Malware Analysis Report

2025-03-15 08:02

Sample ID 240815-mvhtdayflg
Target 2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat
SHA256 d4c62700ce14c4cb710f5e1ba743afd1ca4ba3382b44f802015d66c4f8c05613
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d4c62700ce14c4cb710f5e1ba743afd1ca4ba3382b44f802015d66c4f8c05613

Threat Level: Known bad

The file 2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

xmrig

XMRig Miner payload

Cobalt Strike reflective loader

Cobaltstrike family

Xmrig family

Cobaltstrike

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-15 10:47

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 10:47

Reported

2024-08-15 10:49

Platform

win7-20240708-en

Max time kernel

140s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\UpOWngJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\baeojTc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PTWaTQX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LcetrGR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fkhcBmH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KakYiLR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vgdcLHY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tntKfmH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eQncUyq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jhobuIC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iQqgARr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ceEsHtF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LRiVlnn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XgDRCMC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oXfIjQg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xGcbINp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EYXhYTr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uxHPdGS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GnSYJqx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yfPRbmt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NMaKlvt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2348 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yfPRbmt.exe
PID 2348 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NMaKlvt.exe
PID 2348 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PTWaTQX.exe
PID 2348 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tntKfmH.exe
PID 2348 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LRiVlnn.exe
PID 2348 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eQncUyq.exe
PID 2348 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oXfIjQg.exe
PID 2348 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fkhcBmH.exe
PID 2348 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XgDRCMC.exe
PID 2348 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jhobuIC.exe
PID 2348 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LcetrGR.exe
PID 2348 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iQqgARr.exe
PID 2348 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xGcbINp.exe
PID 2348 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KakYiLR.exe
PID 2348 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UpOWngJ.exe
PID 2348 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EYXhYTr.exe
PID 2348 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vgdcLHY.exe
PID 2348 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\baeojTc.exe
PID 2348 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ceEsHtF.exe
PID 2348 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uxHPdGS.exe
PID 2348 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GnSYJqx.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\yfPRbmt.exe

C:\Windows\System\yfPRbmt.exe

C:\Windows\System\NMaKlvt.exe

C:\Windows\System\NMaKlvt.exe

C:\Windows\System\PTWaTQX.exe

C:\Windows\System\PTWaTQX.exe

C:\Windows\System\tntKfmH.exe

C:\Windows\System\tntKfmH.exe

C:\Windows\System\LRiVlnn.exe

C:\Windows\System\LRiVlnn.exe

C:\Windows\System\eQncUyq.exe

C:\Windows\System\eQncUyq.exe

C:\Windows\System\oXfIjQg.exe

C:\Windows\System\oXfIjQg.exe

C:\Windows\System\fkhcBmH.exe

C:\Windows\System\fkhcBmH.exe

C:\Windows\System\XgDRCMC.exe

C:\Windows\System\XgDRCMC.exe

C:\Windows\System\jhobuIC.exe

C:\Windows\System\jhobuIC.exe

C:\Windows\System\LcetrGR.exe

C:\Windows\System\LcetrGR.exe

C:\Windows\System\iQqgARr.exe

C:\Windows\System\iQqgARr.exe

C:\Windows\System\xGcbINp.exe

C:\Windows\System\xGcbINp.exe

C:\Windows\System\KakYiLR.exe

C:\Windows\System\KakYiLR.exe

C:\Windows\System\UpOWngJ.exe

C:\Windows\System\UpOWngJ.exe

C:\Windows\System\EYXhYTr.exe

C:\Windows\System\EYXhYTr.exe

C:\Windows\System\vgdcLHY.exe

C:\Windows\System\vgdcLHY.exe

C:\Windows\System\baeojTc.exe

C:\Windows\System\baeojTc.exe

C:\Windows\System\ceEsHtF.exe

C:\Windows\System\ceEsHtF.exe

C:\Windows\System\uxHPdGS.exe

C:\Windows\System\uxHPdGS.exe

C:\Windows\System\GnSYJqx.exe

C:\Windows\System\GnSYJqx.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/2348-0-0x000000013F020000-0x000000013F371000-memory.dmp

memory/2348-1-0x00000000002F0000-0x0000000000300000-memory.dmp

C:\Windows\system\yfPRbmt.exe

MD5 84c82d9f9d3f1430755b31f900ab25e7
SHA1 ab5dfd2c1dc5bf8f6620e0232c7a097964b7540f
SHA256 a9ea53a0957172ff49b7f590f75cd672809bb6a1edc156268e0869bf0f55127f
SHA512 bc93c7fd5a80db0b8b497291d888b7ade2c6ad629c09d39ad5011fab913d27871556be500aa2165da31d7348bd57ed00e4e7cbe214635fd683fd589272facb6b

C:\Windows\system\NMaKlvt.exe

MD5 c128fbf632fefa24be18346c4c206a2b
SHA1 2ad1d50a35d72d8c03d6b80adfa00e373e0ba115
SHA256 27640af7bd126364cb73d26c00a4e60fae38f32666f107e45e6435d9514516ff
SHA512 b303461959e10827a147c87bb2ab87e7456c7a4c0bc6a2912e261d1c509d0e713cb61d7e8da439bf3d288bb771136a09af33bb3a743cf3f4a85b06d87426c95d

