Malware Analysis Report

2025-03-15 08:07

Sample ID 240815-m5tzdsyhnb
Target 2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat
SHA256 f66917555a3646dfcedf582dee6c9ed319ad8f1c6c4d21fe641f1717fee68cc0
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file 2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

XMRig Miner payload

Xmrig family

Cobaltstrike family

Cobaltstrike

xmrig

Cobalt Strike reflective loader

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-15 11:03

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Xmrig family

xmrig

UPX packed file

upx
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 11:03

Reported

2024-08-15 11:05

Platform

win7-20240729-en

Max time kernel

141s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\zoimbdG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kMcuLan.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mjEumXB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\riRpcGJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WdEpZXt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nbeDHKB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BFYcVDk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iCMihrm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tnyhRMF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EpJkHNq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JbrHVMq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YEpuRmy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QMeaOxm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tSWorrF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QoSAoDl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nSfgNBJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\POYvwbu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\alKEITs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LsRkwPG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MiWdPQo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ftegOVj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2604 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QMeaOxm.exe
PID 2604 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WdEpZXt.exe
PID 2604 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nbeDHKB.exe
PID 2604 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\alKEITs.exe
PID 2604 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tSWorrF.exe
PID 2604 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QoSAoDl.exe
PID 2604 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BFYcVDk.exe
PID 2604 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iCMihrm.exe
PID 2604 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zoimbdG.exe
PID 2604 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kMcuLan.exe
PID 2604 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mjEumXB.exe
PID 2604 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YEpuRmy.exe
PID 2604 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nSfgNBJ.exe
PID 2604 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LsRkwPG.exe
PID 2604 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\riRpcGJ.exe
PID 2604 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tnyhRMF.exe
PID 2604 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MiWdPQo.exe
PID 2604 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ftegOVj.exe
PID 2604 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EpJkHNq.exe
PID 2604 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\POYvwbu.exe
PID 2604 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JbrHVMq.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\QMeaOxm.exe
C:\Windows\System\WdEpZXt.exe
C:\Windows\System\nbeDHKB.exe
C:\Windows\System\alKEITs.exe
C:\Windows\System\tSWorrF.exe
C:\Windows\System\QoSAoDl.exe
C:\Windows\System\BFYcVDk.exe
C:\Windows\System\iCMihrm.exe
C:\Windows\System\zoimbdG.exe
C:\Windows\System\kMcuLan.exe
C:\Windows\System\mjEumXB.exe
C:\Windows\System\YEpuRmy.exe
C:\Windows\System\nSfgNBJ.exe
C:\Windows\System\LsRkwPG.exe
C:\Windows\System\riRpcGJ.exe
C:\Windows\System\tnyhRMF.exe
C:\Windows\System\MiWdPQo.exe
C:\Windows\System\ftegOVj.exe
C:\Windows\System\EpJkHNq.exe
C:\Windows\System\POYvwbu.exe
C:\Windows\System\JbrHVMq.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2828-245-0x000000013F360000-0x000000013F6B1000-memory.dmp

memory/2540-255-0x000000013F180000-0x000000013F4D1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 11:03

