf8325bd75724e383d1f5e94198e8ce916
SHA512 b584bb0b8f96652233803fde2902fe706588abe25b2efc74991d1a5d2fa529963d1e8c582baf70988cf384276eaa67c7e7d15bc20216e77b7e2fccaccec0c5bb

memory/2504-139-0x000000013F8B0000-0x000000013FC01000-memory.dmp

memory/3044-87-0x000000013FFF0000-0x0000000140341000-memory.dmp

C:\Windows\system\ZHpOqZa.exe

MD5 2c7a8f710d3b5bbfdc8c05e1dc64ba08
SHA1 86b3985fe139fc1ba6b41589380346742543f77f
SHA256 4a5fd237302ba404dca04a4907169135058eb0c3671b00ddc4481e515dcefb3f
SHA512 b57b4348feaf24973bd9b6484b3b961cefdb14d02a1c93ca421a157caffc183ff61d688d4e3411dd18dc7bdf06d067fe1ae3eccf15674551c5e07dd521625a28

C:\Windows\system\ctpUobm.exe

MD5 6cfa8b78986b7d7410fd9b60cf437b75
SHA1 25f4eb90b895cb820e7377f93c4b4cb6c4382d51
SHA256 173cf9d1a6fd2256a3412ba899a7208700c60540895fb539972ce879350b2fd9
SHA512 3bb526b4d44998dff90bffc50d0f8881c600882e9fed3bf64f7cbb2f9882363e7fde9f5258e2bd266f56cab509c83aa80ce15d1697f32249a0ce7b3fb2d703db

C:\Windows\system\shTDOsi.exe

MD5 4647546c96675c18166cdb3dc59d6e34
SHA1 3606e3d3f18372b3cc417ed5c9b8d2218aa4dba7
SHA256 3168a544587ae0c0b6715372c2ae7a26bf6f677c79e60c98595ee6eb4db2901e
SHA512 f96cdac79999ceb1ab47d629a2d3a75aff3f72d0f4ea8b0c56635cf887182c79d94bc2b1834e7e70fb4e076dced1d0318edd1b6ea6a682df9a0d65b37bee29b7

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 20:45

Reported

2024-08-14 20:47

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\VCAaQfi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eCuGQYy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zWvYGcC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hiOYCNi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HhVLGDW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tQAoEPe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aMFtNHl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MgfYyas.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LYEityV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IngznGR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WnJTdxi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ApYjUye.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LgJupxZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dQvFRVB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ICPGNWh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iQMRskm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hJTlsil.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bboLYzn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IhiCCuC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ghYmvUi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QbgeEKa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2540 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LYEityV.exe
PID 2540 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LYEityV.exe
PID 2540 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bboLYzn.exe
PID 2540 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bboLYzn.exe
PID 2540 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IngznGR.exe
PID 2540 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IngznGR.exe
PID 2540 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IhiCCuC.exe
PID 2540 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IhiCCuC.exe
PID 2540 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VCAaQfi.exe
PID 2540 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VCAaQfi.exe
PID 2540 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WnJTdxi.exe
PID 2540 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WnJTdxi.exe
PID 2540 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ghYmvUi.exe
PID 2540 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ghYmvUi.exe
PID 2540 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eCuGQYy.exe
PID 2540 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eCuGQYy.exe
PID 2540 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ApYjUye.exe
PID 2540 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ApYjUye.exe
PID 2540 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QbgeEKa.exe
PID 2540 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QbgeEKa.exe
PID 2540 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zWvYGcC.exe
PID 2540 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zWvYGcC.exe
PID 2540 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hiOYCNi.exe
PID 2540 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hiOYCNi.exe
PID 2540 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HhVLGDW.exe
PID 2540 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HhVLGDW.exe
PID 2540 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tQAoEPe.exe
PID 2540 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tQAoEPe.exe
PID 2540 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aMFtNHl.exe
PID 2540 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aMFtNHl.exe
PID 2540 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dQvFRVB.exe
PID 2540 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dQvFRVB.exe
PID 2540 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MgfYyas.exe
PID 2540 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MgfYyas.exe
PID 2540 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ICPGNWh.exe
PID 2540 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ICPGNWh.exe
PID 2540 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iQMRskm.exe
PID 2540 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iQMRskm.exe
PID 2540 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hJTlsil.exe
PID 2540 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hJTlsil.exe
PID 2540 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LgJupxZ.exe
PID 2540 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LgJupxZ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\LYEityV.exe

