Malware Analysis Report

2025-03-15 08:02

Sample ID 240815-mvxmjayfmb
Target 2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat
SHA256 e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1

Threat Level: Known bad

The file 2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

xmrig

XMRig Miner payload

Xmrig family

Cobaltstrike family

Cobalt Strike reflective loader

Cobaltstrike

XMRig Miner payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-15 10:47

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 10:47

Reported

2024-08-15 10:50

Platform

win7-20240729-en

Max time kernel

140s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (47 identical rows)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A (21 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\hUCsPuQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LvhHQzc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xfyBEMO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xnDAVat.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\icuvtEB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mZBgisT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BwsPaEr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EilvOVR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gexnndi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\awaVaKx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IOmtonY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YQOqzYI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ELRIjCN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nbHewlH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ebbPaoh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tkTnwvA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bkGdnjG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xAJuAyn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RzmGEDq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fPRYZLN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hEjlGEY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2224 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\icuvtEB.exe
PID 2224 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\icuvtEB.exe
PID 2224 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\icuvtEB.exe
PID 2224 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ELRIjCN.exe
PID 2224 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ELRIjCN.exe
PID 2224 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ELRIjCN.exe
PID 2224 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BwsPaEr.exe
PID 2224 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BwsPaEr.exe
PID 2224 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BwsPaEr.exe
PID 2224 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EilvOVR.exe
PID 2224 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EilvOVR.exe
PID 2224 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EilvOVR.exe
PID 2224 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gexnndi.exe
PID 2224 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gexnndi.exe
PID 2224 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gexnndi.exe
PID 2224 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mZBgisT.exe
PID 2224 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mZBgisT.exe
PID 2224 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mZBgisT.exe
PID 2224 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\awaVaKx.exe
PID 2224 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\awaVaKx.exe
PID 2224 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\awaVaKx.exe
PID 2224 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hEjlGEY.exe
PID 2224 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hEjlGEY.exe
PID 2224 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hEjlGEY.exe
PID 2224 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nbHewlH.exe
PID 2224 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nbHewlH.exe
PID 2224 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nbHewlH.exe
PID 2224 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ebbPaoh.exe
PID 2224 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ebbPaoh.exe
PID 2224 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ebbPaoh.exe
PID 2224 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tkTnwvA.exe
PID 2224 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tkTnwvA.exe
PID 2224 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tkTnwvA.exe
PID 2224 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bkGdnjG.exe
PID 2224 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bkGdnjG.exe
PID 2224 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bkGdnjG.exe
PID 2224 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IOmtonY.exe
PID 2224 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IOmtonY.exe
PID 2224 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IOmtonY.exe
PID 2224 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hUCsPuQ.exe
PID 2224 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hUCsPuQ.exe
PID 2224 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hUCsPuQ.exe
PID 2224 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xAJuAyn.exe
PID 2224 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xAJuAyn.exe
PID 2224 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xAJuAyn.exe
PID 2224 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RzmGEDq.exe
PID 2224 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RzmGEDq.exe
PID 2224 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RzmGEDq.exe
PID 2224 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LvhHQzc.exe
PID 2224 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LvhHQzc.exe
PID 2224 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LvhHQzc.exe
PID 2224 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fPRYZLN.exe
PID 2224 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fPRYZLN.exe
PID 2224 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fPRYZLN.exe
PID 2224 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xfyBEMO.exe
PID 2224 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xfyBEMO.exe
PID 2224 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xfyBEMO.exe
PID 2224 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YQOqzYI.exe
PID 2224 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YQOqzYI.exe
PID 2224 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YQOqzYI.exe
PID 2224 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xnDAVat.exe
PID 2224 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xnDAVat.exe
PID 2224 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xnDAVat.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\icuvtEB.exe

C:\Windows\System\icuvtEB.exe

C:\Windows\System\ELRIjCN.exe

C:\Windows\System\ELRIjCN.exe

C:\Windows\System\BwsPaEr.exe

C:\Windows\System\BwsPaEr.exe

C:\Windows\System\EilvOVR.exe

C:\Windows\System\EilvOVR.exe

C:\Windows\System\gexnndi.exe

C:\Windows\System\gexnndi.exe

C:\Windows\System\mZBgisT.exe

C:\Windows\System\mZBgisT.exe

C:\Windows\System\awaVaKx.exe

C:\Windows\System\awaVaKx.exe

C:\Windows\System\hEjlGEY.exe

C:\Windows\System\hEjlGEY.exe

C:\Windows\System\nbHewlH.exe

C:\Windows\System\nbHewlH.exe

C:\Windows\System\ebbPaoh.exe

C:\Windows\System\ebbPaoh.exe

C:\Windows\System\tkTnwvA.exe

C:\Windows\System\tkTnwvA.exe

C:\Windows\System\bkGdnjG.exe

C:\Windows\System\bkGdnjG.exe

C:\Windows\System\IOmtonY.exe

C:\Windows\System\IOmtonY.exe

C:\Windows\System\hUCsPuQ.exe

C:\Windows\System\hUCsPuQ.exe

C:\Windows\System\xAJuAyn.exe

C:\Windows\System\xAJuAyn.exe

C:\Windows\System\RzmGEDq.exe

C:\Windows\System\RzmGEDq.exe

C:\Windows\System\LvhHQzc.exe

C:\Windows\System\LvhHQzc.exe

C:\Windows\System\fPRYZLN.exe

C:\Windows\System\fPRYZLN.exe

C:\Windows\System\xfyBEMO.exe

C:\Windows\System\xfyBEMO.exe

C:\Windows\System\YQOqzYI.exe

C:\Windows\System\YQOqzYI.exe

C:\Windows\System\xnDAVat.exe

C:\Windows\System\xnDAVat.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp (6 identical rows)

