Malware Analysis Report

2025-03-15 08:00

Sample ID 240814-zr4b5atgpe
Target 2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat
SHA256 d99377a546391844c7a4e9917b86ee6d316fceaee76a6ee7cfda39786332d387
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

d99377a546391844c7a4e9917b86ee6d316fceaee76a6ee7cfda39786332d387

Threat Level: Known bad

The file 2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobalt Strike reflective loader

Cobaltstrike

xmrig

XMRig Miner payload

Xmrig family

Cobaltstrike family

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-14 20:58

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows)

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 20:57

Reported

2024-08-14 21:00

Platform

win7-20240704-en

Max time kernel

142s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (35 identical rows)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe N/A (21 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (59 identical rows)

Drops file in Windows directory

Description Indicator Process Target
Every row has Description "File created", Target N/A and Process C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe. The Indicator column (the file created), 21 rows as listed:

C:\Windows\System\kJuSAAh.exe
C:\Windows\System\fPYONeV.exe
C:\Windows\System\voTbKCj.exe
C:\Windows\System\ygBcHFm.exe
C:\Windows\System\uzPBMEb.exe
C:\Windows\System\oNczCmu.exe
C:\Windows\System\djidzbK.exe
C:\Windows\System\hBzHvwN.exe
C:\Windows\System\gDxENbN.exe
C:\Windows\System\reMTGcD.exe
C:\Windows\System\nCzXvto.exe
C:\Windows\System\dpDFlAG.exe
C:\Windows\System\Rpgjbrp.exe
C:\Windows\System\NCdAmXU.exe
C:\Windows\System\PlXokHj.exe
C:\Windows\System\vEYbZRh.exe
C:\Windows\System\FhkdbEG.exe
C:\Windows\System\rAKCtgP.exe
C:\Windows\System\zvRSPIJ.exe
C:\Windows\System\ZiYUZAv.exe
C:\Windows\System\DYEsBDF.exe

All 21 names are seven mixed-case letters written directly into C:\Windows\System\, the legacy directory rather than System32 or SysWOW64 where Windows and installers place executables. A file-creation rule on that directory combined with a random-name check is a cheap host detection for this family of droppers.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Every row has Indicator N/A and Process C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe (PID 1952); each Description/Target pair appears in three identical consecutive rows (63 rows in all). Collapsed to one row per target, in the order listed:

Target PID Target
2440 C:\Windows\System\rAKCtgP.exe
2300 C:\Windows\System\zvRSPIJ.exe
2568 C:\Windows\System\gDxENbN.exe
2452 C:\Windows\System\fPYONeV.exe
2496 C:\Windows\System\reMTGcD.exe
1036 C:\Windows\System\voTbKCj.exe
2460 C:\Windows\System\ygBcHFm.exe
2176 C:\Windows\System\nCzXvto.exe
2828 C:\Windows\System\uzPBMEb.exe
3068 C:\Windows\System\ZiYUZAv.exe
2744 C:\Windows\System\Rpgjbrp.exe
2892 C:\Windows\System\dpDFlAG.exe
2640 C:\Windows\System\DYEsBDF.exe
2888 C:\Windows\System\oNczCmu.exe
2724 C:\Windows\System\djidzbK.exe
2612 C:\Windows\System\NCdAmXU.exe
2644 C:\Windows\System\kJuSAAh.exe
2732 C:\Windows\System\vEYbZRh.exe
1300 C:\Windows\System\hBzHvwN.exe
2212 C:\Windows\System\PlXokHj.exe
2628 C:\Windows\System\FhkdbEG.exe

The only writer is the sample itself, and every write target is one of the executables it had just dropped (compare the Processes list): the report records no writes into an unrelated, pre-existing process, so this table documents the sample launching its own drops rather than injection into a third-party process.
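The two tables above (the file drops and the WriteProcessMemory rows) can be turned into a process tree and a drop list with a few lines of parsing. The script below is an added example written for this page; it is not sandbox output and not code belonging to the sample. It reproduces a subset of the rows above with the dropper path factored into a constant, reconstructs which dropped file each child PID corresponds to, collapses the triplicated write rows into a per-child count, and flags the seven-letter names under C:\Windows\System\. The name-pattern regex is my own heuristic for this sample, not a signature from the report.

```python
import re
from collections import defaultdict

# The dropper's path exactly as it appears in every row of both tables above.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe")

# Subset of rows reproduced from the "Drops file in Windows directory" and
# "Suspicious use of WriteProcessMemory" tables above; the sandbox logs three
# identical WriteProcessMemory rows per child. {d} stands for DROPPER.
SAMPLE_ROWS = r"""
File created C:\Windows\System\kJuSAAh.exe {d} N/A
File created C:\Windows\System\rAKCtgP.exe {d} N/A
File created C:\Windows\System\zvRSPIJ.exe {d} N/A
PID 1952 wrote to memory of 2440 N/A {d} C:\Windows\System\rAKCtgP.exe
PID 1952 wrote to memory of 2440 N/A {d} C:\Windows\System\rAKCtgP.exe
PID 1952 wrote to memory of 2440 N/A {d} C:\Windows\System\rAKCtgP.exe
PID 1952 wrote to memory of 2300 N/A {d} C:\Windows\System\zvRSPIJ.exe
PID 1952 wrote to memory of 2300 N/A {d} C:\Windows\System\zvRSPIJ.exe
PID 1952 wrote to memory of 2300 N/A {d} C:\Windows\System\zvRSPIJ.exe
PID 1952 wrote to memory of 2644 N/A {d} C:\Windows\System\kJuSAAh.exe
PID 1952 wrote to memory of 2644 N/A {d} C:\Windows\System\kJuSAAh.exe
PID 1952 wrote to memory of 2644 N/A {d} C:\Windows\System\kJuSAAh.exe
""".format(d=DROPPER)

# Row shapes: "File created <path> <process> <target>" and
# "PID <src> wrote to memory of <dst> <indicator> <process> <target>".
DROP_RE = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+) (?P<target>\S+)$")
WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
                    r"(?P<indicator>\S+) (?P<proc>\S+) (?P<target>\S+)$")
# My heuristic for this sample's naming scheme (assumption, not a report
# signature): seven letters directly under the legacy C:\Windows\System.
RANDOM_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse_rows(text):
    """Return ([(process, created_path)], [(src_pid, dst_pid, process, target)])."""
    drops, writes = [], []
    for line in text.splitlines():
        line = line.strip()
        m = DROP_RE.match(line)
        if m:
            drops.append((m["proc"], m["path"]))
            continue
        m = WPM_RE.match(line)
        if m:
            writes.append((int(m["src"]), int(m["dst"]), m["proc"], m["target"]))
    return drops, writes


def process_tree(writes):
    """Map parent PID -> {child PID: (child image, number of write events)}."""
    tree = defaultdict(dict)
    for src, dst, _proc, target in writes:
        image, n = tree[src].get(dst, (target, 0))
        tree[src][dst] = (image, n + 1)
    return dict(tree)


def random_named_drops(drops):
    """Dropped paths that match the seven-letter C:\\Windows\\System pattern."""
    return [path for _proc, path in drops if RANDOM_NAME_RE.match(path)]


def summarize(text):
    """Cross-reference drops with launches: what was dropped, what was run."""
    drops, writes = parse_rows(text)
    tree = process_tree(writes)
    dropped = {path for _proc, path in drops}
    launched = {image for children in tree.values() for image, _n in children.values()}
    return {
        "dropped": len(dropped),
        "random_named": len(random_named_drops(drops)),
        "parents": sorted(tree),
        "children": sum(len(c) for c in tree.values()),
        "dropped_and_launched": sorted(dropped & launched),
        "never_launched": sorted(dropped - launched),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

Run against the full tables the summary should report a single parent (1952), 21 children, 21 random-named drops and an empty never_launched list, which is the quickest way to confirm that every file the sample wrote was also executed.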

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe
started as "C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe" (no arguments)

The 21 dropped executables, each started with its bare path as the command line and no arguments, in the order listed:

C:\Windows\System\rAKCtgP.exe
C:\Windows\System\zvRSPIJ.exe
C:\Windows\System\gDxENbN.exe
C:\Windows\System\fPYONeV.exe
C:\Windows\System\reMTGcD.exe
C:\Windows\System\voTbKCj.exe
C:\Windows\System\ygBcHFm.exe
C:\Windows\System\nCzXvto.exe
C:\Windows\System\uzPBMEb.exe
C:\Windows\System\ZiYUZAv.exe
C:\Windows\System\Rpgjbrp.exe
C:\Windows\System\dpDFlAG.exe
C:\Windows\System\DYEsBDF.exe
C:\Windows\System\oNczCmu.exe
C:\Windows\System\djidzbK.exe
C:\Windows\System\NCdAmXU.exe
C:\Windows\System\kJuSAAh.exe
C:\Windows\System\vEYbZRh.exe
C:\Windows\System\hBzHvwN.exe
C:\Windows\System\PlXokHj.exe
C:\Windows\System\FhkdbEG.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none) tcp (6 identical rows)

No domain was recorded for any of the six connections: the sample reaches the address directly on TCP/8080, so DNS-based blocking would not have stopped it. The table does not record which of the 22 processes made the connections.
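To pivot from the address above into network telemetry, the check below matches the destination from the Network table against Zeek conn.log rows and estimates the beaconing interval per source host. This is an added example, not part of the report or of any vendor tooling. The conn.log lines are constructed for the example (the 10.0.0.0/8 and 192.0.2.0/24 hosts and the timestamps are invented), and Zeek's #fields header is relied on for column order.

```python
import statistics
from collections import defaultdict

# C2 endpoint from the behavioral1 Network table above: (resp_h, resp_p, proto).
C2_ENDPOINTS = {("3.120.209.58", 8080, "tcp")}

# Constructed Zeek conn.log excerpt (not from the report). Column order comes
# from the #fields line, as in a real conn.log; hosts and times are invented.
CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
1723669020.101\tCxA1\t10.0.0.5\t49713\t3.120.209.58\t8080\ttcp\t-\t2.1\t312\t1024\tSF
1723669080.244\tCxA2\t10.0.0.5\t49720\t3.120.209.58\t8080\ttcp\t-\t1.9\t312\t1024\tSF
1723669100.500\tCxB1\t10.0.0.7\t51000\t192.0.2.10\t443\ttcp\tssl\t0.4\t500\t9000\tSF
1723669140.198\tCxA3\t10.0.0.5\t49731\t3.120.209.58\t8080\ttcp\t-\t2.0\t312\t1024\tSF
1723669200.303\tCxA4\t10.0.0.5\t49740\t3.120.209.58\t8080\ttcp\t-\t2.2\t312\t1024\tSF
"""


def parse_conn_log(text):
    """Parse Zeek TSV using its #fields header; returns a list of dict rows."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("conn.log has no #fields header")
        rec = dict(zip(fields, line.split("\t")))
        rec["ts"] = float(rec["ts"])
        rec["id.resp_p"] = int(rec["id.resp_p"])
        rows.append(rec)
    return rows


def c2_hits(rows, endpoints=C2_ENDPOINTS):
    """Rows whose destination (host, port, proto) is a known C2 endpoint."""
    return [r for r in rows if (r["id.resp_h"], r["id.resp_p"], r["proto"]) in endpoints]


def beacon_stats(hits):
    """Per source host: connection count and median gap between connections (s).

    A small, stable median gap across many connections is the beacon shape;
    jittered beacons widen the spread but keep the median near the base sleep.
    """
    by_src = defaultdict(list)
    for r in hits:
        by_src[r["id.orig_h"]].append(r["ts"])
    stats = {}
    for host, ts in by_src.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        stats[host] = {
            "count": len(ts),
            "median_gap": statistics.median(gaps) if gaps else None,
        }
    return stats


if __name__ == "__main__":
    hits = c2_hits(parse_conn_log(CONN_LOG))
    for host, s in beacon_stats(hits).items():
        print(f"{host}: {s['count']} connections to C2, median gap {s['median_gap']:.1f}s")
```

The invented timestamps were chosen roughly 60 seconds apart, which is Cobalt Strike's default beacon sleep; on real data the interval is whatever the operator configured, and the report itself records only that six connections occurred during the 144-second run.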

Files

memory/1952-0-0x000000013FE20000-0x0000000140171000-memory.dmp

memory/1952-1-0x00000000000F0000-0x0000000000100000-memory.dmp

C:\Windows\system\zvRSPIJ.exe

MD5 8fd86c87c4dcf9996571c099377464d2
SHA1 b597873b96d5d314434c3aae7e4175ee18de3b5a
SHA256 321394c5456f13efd2f1af3618232ffd7cbd27843f7d5e4509f0f8e84d6f909f
SHA512 7fdf2239bd662771d6c5d6b06c51c0565e2ed31459a8bbc9d489166e5b22db2646bcfec8ac2d69c73c74136fbc2359ebb17ae99ba9a7e03b540136a02e44233a

\Windows\system\uzPBMEb.exe

MD5 3ae4f93bf930b684f4012f72b796478e
SHA1 a4c57dbb0ace96c5b89694b23563f4f7e32242c4
SHA256 fb1303f88c61a8350924245a51ba781a273a16cc67dd87104288ece78a1ce20e
SHA512 f4c76a60bf3226e6f6aeb44d0ecf95bcbe35d497d5aa70d3e417badd01a364ceccca3f3f8f730e6603ba3fed4f7f80e829d98b627c3fcf30029cc76ff7105524

\Windows\system\PlXokHj.exe

MD5 18e41c75b2737f2b4f8af4a22a762d26
SHA1 6ce410d502301b177d522f66dda2f0d7a4b85289
SHA256 13a1a16c251d769604ac51a59a6b1cf65159150dfe1e753ccbc3a0a3656fd32b
SHA512 5c36b2c3d771f67ea7b8ea8e7021dc734599cb8fb095a8dac80b65fffb0d4aaaef0f5489b19771769d728242368903e43c16990313d60bf6699af4b2b6fa9066

memory/1952-116-0x000000013F3B0000-0x000000013F701000-memory.dmp

C:\Windows\system\djidzbK.exe

MD5 3aed239ef612d9f25b7f977bc4d4a868
SHA1 bc32e657c3b4490e51e81ef98c9f9101f58ca324
SHA256 94ac41103df04d0cc42f88079a783f42e1e15f7799e0df68c48696bb39687cc8
SHA512 067a890465174945267297e45f230a8bc0fa33163b03b09ccd4f6a4272e76eac3846efddac09cefb965666033038e24c1aabb2c1c68232cd57db3793a394d37b

memory/1952-86-0x00000000021C0000-0x0000000002511000-memory.dmp

memory/3068-96-0x000000013F9E0000-0x000000013FD31000-memory.dmp

memory/2176-95-0x000000013FFC0000-0x0000000140311000-memory.dmp

C:\Windows\system\vEYbZRh.exe

MD5 abb3826be8e9ff15deae6effef59dcb5
SHA1 aac26e2ad80e20c0ed72c6186922026f5244a0a1
SHA256 e2fabf2f5f245006e280b573b85cc8d8e5b10f1b283a6357d06000db60a784d0
SHA512 806d201e84b176653769b3c094102c5aa2b37dc293cb12ba4a9e0442a7a8f43e9fd47e0d28787579b91963ef378a31fc7582b1172690254caba3728fe1549645

C:\Windows\system\NCdAmXU.exe

MD5 bb3f8956b1c73affbbde1d020fbd2c69
SHA1 95f26b452996e26fce57448d63189689d7648269
SHA256 6d90ea2728a4b35c7108d84bbedcc6c7a9edde93a15f5a8ac990549a1ed84628
SHA512 7ea3415ec9ba3da90986e71fe80a9c9c87bd2540a64133a66b6eaad351fdf1daa1a7cb298d2bd940ae965b16baa020f3e0181859108e3b0d40e037dcb00c12e5

C:\Windows\system\oNczCmu.exe

MD5 8ef72604f750cf30fedd1b571a7d6d3e
SHA1 d14f5ed3c4baff7c56f64728b691121d734b12b6
SHA256 6ef9307a587083363b15483c65ed6b7037f7d3c0a7209de91406c55f0297a350
SHA512 b4d62cd2556236b33392a18518bc133bcbe35750d828b77356d773bf359182c3049346880bddd064e5b471d2f710520ab87db9735417968518264f6c62ff2110

C:\Windows\system\dpDFlAG.exe

MD5 e0b65a3dafff7e2cbf29c0bdac8d2480
SHA1 c574be5ae904332fcd00de8a8eb7aff638676244
SHA256 3b89ed6893c64622c3c07b263a36ff4c13fbef97f7613d6afebfa303e2058d99
SHA512 0825169c988f8aafc37dcd1a46ceb238082e9ccaa4a53f9359b8bbf1936e04d86990aec56ca56db9c418c34424885b8b3bb95093b5ba354757306daf1465a98f

C:\Windows\system\ZiYUZAv.exe

MD5 04e95b26c56f6f3489984b68cc28a044
SHA1 e469935d5630220866c9138ed73dc40c733b3a4e
SHA256 478d29331370c9cd07a9e44182709c44c6ed683bd18e24579efe68e70290efa7
SHA512 9afc67c518c5d6d895f3017c77121bd4ceb27c5154d10a2b6f85d24baa1d189f4272ade173b87c7c2c74b95041278eefa9d566f1a18877e7a130c36562841c75

C:\Windows\system\nCzXvto.exe

MD5 1255524a0818840bfd98795919b7756b
SHA1 9ac0371ccb2142373e452ff24be532427cf6a952
SHA256 1ee97bec2e789308bd4e23e197e6e31060d9173fb1a66ab89fb45e7e30f01ee7
SHA512 b89ebb5f4185e927ef8c4f22551ec750de7bd6db62bbf1a687d708333cbc0d81dd1ffe4ee842d043e5f2f5cb9968ac8fc1f6b1be85cbcbdc0e72edc3ebb91d03

\Windows\system\FhkdbEG.exe

MD5 3163a08a810d7b46f9ddd0a516fd1ec3
SHA1 86a3f64fa1b0b93ec7052aff06d79a9cbd0dac8e
SHA256 0a0c86a9b39a2cacee05dba5ea60f265f9636babdbf63b91adaa6141129cfb0f
SHA512 af1a35a36507b69e06025416facfc031872969e93fa81a0b6fb5e80ac9d88d3a5274ea738bfcbfd5fd6dd02365de0b39c9142a2eb833190092b16b64e4a0651c

memory/1952-81-0x000000013F340000-0x000000013F691000-memory.dmp

memory/1952-128-0x000000013FE20000-0x0000000140171000-memory.dmp

\Windows\system\hBzHvwN.exe

MD5 5a538338899c5469f2bd401a9310a256
SHA1 9bbbfb6c803dfe19f7123da9d669233817d81e70
SHA256 3b57999ae5adf4252870f84c943b16a72388976bc45252881d676fbc25a68d64
SHA512 4d20698e83b0c2ba8d0a7752aa64ce4f95b8fe24e805c309f022f9ff8e82cc4c4fa0b2d1beff60c0fd214f709f7288dfe5ada5a45a97eb05662a299d7e943ce4

\Windows\system\kJuSAAh.exe

MD5 376abc219deeaa9b39bfebab935552bb
SHA1 f308ae745fad42d76a0332a3a56b75f1e09bfbc7
SHA256 900013d91711a988523a05af3ac31d8ea448f2e70d48394bf8e77742ceeed03e
SHA512 4853d12ed3b734096d41c9736d88d11c6296a4797f9c6aa999d858b8de3247f7243e2281941e9f5cada573bd197f0394bc4a3fc94488bc4ca6a92264ef80b7ab

memory/1952-60-0x000000013F910000-0x000000013FC61000-memory.dmp

\Windows\system\DYEsBDF.exe

MD5 f7e81efc09521892db100f8cdb1ee603
SHA1 ca5ad31e7d7c79a95c7bf3580d1aa902ffd6c6e5
SHA256 89430db1dddafaf1e6f04f3791acadd9ec6de9ddf34ea737c3f1f8ad990e5e61
SHA512 2dc277762343712d5d9d5b449ed0d8a82ad17fcd95f9270cf3d7b3759aa8110b0c58425b69de028669d6f8b5a46bb41ca9a85ce98b4c63dcd4c45bd449da895f

C:\Windows\system\gDxENbN.exe

MD5 27b64fc4efee216407cf00ee1f2e28a2
SHA1 bdb96b01e653ac7f162f5254b53a7b6748c2f193
SHA256 1b662c4374e48cb2e26bf79bcb8a0c50e4ba1d56477210794239cea38aaeb2ff
SHA512 b19f80b5372cce01273f15d8b8382b381bbd523e3a144674ac78d8ec5d9245ecada4af0d99c61d4dec2a81e8c4710ddf9226543a0d1208ba7233aaba76c3c692

memory/1036-50-0x000000013F900000-0x000000013FC51000-memory.dmp

\Windows\system\Rpgjbrp.exe

MD5 c82839f45c742502945124ea6551db41
SHA1 25acaa0f596c282e269af00879774e9bafb47d38
SHA256 9132f6229fc30a570fd08fdfdbf48a4f2b33d86cf394fcc8527bbe65734b51c3
SHA512 a86d7ac1ce1486d0bf77f32c0db944fb9b41c9c6cf1065b54605de647805e818c6b5273817b68b85a95731f0cd89229d88ac95b394c154466fe33537edf6ae79

memory/2300-41-0x000000013F6D0000-0x000000013FA21000-memory.dmp

memory/1952-115-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

memory/2440-129-0x000000013FC10000-0x000000013FF61000-memory.dmp

memory/1952-114-0x000000013F3C0000-0x000000013F711000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 20:57

Reported

2024-08-14 21:00

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\IRzMzvw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lJqciEY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WaREuyW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AKIJWdM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sAvbqqn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QassaPW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ucepLGH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GJkbsDS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KgUEVIr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cHTaDpl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SizUtPe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TeLaRry.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HFJOcBy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eVFSZEo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HvgjWlZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yxxPYkv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ojPQsed.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vBUAOmk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dPyoZip.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QTqeJRQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FPKYiFG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4568 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ucepLGH.exe
PID 4568 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ucepLGH.exe
PID 4568 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TeLaRry.exe
PID 4568 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TeLaRry.exe
PID 4568 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HvgjWlZ.exe
PID 4568 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HvgjWlZ.exe
PID 4568 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FPKYiFG.exe
PID 4568 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FPKYiFG.exe
PID 4568 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HFJOcBy.exe
PID 4568 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HFJOcBy.exe
PID 4568 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yxxPYkv.exe
PID 4568 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yxxPYkv.exe
PID 4568 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IRzMzvw.exe
PID 4568 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IRzMzvw.exe
PID 4568 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GJkbsDS.exe
PID 4568 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GJkbsDS.exe
PID 4568 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ojPQsed.exe
PID 4568 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ojPQsed.exe
PID 4568 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lJqciEY.exe
PID 4568 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lJqciEY.exe
PID 4568 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vBUAOmk.exe
PID 4568 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vBUAOmk.exe
PID 4568 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dPyoZip.exe
PID 4568 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dPyoZip.exe
PID 4568 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KgUEVIr.exe
PID 4568 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KgUEVIr.exe
PID 4568 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QTqeJRQ.exe
PID 4568 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QTqeJRQ.exe
PID 4568 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cHTaDpl.exe
PID 4568 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cHTaDpl.exe
PID 4568 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WaREuyW.exe
PID 4568 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WaREuyW.exe
PID 4568 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AKIJWdM.exe
PID 4568 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AKIJWdM.exe
PID 4568 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sAvbqqn.exe
PID 4568 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sAvbqqn.exe
PID 4568 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SizUtPe.exe
PID 4568 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SizUtPe.exe
PID 4568 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eVFSZEo.exe
PID 4568 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eVFSZEo.exe
PID 4568 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QassaPW.exe
PID 4568 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QassaPW.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\ucepLGH.exe

C:\Windows\System\ucepLGH.exe

C:\Windows\System\TeLaRry.exe

C:\Windows\System\TeLaRry.exe

C:\Windows\System\HvgjWlZ.exe

C:\Windows\System\HvgjWlZ.exe

C:\Windows\System\FPKYiFG.exe

C:\Windows\System\FPKYiFG.exe

C:\Windows\System\HFJOcBy.exe

C:\Windows\System\HFJOcBy.exe

C:\Windows\System\yxxPYkv.exe

C:\Windows\System\yxxPYkv.exe

C:\Windows\System\IRzMzvw.exe

C:\Windows\System\IRzMzvw.exe

C:\Windows\System\GJkbsDS.exe

C:\Windows\System\GJkbsDS.exe

C:\Windows\System\ojPQsed.exe

C:\Windows\System\ojPQsed.exe

C:\Windows\System\lJqciEY.exe

C:\Windows\System\lJqciEY.exe

C:\Windows\System\vBUAOmk.exe

C:\Windows\System\vBUAOmk.exe

C:\Windows\System\dPyoZip.exe

C:\Windows\System\dPyoZip.exe

C:\Windows\System\KgUEVIr.exe

C:\Windows\System\KgUEVIr.exe

C:\Windows\System\QTqeJRQ.exe

C:\Windows\System\QTqeJRQ.exe

C:\Windows\System\cHTaDpl.exe

C:\Windows\System\cHTaDpl.exe

C:\Windows\System\WaREuyW.exe

C:\Windows\System\WaREuyW.exe

C:\Windows\System\AKIJWdM.exe

C:\Windows\System\AKIJWdM.exe

C:\Windows\System\sAvbqqn.exe

C:\Windows\System\sAvbqqn.exe

C:\Windows\System\SizUtPe.exe

C:\Windows\System\SizUtPe.exe

C:\Windows\System\eVFSZEo.exe

C:\Windows\System\eVFSZEo.exe

C:\Windows\System\QassaPW.exe

C:\Windows\System\QassaPW.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 21.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp

Files
