Malware Analysis Report

2025-03-15 08:07

Sample ID 240815-myyn1ateln
Target 2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat
SHA256 9311ff1052617b0a651f8b395441dcd4939677da44d9a255bccca5ed9a1c71b5
Tags upx 0 miner cobaltstrike xmrig backdoor trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

9311ff1052617b0a651f8b395441dcd4939677da44d9a255bccca5ed9a1c71b5

Threat Level: Known bad

The file 2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike family

Cobalt Strike reflective loader

Cobaltstrike

xmrig

XMRig Miner payload

Xmrig family

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-15 10:53

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 10:53

Reported

2024-08-15 10:55

Platform

win7-20240705-en

Max time kernel

140s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\EjLSJKt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yolmzwK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lFDWffz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mbKkSId.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OyDgiVf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dZJmlJU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IaYVdEZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RtfopzW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CZfBebo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jbwTEXE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ornhikP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iupFaFp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sMIMFvG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eTiSDNG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QpSgtFj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OUfXvMY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KybSQoN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZLxCpdj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ieNwCGZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WEnVqKK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MsmHxtI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2860 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dZJmlJU.exe
PID 2860 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dZJmlJU.exe
PID 2860 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dZJmlJU.exe
PID 2860 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EjLSJKt.exe
PID 2860 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EjLSJKt.exe
PID 2860 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EjLSJKt.exe
PID 2860 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ornhikP.exe
PID 2860 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ornhikP.exe
PID 2860 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ornhikP.exe
PID 2860 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZLxCpdj.exe
PID 2860 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZLxCpdj.exe
PID 2860 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZLxCpdj.exe
PID 2860 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ieNwCGZ.exe
PID 2860 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ieNwCGZ.exe
PID 2860 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ieNwCGZ.exe
PID 2860 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WEnVqKK.exe
PID 2860 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WEnVqKK.exe
PID 2860 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WEnVqKK.exe
PID 2860 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iupFaFp.exe
PID 2860 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iupFaFp.exe
PID 2860 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iupFaFp.exe
PID 2860 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IaYVdEZ.exe
PID 2860 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IaYVdEZ.exe
PID 2860 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IaYVdEZ.exe
PID 2860 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RtfopzW.exe
PID 2860 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RtfopzW.exe
PID 2860 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RtfopzW.exe
PID 2860 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CZfBebo.exe
PID 2860 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CZfBebo.exe
PID 2860 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CZfBebo.exe
PID 2860 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sMIMFvG.exe
PID 2860 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sMIMFvG.exe
PID 2860 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sMIMFvG.exe
PID 2860 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jbwTEXE.exe
PID 2860 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jbwTEXE.exe
PID 2860 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jbwTEXE.exe
PID 2860 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yolmzwK.exe
PID 2860 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yolmzwK.exe
PID 2860 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yolmzwK.exe
PID 2860 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lFDWffz.exe
PID 2860 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lFDWffz.exe
PID 2860 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lFDWffz.exe
PID 2860 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eTiSDNG.exe
PID 2860 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eTiSDNG.exe
PID 2860 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eTiSDNG.exe
PID 2860 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QpSgtFj.exe
PID 2860 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QpSgtFj.exe
PID 2860 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QpSgtFj.exe
PID 2860 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OUfXvMY.exe
PID 2860 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OUfXvMY.exe
PID 2860 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OUfXvMY.exe
PID 2860 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mbKkSId.exe
PID 2860 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mbKkSId.exe
PID 2860 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mbKkSId.exe
PID 2860 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KybSQoN.exe
PID 2860 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KybSQoN.exe
PID 2860 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KybSQoN.exe
PID 2860 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MsmHxtI.exe
PID 2860 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MsmHxtI.exe
PID 2860 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MsmHxtI.exe
PID 2860 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OyDgiVf.exe
PID 2860 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OyDgiVf.exe
PID 2860 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OyDgiVf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\dZJmlJU.exe