Files

memory/2224-0-0x000000013FE90000-0x00000001401E1000-memory.dmp

memory/2224-1-0x0000000000080000-0x0000000000090000-memory.dmp

C:\Windows\system\ELRIjCN.exe

MD5 4a16f39f2ac4c032e01b9a991a609519
SHA1 d25d49fc7a02e62caf114f93d5730911a53d0f72
SHA256 2fb3965043659737311b4b7945ec37775a965bc9ebadf9c46428981a20c9f306
SHA512 a226321c39148e4228d95def038af65dbfb893739d2eee3a9730fc95a55ba6e352c571c1c23690a938bb56f348c23f1fbe82739e3f3af6229bc9e13cc95abc65

memory/2224-7-0x000000013F2E0000-0x000000013F631000-memory.dmp

\Windows\system\BwsPaEr.exe

MD5 ac5cd9e20d3edd3f969f47206521cb6e
SHA1 f4894a2035e61fe9d3f0fe3ec4641e5a2c565b52
SHA256 9b6c389ec15938152b07c7f67d59249644607ff70d42edf9ae23fb1a3d90a6a5
SHA512 e872d5e0ac26a0b4c17cae90bb6366e2e92633dab84d91f1eee91b4b195c72764fbaadbbb707c199f61ce43764557db6d2733f3dd1f80fa277248dbaf71f4edf

memory/1928-22-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

memory/2224-20-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

memory/2740-19-0x000000013F2E0000-0x000000013F631000-memory.dmp

memory/2432-18-0x000000013FB60000-0x000000013FEB1000-memory.dmp

C:\Windows\system\icuvtEB.exe

MD5 bdd0fd3cf38024d1f624800375ca484b
SHA1 95eb522f386bf38107493a6f0d0668035b959d37
SHA256 c5fae26d5281e458d272e52a377509cd0dfe4e0cdade69f61be2df8f0f60c407
SHA512 47876e15c469c16320ec9bd583cffc2dbfe09300b092169a91e83e1c4ccfed8732b8b3e1e80b9b5562db890ae6c1141c7ffd9d9365c64ffe98fa040bace2d4a0

memory/2224-12-0x0000000002370000-0x00000000026C1000-memory.dmp

\Windows\system\EilvOVR.exe

MD5 b5d42630ba95d1b8aa4fa881e6edc768
SHA1 8fd6d7eb3ceba5137e2d7f77f98d82a71db6020f
SHA256 d697bb3f70a103775a14f986e4d377078bf0979e7445fcb2283f743f3b95f41b
SHA512 f85a5e672d8892d8ad6f6933f09ef2a3d838ef33d72ef27ebafc612507831b5a1a89d0742200678e881367f82918874ee1338ac76d7f5c9ae25c6ad73777a9b0

memory/2988-29-0x000000013FEB0000-0x0000000140201000-memory.dmp

C:\Windows\system\gexnndi.exe

MD5 27abdbb99f799fc5ff6032c8b4c7c6f3
SHA1 eb3b005b9e7a8dc4e189199edfaf1ec2810e1ca4
SHA256 85ac7aabf5ee75188f77ff56e8af8184427bf5ab3dd5b8a38d86148f311eefbd
SHA512 086931e7795ae7eb48715f3d4ed467d542309729c61baaa6e9486d3c719083260e88bab5a8e8e2413edde68a78209d6614442405be291ff1da71fc27708ca71d

memory/2808-35-0x000000013F060000-0x000000013F3B1000-memory.dmp

C:\Windows\system\mZBgisT.exe

MD5 ef99a7d32c84a940e09098915a15bc10
SHA1 f420f73c53ebea9e5ed36b8aeed2a53a2215fe31
SHA256 6166e37c7a996e7e7d57c39d997a65153d7bb543ff561b9a6f80b61873500c21
SHA512 4a94d4e7f0cdb44a27606a7d63705221b0489244d3973b2e31350db1ae6248a7c98eb14b1db6efc37860d220b9247f6eac68de94f924ab3d1fc5c61e973750bf

memory/2224-38-0x000000013FA80000-0x000000013FDD1000-memory.dmp

memory/2224-41-0x000000013FE90000-0x00000001401E1000-memory.dmp

memory/2824-43-0x000000013FA80000-0x000000013FDD1000-memory.dmp

\Windows\system\hEjlGEY.exe

MD5 3869418ed38a45742f7c08703bc118b2
SHA1 b644df3a7e279c6b1ed7dd46fc0a108972d20e69
SHA256 591adf3c7b144f80b3858ea126eaeaa17aa72b79577b9ab44f9e7cfa74d8f8cf
SHA512 c71261d4ee1c98dd97f2b36896b98235b963c2cbcedd7588ad74ebb0bf21a6c30bb3cd847fb7f986afa1d8d2969b2ed0d669ed15e4cf123869aa3500f8484f88

