Malware Analysis Report

2025-03-15 08:07

Sample ID 240814-zmb23sycrj
Target 2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat
SHA256 7704bc9af6bfe7ac6738088d5b4e6882e3058f4e8b919a50119f487876c069ed
Tags upx 0 miner cobaltstrike xmrig backdoor trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 7704bc9af6bfe7ac6738088d5b4e6882e3058f4e8b919a50119f487876c069ed

Threat Level: Known bad

The file 2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike family

Cobalt Strike reflective loader

Cobaltstrike

xmrig

Xmrig family

XMRig Miner payload

XMRig Miner payload

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-08-14 20:49

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-14 20:49
Reported: 2024-08-14 20:52
Platform: win7-20240729-en
Max time kernel: 140s
Max time network: 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\KUVLbar.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zzhREvn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oNPVPph.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hUHbMal.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YgyaSpb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uEdVpvG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yVtUVDD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NtsiVKY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yzqaHIx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AxEOCuI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iBTrSTB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UaECsnx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vmWGEln.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SjUrMMR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WIIherF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KyhBGXG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QGtpkLO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ccyTQib.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fQcFiSl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MlWYeUc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hNUuAOX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WIIherF.exe
PID 2124 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YgyaSpb.exe
PID 2124 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KyhBGXG.exe
PID 2124 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MlWYeUc.exe
PID 2124 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hNUuAOX.exe
PID 2124 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iBTrSTB.exe
PID 2124 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QGtpkLO.exe
PID 2124 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uEdVpvG.exe
PID 2124 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yzqaHIx.exe
PID 2124 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AxEOCuI.exe
PID 2124 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yVtUVDD.exe
PID 2124 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UaECsnx.exe
PID 2124 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vmWGEln.exe
PID 2124 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NtsiVKY.exe
PID 2124 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ccyTQib.exe
PID 2124 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KUVLbar.exe
PID 2124 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zzhREvn.exe
PID 2124 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fQcFiSl.exe
PID 2124 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oNPVPph.exe
PID 2124 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hUHbMal.exe
PID 2124 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SjUrMMR.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\WIIherF.exe

C:\Windows\System\WIIherF.exe

C:\Windows\System\YgyaSpb.exe

C:\Windows\System\YgyaSpb.exe

C:\Windows\System\KyhBGXG.exe

C:\Windows\System\KyhBGXG.exe

C:\Windows\System\MlWYeUc.exe

C:\Windows\System\MlWYeUc.exe

C:\Windows\System\hNUuAOX.exe

C:\Windows\System\hNUuAOX.exe

C:\Windows\System\iBTrSTB.exe

C:\Windows\System\iBTrSTB.exe

C:\Windows\System\QGtpkLO.exe

C:\Windows\System\QGtpkLO.exe

C:\Windows\System\uEdVpvG.exe

C:\Windows\System\uEdVpvG.exe

C:\Windows\System\yzqaHIx.exe

C:\Windows\System\yzqaHIx.exe

C:\Windows\System\AxEOCuI.exe

C:\Windows\System\AxEOCuI.exe

C:\Windows\System\yVtUVDD.exe

C:\Windows\System\yVtUVDD.exe

C:\Windows\System\UaECsnx.exe

C:\Windows\System\UaECsnx.exe

C:\Windows\System\vmWGEln.exe

C:\Windows\System\vmWGEln.exe

C:\Windows\System\NtsiVKY.exe

C:\Windows\System\NtsiVKY.exe

C:\Windows\System\ccyTQib.exe

C:\Windows\System\ccyTQib.exe

C:\Windows\System\KUVLbar.exe

C:\Windows\System\KUVLbar.exe

C:\Windows\System\zzhREvn.exe

C:\Windows\System\zzhREvn.exe

C:\Windows\System\fQcFiSl.exe

C:\Windows\System\fQcFiSl.exe

C:\Windows\System\oNPVPph.exe

C:\Windows\System\oNPVPph.exe

C:\Windows\System\hUHbMal.exe

C:\Windows\System\hUHbMal.exe

C:\Windows\System\SjUrMMR.exe

C:\Windows\System\SjUrMMR.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/2124-0-0x000000013FE50000-0x00000001401A1000-memory.dmp

memory/2124-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\WIIherF.exe

MD5 e358776c4ef5658a6c8d371c349a9adc
SHA1 cc25a34e0a01fea823eb7368e7db88898062ed83
SHA256 7049ebb37fb983769000ad28e3acb2a1b5fbf762c717f5d86df4b4266bed243f
SHA512 afa0b8fd61fe4ae5706a4506b0a6dd3c24ac02cd6748e8b5694fb891b8c54dc87d14816b73f18236a038bf78a009278c6f53f70af9593641ba9281e8327f6f9e

\Windows\system\YgyaSpb.exe

MD5 61e2d97c85a64e4ab39f97b37b05b298
SHA1 1b33fb8bd1d5386ff98d19209236e9338ba4d126
SHA256 b414c736bf000b6ff6dc5d7a00b1f564f1845c18362267a187e98cc630d8381b
SHA512 5be8f7a1624872d8a35ab8fec33b340ce001e14955233c0a50975574aaa7574c44f6247695e71d16d66cff6837a8283c3945487a7ea70a9aee2d8959d45b66ff