C:\Windows\System\dZJmlJU.exe

C:\Windows\System\EjLSJKt.exe

C:\Windows\System\EjLSJKt.exe

C:\Windows\System\ornhikP.exe

C:\Windows\System\ornhikP.exe

C:\Windows\System\ZLxCpdj.exe

C:\Windows\System\ZLxCpdj.exe

C:\Windows\System\ieNwCGZ.exe

C:\Windows\System\ieNwCGZ.exe

C:\Windows\System\WEnVqKK.exe

C:\Windows\System\WEnVqKK.exe

C:\Windows\System\iupFaFp.exe

C:\Windows\System\iupFaFp.exe

C:\Windows\System\IaYVdEZ.exe

C:\Windows\System\IaYVdEZ.exe

C:\Windows\System\RtfopzW.exe

C:\Windows\System\RtfopzW.exe

C:\Windows\System\CZfBebo.exe

C:\Windows\System\CZfBebo.exe

C:\Windows\System\sMIMFvG.exe

C:\Windows\System\sMIMFvG.exe

C:\Windows\System\jbwTEXE.exe

C:\Windows\System\jbwTEXE.exe

C:\Windows\System\yolmzwK.exe

C:\Windows\System\yolmzwK.exe

C:\Windows\System\lFDWffz.exe

C:\Windows\System\lFDWffz.exe

C:\Windows\System\eTiSDNG.exe

C:\Windows\System\eTiSDNG.exe

C:\Windows\System\QpSgtFj.exe

C:\Windows\System\QpSgtFj.exe

C:\Windows\System\OUfXvMY.exe

C:\Windows\System\OUfXvMY.exe

C:\Windows\System\mbKkSId.exe

C:\Windows\System\mbKkSId.exe

C:\Windows\System\KybSQoN.exe

C:\Windows\System\KybSQoN.exe

C:\Windows\System\MsmHxtI.exe

C:\Windows\System\MsmHxtI.exe

C:\Windows\System\OyDgiVf.exe

C:\Windows\System\OyDgiVf.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2860-0-0x000000013F390000-0x000000013F6E1000-memory.dmp

memory/2860-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\dZJmlJU.exe

MD5 d5e2ad2168012d1c90d9c93947511e45
SHA1 7b854106020bace938b974ce2b651732e6f7ed81
SHA256 9c58b1238c4edd54896dff8e32bf844a8d3df2ddccaf707f347c7598ee6ad987
SHA512 d71d8c296041513bc0421c5f84f401f46936be275c3439469d442cbd95e0e6eaf75743ebe0d5314490ba4af003168ced474a2724ee07e3eab5698c99e7ffc2df

C:\Windows\system\EjLSJKt.exe

MD5 ba0b9ca9efa44da291708eebcae368b2
SHA1 25ed9eb10649a595df13ecb60f668a740f11fc23
SHA256 f6bd8d5d30fe7c89230f4b82802cc2e348a16c17415d02ca5b18ed5ff88638d1
SHA512 4666f2cc86ed25af029ebfc9aac629e3d64ee8959c2bc2fc17126128f80ca779204605953fc79412ccb787ebdca91e23b18f4b50b7901a1f0a10d5f100301567

memory/2464-17-0x000000013FFB0000-0x0000000140301000-memory.dmp

memory/2452-21-0x000000013FFF0000-0x0000000140341000-memory.dmp

C:\Windows\system\ornhikP.exe

MD5 2863837307334581d54bf9f2e2e2c080
SHA1 7709a433fa8882d4599864c460d5a555dfce914f
SHA256 88a87f3138c968c75c13ae947603505424a781e7b663be87f4967fe16e980a01
SHA512 8898050c6cea15d2815baf6ef87e6add284f418cdadeab8be22b40f5a9674448e43d37fa71d185160120ac35adf355828ecfb851594f50cc99cfdea928539c5a

memory/2860-19-0x000000013FFB0000-0x0000000140301000-memory.dmp

memory/2860-18-0x000000013FFF0000-0x0000000140341000-memory.dmp

memory/3040-13-0x000000013F5F0000-0x000000013F941000-memory.dmp

\Windows\system\ZLxCpdj.exe

MD5 6adba04bc90ae488f11109bf838a0f55
SHA1 7f962408fdb14c7c7a66e56ca2bc98914ab2f08b
SHA256 12091e358b647a0fe39464d5ca2bbdc140a9c3532dd258c976e84277c2874e59
SHA512 99aeb8db44a44ed875e82bc4953a34b2704e8aadd8ba5630753463fc32476af31788debabec84b5fdd1dd25b1106c53bbecd6a43fbd8f9384c3039424cadc762

memory/2260-29-0x000000013F700000-0x000000013FA51000-memory.dmp

memory/2860-24-0x000000013F700000-0x000000013FA51000-memory.dmp

\Windows\system\ieNwCGZ.exe

MD5 b020c7d0085f43a0aed05374d9c4e0c0
SHA1 9d340be5c84bf11728c79606dce4edc397530388
SHA256 c09b5b7ab689de8d46729db852801417b57d5eebf12149fb4a63c0727d76d8cb
SHA512 0b066faf5c1c690419f7a1f5e5fac8356b9bfbf819a2e0a539994c1b5ed0c73e71b3bd8f5b4a659f8abd66d21ca19ce1d0e1b8f1df276cb30882810256ad6c78