Reported

2024-08-15 11:05

Platform

win10v2004-20240802-en

Max time kernel

140s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\BQhCHDI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WyGZlYz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UVyedPH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RBLjMRA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SyxnKlx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JDkThKw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nxWPCuc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BKxeetH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ubvshGD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qGunXNt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CTmlgvI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cxBoWmx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xPJxGoI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TwGFYYe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LiVNNkt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AtnPdvm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EmtLUfQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YWllxMg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VicMluU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rMypbHi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OTGiQUE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TwGFYYe.exe
PID 2128 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TwGFYYe.exe
PID 2128 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rMypbHi.exe
PID 2128 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rMypbHi.exe
PID 2128 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OTGiQUE.exe
PID 2128 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OTGiQUE.exe
PID 2128 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AtnPdvm.exe
PID 2128 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AtnPdvm.exe
PID 2128 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RBLjMRA.exe
PID 2128 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RBLjMRA.exe
PID 2128 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SyxnKlx.exe
PID 2128 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SyxnKlx.exe
PID 2128 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LiVNNkt.exe
PID 2128 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LiVNNkt.exe
PID 2128 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BKxeetH.exe
PID 2128 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BKxeetH.exe
PID 2128 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BQhCHDI.exe
PID 2128 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BQhCHDI.exe
PID 2128 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EmtLUfQ.exe
PID 2128 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EmtLUfQ.exe
PID 2128 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JDkThKw.exe
PID 2128 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JDkThKw.exe
PID 2128 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YWllxMg.exe
PID 2128 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YWllxMg.exe
PID 2128 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ubvshGD.exe
PID 2128 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ubvshGD.exe
PID 2128 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nxWPCuc.exe
PID 2128 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nxWPCuc.exe
PID 2128 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qGunXNt.exe
PID 2128 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qGunXNt.exe
PID 2128 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CTmlgvI.exe
PID 2128 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CTmlgvI.exe
PID 2128 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VicMluU.exe
PID 2128 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VicMluU.exe
PID 2128 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cxBoWmx.exe
PID 2128 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cxBoWmx.exe
PID 2128 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xPJxGoI.exe
PID 2128 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xPJxGoI.exe
PID 2128 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WyGZlYz.exe
PID 2128 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WyGZlYz.exe
PID 2128 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UVyedPH.exe
PID 2128 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UVyedPH.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\TwGFYYe.exe

C:\Windows\System\TwGFYYe.exe

C:\Windows\System\rMypbHi.exe

C:\Windows\System\rMypbHi.exe

C:\Windows\System\OTGiQUE.exe

C:\Windows\System\OTGiQUE.exe

C:\Windows\System\AtnPdvm.exe

C:\Windows\System\AtnPdvm.exe

C:\Windows\System\RBLjMRA.exe

C:\Windows\System\RBLjMRA.exe

C:\Windows\System\SyxnKlx.exe

C:\Windows\System\SyxnKlx.exe

C:\Windows\System\LiVNNkt.exe

C:\Windows\System\LiVNNkt.exe

C:\Windows\System\BKxeetH.exe

C:\Windows\System\BKxeetH.exe

C:\Windows\System\BQhCHDI.exe

C:\Windows\System\BQhCHDI.exe

C:\Windows\System\EmtLUfQ.exe

C:\Windows\System\EmtLUfQ.exe

C:\Windows\System\JDkThKw.exe

C:\Windows\System\JDkThKw.exe

C:\Windows\System\YWllxMg.exe

C:\Windows\System\YWllxMg.exe

C:\Windows\System\ubvshGD.exe

C:\Windows\System\ubvshGD.exe

C:\Windows\System\nxWPCuc.exe

C:\Windows\System\nxWPCuc.exe

C:\Windows\System\qGunXNt.exe

C:\Windows\System\qGunXNt.exe

C:\Windows\System\CTmlgvI.exe

C:\Windows\System\CTmlgvI.exe

C:\Windows\System\VicMluU.exe

C:\Windows\System\VicMluU.exe

C:\Windows\System\cxBoWmx.exe

C:\Windows\System\cxBoWmx.exe

C:\Windows\System\xPJxGoI.exe

C:\Windows\System\xPJxGoI.exe

C:\Windows\System\WyGZlYz.exe

C:\Windows\System\WyGZlYz.exe

C:\Windows\System\UVyedPH.exe

C:\Windows\System\UVyedPH.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2128-0-0x00007FF6B40F0000-0x00007FF6B4441000-memory.dmp

memory/2128-1-0x00000281B5550000-0x00000281B5560000-memory.dmp

C:\Windows\System\TwGFYYe.exe

MD5 d29891d28f9b41b99691f11480c54316
SHA1 ff041a346d2630b0c974490b8c075eda8294d13d
SHA256 040c4e73fc45bce44858410b42b1688af04b37835df200a545e46395623f7e43
SHA512 a15e6156c2b99037bfac3c6cb44e66aaeea1bd052230f530ce11fb339858ab1a29a6bf0a7cfb3c6e8da39b7b7997cfc4779e10d525e6c4dfe6d144aaae0d4cd8

memory/4704-7-0x00007FF61DF90000-0x00007FF61E2E1000-memory.dmp

C:\Windows\System\rMypbHi.exe

MD5 fe0b99ed0a2ff39d23d95be076186d7f
SHA1 24c439121c1ae19571906809ecaa8eebbdf2b9b8
SHA256 3be6e74cd931c4b767035f6862173ee7cf6020c0461fda8f2a31c78d711cb31f
SHA512 da3fb7f400343956124781e5cb0e08b1c2dea4737ef58374a2d7b4f329932e2c01fcef25cd9f52b7cf99463c1b3fedde93e334be35971fe8054a06bf1b7f4769