\Windows\system\KyhBGXG.exe

MD5 e819f45a861b51772810e69462483eb7
SHA1 49ab80d8242987937240a5dfcaabc0f69b4bad2e
SHA256 b17e6cfa80193d4c8391bf94e2470fa167c6e2051d73bcdaf13c4610af631ece
SHA512 0bd142f17a011ed643f8e14561a9755d53f7627882629c9528127d5a9f62670f42c67f96b53d4b5cf0081bfd1feac5e354d05adf488b2ffbfaaaf6171328339e

memory/2124-17-0x000000013F160000-0x000000013F4B1000-memory.dmp

\Windows\system\MlWYeUc.exe

MD5 57386051d165a59240e4ff6447573527
SHA1 c911a833beab204a34baae10116bb34c90606ea7
SHA256 89925b8053ca1f2c09640ada3e49bdd9e9175119759dc8f730dc314e2bda942a
SHA512 6bcad626a507babd6df9f5a343ca03f34349e77117ad06f8e2087e74307bb59150d35bdbfc385473ae3d1821926290860ef0c93fda2d28ec9903a70b1e9677a7

C:\Windows\system\hNUuAOX.exe

MD5 f7d29da800b2a0d9ccaa76edc7e51bef
SHA1 cbbef753241a66988e4e858fc861ce3872b42134
SHA256 e990c5755375b2c8c2517faa2cd02fca638d90754879f92e51a7a4179b2ec75a
SHA512 5278b5487c4fb63e893ad3a4de44d8513f901ee862c9e4bb2e9e926fcf4576e0fb268a49964c3520b141e71eeb0411508d1b71711479262f4806a46df65f3b30

memory/2124-30-0x000000013F930000-0x000000013FC81000-memory.dmp

memory/3044-28-0x000000013F8E0000-0x000000013FC31000-memory.dmp

memory/2308-34-0x000000013FA40000-0x000000013FD91000-memory.dmp

memory/2124-33-0x000000013FA40000-0x000000013FD91000-memory.dmp

memory/2124-36-0x000000013F5D0000-0x000000013F921000-memory.dmp

memory/2372-35-0x000000013F160000-0x000000013F4B1000-memory.dmp

memory/2124-49-0x000000013F030000-0x000000013F381000-memory.dmp

\Windows\system\uEdVpvG.exe

MD5 487ca191495e5c51917f26e356c8cd80
SHA1 3b809a1a38d5b3c126be1e5a1ca1743ca7e1fb0a
SHA256 9c7663a573d4ba3c3a057e157b22c31be808b14110c3c65f1305b543da4b9838
SHA512 c2b086c859c5f3256727f16f42e0f047ce01938ea6ab07841c53c811e3978a46b4422a9796f484ea6cfee96625985fb0c61d4b20d090c4915fdd41c3778aa794

memory/2124-52-0x000000013F780000-0x000000013FAD1000-memory.dmp

memory/2620-50-0x000000013F030000-0x000000013F381000-memory.dmp

memory/2344-46-0x000000013FD30000-0x0000000140081000-memory.dmp

C:\Windows\system\QGtpkLO.exe

MD5 0e809ee73003c67de9c808b348e71106
SHA1 1e38e11171802527f18478730eba2a0238736f53
SHA256 f631d21dc756e588a06ee429bec1348cc4ccc415ca6b45ddb9c733cbeb3275e4
SHA512 d24cb3babff60522b0920b97e4b3df8808ac7fe8960a12ceb59567d5a2cdf499d300d93a5ebbd01ccad98f1cb25f2046f07c81a27006fc39a522888741a4d391

memory/2124-41-0x0000000002280000-0x00000000025D1000-memory.dmp

C:\Windows\system\iBTrSTB.exe

MD5 2168ac01bd71df4fbdf2f4a27f40708a
SHA1 5ae8073f40ba066396aca1912946b1de5a9c3da2
SHA256 2c53a35fac482b8805f54e031265115c6eae5e1f290b4d3b31d51b94d9507528
SHA512 65c67110661210de366ec54fbce025175a16344755809adb431018d7930a25b21bc65f8ddda8fe019580572f0b7314ef0f6089bc3c2ef763a94f644ba12570a3

memory/2148-32-0x000000013F5D0000-0x000000013F921000-memory.dmp

memory/1104-31-0x000000013F930000-0x000000013FC81000-memory.dmp

memory/2640-57-0x000000013F780000-0x000000013FAD1000-memory.dmp

C:\Windows\system\KUVLbar.exe

MD5 11e21d3dab3453b934396f58923efbff
SHA1 f9e2c25f1000d7a3076afb3226a07b98c0b47413
SHA256 0ea68fb3e101de9c68f3b939f27bf6ac000c9838a404ae3b75d1e95fbe7370d7
SHA512 e6a8ad6eea69ce180954f6c3ba9493f4b5634a22e3633c839d15565bc40b3f75da99785dbbfa33fa947968fe98cf9f01488a45e3772348b6236727a86a46cb2e