\Windows\system\tntKfmH.exe

MD5 1e2d4ce41afec4b84fe5569ae7bc6b00
SHA1 f4e246b29113366f9fd182ad4eae5b09363598c3
SHA256 45587ee7d18628d5ecf66b4dd0d15bec4c061d134ba15623b559f0a411281e16
SHA512 c4844bcbc438eb6d8ec71721e5d4f157a8eafd22e640499bb61395c5c7d48b6d4920f9919cf3397c46f880aa7be820f001cae0fd0c1357fcd78cd8acf2562fa3

C:\Windows\system\PTWaTQX.exe

MD5 f5b96beb65e0b0890ddd46860600a273
SHA1 5dc61e4cd75352898b1042beab42fa56f92468da
SHA256 1d98f5032ad40b772f097c2128773476dfa5e80283d00d0eac5a6070559fcc33
SHA512 8bf5f7f7503769f0c2ee6f6ab72f0ce6b942c5c209ad2146e1344f9b2781af5fb30bf091e7059b008de4387f4988975706eb41563330e800277da7ab5e2a8751

memory/1540-39-0x000000013F750000-0x000000013FAA1000-memory.dmp

C:\Windows\system\jhobuIC.exe

MD5 a2d8bb2452ae3a2150d73fccc29f3622
SHA1 3c331c34268f7b271fccfd665fbe99cb38a681ba
SHA256 414018545bab3a691be7e7951f7d5fccca56a3a12e92be01f1d539e9123c1b91
SHA512 08b1ee7bdb48237c9d5c63955c8e058cebacab885effaf16a89afc95a452553ce48c96a8201242f2366ebfbf63fed1c5112f3803bed45964b15c4d9a7096e6b2

memory/2760-67-0x000000013FC90000-0x000000013FFE1000-memory.dmp

C:\Windows\system\iQqgARr.exe

MD5 4db8fca3fe47ee5c20615f5997ad4143
SHA1 8666503a23b44917abaa2dfdaae977ba8a00faba
SHA256 091161bc7e399d1dea5e35bdb4582755a35815a9791b3303a13e49b58983ad47
SHA512 1b8e40e2f3a17af0972474b9493f252c5bdddbf507772af23531042bd7aa9bd1b2ccb203de313ffc08cddddacdf312b031ea57ec0f47e1cfe09514b52dd5cb6e

memory/2196-81-0x000000013F290000-0x000000013F5E1000-memory.dmp

\Windows\system\KakYiLR.exe

MD5 f463c9354ca000200ad33bcbffe76e56
SHA1 6eba92b84f3f808034e36eb439919fcf6edbf5a2
SHA256 02169a3619bdbbca8263689a16c7d9993fc6a5ec63b8eea7c7176e2ece6ef59e
SHA512 835954f4eac683f42b274f4081c408b2dbea6b2ac7bb05c8bdabe45df87a62bf9be1963dbf5e8b3b1a870745757865b789a0ff7655005f5367f6e7dc2c73567a

memory/2632-98-0x000000013F530000-0x000000013F881000-memory.dmp

\Windows\system\uxHPdGS.exe

MD5 597c12b0d6ceb613ea1da05cf1805d6f
SHA1 9be7a1dc7f9cd870d800551c7672d1fbf1f5f856
SHA256 a51af65a474421ba9305c07a76b8e221134d772a6c269d74986a91a39451c493
SHA512 0651d86b6a5732adbda55cbf5c5db8fc89969a4ef098bbd645ea2b73f71b92220355801385506fbd133f5d9d1e6c0b409c9e58e751f6f5b2e4c4dba89a932015

memory/2308-131-0x000000013F2E0000-0x000000013F631000-memory.dmp

C:\Windows\system\GnSYJqx.exe

MD5 457ba196f969307b14948aa8c575195e
SHA1 4e0348443aef068271d6ab8bc5096e40efdf22ca
SHA256 963cd19da4704730a92c9d298139f3482e431598497f233ec1dea900243a2088
SHA512 5a5e503af588509af91de67ee3bbfcb7a1577534c52627c02508e3f1d636643e7068d1762fb3a45e9dec31393dec3da60aa029d640c307e75ae6e758b332c7c7

memory/2348-127-0x00000000022D0000-0x0000000002621000-memory.dmp

memory/2348-126-0x000000013F950000-0x000000013FCA1000-memory.dmp

memory/2608-124-0x000000013F050000-0x000000013F3A1000-memory.dmp

C:\Windows\system\ceEsHtF.exe

MD5 5b0888ce20cc7961cadcd45b1d4411ba
SHA1 bba8acb4a0af10796497356cbad7aae64c5b96f9
SHA256 cdf44f0ae3346c73e76e1719479a6a95c146c8cdd8f149479d07c2d0ef5d4956
SHA512 8f4de7504216daab5168a0f930a81b8b7b8fdfe7a653d523a52705f13d817e28eb384f8230788b8bedc3ed94bda4cf697b960fab472bde31151774031bf2651e

memory/2348-119-0x000000013F390000-0x000000013F6E1000-memory.dmp

memory/2348-108-0x00000000022D0000-0x0000000002621000-memory.dmp

\Windows\system\baeojTc.exe

MD5 e1a15268ecd09cdf856c974e72a4fe6b
SHA1 4b76ff5b2009550bb7d98021dc74c9054958b1c1
SHA256 3ec3bcfd7f9d0163db349ef6ccbb76a22e5868e03dbfa4b76611d0ca194a3c35
SHA512 5df26c7f139cd586857d3ce8a082cacd97f40bb2444d4d0b8950ace62c9a029509fa179bf0c26b6573be38e9e28866ddc8c5386907717229e22701d98ba64a85