C:\Windows\system\iupFaFp.exe

MD5 75d685a159229305125c9bcfd58e41bf
SHA1 12eb21aabdc7bccdc62abe6327d787173b6eaa61
SHA256 35d705f8a240ac7a7245fc59f196f143c4ea9fc707455a1086c953b2472f2e32
SHA512 14f761d02a2ea2d4ecc028048b8e72d72bad9c9f40c37a7b081bffa956b86fac69659798535bab2357ed9474827f5ef92e8870be53a4fbfcf35b4a1a8a8b460b

\Windows\system\jbwTEXE.exe

MD5 649bdec09dd46c129580e3ca35829a0d
SHA1 72398bfd1f86a8220fc186dca241259bb59f4559
SHA256 b54415fea7861ac84b72a0bdaa8aadfb9f560e339752ad1bf68a3265b76e3b0b
SHA512 b5947c5219092e424746ad43dc0c5ccbe0e50208af731ef48a74e138a98fc42404dc1b984971af33b730b4980f3f990c2ecf2ae465b0c82a35a7a82eb1d0c2b2

memory/2860-76-0x000000013FDA0000-0x00000001400F1000-memory.dmp

memory/2648-73-0x000000013FDA0000-0x00000001400F1000-memory.dmp

memory/2680-67-0x000000013FED0000-0x0000000140221000-memory.dmp

memory/2860-66-0x000000013FDC0000-0x0000000140111000-memory.dmp

C:\Windows\system\RtfopzW.exe

MD5 3a5c3f57f96f24473e722ac79b2c7016
SHA1 43ccb8f1c8f7b0366e9fa26f8da38460626a0b1d
SHA256 e1039eaa865d0daa5d4682268b185021cd0209bbdb53bb5f3804ec5f8d140d62
SHA512 2fd7bd1143cacefcca78f3453d880a9f728e946efc92e90352c7ca70fca4016c591b3b2f1f46b640c8d94d4c69c1a7c684df65016708865dae05f5043d1b0ce8

\Windows\system\lFDWffz.exe

MD5 3681529c9b0132b4076c0100e3848270
SHA1 3c05ff368cded41f587f1b30acb426694f3a8a9a
SHA256 15b0e8ff79501534b63547073a76d0a86d7ce9031d8448aa57a431ca509e9ab0
SHA512 785451062be06af6e2cf3693f236e5be92c8fcc13702d1fe8d9301328734cde154c678a352693614cc0a1a36c93659074239a4fb2453476f3e933a74f5aafffd

memory/2860-97-0x00000000022C0000-0x0000000002611000-memory.dmp

memory/2984-98-0x000000013F560000-0x000000013F8B1000-memory.dmp

memory/2764-71-0x000000013FDC0000-0x0000000140111000-memory.dmp

\Windows\system\yolmzwK.exe

MD5 f87dc1e0cdb00d232689ba8d11c11107
SHA1 6a6123a4307473b47e8c6a63f14e2f5abd362c6d
SHA256 9ce7f64f87963320ae2d6ee4c90096d2d989b60dfe8914a7d429e1059396a00b
SHA512 8dd140618ba27a93497203a9ecc7d372dbfc3d68d847a07a1fd1d59a4be8f82ed25095db2b71e1c05a0246474b93d28062e55816b0d45e1e7eaaf3991d9fcc87

C:\Windows\system\eTiSDNG.exe

MD5 0598c1d9443fce494689e7e5460e4fd2
SHA1 2c2b03fdafe3349ee7321a6fc6b7cb50cfbbe3a1
SHA256 81802cb7eb7ea87767068f77a9a8b37d131cb8b7ce2f15e2561f2c83f6dcc377
SHA512 5a6a5ef88f0d36be94532bc34ad241a62cddafc98e3bf62344927505c25eb5488fa45e6f58f5d73ffb8962c24ce1a0aaf2462f0c205fb8153e6edf7491a05fc1