C:\Windows\system\oNPVPph.exe

MD5 40ced5a150b1cb6bbb3198700048504b
SHA1 d5172d878d0b314620f142f8db02dd5cbcf26d06
SHA256 9766dec8c71e9cbe60e8ba363be852cd3b4551a401a19d06b98a39c27176636e
SHA512 b6d5f55ae9d2d51dd1ba6b578dab2ee081732621c394531f9516bc85e34417ca6ccf15c448bb293e6f444248e806eceee454ab12030547bcd49cec0076ad92a5

\Windows\system\hUHbMal.exe

MD5 cbbe2c27ca557c0609a419aa0fd6480e
SHA1 2801691ee142f01d526f03de5febb0e238cc8f3c
SHA256 25c6da70e0daae2223e6d01c3d1e1ac11775c4b5c8f57186c11c3bb502457d70
SHA512 57276d294fe8922e091dc4c534787dade3a1d05c4ce62e3efd412d9c0644ba45fdff85f6036110d56b232861724f8bbd665c571941876ce837f2a6297629f610

memory/2572-103-0x000000013FCC0000-0x0000000140011000-memory.dmp

\Windows\system\fQcFiSl.exe

MD5 bcd3ac7019d6b59d77b16b80cdc2f6b6
SHA1 ebd2e89e7fe0b4638f962818a4d24b5f112d66d2
SHA256 7bcfe74f1b2529d0ca50fae9e5c483ada72c6f6a82c902eea4ebaddabf240e0c
SHA512 945e3528f617b55436c2b402d65d77adcc392f31ec2126af91cf6fd5f788b016c4edf7e317b9f4124f520705fc280fbb09f5ce61a65678066ce861cd7f1b304f

memory/2124-95-0x000000013F440000-0x000000013F791000-memory.dmp

memory/2676-87-0x000000013F1C0000-0x000000013F511000-memory.dmp

memory/2124-86-0x000000013F1C0000-0x000000013F511000-memory.dmp

memory/2404-85-0x000000013F5F0000-0x000000013F941000-memory.dmp

C:\Windows\system\vmWGEln.exe

MD5 8f560a940bbef5782930992bc0d8a3ac
SHA1 f4bccd79d2a3795af5a5e055059ebfe58a50c722
SHA256 182e7aeb3d29c23e066f8898841936b8c19c0f49886eae981f4a2be1aa118bac
SHA512 5900a5c52ab7865e07a0781c312ae4e4a6e709a43acf2624c2e8af09670a16138ded1437134b54ba2067485340d16944980d9ad744f5688c64b8dbe4b86ce86e

memory/2124-126-0x000000013F660000-0x000000013F9B1000-memory.dmp

memory/2124-125-0x000000013F020000-0x000000013F371000-memory.dmp

memory/2124-124-0x0000000002280000-0x00000000025D1000-memory.dmp

C:\Windows\system\SjUrMMR.exe

MD5 49f3783990ceb8bb53d9fb49cd3bce39
SHA1 b24a4e6832174c275d4e9559d5e8ad2d4f4f707b
SHA256 fcacfc27a5441c85a93520f83e838294be42a6cb6bc70b925354b8c2bb0fe073
SHA512 0c3d91db1e6ede2a8abd8bfbc75dda943067d37e14f3db3bfd32dfd98c8b4f74b2b0b774e61d57bb6f0185245c1bb4d7501d0bd201472cef45abeec318075414

C:\Windows\system\NtsiVKY.exe

MD5 c8337dacc931149294d49d3bd5d29fb0
SHA1 aa43f19d065c8896d8106303863482d75dc68c24
SHA256 39bb5eb887f86fc5043bd9f6b396bf55bbf1169d998583de04127864842457b1
SHA512 b5f04a30e5a7bd16287e7c1509699576bcde0d9ac79309c0a6d16e29942abdbc48baced57ef5791d8e78c6e1b23b6b9721654543187652c8013deaf69c08c4eb

memory/2124-120-0x000000013FE50000-0x00000001401A1000-memory.dmp

C:\Windows\system\UaECsnx.exe

MD5 1d6a1165ce16ad4ce13dfe28897c0038
SHA1 a81f33025ff1f110da9f5af55174dc5497bc18ee
SHA256 50ac9137bc59c117916562b9198ab2ce0f0543dff7922f6c705fd1accca78d5f
SHA512 53d6c49620b5ba712b3aa7d75be5e02db7403c17dd62c169083899b49e23438997bef523188267e9b1067ff9ff2c0302eb61c8d967a32795f5e1c715a8a7fed6

C:\Windows\system\zzhREvn.exe

MD5 a598a3df47778af2504e4a7bb5368b9f
SHA1 00bfeb36fe73f2852de5bdb36f6014f3dbc99f05
SHA256 970b7dba331ba2ce4c097fc79653e837f741c979ce71ff2b31f42ac2d7de4fb1
SHA512 c86e828166729d6ef1580394b23f1e27231702c96501c8a5f6aa95b677f270d339fded1a39a6ddd1115ad29bfe4b8fa606c51b6a401b67a3e7fabc9bc0202ee8

