Malware Analysis Report

2025-03-15 08:00

Sample ID: 240814-zqk46atfre
Target: 2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat
SHA256: d0c628c771aec61d6cd406500e726f820420d5a03b399318b3877ed88b80e4eb
Tags: upx, miner, cobaltstrike, xmrig, backdoor, trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: d0c628c771aec61d6cd406500e726f820420d5a03b399318b3877ed88b80e4eb

Threat Level: Known bad

The file 2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Tags: upx, miner, cobaltstrike, xmrig, backdoor, trojan

Family signatures:

Cobaltstrike family (Cobalt Strike reflective loader)

Xmrig family (XMRig Miner payload)

Behaviour signatures:

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Note on reading this report: none of the Cobalt Strike or XMRig signature hits below carry an indicator, process or target, so the family attribution rests on the static and memory signatures alone. What the behavioural run documents directly is a dropper pattern (21 executables with seven-letter mixed-case names written to C:\Windows\System and executed, each receiving memory writes from the parent) and six TCP connections to 3.120.209.58:8080 with no domain resolved. The submission filename itself is not evidence of family.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-08-14 20:55

Signatures

Cobalt Strike reflective loader (family: cobaltstrike): 1 hit, no indicator, process or target details recorded

XMRig Miner payload (miner; family: xmrig): 1 hit, no indicator, process or target details recorded

UPX packed file (upx): 1 hit, no details recorded

Unsigned PE: 2 hits, no details recorded
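The two static hits above that can be reproduced from the file alone are "UPX packed file" and "Unsigned PE". The following Python is an added example, not code from the sandbox or this report: it parses the PE headers with struct only (no pefile dependency), reads the section names and the "UPX!" marker for the packer check, and reads the Certificate Table entry (data directory index 4) for the signature check. The report does not say exactly how the sandbox implements either signature, so treat these as the standard checks, not the sandbox's own logic. The build_test_pe helper fabricates a minimal, non-loadable PE header purely so the checks can be exercised offline; it is not the sample.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Certificate Table: embedded Authenticode signature


def triage_pe(data: bytes) -> dict:
    """Static checks behind 'UPX packed file' and 'Unsigned PE', on raw file bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    pe32plus = magic == 0x20B                   # 0x10B = PE32, 0x20B = PE32+ (x64)
    dd_base = opt + (112 if pe32plus else 96)   # start of the data directory array
    num_dd = struct.unpack_from("<I", data, dd_base - 4)[0]   # NumberOfRvaAndSizes
    cert_size = 0
    if num_dd > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _, cert_size = struct.unpack_from("<II", data, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    # Section table follows the optional header; each header is 40 bytes, name is the first 8.
    sec_table = opt + opt_size
    names = []
    for i in range(num_sections):
        raw = data[sec_table + 40 * i: sec_table + 40 * i + 8]
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    # Stock UPX leaves UPX0/UPX1 section names and a "UPX!" marker; both are trivially renamed,
    # so a miss here does not prove the file is unpacked.
    upx = any(n.startswith("UPX") for n in names) or b"UPX!" in data
    return {
        "pe32plus": pe32plus,
        "sections": names,
        "upx_packed": upx,
        # No Certificate Table means no embedded Authenticode signature. Catalog-signed
        # Windows binaries also have none, so this alone does not mean "untrusted".
        "authenticode_present": cert_size > 0,
    }


def build_test_pe(section_names, signed=False, pe32plus=True) -> bytes:
    """Constructed minimal PE header (not loadable, not the sample) for exercising triage_pe."""
    opt_size = 240 if pe32plus else 224
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, len(section_names),
                       0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    dd_base = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dd_base - 4, 16)                     # NumberOfRvaAndSizes
    if signed:   # fake certificate table entry: RVA 0x1000, size 0x800
        struct.pack_into("<II", opt, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x800)
    secs = b"".join(n.encode().ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return dos + b"PE\x00\x00" + coff + bytes(opt) + secs


if __name__ == "__main__":
    print(triage_pe(build_test_pe(["UPX0", "UPX1", ".rsrc"])))
    print(triage_pe(build_test_pe([".text", ".rdata", ".data"], signed=True, pe32plus=False)))
```

To run it against a real file, pass the bytes of the sample: triage_pe(open(path, "rb").read()). The memory ranges later in this report (image bases around 0x13F000000) are consistent with a PE32+ image, which is why the constructed packed sample is built as PE32+.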

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-14 20:55

Reported: 2024-08-14 20:57

Platform: win7-20240729-en

Max time kernel: 140s

Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader (trojan backdoor cobaltstrike): 21 hits, no indicator, process or target details recorded

XMRig Miner payload (miner xmrig): 40 hits, no indicator, process or target details recorded
Loads dropped DLL

21 events, all attributed to the process C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe; no DLL path or target recorded.

UPX packed file (upx): 64 hits, no indicator, process or target details recorded

Drops file in Windows directory

21 "File created" events, all by C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe, no target recorded. Files created:

C:\Windows\System\TyCDFZv.exe
C:\Windows\System\TrdMPLm.exe
C:\Windows\System\YyKvFul.exe
C:\Windows\System\vuJzdUb.exe
C:\Windows\System\ebIxzxT.exe
C:\Windows\System\sZbjdvk.exe
C:\Windows\System\tDFSsUX.exe
C:\Windows\System\FRHUCkx.exe
C:\Windows\System\UefZvwZ.exe
C:\Windows\System\vhXRwog.exe
C:\Windows\System\bORpSRW.exe
C:\Windows\System\wCzgNOe.exe
C:\Windows\System\KfIHNPb.exe
C:\Windows\System\HbUDJTc.exe
C:\Windows\System\vAZgYvv.exe
C:\Windows\System\ILtZjXX.exe
C:\Windows\System\dCCTqSY.exe
C:\Windows\System\bwRWxkK.exe
C:\Windows\System\bqVkviZ.exe
C:\Windows\System\FtHNPAE.exe
C:\Windows\System\yhQtZKx.exe

Suspicious use of WriteProcessMemory

63 events, all from PID 632 (C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe). Each of the 21 dropped executables received exactly three writes. Target PID and image:

2240 C:\Windows\System\FRHUCkx.exe
2188 C:\Windows\System\HbUDJTc.exe
2784 C:\Windows\System\TyCDFZv.exe
2812 C:\Windows\System\UefZvwZ.exe
2620 C:\Windows\System\yhQtZKx.exe
2540 C:\Windows\System\TrdMPLm.exe
2528 C:\Windows\System\YyKvFul.exe
2676 C:\Windows\System\vuJzdUb.exe
2536 C:\Windows\System\ebIxzxT.exe
2556 C:\Windows\System\sZbjdvk.exe
2908 C:\Windows\System\dCCTqSY.exe
748 C:\Windows\System\vhXRwog.exe
1528 C:\Windows\System\bORpSRW.exe
1952 C:\Windows\System\vAZgYvv.exe
800 C:\Windows\System\bwRWxkK.exe
3020 C:\Windows\System\bqVkviZ.exe
1908 C:\Windows\System\tDFSsUX.exe
2876 C:\Windows\System\ILtZjXX.exe
1924 C:\Windows\System\FtHNPAE.exe
2356 C:\Windows\System\wCzgNOe.exe
572 C:\Windows\System\KfIHNPb.exe
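The drop, execute and WriteProcessMemory rows above describe one chain: a process running from the user's Temp directory writes a seven-letter executable into C:\Windows\System, starts it, and writes into the new process. The Python below is an added example, not part of this report or of any sandbox product: it correlates those three event kinds over constructed events modeled on the rows above (the event dictionary schema and the benign noise rows are assumptions, not a real export format) and emits an alert per stage. One caveat a practitioner should keep in mind when tuning this: a parent writing a small fixed number of times into a child it has just created is also what an ordinary CreateProcess commonly produces on this platform, so the memory-write alert is only meaningful here because the child is a file the same parent just dropped; the drop-and-execute pair is the stronger signal.

```python
import re
from collections import defaultdict

# Constructed events modeled on the report's rows (schema is an assumption for this example).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe")
EVENTS = [
    {"type": "file_create", "pid": 632, "image": SAMPLE, "path": r"C:\Windows\System\FRHUCkx.exe"},
    {"type": "file_create", "pid": 632, "image": SAMPLE, "path": r"C:\Windows\System\HbUDJTc.exe"},
    {"type": "process_create", "pid": 2240, "ppid": 632, "image": r"C:\Windows\System\FRHUCkx.exe"},
    {"type": "process_create", "pid": 2188, "ppid": 632, "image": r"C:\Windows\System\HbUDJTc.exe"},
    {"type": "write_process_memory", "pid": 632, "target_pid": 2240},
    {"type": "write_process_memory", "pid": 632, "target_pid": 2240},
    {"type": "write_process_memory", "pid": 632, "target_pid": 2240},
    {"type": "write_process_memory", "pid": 632, "target_pid": 2188},
    # Constructed benign noise: an installer writing under System32, a service child of PID 4.
    {"type": "file_create", "pid": 900, "image": r"C:\Windows\System32\msiexec.exe",
     "path": r"C:\Windows\System32\drivers\example.sys"},
    {"type": "process_create", "pid": 901, "ppid": 4, "image": r"C:\Windows\System32\svchost.exe"},
]

# Seven-letter executable directly in C:\Windows\System (the pattern every dropped file follows).
RANDOM_NAME = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
# Dropper running from a user's Temp directory, as the sample did.
USER_TEMP = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def correlate(events):
    """Return (alert_name, actor_pid, detail) tuples for the drop -> execute -> write chain."""
    dropped = {}                 # lowercase dropped path -> pid that created it
    spawned = {}                 # child pid -> (parent pid, image path)
    writes = defaultdict(int)    # (writer pid, target pid) -> number of writes
    alerts = []
    for ev in events:
        kind = ev["type"]
        if kind == "file_create" and RANDOM_NAME.match(ev["path"]) and USER_TEMP.match(ev["image"]):
            dropped[ev["path"].lower()] = ev["pid"]
            alerts.append(("drop_random_name_in_windows_system", ev["pid"], ev["path"]))
        elif kind == "process_create":
            spawned[ev["pid"]] = (ev["ppid"], ev["image"])
            if dropped.get(ev["image"].lower()) == ev["ppid"]:
                alerts.append(("execute_dropped_exe", ev["ppid"], ev["image"]))
        elif kind == "write_process_memory":
            writes[(ev["pid"], ev["target_pid"])] += 1
    # Only flag writes into a child that the same process dropped and then started.
    for (writer, target), count in writes.items():
        ppid, image = spawned.get(target, (None, None))
        if ppid == writer and image and image.lower() in dropped:
            alerts.append(("parent_writes_dropped_child", writer,
                           f"{image} (pid {target}, {count} writes)"))
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

On the real event volume from this detonation (21 drops, 21 executions, 63 writes) the same logic yields 63 alerts; collapsing them per dropper PID is the obvious next step before shipping this as a rule.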

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe
command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe"

Dropped executables run during the detonation, each with a command line identical to its path (PIDs from the WriteProcessMemory events above):

C:\Windows\System\FRHUCkx.exe (PID 2240)
C:\Windows\System\HbUDJTc.exe (PID 2188)
C:\Windows\System\TyCDFZv.exe (PID 2784)
C:\Windows\System\UefZvwZ.exe (PID 2812)
C:\Windows\System\yhQtZKx.exe (PID 2620)
C:\Windows\System\TrdMPLm.exe (PID 2540)
C:\Windows\System\YyKvFul.exe (PID 2528)
C:\Windows\System\vuJzdUb.exe (PID 2676)
C:\Windows\System\ebIxzxT.exe (PID 2536)
C:\Windows\System\sZbjdvk.exe (PID 2556)
C:\Windows\System\dCCTqSY.exe (PID 2908)
C:\Windows\System\vhXRwog.exe (PID 748)
C:\Windows\System\bORpSRW.exe (PID 1528)
C:\Windows\System\vAZgYvv.exe (PID 1952)
C:\Windows\System\bwRWxkK.exe (PID 800)
C:\Windows\System\bqVkviZ.exe (PID 3020)
C:\Windows\System\tDFSsUX.exe (PID 1908)
C:\Windows\System\ILtZjXX.exe (PID 2876)
C:\Windows\System\FtHNPAE.exe (PID 1924)
C:\Windows\System\wCzgNOe.exe (PID 2356)
C:\Windows\System\KfIHNPb.exe (PID 572)

Network

Country Destination Domain Proto Count
DE 3.120.209.58:8080 (none resolved) tcp 6 connections

Files

memory/632-0-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/632-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\FRHUCkx.exe

MD5 2b2e22b30b56829ca046f05d46ac400f
SHA1 97979bda783a75d728c618ff71ef2a9b7870e454
SHA256 0d249cb2c3f2f75b752879549c41c7c0bb69d5725c6bc8c98085b0061d3eaabe
SHA512 c99f6be9fa40678723cdca3d7992513a6008ce07c89e8f8dbf9af8a6464de113269ace0d7db16753a43b0de0ffd229efea927696ba994fe7a198a6c712ef774c

\Windows\system\HbUDJTc.exe

MD5 01a9e5c739d58891ed1abf3fe83f6108
SHA1 c3cf80ed918636f163f36d8f9702e337c0a07a44
SHA256 cf5b393721d51f957a21de4e4b035ebd996ca0fce51f581fe078d6f24ac60253
SHA512 e4815806d92608261981ec72646068c9d4a260874474644519a93da922bd8515297913a2548614d580973096341925e2f02db0ea780e4935948dad4c28bc24c0

memory/632-11-0x0000000002220000-0x0000000002571000-memory.dmp

memory/2240-16-0x000000013FD40000-0x0000000140091000-memory.dmp

memory/2188-15-0x000000013F2E0000-0x000000013F631000-memory.dmp

memory/632-21-0x0000000002220000-0x0000000002571000-memory.dmp

memory/2784-23-0x000000013FF20000-0x0000000140271000-memory.dmp

C:\Windows\system\TyCDFZv.exe

MD5 ce624e06e242709d2e38bebf2699c820
SHA1 5f5961d116f87e34eb30745315a2a894463284d8
SHA256 c8a75d37958497c8fd2bbf99655a9d49624aac1a74f08ac4dba91245895e10db
SHA512 b7e73319e9d2adac328dcb79ed1857dde2b921977792f0f88032aa9c03a89167e262ee658c85b9089e9ddc94ad1a3a92a166e4a410c2400f5f7842344ea932a8

C:\Windows\system\UefZvwZ.exe

MD5 7395b167e22950cf6789a318ce42de11
SHA1 4cd2ecda2e3020f0f30ff286f6d527eaefa70c15
SHA256 6b930538c3ac31a4c87bcf5865f9b4393dacef37c47558f76425ebd068db64b6
SHA512 9932937cecb07f075a6b66d31af2a429187ef0543314efd56a141e9f43cac72ff2a99fd5d533b172f35981c09e9cc00f1512353fc21e8e1edb377e0782b803b8

memory/2812-29-0x000000013FF40000-0x0000000140291000-memory.dmp

memory/632-28-0x0000000002220000-0x0000000002571000-memory.dmp

memory/632-12-0x000000013F2E0000-0x000000013F631000-memory.dmp

C:\Windows\system\yhQtZKx.exe

MD5 2dabc9b7bf3554f565fd319379406c84
SHA1 32124d2a06071c484f190df302529ac8fee8709a
SHA256 273fbc213c99858ace98dca8c6b36a96ab3d3d2cc3c1da77338115d297eac1d5
SHA512 718ae596f060ce05b183e5aa60f3633f85f6003bb7a9ad40f8dc9e9d97db2833877a3862c08eb5ff46357ace92fbad67a01ae6c0d8b383eaba9b7f8663b99bc2

C:\Windows\system\ebIxzxT.exe

MD5 d7bd7d93f3e53cd9644984a274223cf3
SHA1 1b82bee8f02dc314fa24d19958cd95fb9e9351f1
SHA256 040ebe647cbaac57c2ea1cd08ddd73e1fb10ee75405905851ff679af6370afa6
SHA512 6e44bdcf6bec9ee5b0b71fadeb7a2b50be40a5373c9cad570e7d4d33ed87b806e3c27983ca4cd7c726da4d0d90c59d5e70d9fac55439fe08d08aba2dbf6a3e1b

memory/632-35-0x0000000002220000-0x0000000002571000-memory.dmp

C:\Windows\system\dCCTqSY.exe

MD5 691abc6f27685b17884540a2fd7ac3b6
SHA1 a2b212b050e2ef76aaa3e85b1385568040a89110
SHA256 28f50cdafd52acb21fb3ff00cde6f0c08cc3af2d2940f3fac02da3316433e6bf
SHA512 6e7aa2e436c431128c741b16b2385abd59f835dcac7aff037d3a525a73773f1b5ffe68722031eb59306cee71a3be378dd6e17a9919065cc4dc0e9d5fe8093e4c

\Windows\system\bwRWxkK.exe

MD5 b7ce8ad123609fff30434ad5077a2608
SHA1 4e427567b4d0ac1094a8dc73530700fd6331f0cf
SHA256 adfbdaf47474ac9142c934cc6f664aa0287abbf3e061b2152622990aecc6d047
SHA512 dbb8452bbdd7865e883e2a32f3f50bcf3b2966f8962b35e1ffea12766842b9031390124c8bc40321f0b181b3db889dd36fddef46a97f1eb5245fa42bdf15039a

C:\Windows\system\FtHNPAE.exe

MD5 e8fc8c645c94d32f81c897f3b81aeb09
SHA1 cbe88de90a1bfb4f2c0a10473faca4946e8112dd
SHA256 e9e6154008f80069de88c762aeec4576d9dc737ea1a13924c9e94f1e1f1a7c38
SHA512 5e9e89e88df066c8aff875defe01753ce479375b49966cc9752111756581b3968326ead648ac6295a43da690f8013c6b75725344f8b809b2f82e4d47c792692c

C:\Windows\system\bqVkviZ.exe

MD5 d1c2961431b7e8908633debc62e6d696
SHA1 f814b040238777021e2f0f72307f4de992dc4216
SHA256 ce580c62f7d0dc6e58d736bf8055c6f82c5d1cee223af5d5e6a1283d020c7dae
SHA512 c313e4a3d73adbf2d4c60baacf2be0bd760ac26b4b1f0f7189946fcb0f98e374d0b4e89cd7b4ceefaafecd45a9c2fb7783b5408bc717abf503de36ffc56374f3

C:\Windows\system\ILtZjXX.exe

MD5 654a006aa8b2088f8098c4ebd541b0db
SHA1 d940163cf28507125de00bdf10623851000b2870
SHA256 001e3e46b454bec0863130511d920de25caa49b61f4193905ad29f4f66ff3483
SHA512 d7af0c6d73671b9b0d16501b9ea08d6e10509673911dd49ea9975e43d97da80fbc1f479c063d3d53cca612625341a11bcfefb746ef33bcde0691bc349cc837be

\Windows\system\wCzgNOe.exe

MD5 88e5762dce65e348b4d850fd88d7d885
SHA1 91dbcc83b5b1e31e49cf81264e6f4c611e199614
SHA256 108a817820c0f396bdfc0302e11047d715ab1428502e41fc8ccf0d3d88dcf1f6
SHA512 e58c7b80c95056d8d783a273f2543677819b24a129d597b10c18670cd88ba6c9c012b8a9063e9b47715044c9f48906577e146d5c7788c52e75114b6f42fb6c96

C:\Windows\system\vAZgYvv.exe

MD5 b024c4a830f74878b3f53a36c13d60cd
SHA1 686e8aadfed5d6e9a9ef519d1939f82d6d01dd22
SHA256 ec2bf3ea9c3ca4f3e0e3f9d691301d2648f3c41fd04d844fe5e452a780e762c6
SHA512 795cab578283d10fd5ccf851caa2f05a48094e1a76f94b644abc1002c16588333616d4892d45f4d1786210bc8fe3d23201d1fe9dc8b4a1426d819169069749fe

memory/632-106-0x000000013F810000-0x000000013FB61000-memory.dmp

memory/632-105-0x000000013F620000-0x000000013F971000-memory.dmp

memory/632-104-0x000000013F320000-0x000000013F671000-memory.dmp

memory/1528-103-0x000000013F2A0000-0x000000013F5F1000-memory.dmp

memory/632-102-0x000000013F2A0000-0x000000013F5F1000-memory.dmp

memory/748-101-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

memory/632-98-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

memory/2620-97-0x000000013FCC0000-0x0000000140011000-memory.dmp

memory/2812-92-0x000000013FF40000-0x0000000140291000-memory.dmp

C:\Windows\system\KfIHNPb.exe

MD5 2ee425713443af5150f131e8c9bb3198
SHA1 c5c1eefeb349497f8a2b82f8fdfa412f04e4650e
SHA256 3d3ede725e15fa756d8b58b852cc749e7b6bb45552902ab303b53aa154c6494e
SHA512 26206b8404500fe7f9e3cc9e975e84b4163fac3331583a1a500c2f9bdefad786a4b99b0d4708ef3b6d6c2e5f361705c438b2b48b4de7ca873518fa7e9c61e011

C:\Windows\system\tDFSsUX.exe

MD5 d5a429db62746413e000f6693b1473f5
SHA1 b3be8d3f9181a4754db767adb6a9a501c8b36651
SHA256 712922a1956d5d4c8b6c976079e8d8b8f9adb11016b0a739976a5b59313a45bb
SHA512 94204802c55a3daf84b8aca704967ae78566705f975a18cc3d8f55162604cd48f766e30b5e7d8d44bf0d22e7f52fc9a3f64bf5185f03a5691410e082bac75769

C:\Windows\system\vhXRwog.exe

MD5 98475f24f11c407311fd055dd506e2ad
SHA1 0ae2186eb6a56f0e203c1bfe6d8ff9ff71bea791
SHA256 bcfb245bcff01de1bb9602cba4f54a83553546a61cf32507dde40743d4b0a7cf
SHA512 1e603ff001b8a30993e47f5c75f3ee1ed4d5fa49f66b22242e6d7f7c0cb686981f278f9eca67bb5ddda5f36e33981f07accbd0dd73db08e9926a9d147ca9cba8

C:\Windows\system\bORpSRW.exe

MD5 76b23e41c074168c211881d2f41bfe2f
SHA1 79224f3a0a238f7f846938033ac410558e3f0259
SHA256 c7192469d2814993e62554993d005d057cd99c09b0f69a9a89baf8465185f6e0
SHA512 d3dc0cf780eed11d3241edbfd0afb2745a5fd8f4e15a46dc2ccf009cd466fd05ad78bd1b960b253aa025e639c25b110230e469ecb8284d7b53510482ef9dbb33

memory/2908-78-0x000000013F9E0000-0x000000013FD31000-memory.dmp

memory/632-77-0x000000013F9E0000-0x000000013FD31000-memory.dmp

memory/2556-71-0x000000013F3C0000-0x000000013F711000-memory.dmp

memory/2784-70-0x000000013FF20000-0x0000000140271000-memory.dmp

C:\Windows\system\sZbjdvk.exe

MD5 a7a4a1fcd0f201d14d711a1807ecf5fa
SHA1 85bdc6f709e3b2d512d4324e6e01a3dff3bd00b3
SHA256 c4aa0244f1968b9e216d0626b1fe1a56b13138cc5a8012dd9f0c2409ec60007e
SHA512 41811b4760ccca7922afdafaec5b9d09bfc581ef71beadec0c3b76cc84b10ded4addc8e7a7ff30df6a95423dd31c19d6f9371beabb32701fdb92c55ad09bd342

memory/632-67-0x000000013F3C0000-0x000000013F711000-memory.dmp

memory/2676-66-0x000000013FAD0000-0x000000013FE21000-memory.dmp

memory/2540-53-0x000000013F1F0000-0x000000013F541000-memory.dmp

memory/2528-50-0x000000013F900000-0x000000013FC51000-memory.dmp

\Windows\system\vuJzdUb.exe

MD5 13f01bcd5fc1b40992fcbbd7b64a5a29
SHA1 c016232f3668282f3880df1f18091312c8dbbca4
SHA256 914534289962777180b1e384c6ca3fa42ee5bcd8c7a7c3ff1ed3669961e2f055
SHA512 1043789a5ff55b77644c1478369d6abe3cf054f34ec6b0cc3245bc65ef2b0cba8870831f74aecb2e3f70ae768d06598b8983eaf891b5cccad8e8bd8b6a07ccb5

\Windows\system\TrdMPLm.exe

MD5 3062fa3cabf4505881f98be22519bf18
SHA1 88766790c014a72dc23667f7be5ea24516e0c5f6
SHA256 5e472641355c67867616cb8b670fcdb6c302445c615fc8727473981be4195a21
SHA512 020a1806205a0ec4a214500df5a99d45829b17ab2b146f3a441a0d2edc6278524bc05f3a04e71d8d13e343b397bb8151fe65207a8a1554d307004dd658f2ca57

memory/2536-60-0x000000013F320000-0x000000013F671000-memory.dmp

memory/632-59-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/632-56-0x000000013FAD0000-0x000000013FE21000-memory.dmp

memory/632-47-0x000000013F900000-0x000000013FC51000-memory.dmp

memory/632-45-0x000000013F1F0000-0x000000013F541000-memory.dmp

C:\Windows\system\YyKvFul.exe

MD5 ca5e6afff1ac129ed8b4c88702c6fff4
SHA1 6c7b206f84874f429dbe30bf643ef199a658814c
SHA256 4acc6f4bb9b4b8d0c5dd594a6309aaf5eba4feb4e278f1446faf2cca3c2336d2
SHA512 cb4eb999a21f6f417ef5f2f3803654f01c246d33d8cd14c8f4fc1aad3b7d008cde9370c71c35759a812cdfd6d70a87c0f69e21099afeecd24efdf683be089e45

memory/2620-43-0x000000013FCC0000-0x0000000140011000-memory.dmp

memory/2540-139-0x000000013F1F0000-0x000000013F541000-memory.dmp

memory/632-140-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/2536-149-0x000000013F320000-0x000000013F671000-memory.dmp

memory/3020-156-0x000000013F810000-0x000000013FB61000-memory.dmp

memory/1952-154-0x000000013F320000-0x000000013F671000-memory.dmp

memory/800-155-0x000000013F620000-0x000000013F971000-memory.dmp

memory/2540-146-0x000000013F1F0000-0x000000013F541000-memory.dmp

memory/1908-157-0x000000013FB40000-0x000000013FE91000-memory.dmp

memory/2356-160-0x000000013FBC0000-0x000000013FF11000-memory.dmp

memory/572-161-0x000000013F500000-0x000000013F851000-memory.dmp

memory/1924-159-0x000000013FA80000-0x000000013FDD1000-memory.dmp

memory/2876-158-0x000000013FDC0000-0x0000000140111000-memory.dmp

memory/632-162-0x000000013F3C0000-0x000000013F711000-memory.dmp

memory/632-163-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/632-173-0x000000013F9E0000-0x000000013FD31000-memory.dmp

memory/632-186-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

memory/2240-212-0x000000013FD40000-0x0000000140091000-memory.dmp

memory/2188-211-0x000000013F2E0000-0x000000013F631000-memory.dmp

memory/2784-214-0x000000013FF20000-0x0000000140271000-memory.dmp

memory/2812-218-0x000000013FF40000-0x0000000140291000-memory.dmp

memory/2620-217-0x000000013FCC0000-0x0000000140011000-memory.dmp

memory/2528-220-0x000000013F900000-0x000000013FC51000-memory.dmp

memory/2676-222-0x000000013FAD0000-0x000000013FE21000-memory.dmp

memory/2556-224-0x000000013F3C0000-0x000000013F711000-memory.dmp

memory/2908-226-0x000000013F9E0000-0x000000013FD31000-memory.dmp

memory/1528-243-0x000000013F2A0000-0x000000013F5F1000-memory.dmp

memory/748-241-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

memory/2536-253-0x000000013F320000-0x000000013F671000-memory.dmp

memory/2540-255-0x000000013F1F0000-0x000000013F541000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 20:55

Reported

2024-08-14 20:56

Platform

win10v2004-20240802-en

Max time kernel

31s

Max time network

32s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\geZEGgN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GCKFVpn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vHjBwxY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aXRONmd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mWlmsRJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IpNxCBF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mLKmvBO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\APLPRgZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QONRLJy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pMPjjwx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DpCCfRP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vTqXGQb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kykyyiV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CwhINWF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EzpwROt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jRBDmyz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tpjBBiC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FanvDaJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WcIsxNn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vtgBWIZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vzSydhR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1872 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vTqXGQb.exe
PID 1872 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vTqXGQb.exe
PID 1872 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FanvDaJ.exe
PID 1872 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FanvDaJ.exe
PID 1872 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aXRONmd.exe
PID 1872 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aXRONmd.exe
PID 1872 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mWlmsRJ.exe
PID 1872 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mWlmsRJ.exe
PID 1872 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CwhINWF.exe
PID 1872 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CwhINWF.exe
PID 1872 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EzpwROt.exe
PID 1872 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EzpwROt.exe
PID 1872 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vzSydhR.exe
PID 1872 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vzSydhR.exe
PID 1872 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jRBDmyz.exe
PID 1872 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jRBDmyz.exe
PID 1872 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\geZEGgN.exe
PID 1872 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\geZEGgN.exe
PID 1872 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tpjBBiC.exe
PID 1872 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tpjBBiC.exe
PID 1872 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GCKFVpn.exe
PID 1872 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GCKFVpn.exe
PID 1872 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vHjBwxY.exe
PID 1872 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vHjBwxY.exe
PID 1872 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IpNxCBF.exe
PID 1872 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IpNxCBF.exe
PID 1872 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WcIsxNn.exe
PID 1872 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WcIsxNn.exe
PID 1872 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mLKmvBO.exe
PID 1872 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mLKmvBO.exe
PID 1872 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\APLPRgZ.exe
PID 1872 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\APLPRgZ.exe
PID 1872 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vtgBWIZ.exe
PID 1872 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vtgBWIZ.exe
PID 1872 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QONRLJy.exe
PID 1872 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QONRLJy.exe
PID 1872 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pMPjjwx.exe
PID 1872 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pMPjjwx.exe
PID 1872 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DpCCfRP.exe
PID 1872 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DpCCfRP.exe
PID 1872 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kykyyiV.exe
PID 1872 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kykyyiV.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_4165a1f06aee4e58abb87ffc03f02c42_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\vTqXGQb.exe

C:\Windows\System\vTqXGQb.exe

C:\Windows\System\FanvDaJ.exe

C:\Windows\System\FanvDaJ.exe

C:\Windows\System\aXRONmd.exe

C:\Windows\System\aXRONmd.exe

C:\Windows\System\mWlmsRJ.exe

C:\Windows\System\mWlmsRJ.exe

C:\Windows\System\CwhINWF.exe

C:\Windows\System\CwhINWF.exe

C:\Windows\System\EzpwROt.exe

C:\Windows\System\EzpwROt.exe

C:\Windows\System\vzSydhR.exe

C:\Windows\System\vzSydhR.exe

C:\Windows\System\jRBDmyz.exe

C:\Windows\System\jRBDmyz.exe

C:\Windows\System\geZEGgN.exe

C:\Windows\System\geZEGgN.exe

C:\Windows\System\tpjBBiC.exe

C:\Windows\System\tpjBBiC.exe

C:\Windows\System\GCKFVpn.exe

C:\Windows\System\GCKFVpn.exe

C:\Windows\System\vHjBwxY.exe

C:\Windows\System\vHjBwxY.exe

C:\Windows\System\IpNxCBF.exe

C:\Windows\System\IpNxCBF.exe

C:\Windows\System\WcIsxNn.exe

C:\Windows\System\WcIsxNn.exe

C:\Windows\System\mLKmvBO.exe

C:\Windows\System\mLKmvBO.exe

C:\Windows\System\APLPRgZ.exe

C:\Windows\System\APLPRgZ.exe

C:\Windows\System\vtgBWIZ.exe

C:\Windows\System\vtgBWIZ.exe

C:\Windows\System\QONRLJy.exe

C:\Windows\System\QONRLJy.exe

C:\Windows\System\pMPjjwx.exe

C:\Windows\System\pMPjjwx.exe

C:\Windows\System\DpCCfRP.exe

C:\Windows\System\DpCCfRP.exe

C:\Windows\System\kykyyiV.exe

C:\Windows\System\kykyyiV.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp

Files

memory/1872-0-0x00007FF6F8190000-0x00007FF6F84E1000-memory.dmp

memory/1872-1-0x000002BD31EF0000-0x000002BD31F00000-memory.dmp

C:\Windows\System\vTqXGQb.exe

MD5 47ed28fd87d628ac4324c404bc899db9
SHA1 585f23131f1f337cbb1afa3f89d05df66b0cc42b
SHA256 424e9c2cc22121adca9a2764838cfe968ac1d94bbfe1a176d9c6282351de6518
SHA512 897b2f24724375cedb2713c2990f61196bb8d9fb304ed4879b24984e504bd3c3dfa7adb90b9090fc1696c9f9c3d9b2b36faa358a39533e463824d7e233c345a6

memory/4960-7-0x00007FF62A6D0000-0x00007FF62AA21000-memory.dmp

C:\Windows\System\FanvDaJ.exe

MD5 b90e27e4704f0c6407924656e2147547
SHA1 004ce32e4814ea9976690466d7453cefb4ace448
SHA256 438a3f965c63c97edcc2149acff138e5768ba3f4c6986becd3e84ab230a15842
SHA512 1ee87671dc7db70f37b2700ed8a48812a82e100f36e16dc024efb59f04f0e1657dab001e72c6352fb3ab90681dc5fef93044428898f31f8dc282e39a5b0f4f5b

C:\Windows\System\aXRONmd.exe

MD5 1de9c2cbcac67f5dcbe2f93b225d2487
SHA1 b44beb2c7bc888b47caee7f4de9f4c8b4e9fe21f
SHA256 ba15fb8ede40a32641db55824e9d44f38c1ac29553b031f7e9d3b72f61c7ed1a
SHA512 3eb73f935f8d59fb93fd72f7771132f837d13a227eaecfe3b03c5577ec67d472207f1c9e18555293a19ae1982d697e74bda2475a49f557fc60e57012c76a690e

memory/1216-14-0x00007FF680F20000-0x00007FF681271000-memory.dmp

memory/3236-18-0x00007FF6E8D60000-0x00007FF6E90B1000-memory.dmp

C:\Windows\System\mWlmsRJ.exe

MD5 4ebc0e3723c7d3094725b43a9de46f08
SHA1 a3364163214ffc3f0444244aaa282f570f1f4061
SHA256 cf01b50583a7a593adbbaa7a83751b9bf4d7d522322219672243b7b61a960fab
SHA512 ac942ea122ab1b0702868605a4c3a39a67d5d91a91105e8fad3f9df59e4d879d745587d516d16382b586420c4015f76b9e4e853f0099516eb8e07fd1f3b1305d

C:\Windows\System\CwhINWF.exe

MD5 db8dc286d8d5770a838334d037630040
SHA1 6c7d8c15a5fb8a837f72125cf0c62a41553d7d67
SHA256 9bd557e7563864d4d05cc69eea59f3154c82e81d109ff5f40e09455add6fe3c2
SHA512 498b49f2d6971ca2dd87f0bde72caee942046683af5337eb42f48414b0f8b143a283b3541f39ce8dc0beb064abecb8f448c4a3f89093c2b72400755f6a88f803

memory/4364-32-0x00007FF618C30000-0x00007FF618F81000-memory.dmp

memory/2556-31-0x00007FF63E5C0000-0x00007FF63E911000-memory.dmp

C:\Windows\System\EzpwROt.exe

MD5 3b7befce63e335f3f87b1c92a1b630a9
SHA1 8d65da27af509d15e0940afa1dd3f0fa90ce6397
SHA256 9575d637551a3f893f6a2ed988c271e27048abcf02d0e47a4a547585c4337818
SHA512 27db4e0e970740e64eb7642dbfc600c957afc0edef761373e06f42e429c6c3c3036a76600a95d771fa8c9505868ff5abf64e66c7825a93792c11ff44dc5c67b0

C:\Windows\System\vzSydhR.exe

MD5 024cc7e932a68ca2b300446649bc60eb
SHA1 7f1f987e504258d8f6858a77739481381f8609b7
SHA256 c725239d6970e2715f1b2897b9f1b0f4e52023bb303429386cb2e21778da6996
SHA512 889be61650dc7e164ecb64cada129b33159724c281da89f2fd4d978356f4767603da22265d4702304bfe93192345758a0e3ac6762f1101a3a7439e26879d2433

C:\Windows\System\jRBDmyz.exe

MD5 0358b1380434d9f26190aa593e719c16
SHA1 6eff36a8859258ea86e2571610d5eeb37a819f23
SHA256 fca93d6e67d461efabb90d71eb0c598a335cd2254f552cee2a7382a96d3581b9
SHA512 ffedec55f8589c1fb94625ef1c0ef9457bfe049c317fe9a6d74bdcad45801439dd7483041ae12c64033f0594b33190ef478170721d4802e039d6c89b6defe066

C:\Windows\System\geZEGgN.exe

MD5 10aa5fbe514507899a97c17a35faa530
SHA1 57a16a0aee11fdf0e99341eab2a933768ca9a131
SHA256 5912d43f45a673de7df8054454ce70d5cb0ba0f1d4e911195b025efcfe411b0d
SHA512 4ebfe58f38978230e2403dfe78d33b3181744d553face28ef47cfe27a9bca2359450c6c1f5cda206ce5da288c2d3a089a092790073496378a36d6386c6898b12

C:\Windows\System\tpjBBiC.exe

MD5 291d0b4b18ea97d19cc984a2f4d2af4d
SHA1 908e530019b4d45ee7e66645e591df4b4e334067
SHA256 1df4bec4f33ad1f5007bbb825f41308923474acb183c2bfb20dcb03c9444d180
SHA512 9c154a9a3159e61490e5477a6682b9b40df3c3f7c37b55040b70675c73e0e9f654ed4c87db9957836ce07572a82b3efbd6ef18cb2902f096d3a36f511cca191d

memory/5020-53-0x00007FF637E70000-0x00007FF6381C1000-memory.dmp

memory/2072-50-0x00007FF7EF5E0000-0x00007FF7EF931000-memory.dmp

memory/3080-47-0x00007FF746820000-0x00007FF746B71000-memory.dmp

memory/2720-36-0x00007FF61F270000-0x00007FF61F5C1000-memory.dmp

memory/1468-61-0x00007FF672500000-0x00007FF672851000-memory.dmp

C:\Windows\System\GCKFVpn.exe

MD5 8db233dacc21a92f17c5121a26d70133
SHA1 abe681cd129e3a1e863419ea2e0f6279351e7a72
SHA256 be22c373812f972b9cebffcc1c184069a695df4134a87f67aacde3a1aedd97b0
SHA512 03cdf44cf14f29470b4f85f63acf93c719f9b647526b3a2e98f13a11c85f056b1eab93b90644174bb349a2ebb883db30388effaeea533be5a423e227d2ee5f46

memory/1872-68-0x00007FF6F8190000-0x00007FF6F84E1000-memory.dmp

C:\Windows\System\vHjBwxY.exe

MD5 9f62c65f3a0df91eb61c1a906c4b1dde
SHA1 a3f884f886e0b8182dfe8f2daecf6f5a60df0fae
SHA256 daff8093786638d7a7bba31baf2390cd62b6290e471dda2dd7a8874279ccf995
SHA512 594570459c15b1fba0f171fba6f5ba7c2b9af1ae63a6997921cc378a5751d88ea922869988a5969ddfab8df5095e78164020d74184459339738308872836a728

memory/4412-71-0x00007FF67ABF0000-0x00007FF67AF41000-memory.dmp

memory/1840-78-0x00007FF63AC50000-0x00007FF63AFA1000-memory.dmp

memory/392-82-0x00007FF7DDBF0000-0x00007FF7DDF41000-memory.dmp

C:\Windows\System\IpNxCBF.exe

MD5 e6851fc9c0d72b8004dcfbcbbf5a1b6e
SHA1 0a4a63bab37bee67dd47fba96ac5ef9b8cc60abf
SHA256 772bd8865dbeab000bd06bd55462c5a7b3f5398341c546067f15bebd2de0ea69
SHA512 170cfb2920d4a7b94762db4bf89e15c586d7ff58efd903e9b864f0103b3a29ab12988805de9c6902acdb5231304e90767760c91e00dafa97b51eb83d31fc1fb1

memory/4960-75-0x00007FF62A6D0000-0x00007FF62AA21000-memory.dmp

C:\Windows\System\WcIsxNn.exe

MD5 4170c99e32e4d648409ff8688030c77e
SHA1 3e63598c0f5449371851d558731a3de6844b0a01
SHA256 5564c2b3d293beaa68cf08d76a61c4fc3d4dd2e969569332e5b4f682a4d6c25d
SHA512 995835e1eee16b35d68546c6e6c3ade0c3e76ca6c0d2381e0de48f65e659fd030e17c0b3aa5e019d12cefc7e1fdd91dbe5af8ac6fe44da822fe89f408f946d91

C:\Windows\System\mLKmvBO.exe

MD5 c75b192bc3e40a1f2455a78ead9eb71f
SHA1 136500a04860253a09b5a00556c42fbd207c87b8
SHA256 e118b5813b4306968d998ed171e47673c212fa7d0ec1f05f3a09964d951c27ce
SHA512 7ea4f0f87c734945e547e02212c3bea46322dbd28c8f23598d0e0de03744fdf9764d39855aede7b881fe130dbf43f8d9a5aaf164f72a54a4c834c35a4be7096a

memory/232-91-0x00007FF688DB0000-0x00007FF689101000-memory.dmp

memory/3236-89-0x00007FF6E8D60000-0x00007FF6E90B1000-memory.dmp

memory/1816-95-0x00007FF7F3EC0000-0x00007FF7F4211000-memory.dmp

C:\Windows\System\vtgBWIZ.exe

MD5 f567412264d27756ea3b9ca7df12e6d2
SHA1 53ba3c7087cc7a7184a3393f2b85f1a4a9da1d7c
SHA256 a63c4654060b107082fb21fff2b04b8f6d23e4a4bf4ec0c47d91b2e90ec484ce
SHA512 298c2817aaea85c7b4f2f13bc46d2c5b12c06232bd404726aafeda1e3f49d832725b3a1796b4815c95dc84272918d39e4404b6502a4fe693cafafc41e72466a1

C:\Windows\System\kykyyiV.exe

MD5 5920368aba0670a62ce1dfe89e499d96
SHA1 a210c8be90f0b25d62086d431736b967f288aeef
SHA256 e6ccd58376dfaa99f0156014ba1e7c68e5819829c3f98004f061cd18c5309280
SHA512 49cf2c69891094717d5a8e1bc0cf40f91a5664036be65fe0abb9b2263de443fcb726bdc39f9089872baedd588c8611b7ad28dc35b9969820329def5284a819ac

C:\Windows\System\DpCCfRP.exe

MD5 9d49674b72a9cdbc99dd536e71715ceb
SHA1 79cc4b92dd2ce3a694c1f4496925e624af4d486b
SHA256 29920fefc3bec4426f83f5c66bce3138d102a14859c7d0ceaa5fe0c9fa29a97d
SHA512 f1fc452d0f3ceeab1b5e44eaf95f5bf7e655b127187c0ff6d5b3afa51370a729b29805115b67748ed2412a23a91f727ce31b041671d75b8f6e8cba9895cb7556

memory/3156-126-0x00007FF755720000-0x00007FF755A71000-memory.dmp

memory/3256-130-0x00007FF7C3BC0000-0x00007FF7C3F11000-memory.dmp

memory/5020-131-0x00007FF637E70000-0x00007FF6381C1000-memory.dmp

memory/2072-129-0x00007FF7EF5E0000-0x00007FF7EF931000-memory.dmp

memory/2148-124-0x00007FF7BF890000-0x00007FF7BFBE1000-memory.dmp

memory/2720-123-0x00007FF61F270000-0x00007FF61F5C1000-memory.dmp

C:\Windows\System\pMPjjwx.exe

MD5 4e818245729209739fb53c76882d30a4
SHA1 addcbac835c88fc498740e9ec6985de91828f99d
SHA256 0e0c2713bbecd266815c4b020583ed924d47f9dea3a194cdcb4efcc0762baf99
SHA512 ef01dee57e0fb489a0867cbdd84f3227956e3116452ba6885ef06f253969618b2660d023771a65244005fa3310e51e6fdf935e5f5fd0df36907da851b03f5193

memory/1656-116-0x00007FF703C20000-0x00007FF703F71000-memory.dmp

memory/2236-113-0x00007FF7E7140000-0x00007FF7E7491000-memory.dmp

C:\Windows\System\QONRLJy.exe

MD5 ae9793edfa37ebc7850bd9fc46304e2b
SHA1 c06e1e94ea8031544a0e2e429f3dc93bcb7e2a82
SHA256 b7f3cf15bbf375009d27dae80d9ed2683f51c5ea6b7642938c33063b21b97108
SHA512 44724d92b8e5e222ea27ec47a9c68af79fdce5f447f8c49859fd929d5008c2426130c2013fd4611aa414503d13b99a54a2e21d5daca084f0be539274e5f57225

memory/944-107-0x00007FF7B6F20000-0x00007FF7B7271000-memory.dmp

C:\Windows\System\APLPRgZ.exe

MD5 48cbbe39c13647a41d8687861f06dcd6
SHA1 81565e7be40cf86e9a2e38f9d103330e01892f17
SHA256 29bf270609967bdd35371443e839b4664e42f1a1f8ecfd4ff03befae4f682da4
SHA512 56a8f473f869331262d9cba3fe31c7e2876139b9c6f7e3024b0635adf1e341e480ead53645a5f4b3d4fe2892d8db2d038762771f1f7771f7994f407e2204d100

memory/1872-134-0x00007FF6F8190000-0x00007FF6F84E1000-memory.dmp

memory/1840-145-0x00007FF63AC50000-0x00007FF63AFA1000-memory.dmp

memory/2236-152-0x00007FF7E7140000-0x00007FF7E7491000-memory.dmp

memory/1656-154-0x00007FF703C20000-0x00007FF703F71000-memory.dmp

memory/3256-156-0x00007FF7C3BC0000-0x00007FF7C3F11000-memory.dmp

memory/3156-155-0x00007FF755720000-0x00007FF755A71000-memory.dmp

memory/1816-150-0x00007FF7F3EC0000-0x00007FF7F4211000-memory.dmp

memory/1872-157-0x00007FF6F8190000-0x00007FF6F84E1000-memory.dmp