Malware Analysis Report

2025-04-03 17:59

Sample ID 241109-sr2d7sxbrr
Target 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat
SHA256 1779f5062e13aa3ea7ea63d70f7b6f72ba2f75347f1b745e24be4550d64a9ed8
Tags
upx miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

1779f5062e13aa3ea7ea63d70f7b6f72ba2f75347f1b745e24be4550d64a9ed8

Threat Level: Known bad

The file 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

xmrig

Xmrig family

Cobaltstrike

Cobalt Strike reflective loader

Cobaltstrike family

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-11-09 15:22

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(1 entry; all four fields N/A)

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
(1 entry; all four fields N/A)

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
(1 entry; all four fields N/A)

Unsigned PE

Description Indicator Process Target
(2 entries; all four fields N/A)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 15:22

Reported

2024-11-09 15:24

Platform

win7-20240708-en

Max time kernel

140s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 entries; all four fields N/A)

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(42 entries; all four fields N/A)

Loads dropped DLL

Description Indicator Process Target
(21 entries; Process is C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe in every row; Description, Indicator and Target N/A, so the loaded library names were not recorded)

UPX packed file

upx
Description Indicator Process Target
(60 entries; all four fields N/A)

Drops file in Windows directory

Description Indicator Process Target
(21 "File created" entries; Process is C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe in every row and Target is N/A. The Indicator column, in report order:)
C:\Windows\System\IDpGLKC.exe
C:\Windows\System\FJaXWnG.exe
C:\Windows\System\McumCBW.exe
C:\Windows\System\vzwBHbX.exe
C:\Windows\System\SCvVvum.exe
C:\Windows\System\NkILxiL.exe
C:\Windows\System\SwbzUPU.exe
C:\Windows\System\uoKxvSW.exe
C:\Windows\System\PLnCbpJ.exe
C:\Windows\System\wedVZRx.exe
C:\Windows\System\aMnewsV.exe
C:\Windows\System\TIoeqvN.exe
C:\Windows\System\OEUASsz.exe
C:\Windows\System\HkdCARn.exe
C:\Windows\System\bKukUms.exe
C:\Windows\System\HvEySNn.exe
C:\Windows\System\dxMJMTi.exe
C:\Windows\System\YyxcBlu.exe
C:\Windows\System\dNWTGpi.exe
C:\Windows\System\aDGJuqI.exe
C:\Windows\System\OEwvBPs.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(Every row has Process = C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe, i.e. PID 2356, and Indicator = N/A. The raw log repeats each row three times; the repeats are collapsed here as "x3".)
PID 2356 wrote to memory of 2528 (x3) C:\Windows\System\IDpGLKC.exe
PID 2356 wrote to memory of 2052 (x3) C:\Windows\System\SwbzUPU.exe
PID 2356 wrote to memory of 1956 (x3) C:\Windows\System\dNWTGpi.exe
PID 2356 wrote to memory of 1096 (x3) C:\Windows\System\bKukUms.exe
PID 2356 wrote to memory of 2028 (x3) C:\Windows\System\FJaXWnG.exe
PID 2356 wrote to memory of 2060 (x3) C:\Windows\System\uoKxvSW.exe
PID 2356 wrote to memory of 3044 (x3) C:\Windows\System\HvEySNn.exe
PID 2356 wrote to memory of 2456 (x3) C:\Windows\System\McumCBW.exe
PID 2356 wrote to memory of 2172 (x3) C:\Windows\System\PLnCbpJ.exe
PID 2356 wrote to memory of 2792 (x3) C:\Windows\System\wedVZRx.exe
PID 2356 wrote to memory of 2820 (x3) C:\Windows\System\aMnewsV.exe
PID 2356 wrote to memory of 2944 (x3) C:\Windows\System\aDGJuqI.exe
PID 2356 wrote to memory of 2780 (x3) C:\Windows\System\TIoeqvN.exe
PID 2356 wrote to memory of 2940 (x3) C:\Windows\System\dxMJMTi.exe
PID 2356 wrote to memory of 2220 (x3) C:\Windows\System\OEwvBPs.exe
PID 2356 wrote to memory of 2748 (x3) C:\Windows\System\OEUASsz.exe
PID 2356 wrote to memory of 2728 (x3) C:\Windows\System\YyxcBlu.exe
PID 2356 wrote to memory of 1404 (x3) C:\Windows\System\vzwBHbX.exe
PID 2356 wrote to memory of 2576 (x3) C:\Windows\System\NkILxiL.exe
PID 2356 wrote to memory of 2632 (x3) C:\Windows\System\HkdCARn.exe
PID 2356 wrote to memory of 2608 (x3) C:\Windows\System\SCvVvum.exe

Three writes into each freshly created child is the pattern that ordinary process creation produces (the parent writes the new process's startup parameters into it), so this signature on its own does not establish code injection. What it does establish is that PID 2356 is the direct parent of all 21 dropped executables and that none of them was started by an intermediary such as cmd.exe or a scheduled task.
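The two tables above together describe one loop: write a seven-letter .exe into C:\Windows\System, start it, repeat 21 times. The script below is an added example and not part of the sandbox report or the sample; it rebuilds the parent/child tree from rows in the WriteProcessMemory table's own layout, counts writes per child so the "three writes = plain CreateProcess" caveat can be checked mechanically, and applies a name-shape check for the drop pattern. The child PIDs and file names are transcribed from the table; the regular expression for the name shape is this editor's observation that every dropped name is exactly seven ASCII letters, not something the report states.

```python
"""Rebuild the process tree and the drop pattern from the behavioral1 tables.

Added example, not part of the sandbox report. CHILDREN is transcribed from the
'Suspicious use of WriteProcessMemory' table (child PID, dropped file name); the
report lists each pair three times, and WPM_ROWS reproduces that layout.
"""
import re
from collections import Counter, defaultdict

PARENT_PID = 2356
PARENT_EXE = (r"C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe"
              r"_cobalt-strike_cobaltstrike_poet-rat.exe")

# (child PID, dropped executable name) in report order.
CHILDREN = [
    (2528, "IDpGLKC"), (2052, "SwbzUPU"), (1956, "dNWTGpi"), (1096, "bKukUms"),
    (2028, "FJaXWnG"), (2060, "uoKxvSW"), (3044, "HvEySNn"), (2456, "McumCBW"),
    (2172, "PLnCbpJ"), (2792, "wedVZRx"), (2820, "aMnewsV"), (2944, "aDGJuqI"),
    (2780, "TIoeqvN"), (2940, "dxMJMTi"), (2220, "OEwvBPs"), (2748, "OEUASsz"),
    (2728, "YyxcBlu"), (1404, "vzwBHbX"), (2576, "NkILxiL"), (2632, "HkdCARn"),
    (2608, "SCvVvum"),
]

# Rows in the report's own column order: Description, Indicator, Process, Target.
WPM_ROWS = [
    f"PID {PARENT_PID} wrote to memory of {pid} N/A {PARENT_EXE} C:\\Windows\\System\\{name}.exe"
    for pid, name in CHILDREN
    for _ in range(3)  # the report repeats every row three times
]

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
# Editor's observation: every dropped name is seven ASCII letters under C:\Windows\System.
DROP_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")


def parse_wpm(rows):
    """Return {(writer_pid, target_pid): (writer_exe, target_exe, write_count)}."""
    edges = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue  # rows that are not write events are ignored
        src, dst, src_exe, dst_exe = int(m[1]), int(m[2]), m[3], m[4]
        prev = edges.get((src, dst))
        edges[(src, dst)] = (src_exe, dst_exe, (prev[2] if prev else 0) + 1)
    return edges


def process_tree(edges):
    """Map each writer PID to its children as (child_pid, child_exe, write_count)."""
    tree = defaultdict(list)
    for (src, dst), (_, dst_exe, n) in edges.items():
        tree[src].append((dst, dst_exe, n))
    return dict(tree)


def write_count_profile(edges):
    """Histogram of writes per child. Exactly three per child is what process
    creation itself produces (startup parameters written into the new process),
    so a uniform 3 is not evidence of injection by itself."""
    return Counter(n for (_, _, n) in edges.values())


def is_drop_pattern(path):
    """True when a path has the seven-letter random-name shape seen in this sample."""
    return DROP_RE.match(path) is not None


def suspicious_drops(edges):
    """Sorted list of write targets that match the drop pattern."""
    return sorted({dst_exe for (_, dst_exe, _) in edges.values() if is_drop_pattern(dst_exe)})


if __name__ == "__main__":
    edges = parse_wpm(WPM_ROWS)
    tree = process_tree(edges)
    print(f"PID {PARENT_PID} spawned {len(tree[PARENT_PID])} children")
    print("writes per child:", dict(write_count_profile(edges)))
    print(f"{len(suspicious_drops(edges))} targets match the drop pattern")
```

Run against the full table this yields one parent, 21 children and a write histogram of {3: 21}; any child with a count other than three, or any writer other than 2356, would be the row worth pulling a full memory dump for. The name check is deliberately narrow to this sample's behaviour and is a triage aid, not a general rule.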

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe (PID 2356)
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe"

Children of PID 2356, each started with its own path as the command line and no arguments (PIDs taken from the WriteProcessMemory entries):
  C:\Windows\System\IDpGLKC.exe (PID 2528)
  C:\Windows\System\SwbzUPU.exe (PID 2052)
  C:\Windows\System\dNWTGpi.exe (PID 1956)
  C:\Windows\System\bKukUms.exe (PID 1096)
  C:\Windows\System\FJaXWnG.exe (PID 2028)
  C:\Windows\System\uoKxvSW.exe (PID 2060)
  C:\Windows\System\HvEySNn.exe (PID 3044)
  C:\Windows\System\McumCBW.exe (PID 2456)
  C:\Windows\System\PLnCbpJ.exe (PID 2172)
  C:\Windows\System\wedVZRx.exe (PID 2792)
  C:\Windows\System\aMnewsV.exe (PID 2820)
  C:\Windows\System\aDGJuqI.exe (PID 2944)
  C:\Windows\System\TIoeqvN.exe (PID 2780)
  C:\Windows\System\dxMJMTi.exe (PID 2940)
  C:\Windows\System\OEwvBPs.exe (PID 2220)
  C:\Windows\System\OEUASsz.exe (PID 2748)
  C:\Windows\System\YyxcBlu.exe (PID 2728)
  C:\Windows\System\vzwBHbX.exe (PID 1404)
  C:\Windows\System\NkILxiL.exe (PID 2576)
  C:\Windows\System\HkdCARn.exe (PID 2632)
  C:\Windows\System\SCvVvum.exe (PID 2608)

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none recorded) tcp
(6 identical connection entries to this endpoint; no DNS lookup is recorded, so the address is contacted directly)

Files

memory/2356-0-0x000000013F1B0000-0x000000013F501000-memory.dmp

memory/2356-1-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\IDpGLKC.exe

MD5 5599940dcca3d471d5b6bf520dcf7e67
SHA1 17dd9c68ea71e4d4632fd25aa6f890d017ff4667
SHA256 899bfecf74e0ba939f81b734f547611a3bf8625f63ab2d19041f6cb4d087b342
SHA512 dad4cf70819526cd00671a771cd473e9fd428ff925ee749b03a889628f3f82f9e1fc888d38793876a1351e6ec1bf0abd2ffd46adea8d918362f450e3a717fa73

C:\Windows\system\SwbzUPU.exe

MD5 f947824e44b51cac2b1790391514db0c
SHA1 113b1a6467ea360d8623271dc55aa82813e3ea60
SHA256 b0f45c700a21bf5ff8fd3f9f628909d7120fe8436f1ed1dbb0ed329ad6ac56ea
SHA512 825bf2bea952808202282f5de5165e6b821c47d539499a167f25768e64d30684861bf906461b4390161e666ccee4c90c6b09b91f2cdf3adbbb11fb66071afafb

\Windows\system\dNWTGpi.exe

MD5 9b17f7b119c8622e44dcd15d27c175b2
SHA1 3621ff705882466768b33ddaff46b1f5594645f6
SHA256 311ea20eb01a3df22efa7d668c4e99ba7b51f84a1141c9dbed2e6029e1811b9e
SHA512 80906e232b44fe40f5e55fc772d44236326d04c03ef0a8bcb2d61b0be02c2433c01d90751c20cf2a4f5adbccef3a4a1d9ca789f2595c0435bd8ff8e5b5a30d24

\Windows\system\bKukUms.exe

MD5 432c26aeffe8af28bf7145e1e56a1f17
SHA1 181c4f31c22ae83593db8767418b7dc58c27cb30
SHA256 5b1d1f4e7405fdcde3813dfa61f890f3c73ed491a539c8b9d25db1b8ddec5c92
SHA512 63c8702fd1d23da5092b6142ffc2e5a86cef6b967cfd436c8bf0547928080470c63bc408dc800a55d095335e649d1b5aaf771dde6fe03069129673f4f9226425

C:\Windows\system\FJaXWnG.exe

MD5 81996a5ab63caf3cb9358f39fd767765
SHA1 15fefc58886182044b0fc920a55ef985f3c1e865
SHA256 e6a2306f722d9019bce12edff4322bf8d3bafe7677ccb8d2587d53654ce34598
SHA512 6e7a246cfbb893cc6f196f04b82821025a8ce958ba202bf1a3e97269ad67a851e082d86baf49048c0e163fa8caf3afb55defdd5fc7682a577d6583e40c10b574

C:\Windows\system\uoKxvSW.exe

MD5 99fe509e9b7317478d5cd5f75d4c83fb
SHA1 28352956c2f2e799c01f05344c34be19bfd90459
SHA256 cb8b051bd0dea6c6c7501738de4ea92b6a7f04285c5321ae8163f5e3a9921a2c
SHA512 c61d202c5a099eea046b478ba276ec8f2ac778f96bca7f00a653998dc11458649c54c14750f4cd92c170c39ebabcdd6b51c42eafce7aa104bdaae0a967484be4

C:\Windows\system\HvEySNn.exe

MD5 522ee1913ea2b9f0a078a7a3da3b33fd
SHA1 b96bfc146531f7a4ec8762d1470bcf41e6e7d54c
SHA256 73a4d910b5277882deaf92a87fb002dce612b2b2339d8dd2df886358df0ffdf6
SHA512 e1a96ab5fa646ee9c836cd223f93aa176edaaf96c2b828ee31af7c0b0f75f7a757bb71fedb93ee9b8c4d789fa53f27065b6df39f1a700c3b76e64f1b9de08fb1

C:\Windows\system\McumCBW.exe

MD5 b9694ecc039e0f680be84e2081606afb
SHA1 f80c9188084079e27c8eaeb2289788396290243e
SHA256 898119c7682c742d05669e332edbf1c82fb5f0ef49a14807ae298ae12c17b2ed
SHA512 72780d6c98ff14566d0652e9d89847d8356b3a5d39238e236cbf6e9382999b2bce6c0fc798a317396f51499f6d750c8dad1c3ccd3549dd9e672b9dc8e03541ac

C:\Windows\system\wedVZRx.exe

MD5 d80dd90547fc608e63da6c794b14cfe7
SHA1 306b400b5abfcc4b43fc7107e8f7c3565f0bdda7
SHA256 169e5418b2dec632f022e45a5576ab71a6870946fc6e616340ca96190feda6d3
SHA512 fcc66c32bcf80b65687f2b725809810ae2c871fabe0b18daf92dec5698d649d775ad7026428d1ea08bbf9e603633794b0e98e81b834bb45c3659e10fae159f39

C:\Windows\system\TIoeqvN.exe

MD5 f9da1af59764f9f7f39e0e787a5d7aeb
SHA1 f9092f35fb45d78eb91f0d238324aaba60d7b6b2
SHA256 333007b57bcb290e18be1294a1d3a6cf2ba62ebd6857996236456ffea818d7cc
SHA512 828d434236ee1772e4d6405851768935673227fed4eaf78787d7aeefebe932d81e36a6389dd0380fd944ad28a2c0a23b9230174c1159c5c0c2e2c080d2e33bde

C:\Windows\system\dxMJMTi.exe

MD5 8ec15098f15abb59fa3141aa2acfe0b4
SHA1 52c3877a1568936695880aa919f4e1f9def5136c
SHA256 67cb5d6937ece434e08ea2ce3e4de04cd9c1acdc2a2451a4020666adf51966b7
SHA512 02105ed8c07196bde75b64eb94972ad84305dde295ed78cb08441c67687092a0e4ad65449b5d2d0d028d206568da4fb2eaaaab221b5f7f103e13ccbbd6f73f9c

C:\Windows\system\OEUASsz.exe

MD5 c451e975b795d7088a0fac9e680602e0
SHA1 28e1a931fdbbb96e653cbc09f72ac0e9ac6ddb8c
SHA256 b572cae9079525ff318c5e032dbd1e6f3ea5451bad708e1605c757b46cf63244
SHA512 3fa066be402587e2442faa2505f8c099b8469a6a015adbda995dfc79e02a6795bf1d9e980a1aee7590ef6cbf502a30c19113fa2d7b41999509b3044788f3c061

C:\Windows\system\SCvVvum.exe

MD5 ad1967d1a407a386476ed0b6acd6e24f
SHA1 961e3a9b42cb5052c8cfc1275af7156e2b726728
SHA256 d15934e76a7923a2b3d3a641b44241c13dc9c03c10e73d8fce4f3b8d613bfe5f
SHA512 7276f70eaeb62709a5ee45bb713eb6ed2cf560e339088a1dd218c7ac8209aec0cbd0702442933554074e6599a3a64c3485aba28a37a13c20a4b3ef7cb6b151f3

C:\Windows\system\HkdCARn.exe

MD5 f3175beba23f1c86b29b5c2db6637f58
SHA1 3d11df98ca08bf8fe7a2f6c79d6f81ce9b274448
SHA256 fe3c0e832ca3ff0b8809d65fe3a7483ae4e8b4efbd01f74fcbd84095c1c967c4
SHA512 9aee3fd31a1b6bcb510be4069181610347072603da37b073d3d979c11ca8fad330d81988b9646f7f861dec942ed189c8678016d708a8246e4ecb0167481d43f9

C:\Windows\system\NkILxiL.exe

MD5 2f636cb6123e85bb785c62568fee5ba6
SHA1 bb279d151e0fb93ae90c7791e6915456ab1501d2
SHA256 9a445f54aad952acafeacd1f16374d356dd4f8983425f3c605411178cb2e0376
SHA512 94e19db507e068f272919760e4d6112afdac7b2e5edd55dee942e70c3e108c67e0c42d46c5804ffd2e1f22b64406de0e3ee8a21d49da8b1c63256cd744d3958b

C:\Windows\system\vzwBHbX.exe

MD5 38bd21c747ed2216037bb1d961b85e8c
SHA1 602f194ed136ff8fbd3a0e35b36a4e1a16040389
SHA256 1e78f8ecbbd7a057dc03a31c6620ad91e40c6326b73845a9f662a0b71c809d8f
SHA512 220104f5c1f3e9eb290984578842c6d46dbee8f1afd3b82cbc52bfaf88ca7ab6b0106755fb062b88187774e699863017aab4b5d65ecb11cb12a94eb8ae14b24f

memory/2356-107-0x0000000002260000-0x00000000025B1000-memory.dmp

C:\Windows\system\YyxcBlu.exe

MD5 278dc1c97e575b2a7620460a2226bf59
SHA1 7f1f81e5ea2eea3346b5167c15ef41ea1fbf0ae8
SHA256 5698ae9c834d1fac047429c1653eaa1f645a583e1bfd558176b80a059775b018
SHA512 3163680a8338faba7ebcbcaf9b3f70cf47b2a4e10b1d6843f802d4a6884352ef9f851ba7932184fe399a0d9139150bb8775080ae2498d1f41d45c4e397a277c0

C:\Windows\system\OEwvBPs.exe

MD5 35e99bbfcbfb0637769ffe397f0aaac0
SHA1 dbcd3145b765a5ad578648fcaf5adcabd56e6632
SHA256 22852b83cd3a02a6c2dcef762926ade129a828b92533bf922e4d06773ee7a625
SHA512 98043cd117c58bae37ff8906a00ceee06540dda1836fd0b5717e056e95bf4f88652f57a02cbbdfe8d82441f805ddb8e114c0c5187f3952aa5d02fa52337f6500

C:\Windows\system\aDGJuqI.exe

MD5 2b1adef429434598553e453d599b4716
SHA1 3406613718d6513eac84468a869336cd98342eb7
SHA256 b3c95e319d2c245fd2f8ae4e702f3f1049604e7564d63f93e7597ecf018c55d4
SHA512 76f95c3b1c34d6cbfd9fd0335bfdd3215ba3ade0402807b9c40074c4cb4f9790c733a41dd76ab677b636348a77397f9d0b48c1e333f4c024c4456d0ac4f9a334

C:\Windows\system\aMnewsV.exe

MD5 c2b74ae5ebc425224624ffc6e69f8269
SHA1 27ef0c0f55a21a9a6b5ebe92469f2b0fa98d7676
SHA256 a147c3f8c1164becb5edcc3169fad53162304c15f989a739d86ce5d1ef7fe449
SHA512 78a9871239b72c51912e6647a87870a9b174d0597b736fc072f6c239f0f8460c2ac02f8567b22010dd9782a23aa871d9ba59fa56cf810f76781e8fde81ad0953

C:\Windows\system\PLnCbpJ.exe

MD5 7496664793efe8e39c30ebda39febc28
SHA1 1354525a5c7faaf704338407f61fa12a23acc541
SHA256 e886895457688cb127c91cdc6603b3952772d31c61bf4ec32e011906aeb3c6e1
SHA512 34942c8ab46f3338bf5f28838ae97920f982c5caa75f368bd8b8205af0956dac637b6e7c22694c355b0973297c1ea657e4ff0ea447fc4cd3cd34477322113d25

memory/2052-108-0x000000013F460000-0x000000013F7B1000-memory.dmp

memory/2356-109-0x000000013F520000-0x000000013F871000-memory.dmp

memory/1956-110-0x000000013F520000-0x000000013F871000-memory.dmp

memory/2356-113-0x000000013F590000-0x000000013F8E1000-memory.dmp

memory/2356-115-0x000000013F6E0000-0x000000013FA31000-memory.dmp

memory/2028-114-0x000000013F590000-0x000000013F8E1000-memory.dmp

memory/1096-112-0x000000013F9E0000-0x000000013FD31000-memory.dmp

memory/2356-111-0x000000013F9E0000-0x000000013FD31000-memory.dmp

memory/2060-116-0x000000013F6E0000-0x000000013FA31000-memory.dmp

memory/2456-119-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/2356-118-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/3044-117-0x000000013F430000-0x000000013F781000-memory.dmp

memory/2356-120-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

memory/2792-122-0x000000013F100000-0x000000013F451000-memory.dmp

memory/2172-121-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

memory/2940-128-0x000000013F880000-0x000000013FBD1000-memory.dmp

memory/2528-130-0x000000013F750000-0x000000013FAA1000-memory.dmp

memory/2356-129-0x000000013FA00000-0x000000013FD51000-memory.dmp

memory/2356-127-0x000000013F880000-0x000000013FBD1000-memory.dmp

memory/2780-126-0x000000013F640000-0x000000013F991000-memory.dmp

memory/2356-125-0x000000013F640000-0x000000013F991000-memory.dmp

memory/2820-123-0x000000013F390000-0x000000013F6E1000-memory.dmp

memory/2944-124-0x000000013F460000-0x000000013F7B1000-memory.dmp

memory/2356-131-0x000000013F1B0000-0x000000013F501000-memory.dmp

memory/2576-150-0x000000013FFF0000-0x0000000140341000-memory.dmp

memory/2608-152-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

memory/2632-151-0x000000013FF00000-0x0000000140251000-memory.dmp

memory/1404-149-0x000000013F6E0000-0x000000013FA31000-memory.dmp

memory/2728-148-0x000000013F230000-0x000000013F581000-memory.dmp

memory/2748-147-0x000000013F560000-0x000000013F8B1000-memory.dmp

memory/2220-146-0x000000013FA00000-0x000000013FD51000-memory.dmp

memory/2356-153-0x000000013F1B0000-0x000000013F501000-memory.dmp

memory/2356-154-0x000000013F750000-0x000000013FAA1000-memory.dmp

memory/2356-155-0x000000013F1B0000-0x000000013F501000-memory.dmp

memory/1956-225-0x000000013F520000-0x000000013F871000-memory.dmp

memory/2528-223-0x000000013F750000-0x000000013FAA1000-memory.dmp

memory/2820-232-0x000000013F390000-0x000000013F6E1000-memory.dmp

memory/2172-230-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

memory/2780-234-0x000000013F640000-0x000000013F991000-memory.dmp

memory/1096-242-0x000000013F9E0000-0x000000013FD31000-memory.dmp

memory/2060-246-0x000000013F6E0000-0x000000013FA31000-memory.dmp

memory/2940-253-0x000000013F880000-0x000000013FBD1000-memory.dmp

memory/2944-251-0x000000013F460000-0x000000013F7B1000-memory.dmp

memory/2456-244-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/2792-248-0x000000013F100000-0x000000013F451000-memory.dmp

memory/2052-240-0x000000013F460000-0x000000013F7B1000-memory.dmp

memory/3044-228-0x000000013F430000-0x000000013F781000-memory.dmp

memory/2028-226-0x000000013F590000-0x000000013F8E1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 15:22

Reported

2024-11-09 15:24

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\MxxyPAl.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZQEqSIz.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FchlEVU.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fcIEibC.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\svTBQAc.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mfVzWzR.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WkPRsMB.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SdCzaQr.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FCRoSyF.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VvDkDFD.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wxplRzi.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\frfqzLz.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RnfaPPL.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wYUDrnQ.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LoSldln.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JKYvpNe.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JgtaKCw.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\INueiWa.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ozKLfGZ.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HJIYnBl.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WVLgxOs.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2280 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LoSldln.exe
PID 2280 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LoSldln.exe
PID 2280 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mfVzWzR.exe
PID 2280 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mfVzWzR.exe
PID 2280 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MxxyPAl.exe
PID 2280 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MxxyPAl.exe
PID 2280 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JKYvpNe.exe
PID 2280 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JKYvpNe.exe
PID 2280 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WkPRsMB.exe
PID 2280 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WkPRsMB.exe
PID 2280 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wxplRzi.exe
PID 2280 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wxplRzi.exe
PID 2280 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JgtaKCw.exe
PID 2280 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JgtaKCw.exe
PID 2280 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\frfqzLz.exe
PID 2280 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\frfqzLz.exe
PID 2280 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RnfaPPL.exe
PID 2280 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RnfaPPL.exe
PID 2280 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\INueiWa.exe
PID 2280 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\INueiWa.exe
PID 2280 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wYUDrnQ.exe
PID 2280 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wYUDrnQ.exe
PID 2280 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SdCzaQr.exe
PID 2280 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SdCzaQr.exe
PID 2280 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZQEqSIz.exe
PID 2280 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZQEqSIz.exe
PID 2280 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FCRoSyF.exe
PID 2280 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FCRoSyF.exe
PID 2280 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FchlEVU.exe
PID 2280 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FchlEVU.exe
PID 2280 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fcIEibC.exe
PID 2280 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fcIEibC.exe
PID 2280 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ozKLfGZ.exe
PID 2280 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ozKLfGZ.exe
PID 2280 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\svTBQAc.exe
PID 2280 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\svTBQAc.exe
PID 2280 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HJIYnBl.exe
PID 2280 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HJIYnBl.exe
PID 2280 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WVLgxOs.exe
PID 2280 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WVLgxOs.exe
PID 2280 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VvDkDFD.exe
PID 2280 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VvDkDFD.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\LoSldln.exe

C:\Windows\System\LoSldln.exe

C:\Windows\System\mfVzWzR.exe

C:\Windows\System\mfVzWzR.exe

C:\Windows\System\MxxyPAl.exe

C:\Windows\System\MxxyPAl.exe

C:\Windows\System\JKYvpNe.exe

C:\Windows\System\JKYvpNe.exe

C:\Windows\System\WkPRsMB.exe

C:\Windows\System\WkPRsMB.exe

C:\Windows\System\wxplRzi.exe

C:\Windows\System\wxplRzi.exe

C:\Windows\System\JgtaKCw.exe

C:\Windows\System\JgtaKCw.exe

C:\Windows\System\frfqzLz.exe

C:\Windows\System\frfqzLz.exe

C:\Windows\System\RnfaPPL.exe

C:\Windows\System\RnfaPPL.exe

C:\Windows\System\INueiWa.exe

C:\Windows\System\INueiWa.exe

C:\Windows\System\wYUDrnQ.exe

C:\Windows\System\wYUDrnQ.exe

C:\Windows\System\SdCzaQr.exe

C:\Windows\System\SdCzaQr.exe

C:\Windows\System\ZQEqSIz.exe

C:\Windows\System\ZQEqSIz.exe

C:\Windows\System\FCRoSyF.exe

C:\Windows\System\FCRoSyF.exe

C:\Windows\System\FchlEVU.exe

C:\Windows\System\FchlEVU.exe

C:\Windows\System\fcIEibC.exe

C:\Windows\System\fcIEibC.exe

C:\Windows\System\ozKLfGZ.exe

C:\Windows\System\ozKLfGZ.exe

C:\Windows\System\svTBQAc.exe

C:\Windows\System\svTBQAc.exe

C:\Windows\System\HJIYnBl.exe

C:\Windows\System\HJIYnBl.exe

C:\Windows\System\WVLgxOs.exe

C:\Windows\System\WVLgxOs.exe

C:\Windows\System\VvDkDFD.exe

C:\Windows\System\VvDkDFD.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2280-0-0x00007FF793E10000-0x00007FF794161000-memory.dmp

memory/2280-1-0x00000221656A0000-0x00000221656B0000-memory.dmp

C:\Windows\System\LoSldln.exe

MD5 beb5c8bc890ed76b7564803474bfdf76
SHA1 7c406d7a72fa2495fc06aa3958ddd50feb69ecec
SHA256 e4f2015e52472e62a65f2ca15ab04e725b162402b0a6a78dc92f0eae8be51555
SHA512 b01a16d2bbdbbc5e747eb6295297a93c7ab17032aabfa6b1a44543214f5d1d28b3eb6611d13e5adad5dacd402ce478e84bc92be6eac00f2148a5e801015bc2ea

memory/1932-10-0x00007FF62A590000-0x00007FF62A8E1000-memory.dmp

memory/4332-16-0x00007FF7141C0000-0x00007FF714511000-memory.dmp

C:\Windows\System\WkPRsMB.exe

MD5 3ebc5b384b2f8c8349a4a6dd188f48e1
SHA1 4aa42f471a47b76a3cd849dc1bb713d224727b28
SHA256 5b5e456d4d7e84913d6d89c5a16ea3e63f983b3e428b2d8f39f3b6f37b9c3ae5
SHA512 f005321cfacff9ac2be761dbfc3362fb33112bdef35fe76af03db0bbf5db64f5be958423ca57acdc7ce4780e84f576a65bd13a11806a7ed57baaf4943ad5bbb2

C:\Windows\System\wxplRzi.exe

MD5 cd996253967ea5a84793328214f4c075
SHA1 26730756341dfef09f9f4d5a404092768c342e76
SHA256 cc83f3f015bbb5d3e341f924496a782c9092cdd2196a8ccdfa4355ddeb8b11ac
SHA512 a2a1cfd2e4d87f0b578c90117940b22dbbebba6d995c65e2c6eedfb9b26c2cd61655a66229867ae1cddd11583e70d71f96d4aa56c6739d70b7894b9cfd1e7559

C:\Windows\System\JgtaKCw.exe

MD5 d09ddcdcec8b62a9a3afe9cc2e49aa0a
SHA1 3e675e3bf745775357c150fd101adce4df80691b
SHA256 be0ab50d99b5aa1430e3030f581d000e0b0a266670dcf18af1670520747d9d18
SHA512 6fa4583a5b406e4de9e550937924b4dc6f75bdb9d8cdc59b57a28ca6194ec2baae5a760caa6f1108412e58a8804f2a3f2eab7ebba2bdbe60305365b92faf7b37

C:\Windows\System\RnfaPPL.exe

MD5 4f4a60afb64c870807eb730daabe0263
SHA1 81199712b1a0efd9a8ca021ff043d4e67da1541e
SHA256 40c58455bf223a19407fcdef0ff560acd103d4a8676283c04951c2f1f3fee180
SHA512 a94d7d9010edad8a14bd3aa4d369bac68b0fdea8d87c3b82d79b97d4340d4ebdfea18792249778ec7c4f170fd9d47d3627026b6f7c2554c74b041f6fe415e9af

memory/2828-58-0x00007FF763EF0000-0x00007FF764241000-memory.dmp

C:\Windows\System\wYUDrnQ.exe

MD5 72daedb0c94860ed587178c5596b1814
SHA1 cd3cdc2f2c3b4ec22f90a46d2609a9e0273043da
SHA256 b824b5f4a145e751eda144689f40fbec486856e024117c8cec96f21935398e9f
SHA512 a05d129e7f0605d98cf94569197bb0c7ca75515f644bd343bc32d78d2965047a1eea7e75eb28f9835657a76a5607a28881d58f688ea86d920d754157f92eef12

C:\Windows\System\SdCzaQr.exe

MD5 1a3f27488c2d32a68426b44a2688bc50
SHA1 08384fdb25eb859fdd976f5b70fa3ac96eef08d8
SHA256 ed6ce41a4eb38211b4965172b679870f4c4378e3ea6d527b27286f430d210113
SHA512 ab38350bd2d36803464fc4604d26770bcc2ad07bc6c208bf99054ecd962d4b3b91bff16590060b05eb429c396aff9ae01dc979cd17ff4c88640958d01291be71

memory/2856-86-0x00007FF6A9770000-0x00007FF6A9AC1000-memory.dmp

C:\Windows\System\FchlEVU.exe

MD5 7b46f34f929bef1c6b09e33103b44ad3
SHA1 b73d53a9b4054d69d6690d31b9855106d3d19581
SHA256 1dfa7805cf52b58e2652493a440e302b1b5301c24ec5ff2aa4662227cee5650f
SHA512 462232a7a618b1ba73bac0ddbbfc5868e6c08afd086645101736bba34d1a8579b618d57e36c303c79a9016556a40bfedbd983792a53655b633b3b077f806b3e8

C:\Windows\System\fcIEibC.exe

MD5 16c6598f788d521f1959fd2c56d31da1
SHA1 a6da37aacb516006e952eab6c6a7eac4f94704f4
SHA256 c05cf3feea43517612193153a740e9ee4eb632908ed56c8151e6a698f4bfe863
SHA512 73d0b0f1bf9507eb7463fcba4be75d7a2a0dc2dcf7d2432b15465c8377dc25e5964d215e7d67446d9c84b8967de2911975df80ddcdcb42f045d5318712750350

memory/2188-105-0x00007FF768030000-0x00007FF768381000-memory.dmp

C:\Windows\System\ozKLfGZ.exe

MD5 8ae898bba8cc917e18e061ab32db2a8a
SHA1 e47ca94bc8d6f6edf06389a4379c12b19f6bd529
SHA256 8b23781f41713d890d0a2d84a6c4e1d8e5c2663f0581ba9ae5f92071b0f46cdf
SHA512 9f0a6c07f5ea13b563b935625cc0ffbf2c5142bb3f3b99babf76fcfeb89683f9562f1c9746cfaa3eb3595067a6eedee1f29e4a7c9d7df0d24a86c64078a96c22

C:\Windows\System\svTBQAc.exe

MD5 b78c2522777d0f89a2de5226460c8957
SHA1 1aa0b7d5d2171c7c66dc417c31447ced3d3c6835
SHA256 fd3a5c759a2ebe9acb892fd3e1fc8169745e8a83085235b37c9937220a9a5448
SHA512 e0c0cf4fde44e50bf200c7ca6d8920b912f3130fc2c984c22dd3d6ed48a0082f520d709c7819e76a764bdbb3f195680f56e3db2b7a75672e895145cdce825ec1

memory/1548-108-0x00007FF62B5B0000-0x00007FF62B901000-memory.dmp

memory/4236-104-0x00007FF615650000-0x00007FF6159A1000-memory.dmp

memory/1932-101-0x00007FF62A590000-0x00007FF62A8E1000-memory.dmp

memory/2280-98-0x00007FF793E10000-0x00007FF794161000-memory.dmp

C:\Windows\System\FCRoSyF.exe

MD5 9210e94d9e8cbe0d0c5925482b0888aa
SHA1 083ac05a9a7723c532d0d7769d989f896c444477
SHA256 2bcd3a13d67015f782143c233a199c30445f2e1f6ff32043ad134e497e2478c6
SHA512 373aaedd8858132d61150f9f7a11c163d7f753965ed5a6be242c8598159b1d2e64f7e1d9cbcec030e15b2c00ec03a37cafa1846b51d55031ac00af613ef3b955

C:\Windows\System\ZQEqSIz.exe

MD5 d4b58045d49ec046a82ed8a0cde194a2
SHA1 bb8812d0bd88f11a038bcce9c4a01d9bc20ab1b3
SHA256 fc96166a66a22a58641bb6542d8502d08ca04fede8c417168935732730410c4f
SHA512 4edca5a65589c0066345d7e51235c1e4692351a1f4130e4bea0b13b6925598ff4d79769baa9883e7410d3509426079b6f531124fe8e01177ec1d32016b0d55a8

memory/3588-85-0x00007FF741860000-0x00007FF741BB1000-memory.dmp

memory/4604-84-0x00007FF665CD0000-0x00007FF666021000-memory.dmp

memory/4004-76-0x00007FF7D3F00000-0x00007FF7D4251000-memory.dmp

memory/3092-66-0x00007FF628E20000-0x00007FF629171000-memory.dmp

C:\Windows\System\INueiWa.exe

MD5 26619f64677c7ffa27488013a48ddfc4
SHA1 d92b1821cf72ae314a63b21afaf8b0a31b66fbb6
SHA256 7963e93756b3571f0522788628361f0eb40677651432c1115afb6e01df1f24da
SHA512 9332a3c491841f9f9bb42d4ad3b6904ac13956fedf4bc92dd066ac41f4170cbb8b1a4ea38134e07e49d2ecacde56c097f414881be52e85f73c90878003d5e832

memory/3744-60-0x00007FF697640000-0x00007FF697991000-memory.dmp

memory/4932-59-0x00007FF65D800000-0x00007FF65DB51000-memory.dmp

memory/2564-57-0x00007FF675430000-0x00007FF675781000-memory.dmp

memory/4228-46-0x00007FF627A00000-0x00007FF627D51000-memory.dmp

C:\Windows\System\frfqzLz.exe

MD5 aab930dc24292fa2bb7b0e88b7d60d7c
SHA1 76008109ed3198d2c2783a092a3245c572d82435
SHA256 63fc5f916c209f1925d0a1a3f5a86ed269c1b27cb59503802c837456066acb8a
SHA512 920e8afd54cf0d6bbc45a72848fecd197aa7a5f4f9b9d793523093a5cf896eab40a767ca7ac99cc18b463feb5b3e5848213f7450b080b3151f7f51c22af0a09f

memory/1944-37-0x00007FF7178F0000-0x00007FF717C41000-memory.dmp

memory/2548-33-0x00007FF6B7970000-0x00007FF6B7CC1000-memory.dmp

C:\Windows\System\MxxyPAl.exe

MD5 d736dbe8c9732a15f8ca54195778284f
SHA1 65df3c627621823ea00ebc87b1fae5600f70028c
SHA256 c6f68a629143c7fc215d56afbc6d8d6ffbbc689b99ba93ab2401729a1d0cff1f
SHA512 713795a63c819641fb1f1273bf91ff0479eb67af350248460ed282a90aa801edabbe3ebc016ad90f496c87a87e42cefe9a5b8a2d7c90c546c55d149e3eea8200

C:\Windows\System\JKYvpNe.exe

MD5 187251a65843dbf5f9476bf03fadc6f2
SHA1 3e72258ce1cd068d1a7fa018cd10d2dcc686d32d
SHA256 fe0ed7d0904a438e518c5301e5db841937472505d3df3c22492838274d5f38ed
SHA512 b6b1dd17fe9f92d9f2365b011570817f3be732dfc13f2ae04ff26859929998521ce261582226c3ccf8727c6fc768b25039d6646867dbf75412f3fcb758825b86

memory/768-24-0x00007FF768D00000-0x00007FF769051000-memory.dmp

C:\Windows\System\mfVzWzR.exe

MD5 ab2695f0868d880a13499163421a118f
SHA1 5e3596beb1c1bd2a7e473e6c35e4f6dbf31478c3
SHA256 73c0cf6840197444aa8016095a0191bc1d6c74df24ff66c3b505ed9c17e0ca17
SHA512 bdcd0a3c68eecb7d43b0bd3f03867d3c41b3b3397d2279fa86cb430d1481246b33a7491c387637ff952cbeafdbb3a88b575b0ca179bc8ebb3f598ad9340171d6

memory/4332-113-0x00007FF7141C0000-0x00007FF714511000-memory.dmp

memory/1944-115-0x00007FF7178F0000-0x00007FF717C41000-memory.dmp

memory/2548-114-0x00007FF6B7970000-0x00007FF6B7CC1000-memory.dmp

memory/768-121-0x00007FF768D00000-0x00007FF769051000-memory.dmp

C:\Windows\System\HJIYnBl.exe

MD5 f17c61eb66a037f60d85830e476d8ada
SHA1 eee01317375dc0767bc3085b3f2562df149ab68e
SHA256 2f5cfc2c71cda0ec2b5bd8298f7bc9600eddaf40babbcba08682053da1489677
SHA512 e4f9ec02592cd54bb321658e2712161d78a98d411e59ea95a98137140e62f527892fd2c57388132c97fd04352aea345445aef1a27f169d11b885f148de4e60e9

C:\Windows\System\VvDkDFD.exe

MD5 4698615ce9b4964c4d57a6c2d7450e5c
SHA1 3719d3222f94e3fb93ac6be76214618358a2ab85
SHA256 29a2b2c76e8a43270eb3adf575c6dd91d7a3fd004c63e6c3c30f6d3927bee7be
SHA512 5e01811e90a665e4bbd8bc61cf5e30a2c624030f0525132099373b189df421ab3c0a9c7ba128b9ab1a347b7a22e1142923283fb554f52784e4c7d0888170c3d0

memory/2828-129-0x00007FF763EF0000-0x00007FF764241000-memory.dmp

C:\Windows\System\WVLgxOs.exe

MD5 61374cb464cb28eb3489a1bcaf87b8c4
SHA1 f43417477b2b960a49b8d0a610f50ca3632f266c
SHA256 385f84a9330af5bd7bd3ade3ab95b418b506e5d45304c7275a42bbcf06bfc9f8
SHA512 68bd73264dcdeec7481c6d3b71117b7519474d66435b2c21cae6f56416c76a112fc5d3a5ee48f9b5cd125029547dc9991056bf7fe61cc12ed0bd83e87654bdd4

memory/1592-131-0x00007FF674F80000-0x00007FF6752D1000-memory.dmp

memory/1192-128-0x00007FF7BB030000-0x00007FF7BB381000-memory.dmp

memory/1732-127-0x00007FF647A60000-0x00007FF647DB1000-memory.dmp

memory/4228-124-0x00007FF627A00000-0x00007FF627D51000-memory.dmp

memory/2280-136-0x00007FF793E10000-0x00007FF794161000-memory.dmp

memory/3092-144-0x00007FF628E20000-0x00007FF629171000-memory.dmp

memory/2856-152-0x00007FF6A9770000-0x00007FF6A9AC1000-memory.dmp

memory/4236-153-0x00007FF615650000-0x00007FF6159A1000-memory.dmp

memory/4604-158-0x00007FF665CD0000-0x00007FF666021000-memory.dmp

memory/1732-157-0x00007FF647A60000-0x00007FF647DB1000-memory.dmp

memory/4004-156-0x00007FF7D3F00000-0x00007FF7D4251000-memory.dmp

memory/2188-155-0x00007FF768030000-0x00007FF768381000-memory.dmp

memory/1548-154-0x00007FF62B5B0000-0x00007FF62B901000-memory.dmp

memory/3588-151-0x00007FF741860000-0x00007FF741BB1000-memory.dmp

memory/1192-159-0x00007FF7BB030000-0x00007FF7BB381000-memory.dmp

memory/1592-160-0x00007FF674F80000-0x00007FF6752D1000-memory.dmp

memory/2280-161-0x00007FF793E10000-0x00007FF794161000-memory.dmp

memory/4332-218-0x00007FF7141C0000-0x00007FF714511000-memory.dmp

memory/1932-220-0x00007FF62A590000-0x00007FF62A8E1000-memory.dmp

memory/768-222-0x00007FF768D00000-0x00007FF769051000-memory.dmp

memory/1944-225-0x00007FF7178F0000-0x00007FF717C41000-memory.dmp

memory/2548-226-0x00007FF6B7970000-0x00007FF6B7CC1000-memory.dmp

memory/4228-231-0x00007FF627A00000-0x00007FF627D51000-memory.dmp

memory/2564-232-0x00007FF675430000-0x00007FF675781000-memory.dmp

memory/4932-229-0x00007FF65D800000-0x00007FF65DB51000-memory.dmp

memory/3744-234-0x00007FF697640000-0x00007FF697991000-memory.dmp

memory/3092-245-0x00007FF628E20000-0x00007FF629171000-memory.dmp

memory/4604-252-0x00007FF665CD0000-0x00007FF666021000-memory.dmp

memory/2856-251-0x00007FF6A9770000-0x00007FF6A9AC1000-memory.dmp

memory/3588-254-0x00007FF741860000-0x00007FF741BB1000-memory.dmp

memory/2828-248-0x00007FF763EF0000-0x00007FF764241000-memory.dmp

memory/4004-247-0x00007FF7D3F00000-0x00007FF7D4251000-memory.dmp

memory/1548-257-0x00007FF62B5B0000-0x00007FF62B901000-memory.dmp

memory/2188-260-0x00007FF768030000-0x00007FF768381000-memory.dmp

memory/4236-259-0x00007FF615650000-0x00007FF6159A1000-memory.dmp

memory/1732-264-0x00007FF647A60000-0x00007FF647DB1000-memory.dmp

memory/1192-266-0x00007FF7BB030000-0x00007FF7BB381000-memory.dmp

memory/1592-269-0x00007FF674F80000-0x00007FF6752D1000-memory.dmp