C:\Windows\system\ccyTQib.exe

MD5 b99e96b9d80680315c1eeee6a77b7b40
SHA1 4505add5a8f01142595badab71ca435cefd21366
SHA256 23e3b40bdab0d2a87107faf6180ec5afdb09fc152a994c69e1c44ab574938c58
SHA512 a81d1cd93ed1886023ec990baa2f26cce25052d58c9cf3b8902c0ccb690530e9ec44c032886743b377565be19676b31fc0144ece47b4ac88c7866104f1a2d643

memory/2124-92-0x000000013F320000-0x000000013F671000-memory.dmp

C:\Windows\system\AxEOCuI.exe

MD5 d850cae1c6df9dbd46ef3fd7791c9c6e
SHA1 17f9bfbbc09b4a25d31e838d4bdbfe5a1f3b671c
SHA256 2af22a1bdb9c172e09e43f4021fd92462144e7b4152cf5135a8fcc50155f0bac
SHA512 fef32c526ada502c1a8925d86e97c670948bd666bd2e466813a7e8bd3cf560fc61e857aeea2b51f4055911cf46cc6ea99a455f0f1c1017d54604e583520fa382

C:\Windows\system\yVtUVDD.exe

MD5 969edf1ad32c7ae03d9c2d01036cb96b
SHA1 d207e2cb0d8e89592d07be2cc66094b0cdd7a791
SHA256 9e7e27e635b533709f9e3766abebf988b404a8ba2686be892d517d6ce89b7c80
SHA512 8ac00c5c8e0c0c937c2bff0fd1676576e06964eb494e2d1ff01acf7d6b9692ab7298093a4f84d481ffeacb94531568bf60e7b6192ea4d5a86fc1ed9eb356f9f3

memory/2828-64-0x000000013FDC0000-0x0000000140111000-memory.dmp

memory/2124-63-0x0000000002280000-0x00000000025D1000-memory.dmp

C:\Windows\system\yzqaHIx.exe

MD5 f93e6174fc8200d99ec5fb8b117432d9
SHA1 0d59cf904812d8aa6e79871427f3eaf322696719
SHA256 6b3061247fe0510325ef72130d7b4eb6250b3e47e070da3e3ae4e0e860423689
SHA512 43f17648176152f7f6c2db7de170db043a6787bf3ff42b4f660d5f40872c928d91227ba49fce5c3b42ea116f57ce035d4ff563c8869adc10e1cd0e1a7bcc0458

memory/2344-134-0x000000013FD30000-0x0000000140081000-memory.dmp

memory/2124-135-0x000000013FE50000-0x00000001401A1000-memory.dmp

memory/2120-156-0x000000013FB10000-0x000000013FE61000-memory.dmp

memory/2844-154-0x000000013F3F0000-0x000000013F741000-memory.dmp

memory/2584-152-0x000000013F660000-0x000000013F9B1000-memory.dmp

memory/2008-150-0x000000013F790000-0x000000013FAE1000-memory.dmp

memory/1984-149-0x000000013F440000-0x000000013F791000-memory.dmp

memory/1532-155-0x000000013FE20000-0x0000000140171000-memory.dmp

memory/2708-153-0x000000013F110000-0x000000013F461000-memory.dmp

memory/2544-147-0x000000013F320000-0x000000013F671000-memory.dmp

memory/824-151-0x000000013F020000-0x000000013F371000-memory.dmp

memory/2124-157-0x000000013FE50000-0x00000001401A1000-memory.dmp

memory/2124-180-0x000000013F660000-0x000000013F9B1000-memory.dmp

memory/2124-179-0x000000013F020000-0x000000013F371000-memory.dmp

memory/3044-205-0x000000013F8E0000-0x000000013FC31000-memory.dmp

memory/2372-206-0x000000013F160000-0x000000013F4B1000-memory.dmp

memory/1104-208-0x000000013F930000-0x000000013FC81000-memory.dmp

memory/2148-210-0x000000013F5D0000-0x000000013F921000-memory.dmp

memory/2308-212-0x000000013FA40000-0x000000013FD91000-memory.dmp

memory/2620-215-0x000000013F030000-0x000000013F381000-memory.dmp

memory/2344-216-0x000000013FD30000-0x0000000140081000-memory.dmp

memory/2828-233-0x000000013FDC0000-0x0000000140111000-memory.dmp

memory/2640-235-0x000000013F780000-0x000000013FAD1000-memory.dmp

memory/2404-237-0x000000013F5F0000-0x000000013F941000-memory.dmp

memory/2676-239-0x000000013F1C0000-0x000000013F511000-memory.dmp

memory/2572-241-0x000000013FCC0000-0x0000000140011000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 20:49