C:\Windows\system\vgdcLHY.exe

MD5 01e15cda26bd52002a186a357d616ea5
SHA1 844576d7b308942b35881ab97d9c3ba1213395bc
SHA256 7771a10dee5fc16b50245c47f410c44d76380f99d42c07fb7bdbd6eb75b5f95c
SHA512 a10333d8b623ef80939a676c1da0230fb4987bed8eec6725491baae42e59c335436b4b3a954b049285bdbd22a912229aa327662a6eb16f2695ac9b97fd3616f7

memory/2652-112-0x000000013F950000-0x000000013FCA1000-memory.dmp

C:\Windows\system\EYXhYTr.exe

MD5 14d1b94e7e3556c17e04238cebca6e4e
SHA1 5a54e5ae8baf586902ed9f421052c3dc904514b6
SHA256 98835fb7dcb12866ffad43b5c7cdffd105852ee207153eac228e8aab272eb32f
SHA512 965c6defb8d10db6261b2d095848082ae9565a60127b1d0ca22ad1d1281b4a4209d2792875df483599f366e3ea23a9b723fa50dfb81ea4ed757c1a2b6e2ea2f0

memory/2920-94-0x000000013F6C0000-0x000000013FA11000-memory.dmp

C:\Windows\system\UpOWngJ.exe

MD5 e7a68c7f8b0614bcb69dc8b38fa68b9f
SHA1 2e79aaa1b7820536536017ac639ee6e5c29a3c33
SHA256 092b3259a48edc58f12540c11b2cb1521884b302e9eedfae3157df9f14841a03
SHA512 1187dbfee5b55415276c207b83b54460fbd6e77a88dbbd8f71506c8fcc42a1a55fdd510161d4eea5d748e4432972ea3c364e9b9c02a00df98f586f125340eb07

memory/2732-84-0x000000013F260000-0x000000013F5B1000-memory.dmp

memory/2348-83-0x000000013F5C0000-0x000000013F911000-memory.dmp

C:\Windows\system\xGcbINp.exe

MD5 2eb1fb4211178ce768b21a477bafa3de
SHA1 2a4eb3459bde4bc0859c2c994a684f5c499b8af5
SHA256 13d0922b19a4c9366a74cbc8c6033c639da2e0f5f2d4909c56b33bf3b77c1cd4
SHA512 1342f5f5b15b45f3b4729776aade2be37cb5d98350652fa3b06def0d8bb621ec5e39f326545f8df48913aa1ba536bf13464ed0bd387574426649da77c504ce7b

memory/2348-74-0x000000013F530000-0x000000013F881000-memory.dmp

memory/2852-69-0x000000013F5C0000-0x000000013F911000-memory.dmp

memory/2348-68-0x000000013F6C0000-0x000000013FA11000-memory.dmp

C:\Windows\system\LcetrGR.exe

MD5 f5232f3a0a48517980df52a9dbfd8f8c
SHA1 f713d1510d837c3bf380e9d3974a17ac92781c12
SHA256 010e2485772b686cd50ec7fafe2bb383b6d308486bca097debf4597fbc267487
SHA512 7ed91ece28c22d844c2e06c1b0dd06a87bb06872ee0033c5b59bea8699d3e02e9f2ab72d6e010494d7d3cbe9176f7b50ea7b8cdda6517939d709ce4182d538a5

memory/2736-62-0x000000013F6C0000-0x000000013FA11000-memory.dmp

memory/2348-59-0x000000013FC90000-0x000000013FFE1000-memory.dmp

memory/2348-57-0x00000000022D0000-0x0000000002621000-memory.dmp

C:\Windows\system\XgDRCMC.exe

MD5 ea1c61220d0445c7e1559ca662dbe0b3
SHA1 e89abb2861a5d12ef5322bae0d6193cd88bc9aa3
SHA256 8f55d8941a42ac547c4698827849dee3d1d0b5efb514b6b88db10f0181d9cda0
SHA512 79ca0c28e8dae812f383675c4b32ae6d07a9002548e9f375abcefcf80e436f59a2ab293c47e6f406b4d09931ea451110700869d1c7a25d67dc45926d6a3150bb

memory/2436-54-0x000000013F5E0000-0x000000013F931000-memory.dmp

C:\Windows\system\oXfIjQg.exe

MD5 a93dc31ec81a70c40150ec0ee758fce1
SHA1 a4443a86d50c3b3ef2eeded2028450b80f41da2c
SHA256 c5f198ac76c49a6ed17c37ab313b736505be50f71196b1fe0a16520e0ac2c69a
SHA512 b35af5f12711883d0458701c07b4e4a799fd2d55bb3edc274661498b1ee6a8814786e25c657fd285e9f2e1ea90610e159f0785fc42aea5432412901a0433ee64

