Malware Analysis Report

2025-03-15 08:08

Sample ID: 240815-mxk2hsyfra
Target: 2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat
SHA256: 3df9f79354d14edf3f142b7916aa887cb9e7b8e9be6c249c3a92517ec8d291c9
Tags: upx 0 miner cobaltstrike xmrig backdoor trojan
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: 3df9f79354d14edf3f142b7916aa887cb9e7b8e9be6c249c3a92517ec8d291c9

Threat Level: Known bad

The file 2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Xmrig family

Cobalt Strike reflective loader

Cobaltstrike family

XMRig Miner payload

xmrig

Cobaltstrike

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-08-15 10:50

Signatures

Cobalt Strike reflective loader
Cobaltstrike family (cobaltstrike)
XMRig Miner payload (miner)
Xmrig family (xmrig)
UPX packed file (upx)
Unsigned PE

No description, indicator, process or target details were recorded for any of these static signatures.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-15 10:50
Reported: 2024-08-15 10:53
Platform: win7-20240708-en
Max time kernel: 140s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader (21 hits; no description, indicator, process or target details recorded)

Cobaltstrike
trojan backdoor cobaltstrike

xmrig
miner xmrig

XMRig Miner payload (miner; 37 hits; no description, indicator, process or target details recorded)

Loads dropped DLL
Process (all 21 events): C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe
No description, indicator or target details recorded.

UPX packed file (upx; 60 hits; no description, indicator, process or target details recorded)

Drops file in Windows directory

Process (all rows): C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe
Target (all rows): N/A

Description Indicator
File created C:\Windows\System\sCiDdEJ.exe
File created C:\Windows\System\xAvSkNE.exe
File created C:\Windows\System\XsUKqCn.exe
File created C:\Windows\System\jvVkJJr.exe
File created C:\Windows\System\FHDqhwE.exe
File created C:\Windows\System\NZsVCAT.exe
File created C:\Windows\System\ygSdwee.exe
File created C:\Windows\System\kWNxjAS.exe
File created C:\Windows\System\yIVHZxI.exe
File created C:\Windows\System\VEaFlxJ.exe
File created C:\Windows\System\kcrfOYj.exe
File created C:\Windows\System\YCsQBkJ.exe
File created C:\Windows\System\rWRkYCj.exe
File created C:\Windows\System\iuZZrWB.exe
File created C:\Windows\System\hlsPdgK.exe
File created C:\Windows\System\bvIILoP.exe
File created C:\Windows\System\HhITiOL.exe
File created C:\Windows\System\sapVoDx.exe
File created C:\Windows\System\iaHRSYm.exe
File created C:\Windows\System\bFUKoOs.exe
File created C:\Windows\System\nZWHXVh.exe

Suspicious use of WriteProcessMemory

Process (all rows): C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe
Indicator (all rows): N/A
Each target PID was logged three times.

Description Target
PID 2568 wrote to memory of 2440 C:\Windows\System\bvIILoP.exe
PID 2568 wrote to memory of 2416 C:\Windows\System\xAvSkNE.exe
PID 2568 wrote to memory of 2388 C:\Windows\System\XsUKqCn.exe
PID 2568 wrote to memory of 2500 C:\Windows\System\VEaFlxJ.exe
PID 2568 wrote to memory of 320 C:\Windows\System\bFUKoOs.exe
PID 2568 wrote to memory of 2824 C:\Windows\System\jvVkJJr.exe
PID 2568 wrote to memory of 2852 C:\Windows\System\FHDqhwE.exe
PID 2568 wrote to memory of 2732 C:\Windows\System\NZsVCAT.exe
PID 2568 wrote to memory of 2348 C:\Windows\System\HhITiOL.exe
PID 2568 wrote to memory of 2896 C:\Windows\System\kcrfOYj.exe
PID 2568 wrote to memory of 2656 C:\Windows\System\ygSdwee.exe
PID 2568 wrote to memory of 2808 C:\Windows\System\kWNxjAS.exe
PID 2568 wrote to memory of 2740 C:\Windows\System\YCsQBkJ.exe
PID 2568 wrote to memory of 2640 C:\Windows\System\rWRkYCj.exe
PID 2568 wrote to memory of 1932 C:\Windows\System\sapVoDx.exe
PID 2568 wrote to memory of 1804 C:\Windows\System\iaHRSYm.exe
PID 2568 wrote to memory of 600 C:\Windows\System\iuZZrWB.exe
PID 2568 wrote to memory of 1500 C:\Windows\System\sCiDdEJ.exe
PID 2568 wrote to memory of 2148 C:\Windows\System\yIVHZxI.exe
PID 2568 wrote to memory of 1240 C:\Windows\System\nZWHXVh.exe
PID 2568 wrote to memory of 576 C:\Windows\System\hlsPdgK.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe"