C:\Windows\System\LYEityV.exe

C:\Windows\System\bboLYzn.exe

C:\Windows\System\bboLYzn.exe

C:\Windows\System\IngznGR.exe

C:\Windows\System\IngznGR.exe

C:\Windows\System\IhiCCuC.exe

C:\Windows\System\IhiCCuC.exe

C:\Windows\System\VCAaQfi.exe

C:\Windows\System\VCAaQfi.exe

C:\Windows\System\WnJTdxi.exe

C:\Windows\System\WnJTdxi.exe

C:\Windows\System\ghYmvUi.exe

C:\Windows\System\ghYmvUi.exe

C:\Windows\System\eCuGQYy.exe

C:\Windows\System\eCuGQYy.exe

C:\Windows\System\ApYjUye.exe

C:\Windows\System\ApYjUye.exe

C:\Windows\System\QbgeEKa.exe

C:\Windows\System\QbgeEKa.exe

C:\Windows\System\zWvYGcC.exe

C:\Windows\System\zWvYGcC.exe

C:\Windows\System\hiOYCNi.exe

C:\Windows\System\hiOYCNi.exe

C:\Windows\System\HhVLGDW.exe

C:\Windows\System\HhVLGDW.exe

C:\Windows\System\tQAoEPe.exe

C:\Windows\System\tQAoEPe.exe

C:\Windows\System\aMFtNHl.exe

C:\Windows\System\aMFtNHl.exe

C:\Windows\System\dQvFRVB.exe

C:\Windows\System\dQvFRVB.exe

C:\Windows\System\MgfYyas.exe

C:\Windows\System\MgfYyas.exe

C:\Windows\System\ICPGNWh.exe

C:\Windows\System\ICPGNWh.exe

C:\Windows\System\iQMRskm.exe

C:\Windows\System\iQMRskm.exe

C:\Windows\System\hJTlsil.exe

C:\Windows\System\hJTlsil.exe

C:\Windows\System\LgJupxZ.exe

C:\Windows\System\LgJupxZ.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\LYEityV.exe

MD5 89f01b45414451d9dab8d94979cdcf00
SHA1 fd3fe3025fe9470ecaba91fd783fab7c176e55f4
SHA256 4c85d4f2fbbf4fca0ea1133577970e23a9efb99d8ec4c1ddb8c29503f365e4ee
SHA512 3b2c0f6e882e8983d4c480dcc714b05912ec6af1570e03b2d48c25ddee7910cc53967b6d9775edf098215c606dcdfbf5cde13d20a79744da6e88622cae1a375c

C:\Windows\System\bboLYzn.exe

MD5 9dd400d46b744b3f088cf9babdfc1367
SHA1 398601fbe9f3993c3010d6222e61b3ff518f32ab
SHA256 db6ec1021ab7c7626ec2d5ca82f4b464cdafc01d5f6aa8bc6c6009cd219b550a
SHA512 137a90a3ae6d713799b92b883e45691d18081e8e94941fe25e1a8c4bb4159ba9be2f55bfca363785233d944d54ff22348a42d859ae5d505c269e9f38292b233f

C:\Windows\System\IngznGR.exe

MD5 a62590cda3e9f13dfd3489c9de98e9d4
SHA1 0e39ff6654683c5954e1f7253624686fb2485882
SHA256 9ee1134b060aed0d7a1308a453c7e13ae4b4341ac17761aab2f1070f42639789
SHA512 051e1a0e9bcf3378605a0aae045ed49c657651af05a0eb31155ba5ad2421c2bf4986e92f2346367c3ffbc4e62680ac7ca04f3c9a128a34bb225020d4e32dd7a3

C:\Windows\System\IhiCCuC.exe

MD5 bc428a494ae2e030fec480ef17ce36cf
SHA1 d9ba30e5ded45fb221d0b63acd3d95fdd65ca788
SHA256 c25b9b248a458ab8978773e8dfd27c4ac51463a2b542bd4f73c6c0625b4bc239
SHA512 ae345e98931c4893ab5a3eb591c8898072e1c7aeca3704bf69bfec98e8d171c20d9cb8758b2c1f0b3f63dbfe101d60a8269386d767e7ae6d24312a16239b648d

C:\Windows\System\WnJTdxi.exe

MD5 c09183c3542cdb94632c6254685959df
SHA1 25d441c4e1e628bd53692f40facc7900d01ac45d
SHA256 6c47cd281bf3f9fd51b9292cbdfb2fa28498f413329dba654a7a103c8b71a64e
SHA512 6c71c475d81350c5d71ecd3bd5de5b0c0933f6894b63f6a8acb6419a61a1dbda3e8e35e54957d0af1514def1dc71df764bd323f8dc86ef5b1ff7ba44810b78c9