\Windows\system\awaVaKx.exe

MD5 0b450a3f9ea0c2dea0c196b06ec42d3e
SHA1 1787646dcc46017a273a0777fe918b604c742f21
SHA256 713bd4a8d0662a2f50396e4d52bb8b8b7932028e910bb37c7c90451379766f62
SHA512 66af5adbce30a540ed191eb5f0c598e5111d955500713639f52a5bb4b514a8ae9cceceda16a302ab3fb004574a7b3fda018100a9f9ef52b652ccf4ee842d58aa

memory/2224-52-0x0000000002370000-0x00000000026C1000-memory.dmp

memory/2932-55-0x000000013F490000-0x000000013F7E1000-memory.dmp

memory/2652-56-0x000000013FCC0000-0x0000000140011000-memory.dmp

memory/1928-58-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

C:\Windows\system\nbHewlH.exe

MD5 435fe85978728c72a4fb32b5e23ccc9a
SHA1 fdd044dc6365cb533aeb406235026d5100ceab52
SHA256 b097f0e813eead32a76078634d363f7a6b6dc090012de2497b64017501854b67
SHA512 e59c621162e43911324c5a466ccac51c118ffa326ec60a86b148d0b819f1657ade53511ce89e3663ffcf5842b0a98265a08779f510f7daffb40d3d3866e868e9

memory/1612-64-0x000000013F590000-0x000000013F8E1000-memory.dmp

\Windows\system\ebbPaoh.exe

MD5 7d3fa332b54aaf81b690a810491712a9
SHA1 b78e0ba335ce3bdaaea23cb7b8ecb00b4307d173
SHA256 552fb694d1161d8dddd90c26a148d72118063cd81ef7e00e28ae44b09ae690bc
SHA512 869967c4f67d47884156a24695e061b11d3b209c816573af334e3eb346f795488fc5783142b29a87cd189a1ddc22ebf199d1bbd95bca71ff5f4e705a0ea26c0c

memory/2824-80-0x000000013FA80000-0x000000013FDD1000-memory.dmp

\Windows\system\tkTnwvA.exe

MD5 49e757dd81780cde3713ff6e84624032
SHA1 7534e6025d490f21a211c83ca4a9a14bff49ed6c
SHA256 5f5559b89248ba0980c2cb218f6508be2553b332defe155a37708bc8a8b802eb
SHA512 63cadf2bf0d58c2d4aefd2c2ccaf5a6983cc7427d2c7a5604852d52ea3dc8c04541fec0396e35dab2afd656b89d95101d63117e2eec73f0ede423c51f38d2be6

memory/1488-78-0x000000013F800000-0x000000013FB51000-memory.dmp

memory/360-76-0x000000013F910000-0x000000013FC61000-memory.dmp

memory/2808-74-0x000000013F060000-0x000000013F3B1000-memory.dmp

memory/2224-72-0x000000013F800000-0x000000013FB51000-memory.dmp

memory/2224-71-0x000000013F910000-0x000000013FC61000-memory.dmp

memory/1948-83-0x000000013FC20000-0x000000013FF71000-memory.dmp

C:\Windows\system\bkGdnjG.exe

MD5 6c4bdb7131e3c2018164b777b870c2c4
SHA1 d34a002973f368417b1323291d8054a2b03d0a2d
SHA256 e070fca12ec6c5d637ff86152d88e70bbe1793cc74c0ebf38a00caed18ffc435
SHA512 0847434ce570b7ac4b5d0ecfd9f3cd2d8979ae94522d0682b3e7cac06a611235ff9cb411f2f276cd8c2e680c4f4b08078014e4133499c14e22f522faabb3b60e

memory/2224-61-0x000000013F590000-0x000000013F8E1000-memory.dmp

C:\Windows\system\hUCsPuQ.exe

MD5 81b64fbd165684732d01d45e50e5197e
SHA1 005a2c57812dafef3ccfb44f17777b4fffd523d8
SHA256 add029a26dc423e56f183e7b34a6a6c7473f311fa72051d36b3a7ee67564896e
SHA512 6af4ab26a21d99f00b454df55626fe8990802102d4acb1d9e670ea856c990774c58886e777499f89e63e50ec6b7ecd6879570b72a6af7bd1781e1adab3cfaca5

C:\Windows\system\RzmGEDq.exe

MD5 3a85a50be704a066db3bc725035f452b
SHA1 eb77c3ac92116ba782880165ad682b53f4e46e1e
SHA256 ef53855d78f23e6280fcec8ab8aff53c543b9d3b443427ca83d3b8c2cb5f11da
SHA512 54eb91188b6dbfeaede33a85d6fc186de76cd2e38dbb78d7ad42c7e5c023d1a5358cdda5a3fff826fd1ca94049bab41d24b310de2b3a8f8adb0e118e52ecbb5b

C:\Windows\system\fPRYZLN.exe

MD5 d54b460bdcfa8b71094fb03215bbd7a1
SHA1 7f52a5670ee4ece55c767ad46b275b09fab66bc0
SHA256 bf1a8c7ee76ff6794dee13b0e6248e04e1f8825beae58b8b4c523776768b06d1
SHA512 07f5bdce4dd90e9c5a4aa79984c77d426887a06d48758c23d593d7a8ca6f587d4cba8837e2d94bcabc275d30eb5f7a7b87eb4f0e178d259c1433d7de4ff80958

C:\Windows\system\xfyBEMO.exe

MD5 444918270c46ff2f0ec14e529f5d9e6b
SHA1 d231352494976d43e464a3d8586d59e0ff5dbbf5
SHA256 7cfae6907c82d82ec9bc23fe29de094051a12dc8329add61129d6aa9fd4d7cb9
SHA512 151c2e16afdc6951adabd4c9308f2c7d8d174e7233c6a6a22735b5730a3bc660c943d5b644c48c70651321917a9272fa0b3502313b10907cae048704562bc67c