Dropped executables run from C:\Windows\System (command line identical to the path in each case):
C:\Windows\System\bvIILoP.exe
C:\Windows\System\xAvSkNE.exe
C:\Windows\System\XsUKqCn.exe
C:\Windows\System\VEaFlxJ.exe
C:\Windows\System\bFUKoOs.exe
C:\Windows\System\jvVkJJr.exe
C:\Windows\System\FHDqhwE.exe
C:\Windows\System\NZsVCAT.exe
C:\Windows\System\HhITiOL.exe
C:\Windows\System\kcrfOYj.exe
C:\Windows\System\ygSdwee.exe
C:\Windows\System\kWNxjAS.exe
C:\Windows\System\YCsQBkJ.exe
C:\Windows\System\rWRkYCj.exe
C:\Windows\System\sapVoDx.exe
C:\Windows\System\iaHRSYm.exe
C:\Windows\System\iuZZrWB.exe
C:\Windows\System\sCiDdEJ.exe
C:\Windows\System\yIVHZxI.exe
C:\Windows\System\nZWHXVh.exe
C:\Windows\System\hlsPdgK.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (no domain) tcp (6 connections)

Files


memory/2824-235-0x000000013F940000-0x000000013FC91000-memory.dmp

memory/2500-237-0x000000013F880000-0x000000013FBD1000-memory.dmp

memory/2388-243-0x000000013F120000-0x000000013F471000-memory.dmp

memory/2896-239-0x000000013FE30000-0x0000000140181000-memory.dmp

memory/2732-242-0x000000013FD50000-0x00000001400A1000-memory.dmp

memory/320-245-0x000000013F9D0000-0x000000013FD21000-memory.dmp

memory/2808-249-0x000000013FB40000-0x000000013FE91000-memory.dmp

memory/2640-247-0x000000013FB70000-0x000000013FEC1000-memory.dmp

memory/2852-261-0x000000013F8E0000-0x000000013FC31000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 10:50

Reported

2024-08-15 10:53

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\QDtzrMU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uvrLutd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EYIJkus.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iHEboqA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gbfUQft.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HPOAXVh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kPEeDQr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AdkZojk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cXNhOiy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KCuPINj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZVxCRTX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GvWVEMS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QlSEghp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\npcukMT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pfDImYI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lTYoxvp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\maiaofq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dEqibIo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oWeLtQQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MtzFDGP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qEeSeMU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2316 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iHEboqA.exe
PID 2316 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iHEboqA.exe
PID 2316 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\maiaofq.exe
PID 2316 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\maiaofq.exe
PID 2316 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gbfUQft.exe
PID 2316 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gbfUQft.exe
PID 2316 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dEqibIo.exe
PID 2316 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dEqibIo.exe
PID 2316 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HPOAXVh.exe
PID 2316 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HPOAXVh.exe
PID 2316 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oWeLtQQ.exe
PID 2316 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oWeLtQQ.exe
PID 2316 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZVxCRTX.exe
PID 2316 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZVxCRTX.exe
PID 2316 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GvWVEMS.exe
PID 2316 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GvWVEMS.exe
PID 2316 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MtzFDGP.exe
PID 2316 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MtzFDGP.exe
PID 2316 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QlSEghp.exe
PID 2316 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QlSEghp.exe
PID 2316 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qEeSeMU.exe
PID 2316 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qEeSeMU.exe
PID 2316 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kPEeDQr.exe
PID 2316 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kPEeDQr.exe
PID 2316 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lTYoxvp.exe
PID 2316 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lTYoxvp.exe
PID 2316 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\npcukMT.exe
PID 2316 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\npcukMT.exe
PID 2316 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pfDImYI.exe
PID 2316 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pfDImYI.exe
PID 2316 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AdkZojk.exe
PID 2316 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AdkZojk.exe
PID 2316 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QDtzrMU.exe
PID 2316 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QDtzrMU.exe
PID 2316 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uvrLutd.exe
PID 2316 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uvrLutd.exe
PID 2316 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cXNhOiy.exe
PID 2316 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cXNhOiy.exe
PID 2316 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KCuPINj.exe
PID 2316 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KCuPINj.exe
PID 2316 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EYIJkus.exe
PID 2316 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EYIJkus.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\iHEboqA.exe