C:\Windows\System\VCAaQfi.exe

MD5 6c3c5ce0f140df0b50f3f7da306d5849
SHA1 cbf530c73e37295993d37218b96c8393210f11df
SHA256 1f96da46ae16453d0059aa0f08b3600cbef4f82f258ad16e35ae140573a296d7
SHA512 8b33ba9095b55ffd7b605c2f1810fa1f99c051c510ba131fa817fc2f26788315d784f4e3c86d0ba62fa98848b7ce40d5691a12fba6da16a7acccc32a563a76f5

C:\Windows\System\eCuGQYy.exe

MD5 0c5c9a91bc929bea6a30c713dc2778a2
SHA1 da3b38a05a943a4592bdca887028b4a2ffaafafd
SHA256 ec01e2ad6cec1b050295153a69c6c88caf167c350479ec3e5f2daa28ac16c0f8
SHA512 c227ed74c2cd0eab04f7f64cc927c7b2ec544cfe119c4b1730f490ca9ad7a7464cdfe3d5635fdf707e664f147f2e326e9f5627f9f547a2092c8543685d183d3a

C:\Windows\System\HhVLGDW.exe

MD5 f278f5aefb2f0dd250fb35199bcde0de
SHA1 02be003b0e74172afaca19d513bb1d3c1adb5eb2
SHA256 065f2a39687267a5200a29097d09d912d48eaa317076415786b46bb9d858be0d
SHA512 d46e25ba7e04cab2d259307d86955f1ad76b9f7c487faca691691b484b6bba952dc4122ff08526b0006de7d10ab3e0bcdc0e0fe5604daaad7502d028802f9d98

C:\Windows\System\aMFtNHl.exe

MD5 6a2e528920c1d67bda4a2d9b1b981e95
SHA1 7d10f38cbc8975d7ec2af39dd0b3a987d4035013
SHA256 122ce65d0f40885a7137b10d5236109129d0c0f634d5682924406b329df1a729
SHA512 55007d11fee96ab547f51126908c0369d20fa6426f3b7d4a6e46fe085e24007156738e015e61f380b0b8dc0ec3f57362b45933a7116905ff52f4905429ee7986

C:\Windows\System\hJTlsil.exe

MD5 f012794eb5cffffab74a51cb6fe51987
SHA1 03e0a97f8790638bf069506125c675f9ff9f089c
SHA256 75a35c58dc6b6b45657ee7db924bc954d74d6b1ddff26139e27bca3bc37739b2
SHA512 0929ef0e8386e6ec2f44bb347a44780c4a9233a65adbfac3057abbb53c3519a7329a061a0a6d99e668646c1c54d1ff175ae78c27b9c55a190e05696363452a9f

C:\Windows\System\LgJupxZ.exe

MD5 38aa7ffe01f18f6a8ac28800f9f6ddbc
SHA1 2fa1e3aabc4d2295eaeae94215c5ae1d0079b3e8
SHA256 681c20aaf045966e8719ee9ae1125ab6387a177a9d20999babb3f80956eba99b
SHA512 67543ab5c52b3feacbbd73a0ccb97a4b227ea4afa94454fe7ed393ed8023c966ae5a32394e76310b0e14af3c1f69dfa3038a183db481869ecfba98e1dcc94180

C:\Windows\System\iQMRskm.exe

MD5 f4e343a50882c703506b3a8ebf1063b5
SHA1 784e78d8451bd3e0b631f18eb7ca12f83ded0fca
SHA256 c654bb8de9ae7e5e7f37285d4208f139bfab8ad2ab240348ebf1f0af5119aff5
SHA512 016e10f7c6fba5db66fa2109b415801318645b250d97d1342161f38158d652e4c2486aa87e82a49c4e6d8c7db995f96b80a947309039acd9c7fbac9ebb02384e

C:\Windows\System\ICPGNWh.exe

MD5 71478876380e393c2195225850194dec
SHA1 6da34a2e2e544cc6ebbb482b1cea50c2526e7fc3
SHA256 78277ed3547be8cbede4314bb5addd8e1eb6b39452e3a129ff5ae9795331d210
SHA512 ab755cf247a9262aa1611e7cf4af1ee3f8018d331ba3d2f98badbb7ac084bb36adecaa281b0d33b09418f6b3709e4b39bc57c5ffc8e5743bd18d88212bf7f1dc