Reported

2024-08-14 20:52

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\REDriUJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ahLGPDn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dQpbxto.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KUPuEjQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uccTCjZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jToKUih.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CUhMTAt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hItrEtG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LpXixTv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hWkdUiH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VtltUYH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NXGcrVV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YynnUDO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HuLeswS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aQlFyQE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NGliWzF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rBFJDlt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UbwjMwO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cVEsHsq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cisLhAN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\faINjHF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1048 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cVEsHsq.exe
PID 1048 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cVEsHsq.exe
PID 1048 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NGliWzF.exe
PID 1048 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NGliWzF.exe
PID 1048 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cisLhAN.exe
PID 1048 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cisLhAN.exe
PID 1048 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VtltUYH.exe
PID 1048 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VtltUYH.exe
PID 1048 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NXGcrVV.exe
PID 1048 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NXGcrVV.exe
PID 1048 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uccTCjZ.exe
PID 1048 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uccTCjZ.exe
PID 1048 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jToKUih.exe
PID 1048 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jToKUih.exe
PID 1048 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\faINjHF.exe
PID 1048 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\faINjHF.exe
PID 1048 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CUhMTAt.exe
PID 1048 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CUhMTAt.exe
PID 1048 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YynnUDO.exe
PID 1048 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YynnUDO.exe
PID 1048 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rBFJDlt.exe
PID 1048 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rBFJDlt.exe
PID 1048 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UbwjMwO.exe
PID 1048 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UbwjMwO.exe
PID 1048 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HuLeswS.exe
PID 1048 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HuLeswS.exe
PID 1048 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\REDriUJ.exe
PID 1048 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\REDriUJ.exe
PID 1048 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ahLGPDn.exe
PID 1048 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ahLGPDn.exe
PID 1048 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dQpbxto.exe
PID 1048 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dQpbxto.exe
PID 1048 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hItrEtG.exe
PID 1048 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hItrEtG.exe
PID 1048 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aQlFyQE.exe
PID 1048 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aQlFyQE.exe
PID 1048 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KUPuEjQ.exe
PID 1048 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KUPuEjQ.exe
PID 1048 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LpXixTv.exe
PID 1048 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LpXixTv.exe
PID 1048 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hWkdUiH.exe
PID 1048 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hWkdUiH.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\cVEsHsq.exe

C:\Windows\System\cVEsHsq.exe

C:\Windows\System\NGliWzF.exe

C:\Windows\System\NGliWzF.exe

C:\Windows\System\cisLhAN.exe

C:\Windows\System\cisLhAN.exe

C:\Windows\System\VtltUYH.exe

C:\Windows\System\VtltUYH.exe

C:\Windows\System\NXGcrVV.exe

C:\Windows\System\NXGcrVV.exe

C:\Windows\System\uccTCjZ.exe

C:\Windows\System\uccTCjZ.exe

C:\Windows\System\jToKUih.exe

C:\Windows\System\jToKUih.exe

C:\Windows\System\faINjHF.exe

C:\Windows\System\faINjHF.exe

C:\Windows\System\CUhMTAt.exe

C:\Windows\System\CUhMTAt.exe

C:\Windows\System\YynnUDO.exe

C:\Windows\System\YynnUDO.exe

C:\Windows\System\rBFJDlt.exe

C:\Windows\System\rBFJDlt.exe

C:\Windows\System\UbwjMwO.exe

C:\Windows\System\UbwjMwO.exe

C:\Windows\System\HuLeswS.exe

C:\Windows\System\HuLeswS.exe

C:\Windows\System\REDriUJ.exe

C:\Windows\System\REDriUJ.exe

C:\Windows\System\ahLGPDn.exe

C:\Windows\System\ahLGPDn.exe

C:\Windows\System\dQpbxto.exe

C:\Windows\System\dQpbxto.exe

C:\Windows\System\hItrEtG.exe

C:\Windows\System\hItrEtG.exe

C:\Windows\System\aQlFyQE.exe

C:\Windows\System\aQlFyQE.exe

C:\Windows\System\KUPuEjQ.exe

C:\Windows\System\KUPuEjQ.exe

C:\Windows\System\LpXixTv.exe

C:\Windows\System\LpXixTv.exe

C:\Windows\System\hWkdUiH.exe

C:\Windows\System\hWkdUiH.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1048-0-0x00007FF731290000-0x00007FF7315E1000-memory.dmp

memory/1048-1-0x000001AE3F5A0000-0x000001AE3F5B0000-memory.dmp

C:\Windows\System\NGliWzF.exe

MD5 fc299b781d66337126562768af4ce8a2
SHA1 2e3b1209963aad234541698373042143099398d4
SHA256 667ab0845d023d174f154787c7979ebbfa6716d76d22ed50dfd720aab5216506
SHA512 b64f72ee3de11c3309fa32f691e0644c38035be23e3e5c432c4b6384fd9ae251b52f5772dd78fd812f09877babd010d11054bd5b4bee71021f33a27f7db1f814

C:\Windows\System\cisLhAN.exe

MD5 00d9f3eb591cf33e97b90bed9a42a83a
SHA1 b3eb79d31563edb9891c2a68f14209c57e8f3328
SHA256 275b5ccff2a73affbb8cc7c86ce1f89bdcbc303e462ca02e5ab44e076233f0e6
SHA512 25a067c1f7d257030309cacc7746f057d508eb702c8e0a26bf7eb5429ae6cf0c510666f591db34f8de0e30bbfc7c172a7e155e6043725c52e1b7c9f1dae44f6a

memory/4204-26-0x00007FF75E980000-0x00007FF75ECD1000-memory.dmp

C:\Windows\System\NXGcrVV.exe

MD5 76787f3a2e1667ab4b916fed00433fac
SHA1 4f8dcdc858d7bff2c546cea110e39330d8ef717b
SHA256 d0589153dc35d2d5d827b235c680d9fe82d08a756dc89218ac0d7f113769c13b
SHA512 0f1b5a497b33c7417b42ced4b6ccf682d3a11d3dc54562c95edfd761235499b913fa3f79c78d57c3c78bd7d0605c3d979b2e76d35ab39fad5567e7a4d91d7849