C:\Windows\system\YQOqzYI.exe

MD5 64121f80d451c5a87a278d0a7e3164f7
SHA1 74ae04cfdc07c5af5df554ddff7a3eb6c3e2df82
SHA256 42a7456ff3aa506659ec86789c35c93565a5055fbf09abd365dbd1be933dffc3
SHA512 373121d459209d9f695e871d521fa7ba3532f31bb2a787075cda65ec36379ca9cd2b314557b248a470b295dbe0f5a9605eb1ffba4447dd258e75005363752d6a

\Windows\system\xnDAVat.exe

MD5 bcdeca127a8a72259ce0fe60a3b1096c
SHA1 ef117fd771eee2a1c85b9e0ccd8b755dcc3281b3
SHA256 9520b6e1252637665782259827a2d6246f9b324ad0530f7d2e61d7a8c61c57bb
SHA512 d7dff5eac2caf730110be031be6fdfaa6d9796d0451f0ed0023b795d377ae9737e2bf6302115dc3bf87f86658323d0378b0fef78af9b1e01dd2ddfe9591d0bd5

C:\Windows\system\LvhHQzc.exe

MD5 de4204d96f3c40fa70a1a0a31c9c97c7
SHA1 5a69b22faedac3203222f9ec758ac97a69250b36
SHA256 0097509158c920e819088bbb3d53e7ed529be559d49d4dac14e37a5fd9f6936e
SHA512 96384aac4e1bc1076f40c3cf8173cc39c79d2a213fc308e7f6595a50e28edf5556ef75f2f85801c82513ee03ad41c1d0706dd1fc81d872efd48f73df4093d0fc

C:\Windows\system\xAJuAyn.exe

MD5 ef2ae1b34d67d0ee8ffb14024fbe2583
SHA1 0af41358aa2004d67caadd8803e6b4424d3c6156
SHA256 10063ed5f10e581bd71aa09d2fc2e82bc3daa24d574b899ba81cebd50ca4ba5d
SHA512 1e469cec6ff030a594db9ad729b1be33ecd32bef459ca5f70e80dadcfa03760140ef42d4896ed00a04fe90aff3863f56a8416a8d612fba2286eaa3b505cce60c

memory/2224-106-0x0000000002370000-0x00000000026C1000-memory.dmp

memory/2224-105-0x000000013F910000-0x000000013FC61000-memory.dmp

memory/844-102-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/2224-98-0x0000000002370000-0x00000000026C1000-memory.dmp

memory/360-140-0x000000013F910000-0x000000013FC61000-memory.dmp

memory/1612-97-0x000000013F590000-0x000000013F8E1000-memory.dmp

memory/1604-93-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

memory/2224-92-0x000000013F590000-0x000000013F8E1000-memory.dmp

memory/2932-91-0x000000013F490000-0x000000013F7E1000-memory.dmp

C:\Windows\system\IOmtonY.exe

MD5 830fe606d05c011f2dcc2a5d5ef8bbfb
SHA1 3025b27c8cea16fdc7664f16d83559e449f02ba8
SHA256 44bb79b48862c5b4add57fbf923f526d038415ab37618e1377dfbda5611688b9
SHA512 d2584c55124503017f83a35c7e277719ebadc014d32dd4812bd9a447ad9a4100a457273d22cc1d73a90f7aa395d81288c67f445e8827ec640983160897f7de6a

memory/2224-88-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

memory/2224-87-0x0000000002370000-0x00000000026C1000-memory.dmp

memory/1488-141-0x000000013F800000-0x000000013FB51000-memory.dmp

memory/1948-142-0x000000013FC20000-0x000000013FF71000-memory.dmp

memory/2224-144-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

memory/2224-145-0x000000013FE90000-0x00000001401E1000-memory.dmp

memory/1604-149-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

memory/2224-155-0x0000000002370000-0x00000000026C1000-memory.dmp

memory/1488-158-0x000000013F800000-0x000000013FB51000-memory.dmp

memory/844-160-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/2928-166-0x000000013F1F0000-0x000000013F541000-memory.dmp

memory/2912-167-0x000000013F9C0000-0x000000013FD11000-memory.dmp

memory/2904-165-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

memory/2772-163-0x000000013FC30000-0x000000013FF81000-memory.dmp

memory/2356-164-0x000000013FB60000-0x000000013FEB1000-memory.dmp

memory/940-168-0x000000013FB90000-0x000000013FEE1000-memory.dmp

memory/3004-169-0x000000013FC30000-0x000000013FF81000-memory.dmp

memory/2224-170-0x000000013FE90000-0x00000001401E1000-memory.dmp

memory/2432-221-0x000000013FB60000-0x000000013FEB1000-memory.dmp

memory/2740-223-0x000000013F2E0000-0x000000013F631000-memory.dmp

memory/1928-225-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

memory/2988-227-0x000000013FEB0000-0x0000000140201000-memory.dmp

memory/2808-232-0x000000013F060000-0x000000013F3B1000-memory.dmp

memory/2824-234-0x000000013FA80000-0x000000013FDD1000-memory.dmp

memory/2932-238-0x000000013F490000-0x000000013F7E1000-memory.dmp

memory/2652-237-0x000000013FCC0000-0x0000000140011000-memory.dmp

memory/1612-244-0x000000013F590000-0x000000013F8E1000-memory.dmp

memory/360-246-0x000000013F910000-0x000000013FC61000-memory.dmp

memory/1948-248-0x000000013FC20000-0x000000013FF71000-memory.dmp

memory/1604-259-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

memory/844-261-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/1488-270-0x000000013F800000-0x000000013FB51000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 10:47