C:\Windows\System\OTGiQUE.exe

MD5 f4679fd0ef402f351821b528e72f9a5a
SHA1 10c3ed3aa5479a9cd2a40f342d19c74b133e7c41
SHA256 952ae56f8343b45a335ea589b05332380d0dca71db4de0b285adeccf2afe6cae
SHA512 c6c850d04dfc037bfa573fc094e7970a8c9f12c8290aff0e0c8202b1592e46d89748da3a921425330aa011bf75a0858fb924705415c404038ffc9d2509c2099f

memory/1900-17-0x00007FF7203A0000-0x00007FF7206F1000-memory.dmp

C:\Windows\System\AtnPdvm.exe

MD5 e1cd4085fc589502685626654fd0c247
SHA1 7a4b8d49088f512de864676d83d24aa2ec052069
SHA256 84dee60f32064dcf08a268d47ab78adf8415b0c7ca4b2ca7cf4c8ba59a46ae88
SHA512 67d26d4a5042d6a55183443aec10f59ad5ae28f75164db707e450e560bdeec072cf3b9718ed99f523afb35eb05356de601b2a25d02a990034c0d7f926e928431

C:\Windows\System\RBLjMRA.exe

MD5 29dda88cf8a07c0e9af52a0293767ffb
SHA1 4783ffb0a67dcf979184671ec9acebf535e4b885
SHA256 5842f14d776c44f1c011a13bceb0479cc51c165807c8347ec871cc9b429cf627
SHA512 6b1d53cf33b816c6980d6f61ae7142ddcfcde2a04fa800cdcb846b90af98dda8266ac17d980e94947febe28dad5c434efa234c90c6bdbd06dd9681ec471c9109

C:\Windows\System\SyxnKlx.exe

MD5 dcca9679b4c0254505aad42878da89b7
SHA1 41f4cc194d66b68bdef3fa0eecd82731d7ed28fb
SHA256 0336771b2657c387696e004433d038f2bf20b09d6be08d863caade676d0fb949
SHA512 fa39316ede6b51fb9b5ac47f1d9619d197946eda5da026b70ccb91d43dd2af083c6556482901e5c8260ae27dca36e9e18d8bf10d3c72d5607d02748b1c5e7226

memory/3640-36-0x00007FF70CAC0000-0x00007FF70CE11000-memory.dmp

C:\Windows\System\LiVNNkt.exe

MD5 34288abdf27ea9c7b9604b29d2d940c8
SHA1 fa96b605105bf3d0da6fa76afa464439a3d3da37
SHA256 b995caf7117ee655a27152453380d52297b1e1c64e26208ffdbb5d7714e97905
SHA512 3c9242a4335652949a4c0537e85a9c64fcdfee970438a691c1adf88967fbbd78dcd415fee9975e7e130b62907e982ff42c380552c7726108f593e31e77cbf7e7

memory/2236-42-0x00007FF708270000-0x00007FF7085C1000-memory.dmp

memory/4724-32-0x00007FF6560E0000-0x00007FF656431000-memory.dmp

memory/5040-24-0x00007FF60CD00000-0x00007FF60D051000-memory.dmp

memory/3452-12-0x00007FF6C4C40000-0x00007FF6C4F91000-memory.dmp

C:\Windows\System\BKxeetH.exe

MD5 b24199dbff77b0d7eb35985afe580191
SHA1 f9fdd4ddc80cedb98fd48e3af8ec9a843dde138d
SHA256 6323446b43b89616bded823736f6582af57d8f4c6aa69b84bcbaae297a99d745
SHA512 9d9f0a65658d579f6209f8a4f019dbda7387207bd1e364889a21f50c1928d0fc40592ce62145ba391cea3d80cf93de15ae0ca68f8f0430bed49aa76dff3f7a04