C:\Windows\system\OUfXvMY.exe

MD5 c6754fbd3842dabb85b0477821e2960b
SHA1 b83add4e9e9434b233f03115ef143efa97f4cb22
SHA256 ec4b6533b36e99e7ed0437e9299ed75925fc1b5bf696319160efbb3dabef9571
SHA512 3fac7bcb12867db8817600c7b4c554b5b2ceb4be260f2206efe6f60e36a39ecea9984927522e5f3818439b8bb1cd4d20417637cb165bce8db0c1c140865b225e

C:\Windows\system\KybSQoN.exe

MD5 438b697db2e28218af012cdc3f23cbc2
SHA1 28a51981f6a8557de4905bbcca3ab15579e1d9c6
SHA256 6f10d91e89fae8c238ee39a284b30ad55f753c5a987543e150c24a3f9c6351a4
SHA512 2d2546b1b7c9930a03d39f8879d0adbc7c733b9bfcd759103a612874f170474ba8063b4793d11f319c24d6783b88a25ed153902d3fd2e24bd75c9d11f4714ecf

C:\Windows\system\OyDgiVf.exe

MD5 713edfe2a44ec5a56af5212fd3e0c5f6
SHA1 d881889b99536e6bd218e2c359776b745fed8994
SHA256 32032b21fe20ee1a996e5ad6006ba030509f909518e977a91e1d1fa9900fab55
SHA512 818be3f20219e1138cec012f42e426397634293d304e9c6af6b7614d51b6f2cb2145c693b87d2f7464c22852aeeeffe41e59db3714c55d394bd5b55e4c2fa0cf

C:\Windows\system\MsmHxtI.exe

MD5 da65af14142b17b9e62cad0ea6aa3ada
SHA1 2e14690a2c250ddf63c9000560557663d94912af
SHA256 6296d17770e2894675ebb7d493ea1c60aae30f3639bc2af43eed9f8df1c7df37
SHA512 4653d117d1ed6552203573c64567c7e16e12bf980e68ef612f273c335801eb9a697b64cb20539d737e01a64beb2b82d7ba32705a604546bc65f0e066c3b42fd9

C:\Windows\system\mbKkSId.exe

MD5 588a14e757003563e5c5de73cf494424
SHA1 062cb29b076aee3244a00df17db48f81770ab58f
SHA256 c81b85d8111ac102757eba8919ff2feaa24ad14adee9dd1bbc6d24549afb86db
SHA512 b19e5a2d2dedab8c5053fc4664a4f718a671231c5be296894154477ebf5580635461f76060376b17eb0720732f43b4dedc7a9945e3fd0c63c491fd08496136ab

C:\Windows\system\QpSgtFj.exe

MD5 143df7085279957b2e5b6bff37863d2e
SHA1 6ffc2ace25e437afb289f3300656659ff0f309cf
SHA256 015c2417c571ee351182ce05d0b7a0517e9838e080c3bfbee15b6efdf5a78a7b
SHA512 7db59372c12ac3a8ee515a00ce48aad25c87adb7cdb6141bfa01849dc142f6e497a7b0d1aab65c15cd70f6ea888c163384f38b7f393b62b049ed034eb1392f0a

memory/2860-106-0x00000000022C0000-0x0000000002611000-memory.dmp

memory/300-138-0x000000013F2E0000-0x000000013F631000-memory.dmp

memory/592-104-0x000000013FA70000-0x000000013FDC1000-memory.dmp

memory/2860-102-0x000000013FA70000-0x000000013FDC1000-memory.dmp

memory/2776-91-0x000000013FB30000-0x000000013FE81000-memory.dmp

memory/2452-90-0x000000013FFF0000-0x0000000140341000-memory.dmp

memory/2556-88-0x000000013F4F0000-0x000000013F841000-memory.dmp

C:\Windows\system\sMIMFvG.exe

MD5 1f4c50486abd889204320505bf940739
SHA1 1147ac4aa1052175b7ab5b7359a2a783f7706fb4
SHA256 1d1dbe5fdec45c4ada576d04b5a5b09d3e383e2d8ded870b2f9d13befbd281a8
SHA512 46e7b2c8d6a35a45dcba35d650930d6efabddf86ef5d4eac18804d63b7ee0c18a6e0a3117d251068061e3157d2b5f7b8b4ac8a076ced449360a34efd3b00c76b