C:\Windows\System\iHEboqA.exe

C:\Windows\System\maiaofq.exe

C:\Windows\System\maiaofq.exe

C:\Windows\System\gbfUQft.exe

C:\Windows\System\gbfUQft.exe

C:\Windows\System\dEqibIo.exe

C:\Windows\System\dEqibIo.exe

C:\Windows\System\HPOAXVh.exe

C:\Windows\System\HPOAXVh.exe

C:\Windows\System\oWeLtQQ.exe

C:\Windows\System\oWeLtQQ.exe

C:\Windows\System\ZVxCRTX.exe

C:\Windows\System\ZVxCRTX.exe

C:\Windows\System\GvWVEMS.exe

C:\Windows\System\GvWVEMS.exe

C:\Windows\System\MtzFDGP.exe

C:\Windows\System\MtzFDGP.exe

C:\Windows\System\QlSEghp.exe

C:\Windows\System\QlSEghp.exe

C:\Windows\System\qEeSeMU.exe

C:\Windows\System\qEeSeMU.exe

C:\Windows\System\kPEeDQr.exe

C:\Windows\System\kPEeDQr.exe

C:\Windows\System\lTYoxvp.exe

C:\Windows\System\lTYoxvp.exe

C:\Windows\System\npcukMT.exe

C:\Windows\System\npcukMT.exe

C:\Windows\System\pfDImYI.exe

C:\Windows\System\pfDImYI.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4072,i,1828333185976713750,7918646547767660928,262144 --variations-seed-version --mojo-platform-channel-handle=4432 /prefetch:8

C:\Windows\System\AdkZojk.exe

C:\Windows\System\AdkZojk.exe

C:\Windows\System\QDtzrMU.exe

C:\Windows\System\QDtzrMU.exe

C:\Windows\System\uvrLutd.exe

C:\Windows\System\uvrLutd.exe

C:\Windows\System\cXNhOiy.exe

C:\Windows\System\cXNhOiy.exe

C:\Windows\System\KCuPINj.exe

C:\Windows\System\KCuPINj.exe

C:\Windows\System\EYIJkus.exe

C:\Windows\System\EYIJkus.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2316-0-0x00007FF631CB0000-0x00007FF632001000-memory.dmp

memory/2316-1-0x000001EBEBBE0000-0x000001EBEBBF0000-memory.dmp

C:\Windows\System\iHEboqA.exe

MD5 c7c4daba696ccfc4715787ce1e23c760
SHA1 ecb0720a16107b602ca18c62f80dd28b1ec91d46
SHA256 0048c18392a9642d2e46e73f0760e5f7bfcaaa8d517a7091422ee806ba444829
SHA512 e58cc4dad496fdde7bbdc183f0b8a231ac6efc8ec3b1cd364f2db2840ce5baa43f86ad3edb3f4772ad7ef7d765bbe355834f04e8ff7394344884230421ec2323