C:\Windows\System\dQvFRVB.exe

MD5 a71b965d2464f8fedc4bfd6bdf7427e7
SHA1 56d1a150eccc0168742635f5fd3075e11374a418
SHA256 fc0c400c05799c0ccf69e863645e974e860577cbc80463c3c985a9da62988045
SHA512 3364827d5a3f99988a72c0f1c98777bb9aa4c727e0faed8a122739c387bb1ee891db170b303b78befab643d186d8aa3ddb835ecb76541c775f8a15e8c94e65c5

C:\Windows\System\MgfYyas.exe

MD5 5b6cf50700a85741cb6b47bd53f3be62
SHA1 0b888b76a568801fc7f5f0c65105f733eda50681
SHA256 73ed8377273bd9d50e724d630c03fd3abfaa8016b258cb00584b02d356f48467
SHA512 931ffc2f8395965b1b948b8563b9cec9fac67ca5d122eff03be0a937338577cfb15bfc59fe4b3e536095484a87d32e46af6b09a9af1361d42f955ae46e8a7f76

C:\Windows\System\tQAoEPe.exe

MD5 f688f3f515167b990b77993d21b95d27
SHA1 f4c22db2821bd0a629090264fec28c2583db80cc
SHA256 99c2f1182ef58a3eaa1e9d8ddbe3382a5f6d923e2f30ba2460386f4bffb6cb6c
SHA512 449b0568ad55ecfa578078cc62c3f9a4842dfc5e62bb4a17c065e06d41d0a506f457b48d1857cd3802717b9d51a00853052a2b39ddbc4ac11970d1649397f2c2

C:\Windows\System\hiOYCNi.exe

MD5 1c9108cdeb84a9fd5bc4e06497b4986f
SHA1 7a61c8562f6ed89974973ffcf3bb6dff5f9cc936
SHA256 087f0761260f2edb85106e7bcabe8ee12805e5440b7f02cb20825c03d1a273fb
SHA512 8f1b5e9861999d4ece057231b6f33623e427a8a932091f7da8b66898d0654b110b7ea1eb18310bd86a5301cc1f1a6fc68025374dc81d06d29525459674d8b0aa

C:\Windows\System\QbgeEKa.exe

MD5 838fec81dc8bf3a480a42dc9530a2635
SHA1 c009f6ff5a5779dd1d44b4d3f72dbffe03b77314
SHA256 1e027cf2ac321c03b57a4b080a38c3697eda65031beb4a18301820cf6187563e
SHA512 49adb8b989e46316b6b18076a64dc8f9dcdff3be43ecea5281fd39a2086b8cbaba940f9fcfa30d10dfd8ea2cdd0b973789543c24478dbb6fa35723f71d5ddff3

C:\Windows\System\zWvYGcC.exe

MD5 1bb2fc86d4a0a565f7109bf66f213509
SHA1 74fdfe3f61772eceeef3c4b038136cddcf042d55
SHA256 6168e84517668818583f46c14dc6d2a479ca3469e5a258ece3b4f8b1023be247
SHA512 cf1952dd72d76058b00d8c36fadb97b085baa0facca79de4ef96b22be0a5096483d78f06ff13e26f93dbf77485e642205e5d939674e58138beca13fd239a2697

C:\Windows\System\ApYjUye.exe

MD5 3b35bb0d6e56405edc58288a61dbc572
SHA1 29cd625b7929480b0960aaa2d24e20394bd01680
SHA256 7bd71063a1fffb3698789f1bfa1b72158023e0920187656d379bb9055c8a5100
SHA512 6af0e5789598476ead2ac4763842b516100fc6f7fa33a2e00144020ce683dd2353c53f43de6a031931ecaf28cf501dcf81c8cb8a8c2a9fa0ba651fdc03532aac

C:\Windows\System\ghYmvUi.exe

MD5 9bb7308b0369216a0c7aba34f789b709
SHA1 246081f979b265cf856ee46dc57f79d50bba94da
SHA256 e54cfc478cfd31c2c0a5b28fe311da187595caad3b5ddd1bcb9093a55868cfd0
SHA512 95c08823d90c23fc62c2b39603897d43cbc27d0c646dd367581f9d3dc93ab41dc2ea79c8c1a1cc5515060c1f147b5535bd6e8d72bb76f5a0b8ee2fa02bf3d0ea