C:\Windows\System\uccTCjZ.exe

MD5 e22352a365c3348bce165ed3a5b164d5
SHA1 8bc9ef2e68c41f16063b292ffc998cf3a04841ed
SHA256 604dc8e0811a9b5c636bf35162685b80a38923466b5ea73adce09ef16520b772
SHA512 9951650c439eb367ce858ada4c1e4c3ebc84897f9053a74adbc7657706d9822f4a1382ad7394239e039a9d1ea8317bc8563fa5c8d637e029529c056a3f320370

memory/2384-30-0x00007FF7169E0000-0x00007FF716D31000-memory.dmp

memory/3200-25-0x00007FF6D7110000-0x00007FF6D7461000-memory.dmp

C:\Windows\System\VtltUYH.exe

MD5 d2976c42a1dde768b053796b9800be2a
SHA1 8c012fd07207faff3a4f1aa51582871cade273d4
SHA256 2ece92e52f970ccfe02aca9b585284012356bdf501ebfcae8b5ea3f3e8cd634b
SHA512 ff9c7ea7ff66a33a35986be8f12a599a2f8fb9993be9a06af8bfbdd09a3471c8d9c054bf1229c845780335c4005faccd7f2761baf63f12c5b479718ea4c13390

C:\Windows\System\jToKUih.exe

MD5 5a38484b616ac1d4012fc688c4d8a00d
SHA1 fb29dfed19241a3027149f65ebafa957171a775a
SHA256 e68fe9d3395ed9a71e1aa270e4f36923825b14367f093a4d08cbaa4032e81a1a
SHA512 956f737320bb4dc9cb76c0e0aed6b6056ed5c5bb44b264787920e3439fbe3d947a5a4537385d38edb6148638ce9b9ff4f14362235420c85d5e8cb2b5026fa589

memory/5116-40-0x00007FF716000000-0x00007FF716351000-memory.dmp

C:\Windows\System\faINjHF.exe

MD5 48b86696e1b264dc8083a1b2688c9eca
SHA1 47772cd846ccb482c18cea8b43717a0242ca4b9b
SHA256 63ecabdfdcebb99f6abfad05310b8bac5805c925cfb4499de619891c8732d39d
SHA512 c95e1d3583f71a6b091d4772c00bffc7add5895850229303fa94feee704b66578534fb1914386d204c37ad6e86c593500b03f557459c079f8ae153be878d5d51

C:\Windows\System\YynnUDO.exe

MD5 e4045d707e01daa08911f779d16efb54
SHA1 d66ed3b286c042cdf24facc3ddfcfc0d10f7cad8
SHA256 747466a7c0d7b205a8ab06308c8bbb8f68e5c4598c40f47881d73b0b5f0a4f76
SHA512 c138a8c3aef413c704667c80d06e0454c866e7ab8ba42139481edab5817219b9cdc95a9d7d0aefa026081fb1904e93a0927c28cc59f43f817d79da238fdd76dc

C:\Windows\System\rBFJDlt.exe

MD5 5530742d7a1b6b7769e228d1804b2c79
SHA1 4fa1f3c3350dbd66e47e9a7c856b531b37065fe5
SHA256 698a790db2f4883e4cdbf4036094e6ff7e627ccea7073f2e8c2e5f95b69412e9
SHA512 1782119bfb967006b8f910e925de4089bb64faac144ac2e4ea989154eef750001478a1a486f897c903487bc3f9b975817463ff780b7f0527e9a2b60efe9260c9

C:\Windows\System\HuLeswS.exe

MD5 ec9b5c91eac99704ad698a0b5f45a4de
SHA1 e20cd0325adf577e838825865bf0430d4e942eb4
SHA256 501141c7f8b0bf96a7d58fba49370f824a5e3cdcf7e86ffa635ae22f82f12357
SHA512 f86d2154b18a8acf8f3e2d7a2a68c328cbd948b9655fee6b5e1b05a245c523db2f741a26bd743e8b4de39db3b6d807e174034742e1c0ca42064cd29bd7c8c313

memory/3164-85-0x00007FF621A80000-0x00007FF621DD1000-memory.dmp

memory/2816-87-0x00007FF694C30000-0x00007FF694F81000-memory.dmp

C:\Windows\System\dQpbxto.exe

MD5 526c5894a27db7521a7d76ec5c9e24e5
SHA1 0093dd647d0a3d53c938fd8d8f6dcf8438e5e9c1
SHA256 e3f7cf35d8f5dc553f5b951fcc05b8c607af702d4c96e90f0d66123a545a9472
SHA512 aff2e017bf14d5c27df3f2532365b69d6cab2a41449c6ede6585148f27d59199d0adc3e4d6e51eb9c69fd398368fd42079aa3464b0ad1384d22b991534c5b223