C:\Windows\System\BQhCHDI.exe

MD5 ce2c02149bc81b24185873c10fb13c93
SHA1 00ef9498872266d0984473189622fec1f539e8c3
SHA256 a98ebab5ec3ea9643a84fdfc94d244333675c4966926b41745a5dddaae56648c
SHA512 72d0c5c50eb4ee414c4b5016de9105aada7ecd79a37a0954d5af9ea5e60348ac1db56c8e985ea70f00dc826a70a22064ea613380d2ba824dff6fdbb43075e349

memory/2128-54-0x00007FF6B40F0000-0x00007FF6B4441000-memory.dmp

memory/4704-59-0x00007FF61DF90000-0x00007FF61E2E1000-memory.dmp

C:\Windows\System\YWllxMg.exe

MD5 0d685b1663910c8fff67ccfa01c0e2e5
SHA1 d280b2276247dabbdcf6e4193f1d00d0eae960f2
SHA256 ff0ac9a092421539d9a3ed17a9d1973b108bf438712feb5a1a71b7ca9941988f
SHA512 1d16f6b7687d838b4282b1eaac3df9822d27682b31e8222ff88a4069de4a138096aeac788f5db7e84a8bf8d096487a75dbc1971051f8be7c23b8ee2b17cad286

memory/3452-71-0x00007FF6C4C40000-0x00007FF6C4F91000-memory.dmp

C:\Windows\System\ubvshGD.exe

MD5 3d8a2d3949b0a1ae4048f43357e5a667
SHA1 1d7f7038ae0653ef65adf01a37ea5f8a881c2746
SHA256 1f73cca652673cc5cc88ed0ee8b67437f1dfd8db381ed25e00c7393a4232158b
SHA512 42df1d6a131832415bcd441ea0382fc11201a392a058408b186018bc2449c62a71e7139eee26106893d37d2b9895600640dc60835ba633d3dc2870260b9f6cc5

memory/5040-81-0x00007FF60CD00000-0x00007FF60D051000-memory.dmp

memory/4724-87-0x00007FF6560E0000-0x00007FF656431000-memory.dmp

C:\Windows\System\nxWPCuc.exe

MD5 1c4bef2c6f3dbba98a231ac4127176d6
SHA1 9c58aa9e7ec669aaf4b7018e1372e72ceee36c84
SHA256 8872839d7653e7cae042d2f6aa223135b9d8f843cd82f38a2c486c39ddfff899
SHA512 4f3446e33c9f91f7c0b3b53efecc941d3b20761bc2a1fcf479ac5881b82eed9d5e00988dfa60350f73957f17faf680efa5bf914a6724a29cb1b00fc39fc13228

memory/3352-88-0x00007FF7B2BF0000-0x00007FF7B2F41000-memory.dmp

C:\Windows\System\qGunXNt.exe

MD5 0b6df975f2b905d4d7711121a5faea7f
SHA1 db3b04928e97b01bc3fbe168d59c958957b59fd1
SHA256 d04b8eb850b0a64ab2703fd6c6d62ebe92b454c3406250fbca232e39dbc07bf2
SHA512 1325346809c3446bb761a30fa017a76d528a92da716a248bc14fc2a3f385a70ac4a2ad97b63ff6b1b3426f541f4d23a04a5f64d64521bd44953b75f99ac2095b

memory/1080-97-0x00007FF70C130000-0x00007FF70C481000-memory.dmp

memory/3640-96-0x00007FF70CAC0000-0x00007FF70CE11000-memory.dmp

memory/1072-82-0x00007FF6E0A30000-0x00007FF6E0D81000-memory.dmp

memory/1900-79-0x00007FF7203A0000-0x00007FF7206F1000-memory.dmp

memory/2440-75-0x00007FF698770000-0x00007FF698AC1000-memory.dmp

memory/4856-73-0x00007FF7266D0000-0x00007FF726A21000-memory.dmp

C:\Windows\System\JDkThKw.exe

MD5 2046b038bb67a55b857f5abd7fd0ff80
SHA1 59de5fc30df012aa7960767b233b32ec5a119699
SHA256 33951fbf44ab9451e37efd93e91001034ed650d1ebda79535da886e461bb8322
SHA512 215362e6c686bf0a095e8eebe6bb57680d301ce33d5774f53065d1dc4a5ab261e77eff3652ff3141d9ec6373424687fbaa4353fe284ebc41271a336cb4d55d4a