Reported

2024-08-15 10:50

Platform

win10v2004-20240802-en

Max time kernel

140s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ELRIjCN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gexnndi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nbHewlH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ebbPaoh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hUCsPuQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LvhHQzc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YQOqzYI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EilvOVR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tkTnwvA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bkGdnjG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IOmtonY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RzmGEDq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xfyBEMO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BwsPaEr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mZBgisT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fPRYZLN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\icuvtEB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\awaVaKx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hEjlGEY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xAJuAyn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xnDAVat.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4812 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\icuvtEB.exe
PID 4812 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\icuvtEB.exe
PID 4812 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ELRIjCN.exe
PID 4812 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ELRIjCN.exe
PID 4812 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BwsPaEr.exe
PID 4812 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BwsPaEr.exe
PID 4812 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EilvOVR.exe
PID 4812 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EilvOVR.exe
PID 4812 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gexnndi.exe
PID 4812 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gexnndi.exe
PID 4812 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mZBgisT.exe
PID 4812 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mZBgisT.exe
PID 4812 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\awaVaKx.exe
PID 4812 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\awaVaKx.exe
PID 4812 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hEjlGEY.exe
PID 4812 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hEjlGEY.exe
PID 4812 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nbHewlH.exe
PID 4812 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nbHewlH.exe
PID 4812 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ebbPaoh.exe
PID 4812 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ebbPaoh.exe
PID 4812 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tkTnwvA.exe
PID 4812 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tkTnwvA.exe
PID 4812 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bkGdnjG.exe
PID 4812 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bkGdnjG.exe
PID 4812 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IOmtonY.exe
PID 4812 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IOmtonY.exe
PID 4812 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hUCsPuQ.exe
PID 4812 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hUCsPuQ.exe
PID 4812 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xAJuAyn.exe
PID 4812 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xAJuAyn.exe
PID 4812 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RzmGEDq.exe
PID 4812 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RzmGEDq.exe
PID 4812 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LvhHQzc.exe
PID 4812 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LvhHQzc.exe
PID 4812 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fPRYZLN.exe
PID 4812 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fPRYZLN.exe
PID 4812 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xfyBEMO.exe
PID 4812 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xfyBEMO.exe
PID 4812 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YQOqzYI.exe
PID 4812 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YQOqzYI.exe
PID 4812 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xnDAVat.exe
PID 4812 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xnDAVat.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\icuvtEB.exe

C:\Windows\System\icuvtEB.exe

C:\Windows\System\ELRIjCN.exe

C:\Windows\System\ELRIjCN.exe

C:\Windows\System\BwsPaEr.exe

C:\Windows\System\BwsPaEr.exe

C:\Windows\System\EilvOVR.exe

C:\Windows\System\EilvOVR.exe

C:\Windows\System\gexnndi.exe

C:\Windows\System\gexnndi.exe

C:\Windows\System\mZBgisT.exe

C:\Windows\System\mZBgisT.exe

C:\Windows\System\awaVaKx.exe

C:\Windows\System\awaVaKx.exe

C:\Windows\System\hEjlGEY.exe

C:\Windows\System\hEjlGEY.exe

C:\Windows\System\nbHewlH.exe

C:\Windows\System\nbHewlH.exe

C:\Windows\System\ebbPaoh.exe

C:\Windows\System\ebbPaoh.exe

C:\Windows\System\tkTnwvA.exe

C:\Windows\System\tkTnwvA.exe

C:\Windows\System\bkGdnjG.exe

C:\Windows\System\bkGdnjG.exe

C:\Windows\System\IOmtonY.exe

C:\Windows\System\IOmtonY.exe

C:\Windows\System\hUCsPuQ.exe

C:\Windows\System\hUCsPuQ.exe

C:\Windows\System\xAJuAyn.exe

C:\Windows\System\xAJuAyn.exe

C:\Windows\System\RzmGEDq.exe

C:\Windows\System\RzmGEDq.exe

C:\Windows\System\LvhHQzc.exe

C:\Windows\System\LvhHQzc.exe

C:\Windows\System\fPRYZLN.exe

C:\Windows\System\fPRYZLN.exe

C:\Windows\System\xfyBEMO.exe

C:\Windows\System\xfyBEMO.exe

C:\Windows\System\YQOqzYI.exe

C:\Windows\System\YQOqzYI.exe

C:\Windows\System\xnDAVat.exe

C:\Windows\System\xnDAVat.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 52.111.229.43:443 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/4812-0-0x00007FF6E92D0000-0x00007FF6E9621000-memory.dmp

memory/4812-1-0x000001D25A100000-0x000001D25A110000-memory.dmp

memory/2792-7-0x00007FF7CAF50000-0x00007FF7CB2A1000-memory.dmp

C:\Windows\System\BwsPaEr.exe

MD5 ac5cd9e20d3edd3f969f47206521cb6e
SHA1 f4894a2035e61fe9d3f0fe3ec4641e5a2c565b52
SHA256 9b6c389ec15938152b07c7f67d59249644607ff70d42edf9ae23fb1a3d90a6a5
SHA512 e872d5e0ac26a0b4c17cae90bb6366e2e92633dab84d91f1eee91b4b195c72764fbaadbbb707c199f61ce43764557db6d2733f3dd1f80fa277248dbaf71f4edf