C:\Windows\System\hItrEtG.exe

MD5 c85cfedfbd6811cd86d6e2887b19ce13
SHA1 9325840d27b7acc28160b427c9a844447ca4b73d
SHA256 4ecf5ccffc3129549b6d05dcaedd29c42e3f1c02a67633223cc9eba1de48db5c
SHA512 b5e4c0141524af892be058ee200543eead8f3a01b0d4495d4dc802b6070346143c0f2161736a436daf8049a95269cd22c996687b7adbf29cf53b199ec8fa8274

memory/3200-110-0x00007FF6D7110000-0x00007FF6D7461000-memory.dmp

C:\Windows\System\aQlFyQE.exe

MD5 85de7b7a320fd2648addf93c8653c01a
SHA1 8fa9fac4b2db26f0f8df5e1dd7b4bb4d82dce9c2
SHA256 7bd0ca6d49ce57a979bc8e1399992405da16199e52313169fa6de8c7d22343c8
SHA512 6a7ea10e4e1e9ae52b39921c9af768ade56707151bb5c624b5f84bfc251879e389e795773d17f135700b2f9444c6ccfffa7d45a47159f47793ceffc0a72fe73e

C:\Windows\System\LpXixTv.exe

MD5 d5ca62160e1ecd1556f545fbf871e560
SHA1 99b799fb72f6846f513119b739a7516d4e7b4c1b
SHA256 98ec3315e129d74e6c912cc7f37efcbe47f1e7631cd0f1cd90a2cc26fa9f27ba
SHA512 d64865d644b8aca970a40cd16e8f5c32fe1f3c9fe33954caa2e04377db9bdc01736ace3e93c6eb2a34886cd0de3d6802b9959e5a7ccadaa734885e83a0414372

C:\Windows\System\hWkdUiH.exe

MD5 275945b9edf1b10ca25b181f1ef3595a
SHA1 1e2c8e84dec877a02bd5b49fd319b9c6511ec1c8
SHA256 fcef13d8bd3cffd878ac02e86524cd62c6bd4f4ba3e2b2b9857eb4dc2850bf0f
SHA512 c010f056dc4dd18a200a78ac4a84fc61c4f12fdf1266b513cf07a55ffec4e5a9e922a389047049848fb10e1a821081ae25c375b52e2c515d1e436252dd227e4b

C:\Windows\System\KUPuEjQ.exe

MD5 d16817466beaea982e72a3462cb4f210
SHA1 25debc60bdd5bd80e25ed82ef928316c02148013
SHA256 8b7189be56779881a648fa2e5244c664284d90a518605aee52c051570a1a6278
SHA512 8a1ae73506bf32168f752a18aead51d52a8b59747805e922ad1d83283877069d04348e9eab9f6ad862c8e0bf9e5543bd97a42f668aa2c30c3c2ec43b2d520ea6

memory/764-112-0x00007FF699D80000-0x00007FF69A0D1000-memory.dmp

memory/4692-111-0x00007FF6CF8D0000-0x00007FF6CFC21000-memory.dmp

memory/3604-109-0x00007FF7E7A90000-0x00007FF7E7DE1000-memory.dmp

C:\Windows\System\ahLGPDn.exe

MD5 59467a8714ddc185754acca0be9a3c75
SHA1 a30ed339fc41a76aa5a2992e83fa3ade6b9a2a8e
SHA256 64f444fb9534c45b61e68d81d927a094877bde46196be564dd04b336db6a444b
SHA512 b48075d9e6f7423de78c10e41d2d5dd9e8e2012279521b511321d1679cb4f61d6663a18879fdae9a3b6ac6b9455165ab93c8c109a9e7f15b632d1d8b20922ab5

memory/4932-94-0x00007FF777BB0000-0x00007FF777F01000-memory.dmp

memory/2964-93-0x00007FF65A0E0000-0x00007FF65A431000-memory.dmp

C:\Windows\System\REDriUJ.exe

MD5 a130b47cdc764aba55ec00627557a253
SHA1 5da49b3e72d11bd06f68ebf1ef44158e46755ee5
SHA256 7755c5dd8e21250fb294924b2acdcc91f45a690adf07fb21ab8f8607daac6fc7
SHA512 6080c387dd641076e89dd36ec191dbf67f0c1ae7f4b18ab20d2e289bb37b76aeb89e5f4745e0f1d29944bb95d0e23256b654c1e245e591e3d511111866ddd9f7

memory/3120-88-0x00007FF6DDAF0000-0x00007FF6DDE41000-memory.dmp

memory/3008-76-0x00007FF72D7B0000-0x00007FF72DB01000-memory.dmp

C:\Windows\System\UbwjMwO.exe

MD5 41c67c6207db834952005d08dcd93d52
SHA1 82168dcc0af5bda02df12ae007a3974843ad564b
SHA256 2f75fc9d0b72d22cb1cd5f22d8a8ad17800ebe5a7cf98a51794719519298299e
SHA512 888bcc0979b546f072aa99cebd1f16f63943808aa54ab4e5af0169b3d6542aaa485a0b9b42346d9e6ee5eabca1b80e3e5154e2e376183905f2163480250ebfab