C:\Windows\System\gbfUQft.exe

MD5 9d2a554a38a58a7c56f94af914152fce
SHA1 6fe58ba05768901eabfcdbaaf725e11fd59a5b52
SHA256 cafc4b47805c1b5f02dcba150d57097c8170ed3ceacf4a1d23e2983763601b8f
SHA512 575b53b22f461b0dab29f1236db4dfeac875f8ec1f3edd80eee09b95b1e123e76fd4c560dcd62cc30efb83822b19a029d61d1c96e25a5b55dddc17a15983a1a5

C:\Windows\System\maiaofq.exe

MD5 a154adf1682c1924502c548a6944d3ea
SHA1 910f3509be3a32628d8e872dc4fdb1c473f6fea1
SHA256 78e7c1662b61d5c92f6b5f04399e53e7d541228851b3712404e568e3badbf184
SHA512 2974ea98566e0c454133a001a8c8400dba39cb982ff094fdaaa8ad5dc2d7f2ab85e3fa271f13e2369471537646e4cbf84eb2ba08e54676c013bac8192404de03

memory/1840-7-0x00007FF732D30000-0x00007FF733081000-memory.dmp

C:\Windows\System\oWeLtQQ.exe

MD5 4b53a5bdb3e58618168dc1e22efaf294
SHA1 a8e4b151951eb8ef183a3651d09d628823dbafe9
SHA256 ef66d8a07cbb5260f9764322ab13d1704a861792925c4ec7a259871593eab022
SHA512 186d22a36be4a0925125a0bad04419914635d2a3e88f0df9d19f176889be746f709ccd26bde749566f5a7b4dbdb2cf0f1ec73f16db36e8d67288a58ffc536315

C:\Windows\System\HPOAXVh.exe

MD5 166058ddc3d4d2ce9b4c9988a37fd2bf
SHA1 e2dde234e65b6e4a678caf1f2c477f8eed75b392
SHA256 416a667a53d2a902eb8f897927cfeffaee6624b7251499965f2fb00379514bcb
SHA512 57e34a95d44ea168c09ec1ef7bea474ca955fd1d7ac307e1f43507d1360f4c61fb1f605307f41ea10826f2bf315940626fd8d8e4c6415e6355cb185974ddfe7a

memory/2336-34-0x00007FF7C8B70000-0x00007FF7C8EC1000-memory.dmp

C:\Windows\System\GvWVEMS.exe

MD5 fa938132e20dcd1e66192f7c4c6b4363
SHA1 edb11a2542f7e3a71e30e4af5b8b02fa1dd64b8b
SHA256 d34cec2c6d4f65066eb86654d4d07084c4429bfeb10b906cebd1a70c59e49b52
SHA512 4dd18e35b175c78f5592b1b2210e7f0a7d4e22a5cd7ddf952c0bdef29966a0586b498f90b13b623723c6d8de3bfb2cb93fbb81417652848f14dc807607d716d2

C:\Windows\System\ZVxCRTX.exe

MD5 92ffe3b510cf16117764266390a08e57
SHA1 2ff4c4b511b5c430f80e553ce74ee42041c6adf0
SHA256 18dd848816389f0a9f6c42f6fd44287bb9189166debfc76f9a5afb27a309458e
SHA512 730f7c9e31946d3343790de478e7a7e05c5f6c1f4d23f0943cc3064af04711d464318940fa5b023cebd9ff4cdd03b53861c5a9e2a09409af4c7af5692b88f110

C:\Windows\System\MtzFDGP.exe

MD5 0ae2d026903c2ae76cc5c691e58fd6b8
SHA1 fe5ff750e1e61038ff797ed699ba1d1b131c9567
SHA256 bb0fd9c1ea93e4f3638adaff709477a00811edd6d588a02e167e7dcc675081c2
SHA512 673eb350f946c0d1e94aa9cebf6282eea8a2293c93a7db121054d60149f4067996aaaa68c73dcf98db68dab0128457b251aaff4988b50ef029cf6f9c3f90a261

memory/2212-66-0x00007FF667BC0000-0x00007FF667F11000-memory.dmp

C:\Windows\System\QlSEghp.exe

MD5 48baf9ac42e6a94a42e58a293a845bed
SHA1 0e6586d0873e4acc479b3320b63790f07f599b08
SHA256 c183bbdc5bd25da6741008c5391b817a8d37e966ceec59e89ac7fe29b20accc5
SHA512 a76cd18ff3cc474e4ec9130a2fa9f891f420a09a05db654c36ab50a631253d159210e1db777713cac9f4ec63fce111b1bb4adb16490402abd83be24c5034613f