memory/1216-65-0x00007FF6C12C0000-0x00007FF6C1611000-memory.dmp

C:\Windows\System\EmtLUfQ.exe

MD5 65633ecea55c5dac2fd04fb7cfc4cf18
SHA1 cd30a6917c74e0042a29a07387bc94e94d69bd83
SHA256 647ba66c14e4d3cd27322119ff331de10aff92c969ff805058e209f78bf65499
SHA512 855c562896536e9d95bb08e7234552db4bd03b421bd93634c3da45415bbf8cf99e5924bfff4dd818e15edbf359904e18a4495b8368b54a9820923e5fc379e92b

memory/1968-57-0x00007FF661F80000-0x00007FF6622D1000-memory.dmp

C:\Windows\System\CTmlgvI.exe

MD5 0e48d145944e2d1579ef51a7fb368722
SHA1 904520fd3f4da4f8fc7e5c27e759ef66d1e25d6b
SHA256 b368f9ac6b68fa937dac4bfc16b2c1d2dc7a994cedd4dd7ba57c4e98c6e876c6
SHA512 5698fb21784e401b9254b56281fed0af8067bfc31f1a5c0c1000592fcdc6cd0bf5e97eaea88f2257889b2cca995581245a674df595b745264a81c8851face099

memory/1968-117-0x00007FF661F80000-0x00007FF6622D1000-memory.dmp

C:\Windows\System\xPJxGoI.exe

MD5 341c0ff9de2e9a58323a3f3864f33c23
SHA1 3dbcc3ae3c8253578f5610653d0f9e58fc541605
SHA256 4b180171a6807ed8100d9caf1ebcf4dea88777763147c0052d301996881dbaba
SHA512 630e871fde6fb699e4457fdd7ddc0cc0546501f8569c711eec1554ea171081bcfc2eb5f83b5370055d11017091c6afaa0f7b8c8ab45aecb91f137a00431d6245

C:\Windows\System\WyGZlYz.exe

MD5 9f7c80cabb9fdd1e322e6fd4e382ced3
SHA1 2492a16e9f36a2fd68ed881cdc0381e9cc235477
SHA256 5c92d0c6b0d223fe9fc879ec14c7b4437390dc543c62c32558c241d616f1b892
SHA512 e87859f700d30d6761b64e619d7164192e885600f28a34a1dd7ccd74a9e0dd959c11c89fd52b434e0a2dc52e4856fdcf504e6796a00898e5020996781f38020a

C:\Windows\System\UVyedPH.exe

MD5 fa9b61391e4062ddc5143448dd668c45
SHA1 06196b3a2217af89bfe1dd6fe06def4050742265
SHA256 769b3b8c763a13fb0d59bd282ffbaea8bf110c66c82da76169b0d07219a62a72
SHA512 106b37a2d0c250e7f78eead8657551e8cdb88ef1ee5760e95ec633077150ffa5731d25a4bc3a53305d02396914755aad28281a5d7224590a5415b6c1fa4d3186

memory/4544-135-0x00007FF688120000-0x00007FF688471000-memory.dmp

memory/976-133-0x00007FF61F6E0000-0x00007FF61FA31000-memory.dmp

memory/2440-132-0x00007FF698770000-0x00007FF698AC1000-memory.dmp

memory/4856-131-0x00007FF7266D0000-0x00007FF726A21000-memory.dmp

memory/4148-125-0x00007FF6A0B90000-0x00007FF6A0EE1000-memory.dmp

C:\Windows\System\cxBoWmx.exe

MD5 98625cdd444bea92433665656f10f7c1
SHA1 37c5f3484ef77e3fd2d3bafefc0222d40cfc233e
SHA256 61ddb084ebc02ff8b3b92605216a3a6285255ae5ece2698bd8d2883a8eaae1f2
SHA512 6c9d0013b92613729ae6c54354b18be366704f77f8e0b6bf01e5522e21585c2cdaf7abdc27716d96c5f3bee682e48baf231352f25dc9cb23c8c05220bfdffb71