memory/1048-74-0x00007FF731290000-0x00007FF7315E1000-memory.dmp

memory/732-66-0x00007FF7A8650000-0x00007FF7A89A1000-memory.dmp

C:\Windows\System\CUhMTAt.exe

MD5 1160df369cabea1b6951762ba72af1c0
SHA1 9b10dd370fe36512254e1b3d771ed5e244af5321
SHA256 10d32595ae1a96aae744b946f92f600e4bd022e4d4e95c8052942e7fcd484f1a
SHA512 569612de3042e58ae040b079eacc744725cf76acf4501294ecef793256c6647c41730bd79a913f99baeae2f73c8633217f02b8accd89d4d9a98b92f52fd40f94

memory/396-60-0x00007FF759CE0000-0x00007FF75A031000-memory.dmp

memory/2452-52-0x00007FF7B2EA0000-0x00007FF7B31F1000-memory.dmp

memory/324-45-0x00007FF6D71C0000-0x00007FF6D7511000-memory.dmp

memory/3604-12-0x00007FF7E7A90000-0x00007FF7E7DE1000-memory.dmp

memory/3120-10-0x00007FF6DDAF0000-0x00007FF6DDE41000-memory.dmp

C:\Windows\System\cVEsHsq.exe

MD5 6b31b1cf00d3cf86b1b7039952f1f6fe
SHA1 9b04df83d3f5f3a554a349bce75805e6bc70a830
SHA256 0d9b1628404062ab0df9b5c69f37507953df8c0764e6142fce01119047941990
SHA512 aa4cc287f22b0c68128b6e5645ae140a0c485233a5d773a932a8c42e52b761ec9fb984987a5372861f8e9ed51d2923b9cc4f32c8e489f4693010f431878f831f

memory/2372-130-0x00007FF7B1B80000-0x00007FF7B1ED1000-memory.dmp

memory/1888-129-0x00007FF79E920000-0x00007FF79EC71000-memory.dmp

memory/4780-128-0x00007FF691340000-0x00007FF691691000-memory.dmp

memory/1652-131-0x00007FF7ACCF0000-0x00007FF7AD041000-memory.dmp

memory/1048-132-0x00007FF731290000-0x00007FF7315E1000-memory.dmp

memory/3164-143-0x00007FF621A80000-0x00007FF621DD1000-memory.dmp

memory/4780-150-0x00007FF691340000-0x00007FF691691000-memory.dmp

memory/4932-147-0x00007FF777BB0000-0x00007FF777F01000-memory.dmp

memory/764-149-0x00007FF699D80000-0x00007FF69A0D1000-memory.dmp

memory/2964-146-0x00007FF65A0E0000-0x00007FF65A431000-memory.dmp

memory/396-141-0x00007FF759CE0000-0x00007FF75A031000-memory.dmp

memory/732-142-0x00007FF7A8650000-0x00007FF7A89A1000-memory.dmp

memory/2384-137-0x00007FF7169E0000-0x00007FF716D31000-memory.dmp

memory/1048-154-0x00007FF731290000-0x00007FF7315E1000-memory.dmp

memory/3120-207-0x00007FF6DDAF0000-0x00007FF6DDE41000-memory.dmp

memory/3604-209-0x00007FF7E7A90000-0x00007FF7E7DE1000-memory.dmp

memory/3200-211-0x00007FF6D7110000-0x00007FF6D7461000-memory.dmp

memory/4204-213-0x00007FF75E980000-0x00007FF75ECD1000-memory.dmp

memory/2384-215-0x00007FF7169E0000-0x00007FF716D31000-memory.dmp

memory/5116-217-0x00007FF716000000-0x00007FF716351000-memory.dmp

memory/324-219-0x00007FF6D71C0000-0x00007FF6D7511000-memory.dmp

memory/2452-221-0x00007FF7B2EA0000-0x00007FF7B31F1000-memory.dmp

memory/732-223-0x00007FF7A8650000-0x00007FF7A89A1000-memory.dmp

memory/396-225-0x00007FF759CE0000-0x00007FF75A031000-memory.dmp

memory/3008-227-0x00007FF72D7B0000-0x00007FF72DB01000-memory.dmp

memory/3164-229-0x00007FF621A80000-0x00007FF621DD1000-memory.dmp

memory/2964-233-0x00007FF65A0E0000-0x00007FF65A431000-memory.dmp

memory/2816-232-0x00007FF694C30000-0x00007FF694F81000-memory.dmp

memory/4932-237-0x00007FF777BB0000-0x00007FF777F01000-memory.dmp

memory/4692-236-0x00007FF6CF8D0000-0x00007FF6CFC21000-memory.dmp

memory/1888-243-0x00007FF79E920000-0x00007FF79EC71000-memory.dmp

memory/764-241-0x00007FF699D80000-0x00007FF69A0D1000-memory.dmp

memory/4780-240-0x00007FF691340000-0x00007FF691691000-memory.dmp

memory/1652-245-0x00007FF7ACCF0000-0x00007FF7AD041000-memory.dmp

memory/2372-247-0x00007FF7B1B80000-0x00007FF7B1ED1000-memory.dmp