Malware Analysis Report

2025-03-15 08:07

Sample ID: 240815-njvjgazbnc
Target: 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat
SHA256: 9dc08942a9069f8cc18d378a4a19af33a18c4d75ecfd03fe3cbfbbc22d2b077f
Tags: upx 0 miner cobaltstrike xmrig backdoor trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2 (section not present in this copy of the report)
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 9dc08942a9069f8cc18d378a4a19af33a18c4d75ecfd03fe3cbfbbc22d2b077f
Threat Level: Known bad

The file 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Tags: upx 0 miner cobaltstrike xmrig backdoor trojan

Signatures triggered across the static and behavioral runs:

xmrig
Cobalt Strike reflective loader
XMRig Miner payload
Cobaltstrike family
Xmrig family
Cobaltstrike
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

Note on attribution: the Cobalt Strike and XMRig family labels come from signature matches whose indicator, process and target fields are all recorded as N/A below, so the report itself gives no string, beacon config or mining-pool address that confirms either family. What the behavioral run (behavioral1) does document is a dropper that writes 21 executables into C:\Windows\System, launches each one, and contacts a single TCP endpoint. Executes dropped EXE and Suspicious use of AdjustPrivilegeToken appear in this summary but have no detail table in the behavioral1 section of this copy.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-08-15 11:26

Signatures

Cobalt Strike reflective loader
    1 match; indicator, process and target not recorded (N/A).

Cobaltstrike family
    Tag: cobaltstrike

XMRig Miner payload
    Tag: miner
    1 match; indicator, process and target not recorded (N/A).

Xmrig family
    Tag: xmrig

UPX packed file
    Tag: upx
    1 match; indicator, process and target not recorded (N/A).

Unsigned PE
    2 matches; indicator, process and target not recorded (N/A).

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-15 11:26
Reported: 2024-08-15 11:28
Platform: win7-20240708-en
Max time kernel: 140s
Max time network: 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader
    21 matches; indicator, process and target not recorded (N/A) for every match. The count equals the number of executables dropped in this run (see Drops file in Windows directory).

Cobaltstrike
    Tags: trojan backdoor cobaltstrike

xmrig
    Tags: miner xmrig

XMRig Miner payload
    Tag: miner
    43 matches; indicator, process and target not recorded (N/A) for every match.
Loads dropped DLL
    21 events, all by process C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe; the loaded module path is not recorded (N/A) in any row.

UPX packed file
    Tag: upx
    64 matches; indicator, process and target not recorded (N/A) for every match.

Drops file in Windows directory

Process: C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe (PID 1928)
Indicator and target columns: N/A for every row.

21 files created, every one a seven-letter mixed-case name with an .exe extension under C:\Windows\System:

    C:\Windows\System\MGvoJEA.exe
    C:\Windows\System\XurKEql.exe
    C:\Windows\System\vSvjtNp.exe
    C:\Windows\System\SXTllMt.exe
    C:\Windows\System\wofnClE.exe
    C:\Windows\System\xNmfHfn.exe
    C:\Windows\System\zqkQDZT.exe
    C:\Windows\System\fSrbeSk.exe
    C:\Windows\System\bDVTZZK.exe
    C:\Windows\System\aisdMUA.exe
    C:\Windows\System\CHgRkUe.exe
    C:\Windows\System\ofYkOpC.exe
    C:\Windows\System\JunHmfQ.exe
    C:\Windows\System\qyisume.exe
    C:\Windows\System\NgfQmLF.exe
    C:\Windows\System\vvGwTlv.exe
    C:\Windows\System\gUhgZRm.exe
    C:\Windows\System\UmcnAsp.exe
    C:\Windows\System\WXfeEmL.exe
    C:\Windows\System\QwcjkNV.exe
    C:\Windows\System\VBeoQZc.exe

Suspicious use of WriteProcessMemory

Source process: C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe (PID 1928)
Indicator: N/A for every row. The report lists three identical rows per target; they are collapsed here with a count.

Target PID   Writes   Target
2524         3        C:\Windows\System\CHgRkUe.exe
2376         3        C:\Windows\System\wofnClE.exe
1256         3        C:\Windows\System\xNmfHfn.exe
2324         3        C:\Windows\System\SXTllMt.exe
2384         3        C:\Windows\System\VBeoQZc.exe
2868         3        C:\Windows\System\vvGwTlv.exe
2764         3        C:\Windows\System\zqkQDZT.exe
2896         3        C:\Windows\System\ofYkOpC.exe
2640         3        C:\Windows\System\fSrbeSk.exe
2972         3        C:\Windows\System\gUhgZRm.exe
2776         3        C:\Windows\System\UmcnAsp.exe
2616         3        C:\Windows\System\bDVTZZK.exe
1092         3        C:\Windows\System\WXfeEmL.exe
828          3        C:\Windows\System\JunHmfQ.exe
2044         3        C:\Windows\System\qyisume.exe
1880         3        C:\Windows\System\MGvoJEA.exe
1872         3        C:\Windows\System\XurKEql.exe
2040         3        C:\Windows\System\QwcjkNV.exe
2016         3        C:\Windows\System\aisdMUA.exe
804          3        C:\Windows\System\NgfQmLF.exe
1992         3        C:\Windows\System\vSvjtNp.exe

Every target is one of the 21 executables the sample dropped, and each receives the same three writes from the parent. That uniform pattern is consistent with the parent spawning each dropped file (the sandbox records the writes a parent makes into a freshly created child) rather than injecting into a process that existed before the sample ran; no write into any other process is recorded.
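As an added example (not part of the sandbox report or its tooling), the script below parses rows in the format the table above was rendered in, collapses the triplicated writes into one edge per parent/child pair, and separates writes into the sample's own dropped children from writes into any other process. The parent path, PIDs and the 21 dropped names are copied from this report; the explorer.exe row is constructed to exercise the injection branch and does not appear in the report.

```python
"""Turn the report's 'Suspicious use of WriteProcessMemory' rows into a
process tree and tell process spawning apart from writes into a process
the sample did not create.

Added example, not part of the sandbox report. The parent path, PIDs and
dropped-file names are copied from the report; one extra row is
constructed here (marked) so the injection branch is exercised.
"""
import re
from collections import Counter

# Row layout as rendered in the report:
#   PID <src> wrote to memory of <dst> <indicator> <source image> <target image>
# Images are matched from a drive letter so paths containing spaces still split.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<indicator>\S+) "
    r"(?P<src_image>[A-Za-z]:\\.+?) (?P<dst_image>[A-Za-z]:\\.+)$"
)

PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe")

# The 21 executables listed under "Drops file in Windows directory".
DROPPED_NAMES = ("MGvoJEA XurKEql vSvjtNp SXTllMt wofnClE xNmfHfn zqkQDZT "
                 "fSrbeSk bDVTZZK aisdMUA CHgRkUe ofYkOpC JunHmfQ qyisume "
                 "NgfQmLF vvGwTlv gUhgZRm UmcnAsp WXfeEmL QwcjkNV VBeoQZc").split()


def dropped_path(name):
    return "C:\\Windows\\System\\" + name + ".exe"


DROPPED = {dropped_path(n).lower() for n in DROPPED_NAMES}

# First three children from the report; the sandbox records three writes per spawn.
SAMPLE_ROWS = [
    "PID 1928 wrote to memory of %d N/A %s %s" % (pid, PARENT, dropped_path(name))
    for pid, name in ((2524, "CHgRkUe"), (2376, "wofnClE"), (1256, "xNmfHfn"))
    for _ in range(3)
]
# Constructed row, NOT in the report: a dropped child writing into explorer.exe.
SAMPLE_ROWS.append(
    "PID 2524 wrote to memory of 1600 N/A " + dropped_path("CHgRkUe")
    + r" C:\Windows\explorer.exe")


def parse_rows(rows):
    """Yield (src_pid, dst_pid, src_image, dst_image) for each well-formed row."""
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            yield int(m["src"]), int(m["dst"]), m["src_image"], m["dst_image"]


def build_edges(rows, dropped=DROPPED):
    """Collapse repeated rows into one edge per (src, dst) with a write count,
    and label each edge by whether the target is one of the dropped files."""
    writes = Counter()
    images = {}
    for src, dst, src_img, dst_img in parse_rows(rows):
        writes[(src, dst)] += 1
        images[(src, dst)] = (src_img, dst_img)
    edges = []
    for (src, dst), n in sorted(writes.items()):
        src_img, dst_img = images[(src, dst)]
        kind = ("spawn-of-dropped-exe" if dst_img.lower() in dropped
                else "write-into-foreign-process")
        edges.append({"src": src, "dst": dst, "writes": n,
                      "src_image": src_img, "dst_image": dst_img, "kind": kind})
    return edges


def children_of(edges, pid):
    return sorted(e["dst"] for e in edges if e["src"] == pid)


def foreign_writes(edges):
    """Edges worth a closer look: the target is not a file the sample dropped."""
    return [e for e in edges if e["kind"] == "write-into-foreign-process"]


if __name__ == "__main__":
    for e in build_edges(SAMPLE_ROWS):
        print("%5d -> %5d  x%d  %-27s %s" % (e["src"], e["dst"], e["writes"],
                                              e["kind"], e["dst_image"]))
```

Feed the full 63 rows from the table to build_edges and every edge comes back as spawn-of-dropped-exe with three writes; anything that lands in foreign_writes is the case this report does not contain and the one that would justify a memory dump of the target.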

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe (PID 1928)
    command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe"

Children of PID 1928, each launched with its own path as the command line and no arguments (PIDs from the WriteProcessMemory table):

    C:\Windows\System\CHgRkUe.exe (PID 2524)
    C:\Windows\System\wofnClE.exe (PID 2376)
    C:\Windows\System\xNmfHfn.exe (PID 1256)
    C:\Windows\System\SXTllMt.exe (PID 2324)
    C:\Windows\System\VBeoQZc.exe (PID 2384)
    C:\Windows\System\vvGwTlv.exe (PID 2868)
    C:\Windows\System\zqkQDZT.exe (PID 2764)
    C:\Windows\System\ofYkOpC.exe (PID 2896)
    C:\Windows\System\fSrbeSk.exe (PID 2640)
    C:\Windows\System\gUhgZRm.exe (PID 2972)
    C:\Windows\System\UmcnAsp.exe (PID 2776)
    C:\Windows\System\bDVTZZK.exe (PID 2616)
    C:\Windows\System\WXfeEmL.exe (PID 1092)
    C:\Windows\System\JunHmfQ.exe (PID 828)
    C:\Windows\System\qyisume.exe (PID 2044)
    C:\Windows\System\MGvoJEA.exe (PID 1880)
    C:\Windows\System\XurKEql.exe (PID 1872)
    C:\Windows\System\QwcjkNV.exe (PID 2040)
    C:\Windows\System\aisdMUA.exe (PID 2016)
    C:\Windows\System\NgfQmLF.exe (PID 804)
    C:\Windows\System\vSvjtNp.exe (PID 1992)

Network

Country   Destination          Domain   Proto   Connections
DE        3.120.209.58:8080    (none)   tcp     6

Six TCP connections to the same endpoint and nothing else for the whole run. No domain is associated with the connection, which points to an address hard-coded in the sample rather than resolved through DNS.

Files

Dropped executables (with MD5, SHA1, SHA256 and SHA512) interleaved with the memory regions dumped per PID, in the order the sandbox recorded them. The 21 hashed files are the same 21 executables listed under Drops file in Windows directory, and the PIDs in the memory dump names are the parent (1928) and the child PIDs from the WriteProcessMemory table.

memory/1928-0-0x000000013FDF0000-0x0000000140141000-memory.dmp

memory/1928-1-0x0000000000080000-0x0000000000090000-memory.dmp

C:\Windows\system\CHgRkUe.exe

MD5 c6b745a4595fe81478bf926d7a4f117e
SHA1 81e4ad3b8dca4bd4a24ce7c868a32badbe566839
SHA256 da7170afe3c89f9b704d3678a8d72c3f4929df2e014c2ae9999779d549e16414
SHA512 22cdcbe90485fffd0932995cc0819ff399d426cedcde21473651823ac4e9da59efcb402121c8c6adb53a4b6f4de7aa510d9e3abd57ec32a9e97721bba823e22b

C:\Windows\system\wofnClE.exe

MD5 e74b80311090a1dc0765871644fc1a68
SHA1 4023254c09fdd57dc370ac86d4dde07a34121e5d
SHA256 b7d15179a35f7f613a63a329c289e8babe9034fe278cfe96433dade98b719364
SHA512 5a614cbe26e560ab990f95ea0384893bd64686728d8f2b62c3d2e7ac5a8eb8f2afab2bac3ed7aef663ddbc272b8a64a85b7a2decb171fc84f4a89fd349080a2a

\Windows\system\xNmfHfn.exe

MD5 f3e0dcdd991736d45225b30395841566
SHA1 aaa85aa40ec235ed79c6cda01c6344e77a655bd6
SHA256 72627d8cc16173cca3c325206ac431460e0ae21586028ba1b8ca9be080c3bc2f
SHA512 3f68f527c749c27422db8ef3cc448581a63cfbc558f1808540e771f06f07ccb548af183c79bbeaea89c48809c8ab60f05342e97d370c86c1592ea26dbc0765c6

memory/1256-27-0x000000013FAB0000-0x000000013FE01000-memory.dmp

C:\Windows\system\SXTllMt.exe

MD5 1f4f27786e6df75cbba9aaaef271f815
SHA1 9dcfe55080b4cd515bd80a6a76b33c4b3211278d
SHA256 7885be79b12f60fb53873875a78e4bfd7d77ec3710323e1f45e0964d0d0ecbb5
SHA512 a328da4f303eff453d592bfbc33cc926fe61654fea15aabbece97652a0e9cfa040ae077de056eebd7bea0d2999ac9888d4f28131f07038c540a0a061f674d5bd

memory/2324-35-0x000000013F310000-0x000000013F661000-memory.dmp

C:\Windows\system\vvGwTlv.exe

MD5 2d747a3ca834c0e53c58c0d45f1cd062
SHA1 1970e6a457e841a57e458fc19bb65a2ae4553a8e
SHA256 60f469c60a6e8d043a9a00d7052cd3de5bdc7370104a1f4e06b035c4cc56c3d1
SHA512 18eff493a6cd5705124be34c9fdc25f026ae8fed17a27f881d68c5fcd6b2bab4db9a48458ba7c76486349741a08078f314a15f365bad63c19a4eee14fef566f3

memory/2764-50-0x000000013F7D0000-0x000000013FB21000-memory.dmp

C:\Windows\system\ofYkOpC.exe

MD5 9466b53cf3b50c6c6dcdde15ba1de426
SHA1 97bb93173237a52b25032aabc7799303f3d6f61a
SHA256 d66cdf6b4a851d39a3cbb01cab5daa3e97525f08d2602e52bfe25e3667a4b6d7
SHA512 e6c7ee112e09a78ddd7751892b5fe3349281edace25828ac8b353ab8cd2ab34ea4676d24e548597fba3661d18feb4e663a343f01bd3fe49039960de62d82c298

\Windows\system\gUhgZRm.exe

MD5 1e91dd8934b3bdf0fb9259ec4df40ccb
SHA1 7ea1f62167afc32be627f6ea62a18d04b0479139
SHA256 b3f6e151fb67aaf92b1f1ae45f34fac00dc3e62d9d061dac9382d0d849e61cd6
SHA512 7ae4d93e6a01780cad3587331332eead800bc6b80bcbc8a97be5ba99c8c9c341d2f4cd1fd30d11b9b4b254d63a4d5c13dc9f5393c894be62c44a077d1fea8364

memory/2776-81-0x000000013F430000-0x000000013F781000-memory.dmp

memory/2616-88-0x000000013FCF0000-0x0000000140041000-memory.dmp

memory/1092-94-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

memory/2896-103-0x000000013FFB0000-0x0000000140301000-memory.dmp

C:\Windows\system\MGvoJEA.exe

MD5 42aea7ffeb273258ab6f7f748cf27511
SHA1 d6f708e69bc9967a2d991f834a91d3af06404e04
SHA256 25ecfbf9c8fff297f9d8dacd1a891cf5a63856927b72f7c8210cff31798e375f
SHA512 7ade4a1019bb20402a5b8c440b08806e968644554ab6da287c70ff616ae9cbd18bd2db2a46b24aacdcb02b8e16f0a9c64dc0f221ce5e3b5fff9619ebd8d43174

C:\Windows\system\NgfQmLF.exe

MD5 63c65de1f82985b8ddd92edc64543bda
SHA1 b4cd3ceec6eab84c06efe10380179618f9f500cc
SHA256 23089ded8f32286373fe45ac2f88cbd1e9f25f23fcbdb4d7985d06412bd64b06
SHA512 b5b0af84fb2487a29f3db77c9e4b56ed79b29a3cd3be3de9b68889a4d915341b3c77adfaa03701fe0efc75ef844d0e2487cc9285342b55178d9f202599feff0e

C:\Windows\system\vSvjtNp.exe

MD5 b8d980a112b248f343386dba9cf9ffd1
SHA1 4b19bef53c51813f3a9f2014dc603134e8d68f90
SHA256 0bab36ee3a421c1e3b25c0ef2eb72f26e97cbd03e3c358a28efc6e3290bad5e7
SHA512 f7b65ab16d45a354a6ec127af560765e22caf74ac47d764d904da4b3fca2082f2d734f48a7daec89bd65fbc51a74619b863ab4dda441f658587362a544c95382

C:\Windows\system\QwcjkNV.exe

MD5 43ced77a2bb9861a86dc6c54f36bf5b1
SHA1 dbe97179fb6466739c909691bd4c3ec2675a6af6
SHA256 f04c4142f94616e9f3d1ebc5eafc5db5262d1c2eb87a731ca45ec96509ec095d
SHA512 8d0978d140e20ab6dff4d443ac64536e38f5f0df89e3d3e15d478b723d3fa342bf79733bc159ca19bf877c94e7793cc4b2645aaaed20db1d49b029f93bad3486

C:\Windows\system\aisdMUA.exe

MD5 067efcd1760b9d4c9be5135a2a442fde
SHA1 25c330288218170df5cefd09ac728dcb65dce9e2
SHA256 f705b21cee936e88bb997094cccaf65791076b01bc45b05f2e4f5aac4aaeb3a4
SHA512 df5b3560f97b8d8011b15e7b0576253bd609c3d71b8bbce31443ccea24a41753d1e6969531220b5035a6b4f8b9259e1db6f0e794af930df44e30aeaf89ea3ae8

memory/1928-139-0x00000000022A0000-0x00000000025F1000-memory.dmp

C:\Windows\system\XurKEql.exe

MD5 588fb392166a118e85ca380e1e924965
SHA1 4f0dda2a873202c59cdb14b6e1fcb12581c557b5
SHA256 c46dc2f71ae5a8d037436f0a3ea0d32fe82594a4cfdf9dd8f1bf504b3ea1149a
SHA512 b39d58e6187ecd96feff934f321b4fbf864ed6850d4bbe9d1786f8caa83214b4b774768fd5092c62eca7185d511c984f34b2ac85fa63cdda1f322daf62c67874

memory/1928-140-0x000000013F430000-0x000000013F781000-memory.dmp

memory/1928-108-0x000000013F040000-0x000000013F391000-memory.dmp

memory/828-102-0x000000013F4C0000-0x000000013F811000-memory.dmp

memory/1928-101-0x000000013F4C0000-0x000000013F811000-memory.dmp

C:\Windows\system\JunHmfQ.exe

MD5 ec77448f2398b704eccc5502a4d57b1a
SHA1 f207d6fd854ef35e79c1bb94b2b5c11ae7edc531
SHA256 5aa06da7affe9e8bfe5a2037453e05bec21546cf2d38b17c507b18043bc82dd3
SHA512 e1294254e95af84870d9c4f91cd21aa2f24cc4c421ac80fd9b7fd45aaa9a7bbd4648c97ba277bdedc160a849d530ee10f6875bbf30c4782aa2ca390c3d787aee

C:\Windows\system\qyisume.exe

MD5 a01d6847cedc032220f4bf3b1d4d2cd7
SHA1 ba645e53c36cd2c512b0b26fbe3c56e79af5cfc4
SHA256 fbdda3a95fb6fdec55b64bbd6310b2f1a686068cafed72802632309f2238970a
SHA512 9fd24ca382cc2e3670d80e57f8572cb13807977c14c1810656eebbad23b504fd9a4c34ca2a785f55850d2b33b046805d8a583c1cae52f16846acd193b3b0b4b5

memory/1928-141-0x00000000022A0000-0x00000000025F1000-memory.dmp

memory/1928-93-0x000000013F4A0000-0x000000013F7F1000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 11:26

Reported

2024-08-15 11:28

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\xNlkhSH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FjBxCuW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lkTjlzX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HnJgTrX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lItmsKe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oWSqqAO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ovFtZMQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YEVKYyq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BbZAvGd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hCirSkm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qyJMvnk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VmksQfD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NtHrteb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LHlqCnZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cQNubHK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QXZvFVt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sfxDGoe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cgvyYsx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GLDyBYG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ADqpiVO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bdRJFIs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3352 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FjBxCuW.exe
PID 3352 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FjBxCuW.exe
PID 3352 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QXZvFVt.exe
PID 3352 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QXZvFVt.exe
PID 3352 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YEVKYyq.exe
PID 3352 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YEVKYyq.exe
PID 3352 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sfxDGoe.exe
PID 3352 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sfxDGoe.exe
PID 3352 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lkTjlzX.exe
PID 3352 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lkTjlzX.exe
PID 3352 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xNlkhSH.exe
PID 3352 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xNlkhSH.exe
PID 3352 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BbZAvGd.exe
PID 3352 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BbZAvGd.exe
PID 3352 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HnJgTrX.exe
PID 3352 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HnJgTrX.exe
PID 3352 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hCirSkm.exe
PID 3352 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hCirSkm.exe
PID 3352 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ADqpiVO.exe
PID 3352 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ADqpiVO.exe
PID 3352 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qyJMvnk.exe
PID 3352 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qyJMvnk.exe
PID 3352 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bdRJFIs.exe
PID 3352 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bdRJFIs.exe
PID 3352 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cgvyYsx.exe
PID 3352 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cgvyYsx.exe
PID 3352 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lItmsKe.exe
PID 3352 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lItmsKe.exe
PID 3352 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oWSqqAO.exe
PID 3352 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oWSqqAO.exe
PID 3352 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VmksQfD.exe
PID 3352 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VmksQfD.exe
PID 3352 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ovFtZMQ.exe
PID 3352 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ovFtZMQ.exe
PID 3352 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NtHrteb.exe
PID 3352 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NtHrteb.exe
PID 3352 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LHlqCnZ.exe
PID 3352 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LHlqCnZ.exe
PID 3352 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cQNubHK.exe
PID 3352 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cQNubHK.exe
PID 3352 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GLDyBYG.exe
PID 3352 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GLDyBYG.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\FjBxCuW.exe

C:\Windows\System\FjBxCuW.exe

C:\Windows\System\QXZvFVt.exe

C:\Windows\System\QXZvFVt.exe

C:\Windows\System\YEVKYyq.exe

C:\Windows\System\YEVKYyq.exe

C:\Windows\System\sfxDGoe.exe

C:\Windows\System\sfxDGoe.exe

C:\Windows\System\lkTjlzX.exe

C:\Windows\System\lkTjlzX.exe

C:\Windows\System\xNlkhSH.exe

C:\Windows\System\xNlkhSH.exe

C:\Windows\System\BbZAvGd.exe

C:\Windows\System\BbZAvGd.exe

C:\Windows\System\HnJgTrX.exe

C:\Windows\System\HnJgTrX.exe

C:\Windows\System\hCirSkm.exe

C:\Windows\System\hCirSkm.exe

C:\Windows\System\ADqpiVO.exe

C:\Windows\System\ADqpiVO.exe

C:\Windows\System\qyJMvnk.exe

C:\Windows\System\qyJMvnk.exe

C:\Windows\System\bdRJFIs.exe

C:\Windows\System\bdRJFIs.exe

C:\Windows\System\cgvyYsx.exe

C:\Windows\System\cgvyYsx.exe

C:\Windows\System\lItmsKe.exe

C:\Windows\System\lItmsKe.exe

C:\Windows\System\oWSqqAO.exe

C:\Windows\System\oWSqqAO.exe

C:\Windows\System\VmksQfD.exe

C:\Windows\System\VmksQfD.exe

C:\Windows\System\ovFtZMQ.exe

C:\Windows\System\ovFtZMQ.exe

C:\Windows\System\NtHrteb.exe

C:\Windows\System\NtHrteb.exe

C:\Windows\System\LHlqCnZ.exe

C:\Windows\System\LHlqCnZ.exe

C:\Windows\System\cQNubHK.exe

C:\Windows\System\cQNubHK.exe

C:\Windows\System\GLDyBYG.exe

C:\Windows\System\GLDyBYG.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files