\Windows\system\fkhcBmH.exe

MD5 9bf0636201b41a9127be009c1bf0f498
SHA1 c8a663055581f494d43db2975d7ec38d376b9a69
SHA256 62c4d91bc52a84a11f9a31b42cb633ff605f71151b91080efededeb42515ca91
SHA512 cba8d34e7a64d4b6e3fda10b3a1b70f4eb1a22807eaf99dbc7923151ad0f4728e3f76fa2e193272d878cf479510719bf27fb343f3bb8a3bf0bd52ba635a53bad

memory/1264-34-0x000000013F100000-0x000000013F451000-memory.dmp

C:\Windows\system\LRiVlnn.exe

MD5 99416f41d15aa8392668f8ee874a70cd
SHA1 08c1fbfd1368bbdb08f4aee034fb75ce3fe10b5e
SHA256 2bd91dbb9544b0ec9aa2105cbff6726725dae9505f34e447e52647ba349f1e5b
SHA512 d2910019d09909c6a1dafc265c84f37bc8b7dc3d8846f556bf68536cf0cde2f526d2a5906769cb8d83c299327a19df7ae33d72b545dfabdd00067bd9149615e2

\Windows\system\eQncUyq.exe

MD5 15a34481930b332c65e72481fd2c6d17
SHA1 1f5c7bf0ab850e92779a10f78f260d987f4dad33
SHA256 d7e75d8d621556d3a2e9b9908bb11d399fa027c61d62405bfe7832ec932eb1a4
SHA512 364ad67f904896289e040573d59500a5ed1c17e2d73f020db8532514eb8c457480b4823dfc5750c54fc48ed4c215e3e9af7f85920c7cf0f99c1c0c5f2dda92fd

memory/2348-29-0x000000013F5E0000-0x000000013F931000-memory.dmp

memory/2520-24-0x000000013FE00000-0x0000000140151000-memory.dmp

memory/2348-22-0x000000013FE00000-0x0000000140151000-memory.dmp

memory/2348-8-0x00000000022D0000-0x0000000002621000-memory.dmp

memory/2348-133-0x000000013F020000-0x000000013F371000-memory.dmp

memory/2348-134-0x00000000022D0000-0x0000000002621000-memory.dmp

memory/2348-135-0x000000013F020000-0x000000013F371000-memory.dmp

memory/2348-142-0x000000013F390000-0x000000013F6E1000-memory.dmp

memory/1312-156-0x000000013FD00000-0x0000000140051000-memory.dmp

memory/1900-153-0x000000013FDC0000-0x0000000140111000-memory.dmp

memory/640-157-0x000000013F0F0000-0x000000013F441000-memory.dmp

memory/1608-155-0x000000013F270000-0x000000013F5C1000-memory.dmp

memory/2624-151-0x000000013F390000-0x000000013F6E1000-memory.dmp

memory/2840-154-0x000000013F670000-0x000000013F9C1000-memory.dmp

memory/644-152-0x000000013FF40000-0x0000000140291000-memory.dmp

memory/2348-158-0x000000013F020000-0x000000013F371000-memory.dmp

memory/1264-225-0x000000013F100000-0x000000013F451000-memory.dmp

memory/1540-227-0x000000013F750000-0x000000013FAA1000-memory.dmp

memory/2436-229-0x000000013F5E0000-0x000000013F931000-memory.dmp

memory/2520-231-0x000000013FE00000-0x0000000140151000-memory.dmp

memory/2760-235-0x000000013FC90000-0x000000013FFE1000-memory.dmp

memory/2736-233-0x000000013F6C0000-0x000000013FA11000-memory.dmp

memory/2732-241-0x000000013F260000-0x000000013F5B1000-memory.dmp

memory/2196-237-0x000000013F290000-0x000000013F5E1000-memory.dmp

memory/2852-239-0x000000013F5C0000-0x000000013F911000-memory.dmp

memory/2920-243-0x000000013F6C0000-0x000000013FA11000-memory.dmp

memory/2632-245-0x000000013F530000-0x000000013F881000-memory.dmp

memory/2608-247-0x000000013F050000-0x000000013F3A1000-memory.dmp

memory/2652-249-0x000000013F950000-0x000000013FCA1000-memory.dmp

memory/2308-251-0x000000013F2E0000-0x000000013F631000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 10:47