C:\Windows\System\ELRIjCN.exe

MD5 4a16f39f2ac4c032e01b9a991a609519
SHA1 d25d49fc7a02e62caf114f93d5730911a53d0f72
SHA256 2fb3965043659737311b4b7945ec37775a965bc9ebadf9c46428981a20c9f306
SHA512 a226321c39148e4228d95def038af65dbfb893739d2eee3a9730fc95a55ba6e352c571c1c23690a938bb56f348c23f1fbe82739e3f3af6229bc9e13cc95abc65

memory/4772-12-0x00007FF63DE30000-0x00007FF63E181000-memory.dmp

C:\Windows\System\icuvtEB.exe

MD5 bdd0fd3cf38024d1f624800375ca484b
SHA1 95eb522f386bf38107493a6f0d0668035b959d37
SHA256 c5fae26d5281e458d272e52a377509cd0dfe4e0cdade69f61be2df8f0f60c407
SHA512 47876e15c469c16320ec9bd583cffc2dbfe09300b092169a91e83e1c4ccfed8732b8b3e1e80b9b5562db890ae6c1141c7ffd9d9365c64ffe98fa040bace2d4a0

memory/5016-18-0x00007FF69AFA0000-0x00007FF69B2F1000-memory.dmp

C:\Windows\System\EilvOVR.exe

MD5 b5d42630ba95d1b8aa4fa881e6edc768
SHA1 8fd6d7eb3ceba5137e2d7f77f98d82a71db6020f
SHA256 d697bb3f70a103775a14f986e4d377078bf0979e7445fcb2283f743f3b95f41b
SHA512 f85a5e672d8892d8ad6f6933f09ef2a3d838ef33d72ef27ebafc612507831b5a1a89d0742200678e881367f82918874ee1338ac76d7f5c9ae25c6ad73777a9b0

C:\Windows\System\hEjlGEY.exe

MD5 3869418ed38a45742f7c08703bc118b2
SHA1 b644df3a7e279c6b1ed7dd46fc0a108972d20e69
SHA256 591adf3c7b144f80b3858ea126eaeaa17aa72b79577b9ab44f9e7cfa74d8f8cf
SHA512 c71261d4ee1c98dd97f2b36896b98235b963c2cbcedd7588ad74ebb0bf21a6c30bb3cd847fb7f986afa1d8d2969b2ed0d669ed15e4cf123869aa3500f8484f88

C:\Windows\System\ebbPaoh.exe

MD5 7d3fa332b54aaf81b690a810491712a9
SHA1 b78e0ba335ce3bdaaea23cb7b8ecb00b4307d173
SHA256 552fb694d1161d8dddd90c26a148d72118063cd81ef7e00e28ae44b09ae690bc
SHA512 869967c4f67d47884156a24695e061b11d3b209c816573af334e3eb346f795488fc5783142b29a87cd189a1ddc22ebf199d1bbd95bca71ff5f4e705a0ea26c0c

C:\Windows\System\nbHewlH.exe

MD5 435fe85978728c72a4fb32b5e23ccc9a
SHA1 fdd044dc6365cb533aeb406235026d5100ceab52
SHA256 b097f0e813eead32a76078634d363f7a6b6dc090012de2497b64017501854b67
SHA512 e59c621162e43911324c5a466ccac51c118ffa326ec60a86b148d0b819f1657ade53511ce89e3663ffcf5842b0a98265a08779f510f7daffb40d3d3866e868e9

C:\Windows\System\hUCsPuQ.exe

MD5 81b64fbd165684732d01d45e50e5197e
SHA1 005a2c57812dafef3ccfb44f17777b4fffd523d8
SHA256 add029a26dc423e56f183e7b34a6a6c7473f311fa72051d36b3a7ee67564896e
SHA512 6af4ab26a21d99f00b454df55626fe8990802102d4acb1d9e670ea856c990774c58886e777499f89e63e50ec6b7ecd6879570b72a6af7bd1781e1adab3cfaca5

C:\Windows\System\LvhHQzc.exe

MD5 de4204d96f3c40fa70a1a0a31c9c97c7
SHA1 5a69b22faedac3203222f9ec758ac97a69250b36
SHA256 0097509158c920e819088bbb3d53e7ed529be559d49d4dac14e37a5fd9f6936e
SHA512 96384aac4e1bc1076f40c3cf8173cc39c79d2a213fc308e7f6595a50e28edf5556ef75f2f85801c82513ee03ad41c1d0706dd1fc81d872efd48f73df4093d0fc

C:\Windows\System\xfyBEMO.exe

MD5 444918270c46ff2f0ec14e529f5d9e6b
SHA1 d231352494976d43e464a3d8586d59e0ff5dbbf5
SHA256 7cfae6907c82d82ec9bc23fe29de094051a12dc8329add61129d6aa9fd4d7cb9
SHA512 151c2e16afdc6951adabd4c9308f2c7d8d174e7233c6a6a22735b5730a3bc660c943d5b644c48c70651321917a9272fa0b3502313b10907cae048704562bc67c

memory/3916-123-0x00007FF696E40000-0x00007FF697191000-memory.dmp

memory/2872-127-0x00007FF75A240000-0x00007FF75A591000-memory.dmp

memory/1440-126-0x00007FF6B5940000-0x00007FF6B5C91000-memory.dmp

memory/4036-125-0x00007FF696D00000-0x00007FF697051000-memory.dmp

memory/4040-124-0x00007FF76D980000-0x00007FF76DCD1000-memory.dmp

C:\Windows\System\fPRYZLN.exe

MD5 d54b460bdcfa8b71094fb03215bbd7a1
SHA1 7f52a5670ee4ece55c767ad46b275b09fab66bc0
SHA256 bf1a8c7ee76ff6794dee13b0e6248e04e1f8825beae58b8b4c523776768b06d1
SHA512 07f5bdce4dd90e9c5a4aa79984c77d426887a06d48758c23d593d7a8ca6f587d4cba8837e2d94bcabc275d30eb5f7a7b87eb4f0e178d259c1433d7de4ff80958

