Malware Analysis Report

2025-03-15 08:08

Sample ID 240815-nm3dgsvaqj
Target 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat
SHA256 0abd00e3fbd2f2341b01cc1c148b7cc9b8aa496baf5815aee28660fd22886018
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0abd00e3fbd2f2341b01cc1c148b7cc9b8aa496baf5815aee28660fd22886018

Threat Level: Known bad

The file 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobalt Strike reflective loader

Cobaltstrike family

XMRig Miner payload

xmrig

Cobaltstrike

Xmrig family

XMRig Miner payload

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-15 11:31

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(1 row, all fields N/A)

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
(1 row, all fields N/A)

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
(1 row, all fields N/A)

Unsigned PE

Description Indicator Process Target
(2 rows, all fields N/A)

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 11:31

Reported

2024-08-15 11:34

Platform

win7-20240729-en

Max time kernel

140s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 rows, all fields N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(41 rows, all fields N/A)

Loads dropped DLL

Description Indicator Process Target
(21 rows; Process = C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe in every row; Description, Indicator and Target N/A, so the names of the loaded DLLs are not recorded)

UPX packed file

upx
Description Indicator Process Target
(64 rows, all fields N/A)

Drops file in Windows directory

Description Indicator Process Target
File created (21 files, every row with Process = C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe, Indicator and Target N/A), in the order recorded:
C:\Windows\System\syTMsNp.exe
C:\Windows\System\WVrVeQj.exe
C:\Windows\System\HPaTVxt.exe
C:\Windows\System\qIMNegO.exe
C:\Windows\System\NhOxeLZ.exe
C:\Windows\System\ICICrVF.exe
C:\Windows\System\FlMLVMm.exe
C:\Windows\System\OUyqeli.exe
C:\Windows\System\BItoASl.exe
C:\Windows\System\aYHsSjz.exe
C:\Windows\System\Stwgers.exe
C:\Windows\System\XuafsUj.exe
C:\Windows\System\FbXUiYO.exe
C:\Windows\System\xTYYBdX.exe
C:\Windows\System\TryOgjj.exe
C:\Windows\System\NlRjVzG.exe
C:\Windows\System\ylBDJhE.exe
C:\Windows\System\FvsLNLI.exe
C:\Windows\System\iGQpNES.exe
C:\Windows\System\wYAWVuS.exe
C:\Windows\System\JraneBd.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Every row has Process = C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe (PID 2124) and Indicator N/A. The sandbox recorded three writes into each target process; each target is listed once below with its PID and image.
PID 2124 wrote to memory of 2372 (3 writes) C:\Windows\System\HPaTVxt.exe
PID 2124 wrote to memory of 3044 (3 writes) C:\Windows\System\aYHsSjz.exe
PID 2124 wrote to memory of 1104 (3 writes) C:\Windows\System\TryOgjj.exe
PID 2124 wrote to memory of 1236 (3 writes) C:\Windows\System\Stwgers.exe
PID 2124 wrote to memory of 2316 (3 writes) C:\Windows\System\iGQpNES.exe
PID 2124 wrote to memory of 1652 (3 writes) C:\Windows\System\wYAWVuS.exe
PID 2124 wrote to memory of 2136 (3 writes) C:\Windows\System\XuafsUj.exe
PID 2124 wrote to memory of 2608 (3 writes) C:\Windows\System\NlRjVzG.exe
PID 2124 wrote to memory of 2828 (3 writes) C:\Windows\System\ICICrVF.exe
PID 2124 wrote to memory of 2648 (3 writes) C:\Windows\System\qIMNegO.exe
PID 2124 wrote to memory of 2952 (3 writes) C:\Windows\System\ylBDJhE.exe
PID 2124 wrote to memory of 3068 (3 writes) C:\Windows\System\JraneBd.exe
PID 2124 wrote to memory of 2884 (3 writes) C:\Windows\System\FlMLVMm.exe
PID 2124 wrote to memory of 2536 (3 writes) C:\Windows\System\NhOxeLZ.exe
PID 2124 wrote to memory of 2588 (3 writes) C:\Windows\System\OUyqeli.exe
PID 2124 wrote to memory of 3012 (3 writes) C:\Windows\System\syTMsNp.exe
PID 2124 wrote to memory of 2056 (3 writes) C:\Windows\System\WVrVeQj.exe
PID 2124 wrote to memory of 1864 (3 writes) C:\Windows\System\BItoASl.exe
PID 2124 wrote to memory of 2576 (3 writes) C:\Windows\System\FvsLNLI.exe
PID 2124 wrote to memory of 2708 (3 writes) C:\Windows\System\FbXUiYO.exe
PID 2124 wrote to memory of 2716 (3 writes) C:\Windows\System\xTYYBdX.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe (PID 2124)
command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe"

Dropped executables that ran, in the order the sandbox listed them. Each was started with its own path as the bare command line; PIDs are taken from the WriteProcessMemory rows above.

C:\Windows\System\HPaTVxt.exe (PID 2372)
C:\Windows\System\aYHsSjz.exe (PID 3044)
C:\Windows\System\TryOgjj.exe (PID 1104)
C:\Windows\System\Stwgers.exe (PID 1236)
C:\Windows\System\iGQpNES.exe (PID 2316)
C:\Windows\System\wYAWVuS.exe (PID 1652)
C:\Windows\System\XuafsUj.exe (PID 2136)
C:\Windows\System\NlRjVzG.exe (PID 2608)
C:\Windows\System\ICICrVF.exe (PID 2828)
C:\Windows\System\qIMNegO.exe (PID 2648)
C:\Windows\System\ylBDJhE.exe (PID 2952)
C:\Windows\System\JraneBd.exe (PID 3068)
C:\Windows\System\FlMLVMm.exe (PID 2884)
C:\Windows\System\NhOxeLZ.exe (PID 2536)
C:\Windows\System\OUyqeli.exe (PID 2588)
C:\Windows\System\syTMsNp.exe (PID 3012)
C:\Windows\System\WVrVeQj.exe (PID 2056)
C:\Windows\System\BItoASl.exe (PID 1864)
C:\Windows\System\FvsLNLI.exe (PID 2576)
C:\Windows\System\FbXUiYO.exe (PID 2708)
C:\Windows\System\xTYYBdX.exe (PID 2716)
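
The chain recorded above (an executable running from the user's Temp directory writes 21 randomly named .exe files into C:\Windows\System\ and then launches each of them) is the behaviour a detection engineer would turn into a rule. C:\Windows\System\ is the legacy 16-bit system directory, distinct from System32, and new executables rarely appear there, so a drop into that directory followed by execution of the dropped file is a high-signal pattern. The Python below is an added illustration and is not part of the sandbox report or its tooling. It models a minimal Sysmon-style FileCreate/ProcessCreate stream (the Event class and the event list are constructed for this example; the SAMPLE_PATH events mirror the report's own chain, the setup.exe events are a made-up benign installer) and pairs each qualifying drop with the later execution of the same path.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Event:
    """Minimal Sysmon-style event (constructed model, not the sandbox's format)."""
    kind: str    # "file_create" (Sysmon Event ID 11) or "process_create" (Event ID 1)
    image: str   # image of the acting process (the parent, for process_create)
    target: str  # file that was created, or child image that was launched


# C:\Windows\System\ is the legacy 16-bit directory (not System32); a fresh .exe
# there is unusual enough to be worth alerting on by itself.
WINDOWS_SYSTEM_EXE = re.compile(r"^[a-z]:\\windows\\system\\[^\\]+\.exe$", re.IGNORECASE)
USER_TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)


def is_windows_system_exe(path: str) -> bool:
    """True for an .exe directly inside <drive>:\\Windows\\System\\ (System32 does not match)."""
    return WINDOWS_SYSTEM_EXE.match(path) is not None


def is_user_temp_image(path: str) -> bool:
    """True when the acting process runs from a user's AppData\\Local\\Temp directory."""
    return USER_TEMP_DIR.search(path) is not None


def detect_drop_and_execute(events: Iterable[Event]) -> List[Tuple[str, str]]:
    """Pair every .exe dropped into Windows\\System\\ by a Temp-resident process with a
    later process_create of that same path. Returns (dropper image, dropped path) in
    execution order; drops that never run, and executions with no observed drop, are
    not reported."""
    dropped: Dict[str, str] = {}   # lowercased dropped path -> dropper image
    hits: List[Tuple[str, str]] = []
    for ev in events:
        if ev.kind == "file_create":
            if is_user_temp_image(ev.image) and is_windows_system_exe(ev.target):
                dropped.setdefault(ev.target.lower(), ev.image)
        elif ev.kind == "process_create":
            dropper = dropped.get(ev.target.lower())
            if dropper is not None:
                hits.append((dropper, ev.target))
    return hits


SAMPLE_PATH = (
    r"C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4"
    r"_cobalt-strike_cobaltstrike_poet-rat.exe"
)

# Constructed event stream. The SAMPLE_PATH rows mirror the report's chain (the sample
# drops syTMsNp.exe and HPaTVxt.exe, then runs them); the setup.exe rows are a made-up
# benign installer that must not be flagged; qIMNegO.exe runs without an observed drop.
SAMPLE_EVENTS = [
    Event("file_create", SAMPLE_PATH, r"C:\Windows\System\syTMsNp.exe"),
    Event("file_create", SAMPLE_PATH, r"C:\Windows\System\HPaTVxt.exe"),
    Event("process_create", SAMPLE_PATH, r"C:\Windows\System\HPaTVxt.exe"),
    Event("file_create", r"C:\Users\Admin\AppData\Local\Temp\setup.exe", r"C:\Program Files\Vendor\app.exe"),
    Event("process_create", r"C:\Users\Admin\AppData\Local\Temp\setup.exe", r"C:\Program Files\Vendor\app.exe"),
    Event("process_create", SAMPLE_PATH, r"C:\Windows\System\qIMNegO.exe"),
    Event("process_create", SAMPLE_PATH, r"C:\Windows\System\syTMsNp.exe"),
]

if __name__ == "__main__":
    for dropper, dropped_exe in detect_drop_and_execute(SAMPLE_EVENTS):
        print(f"drop-and-execute: {dropper} -> {dropped_exe}")
```

Run as a script it prints the two paired chains (HPaTVxt.exe and syTMsNp.exe) and stays silent on the benign installer and on the execution that had no matching drop. In a real pipeline the same join would be keyed on host plus normalised file path across Sysmon Event ID 11 and Event ID 1; the path test is deliberately narrow so that System32 activity does not fire.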

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp (6 connections recorded, no domain name resolved)

Files

Dropped executables (21; paths and hashes as recorded by the sandbox, which lists some paths without the drive letter; order as recorded)

\Windows\system\HPaTVxt.exe

MD5 7ad9efe6d61ecaf7f57f913261b8c527
SHA1 cb9de80e04bb923c32e82fc364667feea77841f2
SHA256 a9c811cad96201ba6e8e4ae9220814eefa5453c9780384402ac23e8b35a55ef5
SHA512 2585d4d1242f4e784c995b4a798c8e5ce7f969c5c93110768bbf6dfdb33aa2ce027136bdf04928629ec20d4ae8d172709a5ef38b30ff88e0bf59c257cdececc8

\Windows\system\aYHsSjz.exe

MD5 b0005c7a3420a205011b28207d0fd3a9
SHA1 fa00b36fc7e02e380fd5716f65354a1dfce144fb
SHA256 357e52576a78e49ac6404aa6e8e9b40e88f94876fdc50b39eb17ff4e3b4eb809
SHA512 740def5f8d440db1ce8c628636ac033bad1177439e1e9e3a107ba9dd95bf588616a9aba06d797855ab152c1dadb4a355a50b0b33770fcef8dfc7209e67bf03ad

C:\Windows\system\TryOgjj.exe

MD5 30b44b15cfa63ff389066939d49780af
SHA1 794dbf0b998f85a2cf5a13a3c8f57f4c061c1d3b
SHA256 42b726321d7f26b070bbb15fc48432c17446990d0a073544574dabeda054a0e3
SHA512 193afcc5e37e9a2eefa5b7309863ebcc759d72a1413469dc70d4b6273df36e2eb6f0bc66b540287dc2b906386fdeaa8c07f2813cf384bf7fee8b34975eadde64

C:\Windows\system\iGQpNES.exe

MD5 5f9fb92da9311690b964861bff90e23b
SHA1 981577a2ddda46bc3efda5d2c0b509bd860375d5
SHA256 c292518ab0a4402c55fdce912aaf681a38c1cb76b0d952ed0f128d7bd4633cfe
SHA512 d09d4b71b0adc365712bba42863d3ae25e14f39fb87a37b4b5712054c99614ecc15af86a7677dc959706d48499711aa726f3fe494fe8b4433e8b20344b0061c4

\Windows\system\NlRjVzG.exe

MD5 80e1ef40eaffd886ad40f2e7640eb791
SHA1 29c2c5981ec31adff0b574c2142eecee6408ec81
SHA256 4db6c8397bac00f786c6cc9fd216e00f92b36f972bdce58cd094b3f39d3e778d
SHA512 1aa53d213787375df6762d4f05f934bcc9e39291ea9ee24e9da989f4c4b6339d745b261e813f2203ac30387a3a567c2793202bc44b57b80660fc455300278c2a

C:\Windows\system\XuafsUj.exe

MD5 bf28b3b4d86abdf71b29dffeb32631d5
SHA1 56cf1f69ef1e0a88674adef17bce1eff592edc30
SHA256 25072bac8cf63ac77ad1d909867ef4f157fdf05ab2dc2d2eea28e536658aac9e
SHA512 cd5f9de47fc5359e34cc9f687efbf3ab355d23098cea41651dbe12174d510a6c14b90fb3df3b0fd9597af889e1a24925bd314b8d4fc8a087165c83aa6aa82220

C:\Windows\system\wYAWVuS.exe

MD5 7adcd5f9ac866a14735f14c96fd016dc
SHA1 e544b82ca618d2b728f1e9d5b9de29895f427005
SHA256 0607f35a4df0ffc9130306fa6b3bfc1a7b43cbe482c9b0a0fc37e8b0395627d2
SHA512 d5f3827e092f4aa38166fee646f9f71a6f4dc47d095ba48289b40d952970dc58196927521beb23ade1260741424a1f2d6147627ae89946d7a146ca154a54a2ab

C:\Windows\system\Stwgers.exe

MD5 4c68f630875f4fa65d6787be8049decd
SHA1 9eac5a262dcd75287383c30c30c8efc3897a679f
SHA256 2226ae65eb4ab407e9e3a251550bf2facdea05fe43d6233ce1dca41651192105
SHA512 3a416b84ad821dae01cc5c0831f87e059945e1f22fcfe41161c23cca0919ca344998558ce028177827b0bf744465bf0f0d26871fe1d74e89cc848a568ff56fd0

\Windows\system\xTYYBdX.exe

MD5 b08e519306ed4058348e60ee95a3c6af
SHA1 71a62ce1a3111459116eddd08ed226fbaf0f3219
SHA256 c8120935d10d32ad3997fb37792dd44ad815616e820fcabbfbdd60875f8f41c2
SHA512 c699dd78fcf3a60610b804b60a22f521634a72a762ccf7040d5039362771710863add6599acf3ab2469efc3f251180dacf3ac49fa622e21e0a474e6c45bfd7c8

\Windows\system\NhOxeLZ.exe

MD5 6c6804edb49f57b366869f1a1eef9eb1
SHA1 cf41210d3fcde203b553f002437a85bbc3e62086
SHA256 6e7f42203bd5333b907aa5af51c0eb65cca74938b43daf49109fcbf4cd872709
SHA512 1d741cc1b09eeafcf76efea95c8a4443a7d19c9d3eeaa0c71497bfc623ad3c1786025243ec2df79ed7bc15401d7601f47725aed6ad2b3312d5887132229cf8e0

C:\Windows\system\FvsLNLI.exe

MD5 795b27a21eca23f23bf90b4d30dcd01c
SHA1 b9d12bec9b6d8d22d6a582edfa926d3253483278
SHA256 bd3c8d371b5c855a8a166460c0c89ed56a0bebf8b5a2a0592ca23fc6f0f6f6bb
SHA512 df25b2e547cc0d76c58cc0c3e89e9d231ed1d156be9a193dfebf2adc295f7e8db1bdc52cda3e1b58609aba410dd4c321a28e1ca377a0ae6e45aacf405cf27be3

C:\Windows\system\WVrVeQj.exe

MD5 34893bf828231024662c7212dbac4fb4
SHA1 f799f00c3f51e9a84fe9bbe37f5c0975d6a5d1a9
SHA256 ed2203c39dfe56ba1c90d7877ec3f3a06586bab934e5669cc3905f182dc56c09
SHA512 fec63c22744923b706f71686b21fd39be5e7f52740099fa04042bddd06e1a0c87d7874bcf3cf86952c2b4bf1c5acef730a2ce2a8275085c31691991889a2e14d

\Windows\system\FbXUiYO.exe

MD5 66781931fe6f60fb92bf438a41068e33
SHA1 409133f415fe415a6c0c1f90fd657dc46ce59474
SHA256 8625eb0ffc6fe09b3b0546ddf3ceb5ea50ebd2bb4fa18c6e0e7df46f1b502c28
SHA512 1defae8b56b56f0610e8335aa6eadcf4c132052194ce3131b7006a2b1da5b381779c9278f24ca4c624e3beadd1e862f84db80ea932d5ff27bac2f54292173d7f

\Windows\system\BItoASl.exe

MD5 9a9333e4652f9ac99dda4ddd91eafc49
SHA1 673a6e56ac379cea44d09b536b47ae655503cdb4
SHA256 5398791e44f71c7d0abdc75ad77becd0e081187ad14f73c905e3cff1d353f795
SHA512 19c9939d82894d7438f1dab4d46447ad8561422ecd4b821f83e752e056ff52f3aa447a1fb794ab05c4144dda7790c5cd4eedb2992ca66af71ecd409f8756b9d3

\Windows\system\syTMsNp.exe

MD5 c7cbeba32abf3c07f103dee69daabbfd
SHA1 0b59537d42969c01ab70b50785fb837cf5c305b8
SHA256 98261b73ae051da6d36b3351c7c74579d859fc63964c9401e4cc25aeef858105
SHA512 1e2106ca6308c1545dfea47ebd607b6c84b01282f1f37fcafa62e801319895558ebb56b804b84795ccea2183d0fd0119178c4379fa57131df5425d476c2eaaec

C:\Windows\system\ylBDJhE.exe

MD5 032bd963f4a26e961fde062e4f90c293
SHA1 5e35e8eab62a868bbaa8dfdaa89417184577a556
SHA256 a309ec1446502446260a772bdb2cf900afcb923a9ce811f7aeb9396ae805f72d
SHA512 04c1bd34736761fb2c3249719d9dea552fab63c2936667777ee0441a853170c6d01e5d4df27ed53ec46dfc6e73620510136762fdeae9f41acd973c8913ed9abb

\Windows\system\JraneBd.exe

MD5 bfa7ea4c088d2376a16e9c4a3ac9184b
SHA1 16c2f500fd754bf6fc898b58a1704b9d10e50d91
SHA256 094cd99e53ca065abc6ff5a5f26b6db5dbfff6da751e48a96a258657bfe085c9
SHA512 d482ec6b1502a8077c35e55cb424985d1bae5222e7423864391386f7ffce2be1c5ae4d53332ba03414b6b1cb8d5819305f13cbcac9c0d5659ed8e1de2ec5fbfb

C:\Windows\system\OUyqeli.exe

MD5 93ec3bd3ead9b6526e4222456e02db9a
SHA1 b0692440c35abe31c55bf872125fc52a06712f8b
SHA256 ec4bc47f4cfdf27160235f78ccafd419a33eb73a475b0bff5aa260b9fceb614f
SHA512 7e5e834c268785631ffde472c637139283ed0326a2f3eb1f537adcd1c464e02bae31531c19eef89aa7eaa3d373d59ca0d4960d5bdd5b6dc783ce2474c922af3e

\Windows\system\qIMNegO.exe

MD5 b45533529c5aefba010b35c593c1ef92
SHA1 62814e8f62864bb01c1117b4ace96cc4840c6573
SHA256 2a0e798717ecf6a4d47dcccbc6f32f0ef31bd7404186822cf3dc65788bc1d508
SHA512 9b1318ccf9b210e22a4a0385754d5f8f827b400fe35e9fc417aacc6c60897eb9afab0c2886e5bb3a1c2f7ad1f8bc025f3614368f97876008463c56e4edc312da

C:\Windows\system\FlMLVMm.exe

MD5 831721347d12cb2fd98a6e31e2c90745
SHA1 e69df395a5909fc463a73bc8d7c3e0a3cddf1fad
SHA256 0f6184c62cef021c9cdb9e5edc960f5f12a8c4f5d28826f6747ec41463031fe0
SHA512 8a967fb6af07b23fcc30a06abca2478dc4ba35b25bf2ba6769e69fe9a90b2b52a644d03049a59dbaa9c8d785714fab98f827a6cad7c2f3b17dffa0b1b3aa44f5

C:\Windows\system\ICICrVF.exe

MD5 e7e443f6af5ab8b14387bfc6e7137c6d
SHA1 1dff29a6f30640a228f837acf312c37e2a5a1cbe
SHA256 8a8557bf9929252f16eb7ee18318cec3761c273b4b56c5287ca2195c38bf5b05
SHA512 3153d350ecb7d4040c2d36612e98d34341c0e00320486f3cd730ed02537fd1f5e783a192018367ac175760a1c983856e74624564eb01c938f0f6be05ec010e2a

Memory dumps (49 regions; name format memory/<pid>-<seq>-<start>-<end>-memory.dmp; grouped here by PID and ordered by sequence number, with each child's image taken from the WriteProcessMemory rows above)

Every region based at 0x000000013F100000 or above is 0x351000 bytes long, the same length as the sample's own image at 0x000000013FC60000-0x000000013FFB1000, so each of the 21 children maps an image of the same size as the sample even though the dropped files all have different hashes. PID 2124 also holds a 0x10000-byte region at 0x00000000000F0000 and a 0x351000-byte region at 0x0000000002380000 (dumped four times), and for eleven of the children it has a dump covering exactly that child's image range, in several cases recorded immediately before the child's own dump (2124-47 / 1236-48, 2124-49 / 2316-50, 2124-51 / 1652-52, 2124-53 / 2136-54, 2124-55 / 2608-56). This matches the WriteProcessMemory activity listed under Signatures.

PID 2124 (sample)
memory/2124-0-0x000000013FC60000-0x000000013FFB1000-memory.dmp
memory/2124-1-0x00000000000F0000-0x0000000000100000-memory.dmp
memory/2124-43-0x0000000002380000-0x00000000026D1000-memory.dmp
memory/2124-45-0x0000000002380000-0x00000000026D1000-memory.dmp
memory/2124-47-0x000000013FFD0000-0x0000000140321000-memory.dmp
memory/2124-49-0x000000013F890000-0x000000013FBE1000-memory.dmp
memory/2124-51-0x000000013FFF0000-0x0000000140341000-memory.dmp
memory/2124-53-0x000000013F110000-0x000000013F461000-memory.dmp
memory/2124-55-0x000000013F740000-0x000000013FA91000-memory.dmp
memory/2124-69-0x000000013F1C0000-0x000000013F511000-memory.dmp
memory/2124-78-0x000000013F3E0000-0x000000013F731000-memory.dmp
memory/2124-79-0x000000013F8D0000-0x000000013FC21000-memory.dmp
memory/2124-82-0x000000013F4A0000-0x000000013F7F1000-memory.dmp
memory/2124-104-0x000000013F100000-0x000000013F451000-memory.dmp
memory/2124-108-0x000000013FC60000-0x000000013FFB1000-memory.dmp
memory/2124-116-0x0000000002380000-0x00000000026D1000-memory.dmp
memory/2124-122-0x000000013F1B0000-0x000000013F501000-memory.dmp
memory/2124-135-0x0000000002380000-0x00000000026D1000-memory.dmp
memory/2124-141-0x000000013FC60000-0x000000013FFB1000-memory.dmp
memory/2124-163-0x000000013F1B0000-0x000000013F501000-memory.dmp
memory/2124-164-0x000000013FC60000-0x000000013FFB1000-memory.dmp

PID 1104 (TryOgjj.exe)
memory/1104-46-0x000000013FDD0000-0x0000000140121000-memory.dmp

PID 1236 (Stwgers.exe)
memory/1236-48-0x000000013FFD0000-0x0000000140321000-memory.dmp

PID 1652 (wYAWVuS.exe)
memory/1652-52-0x000000013FFF0000-0x0000000140341000-memory.dmp

PID 1864 (BItoASl.exe)
memory/1864-159-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

PID 2056 (WVrVeQj.exe)
memory/2056-158-0x000000013FFC0000-0x0000000140311000-memory.dmp

PID 2136 (XuafsUj.exe)
memory/2136-54-0x000000013F110000-0x000000013F461000-memory.dmp

PID 2316 (iGQpNES.exe)
memory/2316-50-0x000000013F890000-0x000000013FBE1000-memory.dmp
memory/2316-232-0x000000013F890000-0x000000013FBE1000-memory.dmp

PID 2372 (HPaTVxt.exe)
memory/2372-57-0x000000013F840000-0x000000013FB91000-memory.dmp
memory/2372-237-0x000000013F840000-0x000000013FB91000-memory.dmp

PID 2536 (NhOxeLZ.exe)
memory/2536-155-0x000000013F100000-0x000000013F451000-memory.dmp

PID 2576 (FvsLNLI.exe)
memory/2576-160-0x000000013F510000-0x000000013F861000-memory.dmp

PID 2588 (OUyqeli.exe)
memory/2588-156-0x000000013FAE0000-0x000000013FE31000-memory.dmp

PID 2608 (NlRjVzG.exe)
memory/2608-56-0x000000013F740000-0x000000013FA91000-memory.dmp

PID 2648 (qIMNegO.exe)
memory/2648-74-0x000000013F1C0000-0x000000013F511000-memory.dmp
memory/2648-137-0x000000013F1C0000-0x000000013F511000-memory.dmp

PID 2708 (FbXUiYO.exe)
memory/2708-161-0x000000013FA10000-0x000000013FD61000-memory.dmp

PID 2716 (xTYYBdX.exe)
memory/2716-162-0x000000013FD40000-0x0000000140091000-memory.dmp

PID 2828 (ICICrVF.exe)
memory/2828-62-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/2828-136-0x000000013FD40000-0x0000000140091000-memory.dmp

PID 2884 (FlMLVMm.exe)
memory/2884-84-0x000000013F4A0000-0x000000013F7F1000-memory.dmp
memory/2884-139-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

PID 2952 (ylBDJhE.exe)
memory/2952-81-0x000000013F3E0000-0x000000013F731000-memory.dmp
memory/2952-138-0x000000013F3E0000-0x000000013F731000-memory.dmp

PID 3012 (syTMsNp.exe)
memory/3012-157-0x000000013F1B0000-0x000000013F501000-memory.dmp

PID 3044 (aYHsSjz.exe)
memory/3044-44-0x000000013FE20000-0x0000000140171000-memory.dmp

PID 3068 (JraneBd.exe)
memory/3068-96-0x000000013F8D0000-0x000000013FC21000-memory.dmp
memory/3068-140-0x000000013F8D0000-0x000000013FC21000-memory.dmp

memory/1236-240-0x000000013FFD0000-0x0000000140321000-memory.dmp

memory/3044-245-0x000000013FE20000-0x0000000140171000-memory.dmp

memory/2608-243-0x000000013F740000-0x000000013FA91000-memory.dmp

memory/1652-242-0x000000013FFF0000-0x0000000140341000-memory.dmp

memory/2136-235-0x000000013F110000-0x000000013F461000-memory.dmp

memory/1104-233-0x000000013FDD0000-0x0000000140121000-memory.dmp

memory/2952-247-0x000000013F3E0000-0x000000013F731000-memory.dmp

memory/2884-249-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

memory/2828-251-0x000000013FD40000-0x0000000140091000-memory.dmp

memory/2648-255-0x000000013F1C0000-0x000000013F511000-memory.dmp

memory/3068-254-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 11:31

Reported

2024-08-15 11:34

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\yhFkjlV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KnIRYnG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KAuynYm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uHAsVSo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CjZtxuu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sBiyzSd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zFYoJrr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qdsYLeZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\INgnIow.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yifKjbf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KjeVnkq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UxicEcz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JRWeJcM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gsCfSJb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NAiniAS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BeIQzws.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ULEyfUT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hfXHkKs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LtcWpag.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\quTckqn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ndFMAlO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3920 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KAuynYm.exe
PID 3920 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KAuynYm.exe
PID 3920 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uHAsVSo.exe
PID 3920 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uHAsVSo.exe
PID 3920 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CjZtxuu.exe
PID 3920 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CjZtxuu.exe
PID 3920 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sBiyzSd.exe
PID 3920 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sBiyzSd.exe
PID 3920 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yhFkjlV.exe
PID 3920 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yhFkjlV.exe
PID 3920 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yifKjbf.exe
PID 3920 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yifKjbf.exe
PID 3920 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hfXHkKs.exe
PID 3920 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hfXHkKs.exe
PID 3920 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gsCfSJb.exe
PID 3920 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gsCfSJb.exe
PID 3920 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KnIRYnG.exe
PID 3920 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KnIRYnG.exe
PID 3920 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KjeVnkq.exe
PID 3920 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KjeVnkq.exe
PID 3920 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UxicEcz.exe
PID 3920 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UxicEcz.exe
PID 3920 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JRWeJcM.exe
PID 3920 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JRWeJcM.exe
PID 3920 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LtcWpag.exe
PID 3920 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LtcWpag.exe
PID 3920 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\quTckqn.exe
PID 3920 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\quTckqn.exe
PID 3920 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NAiniAS.exe
PID 3920 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NAiniAS.exe
PID 3920 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BeIQzws.exe
PID 3920 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BeIQzws.exe
PID 3920 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ndFMAlO.exe
PID 3920 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ndFMAlO.exe
PID 3920 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zFYoJrr.exe
PID 3920 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zFYoJrr.exe
PID 3920 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qdsYLeZ.exe
PID 3920 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qdsYLeZ.exe
PID 3920 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ULEyfUT.exe
PID 3920 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ULEyfUT.exe
PID 3920 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\INgnIow.exe
PID 3920 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\INgnIow.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\KAuynYm.exe

C:\Windows\System\KAuynYm.exe

C:\Windows\System\uHAsVSo.exe

C:\Windows\System\uHAsVSo.exe

C:\Windows\System\CjZtxuu.exe

C:\Windows\System\CjZtxuu.exe

C:\Windows\System\sBiyzSd.exe

C:\Windows\System\sBiyzSd.exe

C:\Windows\System\yhFkjlV.exe

C:\Windows\System\yhFkjlV.exe

C:\Windows\System\yifKjbf.exe

C:\Windows\System\yifKjbf.exe

C:\Windows\System\hfXHkKs.exe

C:\Windows\System\hfXHkKs.exe

C:\Windows\System\gsCfSJb.exe

C:\Windows\System\gsCfSJb.exe

C:\Windows\System\KnIRYnG.exe

C:\Windows\System\KnIRYnG.exe

C:\Windows\System\KjeVnkq.exe

C:\Windows\System\KjeVnkq.exe

C:\Windows\System\UxicEcz.exe

C:\Windows\System\UxicEcz.exe

C:\Windows\System\JRWeJcM.exe

C:\Windows\System\JRWeJcM.exe

C:\Windows\System\LtcWpag.exe

C:\Windows\System\LtcWpag.exe

C:\Windows\System\quTckqn.exe

C:\Windows\System\quTckqn.exe

C:\Windows\System\NAiniAS.exe

C:\Windows\System\NAiniAS.exe

C:\Windows\System\BeIQzws.exe

C:\Windows\System\BeIQzws.exe

C:\Windows\System\ndFMAlO.exe

C:\Windows\System\ndFMAlO.exe

C:\Windows\System\zFYoJrr.exe

C:\Windows\System\zFYoJrr.exe

C:\Windows\System\qdsYLeZ.exe

C:\Windows\System\qdsYLeZ.exe

C:\Windows\System\ULEyfUT.exe

C:\Windows\System\ULEyfUT.exe

C:\Windows\System\INgnIow.exe

C:\Windows\System\INgnIow.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/3920-0-0x00007FF603E80000-0x00007FF6041D1000-memory.dmp

memory/3920-1-0x00000209586C0000-0x00000209586D0000-memory.dmp

C:\Windows\System\KAuynYm.exe

MD5 40d7e3f646140fe01261ee768effd858
SHA1 f38b5233fcd49ebdcbb4eb1b6a6a49a0c85beae7
SHA256 82fac0c5afc69223384fed7699c8f908d363fbe16a2b5119ca5d7345d93d6ab2
SHA512 51151049506bedae7a5609803793a2144919be8f17207960f208a41f294a35358f9f7d133ccfc65f50829d16ce0d30ae8faf5bfcd8484776f4a76a85526f5e34

memory/2280-7-0x00007FF66AFD0000-0x00007FF66B321000-memory.dmp

C:\Windows\System\uHAsVSo.exe

MD5 2ad2d25d23ac78b50ac6106a26dd2d7a
SHA1 040351943ecfd0c1bea086b3ae885d7031d3f4a2
SHA256 c1d58be9c4b0e2bc73c9fe5a8d1cf23fb8a92d1621fd4fb877ea08f9c2001707
SHA512 4e793167e1309aa0e1ae3a80ddd592e7f74b7372aad00136ebc83017dd650cda9410501a61628dd31cf753513686336cd4df31fe2bccc17ea2151aefa687d429

C:\Windows\System\yhFkjlV.exe

MD5 f66e7a268f630eb4cf136e06ade0ddac
SHA1 2679483459daecebb0760f941ac90f9b47a0b0c7
SHA256 973266bfd758dfcd36947ab7f2e41bbd7e6f51c9f3b618d43b6c49b0ce355017
SHA512 c68cad259342df486fcc07a97b892f82244db00b21457d075ed295e1ed8dd539ff65db2873c509e258950b762bf19af8f7b0af52a2a06bf44f7bf8e439ccfa45

C:\Windows\System\yifKjbf.exe

MD5 fb882e9c0844356a0f55de96078f9913
SHA1 4d0cf7f33234817cf74c25c32cd4095ebe7f59ee
SHA256 0390f96ec9b1ac20a3547d02fa0c0c0353a761dee3c5c32c15b68f0273514ad9
SHA512 adf6d29d636f8c7997ac4acf420bf10a0954aff9fdf50d47ad88ceba1d36f4481b7234422dfe61c8b9fbd9c00e58d0bc5f9f3aa9563ecdce8d54718b9bf85b58

C:\Windows\System\KjeVnkq.exe

MD5 3629d8c7a2887794edff449048e43417
SHA1 65e0e7919f7fad85ac13d2a28e89861ef25e56da
SHA256 1f029897b35a3da868c05b99cf4000062894483d019b5e37a7b4e46ac913d5e6
SHA512 177a39d5a4db0699286d4d5ae5208ab44db9adec735e5b97cb6efcc24fbd354db5614711e23dcb10b41291052b8e7452cfdf8a4b9ae59411a2e32560068c2830

memory/4092-73-0x00007FF64D510000-0x00007FF64D861000-memory.dmp

C:\Windows\System\quTckqn.exe

MD5 c5a007fd35fc7ec5d56aaa61dbbec59d
SHA1 543611004b4cc8eb71231d88c1dc6eba427e9b90
SHA256 54d0a650e630e7ce7abd375df9fc097b9ffb1a34186e6bf9f81d4537e69fdd5c
SHA512 662e45b0cfc308267137d22ad1c3c64d81484e0671de3b9d7b990fa68f48e4f75e8eede58bfe72d3b9acb2cc45489e175b1496d730e0fb29ad3684487ffc9af6

C:\Windows\System\BeIQzws.exe

MD5 2bf8317abc2f6f15c1de78021c9ddba0
SHA1 0b86b4fef721fe3655535f59fc5e5d8ab2882316
SHA256 9fe605be21587f7a152de202fb28763244aca1a51a314fee6e823f3a655a0df0
SHA512 bd5b7e11f0be78d8d680ab7dfc5a05de113375cc42ae76bff36118821a1c656b61ad68d19870a64cad7c1cb4d02302a3506c378a2e2a98e18316a14affde8e76

memory/4164-95-0x00007FF7EB560000-0x00007FF7EB8B1000-memory.dmp

C:\Windows\System\ndFMAlO.exe

MD5 95e2dc953453a8ce578dbc81d4beeb5e
SHA1 a578a326ee8c3c93d4cc727d8600f0ec26d6ec0d
SHA256 df59d9591a1a6c7208a6d67c76c78fa2b2f6a142d80aee99b58fbe06dfe490db
SHA512 dbae7894133d280412eb338e038956f88ce80e29d0f6e5dbdc69bb2d4fb9be59c38e9695f8e00713e77484ac0048723c6b547ae4a90c672fbfca89938e7ac0d5

memory/2684-111-0x00007FF71AC50000-0x00007FF71AFA1000-memory.dmp

memory/2828-115-0x00007FF6EB850000-0x00007FF6EBBA1000-memory.dmp

memory/2024-116-0x00007FF66F7E0000-0x00007FF66FB31000-memory.dmp

memory/1808-114-0x00007FF64E3C0000-0x00007FF64E711000-memory.dmp

memory/904-113-0x00007FF644E20000-0x00007FF645171000-memory.dmp

memory/232-112-0x00007FF679590000-0x00007FF6798E1000-memory.dmp

memory/1944-110-0x00007FF771010000-0x00007FF771361000-memory.dmp

C:\Windows\System\qdsYLeZ.exe

MD5 2b789311f549076804cc7dd5537df3dc
SHA1 be0276206b27edd515b02c1d64cfb40ab9d6cdf7
SHA256 b25015b873cd6b6b91c0c5fff7d31c3d691843b53bd416024863755df3939a77
SHA512 5b91aa628e0a53beba118dfd5cc4069f65b0244002c48ddfdda0144825a87ca15eb6f2e2c1b36d440fc2d2d2d6576d22f06531baec097dd80e5454eff1860185

C:\Windows\System\zFYoJrr.exe

MD5 6427295dce47b1af149c516d2b5f50ef
SHA1 ea583e9599687cbe6309c0d3e33fe964ccaf5bc6
SHA256 9fbb8ab5e23e7ba0471ba2147f4598562cca7055c1c7d3a4a3f57ce066376893
SHA512 8a63f0c9c2238b1f9a241ca015e4e2ae1d8ba986ad86aa0db7e0aa25de841df2cba912b278702385ccb35cc3119957492cfc8eb23d7d8e203abcdbca35fd012c

memory/4964-105-0x00007FF776FA0000-0x00007FF7772F1000-memory.dmp

memory/3024-102-0x00007FF6E7DC0000-0x00007FF6E8111000-memory.dmp

C:\Windows\System\NAiniAS.exe

MD5 e128478ecf832152df62a7c86c7515cf
SHA1 175c8d7e7c927397ab9514fa76a55f31cb2d6fc8
SHA256 db826293033db6b8ea09ec6f5ed88163b6a8f6fb0d1977a68f32d006fd32d303
SHA512 ba7cac607eb76c6915e12bf6c32fcc07c48edc87b036a183f793f49fda1314b7b77b88124eb90ad1eecf575441aa2dd2d838f0fda80c4a225395a1952f8bbcc9

memory/2452-83-0x00007FF7D4F80000-0x00007FF7D52D1000-memory.dmp

C:\Windows\System\LtcWpag.exe

MD5 2180fa4fc8a4aa12796834db70905d0c
SHA1 c4f3d3e9a7af1384ab95c43833796be96e2f7a8b
SHA256 6ec15a6c44afc2cbfe041c1d311d39ef7e7891613a39adb38071d3e2bacdb6b5
SHA512 6a6db1e575202d868c0837fa555f057263c34c2aed2258892991f1524831726bd12dd6302b509ba7c8bbf584d327d1c5df4a3f9efc45e1faa25d485bdcf65453

C:\Windows\System\JRWeJcM.exe

MD5 8ef18321d29b04e494de0a2fa142bc61
SHA1 7e14863d73c457d28a36e29ff669a8e433125b72
SHA256 459fb2193b9f84c41302806c469cf23ddbdfa898bad65c2275f6c7612414d30b
SHA512 db53b13ee9c892694ffc93454dd1dd4efa03f88ffe7cf0544b04c92bea18d9e15ec6f5c2cc77c483680989edddb440e36334e412fb5c8fc1784fd490832abee3

memory/2428-74-0x00007FF7513D0000-0x00007FF751721000-memory.dmp

memory/1540-71-0x00007FF76D450000-0x00007FF76D7A1000-memory.dmp

C:\Windows\System\gsCfSJb.exe

MD5 6bd622c869b4e68e1040480ada4ce7cf
SHA1 854bd88eff9bf2b33c355ff4b219c8159f5d9661
SHA256 87f6b4cf421974f40363bccf3db8138655f4fa5e43aac50fe9dd36b31aba1bd3
SHA512 c6b56a62199529779c93fb8c61b6f240419317b42001ec8ad64e24f350c0275cc2857ae045e4f3d63e78adde3d0f7123cb5e7a060939523e4df3f4cd2591cfc8

C:\Windows\System\UxicEcz.exe

MD5 61ebbd4ca547d615682bd6980cae1f61
SHA1 9afdd28c48bfb915fd52b0e99c1063ab15cca7dc
SHA256 a06d97c8c9288dd66728d13cda0f1af7d354cd58fa55cf019ed97c920353c911
SHA512 324ffe5fb737bb88a6872fca5d75e257af895f5da6c4bc7de66180d5ae6fdffc1ac1898bac8c91179d19f2e690f2048c533cd246aca55ed387829e7654cbd862

C:\Windows\System\KnIRYnG.exe

MD5 afc94d1d58b51486fa6cb09f18c9df97
SHA1 f695f1f2778790e57f9faab5a565aa5b1eecc560
SHA256 07f97e3595092f9e37e0bff9ac922fa6b76bdcef867252e585e33f55e479c6fa
SHA512 950a5b1ae4436f2e1063555df243c17b3a2f2829590c1be812d1e7d45a3e3caca55fe68a6613429dafc6a7d03302449a7e237fac37f7cb3d09dad1525b86d807

memory/2904-49-0x00007FF71AE50000-0x00007FF71B1A1000-memory.dmp

memory/1444-48-0x00007FF722F70000-0x00007FF7232C1000-memory.dmp

C:\Windows\System\hfXHkKs.exe

MD5 4f3a875943e8669f346b4ee73079a926
SHA1 115c235b833a3f1a7a2f5da7e250ba9204855435
SHA256 2f33a5e09dcef367985d261986150607778d9282d4923d80f70d2b6c94fd3528
SHA512 58cae4168b1bedd745ba0fec428f682df5ab19661a20f2108031cc475dcdfd4dab77c3b96ecc26a9fdd40488beaa70ad55bd82b7f7b215878a182d77baee027d

memory/2548-38-0x00007FF7389A0000-0x00007FF738CF1000-memory.dmp

C:\Windows\System\sBiyzSd.exe

MD5 1c2df070020fe9686d855a33ab48172d
SHA1 9552543dce8f0b05f5a0cc9a78cfc65f69f7e036
SHA256 b7f615cea8568862042d8c71fbfe469563e709143a37b3dc828f1c77d56ab765
SHA512 5d02cdf21623c6c4f4f1c595709faa29ca2525dc2468f4351c3bf4f3b4b4b5561c190a70019bfcab2053119a90397b58667c2ce4238e9ddb650d7be516b9766d

C:\Windows\System\CjZtxuu.exe

MD5 86bc8592c2c2ff64672f10b594d9f885
SHA1 9a727a3952f9947aae93116a6699519825dde5f1
SHA256 f5a32fa8d2a3f7a1c11608b9c4a56c34e321aa764d5a55633b908ca79162be21
SHA512 c22103d4f7d8ff31b23c4c740428471fa91bc3abaad3d4793ef0922f415c2f29464987500f75436b116790c19a791cb1da97e826dc1fe4282cfc5d7fe8b18ad1

memory/3048-16-0x00007FF7A08B0000-0x00007FF7A0C01000-memory.dmp

memory/2548-123-0x00007FF7389A0000-0x00007FF738CF1000-memory.dmp

C:\Windows\System\ULEyfUT.exe

MD5 2a06e3d9da8268e4a0a69b8e4d6a4b08
SHA1 253243e060d3d41b71a5d0424f0dbdfb94c30e56
SHA256 d961bd91fc50183c5c426e17ee36536d5e28f1047f4380d3245bc6903e70e7b9
SHA512 80637b36472c688ce4f6a975bb57e00449c5da460df4230bf1d7bb4e8d84acc70cf78028a96715798e24f5dea80a6cbdc66e16d5c8a7cf32371d53c77df32dbf

memory/3972-134-0x00007FF731260000-0x00007FF7315B1000-memory.dmp

C:\Windows\System\INgnIow.exe

MD5 699749cf57ea252f3e0e3246208da1a7
SHA1 30c43b44cbdcfbd60a9d4b9e1fda06a22e08343f
SHA256 5ef48c5ec581dd3a74fca9f2adea3100d4af4b88e62ab305f6f639811169fbfd
SHA512 832f86adb414cfc85b7b803d4231cc28c447907bb86b174007943fdf9788a307e1c499435256f5e76f6291adadf27b52a1631fb19992a1b668ad4c11fc4c3f7c

memory/3048-120-0x00007FF7A08B0000-0x00007FF7A0C01000-memory.dmp

memory/2280-119-0x00007FF66AFD0000-0x00007FF66B321000-memory.dmp

memory/3920-117-0x00007FF603E80000-0x00007FF6041D1000-memory.dmp

memory/2452-139-0x00007FF7D4F80000-0x00007FF7D52D1000-memory.dmp

memory/4632-138-0x00007FF6884D0000-0x00007FF688821000-memory.dmp

memory/3972-148-0x00007FF731260000-0x00007FF7315B1000-memory.dmp

memory/3920-149-0x00007FF603E80000-0x00007FF6041D1000-memory.dmp

memory/3920-150-0x00007FF603E80000-0x00007FF6041D1000-memory.dmp

memory/4632-165-0x00007FF6884D0000-0x00007FF688821000-memory.dmp

memory/2280-212-0x00007FF66AFD0000-0x00007FF66B321000-memory.dmp

memory/3048-214-0x00007FF7A08B0000-0x00007FF7A0C01000-memory.dmp

memory/4164-216-0x00007FF7EB560000-0x00007FF7EB8B1000-memory.dmp

memory/2548-218-0x00007FF7389A0000-0x00007FF738CF1000-memory.dmp

memory/1444-221-0x00007FF722F70000-0x00007FF7232C1000-memory.dmp

memory/2904-222-0x00007FF71AE50000-0x00007FF71B1A1000-memory.dmp

memory/1540-224-0x00007FF76D450000-0x00007FF76D7A1000-memory.dmp

memory/4092-232-0x00007FF64D510000-0x00007FF64D861000-memory.dmp

memory/4964-231-0x00007FF776FA0000-0x00007FF7772F1000-memory.dmp

memory/3024-227-0x00007FF6E7DC0000-0x00007FF6E8111000-memory.dmp

memory/2428-229-0x00007FF7513D0000-0x00007FF751721000-memory.dmp

memory/2828-240-0x00007FF6EB850000-0x00007FF6EBBA1000-memory.dmp

memory/904-251-0x00007FF644E20000-0x00007FF645171000-memory.dmp

memory/2024-250-0x00007FF66F7E0000-0x00007FF66FB31000-memory.dmp

memory/1808-247-0x00007FF64E3C0000-0x00007FF64E711000-memory.dmp

memory/1944-246-0x00007FF771010000-0x00007FF771361000-memory.dmp

memory/2452-243-0x00007FF7D4F80000-0x00007FF7D52D1000-memory.dmp

memory/2684-242-0x00007FF71AC50000-0x00007FF71AFA1000-memory.dmp

memory/232-253-0x00007FF679590000-0x00007FF6798E1000-memory.dmp

memory/3972-257-0x00007FF731260000-0x00007FF7315B1000-memory.dmp

memory/4632-259-0x00007FF6884D0000-0x00007FF688821000-memory.dmp