Malware Analysis Report

2025-04-03 18:02

Sample ID 241109-stzy6axbmc
Target 2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat
SHA256 88eae1f65df3bde5e241391c85236ae6fe363d504700ee94accf27e78ca0aedc
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10


Analysis Overview

score
10/10

SHA256

88eae1f65df3bde5e241391c85236ae6fe363d504700ee94accf27e78ca0aedc

Threat Level: Known bad

The file 2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobalt Strike reflective loader

Cobaltstrike family

Cobaltstrike

xmrig

XMRig Miner payload

Xmrig family

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-11-09 15:25

Signatures

Cobalt Strike reflective loader


Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 15:25

Reported

2024-11-09 15:28

Platform

win7-20240903-en

Max time kernel

140s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\MLbWaOG.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cvjtXSW.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EZaAKhP.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YCQYQSQ.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ybZILko.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SmKJGAL.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LJUAzVh.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gzwOSQG.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WXTMfir.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cXgCUym.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fYyRkpD.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VJWpOqK.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\icYwDbi.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yuaYuxY.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\psYJGFP.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oAIqThX.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aTqHEQp.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RwFaHFq.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\drytJZL.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zBDOCZY.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ySgPuxZ.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2788 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VJWpOqK.exe
PID 2788 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LJUAzVh.exe
PID 2788 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\icYwDbi.exe
PID 2788 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MLbWaOG.exe
PID 2788 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cvjtXSW.exe
PID 2788 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gzwOSQG.exe
PID 2788 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aTqHEQp.exe
PID 2788 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EZaAKhP.exe
PID 2788 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yuaYuxY.exe
PID 2788 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RwFaHFq.exe
PID 2788 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\psYJGFP.exe
PID 2788 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\drytJZL.exe
PID 2788 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WXTMfir.exe
PID 2788 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YCQYQSQ.exe
PID 2788 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zBDOCZY.exe
PID 2788 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ybZILko.exe
PID 2788 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oAIqThX.exe
PID 2788 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SmKJGAL.exe
PID 2788 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ySgPuxZ.exe
PID 2788 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cXgCUym.exe
PID 2788 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fYyRkpD.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\VJWpOqK.exe

C:\Windows\System\LJUAzVh.exe

C:\Windows\System\icYwDbi.exe

C:\Windows\System\MLbWaOG.exe

C:\Windows\System\cvjtXSW.exe

C:\Windows\System\gzwOSQG.exe

C:\Windows\System\aTqHEQp.exe

C:\Windows\System\EZaAKhP.exe

C:\Windows\System\yuaYuxY.exe

C:\Windows\System\RwFaHFq.exe

C:\Windows\System\psYJGFP.exe

C:\Windows\System\drytJZL.exe

C:\Windows\System\WXTMfir.exe

C:\Windows\System\YCQYQSQ.exe

C:\Windows\System\zBDOCZY.exe

C:\Windows\System\ybZILko.exe

C:\Windows\System\oAIqThX.exe

C:\Windows\System\SmKJGAL.exe

C:\Windows\System\ySgPuxZ.exe

C:\Windows\System\cXgCUym.exe

C:\Windows\System\fYyRkpD.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2244-240-0x000000013F290000-0x000000013F5E1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 15:25