Reported

2024-08-15 10:49

Platform

win10v2004-20240802-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\RGEUvyy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GlERwev.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dbaSZMn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\irwDwOO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CvJnVpm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zbULbuk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LAqrZoH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PtvhuVC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Wcspvex.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CeNKpNX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\StcJlJV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VSgnHQo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YaWXOzc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ItacToq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hChkuld.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\btmDWwy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PiPAFYI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iQiFUZI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CWIzEZN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cqouLGi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EsLbEoe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4776 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EsLbEoe.exe
PID 4776 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EsLbEoe.exe
PID 4776 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CeNKpNX.exe
PID 4776 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CeNKpNX.exe
PID 4776 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hChkuld.exe
PID 4776 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hChkuld.exe
PID 4776 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CvJnVpm.exe
PID 4776 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CvJnVpm.exe
PID 4776 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zbULbuk.exe
PID 4776 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zbULbuk.exe
PID 4776 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\irwDwOO.exe
PID 4776 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\irwDwOO.exe
PID 4776 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ItacToq.exe
PID 4776 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ItacToq.exe
PID 4776 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RGEUvyy.exe
PID 4776 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RGEUvyy.exe
PID 4776 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\btmDWwy.exe
PID 4776 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\btmDWwy.exe
PID 4776 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PiPAFYI.exe
PID 4776 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PiPAFYI.exe
PID 4776 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LAqrZoH.exe
PID 4776 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LAqrZoH.exe
PID 4776 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iQiFUZI.exe
PID 4776 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iQiFUZI.exe
PID 4776 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CWIzEZN.exe
PID 4776 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CWIzEZN.exe
PID 4776 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PtvhuVC.exe
PID 4776 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PtvhuVC.exe
PID 4776 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\StcJlJV.exe
PID 4776 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\StcJlJV.exe
PID 4776 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Wcspvex.exe
PID 4776 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Wcspvex.exe
PID 4776 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cqouLGi.exe
PID 4776 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cqouLGi.exe
PID 4776 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VSgnHQo.exe
PID 4776 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VSgnHQo.exe
PID 4776 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GlERwev.exe
PID 4776 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GlERwev.exe
PID 4776 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YaWXOzc.exe
PID 4776 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YaWXOzc.exe
PID 4776 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dbaSZMn.exe
PID 4776 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dbaSZMn.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\EsLbEoe.exe

C:\Windows\System\EsLbEoe.exe

C:\Windows\System\CeNKpNX.exe

C:\Windows\System\CeNKpNX.exe

C:\Windows\System\hChkuld.exe

C:\Windows\System\hChkuld.exe

C:\Windows\System\CvJnVpm.exe

C:\Windows\System\CvJnVpm.exe

C:\Windows\System\zbULbuk.exe

C:\Windows\System\zbULbuk.exe

C:\Windows\System\irwDwOO.exe

C:\Windows\System\irwDwOO.exe

C:\Windows\System\ItacToq.exe

C:\Windows\System\ItacToq.exe

C:\Windows\System\RGEUvyy.exe

C:\Windows\System\RGEUvyy.exe

C:\Windows\System\btmDWwy.exe

C:\Windows\System\btmDWwy.exe

C:\Windows\System\PiPAFYI.exe

C:\Windows\System\PiPAFYI.exe

C:\Windows\System\LAqrZoH.exe

C:\Windows\System\LAqrZoH.exe

C:\Windows\System\iQiFUZI.exe

C:\Windows\System\iQiFUZI.exe

C:\Windows\System\CWIzEZN.exe

C:\Windows\System\CWIzEZN.exe

C:\Windows\System\PtvhuVC.exe

C:\Windows\System\PtvhuVC.exe

C:\Windows\System\StcJlJV.exe

C:\Windows\System\StcJlJV.exe

C:\Windows\System\Wcspvex.exe

C:\Windows\System\Wcspvex.exe

C:\Windows\System\cqouLGi.exe

C:\Windows\System\cqouLGi.exe

C:\Windows\System\VSgnHQo.exe

C:\Windows\System\VSgnHQo.exe

C:\Windows\System\GlERwev.exe

C:\Windows\System\GlERwev.exe

C:\Windows\System\YaWXOzc.exe

C:\Windows\System\YaWXOzc.exe

C:\Windows\System\dbaSZMn.exe

C:\Windows\System\dbaSZMn.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/4776-0-0x00007FF603A70000-0x00007FF603DC1000-memory.dmp

memory/4776-1-0x00000269BE3B0000-0x00000269BE3C0000-memory.dmp

C:\Windows\System\EsLbEoe.exe

MD5 a0c3a5ab8d453327c8608b2b46dc0c08
SHA1 86b34be6674f2dc58de63fd34a10485f19374cb4
SHA256 78cde5e640e0ef696a87b54dae53064196cc2a2b9ac5b206b1e84cb7aa0a7315
SHA512 649307f0db47391468f2a134de02e42ace6ad53f22dff3fb45d678ed30b81107df4cf26e5ce243e0b34c7a7ad4c16d8bd55312e63810d016750ecc2738f96389

C:\Windows\System\hChkuld.exe

MD5 ff05741375a2972d36cc9c8af4313f41
SHA1 155377141c92bc3e6ed3c2158dbb02091b56d274
SHA256 b105ddba92213e1e170bee0f645f08d995fdf5a3b7ffd4e01291bd2be1f73882
SHA512 05e415024491983ce6b1cfe4890deb5519a2ab0150fe8a047179047b7e89cbce888eeabb72141aefb33c8ad8356ea36e872f77ec78543162024e121a19084c37

memory/5008-7-0x00007FF73F980000-0x00007FF73FCD1000-memory.dmp

C:\Windows\System\ItacToq.exe

MD5 0d9c85f7b68d90ab2e86679346d16269
SHA1 99e8e92676b36659d12fbe2e5df930353a0685e4
SHA256 49ab13a354524078f627f7ea96fdf19a6f2418f40ff97983306bc4b9ae736e67
SHA512 4626aba9a1296ccebdea3d53b73e98cdf6d40f9a5bffc318afc8a783e387c4cca70772d67dd0e35a4779897788a93d9fa26cef62f5c1d7f7015a78783e1abf95

