Malware Analysis Report

2025-03-15 08:07

Sample ID 240815-m46lsstfnn
Target 2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat
SHA256 e3426a0b314d10311aadb77f7e063d07e09de12ddd5c7a4d27537a328290c3b5
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e3426a0b314d10311aadb77f7e063d07e09de12ddd5c7a4d27537a328290c3b5

Threat Level: Known bad

The file 2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Xmrig family

Cobaltstrike family

Cobalt Strike reflective loader

xmrig

Cobaltstrike

XMRig Miner payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-15 11:02

Signatures

Cobalt Strike reflective loader

1 match; description, indicator, process and target not recorded.

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
1 match; description, indicator, process and target not recorded.

Xmrig family

xmrig

UPX packed file

upx
1 match; description, indicator, process and target not recorded.

Unsigned PE

2 matches; description, indicator, process and target not recorded.

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 11:02

Reported

2024-08-15 11:04

Platform

win7-20240705-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

21 matches; description, indicator, process and target not recorded.

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
41 matches; description, indicator, process and target not recorded.

Loads dropped DLL

21 events, all attributed to the parent process C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe; description, indicator and target not recorded.

UPX packed file

upx
64 matches; description, indicator, process and target not recorded.

Drops file in Windows directory

21 "File created" events, all by process C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe (indicator and target not recorded). Files created, in the order reported:

C:\Windows\System\lebSegn.exe
C:\Windows\System\gWZlAvG.exe
C:\Windows\System\dUrkODF.exe
C:\Windows\System\dutQXja.exe
C:\Windows\System\wmEioWq.exe
C:\Windows\System\Ciwxonp.exe
C:\Windows\System\ZByEWla.exe
C:\Windows\System\ZhgLUmQ.exe
C:\Windows\System\wnaeiKy.exe
C:\Windows\System\ihfXNNC.exe
C:\Windows\System\aUwhsBe.exe
C:\Windows\System\jQptGCO.exe
C:\Windows\System\YFvMVON.exe
C:\Windows\System\dwjEnqs.exe
C:\Windows\System\DqObolo.exe
C:\Windows\System\JlLMIRa.exe
C:\Windows\System\hXveRdQ.exe
C:\Windows\System\mzRAQxH.exe
C:\Windows\System\OlBBLST.exe
C:\Windows\System\aUQTsYe.exe
C:\Windows\System\kpjTaDq.exe

Suspicious use of WriteProcessMemory

Every child below was written to three times by PID 2636, the parent sample C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe; the 63 identical triplet rows are collapsed to one row per child. Indicator not recorded.

Child PID Target
2772 C:\Windows\System\wnaeiKy.exe
2672 C:\Windows\System\ihfXNNC.exe
2068 C:\Windows\System\OlBBLST.exe
2548 C:\Windows\System\DqObolo.exe
2888 C:\Windows\System\aUQTsYe.exe
2716 C:\Windows\System\JlLMIRa.exe
2552 C:\Windows\System\gWZlAvG.exe
2616 C:\Windows\System\aUwhsBe.exe
2600 C:\Windows\System\dUrkODF.exe
1256 C:\Windows\System\hXveRdQ.exe
776 C:\Windows\System\mzRAQxH.exe
2164 C:\Windows\System\dutQXja.exe
2940 C:\Windows\System\jQptGCO.exe
2728 C:\Windows\System\kpjTaDq.exe
2204 C:\Windows\System\wmEioWq.exe
2832 C:\Windows\System\YFvMVON.exe
2896 C:\Windows\System\dwjEnqs.exe
2184 C:\Windows\System\Ciwxonp.exe
2604 C:\Windows\System\ZByEWla.exe
992 C:\Windows\System\ZhgLUmQ.exe
2304 C:\Windows\System\lebSegn.exe

Processes

The sandbox does not print PIDs in this list; the PIDs below are taken from the Suspicious use of WriteProcessMemory rows, which pair each child PID with its image. The parent was started with its quoted path as the command line; each child's command line is its bare image path.

PID Image
2636 C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe (command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe")
2772 C:\Windows\System\wnaeiKy.exe
2672 C:\Windows\System\ihfXNNC.exe
2068 C:\Windows\System\OlBBLST.exe
2548 C:\Windows\System\DqObolo.exe
2888 C:\Windows\System\aUQTsYe.exe
2716 C:\Windows\System\JlLMIRa.exe
2552 C:\Windows\System\gWZlAvG.exe
2616 C:\Windows\System\aUwhsBe.exe
2600 C:\Windows\System\dUrkODF.exe
1256 C:\Windows\System\hXveRdQ.exe
776 C:\Windows\System\mzRAQxH.exe
2164 C:\Windows\System\dutQXja.exe
2940 C:\Windows\System\jQptGCO.exe
2728 C:\Windows\System\kpjTaDq.exe
2204 C:\Windows\System\wmEioWq.exe
2832 C:\Windows\System\YFvMVON.exe
2896 C:\Windows\System\dwjEnqs.exe
2184 C:\Windows\System\Ciwxonp.exe
2604 C:\Windows\System\ZByEWla.exe
992 C:\Windows\System\ZhgLUmQ.exe
2304 C:\Windows\System\lebSegn.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none) tcp
(6 identical connections to this endpoint; the table records no domain and no originating process)
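What an analyst takes from behavioral1 is a chain worth detecting in endpoint telemetry rather than only in the sandbox's own signatures: a process running from a user Temp directory writes executables into C:\Windows\System (the legacy directory, not System32), spawns each of them, and something on the host talks to 3.120.209.58:8080. The Python below is an added example, not part of this report and not any vendor's detection content. It runs that rule over a few constructed Sysmon-style events modelled on the report. The event shapes, the field names, the benign noise events, the `min_children` threshold, and the attribution of the network connection to the parent PID are this example's assumptions; the report itself does not say which process opened the connection.

```python
r"""Drop-and-execute detection for the chain seen in behavioral1, run over
constructed Sysmon-style events.  Added example, not part of the sandbox
report; event shapes, field names and the threshold are assumptions."""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444"
          r"_cobalt-strike_cobaltstrike_poet-rat.exe")

# Constructed telemetry modelled on the report (not real logs).  EventID 11 =
# FileCreate, 1 = ProcessCreate, 3 = NetworkConnect, using Sysmon field names.
# The report does not say which process opened the 3.120.209.58:8080 connection;
# attributing it to the parent PID here is an assumption.
EVENTS = [
    {"EventID": 11, "ProcessId": 2636, "Image": SAMPLE,
     "TargetFilename": r"C:\Windows\System\wnaeiKy.exe"},
    {"EventID": 11, "ProcessId": 2636, "Image": SAMPLE,
     "TargetFilename": r"C:\Windows\System\ihfXNNC.exe"},
    {"EventID": 1, "ProcessId": 2772, "Image": r"C:\Windows\System\wnaeiKy.exe",
     "ParentProcessId": 2636, "ParentImage": SAMPLE},
    {"EventID": 1, "ProcessId": 2672, "Image": r"C:\Windows\System\ihfXNNC.exe",
     "ParentProcessId": 2636, "ParentImage": SAMPLE},
    {"EventID": 3, "ProcessId": 2636, "Image": SAMPLE,
     "DestinationIp": "3.120.209.58", "DestinationPort": 8080},
    # Benign noise that must not alert: a service writing under System32 and a
    # browser talking HTTPS to a documentation-range (TEST-NET-3) address.
    {"EventID": 11, "ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\Tasks\Microsoft\Windows\UpdateTask"},
    {"EventID": 3, "ProcessId": 4100, "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

# Network IOC from the report's Network table.
C2_ENDPOINTS = {("3.120.209.58", 8080)}
# C:\Windows\System is the legacy 16-bit directory; modern software has no
# business writing executables there.  System32 deliberately does not match.
DROP_DIR_RE = re.compile(r"^C:\\Windows\\System\\[^\\]+\.exe$", re.IGNORECASE)
USER_TEMP_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def detect(events, min_children=2):
    r"""Return (severity, message) alerts for the given events.

    Pass 1 records every .exe a user-Temp process writes into C:\Windows\System
    (medium) and any connection to a listed C2 endpoint (high).  Pass 2 counts
    how many of its own drops each dropper then spawned; reaching
    `min_children` raises a high-severity chain alert.  Two passes make the
    result independent of event ordering.  The sandbox saw 21 such children."""
    alerts = []
    dropped = defaultdict(set)   # dropper PID -> lower-cased paths it wrote
    for ev in events:
        if (ev["EventID"] == 11 and USER_TEMP_RE.match(ev["Image"])
                and DROP_DIR_RE.match(ev["TargetFilename"])):
            dropped[ev["ProcessId"]].add(ev["TargetFilename"].lower())
            alerts.append(("medium", f"pid {ev['ProcessId']} wrote "
                           f"{ev['TargetFilename']} from a user Temp directory"))
        elif (ev["EventID"] == 3
                and (ev["DestinationIp"], ev["DestinationPort"]) in C2_ENDPOINTS):
            alerts.append(("high", f"pid {ev['ProcessId']} connected to known C2 "
                           f"{ev['DestinationIp']}:{ev['DestinationPort']}"))
    spawned = defaultdict(set)   # dropper PID -> dropped paths it executed
    for ev in events:
        if (ev["EventID"] == 1
                and ev["Image"].lower() in dropped.get(ev["ParentProcessId"], ())):
            spawned[ev["ParentProcessId"]].add(ev["Image"].lower())
    for pid, paths in spawned.items():
        if len(paths) >= min_children:
            alerts.append(("high", f"pid {pid} dropped and executed {len(paths)} "
                           "PE files in C:\\Windows\\System"))
    return alerts


if __name__ == "__main__":
    for severity, message in detect(EVENTS):
        print(f"[{severity}] {message}")
```

The file-drop rule is kept at medium on its own because legacy installers occasionally touch C:\Windows\System; it is the drop followed by execution of the same path from the same parent, repeated, that is specific to this sample's behaviour. Matching on the lower-cased path rather than the file name keeps the rule independent of the random seven-character names this sample generates.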

Files

memory/2636-0-0x000000013F070000-0x000000013F3C1000-memory.dmp

memory/2636-1-0x00000000000F0000-0x0000000000100000-memory.dmp

C:\Windows\system\wnaeiKy.exe

MD5 ec6520806f7dffca7d2709c4301bcdc2
SHA1 ae363e7a06f31907b49323f75f33b0e010fe20c0
SHA256 4fedfd2637aed628354313a8111b0f2c2dc06c3aa99f13a14f9c3a33a6839a6f
SHA512 24398b3d06e44dd25157930121dfaf1feb5ed5d81bb8e574a1b8838b4fbc560fb439834280cac3635528df6aa1ec7403bd600d635c6bf80f3963c58e88f79082

\Windows\system\ihfXNNC.exe

MD5 9d2bc829f8c2b06df3c05e06b06eb3a5
SHA1 33400327da1eac0912f61e82a5d2711337a61236
SHA256 d0605eda4c389225fe571afe32a11946846e2d20d36cc62cf57db399ab667d44
SHA512 4a12b45cff03f416975535ac43c90a08379708964e67d0a1c0035671d48668eff255a3ccb82de57fd18c966b4e78c49a18abd24041623822b1cdfeb9348b673f

\Windows\system\OlBBLST.exe

MD5 f90225e8262605ee21f3c78433e4f866
SHA1 939c364555aa2ed8253f832f0141dc284885e5de
SHA256 324cdf2509ad1cce0d4da2e434389bd2d3c0c550ca93da2b3543415dab8f08f4
SHA512 1cd219e01a08de7bf09318db4582b0398fdcbe8d099d7995ed01a967e0b2ef88f6b1be8c7c5a90e0843e95394c44c92d2f274d2b841ce1b38c7b7da08003945e

memory/2772-21-0x000000013FDB0000-0x0000000140101000-memory.dmp

C:\Windows\system\DqObolo.exe

MD5 5cc7d0ed5d6f2ed810cc72ae76064880
SHA1 6634da5b441c7f6872fe47db251dab4bc68427c9
SHA256 62ccb7435b0a422720579c4ed3a5a077cdddd4dc9c17acfeee97a356afb318da
SHA512 cb7a3bfe620f2d2a8e831cb35890c3115b0ee280758e6f3d453c9ade3c6414860988afd309e4e09b43521c4bc7ddf38d50c6ae9a43a748a9f4ec06a3ee6523a2

C:\Windows\system\aUQTsYe.exe

MD5 8476020b560208fa30b6984ee6c6ab2d
SHA1 b7dc41d8d6655350ab8e8277523ba775e0ae498f
SHA256 abf51dce90b5247714bd16aa7fdd67e31229575fb97ae9f086abe8dc462e76ed
SHA512 07f38cab352beab7de30f5bbe5a5eaa11d91715a535ebffeeeee31ce5336b14fa17f1c2f76104709261e70f422510e1cdfa8feb267c93bd2c0eb6ae3c3a6c618

\Windows\system\JlLMIRa.exe

MD5 e7db0f15528a06f51046cb84917a431f
SHA1 2268f68f45413b429c8bac638107e90e87559be2
SHA256 bb8ff851e42ced861e2cb30e51cc2da92fbaf3f626f9548a94d6714c81b677c3
SHA512 b276b6fcc9930fa9cf84735b3b7cd9fc495d278235f0ec29b9c81bf5bd6d69fb9a7a238904507d4da572721b688f002dd335420ece0e74f8d5e471fc5789f222

memory/2636-38-0x000000013F9E0000-0x000000013FD31000-memory.dmp

memory/2888-36-0x000000013F3B0000-0x000000013F701000-memory.dmp

memory/2636-35-0x0000000002260000-0x00000000025B1000-memory.dmp

memory/2548-28-0x000000013F180000-0x000000013F4D1000-memory.dmp

memory/2636-26-0x000000013FDE0000-0x0000000140131000-memory.dmp

memory/2636-25-0x0000000002260000-0x00000000025B1000-memory.dmp

memory/2772-59-0x000000013FDB0000-0x0000000140101000-memory.dmp

C:\Windows\system\dUrkODF.exe

MD5 1cf0bfac0f7fec0701719b8fe7da40b7
SHA1 adb2c220f1c44749a5682137ad00b29cc5818d74
SHA256 467c001b4af235465b7d9a4b867e05139dd99c4e93b431a4c86ed763a661bad6
SHA512 65bdb8b0c55d27ca6f82daab206e1a2aaddba7d21050881b9ef4f27c76f1f2c0e741d39d8c979586374b645384d74d5200f1e7e5e5908cc722a8691112202634

C:\Windows\system\hXveRdQ.exe

MD5 241e54c278a7f529fc24f6a425ef54f5
SHA1 d9f360d87ef2a6048370239216ff95a99a191fc7
SHA256 d2326f88cefbef0178de66af2ec4913ec157778c756304d323095e8cd5e41775
SHA512 4c452106855b1c778bb1647620afa97966e7e7fcf5e9b381b1be9e968a4956ae02954949b9595f5a200aebdbe233b03b3780131cab5246ff0115a7b7540250b7

memory/776-78-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

C:\Windows\system\dutQXja.exe

MD5 deae6fe44ad409cbdb9a2fe2687acb08
SHA1 c5723f9ddb57f0a13cb7404fd2cc8e2f6962282b
SHA256 dfcb90b313fbd4b3472add302c961a38274a1e377959c530dd28028d15c417f5
SHA512 687f36badd14c861fcf5b06f0851737e14ad16715c143b4204cfd2fb8bc087551f48795633cf2d3fcdeee88d50eede903f944b7dd211eca1d21623dff0bcbe21

C:\Windows\system\kpjTaDq.exe

MD5 40a0b160d55fd39c067664fa99173716
SHA1 19e18bf8f98861b5d455c53a74c0008f9a63ca9e
SHA256 9ff9785ac7c4e275fcae9bf31c44d68949c4df28db8122a22cb1d2ac4e5f01ad
SHA512 c2168769a2f50af823213518ea1a99edeb931e1cb181f5a9aa6f7749dde5081f966c0d7b937587d51b9de4b7bcecba439678f7183760ddc7b55978276c3bf267

\Windows\system\YFvMVON.exe

MD5 7c33847041e6a068027ac9561ce38e53
SHA1 5cf0fc285530b28a24faa8675bead970dcad5fad
SHA256 b3a7a0811db9babbdbfc8ed775f28455993665e1c7688041c68d3bd31c8365d9
SHA512 8d5daff5f2da9b9e4356e6eb52cd7b307847dcf5536c323f4c530a2ed656f8309e4ac666fdcf9136c3ed39b57e4beb2850e149413791a9ea4547ef507c3e52eb

\Windows\system\ZhgLUmQ.exe

MD5 9ae86a7a09c4f91a9631d816c4efa71f
SHA1 4067b7d4def3f71b979a2a3d15ef25c26705481a
SHA256 3da9b50685492335215b94746ec13d6828b258e01223ce32fdca085d49dca56d
SHA512 c8d25f398fe990dfe309b681a84d034f055de6399bc55f80b0f54b3978b01f7ecc736847b799d2ff4cadf373c2a3e262706c6307f00f7a19142f9a592df04c22

\Windows\system\Ciwxonp.exe

MD5 7bb1518ad8580cdeba1b47f877a433f1
SHA1 dfaaa2c942e6aba4bbc33d8fb817e63cef62140f
SHA256 90be2cd05fc010bdee69d079a651a74eef65fdc0afce4d87370662e0e26afef4
SHA512 53ddd878a942667c9a7bdc0c2ee8150b44601fbdc2a6812c3b18e56b075fcb7320aa6fc89e36d03ec1f6dddf56989784357e74d911a3a03e8afc9885c1d6b5a2

memory/1256-110-0x000000013F7D0000-0x000000013FB21000-memory.dmp

C:\Windows\system\lebSegn.exe

MD5 aec8586f093fe8c5013bb65323b777cf
SHA1 be3e508bc9cdba19de757bce989bfa9c03b2dcbe
SHA256 38a822273ad49578b022a26c712dd5335ff00cf41ac02249cad30135a950803e
SHA512 3f999bf65d43b828a0f33f49eb032ee120470e05ac6551e7109eb8ed395f0144883a00c09f27134e055cb71c2425cdf35f67dc4ccbca4b21dc68af4289185931

memory/2636-100-0x000000013F7D0000-0x000000013FB21000-memory.dmp

memory/2636-99-0x000000013FBF0000-0x000000013FF41000-memory.dmp

memory/2728-98-0x000000013F350000-0x000000013F6A1000-memory.dmp

C:\Windows\system\ZByEWla.exe

MD5 9202e331a959fdd1c4d2027ef4965bfb
SHA1 693ede5ad53502385cff1b270a67ec0cc91f3d51
SHA256 86e8faa97f272130c1b68fa357e9191ef50b1a7e8fd697e08418d5c4b6898d77
SHA512 3fbce1bba83d435dad1de81e4ee4c97c2a0576708cfb1fc1633c8a48a61d5460a920107c6d55ed6856d076d46de83b23ecebfbf4ce664ec0fe4b84ce2a6d476a

memory/2636-139-0x0000000002260000-0x00000000025B1000-memory.dmp

memory/2636-115-0x000000013F7C0000-0x000000013FB11000-memory.dmp

C:\Windows\system\dwjEnqs.exe

MD5 66fe254ab2dc074c102d31f7aff546dd
SHA1 89c29b02dbdd8a560c9a9eab31e53ade380abaf1
SHA256 24d2fefdccba04ffed226bd6e0838ff42b90f0bae8954927a21afccd8d37f6de
SHA512 2b98f76f05ded690076bb6b41ee8ab2190e9c1e6f47242096e6e9eadc6951c3f4a076fadd1a36c44c73451ff9dee3ab13002a598c0627be3cf271d260e93c760

C:\Windows\system\wmEioWq.exe

MD5 0cb6ae08849bc16177a966ba7aa99f01
SHA1 088d8b8ab9ed2987a54d897ac07e0b2947f15b7c
SHA256 05e8158d3927c51fcec19a89478fbe580fd6bf6e2482b410ba52dcf9b20fe83a
SHA512 8c82b2f5c71cf6feeecfc30b6e103b5f48aa2f785b75c414e13e22ee815bc19b1f66e76eff81b8f6f1c657080717b018b5ad45422d10a5ad692306b71cbeb7e0

memory/2600-93-0x000000013FBF0000-0x000000013FF41000-memory.dmp

memory/2940-92-0x000000013F360000-0x000000013F6B1000-memory.dmp

memory/2636-91-0x0000000002260000-0x00000000025B1000-memory.dmp

memory/2716-86-0x000000013F9E0000-0x000000013FD31000-memory.dmp

memory/2164-85-0x000000013FAB0000-0x000000013FE01000-memory.dmp

memory/2636-84-0x000000013FAB0000-0x000000013FE01000-memory.dmp

C:\Windows\system\jQptGCO.exe

MD5 eca7f91b6f36a38f75f47cce1b4d8aa2
SHA1 32f8b55a33a8afd4da289cc2bf9f960d8f4f9085
SHA256 b66e98dd3cd92c83b77df65be09853bfc6a155d9376e0ae04a3e97c3316d1557
SHA512 abb3d160d885b1d60240cca25b6b080b67f8569bf6a5931711044e084998a0ea53ded2f409294ebae3763cdff87c43dfc68399122da7e08b17f3de318607c1f7

memory/2548-71-0x000000013F180000-0x000000013F4D1000-memory.dmp

memory/1256-70-0x000000013F7D0000-0x000000013FB21000-memory.dmp

memory/2616-69-0x000000013F0B0000-0x000000013F401000-memory.dmp

memory/2636-140-0x000000013FAB0000-0x000000013FE01000-memory.dmp

C:\Windows\system\aUwhsBe.exe

MD5 24cdaca37964e03c4ab5a9258bd729ff
SHA1 52feecfc10034b5cbdb90361c4049dc1cbc69e51
SHA256 55af8d8393deeacf6811ac9440ecd3e4769fe9a9290062ec907ff6bcd3cdb1fe
SHA512 1aaf4dffeccb90f1c303d6fee21479eb3f8f956442277e783887637b1b849d277983455eddfd81340208573aabbbe9bf8578ed90d520b6d0ff6c027830aa32c5

memory/2636-65-0x000000013F7D0000-0x000000013FB21000-memory.dmp

memory/2600-63-0x000000013FBF0000-0x000000013FF41000-memory.dmp

C:\Windows\system\mzRAQxH.exe

MD5 724910a37da7c0a621c5ce24649524b0
SHA1 a09d99f75cf2a04faf550c5d9c64a5bd0d9a6905
SHA256 63f0d0a3ce5d267eb58a36e2a30cff23ccc3f565a82042879c59f756035c61ae
SHA512 03794364027147a635a3af284bc84b7bf4b54380b2d50252f73d2400bf0e39d54f8c36f0abf2e498f92d284640acda7b0dc1161bf2249dc8ac9a3f1a93bbea68

memory/2636-52-0x000000013F070000-0x000000013F3C1000-memory.dmp

memory/2552-50-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/2636-49-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/2716-41-0x000000013F9E0000-0x000000013FD31000-memory.dmp

C:\Windows\system\gWZlAvG.exe

MD5 49693bd4bfc77ffc1e696359e7496ab6
SHA1 032aac699c7eaea56af4d7786e49530c000c547c
SHA256 a470cb012f957491d4017de4b3ed16a1de79874a14ffa15b057cbe223ee27111
SHA512 41a8b91d70cd825936da532953ff1ffe87f49b55e6e4f69bd6555cbea7672609e2ecd503f9d16b082b0c8986e80cd60b16f6fe2b592a3deeb3a50176499739b4

memory/2068-24-0x000000013FE60000-0x00000001401B1000-memory.dmp

memory/2636-23-0x000000013FE60000-0x00000001401B1000-memory.dmp

memory/2672-22-0x000000013FDE0000-0x0000000140131000-memory.dmp

memory/2636-141-0x0000000002260000-0x00000000025B1000-memory.dmp

memory/2940-142-0x000000013F360000-0x000000013F6B1000-memory.dmp

memory/2636-143-0x0000000002260000-0x00000000025B1000-memory.dmp

memory/2728-144-0x000000013F350000-0x000000013F6A1000-memory.dmp

memory/2636-145-0x000000013F070000-0x000000013F3C1000-memory.dmp

memory/2832-161-0x000000013F6F0000-0x000000013FA41000-memory.dmp

memory/992-165-0x000000013FBC0000-0x000000013FF11000-memory.dmp

memory/2604-164-0x000000013FC00000-0x000000013FF51000-memory.dmp

memory/2184-163-0x000000013FFB0000-0x0000000140301000-memory.dmp

memory/2896-162-0x000000013F7C0000-0x000000013FB11000-memory.dmp

memory/2204-160-0x000000013F7C0000-0x000000013FB11000-memory.dmp

memory/2304-166-0x000000013F2E0000-0x000000013F631000-memory.dmp

memory/2636-167-0x000000013F070000-0x000000013F3C1000-memory.dmp

memory/2772-219-0x000000013FDB0000-0x0000000140101000-memory.dmp

memory/2672-222-0x000000013FDE0000-0x0000000140131000-memory.dmp

memory/2068-223-0x000000013FE60000-0x00000001401B1000-memory.dmp

memory/2888-225-0x000000013F3B0000-0x000000013F701000-memory.dmp

memory/2548-227-0x000000013F180000-0x000000013F4D1000-memory.dmp

memory/2716-240-0x000000013F9E0000-0x000000013FD31000-memory.dmp

memory/2552-242-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/2600-244-0x000000013FBF0000-0x000000013FF41000-memory.dmp

memory/2616-246-0x000000013F0B0000-0x000000013F401000-memory.dmp

memory/776-249-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

memory/1256-250-0x000000013F7D0000-0x000000013FB21000-memory.dmp

memory/2164-252-0x000000013FAB0000-0x000000013FE01000-memory.dmp

memory/2940-254-0x000000013F360000-0x000000013F6B1000-memory.dmp

memory/2728-256-0x000000013F350000-0x000000013F6A1000-memory.dmp
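The Files listing above (behavioral1) and the one under behavioral2 further down share one layout: a dropped path, then MD5/SHA1/SHA256/SHA512 lines, with memory-dump names interleaved. Several dropped names recur in both runs with identical digests (dwjEnqs.exe, wmEioWq.exe, jQptGCO.exe, aUwhsBe.exe, mzRAQxH.exe, gWZlAvG.exe), and their paths differ only in the case of "system"/"System". The following is an added worked example written for this page, not sandbox output or code from the report: it parses that layout into one record per unique SHA256, merges the repeats, records any digest that disagrees between runs, and rejects digests of the wrong length. The excerpt it runs on is constructed from the entries above plus one behavioral2 repeat; the layout rules (path line starts with a drive letter, digest lines start with the algorithm name) are inferred from the page.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the Files listing above, plus the behavioral2 copy of
# dwjEnqs.exe (same digests, path differs only in case) to exercise merging.
SAMPLE = r"""
C:\Windows\system\dwjEnqs.exe

MD5 66fe254ab2dc074c102d31f7aff546dd
SHA1 89c29b02dbdd8a560c9a9eab31e53ade380abaf1
SHA256 24d2fefdccba04ffed226bd6e0838ff42b90f0bae8954927a21afccd8d37f6de
SHA512 2b98f76f05ded690076bb6b41ee8ab2190e9c1e6f47242096e6e9eadc6951c3f4a076fadd1a36c44c73451ff9dee3ab13002a598c0627be3cf271d260e93c760

memory/2600-93-0x000000013FBF0000-0x000000013FF41000-memory.dmp

C:\Windows\system\wmEioWq.exe

MD5 0cb6ae08849bc16177a966ba7aa99f01
SHA1 088d8b8ab9ed2987a54d897ac07e0b2947f15b7c
SHA256 05e8158d3927c51fcec19a89478fbe580fd6bf6e2482b410ba52dcf9b20fe83a
SHA512 8c82b2f5c71cf6feeecfc30b6e103b5f48aa2f785b75c414e13e22ee815bc19b1f66e76eff81b8f6f1c657080717b018b5ad45422d10a5ad692306b71cbeb7e0

C:\Windows\System\dwjEnqs.exe

MD5 66fe254ab2dc074c102d31f7aff546dd
SHA1 89c29b02dbdd8a560c9a9eab31e53ade380abaf1
SHA256 24d2fefdccba04ffed226bd6e0838ff42b90f0bae8954927a21afccd8d37f6de
SHA512 2b98f76f05ded690076bb6b41ee8ab2190e9c1e6f47242096e6e9eadc6951c3f4a076fadd1a36c44c73451ff9dee3ab13002a598c0627be3cf271d260e93c760
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PATH_RE = re.compile(r"^[A-Za-z]:\\")                       # a dropped-file path line
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


@dataclass
class DroppedFile:
    paths: set = field(default_factory=set)       # every path this digest was seen under
    hashes: dict = field(default_factory=dict)    # algorithm -> lowercase hex digest
    conflicts: list = field(default_factory=list) # digests that disagreed across entries


def parse_files_section(text):
    """Return {sha256: DroppedFile}, merging entries that share a SHA256."""
    result = {}
    state = {"path": None, "hashes": {}}

    def flush():
        path, hashes = state["path"], state["hashes"]
        if path and "SHA256" in hashes:
            entry = result.setdefault(hashes["SHA256"], DroppedFile())
            entry.paths.add(path.lower())          # behavioral1/2 differ only in case
            for alg, digest in hashes.items():
                prev = entry.hashes.setdefault(alg, digest)
                if prev != digest:
                    entry.conflicts.append(f"{alg} mismatch under {path}: {prev} vs {digest}")
        state["path"], state["hashes"] = None, {}

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):
            continue                                # blank, or a dump name with no digest
        if PATH_RE.match(line):
            flush()                                 # a new file begins; commit the last one
            state["path"] = line
            continue
        m = HASH_RE.match(line)
        if m and state["path"]:
            alg, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[alg]:
                raise ValueError(f"{alg} for {state['path']} has {len(digest)} hex chars, "
                                 f"expected {HASH_LEN[alg]}")
            state["hashes"][alg] = digest
    flush()
    return result


def ioc_csv(files):
    """Stable 'sha256,md5,paths' lines for a blocklist or hunt query."""
    return [f"{sha},{f.hashes.get('MD5', '')},{';'.join(sorted(f.paths))}"
            for sha, f in sorted(files.items())]


if __name__ == "__main__":
    files = parse_files_section(SAMPLE)
    for line in ioc_csv(files):
        print(line)
    for sha, f in files.items():
        for c in f.conflicts:
            print("CONFLICT", sha[:12], c)
```

Feeding the whole behavioral1 and behavioral2 listings through parse_files_section gives one row per unique binary regardless of how many times the sandbox repeated it; a non-empty conflicts list would mean the same SHA256 was reported with different MD5/SHA1/SHA512 values, which should never happen and indicates a transcription error in the report.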

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 11:02

Reported

2024-08-15 11:04

Platform

win10v2004-20240802-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows in the original table; no fields populated)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (45 identical rows in the original table; no fields populated)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows in the original table; no fields populated)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\wnaeiKy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OlBBLST.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aUQTsYe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dUrkODF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hXveRdQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dutQXja.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jQptGCO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wmEioWq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lebSegn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kpjTaDq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YFvMVON.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZhgLUmQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ihfXNNC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DqObolo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JlLMIRa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gWZlAvG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aUwhsBe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mzRAQxH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dwjEnqs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Ciwxonp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZByEWla.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2396 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wnaeiKy.exe
PID 2396 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wnaeiKy.exe
PID 2396 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ihfXNNC.exe
PID 2396 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ihfXNNC.exe
PID 2396 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OlBBLST.exe
PID 2396 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OlBBLST.exe
PID 2396 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DqObolo.exe
PID 2396 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DqObolo.exe
PID 2396 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aUQTsYe.exe
PID 2396 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aUQTsYe.exe
PID 2396 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JlLMIRa.exe
PID 2396 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JlLMIRa.exe
PID 2396 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gWZlAvG.exe
PID 2396 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gWZlAvG.exe
PID 2396 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aUwhsBe.exe
PID 2396 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aUwhsBe.exe
PID 2396 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dUrkODF.exe
PID 2396 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dUrkODF.exe
PID 2396 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hXveRdQ.exe
PID 2396 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hXveRdQ.exe
PID 2396 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mzRAQxH.exe
PID 2396 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mzRAQxH.exe
PID 2396 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dutQXja.exe
PID 2396 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dutQXja.exe
PID 2396 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jQptGCO.exe
PID 2396 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jQptGCO.exe
PID 2396 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kpjTaDq.exe
PID 2396 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kpjTaDq.exe
PID 2396 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wmEioWq.exe
PID 2396 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wmEioWq.exe
PID 2396 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YFvMVON.exe
PID 2396 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YFvMVON.exe
PID 2396 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dwjEnqs.exe
PID 2396 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dwjEnqs.exe
PID 2396 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Ciwxonp.exe
PID 2396 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Ciwxonp.exe
PID 2396 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZByEWla.exe
PID 2396 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZByEWla.exe
PID 2396 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZhgLUmQ.exe
PID 2396 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZhgLUmQ.exe
PID 2396 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lebSegn.exe
PID 2396 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lebSegn.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\wnaeiKy.exe

C:\Windows\System\wnaeiKy.exe

C:\Windows\System\ihfXNNC.exe

C:\Windows\System\ihfXNNC.exe

C:\Windows\System\OlBBLST.exe

C:\Windows\System\OlBBLST.exe

C:\Windows\System\DqObolo.exe

C:\Windows\System\DqObolo.exe

C:\Windows\System\aUQTsYe.exe

C:\Windows\System\aUQTsYe.exe

C:\Windows\System\JlLMIRa.exe

C:\Windows\System\JlLMIRa.exe

C:\Windows\System\gWZlAvG.exe

C:\Windows\System\gWZlAvG.exe

C:\Windows\System\aUwhsBe.exe

C:\Windows\System\aUwhsBe.exe

C:\Windows\System\dUrkODF.exe

C:\Windows\System\dUrkODF.exe

C:\Windows\System\hXveRdQ.exe

C:\Windows\System\hXveRdQ.exe

C:\Windows\System\mzRAQxH.exe

C:\Windows\System\mzRAQxH.exe

C:\Windows\System\dutQXja.exe

C:\Windows\System\dutQXja.exe

C:\Windows\System\jQptGCO.exe

C:\Windows\System\jQptGCO.exe

C:\Windows\System\kpjTaDq.exe

C:\Windows\System\kpjTaDq.exe

C:\Windows\System\wmEioWq.exe

C:\Windows\System\wmEioWq.exe

C:\Windows\System\YFvMVON.exe

C:\Windows\System\YFvMVON.exe

C:\Windows\System\dwjEnqs.exe

C:\Windows\System\dwjEnqs.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4460,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4512 /prefetch:8

C:\Windows\System\Ciwxonp.exe

C:\Windows\System\Ciwxonp.exe

C:\Windows\System\ZByEWla.exe

C:\Windows\System\ZByEWla.exe

C:\Windows\System\ZhgLUmQ.exe

C:\Windows\System\ZhgLUmQ.exe

C:\Windows\System\lebSegn.exe

C:\Windows\System\lebSegn.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 84.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
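Most rows in this table are background: the .in-addr.arpa rows are reverse lookups of addresses the guest had just contacted, and the g.bing.com and tse1.mm.bing.net rows line up with the msedge.exe utility process in the Processes list rather than with the sample. What remains is six TCP connections to 3.120.209.58:8080 with nothing in the Domain column, i.e. a hard-coded endpoint contacted repeatedly on a non-standard port. The following is an added example written for this page (not sandbox output): it parses rows in this table's layout, separates reverse lookups and name-resolved destinations from connections that never had a DNS name, and turns the latter into Suricata rules. The excerpt is constructed from the rows above; the classification rule and the sid range are the editor's assumptions, and the Edge attribution is a reading of the process list, not something the sandbox states.

```python
from collections import Counter

# Constructed excerpt of the Network table above; columns are
# Country Destination Domain Proto. A row with an empty Domain column is a
# direct connection with no DNS answer behind it.
NETWORK_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
"""


def parse_rows(text):
    """Split each row into its columns; a 3-field row has an empty Domain column."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue                                  # header or malformed row
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def triage(rows):
    """Separate guest/OS background traffic from destinations worth hunting on.

    ptr_lookups: count of reverse-DNS queries (in-addr.arpa) for peers the guest saw.
    resolved:    {(domain, ip, port)} connections that followed a forward DNS answer.
    unresolved:  Counter of (ip, port, proto) connections with no DNS name at all;
                 repeated contact with one such endpoint on an odd port is the
                 beacon shape and the part of this table to alert on.
    """
    ptr = sum(1 for r in rows
              if r["port"] == 53 and r["domain"].endswith(".in-addr.arpa"))
    resolved = {(r["domain"], r["host"], r["port"])
                for r in rows if r["port"] != 53 and r["domain"]}
    unresolved = Counter((r["host"], r["port"], r["proto"])
                         for r in rows if r["port"] != 53 and not r["domain"])
    return {"ptr_lookups": ptr, "resolved": resolved, "unresolved": unresolved}


def suricata_rules(unresolved, sid_base=9000001):
    """One Suricata rule per unresolved endpoint. sid_base is an assumption;
    use a range reserved for local rules in your deployment."""
    rules = []
    for i, ((ip, port, proto), hits) in enumerate(sorted(unresolved.items())):
        rules.append(
            f'alert {proto} $HOME_NET any -> {ip} {port} '
            f'(msg:"Sandbox IOC: direct {proto} to {ip}:{port}, {hits} hits, no DNS"; '
            f'flow:to_server; classtype:trojan-activity; sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    result = triage(parse_rows(NETWORK_ROWS))
    print("reverse lookups:", result["ptr_lookups"])
    print("resolved:", sorted(result["resolved"]))
    print("unresolved:", dict(result["unresolved"]))
    for rule in suricata_rules(result["unresolved"]):
        print(rule)
```

The same split applied to the full table leaves exactly one unresolved endpoint. Before deploying the rule, confirm the address is not shared hosting by checking who else resolves to it; a sandbox run shows that the sample contacted it, not that the address belongs to the operator.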

Files

memory/2396-0-0x00007FF7BCFF0000-0x00007FF7BD341000-memory.dmp

memory/2396-1-0x0000018FB90A0000-0x0000018FB90B0000-memory.dmp

C:\Windows\System\wnaeiKy.exe

MD5 ec6520806f7dffca7d2709c4301bcdc2
SHA1 ae363e7a06f31907b49323f75f33b0e010fe20c0
SHA256 4fedfd2637aed628354313a8111b0f2c2dc06c3aa99f13a14f9c3a33a6839a6f
SHA512 24398b3d06e44dd25157930121dfaf1feb5ed5d81bb8e574a1b8838b4fbc560fb439834280cac3635528df6aa1ec7403bd600d635c6bf80f3963c58e88f79082

C:\Windows\System\ihfXNNC.exe

MD5 9d2bc829f8c2b06df3c05e06b06eb3a5
SHA1 33400327da1eac0912f61e82a5d2711337a61236
SHA256 d0605eda4c389225fe571afe32a11946846e2d20d36cc62cf57db399ab667d44
SHA512 4a12b45cff03f416975535ac43c90a08379708964e67d0a1c0035671d48668eff255a3ccb82de57fd18c966b4e78c49a18abd24041623822b1cdfeb9348b673f

C:\Windows\System\OlBBLST.exe

MD5 f90225e8262605ee21f3c78433e4f866
SHA1 939c364555aa2ed8253f832f0141dc284885e5de
SHA256 324cdf2509ad1cce0d4da2e434389bd2d3c0c550ca93da2b3543415dab8f08f4
SHA512 1cd219e01a08de7bf09318db4582b0398fdcbe8d099d7995ed01a967e0b2ef88f6b1be8c7c5a90e0843e95394c44c92d2f274d2b841ce1b38c7b7da08003945e

memory/4216-7-0x00007FF6A7350000-0x00007FF6A76A1000-memory.dmp

memory/1920-21-0x00007FF7CE870000-0x00007FF7CEBC1000-memory.dmp

C:\Windows\System\aUQTsYe.exe

MD5 8476020b560208fa30b6984ee6c6ab2d
SHA1 b7dc41d8d6655350ab8e8277523ba775e0ae498f
SHA256 abf51dce90b5247714bd16aa7fdd67e31229575fb97ae9f086abe8dc462e76ed
SHA512 07f38cab352beab7de30f5bbe5a5eaa11d91715a535ebffeeeee31ce5336b14fa17f1c2f76104709261e70f422510e1cdfa8feb267c93bd2c0eb6ae3c3a6c618

C:\Windows\System\JlLMIRa.exe

MD5 e7db0f15528a06f51046cb84917a431f
SHA1 2268f68f45413b429c8bac638107e90e87559be2
SHA256 bb8ff851e42ced861e2cb30e51cc2da92fbaf3f626f9548a94d6714c81b677c3
SHA512 b276b6fcc9930fa9cf84735b3b7cd9fc495d278235f0ec29b9c81bf5bd6d69fb9a7a238904507d4da572721b688f002dd335420ece0e74f8d5e471fc5789f222

C:\Windows\System\aUwhsBe.exe

MD5 24cdaca37964e03c4ab5a9258bd729ff
SHA1 52feecfc10034b5cbdb90361c4049dc1cbc69e51
SHA256 55af8d8393deeacf6811ac9440ecd3e4769fe9a9290062ec907ff6bcd3cdb1fe
SHA512 1aaf4dffeccb90f1c303d6fee21479eb3f8f956442277e783887637b1b849d277983455eddfd81340208573aabbbe9bf8578ed90d520b6d0ff6c027830aa32c5

C:\Windows\System\dUrkODF.exe

MD5 1cf0bfac0f7fec0701719b8fe7da40b7
SHA1 adb2c220f1c44749a5682137ad00b29cc5818d74
SHA256 467c001b4af235465b7d9a4b867e05139dd99c4e93b431a4c86ed763a661bad6
SHA512 65bdb8b0c55d27ca6f82daab206e1a2aaddba7d21050881b9ef4f27c76f1f2c0e741d39d8c979586374b645384d74d5200f1e7e5e5908cc722a8691112202634

C:\Windows\System\dutQXja.exe

MD5 deae6fe44ad409cbdb9a2fe2687acb08
SHA1 c5723f9ddb57f0a13cb7404fd2cc8e2f6962282b
SHA256 dfcb90b313fbd4b3472add302c961a38274a1e377959c530dd28028d15c417f5
SHA512 687f36badd14c861fcf5b06f0851737e14ad16715c143b4204cfd2fb8bc087551f48795633cf2d3fcdeee88d50eede903f944b7dd211eca1d21623dff0bcbe21

C:\Windows\System\jQptGCO.exe

MD5 eca7f91b6f36a38f75f47cce1b4d8aa2
SHA1 32f8b55a33a8afd4da289cc2bf9f960d8f4f9085
SHA256 b66e98dd3cd92c83b77df65be09853bfc6a155d9376e0ae04a3e97c3316d1557
SHA512 abb3d160d885b1d60240cca25b6b080b67f8569bf6a5931711044e084998a0ea53ded2f409294ebae3763cdff87c43dfc68399122da7e08b17f3de318607c1f7

memory/3060-90-0x00007FF708C70000-0x00007FF708FC1000-memory.dmp

memory/1828-92-0x00007FF6B42E0000-0x00007FF6B4631000-memory.dmp

memory/2180-91-0x00007FF761170000-0x00007FF7614C1000-memory.dmp

C:\Windows\System\YFvMVON.exe

MD5 7c33847041e6a068027ac9561ce38e53
SHA1 5cf0fc285530b28a24faa8675bead970dcad5fad
SHA256 b3a7a0811db9babbdbfc8ed775f28455993665e1c7688041c68d3bd31c8365d9
SHA512 8d5daff5f2da9b9e4356e6eb52cd7b307847dcf5536c323f4c530a2ed656f8309e4ac666fdcf9136c3ed39b57e4beb2850e149413791a9ea4547ef507c3e52eb

C:\Windows\System\wmEioWq.exe

MD5 0cb6ae08849bc16177a966ba7aa99f01
SHA1 088d8b8ab9ed2987a54d897ac07e0b2947f15b7c
SHA256 05e8158d3927c51fcec19a89478fbe580fd6bf6e2482b410ba52dcf9b20fe83a
SHA512 8c82b2f5c71cf6feeecfc30b6e103b5f48aa2f785b75c414e13e22ee815bc19b1f66e76eff81b8f6f1c657080717b018b5ad45422d10a5ad692306b71cbeb7e0

C:\Windows\System\kpjTaDq.exe

MD5 40a0b160d55fd39c067664fa99173716
SHA1 19e18bf8f98861b5d455c53a74c0008f9a63ca9e
SHA256 9ff9785ac7c4e275fcae9bf31c44d68949c4df28db8122a22cb1d2ac4e5f01ad
SHA512 c2168769a2f50af823213518ea1a99edeb931e1cb181f5a9aa6f7749dde5081f966c0d7b937587d51b9de4b7bcecba439678f7183760ddc7b55978276c3bf267

memory/416-78-0x00007FF6E1680000-0x00007FF6E19D1000-memory.dmp

memory/2568-76-0x00007FF74F640000-0x00007FF74F991000-memory.dmp

memory/4392-73-0x00007FF775680000-0x00007FF7759D1000-memory.dmp

memory/1892-72-0x00007FF787020000-0x00007FF787371000-memory.dmp

memory/1180-67-0x00007FF76FC60000-0x00007FF76FFB1000-memory.dmp

C:\Windows\System\mzRAQxH.exe

MD5 724910a37da7c0a621c5ce24649524b0
SHA1 a09d99f75cf2a04faf550c5d9c64a5bd0d9a6905
SHA256 63f0d0a3ce5d267eb58a36e2a30cff23ccc3f565a82042879c59f756035c61ae
SHA512 03794364027147a635a3af284bc84b7bf4b54380b2d50252f73d2400bf0e39d54f8c36f0abf2e498f92d284640acda7b0dc1161bf2249dc8ac9a3f1a93bbea68

memory/936-62-0x00007FF6F2F30000-0x00007FF6F3281000-memory.dmp

memory/3900-58-0x00007FF6A6630000-0x00007FF6A6981000-memory.dmp

C:\Windows\System\hXveRdQ.exe

MD5 241e54c278a7f529fc24f6a425ef54f5
SHA1 d9f360d87ef2a6048370239216ff95a99a191fc7
SHA256 d2326f88cefbef0178de66af2ec4913ec157778c756304d323095e8cd5e41775
SHA512 4c452106855b1c778bb1647620afa97966e7e7fcf5e9b381b1be9e968a4956ae02954949b9595f5a200aebdbe233b03b3780131cab5246ff0115a7b7540250b7

memory/764-54-0x00007FF6EEB30000-0x00007FF6EEE81000-memory.dmp

C:\Windows\System\gWZlAvG.exe

MD5 49693bd4bfc77ffc1e696359e7496ab6
SHA1 032aac699c7eaea56af4d7786e49530c000c547c
SHA256 a470cb012f957491d4017de4b3ed16a1de79874a14ffa15b057cbe223ee27111
SHA512 41a8b91d70cd825936da532953ff1ffe87f49b55e6e4f69bd6555cbea7672609e2ecd503f9d16b082b0c8986e80cd60b16f6fe2b592a3deeb3a50176499739b4

memory/4812-40-0x00007FF7CBDB0000-0x00007FF7CC101000-memory.dmp

memory/3528-24-0x00007FF6DB730000-0x00007FF6DBA81000-memory.dmp

C:\Windows\System\DqObolo.exe

MD5 5cc7d0ed5d6f2ed810cc72ae76064880
SHA1 6634da5b441c7f6872fe47db251dab4bc68427c9
SHA256 62ccb7435b0a422720579c4ed3a5a077cdddd4dc9c17acfeee97a356afb318da
SHA512 cb7a3bfe620f2d2a8e831cb35890c3115b0ee280758e6f3d453c9ade3c6414860988afd309e4e09b43521c4bc7ddf38d50c6ae9a43a748a9f4ec06a3ee6523a2

memory/1512-17-0x00007FF6C81A0000-0x00007FF6C84F1000-memory.dmp

memory/764-107-0x00007FF6EEB30000-0x00007FF6EEE81000-memory.dmp

C:\Windows\System\dwjEnqs.exe

MD5 66fe254ab2dc074c102d31f7aff546dd
SHA1 89c29b02dbdd8a560c9a9eab31e53ade380abaf1
SHA256 24d2fefdccba04ffed226bd6e0838ff42b90f0bae8954927a21afccd8d37f6de
SHA512 2b98f76f05ded690076bb6b41ee8ab2190e9c1e6f47242096e6e9eadc6951c3f4a076fadd1a36c44c73451ff9dee3ab13002a598c0627be3cf271d260e93c760

C:\Windows\System\ZByEWla.exe

MD5 9202e331a959fdd1c4d2027ef4965bfb
SHA1 693ede5ad53502385cff1b270a67ec0cc91f3d51
SHA256 86e8faa97f272130c1b68fa357e9191ef50b1a7e8fd697e08418d5c4b6898d77
SHA512 3fbce1bba83d435dad1de81e4ee4c97c2a0576708cfb1fc1633c8a48a61d5460a920107c6d55ed6856d076d46de83b23ecebfbf4ce664ec0fe4b84ce2a6d476a

C:\Windows\System\Ciwxonp.exe

MD5 7bb1518ad8580cdeba1b47f877a433f1
SHA1 dfaaa2c942e6aba4bbc33d8fb817e63cef62140f
SHA256 90be2cd05fc010bdee69d079a651a74eef65fdc0afce4d87370662e0e26afef4
SHA512 53ddd878a942667c9a7bdc0c2ee8150b44601fbdc2a6812c3b18e56b075fcb7320aa6fc89e36d03ec1f6dddf56989784357e74d911a3a03e8afc9885c1d6b5a2

C:\Windows\System\lebSegn.exe

MD5 aec8586f093fe8c5013bb65323b777cf
SHA1 be3e508bc9cdba19de757bce989bfa9c03b2dcbe
SHA256 38a822273ad49578b022a26c712dd5335ff00cf41ac02249cad30135a950803e
SHA512 3f999bf65d43b828a0f33f49eb032ee120470e05ac6551e7109eb8ed395f0144883a00c09f27134e055cb71c2425cdf35f67dc4ccbca4b21dc68af4289185931

memory/3060-136-0x00007FF708C70000-0x00007FF708FC1000-memory.dmp

memory/1828-138-0x00007FF6B42E0000-0x00007FF6B4631000-memory.dmp

memory/1428-139-0x00007FF755360000-0x00007FF7556B1000-memory.dmp

memory/2588-143-0x00007FF7084A0000-0x00007FF7087F1000-memory.dmp

memory/5092-144-0x00007FF6311A0000-0x00007FF6314F1000-memory.dmp

memory/4640-142-0x00007FF693D20000-0x00007FF694071000-memory.dmp

memory/3212-140-0x00007FF619F90000-0x00007FF61A2E1000-memory.dmp

memory/2180-137-0x00007FF761170000-0x00007FF7614C1000-memory.dmp

memory/416-135-0x00007FF6E1680000-0x00007FF6E19D1000-memory.dmp

memory/1180-134-0x00007FF76FC60000-0x00007FF76FFB1000-memory.dmp

C:\Windows\System\ZhgLUmQ.exe

MD5 9ae86a7a09c4f91a9631d816c4efa71f
SHA1 4067b7d4def3f71b979a2a3d15ef25c26705481a
SHA256 3da9b50685492335215b94746ec13d6828b258e01223ce32fdca085d49dca56d
SHA512 c8d25f398fe990dfe309b681a84d034f055de6399bc55f80b0f54b3978b01f7ecc736847b799d2ff4cadf373c2a3e262706c6307f00f7a19142f9a592df04c22

memory/3900-110-0x00007FF6A6630000-0x00007FF6A6981000-memory.dmp

memory/4812-104-0x00007FF7CBDB0000-0x00007FF7CC101000-memory.dmp

memory/1512-101-0x00007FF6C81A0000-0x00007FF6C84F1000-memory.dmp

memory/1920-102-0x00007FF7CE870000-0x00007FF7CEBC1000-memory.dmp

memory/4216-100-0x00007FF6A7350000-0x00007FF6A76A1000-memory.dmp

memory/2396-99-0x00007FF7BCFF0000-0x00007FF7BD341000-memory.dmp

memory/2396-145-0x00007FF7BCFF0000-0x00007FF7BD341000-memory.dmp

memory/2396-167-0x00007FF7BCFF0000-0x00007FF7BD341000-memory.dmp

memory/4216-200-0x00007FF6A7350000-0x00007FF6A76A1000-memory.dmp

memory/1512-202-0x00007FF6C81A0000-0x00007FF6C84F1000-memory.dmp

memory/3528-204-0x00007FF6DB730000-0x00007FF6DBA81000-memory.dmp

memory/1920-206-0x00007FF7CE870000-0x00007FF7CEBC1000-memory.dmp

memory/1892-218-0x00007FF787020000-0x00007FF787371000-memory.dmp

memory/4812-217-0x00007FF7CBDB0000-0x00007FF7CC101000-memory.dmp

memory/764-220-0x00007FF6EEB30000-0x00007FF6EEE81000-memory.dmp

memory/416-226-0x00007FF6E1680000-0x00007FF6E19D1000-memory.dmp

memory/936-232-0x00007FF6F2F30000-0x00007FF6F3281000-memory.dmp

memory/4392-230-0x00007FF775680000-0x00007FF7759D1000-memory.dmp

memory/2568-224-0x00007FF74F640000-0x00007FF74F991000-memory.dmp

memory/3900-228-0x00007FF6A6630000-0x00007FF6A6981000-memory.dmp

memory/1180-223-0x00007FF76FC60000-0x00007FF76FFB1000-memory.dmp

memory/2180-239-0x00007FF761170000-0x00007FF7614C1000-memory.dmp

memory/1828-241-0x00007FF6B42E0000-0x00007FF6B4631000-memory.dmp

memory/3060-242-0x00007FF708C70000-0x00007FF708FC1000-memory.dmp

memory/1428-250-0x00007FF755360000-0x00007FF7556B1000-memory.dmp

memory/3212-252-0x00007FF619F90000-0x00007FF61A2E1000-memory.dmp

memory/4640-254-0x00007FF693D20000-0x00007FF694071000-memory.dmp

memory/5092-258-0x00007FF6311A0000-0x00007FF6314F1000-memory.dmp

memory/2588-257-0x00007FF7084A0000-0x00007FF7087F1000-memory.dmp
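The memory-dump names in the Files listings encode the process ID, a sequence number and the dumped address range (memory/PID-SEQ-START-END-memory.dmp), and the WriteProcessMemory table records which child PIDs the parent 2396 wrote into. Reading them together shows a pattern: each of the 21 child PIDs has a dumped region of exactly 0x351000 bytes (for example 0x00007FF6A7350000 to 0x00007FF6A76A1000 for PID 4216), the same size as the parent's own image at 0x00007FF7BCFF0000, while the parent's second region (0x0000018FB90A0000, 0x10000 bytes) is a small data region. Identical mapped sizes across differently hashed files are consistent with one executable image dropped under many names, a hypothesis the dumps themselves would have to confirm. The following is an added example written for this page, not sandbox output: it parses both artefact formats, computes region sizes, and checks the correlation. The excerpt is constructed from rows above; the dump-name format is inferred from the listing.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt of the behavioral2 WriteProcessMemory rows above. Columns:
# Description Indicator Process Target; the sandbox lists each parent->child pair twice.
WPM_ROWS = r"""
PID 2396 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wnaeiKy.exe
PID 2396 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wnaeiKy.exe
PID 2396 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ihfXNNC.exe
PID 2396 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ihfXNNC.exe
PID 2396 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OlBBLST.exe
PID 2396 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OlBBLST.exe
"""

# Constructed excerpt of the memory-dump names from the Files listing above.
# Format memory/<pid>-<seq>-<start>-<end>-memory.dmp is inferred from the listing.
DUMP_NAMES = """
memory/2396-0-0x00007FF7BCFF0000-0x00007FF7BD341000-memory.dmp
memory/2396-1-0x0000018FB90A0000-0x0000018FB90B0000-memory.dmp
memory/4216-7-0x00007FF6A7350000-0x00007FF6A76A1000-memory.dmp
memory/1512-17-0x00007FF6C81A0000-0x00007FF6C84F1000-memory.dmp
memory/1920-21-0x00007FF7CE870000-0x00007FF7CEBC1000-memory.dmp
memory/2396-99-0x00007FF7BCFF0000-0x00007FF7BD341000-memory.dmp
memory/4216-100-0x00007FF6A7350000-0x00007FF6A76A1000-memory.dmp
memory/1512-101-0x00007FF6C81A0000-0x00007FF6C84F1000-memory.dmp
memory/1920-102-0x00007FF7CE870000-0x00007FF7CEBC1000-memory.dmp
"""

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
IMAGE_SIZE = 0x351000   # size of every dropped-EXE image region in this report


def parse_wpm(text):
    """Return {child_pid: (parent_pid, target_image)}; duplicate rows collapse."""
    children = {}
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            parent, child, _description, _process, target = m.groups()
            children[int(child)] = (int(parent), target)
    return children


def parse_dumps(text):
    """Return {pid: [(seq, start, end, size), ...]} ordered by sequence number."""
    regions = defaultdict(list)
    for line in text.strip().splitlines():
        m = DUMP_RE.match(line.strip())
        if m:
            pid, seq, start, end = m.groups()
            start, end = int(start, 16), int(end, 16)
            regions[int(pid)].append((int(seq), start, end, end - start))
    return {pid: sorted(v) for pid, v in regions.items()}


def size_histogram(regions):
    """How many dumps of each size exist; one dominant size hints at one image."""
    return Counter(size for dumps in regions.values() for _, _, _, size in dumps)


def correlate(children, regions):
    """For each child the parent wrote into, report whether a dump of IMAGE_SIZE
    exists, at which base(s), and how many dumps the sandbox took of that PID."""
    report = {}
    for pid, (parent, target) in children.items():
        dumps = regions.get(pid, [])
        bases = sorted({start for _, start, _, size in dumps if size == IMAGE_SIZE})
        report[pid] = {"parent": parent, "target": target, "image_bases": bases,
                       "has_image_dump": bool(bases), "dump_count": len(dumps)}
    return report


if __name__ == "__main__":
    regions = parse_dumps(DUMP_NAMES)
    print({hex(k): v for k, v in size_histogram(regions).items()})
    for pid, info in sorted(correlate(parse_wpm(WPM_ROWS), regions).items()):
        bases = ", ".join(hex(b) for b in info["image_bases"])
        print(f"{pid}: {info['target']} image dump={info['has_image_dump']} at {bases}")
```

Running this over the complete behavioral2 listing gives has_image_dump True for all 21 children and a histogram dominated by 0x351000. A child written to by the parent with no image-sized dump would be the interesting outlier: either the sandbox missed it or that process received something other than the dropped image.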