C:\Windows\System\lTYoxvp.exe

MD5 97aa840fa89d23deb7311c0e9a80d47f
SHA1 5efc3bb3c3e7d0aaed1a956cd87c0a54b885f145
SHA256 f37a2ec1fe7efbdba6aa6f9668069e9f4ced772d677edf0e55a65d1da7b5a9aa
SHA512 49706aa5ec158c8a30c8d0c909a8903c9754528fb54db0385b1ff6c44fe9d090ee7959353752f09c340abe662809cc0df3bda3a3a2d3ab575a704fd65fd64025

C:\Windows\System\npcukMT.exe

MD5 8904f371cd5ceaa227c32251a0a432c5
SHA1 2008ba624a1363b088d478fec095e8bd128f2ee5
SHA256 b0aca9b4d73361f473f9e820c30765a5a8cb193f6e49c85f4866cb169f2c9ea5
SHA512 1b7a51894e1177f2d3acef19ae8324cca9df1127a06d0e5d8209d87674e994acdebc30d41f9b4833e590fb72dd65bea6b72e56ae1f28d92e6e84c6c5ed3c5c4f

memory/1904-86-0x00007FF676440000-0x00007FF676791000-memory.dmp

memory/1840-85-0x00007FF732D30000-0x00007FF733081000-memory.dmp

memory/2316-84-0x00007FF631CB0000-0x00007FF632001000-memory.dmp

memory/5112-80-0x00007FF781F10000-0x00007FF782261000-memory.dmp

memory/1412-79-0x00007FF79AFA0000-0x00007FF79B2F1000-memory.dmp

C:\Windows\System\kPEeDQr.exe

MD5 8d3172dec2efe1399a97bb5297e93429
SHA1 dbf6cba53ea0fb823a2c98125039ab5953f2faa1
SHA256 f48e742098a6055d11bc3b03199f09ab871ef8d1ec760a9ab7766b2c4781be9b
SHA512 9d24925fe11b5480826f356b30abbce8f62bd3c0eeae5a231b66c64c2f5fc76d0fde1ad359f139e19e1579c5177c3d7bbd0a748b1f2a00731dee7781fed223ef

C:\Windows\System\qEeSeMU.exe

MD5 241dd1e23c823d561c349d9ffa890a16
SHA1 4df3786ced40b77c1ffee0528168c5515bbca3d8
SHA256 ba833d00a45a254efaa5b82f07579898be98d9421f2d71bd088c570b0fb72173
SHA512 39f6ec450f38134186d36fc1dec659687b9258ecce55309ad46d23a138e4b865e642b998073c2dff5201522d99c34b78f5aeeb7e0de6833524834bcedfa9d867

memory/908-69-0x00007FF780E50000-0x00007FF7811A1000-memory.dmp

memory/1180-58-0x00007FF67A7B0000-0x00007FF67AB01000-memory.dmp

memory/3936-46-0x00007FF669D80000-0x00007FF66A0D1000-memory.dmp

memory/4660-45-0x00007FF698770000-0x00007FF698AC1000-memory.dmp

memory/2196-42-0x00007FF7ED590000-0x00007FF7ED8E1000-memory.dmp

C:\Windows\System\dEqibIo.exe

MD5 d4c01c995e534ee44aa5c77237bf39f9
SHA1 1d9629efef4e54d491f3e49e72e77041629bb9bb
SHA256 3a215cebf3836a5c4de0ef71d5db5db2813a5ffbe20eb47cfeea9f4fbb645d12
SHA512 90de4ae97bbed6714ebc1a232fb36288cd6ab1d71f8edcdd6fe398d4edc4df1f1aa5283ba37e623cbc79b286b429c4d0c37b929a7cda3e972de6560434cc6410

