Malware Analysis Report

2025-03-15 08:02

Sample ID 240815-mw2mwatdmn
Target 2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat
SHA256 a4d3c52ddd999983d3962eeed98a8d5e9f0b1ca6b24ea4b8b462c74a2ad329c1
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a4d3c52ddd999983d3962eeed98a8d5e9f0b1ca6b24ea4b8b462c74a2ad329c1

Threat Level: Known bad

The file 2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobalt Strike reflective loader

XMRig Miner payload

Xmrig family

xmrig

Cobaltstrike family

Cobaltstrike

XMRig Miner payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-15 10:49

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 10:49

Reported

2024-08-15 10:52

Platform

win7-20240705-en

Max time kernel

140s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 hits; the report gives no indicator, process or target detail for this signature)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (43 hits; the report gives no indicator, process or target detail for this signature)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A (21 hits, all from the sample process; no DLL names reported)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 hits; the report gives no indicator, process or target detail for this signature)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\lVsQShw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FKawCaX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\faMitaO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nUMKkit.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qiwpHeM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xFAtEaN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rHKaQVk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IAqyVZX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AYeHzDR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vfvHyCy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VjCoEtv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZgZixCE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QyJJJdq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RyLLpyy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pOcBcUN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VmUNgiJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gmXhzCI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JRAApjQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wysoCwX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pJHOVsi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LZJGxNM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(each row below appeared three times in the report; the count is kept in brackets)
PID 2668 wrote to memory of 3020 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AYeHzDR.exe
PID 2668 wrote to memory of 2688 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wysoCwX.exe
PID 2668 wrote to memory of 2880 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\faMitaO.exe
PID 2668 wrote to memory of 2724 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vfvHyCy.exe
PID 2668 wrote to memory of 2956 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pJHOVsi.exe
PID 2668 wrote to memory of 2568 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZgZixCE.exe
PID 2668 wrote to memory of 2636 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LZJGxNM.exe
PID 2668 wrote to memory of 2852 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VjCoEtv.exe
PID 2668 wrote to memory of 2452 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pOcBcUN.exe
PID 2668 wrote to memory of 2940 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nUMKkit.exe
PID 2668 wrote to memory of 2988 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VmUNgiJ.exe
PID 2668 wrote to memory of 2928 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QyJJJdq.exe
PID 2668 wrote to memory of 2604 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xFAtEaN.exe
PID 2668 wrote to memory of 2236 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gmXhzCI.exe
PID 2668 wrote to memory of 328 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JRAApjQ.exe
PID 2668 wrote to memory of 296 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rHKaQVk.exe
PID 2668 wrote to memory of 1272 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RyLLpyy.exe
PID 2668 wrote to memory of 504 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IAqyVZX.exe
PID 2668 wrote to memory of 1916 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qiwpHeM.exe
PID 2668 wrote to memory of 2432 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lVsQShw.exe
PID 2668 wrote to memory of 3036 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FKawCaX.exe
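Read together, the "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" tables describe the sample's core behaviour: a process running from the user's Temp directory creates twenty-one 7-letter mixed-case .exe files directly in C:\Windows\System (a legacy directory that ordinary software does not write to) and then writes into the memory of the process started from each of them, three times per child. The script below is an added example and not part of the report: it parses rows in this report's format (a constructed excerpt of the page's rows is embedded), reconstructs the parent-to-child relationships, flags the drop pattern, and separates writes into a process's own freshly spawned children from writes into processes it did not create. The `spawned_children` mapping passed to `injection_candidates` is an assumption taken from the Processes list; the report has no process-creation table. Three identical writes into each child immediately after it is launched is consistent with ordinary process start-up rather than injection into an unrelated process, so on its own this signature corroborates the process tree; a write into a PID the parent never spawned would be the row worth chasing.

```python
import re
from collections import defaultdict

# The sample process as the report names it; used to build the constructed excerpt below.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe")

# Constructed excerpt: a few rows copied from the report's "Drops file in Windows
# directory" and "Suspicious use of WriteProcessMemory" tables, one per line.
REPORT_LINES = [
    "File created C:\\Windows\\System\\AYeHzDR.exe " + SAMPLE_EXE + " N/A",
    "File created C:\\Windows\\System\\wysoCwX.exe " + SAMPLE_EXE + " N/A",
    "PID 2668 wrote to memory of 3020 N/A " + SAMPLE_EXE + " C:\\Windows\\System\\AYeHzDR.exe",
    "PID 2668 wrote to memory of 3020 N/A " + SAMPLE_EXE + " C:\\Windows\\System\\AYeHzDR.exe",
    "PID 2668 wrote to memory of 3020 N/A " + SAMPLE_EXE + " C:\\Windows\\System\\AYeHzDR.exe",
    "PID 2668 wrote to memory of 2688 N/A " + SAMPLE_EXE + " C:\\Windows\\System\\wysoCwX.exe",
    "PID 2668 wrote to memory of 2688 N/A " + SAMPLE_EXE + " C:\\Windows\\System\\wysoCwX.exe",
    "PID 2668 wrote to memory of 2688 N/A " + SAMPLE_EXE + " C:\\Windows\\System\\wysoCwX.exe",
]

FILE_CREATED_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Heuristic pieces: the drop directory, the 7-letter names seen on the page,
# and a creator running out of a user's Temp directory.
DROP_DIR = r"c:\windows\system"
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{7}\.exe$")
USER_TEMP_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)


def parse_events(lines):
    """Split report rows into file drops and cross-process writes.

    Returns (drops, writes, child_image):
      drops        list of (created_path, creator_path)
      writes       {parent_pid: {target_pid: write_count}}
      child_image  {target_pid: image_path}
    """
    drops, child_image = [], {}
    writes = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = FILE_CREATED_RE.match(line)
        if m:
            drops.append((m.group(1), m.group(2)))
            continue
        m = WPM_RE.match(line)
        if m:
            ppid, cpid, _parent_image, cimg = m.groups()
            writes[int(ppid)][int(cpid)] += 1
            child_image[int(cpid)] = cimg
    return drops, writes, child_image


def suspicious_drops(drops):
    """Created paths where a process from a user Temp directory writes a
    random-looking 7-letter .exe straight into C:\\Windows\\System."""
    flagged = []
    for target, creator in drops:
        directory, _, name = target.rpartition("\\")
        if (directory.lower() == DROP_DIR
                and RANDOM_NAME_RE.match(name)
                and USER_TEMP_RE.match(creator)):
            flagged.append(target)
    return flagged


def spawn_summary(writes, child_image):
    """One row per (parent, target): how many writes the parent made into it."""
    rows = []
    for ppid, targets in writes.items():
        for cpid, count in targets.items():
            rows.append((ppid, cpid, child_image.get(cpid), count))
    return sorted(rows)


def injection_candidates(writes, spawned_children):
    """Writes into a PID the parent did not itself spawn. Writes into its own
    freshly created children are what process start-up normally looks like."""
    out = []
    for ppid, targets in writes.items():
        for cpid in targets:
            if cpid not in spawned_children.get(ppid, set()):
                out.append((ppid, cpid))
    return out


if __name__ == "__main__":
    drops, writes, imgs = parse_events(REPORT_LINES)
    for path in suspicious_drops(drops):
        print("suspicious drop:", path)
    for row in spawn_summary(writes, imgs):
        print("parent %d -> target %d (%s): %d writes" % row)
    # Assumption: parent 2668 spawned both targets (taken from the Processes list).
    print("injection candidates:", injection_candidates(writes, {2668: {3020, 2688}}))
```

Run against the full table, the same code yields 21 flagged drops and 21 spawn rows with three writes each; swapping in a process-creation log for the `spawned_children` assumption turns `injection_candidates` into a real check.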

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\AYeHzDR.exe

C:\Windows\System\AYeHzDR.exe

C:\Windows\System\wysoCwX.exe

C:\Windows\System\wysoCwX.exe

C:\Windows\System\faMitaO.exe

C:\Windows\System\faMitaO.exe

C:\Windows\System\vfvHyCy.exe

C:\Windows\System\vfvHyCy.exe

C:\Windows\System\pJHOVsi.exe

C:\Windows\System\pJHOVsi.exe

C:\Windows\System\ZgZixCE.exe

C:\Windows\System\ZgZixCE.exe

C:\Windows\System\LZJGxNM.exe

C:\Windows\System\LZJGxNM.exe

C:\Windows\System\VjCoEtv.exe

C:\Windows\System\VjCoEtv.exe

C:\Windows\System\pOcBcUN.exe

C:\Windows\System\pOcBcUN.exe

C:\Windows\System\nUMKkit.exe

C:\Windows\System\nUMKkit.exe

C:\Windows\System\VmUNgiJ.exe

C:\Windows\System\VmUNgiJ.exe

C:\Windows\System\QyJJJdq.exe

C:\Windows\System\QyJJJdq.exe

C:\Windows\System\xFAtEaN.exe

C:\Windows\System\xFAtEaN.exe

C:\Windows\System\gmXhzCI.exe

C:\Windows\System\gmXhzCI.exe

C:\Windows\System\JRAApjQ.exe

C:\Windows\System\JRAApjQ.exe

C:\Windows\System\rHKaQVk.exe

C:\Windows\System\rHKaQVk.exe

C:\Windows\System\RyLLpyy.exe

C:\Windows\System\RyLLpyy.exe

C:\Windows\System\IAqyVZX.exe

C:\Windows\System\IAqyVZX.exe

C:\Windows\System\qiwpHeM.exe

C:\Windows\System\qiwpHeM.exe

C:\Windows\System\lVsQShw.exe

C:\Windows\System\lVsQShw.exe

C:\Windows\System\FKawCaX.exe

C:\Windows\System\FKawCaX.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2668-0-0x000000013F690000-0x000000013F9E1000-memory.dmp

memory/2668-1-0x00000000001F0000-0x0000000000200000-memory.dmp

C:\Windows\system\AYeHzDR.exe

MD5 0d8bbb300d21f10e26a9385fc822669f
SHA1 71380a854db3ef0f3a2405401dc5ba19f02da719
SHA256 da1778c1b6c5f4c5fa5b9688803ec3f16739af146c0a91d504b8c836319342fb
SHA512 d061405e13308b789b6a9eebbc7ef81835af3c0566b6ccc972c5538974aaf445c84f43ab474f1a5d5e1f008f55a11966d47fd5808f4f8e44115b38a05c5fe189

C:\Windows\system\wysoCwX.exe

MD5 cc7920b36766e7b3e934e2024efaba92
SHA1 fced483b04ce955e9e13dbb7d8f739c20c382e39
SHA256 a93d310eb73488dc280e1e7d17739f6d2cb80aae7d351fac6a3abbebbd0cbebd
SHA512 62516c59d82f26d7a9c21adbb03fbf0e2cb18d6b0fe8ee65fadb441bdf1fe75a5a03766de38acc2fbf0a2529e0427583abba1bd5e28ac85550cfc4088553162e

\Windows\system\faMitaO.exe

MD5 cca901924a28cdcb6718eb2201dcfa53
SHA1 4fc47f8a59fc0b69b452ea304bc02f7dd946381e
SHA256 e048cf52c4423a0f41eec500c280df610790e3419b807b4a1fb24af3ac9f309a
SHA512 c5b76e2bde39e44ef09c1cd93f270ea2b9e49212a78298e8158a72d421db45a542b6fc1bf6bc8d0e45e56ec728ba37d9874337ae120bcce71057c87c1bf8d6f0

memory/2668-30-0x000000013FD40000-0x0000000140091000-memory.dmp

\Windows\system\vfvHyCy.exe

MD5 5e6a13ecbcc32e82d2bd80c8f9df6220
SHA1 98f5337c817df00fa8420ca86e38ec114d48891c
SHA256 90aa7680d804d61ee3ea69c7f82b77c5387eb8452f787e9088d71fad506c5bc1
SHA512 b48353b10f6c22120dd33b2a6eb33f78350cce6cdd009bff89611bdac53777a36af756705bae647be96bc33aa06c2c93c469b4b4bbf29c523cc368c641b9e9ad

memory/2724-35-0x000000013FD40000-0x0000000140091000-memory.dmp

C:\Windows\system\ZgZixCE.exe

MD5 870f5f42bf143e026ceacc68703a84c6
SHA1 ae4da4613ccbc9df59218be73c8007e4c6541d17
SHA256 34129542df93d495418466426e2d05527cfd91cb3ec6578e970e4de688fe4b11
SHA512 039572b0484ae23bdd45b7dadb1a581c70ddb79d6fd68e212088b95cface9423b98cf177bec198c36f8f0fac99106c7ae07f3e252b1643b2312457de9ec6cf4c

memory/2636-49-0x000000013FAF0000-0x000000013FE41000-memory.dmp

C:\Windows\system\VjCoEtv.exe

MD5 9ab2dbb3b7ce84257b07b34bdac52a4b
SHA1 7f69794850aab763ecb59de52e2a5f8f5c32044b
SHA256 48b7a43e11c7f82402658e897d1a68a3a1e9a0dccb8cbf13b9bc209fcc2b4208
SHA512 a14d778cbb23d82a078bba8a811d932bad54c55a7ca9be6b7ca910172935a1fff9df93fdb3ec489062055e0c9a57c09ddb0e6b24f97323a6b48252b7f6d1c34b

memory/2852-55-0x000000013F570000-0x000000013F8C1000-memory.dmp

C:\Windows\system\IAqyVZX.exe

MD5 8cd088bd4854424d44950ea018bee2c7
SHA1 16680bfa407c391f7d59b20f01d2beaf3314bccb
SHA256 f1ba3840d4c1bb002d91a491385766c3fd521f35cfa17c6397d9b2ac161fd5a1
SHA512 96fa5f3d98f8719e2881a47978711c773a7cc77e9a334f3003748b719229d055f56b838bdd773da2dca0da3b1f98f236aafe7bc43fb0b0474c4c0abba0903028

C:\Windows\system\qiwpHeM.exe

MD5 5f1d4ef5528569cefb88b9ca2e64aca9
SHA1 10fdcbd261351c5c9601f23a99b4f634091c9edd
SHA256 69da8cd28316dcec7eae83b646ef3d39cc5664975a6607a1e02f83e7807968dd
SHA512 45bfb7ab6148d9fa09e2ec67d3c691fccbf67f281cd6765a71c52e92f76f8a7bbbe2cbde9306020d44193f6439c03e21b2eef94c4ebb6f3d2b73e88f26b644a8

C:\Windows\system\lVsQShw.exe

MD5 bb6d6ca03d790613ff68b52f5d5b8fe6
SHA1 cb538264147911fe925f98e833776f52f0ba0800
SHA256 d74b51f7dae139995dc97546b4d3d001c3384d1caac5c817d17e1155f2ed33af
SHA512 1908691184d5fd42c73451a2582f5737bd573880ca7c94f0a403d63862d204b956cadff92a213606fb77ba4e8a5942fb3126211805d914d0713669f0d766cf88

C:\Windows\system\FKawCaX.exe

MD5 a376bb3115028e9b58e2a627c08a5def
SHA1 d78411a0ef2254c76f8defb7f3def68361b6236d
SHA256 e19673e1ef1a7c000520eba4f3c2cb60598f193e72fcae286b078802418730a5
SHA512 0b4a07b3ba00ee6ec193565a93f49cb2c2865bf71a21b3707e3660b89fc6ea7ed227707ca7f6cdce86d269746b3fa4a1a4eb00b5a2105c66624711098683d1af

C:\Windows\system\RyLLpyy.exe

MD5 cbabee3c46e6376f06e6dc2417e8c21e
SHA1 ed6335679d9d196634e1a7102d9a8a46bc843b17
SHA256 a68dc34719d44e2dc6be5bcf17f0dfcd8a69676d5046eecd8d6b38e0fc3f02e5
SHA512 0b0c4b02b8bc942a55b511b628eaeff3ea62a50a71803fe2e08266afd9f1d91ba430c168871c65ec20450c7e0555f83e982d0a88115915694278d5c28abe01f4

C:\Windows\system\rHKaQVk.exe

MD5 d4207e35ec52896e787ef4bac2a5981d
SHA1 e9474b770f66d32acbf4e0e8ff9074feb7ddf398
SHA256 6a684a373b35abd1f71b72b344520fa809e9956f9d9a71766174be2d2a1fdee6
SHA512 884af338e14469b8c7681799e6e8450667bff765b6c71f4c7680f2bec410da5255ed01a08adde58f70b747b68d703aab2e9600e359d72e55961359245b247778

C:\Windows\system\gmXhzCI.exe

MD5 cedba16e5f2e32888e313bad5d3b2a1b
SHA1 ccf0d8b5e94e31c377442cc17ed04516fc5c85b9
SHA256 e2626a49bf1c6e1a3f4325f1685aabcb8c682394a9c69f04640513b2116d5cdb
SHA512 2511ff125705d446832725b3427ea8bdbc825a0e9ca54d519f989741652c64250985b2fcac090d4cd076e9ea99e0172f25605c7306186ab0b786679e208547dd

memory/2568-134-0x000000013F820000-0x000000013FB71000-memory.dmp

C:\Windows\system\QyJJJdq.exe

MD5 35940f904f1c6274cedda2537dc64e63
SHA1 03bc8543586e2e085db74bead13dfa0f1631641c
SHA256 888b90d7487fd3b1bb89100e0967ebc89dead7561aaf1871250a1a16f46f8090
SHA512 6034d47a38d9efb2ccd56d1f205c68a8eef361b1cf118f495b58533646064a8eff7ef302cf670316def6b6f4bf4a445152717bf4fa8e81106ba522ee19945510

memory/2940-100-0x000000013F240000-0x000000013F591000-memory.dmp

memory/2724-99-0x000000013FD40000-0x0000000140091000-memory.dmp

memory/2668-98-0x0000000002240000-0x0000000002591000-memory.dmp

memory/2668-97-0x000000013FBB0000-0x000000013FF01000-memory.dmp

memory/2668-96-0x000000013FE20000-0x0000000140171000-memory.dmp

memory/328-95-0x000000013FBB0000-0x000000013FF01000-memory.dmp

memory/2604-94-0x000000013FB70000-0x000000013FEC1000-memory.dmp

memory/2668-93-0x000000013FB70000-0x000000013FEC1000-memory.dmp

C:\Windows\system\nUMKkit.exe

MD5 de4629eefd0499f763def91f7358078c
SHA1 d23e1f9aac560b4afda4254d5d53c68103c8167f
SHA256 39a8255dbbd6ad18ce04a6dccb2ec06d0c3f7fe936a73df4fa19d4e4f8cc2a5e
SHA512 a69ca675c79830aa90bc0d96bebf37a80ed9d00c20fffa16aa12d917f38ad4638bde18bf5b539faf66eb1cc836822be4ab68f4846d4fa1fab126a1853129b131

memory/2668-90-0x0000000002240000-0x0000000002591000-memory.dmp

memory/2668-89-0x000000013FC10000-0x000000013FF61000-memory.dmp

memory/2668-80-0x000000013F240000-0x000000013F591000-memory.dmp

memory/2452-72-0x000000013F0C0000-0x000000013F411000-memory.dmp

C:\Windows\system\VmUNgiJ.exe

MD5 a19ffc4da3bd714cc8fc4e62b9b52b14
SHA1 0acf1b151ad199e52be799d8e38a458dd6dba1ba
SHA256 44de80d5da597e6b5cea58d0eceb5ab2250c9302ced98dc232c82c44d967d5ae
SHA512 25c5e58a92bee17d4887dee644c812acd9910cbceace7c5ee3c1541a9b70c74b2716ce95579806c769f9b71e151a3c9f65c1f2661fe528f5f7aee9cd5ab334cb

memory/3020-64-0x000000013F130000-0x000000013F481000-memory.dmp

C:\Windows\system\JRAApjQ.exe

MD5 f35b68dedf86003f37d86055a9243969
SHA1 f29fe00c66703dc3e61bb4127de8408f033d12b6
SHA256 9e1f5f485ac393a6c8b4ebe1d978f7ed7f935f45d1d8e30b2c2fe2e782a974dc
SHA512 ca4818fc8a64547b55c84a5621b198cc3bbee937ea33ae4ac83e9d0fdf9b931cc220373bc68b39640c0f808258b0eb8c28c59eb142e26f93ebf03a2e0edbed5a

C:\Windows\system\xFAtEaN.exe

MD5 eacce68997d5fb64a789fe11b1066f3e
SHA1 b87af987b4d00a04578f6ac13e207a3758e30037
SHA256 5e0b9fba3d4b824aec0e049f568c8ed03cc1d1a314c38fd89511436feacfe388
SHA512 82085cbc49a9454a83b0b387ced568f130be81ec430fe6f636db4b4860914378af1f495482a1d1a44708369777b1a6205994a974ed6afe20f041aa5b6944730c

memory/2988-76-0x000000013FC10000-0x000000013FF61000-memory.dmp

memory/2668-60-0x000000013F690000-0x000000013F9E1000-memory.dmp

C:\Windows\system\pOcBcUN.exe

MD5 e7674709920171155b74d55bdeb04194
SHA1 d68a284cdb082f5d71c0c98acd06cc6f3019bc33
SHA256 b0a8086b96f802f41e81cf98d83729fc474d4994289af798feee790c2a80c90f
SHA512 75560da7d83a8f8c0635beca25ff00fbc04d9b327244ff407e5a5dc915b7fd27df69a1d6dabdfb224de32dfd977ee1eda045cec999a5a0da7fff39f9b61cad56

memory/2568-40-0x000000013F820000-0x000000013FB71000-memory.dmp

memory/2668-39-0x0000000002240000-0x0000000002591000-memory.dmp

C:\Windows\system\LZJGxNM.exe

MD5 6f5a9c06281d25d2b63f24257a6d0f1d
SHA1 f20981fe93771f241f9dd2c2cadf7c4774ee1e79
SHA256 9b08150ad0cf8d2628794e304927a2721f506c1d6a8a29a9c759df86d75e7c6f
SHA512 dcfffbea0c97c8c33aea89fa2f9270b58e6d0017efafd32fc48b0af63199c476a9aac405d1d0cb66f78044017b530dde6211c8c170b27ab52304ce299b6035eb

C:\Windows\system\pJHOVsi.exe

MD5 69289ce35ff1c8a2b0a6a0a8e6816da2
SHA1 6979e53dff5f6c77a1b452805cc40968095fe8ae
SHA256 dca09c661fbd8acfe2df396a878b1c372f2b763bc010e5ba5595e352a5cc9d54
SHA512 5f8e04e8053393ed2d6baa2536894d4262a58738b02946379d1dc152f91233cb74ff024e1d8a911c4570f2f3cf588413134eb3ffcdd1a42e76631f9aae4b9e55

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 10:49

Reported

2024-08-15 10:52

Platform

win10v2004-20240802-en

Max time kernel

140s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\VjCoEtv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nUMKkit.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rHKaQVk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AYeHzDR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\faMitaO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vfvHyCy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pJHOVsi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZgZixCE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VmUNgiJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LZJGxNM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pOcBcUN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qiwpHeM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FKawCaX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IAqyVZX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lVsQShw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wysoCwX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QyJJJdq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xFAtEaN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gmXhzCI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JRAApjQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RyLLpyy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1484 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AYeHzDR.exe
PID 1484 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AYeHzDR.exe
PID 1484 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wysoCwX.exe
PID 1484 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wysoCwX.exe
PID 1484 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\faMitaO.exe
PID 1484 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\faMitaO.exe
PID 1484 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vfvHyCy.exe
PID 1484 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vfvHyCy.exe
PID 1484 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pJHOVsi.exe
PID 1484 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pJHOVsi.exe
PID 1484 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZgZixCE.exe
PID 1484 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZgZixCE.exe
PID 1484 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LZJGxNM.exe
PID 1484 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LZJGxNM.exe
PID 1484 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VjCoEtv.exe
PID 1484 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VjCoEtv.exe
PID 1484 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pOcBcUN.exe
PID 1484 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pOcBcUN.exe
PID 1484 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nUMKkit.exe
PID 1484 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nUMKkit.exe
PID 1484 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VmUNgiJ.exe
PID 1484 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VmUNgiJ.exe
PID 1484 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QyJJJdq.exe
PID 1484 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QyJJJdq.exe
PID 1484 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xFAtEaN.exe
PID 1484 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xFAtEaN.exe
PID 1484 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gmXhzCI.exe
PID 1484 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gmXhzCI.exe
PID 1484 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JRAApjQ.exe
PID 1484 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JRAApjQ.exe
PID 1484 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rHKaQVk.exe
PID 1484 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rHKaQVk.exe
PID 1484 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RyLLpyy.exe
PID 1484 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RyLLpyy.exe
PID 1484 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IAqyVZX.exe
PID 1484 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IAqyVZX.exe
PID 1484 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qiwpHeM.exe
PID 1484 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qiwpHeM.exe
PID 1484 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lVsQShw.exe
PID 1484 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lVsQShw.exe
PID 1484 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FKawCaX.exe
PID 1484 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FKawCaX.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\AYeHzDR.exe

C:\Windows\System\AYeHzDR.exe

C:\Windows\System\wysoCwX.exe

C:\Windows\System\wysoCwX.exe

C:\Windows\System\faMitaO.exe

C:\Windows\System\faMitaO.exe

C:\Windows\System\vfvHyCy.exe

C:\Windows\System\vfvHyCy.exe

C:\Windows\System\pJHOVsi.exe

C:\Windows\System\pJHOVsi.exe

C:\Windows\System\ZgZixCE.exe

C:\Windows\System\ZgZixCE.exe

C:\Windows\System\LZJGxNM.exe

C:\Windows\System\LZJGxNM.exe

C:\Windows\System\VjCoEtv.exe

C:\Windows\System\VjCoEtv.exe

C:\Windows\System\pOcBcUN.exe

C:\Windows\System\pOcBcUN.exe

C:\Windows\System\nUMKkit.exe

C:\Windows\System\nUMKkit.exe

C:\Windows\System\VmUNgiJ.exe

C:\Windows\System\VmUNgiJ.exe

C:\Windows\System\QyJJJdq.exe

C:\Windows\System\QyJJJdq.exe

C:\Windows\System\xFAtEaN.exe

C:\Windows\System\xFAtEaN.exe

C:\Windows\System\gmXhzCI.exe

C:\Windows\System\gmXhzCI.exe

C:\Windows\System\JRAApjQ.exe

C:\Windows\System\JRAApjQ.exe

C:\Windows\System\rHKaQVk.exe

C:\Windows\System\rHKaQVk.exe

C:\Windows\System\RyLLpyy.exe

C:\Windows\System\RyLLpyy.exe

C:\Windows\System\IAqyVZX.exe

C:\Windows\System\IAqyVZX.exe

C:\Windows\System\qiwpHeM.exe

C:\Windows\System\qiwpHeM.exe

C:\Windows\System\lVsQShw.exe

C:\Windows\System\lVsQShw.exe

C:\Windows\System\FKawCaX.exe

C:\Windows\System\FKawCaX.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\AYeHzDR.exe

MD5 0d8bbb300d21f10e26a9385fc822669f
SHA1 71380a854db3ef0f3a2405401dc5ba19f02da719
SHA256 da1778c1b6c5f4c5fa5b9688803ec3f16739af146c0a91d504b8c836319342fb
SHA512 d061405e13308b789b6a9eebbc7ef81835af3c0566b6ccc972c5538974aaf445c84f43ab474f1a5d5e1f008f55a11966d47fd5808f4f8e44115b38a05c5fe189

C:\Windows\System\wysoCwX.exe

MD5 cc7920b36766e7b3e934e2024efaba92
SHA1 fced483b04ce955e9e13dbb7d8f739c20c382e39
SHA256 a93d310eb73488dc280e1e7d17739f6d2cb80aae7d351fac6a3abbebbd0cbebd
SHA512 62516c59d82f26d7a9c21adbb03fbf0e2cb18d6b0fe8ee65fadb441bdf1fe75a5a03766de38acc2fbf0a2529e0427583abba1bd5e28ac85550cfc4088553162e

C:\Windows\System\vfvHyCy.exe

MD5 5e6a13ecbcc32e82d2bd80c8f9df6220
SHA1 98f5337c817df00fa8420ca86e38ec114d48891c
SHA256 90aa7680d804d61ee3ea69c7f82b77c5387eb8452f787e9088d71fad506c5bc1
SHA512 b48353b10f6c22120dd33b2a6eb33f78350cce6cdd009bff89611bdac53777a36af756705bae647be96bc33aa06c2c93c469b4b4bbf29c523cc368c641b9e9ad

C:\Windows\System\faMitaO.exe

MD5 cca901924a28cdcb6718eb2201dcfa53
SHA1 4fc47f8a59fc0b69b452ea304bc02f7dd946381e
SHA256 e048cf52c4423a0f41eec500c280df610790e3419b807b4a1fb24af3ac9f309a
SHA512 c5b76e2bde39e44ef09c1cd93f270ea2b9e49212a78298e8158a72d421db45a542b6fc1bf6bc8d0e45e56ec728ba37d9874337ae120bcce71057c87c1bf8d6f0

C:\Windows\System\pOcBcUN.exe

MD5 e7674709920171155b74d55bdeb04194
SHA1 d68a284cdb082f5d71c0c98acd06cc6f3019bc33
SHA256 b0a8086b96f802f41e81cf98d83729fc474d4994289af798feee790c2a80c90f
SHA512 75560da7d83a8f8c0635beca25ff00fbc04d9b327244ff407e5a5dc915b7fd27df69a1d6dabdfb224de32dfd977ee1eda045cec999a5a0da7fff39f9b61cad56

C:\Windows\System\nUMKkit.exe

MD5 de4629eefd0499f763def91f7358078c
SHA1 d23e1f9aac560b4afda4254d5d53c68103c8167f
SHA256 39a8255dbbd6ad18ce04a6dccb2ec06d0c3f7fe936a73df4fa19d4e4f8cc2a5e
SHA512 a69ca675c79830aa90bc0d96bebf37a80ed9d00c20fffa16aa12d917f38ad4638bde18bf5b539faf66eb1cc836822be4ab68f4846d4fa1fab126a1853129b131

C:\Windows\System\QyJJJdq.exe

MD5 35940f904f1c6274cedda2537dc64e63
SHA1 03bc8543586e2e085db74bead13dfa0f1631641c
SHA256 888b90d7487fd3b1bb89100e0967ebc89dead7561aaf1871250a1a16f46f8090
SHA512 6034d47a38d9efb2ccd56d1f205c68a8eef361b1cf118f495b58533646064a8eff7ef302cf670316def6b6f4bf4a445152717bf4fa8e81106ba522ee19945510

C:\Windows\System\rHKaQVk.exe

MD5 d4207e35ec52896e787ef4bac2a5981d
SHA1 e9474b770f66d32acbf4e0e8ff9074feb7ddf398
SHA256 6a684a373b35abd1f71b72b344520fa809e9956f9d9a71766174be2d2a1fdee6
SHA512 884af338e14469b8c7681799e6e8450667bff765b6c71f4c7680f2bec410da5255ed01a08adde58f70b747b68d703aab2e9600e359d72e55961359245b247778

C:\Windows\System\RyLLpyy.exe

MD5 cbabee3c46e6376f06e6dc2417e8c21e
SHA1 ed6335679d9d196634e1a7102d9a8a46bc843b17
SHA256 a68dc34719d44e2dc6be5bcf17f0dfcd8a69676d5046eecd8d6b38e0fc3f02e5
SHA512 0b0c4b02b8bc942a55b511b628eaeff3ea62a50a71803fe2e08266afd9f1d91ba430c168871c65ec20450c7e0555f83e982d0a88115915694278d5c28abe01f4

C:\Windows\System\FKawCaX.exe

MD5 a376bb3115028e9b58e2a627c08a5def
SHA1 d78411a0ef2254c76f8defb7f3def68361b6236d
SHA256 e19673e1ef1a7c000520eba4f3c2cb60598f193e72fcae286b078802418730a5
SHA512 0b4a07b3ba00ee6ec193565a93f49cb2c2865bf71a21b3707e3660b89fc6ea7ed227707ca7f6cdce86d269746b3fa4a1a4eb00b5a2105c66624711098683d1af

C:\Windows\System\lVsQShw.exe

MD5 bb6d6ca03d790613ff68b52f5d5b8fe6
SHA1 cb538264147911fe925f98e833776f52f0ba0800
SHA256 d74b51f7dae139995dc97546b4d3d001c3384d1caac5c817d17e1155f2ed33af
SHA512 1908691184d5fd42c73451a2582f5737bd573880ca7c94f0a403d63862d204b956cadff92a213606fb77ba4e8a5942fb3126211805d914d0713669f0d766cf88

C:\Windows\System\qiwpHeM.exe

MD5 5f1d4ef5528569cefb88b9ca2e64aca9
SHA1 10fdcbd261351c5c9601f23a99b4f634091c9edd
SHA256 69da8cd28316dcec7eae83b646ef3d39cc5664975a6607a1e02f83e7807968dd
SHA512 45bfb7ab6148d9fa09e2ec67d3c691fccbf67f281cd6765a71c52e92f76f8a7bbbe2cbde9306020d44193f6439c03e21b2eef94c4ebb6f3d2b73e88f26b644a8

C:\Windows\System\IAqyVZX.exe

MD5 8cd088bd4854424d44950ea018bee2c7
SHA1 16680bfa407c391f7d59b20f01d2beaf3314bccb
SHA256 f1ba3840d4c1bb002d91a491385766c3fd521f35cfa17c6397d9b2ac161fd5a1
SHA512 96fa5f3d98f8719e2881a47978711c773a7cc77e9a334f3003748b719229d055f56b838bdd773da2dca0da3b1f98f236aafe7bc43fb0b0474c4c0abba0903028

C:\Windows\System\JRAApjQ.exe

MD5 f35b68dedf86003f37d86055a9243969
SHA1 f29fe00c66703dc3e61bb4127de8408f033d12b6
SHA256 9e1f5f485ac393a6c8b4ebe1d978f7ed7f935f45d1d8e30b2c2fe2e782a974dc
SHA512 ca4818fc8a64547b55c84a5621b198cc3bbee937ea33ae4ac83e9d0fdf9b931cc220373bc68b39640c0f808258b0eb8c28c59eb142e26f93ebf03a2e0edbed5a

C:\Windows\System\gmXhzCI.exe

MD5 cedba16e5f2e32888e313bad5d3b2a1b
SHA1 ccf0d8b5e94e31c377442cc17ed04516fc5c85b9
SHA256 e2626a49bf1c6e1a3f4325f1685aabcb8c682394a9c69f04640513b2116d5cdb
SHA512 2511ff125705d446832725b3427ea8bdbc825a0e9ca54d519f989741652c64250985b2fcac090d4cd076e9ea99e0172f25605c7306186ab0b786679e208547dd

C:\Windows\System\xFAtEaN.exe

MD5 eacce68997d5fb64a789fe11b1066f3e
SHA1 b87af987b4d00a04578f6ac13e207a3758e30037
SHA256 5e0b9fba3d4b824aec0e049f568c8ed03cc1d1a314c38fd89511436feacfe388
SHA512 82085cbc49a9454a83b0b387ced568f130be81ec430fe6f636db4b4860914378af1f495482a1d1a44708369777b1a6205994a974ed6afe20f041aa5b6944730c

C:\Windows\System\VmUNgiJ.exe

MD5 a19ffc4da3bd714cc8fc4e62b9b52b14
SHA1 0acf1b151ad199e52be799d8e38a458dd6dba1ba
SHA256 44de80d5da597e6b5cea58d0eceb5ab2250c9302ced98dc232c82c44d967d5ae
SHA512 25c5e58a92bee17d4887dee644c812acd9910cbceace7c5ee3c1541a9b70c74b2716ce95579806c769f9b71e151a3c9f65c1f2661fe528f5f7aee9cd5ab334cb

C:\Windows\System\VjCoEtv.exe

MD5 9ab2dbb3b7ce84257b07b34bdac52a4b
SHA1 7f69794850aab763ecb59de52e2a5f8f5c32044b
SHA256 48b7a43e11c7f82402658e897d1a68a3a1e9a0dccb8cbf13b9bc209fcc2b4208
SHA512 a14d778cbb23d82a078bba8a811d932bad54c55a7ca9be6b7ca910172935a1fff9df93fdb3ec489062055e0c9a57c09ddb0e6b24f97323a6b48252b7f6d1c34b

C:\Windows\System\LZJGxNM.exe

MD5 6f5a9c06281d25d2b63f24257a6d0f1d
SHA1 f20981fe93771f241f9dd2c2cadf7c4774ee1e79
SHA256 9b08150ad0cf8d2628794e304927a2721f506c1d6a8a29a9c759df86d75e7c6f
SHA512 dcfffbea0c97c8c33aea89fa2f9270b58e6d0017efafd32fc48b0af63199c476a9aac405d1d0cb66f78044017b530dde6211c8c170b27ab52304ce299b6035eb

C:\Windows\System\pJHOVsi.exe

MD5 69289ce35ff1c8a2b0a6a0a8e6816da2
SHA1 6979e53dff5f6c77a1b452805cc40968095fe8ae
SHA256 dca09c661fbd8acfe2df396a878b1c372f2b763bc010e5ba5595e352a5cc9d54
SHA512 5f8e04e8053393ed2d6baa2536894d4262a58738b02946379d1dc152f91233cb74ff024e1d8a911c4570f2f3cf588413134eb3ffcdd1a42e76631f9aae4b9e55

C:\Windows\System\ZgZixCE.exe

MD5 870f5f42bf143e026ceacc68703a84c6
SHA1 ae4da4613ccbc9df59218be73c8007e4c6541d17
SHA256 34129542df93d495418466426e2d05527cfd91cb3ec6578e970e4de688fe4b11
SHA512 039572b0484ae23bdd45b7dadb1a581c70ddb79d6fd68e212088b95cface9423b98cf177bec198c36f8f0fac99106c7ae07f3e252b1643b2312457de9ec6cf4c