C:\Windows\System\xnDAVat.exe

MD5 bcdeca127a8a72259ce0fe60a3b1096c
SHA1 ef117fd771eee2a1c85b9e0ccd8b755dcc3281b3
SHA256 9520b6e1252637665782259827a2d6246f9b324ad0530f7d2e61d7a8c61c57bb
SHA512 d7dff5eac2caf730110be031be6fdfaa6d9796d0451f0ed0023b795d377ae9737e2bf6302115dc3bf87f86658323d0378b0fef78af9b1e01dd2ddfe9591d0bd5

memory/3588-118-0x00007FF610180000-0x00007FF6104D1000-memory.dmp

memory/3416-117-0x00007FF604FC0000-0x00007FF605311000-memory.dmp

C:\Windows\System\YQOqzYI.exe

MD5 64121f80d451c5a87a278d0a7e3164f7
SHA1 74ae04cfdc07c5af5df554ddff7a3eb6c3e2df82
SHA256 42a7456ff3aa506659ec86789c35c93565a5055fbf09abd365dbd1be933dffc3
SHA512 373121d459209d9f695e871d521fa7ba3532f31bb2a787075cda65ec36379ca9cd2b314557b248a470b295dbe0f5a9605eb1ffba4447dd258e75005363752d6a

memory/4284-110-0x00007FF7F1DA0000-0x00007FF7F20F1000-memory.dmp

C:\Windows\System\xAJuAyn.exe

MD5 ef2ae1b34d67d0ee8ffb14024fbe2583
SHA1 0af41358aa2004d67caadd8803e6b4424d3c6156
SHA256 10063ed5f10e581bd71aa09d2fc2e82bc3daa24d574b899ba81cebd50ca4ba5d
SHA512 1e469cec6ff030a594db9ad729b1be33ecd32bef459ca5f70e80dadcfa03760140ef42d4896ed00a04fe90aff3863f56a8416a8d612fba2286eaa3b505cce60c

C:\Windows\System\IOmtonY.exe

MD5 830fe606d05c011f2dcc2a5d5ef8bbfb
SHA1 3025b27c8cea16fdc7664f16d83559e449f02ba8
SHA256 44bb79b48862c5b4add57fbf923f526d038415ab37618e1377dfbda5611688b9
SHA512 d2584c55124503017f83a35c7e277719ebadc014d32dd4812bd9a447ad9a4100a457273d22cc1d73a90f7aa395d81288c67f445e8827ec640983160897f7de6a

memory/5000-100-0x00007FF72FC80000-0x00007FF72FFD1000-memory.dmp

C:\Windows\System\RzmGEDq.exe

MD5 3a85a50be704a066db3bc725035f452b
SHA1 eb77c3ac92116ba782880165ad682b53f4e46e1e
SHA256 ef53855d78f23e6280fcec8ab8aff53c543b9d3b443427ca83d3b8c2cb5f11da
SHA512 54eb91188b6dbfeaede33a85d6fc186de76cd2e38dbb78d7ad42c7e5c023d1a5358cdda5a3fff826fd1ca94049bab41d24b310de2b3a8f8adb0e118e52ecbb5b

memory/1592-90-0x00007FF6C1C50000-0x00007FF6C1FA1000-memory.dmp

memory/2256-89-0x00007FF624150000-0x00007FF6244A1000-memory.dmp

C:\Windows\System\tkTnwvA.exe

MD5 49e757dd81780cde3713ff6e84624032
SHA1 7534e6025d490f21a211c83ca4a9a14bff49ed6c
SHA256 5f5559b89248ba0980c2cb218f6508be2553b332defe155a37708bc8a8b802eb
SHA512 63cadf2bf0d58c2d4aefd2c2ccaf5a6983cc7427d2c7a5604852d52ea3dc8c04541fec0396e35dab2afd656b89d95101d63117e2eec73f0ede423c51f38d2be6

C:\Windows\System\bkGdnjG.exe

MD5 6c4bdb7131e3c2018164b777b870c2c4
SHA1 d34a002973f368417b1323291d8054a2b03d0a2d
SHA256 e070fca12ec6c5d637ff86152d88e70bbe1793cc74c0ebf38a00caed18ffc435
SHA512 0847434ce570b7ac4b5d0ecfd9f3cd2d8979ae94522d0682b3e7cac06a611235ff9cb411f2f276cd8c2e680c4f4b08078014e4133499c14e22f522faabb3b60e

memory/3268-74-0x00007FF7473E0000-0x00007FF747731000-memory.dmp

memory/556-67-0x00007FF75AE10000-0x00007FF75B161000-memory.dmp

memory/3500-61-0x00007FF69A7F0000-0x00007FF69AB41000-memory.dmp

memory/4388-55-0x00007FF690A60000-0x00007FF690DB1000-memory.dmp

memory/2704-53-0x00007FF607D60000-0x00007FF6080B1000-memory.dmp

C:\Windows\System\awaVaKx.exe

MD5 0b450a3f9ea0c2dea0c196b06ec42d3e
SHA1 1787646dcc46017a273a0777fe918b604c742f21
SHA256 713bd4a8d0662a2f50396e4d52bb8b8b7932028e910bb37c7c90451379766f62
SHA512 66af5adbce30a540ed191eb5f0c598e5111d955500713639f52a5bb4b514a8ae9cceceda16a302ab3fb004574a7b3fda018100a9f9ef52b652ccf4ee842d58aa