memory/3332-28-0x00007FF75AB10000-0x00007FF75AE61000-memory.dmp

memory/5056-27-0x00007FF68A960000-0x00007FF68ACB1000-memory.dmp

memory/1488-19-0x00007FF641080000-0x00007FF6413D1000-memory.dmp

memory/1412-103-0x00007FF79AFA0000-0x00007FF79B2F1000-memory.dmp

C:\Windows\System\pfDImYI.exe

MD5 43110caf8a03a2e68c253dce7d18a853
SHA1 1b59978034b3a9e0379ce76b87a6f696491d2ec7
SHA256 fa580b083e1f70684b1fdc75704b0f64ea42b9da1413404274557cd2f4cd799e
SHA512 3a8ac2ca00afae0d6d41314f4e1164f70d7c7bd4148bb70e08f1ba48697832315f497bdb307dd0ada888ca947d5210d9df9b2bca80d5e3eb5572d48de6fb7fe0

C:\Windows\System\EYIJkus.exe

MD5 847eec894d5b8aa3ac1b514f7e4afbd8
SHA1 c3089b6167a77be46c8a4e6fdc2263c882c0b95a
SHA256 5908638aedf9d2047cb5d4b5463500d17f1528e503fdf27a82c0d0e1b5fd14ce
SHA512 7d0927d077441178b9fc03e9149dbe7857c37af0272b7e2faacd44a8fa255a5b7e64644b73f04140bb5401525a521f84c7844f6cf395a8cb2582ef6dea770dc8

C:\Windows\System\QDtzrMU.exe

MD5 f6760f2133d03a852d97cd657f64db65
SHA1 9c593b25c069944d2e2caca60e898d46a84e695b
SHA256 86b1fd26671c36ab433cd743385060b8ff2199390fa867b12d77b12ef572d4ab
SHA512 5b0a93789591f09d75f88f5167b2e28652574f809d2c9a6dd3163b6a019c3a2b8e565dfa275b8ad5dae1ca01a1a94dd400a5ed58607c87c4200203fb4de66080

C:\Windows\System\uvrLutd.exe

MD5 2fc0bc8b96730619352409d491f7f2f2
SHA1 fc4e6dadfd7246f6bcc5b6ba04872395091f1e6f
SHA256 3d9a3eedc8baff1058a11cb0de5966edd13fc9c56c872c510e1078e48e5d46ea
SHA512 b89d2a6469a2e73574ce31a672ca227aec35bc8f69e288d8ee05f68573007f8f165d5eac742da139d44254301c1dfaeb68070995b73fabdf3002742282073fb1

memory/3092-145-0x00007FF769410000-0x00007FF769761000-memory.dmp

memory/2924-144-0x00007FF6F6B90000-0x00007FF6F6EE1000-memory.dmp

memory/1912-143-0x00007FF66C870000-0x00007FF66CBC1000-memory.dmp

memory/1116-140-0x00007FF72B450000-0x00007FF72B7A1000-memory.dmp

memory/3212-139-0x00007FF68F4A0000-0x00007FF68F7F1000-memory.dmp

memory/2164-136-0x00007FF70E1A0000-0x00007FF70E4F1000-memory.dmp

memory/752-131-0x00007FF7781B0000-0x00007FF778501000-memory.dmp

C:\Windows\System\AdkZojk.exe

MD5 544009f68c1b4a66a17e1b86d08b5742
SHA1 c16ed7481cf27fe27a128265ec1134c50e564c99
SHA256 231b6cae839bea172661e6faf4928ee049a33538d38f7422f3d893a0afeb1c07
SHA512 a66643d503d7b3df377fa1608bee30a7ef97283a6cc3508144ad462d4f4b9ab2b81be95b651ee4cc2227d1e1b87fb34a02aecacf3f253f75ab4e774c128db87b

C:\Windows\System\KCuPINj.exe

MD5 ef518ae3154a79c6b7a6816810493081
SHA1 651a561aafbdabd990db4eea2f3f2bef2baa73a2
SHA256 02c056054e6daaf2faba4de620685cc9bcc01b8f60612bb171867109fada064b
SHA512 776ad50ee3e51dd1b5989204ea81dfd32fda90a144a7e9e63148ccb2bb04aec459dae545e23487d727f6f7d0f1259ff4e70083c6c0f394e887e0677d2d679561