Reported

2024-11-09 15:28

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\uCnTVkJ.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ypaxTyt.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xxufLXq.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JoPHGWP.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YEcuJob.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dOMyzfD.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HZoMRyw.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MozXkMx.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vkAshwW.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lYUxqSe.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MWnEZzb.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NhTItIN.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FzJZpND.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XRcxdTT.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WEaGhXL.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iELWOvP.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aVTFLCp.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nMhblTg.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NUjiKMZ.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ciAspRk.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AAGScWh.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2800 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FzJZpND.exe
PID 2800 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FzJZpND.exe
PID 2800 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ciAspRk.exe
PID 2800 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ciAspRk.exe
PID 2800 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XRcxdTT.exe
PID 2800 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XRcxdTT.exe
PID 2800 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WEaGhXL.exe
PID 2800 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WEaGhXL.exe
PID 2800 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AAGScWh.exe
PID 2800 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AAGScWh.exe
PID 2800 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MozXkMx.exe
PID 2800 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MozXkMx.exe
PID 2800 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dOMyzfD.exe
PID 2800 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dOMyzfD.exe
PID 2800 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HZoMRyw.exe
PID 2800 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HZoMRyw.exe
PID 2800 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vkAshwW.exe
PID 2800 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vkAshwW.exe
PID 2800 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uCnTVkJ.exe
PID 2800 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uCnTVkJ.exe
PID 2800 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aVTFLCp.exe
PID 2800 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aVTFLCp.exe
PID 2800 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lYUxqSe.exe
PID 2800 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lYUxqSe.exe
PID 2800 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ypaxTyt.exe
PID 2800 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ypaxTyt.exe
PID 2800 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nMhblTg.exe
PID 2800 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nMhblTg.exe
PID 2800 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NUjiKMZ.exe
PID 2800 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NUjiKMZ.exe
PID 2800 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xxufLXq.exe
PID 2800 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xxufLXq.exe
PID 2800 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JoPHGWP.exe
PID 2800 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JoPHGWP.exe
PID 2800 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YEcuJob.exe
PID 2800 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YEcuJob.exe
PID 2800 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MWnEZzb.exe
PID 2800 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MWnEZzb.exe
PID 2800 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NhTItIN.exe
PID 2800 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NhTItIN.exe
PID 2800 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iELWOvP.exe
PID 2800 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iELWOvP.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\FzJZpND.exe

C:\Windows\System\FzJZpND.exe

C:\Windows\System\ciAspRk.exe

C:\Windows\System\ciAspRk.exe

C:\Windows\System\XRcxdTT.exe

C:\Windows\System\XRcxdTT.exe

C:\Windows\System\WEaGhXL.exe

C:\Windows\System\WEaGhXL.exe

C:\Windows\System\AAGScWh.exe

C:\Windows\System\AAGScWh.exe

C:\Windows\System\MozXkMx.exe

C:\Windows\System\MozXkMx.exe

C:\Windows\System\dOMyzfD.exe

C:\Windows\System\dOMyzfD.exe

C:\Windows\System\HZoMRyw.exe

C:\Windows\System\HZoMRyw.exe

C:\Windows\System\vkAshwW.exe

C:\Windows\System\vkAshwW.exe

C:\Windows\System\uCnTVkJ.exe

C:\Windows\System\uCnTVkJ.exe

C:\Windows\System\aVTFLCp.exe

C:\Windows\System\aVTFLCp.exe

C:\Windows\System\lYUxqSe.exe

C:\Windows\System\lYUxqSe.exe

C:\Windows\System\ypaxTyt.exe

C:\Windows\System\ypaxTyt.exe

C:\Windows\System\nMhblTg.exe

C:\Windows\System\nMhblTg.exe

C:\Windows\System\NUjiKMZ.exe

C:\Windows\System\NUjiKMZ.exe

C:\Windows\System\xxufLXq.exe

C:\Windows\System\xxufLXq.exe

C:\Windows\System\JoPHGWP.exe

C:\Windows\System\JoPHGWP.exe

C:\Windows\System\YEcuJob.exe

C:\Windows\System\YEcuJob.exe

C:\Windows\System\MWnEZzb.exe

C:\Windows\System\MWnEZzb.exe

C:\Windows\System\NhTItIN.exe

C:\Windows\System\NhTItIN.exe

C:\Windows\System\iELWOvP.exe

C:\Windows\System\iELWOvP.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2800-0-0x00007FF723860000-0x00007FF723BB1000-memory.dmp

memory/2800-1-0x0000021EE4910000-0x0000021EE4920000-memory.dmp

C:\Windows\System\FzJZpND.exe

MD5 699ba62cb974acc9c6042cfc72820d95
SHA1 b9d78ccd0dbf4af843d1e5b7657164fb504912aa
SHA256 be0750169aa83bc09a8ac8986e772dee708e356171075bac5a5c87b51f3336e2
SHA512 f1867fe06b9f6a6e130e63916f82776e0f64c68cc97886c71a604e8b3cdef7478c0b5fc178eada9d163e8632578e0a137a7f2efa6363e8f30778778bcb709981