memory/2796-86-0x000000013F340000-0x000000013F691000-memory.dmp

memory/2860-84-0x000000013FB30000-0x000000013FE81000-memory.dmp

memory/2860-83-0x00000000022C0000-0x0000000002611000-memory.dmp

memory/2688-82-0x000000013F930000-0x000000013FC81000-memory.dmp

memory/3040-80-0x000000013F5F0000-0x000000013F941000-memory.dmp

memory/2860-62-0x000000013F390000-0x000000013F6E1000-memory.dmp

C:\Windows\system\CZfBebo.exe

MD5 df25396eebb164f86c42e82d2acfe4ae
SHA1 b98a3f6e3555a1553dbe00efbfae81398352d6e6
SHA256 612867ba3cdf01b98df85539fe562d8e1b5cece3c484ebdfb9200792f2645bb1
SHA512 3a6f578b38827791f2a1ef0c03b10b029b86a56d1dcfce3649d17e202625b3cf70f0d742bedee1b238437a93e0a35484e34c5df6ca0af8334bed28ac346da9b9

C:\Windows\system\IaYVdEZ.exe

MD5 3619b1653ca30c9760b4e2bceb772b6f
SHA1 e82974b609351c2a7db60d63c727650dd665d6e9
SHA256 253d52c3d367d7cf40d07b59e7a84bc8f4f0268796dd99123b177e7d64da0326
SHA512 37ea515c6220a6227d56a566c2ae5e5c2a1be81cc9576f708c6b1e42b58130e46d787e9757966f4beef732b6f4d746930e178f7beebe335aaff32dc7571c08e3

C:\Windows\system\WEnVqKK.exe

MD5 a816df0afc02db72aed84cf69417780b
SHA1 daf30940ace0a55d5f54ae74ba4fd07a55087f3d
SHA256 0924d02f3312012ac4820a71a86ba59b361577a1ccf3eb857760c5ae6db466dc
SHA512 e49d68b54df1f70b2d88a5b08112febe73784c261464f4878b88997e6412436572435e48cc4003464fa85d0d1b4ebd3a219cb9885ecf0c1c1f62647d04132b61

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 10:53

Reported

2024-08-15 10:55

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\QpSgtFj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OUfXvMY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EjLSJKt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ieNwCGZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WEnVqKK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sMIMFvG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jbwTEXE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yolmzwK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KybSQoN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mbKkSId.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MsmHxtI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dZJmlJU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iupFaFp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RtfopzW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CZfBebo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lFDWffz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OyDgiVf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ornhikP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZLxCpdj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IaYVdEZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eTiSDNG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3444 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dZJmlJU.exe
PID 3444 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dZJmlJU.exe
PID 3444 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EjLSJKt.exe
PID 3444 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EjLSJKt.exe
PID 3444 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ornhikP.exe
PID 3444 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ornhikP.exe
PID 3444 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZLxCpdj.exe
PID 3444 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZLxCpdj.exe
PID 3444 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ieNwCGZ.exe
PID 3444 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ieNwCGZ.exe
PID 3444 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WEnVqKK.exe
PID 3444 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WEnVqKK.exe
PID 3444 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iupFaFp.exe
PID 3444 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iupFaFp.exe
PID 3444 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IaYVdEZ.exe
PID 3444 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IaYVdEZ.exe
PID 3444 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RtfopzW.exe
PID 3444 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RtfopzW.exe
PID 3444 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CZfBebo.exe
PID 3444 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CZfBebo.exe
PID 3444 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sMIMFvG.exe
PID 3444 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sMIMFvG.exe
PID 3444 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jbwTEXE.exe
PID 3444 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jbwTEXE.exe
PID 3444 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yolmzwK.exe
PID 3444 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yolmzwK.exe
PID 3444 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lFDWffz.exe
PID 3444 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lFDWffz.exe
PID 3444 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eTiSDNG.exe
PID 3444 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eTiSDNG.exe
PID 3444 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QpSgtFj.exe
PID 3444 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QpSgtFj.exe
PID 3444 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OUfXvMY.exe
PID 3444 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OUfXvMY.exe
PID 3444 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mbKkSId.exe
PID 3444 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mbKkSId.exe
PID 3444 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KybSQoN.exe
PID 3444 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KybSQoN.exe
PID 3444 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MsmHxtI.exe
PID 3444 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MsmHxtI.exe
PID 3444 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OyDgiVf.exe
PID 3444 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OyDgiVf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\dZJmlJU.exe