C:\Windows\System\btmDWwy.exe

MD5 820fa2eecf656135c42b0e6aa3e2439d
SHA1 53dc66f4a0c3051862c9c0e964ae65b691ea6043
SHA256 8ba9a557fbbcde6b878b65bda463240a53e5a532ee68c7a70801442a981954c8
SHA512 442ec9edcaf11cb78d69fe33d86691c2b5367f6b565f0e04a9ea81b14f466b885fac9ab05dc132904c8bbc1ace2ec574b85359fca29f3e3d079d2c2198ab89c9

memory/4188-58-0x00007FF79E0F0000-0x00007FF79E441000-memory.dmp

C:\Windows\System\CWIzEZN.exe

MD5 ed68b0ce7914f16b4646a4ef7270c436
SHA1 1a4cdb18530e939b82dd3d38aec9648f198e523d
SHA256 e3f7edf7abaeb83a8394291e0690ce2b2527fde605687c88a451adba6c538087
SHA512 c15bc83f71ac91727a284b12b50ba4345f3d6f16bf8c1046becfa3abda6be9130b1ff2ce978d15839d61b42d0cd03813844117c3ce102fb56d9481e285404bc7

memory/2800-75-0x00007FF773350000-0x00007FF7736A1000-memory.dmp

memory/5108-89-0x00007FF6AF3B0000-0x00007FF6AF701000-memory.dmp

memory/1688-91-0x00007FF7D1440000-0x00007FF7D1791000-memory.dmp

C:\Windows\System\Wcspvex.exe

MD5 b9d9427f619b23eb4ba2ccf932f99c11
SHA1 41b867b1055422f6ba8b1b2c5e71e5e30a7d81a6
SHA256 1ef26c2c3d59ad8a9ee68a9281badd34ccdc99b776fbc9821b1e9c4abc97b220
SHA512 ecdc3e39a0d7a51d1c3bd05bd561252370fc8df5a524e803dc48512212fadf6c2dc92a9b8eac281b639c1ddfe08884b040806e5b1dc197b316d3b7714d1f3021

C:\Windows\System\StcJlJV.exe

MD5 3d2e53b2338b6e3bd1c8f6376fefaedb
SHA1 620a1a2badf14059364ecb8127dcc58bc9eab4a0
SHA256 3e72f4b1e6a922a21a958665a4a3769f16574222fec88ea0952151aa6deac7dd
SHA512 ed9132a1ac71957ecaa5419e8732986934bf882722811ff38a2d409d2b19db2c69ec93cdd154c0431e9a8521b58cb76698fd09a4e84a1364b784008aae560b63

C:\Windows\System\PtvhuVC.exe

MD5 d62da8969782055141d678464d9e9ff1
SHA1 6718c88be155e517e86e89f68385f950d0a10468
SHA256 6ce3e4e581f999b4ac5a3177e6063bd87c5c2e71bb1ea93ff041ae841878ed61
SHA512 4631f4f9db494febafecbae65ad06b7e052c6f4146cf6f52c48fab8351944c34f107214ee8f4029f2bbec75c491477aa7629fcc35d99ee13fc090271f067ccda

memory/1108-92-0x00007FF7B6950000-0x00007FF7B6CA1000-memory.dmp

memory/1544-90-0x00007FF690790000-0x00007FF690AE1000-memory.dmp

memory/1476-81-0x00007FF75E650000-0x00007FF75E9A1000-memory.dmp

memory/3876-74-0x00007FF72D360000-0x00007FF72D6B1000-memory.dmp

memory/3824-73-0x00007FF67B180000-0x00007FF67B4D1000-memory.dmp

C:\Windows\System\iQiFUZI.exe

MD5 a47e02257fc0fba200b7432b7abe9c71
SHA1 6a041d3cc78b8871e5bed9a5c8a4ad98c472db63
SHA256 4deb060b1e9ed93c83e0504f8c3132c826818a94a85d1d70f939a611cbbcc15e
SHA512 3ad9fd3ca3e76db76e42607f31e490b92ebe49a67264a3e68b5b04dd475937e9c2b3175e51cddf315d1bfd1992c3d5569bb5ddb1850a2572339607c9d15f4356