C:\Windows\System\ciAspRk.exe

MD5 cfe78632a8b65b003ce352c599f8158e
SHA1 eb35a720f95fdedf237a48117e22dab2f66b0ace
SHA256 14c9200c4004a6028fdfbc88565ff0a9f762299cee6eda697477f333e652b6bc
SHA512 a2820b4b396bd563b5d5bdd23f208ad58754a7a0feada71af5d86dbf8ae04758634ac5e6d750cd34a009211b8bd65ffe7e972600609e0afcac46966dd03ae09d

C:\Windows\System\WEaGhXL.exe

MD5 79ca5d474d2fa787ac993735cc5f275d
SHA1 04636e24bd498218e9772ab853e515a92cc24df3
SHA256 981b1de08a859a173f7a7f1fd33ed5c33d90584212497476b1d9a65756c078eb
SHA512 fe4d78d70458f46b8f91371b7ee01b86ff3f8ecb024f362afc96df1f6bb66b9ca73b12f8d751b9cf0b8b96fc3284b3cf126c2616e6531ec903e3ad947e5e28f2

C:\Windows\System\XRcxdTT.exe

MD5 52866630a4b6071a0c79d3b00bbc227a
SHA1 06f844973ead2131bb8ab5fcdafa464c4178cc1a
SHA256 45fb5875754236e5f977792cfd1e209f7a78a727d3416ab83ed2fc9b9aed7533
SHA512 7054d82d34e7638cc190774bb5bad31abb1885ac0615d8b736a4fc27589c0ef4a99424afd20c5e962ed897abba9fd1c02c52fdbbce26c6a4098bc05263353560

C:\Windows\System\HZoMRyw.exe

MD5 f4a34ad88eb8f1bf02b7f8f7f95458c2
SHA1 9eb39dad8d254b88a47241f5bdd3bd0bd13dae16
SHA256 d73bf7398ddabc7bae8a15b748a381dcfb5c4ac627c96300516b2ec37395af73
SHA512 b1c5807597556904f5e473334d2ea09bc4b37e2a70a6018f3a147db6f66b8af1f03b8cdc8c20ec13467733087e5f72b71019a3e5f153b6c0cf7b24e9939e69b1

C:\Windows\System\aVTFLCp.exe

MD5 7785fd754fc0f56cebad930f5ab78545
SHA1 18fc34ecbe460cb174d4e7a27fbfb85a4842e5ce
SHA256 ee3ef1eebf5f678529e39ddfa1a931d099ba91d4dafc9fddcd5d0d5134f5d9de
SHA512 1477266f46c586a4927ec8e0f9a407460bb4dcb7e65287b73f617723b9ce5405fb510a6e4ba9c83881cdab8e88967ec5de67a3a5f867b86765c086bb153d48c3

C:\Windows\System\ypaxTyt.exe

MD5 f49a786de988d848f2e390434fbad217
SHA1 59447a2f547a8dd0d44d0bb710c6d103a7efb95b
SHA256 f799e42d138fbdba459ac6f83393d276c58c1ca9cd4ba7d4bc03b128a14acbd5
SHA512 797119fe6031650246e6e0e5b4d3cb95e9c1a51580c2b5f61a4ee296e5e94401f302a86d3a9796e9bb9c962a693a18183df6b20bb0adb498ffc47b2428cd0275

C:\Windows\System\nMhblTg.exe

MD5 a7cbb354417f7347cdc7a94c0696e4d8
SHA1 7f0bb3165cadc043d1348f5a2fdaa3ad65dfd55c
SHA256 ed5c0dd203a8e213f0e5460a47b387fa758010ee2c06600273873b227cd92568
SHA512 5a5895a6371b8b53b0408a99c5200b6a1e028cf3e7c948adb6c948e51cd1ca9192615273125bdf1fa40772f1dce1e4ea8784d40903661f29120dbdf457230f13

memory/1048-82-0x00007FF76A000000-0x00007FF76A351000-memory.dmp

memory/1904-86-0x00007FF739620000-0x00007FF739971000-memory.dmp

memory/3656-88-0x00007FF774700000-0x00007FF774A51000-memory.dmp

memory/5052-87-0x00007FF773020000-0x00007FF773371000-memory.dmp

C:\Windows\System\lYUxqSe.exe

MD5 6efac1268b14e7529a1714ade6bbea8a
SHA1 3b0a875f686ef6926b17c060720d57494b1b4a7b
SHA256 82737e7f4b2158f280bcbad27b6d28008390391ad6c7a479d1d0e3d65dc7e8b6
SHA512 0f9bf3525543c1037fdf8e1dc1f5ab73a954b26c8383768ad4039ac5c57b094c2e7eeb5cd0380204ac89367948c8f30568b1d82258e03488bca77293c89d128e