C:\Windows\System\dZJmlJU.exe

C:\Windows\System\EjLSJKt.exe

C:\Windows\System\EjLSJKt.exe

C:\Windows\System\ornhikP.exe

C:\Windows\System\ornhikP.exe

C:\Windows\System\ZLxCpdj.exe

C:\Windows\System\ZLxCpdj.exe

C:\Windows\System\ieNwCGZ.exe

C:\Windows\System\ieNwCGZ.exe

C:\Windows\System\WEnVqKK.exe

C:\Windows\System\WEnVqKK.exe

C:\Windows\System\iupFaFp.exe

C:\Windows\System\iupFaFp.exe

C:\Windows\System\IaYVdEZ.exe

C:\Windows\System\IaYVdEZ.exe

C:\Windows\System\RtfopzW.exe

C:\Windows\System\RtfopzW.exe

C:\Windows\System\CZfBebo.exe

C:\Windows\System\CZfBebo.exe

C:\Windows\System\sMIMFvG.exe

C:\Windows\System\sMIMFvG.exe

C:\Windows\System\jbwTEXE.exe

C:\Windows\System\jbwTEXE.exe

C:\Windows\System\yolmzwK.exe

C:\Windows\System\yolmzwK.exe

C:\Windows\System\lFDWffz.exe

C:\Windows\System\lFDWffz.exe

C:\Windows\System\eTiSDNG.exe

C:\Windows\System\eTiSDNG.exe

C:\Windows\System\QpSgtFj.exe

C:\Windows\System\QpSgtFj.exe

C:\Windows\System\OUfXvMY.exe

C:\Windows\System\OUfXvMY.exe

C:\Windows\System\mbKkSId.exe

C:\Windows\System\mbKkSId.exe

C:\Windows\System\KybSQoN.exe

C:\Windows\System\KybSQoN.exe

C:\Windows\System\MsmHxtI.exe

C:\Windows\System\MsmHxtI.exe

C:\Windows\System\OyDgiVf.exe

C:\Windows\System\OyDgiVf.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 udp

Files

C:\Windows\System\dZJmlJU.exe

MD5 d5e2ad2168012d1c90d9c93947511e45
SHA1 7b854106020bace938b974ce2b651732e6f7ed81
SHA256 9c58b1238c4edd54896dff8e32bf844a8d3df2ddccaf707f347c7598ee6ad987
SHA512 d71d8c296041513bc0421c5f84f401f46936be275c3439469d442cbd95e0e6eaf75743ebe0d5314490ba4af003168ced474a2724ee07e3eab5698c99e7ffc2df

C:\Windows\System\EjLSJKt.exe

MD5 ba0b9ca9efa44da291708eebcae368b2
SHA1 25ed9eb10649a595df13ecb60f668a740f11fc23
SHA256 f6bd8d5d30fe7c89230f4b82802cc2e348a16c17415d02ca5b18ed5ff88638d1
SHA512 4666f2cc86ed25af029ebfc9aac629e3d64ee8959c2bc2fc17126128f80ca779204605953fc79412ccb787ebdca91e23b18f4b50b7901a1f0a10d5f100301567

C:\Windows\System\ieNwCGZ.exe

MD5 b020c7d0085f43a0aed05374d9c4e0c0
SHA1 9d340be5c84bf11728c79606dce4edc397530388
SHA256 c09b5b7ab689de8d46729db852801417b57d5eebf12149fb4a63c0727d76d8cb
SHA512 0b066faf5c1c690419f7a1f5e5fac8356b9bfbf819a2e0a539994c1b5ed0c73e71b3bd8f5b4a659f8abd66d21ca19ce1d0e1b8f1df276cb30882810256ad6c78

C:\Windows\System\iupFaFp.exe

MD5 75d685a159229305125c9bcfd58e41bf
SHA1 12eb21aabdc7bccdc62abe6327d787173b6eaa61
SHA256 35d705f8a240ac7a7245fc59f196f143c4ea9fc707455a1086c953b2472f2e32
SHA512 14f761d02a2ea2d4ecc028048b8e72d72bad9c9f40c37a7b081bffa956b86fac69659798535bab2357ed9474827f5ef92e8870be53a4fbfcf35b4a1a8a8b460b

C:\Windows\System\WEnVqKK.exe

MD5 a816df0afc02db72aed84cf69417780b
SHA1 daf30940ace0a55d5f54ae74ba4fd07a55087f3d
SHA256 0924d02f3312012ac4820a71a86ba59b361577a1ccf3eb857760c5ae6db466dc
SHA512 e49d68b54df1f70b2d88a5b08112febe73784c261464f4878b88997e6412436572435e48cc4003464fa85d0d1b4ebd3a219cb9885ecf0c1c1f62647d04132b61