memory/1752-116-0x00007FF72F6C0000-0x00007FF72FA11000-memory.dmp

C:\Windows\System\VicMluU.exe

MD5 c156af41f059b255745abc292ff0ef74
SHA1 cf7d47be2f3ae4faf15268127b4c310e4d197d13
SHA256 8815f767e83b2491518de4913c7078d6a999d5200e8196131a1e34c64e200589
SHA512 36b6bd9cda4ca6d1102b88a96e4edc9bdbc2096de9b423324af9f29546834e13ee591b88d145d019833d1765b426b6741c0346dbf5d73d59f24d1c09174d00c3

memory/2376-113-0x00007FF6163B0000-0x00007FF616701000-memory.dmp

memory/1816-106-0x00007FF6A4620000-0x00007FF6A4971000-memory.dmp

memory/2236-102-0x00007FF708270000-0x00007FF7085C1000-memory.dmp

memory/2676-53-0x00007FF6704B0000-0x00007FF670801000-memory.dmp

memory/1072-139-0x00007FF6E0A30000-0x00007FF6E0D81000-memory.dmp

memory/3352-141-0x00007FF7B2BF0000-0x00007FF7B2F41000-memory.dmp

memory/2128-140-0x00007FF6B40F0000-0x00007FF6B4441000-memory.dmp

memory/1080-150-0x00007FF70C130000-0x00007FF70C481000-memory.dmp

memory/1816-151-0x00007FF6A4620000-0x00007FF6A4971000-memory.dmp

memory/1752-161-0x00007FF72F6C0000-0x00007FF72FA11000-memory.dmp

memory/2376-160-0x00007FF6163B0000-0x00007FF616701000-memory.dmp

memory/4148-167-0x00007FF6A0B90000-0x00007FF6A0EE1000-memory.dmp

memory/976-165-0x00007FF61F6E0000-0x00007FF61FA31000-memory.dmp

memory/4544-166-0x00007FF688120000-0x00007FF688471000-memory.dmp

memory/2128-168-0x00007FF6B40F0000-0x00007FF6B4441000-memory.dmp

memory/4704-219-0x00007FF61DF90000-0x00007FF61E2E1000-memory.dmp

memory/3452-221-0x00007FF6C4C40000-0x00007FF6C4F91000-memory.dmp

memory/1900-223-0x00007FF7203A0000-0x00007FF7206F1000-memory.dmp

memory/4724-229-0x00007FF6560E0000-0x00007FF656431000-memory.dmp

memory/5040-230-0x00007FF60CD00000-0x00007FF60D051000-memory.dmp

memory/3640-232-0x00007FF70CAC0000-0x00007FF70CE11000-memory.dmp

memory/2236-234-0x00007FF708270000-0x00007FF7085C1000-memory.dmp

memory/2676-241-0x00007FF6704B0000-0x00007FF670801000-memory.dmp

memory/1216-243-0x00007FF6C12C0000-0x00007FF6C1611000-memory.dmp

memory/1968-245-0x00007FF661F80000-0x00007FF6622D1000-memory.dmp

memory/4856-250-0x00007FF7266D0000-0x00007FF726A21000-memory.dmp

memory/2440-252-0x00007FF698770000-0x00007FF698AC1000-memory.dmp

memory/3352-255-0x00007FF7B2BF0000-0x00007FF7B2F41000-memory.dmp

memory/1072-256-0x00007FF6E0A30000-0x00007FF6E0D81000-memory.dmp

memory/1080-258-0x00007FF70C130000-0x00007FF70C481000-memory.dmp

memory/1816-263-0x00007FF6A4620000-0x00007FF6A4971000-memory.dmp

memory/2376-265-0x00007FF6163B0000-0x00007FF616701000-memory.dmp

memory/1752-269-0x00007FF72F6C0000-0x00007FF72FA11000-memory.dmp

memory/4148-271-0x00007FF6A0B90000-0x00007FF6A0EE1000-memory.dmp

memory/976-273-0x00007FF61F6E0000-0x00007FF61FA31000-memory.dmp

memory/4544-275-0x00007FF688120000-0x00007FF688471000-memory.dmp