C:\Windows\System\cXNhOiy.exe

MD5 2a99407f2f5ec56599e49d318010429a
SHA1 9a77a3e5e10bb8577b1d96b56c41075f85d5310d
SHA256 803e8fc643aa32358ae65b93b003e2e16836fae4cf6757339062dfe2fde7fe6b
SHA512 ffd403bfe2b902386fbfccf14ce67b8448a959a75556fede5d42f83bd53cd12534677c41f297934b289d1b0b8e7888371088e834d4be81b3755f0b9fb897e232

memory/1904-117-0x00007FF676440000-0x00007FF676791000-memory.dmp

memory/5112-116-0x00007FF781F10000-0x00007FF782261000-memory.dmp

memory/908-102-0x00007FF780E50000-0x00007FF7811A1000-memory.dmp

memory/2212-101-0x00007FF667BC0000-0x00007FF667F11000-memory.dmp

memory/1180-100-0x00007FF67A7B0000-0x00007FF67AB01000-memory.dmp

memory/3936-99-0x00007FF669D80000-0x00007FF66A0D1000-memory.dmp

memory/5056-94-0x00007FF68A960000-0x00007FF68ACB1000-memory.dmp

memory/3332-95-0x00007FF75AB10000-0x00007FF75AE61000-memory.dmp

memory/1488-106-0x00007FF641080000-0x00007FF6413D1000-memory.dmp

memory/4660-98-0x00007FF698770000-0x00007FF698AC1000-memory.dmp

memory/2316-146-0x00007FF631CB0000-0x00007FF632001000-memory.dmp

memory/2164-163-0x00007FF70E1A0000-0x00007FF70E4F1000-memory.dmp

memory/752-161-0x00007FF7781B0000-0x00007FF778501000-memory.dmp

memory/2316-168-0x00007FF631CB0000-0x00007FF632001000-memory.dmp

memory/1840-207-0x00007FF732D30000-0x00007FF733081000-memory.dmp

memory/1488-215-0x00007FF641080000-0x00007FF6413D1000-memory.dmp

memory/2336-217-0x00007FF7C8B70000-0x00007FF7C8EC1000-memory.dmp

memory/5056-219-0x00007FF68A960000-0x00007FF68ACB1000-memory.dmp

memory/2196-221-0x00007FF7ED590000-0x00007FF7ED8E1000-memory.dmp

memory/3332-225-0x00007FF75AB10000-0x00007FF75AE61000-memory.dmp

memory/4660-224-0x00007FF698770000-0x00007FF698AC1000-memory.dmp

memory/3936-227-0x00007FF669D80000-0x00007FF66A0D1000-memory.dmp

memory/1412-234-0x00007FF79AFA0000-0x00007FF79B2F1000-memory.dmp

memory/2212-238-0x00007FF667BC0000-0x00007FF667F11000-memory.dmp

memory/1180-239-0x00007FF67A7B0000-0x00007FF67AB01000-memory.dmp

memory/908-236-0x00007FF780E50000-0x00007FF7811A1000-memory.dmp

memory/5112-232-0x00007FF781F10000-0x00007FF782261000-memory.dmp

memory/1904-229-0x00007FF676440000-0x00007FF676791000-memory.dmp

memory/3212-251-0x00007FF68F4A0000-0x00007FF68F7F1000-memory.dmp

memory/1116-250-0x00007FF72B450000-0x00007FF72B7A1000-memory.dmp

memory/752-261-0x00007FF7781B0000-0x00007FF778501000-memory.dmp

memory/1912-259-0x00007FF66C870000-0x00007FF66CBC1000-memory.dmp

memory/3092-258-0x00007FF769410000-0x00007FF769761000-memory.dmp

memory/2924-256-0x00007FF6F6B90000-0x00007FF6F6EE1000-memory.dmp

memory/2164-254-0x00007FF70E1A0000-0x00007FF70E4F1000-memory.dmp