C:\Windows\System\CZfBebo.exe

MD5 df25396eebb164f86c42e82d2acfe4ae
SHA1 b98a3f6e3555a1553dbe00efbfae81398352d6e6
SHA256 612867ba3cdf01b98df85539fe562d8e1b5cece3c484ebdfb9200792f2645bb1
SHA512 3a6f578b38827791f2a1ef0c03b10b029b86a56d1dcfce3649d17e202625b3cf70f0d742bedee1b238437a93e0a35484e34c5df6ca0af8334bed28ac346da9b9

C:\Windows\System\sMIMFvG.exe

MD5 1f4c50486abd889204320505bf940739
SHA1 1147ac4aa1052175b7ab5b7359a2a783f7706fb4
SHA256 1d1dbe5fdec45c4ada576d04b5a5b09d3e383e2d8ded870b2f9d13befbd281a8
SHA512 46e7b2c8d6a35a45dcba35d650930d6efabddf86ef5d4eac18804d63b7ee0c18a6e0a3117d251068061e3157d2b5f7b8b4ac8a076ced449360a34efd3b00c76b

C:\Windows\System\RtfopzW.exe

MD5 3a5c3f57f96f24473e722ac79b2c7016
SHA1 43ccb8f1c8f7b0366e9fa26f8da38460626a0b1d
SHA256 e1039eaa865d0daa5d4682268b185021cd0209bbdb53bb5f3804ec5f8d140d62
SHA512 2fd7bd1143cacefcca78f3453d880a9f728e946efc92e90352c7ca70fca4016c591b3b2f1f46b640c8d94d4c69c1a7c684df65016708865dae05f5043d1b0ce8

C:\Windows\System\IaYVdEZ.exe

MD5 3619b1653ca30c9760b4e2bceb772b6f
SHA1 e82974b609351c2a7db60d63c727650dd665d6e9
SHA256 253d52c3d367d7cf40d07b59e7a84bc8f4f0268796dd99123b177e7d64da0326
SHA512 37ea515c6220a6227d56a566c2ae5e5c2a1be81cc9576f708c6b1e42b58130e46d787e9757966f4beef732b6f4d746930e178f7beebe335aaff32dc7571c08e3

C:\Windows\System\ZLxCpdj.exe

MD5 6adba04bc90ae488f11109bf838a0f55
SHA1 7f962408fdb14c7c7a66e56ca2bc98914ab2f08b
SHA256 12091e358b647a0fe39464d5ca2bbdc140a9c3532dd258c976e84277c2874e59
SHA512 99aeb8db44a44ed875e82bc4953a34b2704e8aadd8ba5630753463fc32476af31788debabec84b5fdd1dd25b1106c53bbecd6a43fbd8f9384c3039424cadc762

C:\Windows\System\ornhikP.exe

MD5 2863837307334581d54bf9f2e2e2c080
SHA1 7709a433fa8882d4599864c460d5a555dfce914f
SHA256 88a87f3138c968c75c13ae947603505424a781e7b663be87f4967fe16e980a01
SHA512 8898050c6cea15d2815baf6ef87e6add284f418cdadeab8be22b40f5a9674448e43d37fa71d185160120ac35adf355828ecfb851594f50cc99cfdea928539c5a

C:\Windows\System\jbwTEXE.exe

MD5 649bdec09dd46c129580e3ca35829a0d
SHA1 72398bfd1f86a8220fc186dca241259bb59f4559
SHA256 b54415fea7861ac84b72a0bdaa8aadfb9f560e339752ad1bf68a3265b76e3b0b
SHA512 b5947c5219092e424746ad43dc0c5ccbe0e50208af731ef48a74e138a98fc42404dc1b984971af33b730b4980f3f990c2ecf2ae465b0c82a35a7a82eb1d0c2b2

C:\Windows\System\lFDWffz.exe

MD5 3681529c9b0132b4076c0100e3848270
SHA1 3c05ff368cded41f587f1b30acb426694f3a8a9a
SHA256 15b0e8ff79501534b63547073a76d0a86d7ce9031d8448aa57a431ca509e9ab0
SHA512 785451062be06af6e2cf3693f236e5be92c8fcc13702d1fe8d9301328734cde154c678a352693614cc0a1a36c93659074239a4fb2453476f3e933a74f5aafffd