C:\Windows\System\mZBgisT.exe

MD5 ef99a7d32c84a940e09098915a15bc10
SHA1 f420f73c53ebea9e5ed36b8aeed2a53a2215fe31
SHA256 6166e37c7a996e7e7d57c39d997a65153d7bb543ff561b9a6f80b61873500c21
SHA512 4a94d4e7f0cdb44a27606a7d63705221b0489244d3973b2e31350db1ae6248a7c98eb14b1db6efc37860d220b9247f6eac68de94f924ab3d1fc5c61e973750bf

C:\Windows\System\gexnndi.exe

MD5 27abdbb99f799fc5ff6032c8b4c7c6f3
SHA1 eb3b005b9e7a8dc4e189199edfaf1ec2810e1ca4
SHA256 85ac7aabf5ee75188f77ff56e8af8184427bf5ab3dd5b8a38d86148f311eefbd
SHA512 086931e7795ae7eb48715f3d4ed467d542309729c61baaa6e9486d3c719083260e88bab5a8e8e2413edde68a78209d6614442405be291ff1da71fc27708ca71d

memory/2228-38-0x00007FF7D1720000-0x00007FF7D1A71000-memory.dmp

memory/2636-33-0x00007FF777EA0000-0x00007FF7781F1000-memory.dmp

memory/4772-130-0x00007FF63DE30000-0x00007FF63E181000-memory.dmp

memory/5016-131-0x00007FF69AFA0000-0x00007FF69B2F1000-memory.dmp

memory/2792-129-0x00007FF7CAF50000-0x00007FF7CB2A1000-memory.dmp

memory/4812-128-0x00007FF6E92D0000-0x00007FF6E9621000-memory.dmp

memory/556-139-0x00007FF75AE10000-0x00007FF75B161000-memory.dmp

memory/2636-132-0x00007FF777EA0000-0x00007FF7781F1000-memory.dmp

memory/3500-138-0x00007FF69A7F0000-0x00007FF69AB41000-memory.dmp

memory/5000-143-0x00007FF72FC80000-0x00007FF72FFD1000-memory.dmp

memory/3416-146-0x00007FF604FC0000-0x00007FF605311000-memory.dmp

memory/4284-144-0x00007FF7F1DA0000-0x00007FF7F20F1000-memory.dmp

memory/2704-133-0x00007FF607D60000-0x00007FF6080B1000-memory.dmp

memory/2256-137-0x00007FF624150000-0x00007FF6244A1000-memory.dmp

memory/2228-134-0x00007FF7D1720000-0x00007FF7D1A71000-memory.dmp

memory/4812-150-0x00007FF6E92D0000-0x00007FF6E9621000-memory.dmp

memory/2792-199-0x00007FF7CAF50000-0x00007FF7CB2A1000-memory.dmp

memory/4772-201-0x00007FF63DE30000-0x00007FF63E181000-memory.dmp

memory/5016-217-0x00007FF69AFA0000-0x00007FF69B2F1000-memory.dmp

memory/2636-219-0x00007FF777EA0000-0x00007FF7781F1000-memory.dmp

memory/2704-221-0x00007FF607D60000-0x00007FF6080B1000-memory.dmp

memory/4388-224-0x00007FF690A60000-0x00007FF690DB1000-memory.dmp

memory/2228-225-0x00007FF7D1720000-0x00007FF7D1A71000-memory.dmp

memory/3268-227-0x00007FF7473E0000-0x00007FF747731000-memory.dmp

memory/3500-237-0x00007FF69A7F0000-0x00007FF69AB41000-memory.dmp

memory/556-233-0x00007FF75AE10000-0x00007FF75B161000-memory.dmp

memory/2256-236-0x00007FF624150000-0x00007FF6244A1000-memory.dmp

memory/1592-239-0x00007FF6C1C50000-0x00007FF6C1FA1000-memory.dmp

memory/1440-246-0x00007FF6B5940000-0x00007FF6B5C91000-memory.dmp

memory/4040-255-0x00007FF76D980000-0x00007FF76DCD1000-memory.dmp

memory/3588-257-0x00007FF610180000-0x00007FF6104D1000-memory.dmp

memory/4284-254-0x00007FF7F1DA0000-0x00007FF7F20F1000-memory.dmp

memory/4036-252-0x00007FF696D00000-0x00007FF697051000-memory.dmp

memory/5000-250-0x00007FF72FC80000-0x00007FF72FFD1000-memory.dmp

memory/2872-247-0x00007FF75A240000-0x00007FF75A591000-memory.dmp

memory/3416-242-0x00007FF604FC0000-0x00007FF605311000-memory.dmp

memory/3916-243-0x00007FF696E40000-0x00007FF697191000-memory.dmp