C:\Windows\System\LAqrZoH.exe

MD5 2b368e319fc2f79d3eb303d4b860bf6f
SHA1 d3d90e62b57ff6eb9591deb34330db951fe02cf7
SHA256 789f137965c5f518314be17151aa35870cd600aae79c2d34b6f6a2971b7ae0e0
SHA512 2e895d8b6ea2c9260a6b4c9d8cbea6866c97dc3f2c37d49e10a4604b1b9f5a80783c520913e7e049d192462f67e2230680531da703ae95ae143bcf61fd46e0da

memory/4356-68-0x00007FF78D6A0000-0x00007FF78D9F1000-memory.dmp

memory/2436-65-0x00007FF626C30000-0x00007FF626F81000-memory.dmp

C:\Windows\System\PiPAFYI.exe

MD5 8d611548a2902d111580dfa163dfa84a
SHA1 c232a71c39868c1dc7b8fe6b2018fbef53e49912
SHA256 ca6dc7e7f58dc74208bab4eee59ff5ee71754a8789c942a87e2b4c8e7dd6518e
SHA512 ebc1c7461120ad4c5e7e61b4f5f6630740266781ffd1c59ba794f21ba384f171219ba447a642daaa5c01b4da8540f0ef896f2317e004e70c1cb24bf6f44d2e65

C:\Windows\System\RGEUvyy.exe

MD5 77f45e1df61c7ea0efbb6f4baabffd98
SHA1 579ca46ff92fc63dfe7d5d52546d7cde4342487a
SHA256 d0380ad67060232419959d643743d9272e80e2f8d493dafcd0c53db94aee7284
SHA512 a08ec46d98559c44fe4601f76169bc1101b1d4065bcc702a4372ca4203a637c8bd08bd15a2b5c0cb397d47806e0c5b7d2dd6ff66ad062b45fc9921335fc59e68

memory/452-45-0x00007FF762820000-0x00007FF762B71000-memory.dmp

memory/2680-44-0x00007FF712210000-0x00007FF712561000-memory.dmp

C:\Windows\System\CvJnVpm.exe

MD5 83231076ee7cb8395ae2ff8dbf3605e7
SHA1 519ad80bd18f8135b9f77a79fb0635e5f153f83b
SHA256 4a42a675aa89e9207c17bdcd4cb80ed9d45f21926ecf000121c14d874a85f5df
SHA512 5c0c85657440b1720f3415b93db000e87b02cdb2f92e1438c6ad422a35f7e716149123d9749c0f20b5fa508b2fbde8845e2628a2c6e5e9d6658ea673fed58c01

C:\Windows\System\zbULbuk.exe

MD5 732e76121a988cc066a3426e6c339599
SHA1 aeafce5a654334bf3da08d8f59dd9419c9b90a99
SHA256 471aea48ad8537d8b89a3c62f35b7c5e664fa90f7e0bab960b1a3962505002f8
SHA512 8f129b2d3e06d02bff7e1f7962dc5319f55763f35470277765df96f788d0e85efa932087f19e6973fbfdb75ef9d10ce51a58bc761d19d3b466560b2733538096

C:\Windows\System\irwDwOO.exe

MD5 755c21475c8bca45181803dd7ed09c8e
SHA1 fc563134b72ee4e8e6c4511fc1b32d6c085115d9
SHA256 1f1bd101e25b682885b63fb85bf3e0d2f6777927dd38f010997f97f5dc363b64
SHA512 1ae63c9e5998bd6b19fab8b14d5183a935f9da7658b2609b9c4cec2b35385c2838f204c9f1740a8c30e58e0690e9524c7ca1d29849e4ab02434c478975642152

memory/4700-24-0x00007FF685980000-0x00007FF685CD1000-memory.dmp

memory/3704-20-0x00007FF638F10000-0x00007FF639261000-memory.dmp

C:\Windows\System\CeNKpNX.exe

MD5 fe07916af8c6ff237597c8d2df8b24ea
SHA1 84e0b3ff184a9dcbb66e65e0d826fc621f3fe5ad
SHA256 e4cebbe2702df29b7a24ceeed00e739aaa3279f6f343251671500a9765dc4843
SHA512 777bcdea4e93fc35a2ef721e053093af4d044f79cefe584720270b1cce63ce62a1191f6c8750b3685d612a06cb06334ddd75e311bef7594ad4246e99b0bec777

C:\Windows\System\cqouLGi.exe

MD5 4ab2a5f992814eb6a1c5a56a9070f590
SHA1 db02c344d78d9e3d24b17371bd60a453bd9f6a54
SHA256 e664a88e4dd453757f1478c6a9d1d274eef543898c938ac191d856d58a3fd248
SHA512 69697c9697f89c8d2e5175830fc6c0e8fcc3f9ccb4fbe0fde695a7215be990e8449f2e828f3cd31a8aa405f8d4f5898fcc1aae596bbf1458615c3c8a57eb56a5

memory/4776-102-0x00007FF603A70000-0x00007FF603DC1000-memory.dmp

memory/5008-108-0x00007FF73F980000-0x00007FF73FCD1000-memory.dmp

memory/3704-117-0x00007FF638F10000-0x00007FF639261000-memory.dmp

C:\Windows\System\dbaSZMn.exe

MD5 d148de388d07d644c3dccdf447487fcc
SHA1 f144ef5db12d1bc3a630cd5bfb19cb476b2500dc
SHA256 735ac8a1f838186137639955d7385bfa038626112ecd7c09131b09413b3f5dd4
SHA512 57f6c8377f5572ba016c60efe747e43cd84895b5f993459cb4a37583b3254d253dadfabd94e08c23bc7349ceba380efc6c1f5c926c6d736b5abed50ce831758a