C:\Windows\System\QpSgtFj.exe

MD5 143df7085279957b2e5b6bff37863d2e
SHA1 6ffc2ace25e437afb289f3300656659ff0f309cf
SHA256 015c2417c571ee351182ce05d0b7a0517e9838e080c3bfbee15b6efdf5a78a7b
SHA512 7db59372c12ac3a8ee515a00ce48aad25c87adb7cdb6141bfa01849dc142f6e497a7b0d1aab65c15cd70f6ea888c163384f38b7f393b62b049ed034eb1392f0a

C:\Windows\System\OUfXvMY.exe

MD5 c6754fbd3842dabb85b0477821e2960b
SHA1 b83add4e9e9434b233f03115ef143efa97f4cb22
SHA256 ec4b6533b36e99e7ed0437e9299ed75925fc1b5bf696319160efbb3dabef9571
SHA512 3fac7bcb12867db8817600c7b4c554b5b2ceb4be260f2206efe6f60e36a39ecea9984927522e5f3818439b8bb1cd4d20417637cb165bce8db0c1c140865b225e

C:\Windows\System\eTiSDNG.exe

MD5 0598c1d9443fce494689e7e5460e4fd2
SHA1 2c2b03fdafe3349ee7321a6fc6b7cb50cfbbe3a1
SHA256 81802cb7eb7ea87767068f77a9a8b37d131cb8b7ce2f15e2561f2c83f6dcc377
SHA512 5a6a5ef88f0d36be94532bc34ad241a62cddafc98e3bf62344927505c25eb5488fa45e6f58f5d73ffb8962c24ce1a0aaf2462f0c205fb8153e6edf7491a05fc1

C:\Windows\System\yolmzwK.exe

MD5 f87dc1e0cdb00d232689ba8d11c11107
SHA1 6a6123a4307473b47e8c6a63f14e2f5abd362c6d
SHA256 9ce7f64f87963320ae2d6ee4c90096d2d989b60dfe8914a7d429e1059396a00b
SHA512 8dd140618ba27a93497203a9ecc7d372dbfc3d68d847a07a1fd1d59a4be8f82ed25095db2b71e1c05a0246474b93d28062e55816b0d45e1e7eaaf3991d9fcc87

C:\Windows\System\mbKkSId.exe

MD5 588a14e757003563e5c5de73cf494424
SHA1 062cb29b076aee3244a00df17db48f81770ab58f
SHA256 c81b85d8111ac102757eba8919ff2feaa24ad14adee9dd1bbc6d24549afb86db
SHA512 b19e5a2d2dedab8c5053fc4664a4f718a671231c5be296894154477ebf5580635461f76060376b17eb0720732f43b4dedc7a9945e3fd0c63c491fd08496136ab

C:\Windows\System\OyDgiVf.exe

MD5 713edfe2a44ec5a56af5212fd3e0c5f6
SHA1 d881889b99536e6bd218e2c359776b745fed8994
SHA256 32032b21fe20ee1a996e5ad6006ba030509f909518e977a91e1d1fa9900fab55
SHA512 818be3f20219e1138cec012f42e426397634293d304e9c6af6b7614d51b6f2cb2145c693b87d2f7464c22852aeeeffe41e59db3714c55d394bd5b55e4c2fa0cf

C:\Windows\System\MsmHxtI.exe

MD5 da65af14142b17b9e62cad0ea6aa3ada
SHA1 2e14690a2c250ddf63c9000560557663d94912af
SHA256 6296d17770e2894675ebb7d493ea1c60aae30f3639bc2af43eed9f8df1c7df37
SHA512 4653d117d1ed6552203573c64567c7e16e12bf980e68ef612f273c335801eb9a697b64cb20539d737e01a64beb2b82d7ba32705a604546bc65f0e066c3b42fd9

C:\Windows\System\KybSQoN.exe

MD5 438b697db2e28218af012cdc3f23cbc2
SHA1 28a51981f6a8557de4905bbcca3ab15579e1d9c6
SHA256 6f10d91e89fae8c238ee39a284b30ad55f753c5a987543e150c24a3f9c6351a4
SHA512 2d2546b1b7c9930a03d39f8879d0adbc7c733b9bfcd759103a612874f170474ba8063b4793d11f319c24d6783b88a25ed153902d3fd2e24bd75c9d11f4714ecf