C:\Windows\System\YaWXOzc.exe

MD5 6f9abaf6164a41e136533295856e93ee
SHA1 be4dae08ffc68ae325c3b5ea19df64da885d3cfa
SHA256 159fee32e2fbfa1889c98c9fd280c58641663fcfcceeecf438cf10b550cc3349
SHA512 073406de243747b719c554b9bcc714f3595b67049fe3528236c8cb649c69ce044f3590167542ccc7f3d57d8ed533015b80d4f26626a0443b62ab0bde693820a9

memory/4700-122-0x00007FF685980000-0x00007FF685CD1000-memory.dmp

C:\Windows\System\VSgnHQo.exe

MD5 cb71e8901fca9b86d02ffeded67cc076
SHA1 aa915ec87f2a3c7419043ef1357d7020b24fd81e
SHA256 9362af382ad50f7d59e2d9db3aa844caadc5b5981dba9bd219aebdcd8be0243b
SHA512 263d01f0304dc1bdb118053571b0ff223e04826329261afb4885690e71e4892f410872f8725ffd84030f4acc42b0c0b8f5b6485b660b9b0c71f802559ea01320

memory/4832-116-0x00007FF7AE260000-0x00007FF7AE5B1000-memory.dmp

memory/2680-131-0x00007FF712210000-0x00007FF712561000-memory.dmp

memory/3964-129-0x00007FF644AA0000-0x00007FF644DF1000-memory.dmp

memory/4064-139-0x00007FF696030000-0x00007FF696381000-memory.dmp

memory/2792-137-0x00007FF7D63B0000-0x00007FF7D6701000-memory.dmp

C:\Windows\System\GlERwev.exe

MD5 e9f7ce3fb4022878f68dc4bcc7acf9e6
SHA1 854083c259949670e81c34bb3c2fccec74ce92ba
SHA256 c3318d83be603f011e5bded6fa6d7fe3a7108327c8e61305e357965d15e94261
SHA512 c1efd3cf92fe4daaca3ffc229e7057225503bcafe4fff8c1a1b6b77ec7f7b829ee64e5b569616bed19c5a853f7b0f98f19e5431278ad3373c6c7431d23714819

memory/4972-105-0x00007FF64AB20000-0x00007FF64AE71000-memory.dmp

memory/5108-141-0x00007FF6AF3B0000-0x00007FF6AF701000-memory.dmp

memory/4972-145-0x00007FF64AB20000-0x00007FF64AE71000-memory.dmp

memory/1688-144-0x00007FF7D1440000-0x00007FF7D1791000-memory.dmp

memory/1108-142-0x00007FF7B6950000-0x00007FF7B6CA1000-memory.dmp

memory/4356-140-0x00007FF78D6A0000-0x00007FF78D9F1000-memory.dmp

memory/1544-143-0x00007FF690790000-0x00007FF690AE1000-memory.dmp

memory/4776-146-0x00007FF603A70000-0x00007FF603DC1000-memory.dmp

memory/4832-147-0x00007FF7AE260000-0x00007FF7AE5B1000-memory.dmp

memory/4776-169-0x00007FF603A70000-0x00007FF603DC1000-memory.dmp

memory/5008-200-0x00007FF73F980000-0x00007FF73FCD1000-memory.dmp

memory/3704-216-0x00007FF638F10000-0x00007FF639261000-memory.dmp

memory/4188-218-0x00007FF79E0F0000-0x00007FF79E441000-memory.dmp

memory/4700-220-0x00007FF685980000-0x00007FF685CD1000-memory.dmp

memory/2680-222-0x00007FF712210000-0x00007FF712561000-memory.dmp

memory/452-224-0x00007FF762820000-0x00007FF762B71000-memory.dmp

memory/2436-226-0x00007FF626C30000-0x00007FF626F81000-memory.dmp

memory/2800-228-0x00007FF773350000-0x00007FF7736A1000-memory.dmp

memory/3824-230-0x00007FF67B180000-0x00007FF67B4D1000-memory.dmp

memory/1476-233-0x00007FF75E650000-0x00007FF75E9A1000-memory.dmp

memory/3876-234-0x00007FF72D360000-0x00007FF72D6B1000-memory.dmp

memory/4356-236-0x00007FF78D6A0000-0x00007FF78D9F1000-memory.dmp

memory/5108-238-0x00007FF6AF3B0000-0x00007FF6AF701000-memory.dmp

memory/1688-240-0x00007FF7D1440000-0x00007FF7D1791000-memory.dmp

memory/1108-244-0x00007FF7B6950000-0x00007FF7B6CA1000-memory.dmp

memory/1544-243-0x00007FF690790000-0x00007FF690AE1000-memory.dmp

memory/4972-251-0x00007FF64AB20000-0x00007FF64AE71000-memory.dmp

memory/3964-253-0x00007FF644AA0000-0x00007FF644DF1000-memory.dmp

memory/4832-255-0x00007FF7AE260000-0x00007FF7AE5B1000-memory.dmp

memory/4064-259-0x00007FF696030000-0x00007FF696381000-memory.dmp

memory/2792-257-0x00007FF7D63B0000-0x00007FF7D6701000-memory.dmp