C:\Windows\System\JoPHGWP.exe

MD5 4a7e2f88dfc1f39d9a8fefdacdb3fc2c
SHA1 04beb5cc44de8ec9fcf9c6ce7d29138e6b55f94f
SHA256 34d935287660551f50bb24c458a4cfbedfd4669dde87c89fc9e9bf0ae05d36b0
SHA512 47e9ede1f714275d4500125c4efbb01e152f9e32a4b76a8477be42defb7bd29ab1a41dc355cf391d2a79af6150ca56c650538cf87e1bb796bcd4cf812ed2804b

C:\Windows\System\iELWOvP.exe

MD5 fbf681e13cc3b490c7197ed604e42827
SHA1 68bf52f52f5563deca2309342262cec317ffac85
SHA256 bf3f5d2416c6e9c17e93a0da46bafc392d6a1885c76e219616f23511a9419aec
SHA512 3fb7ef44aae73f63fa3a0c3ba43c1321761016e1d94a8747d400b4aae172f5380bab014c5d6800287c23c30aa1ed3b51fad9bb9838f6bda0ae7529048139a962

C:\Windows\System\NhTItIN.exe

MD5 d79d90df88c7f129a247704a8f30435c
SHA1 b7fc5b51542454c83b745ee249a83d5951a492bb
SHA256 4d3ce7739d027ddc8f6a3d56d3b890504fbc3852951e4482035810f72d3eb5cf
SHA512 e6db7fcb76d07aa1aa1114f2cb809457aa4ea14222c5c28dba20f5471d261a96fd7b5ec30161476de0321c0e28ba2c6352dcd035a7949b1778f9bdedb4d4a573

C:\Windows\System\MWnEZzb.exe

MD5 d3a2adaeaf73eaa5280dca3a4d2fce10
SHA1 bbe93c6b279946d646562973af8bf01f8c460ef6
SHA256 53f2626195a90392330ec15bda88a519503f40c21ba485d1f68558c2cdcf46e7
SHA512 4866a21a98563d557b08718188958210940ad578771bc8b88ce8ae9bc296860abeb7b70e6722594133b4a2011269f09f19c53559e6bdb2513ee64389bc26db73

C:\Windows\System\YEcuJob.exe

MD5 45f738f8b03305d29666d026975a4336
SHA1 d9dd5cdab90ad7c8c531b904ff2d0fcfcac8f467
SHA256 7e9fe80f397f78e224660d0f15e25284dfeb102cf383d4b35654079393fb6ad8
SHA512 15b84507db7ada1fbb0e89dec7ac5f0cfcdb722708beb000982f1d6c98aff663827de8abac9874e90e39e652ad8fe9cf37500f17a42b370475a114c44d6c2590

C:\Windows\System\NUjiKMZ.exe

MD5 f9b2a5a6be619d9c690500d57056dd3d
SHA1 60d03bb5542458b6e15931a908b8b70da64567ab
SHA256 5e9701b8f9004c78624aa075df9ff27c308b42b4ca18d69afeef5c1c20835ca3
SHA512 a28442f86a2d7c4b74c06bc9fa7953dcc62adcd0af475ef874fb21f91302d6539f143033d6b84bf37db943ace5eba3adf75907ae80c89b9b367fefbbfe5a8cc7

C:\Windows\System\xxufLXq.exe

MD5 3b0dddc60d4627926d87e8db1fee5648
SHA1 7e0673387c27f4512738726600f1557014f2db5e
SHA256 a0b0fc1ff7c549a89fd075a313c939cd3e23ad6f61300c1189ec57676eec2c7c
SHA512 13c0886629ff6aff9661fb849bb8b6b75002ae6b94205e6af5d086c1f890ebd93bf627c2c202b80a4ee43631a84e7c86602cf38b1064c423c8171931f0a63c0e

memory/1816-85-0x00007FF7FD920000-0x00007FF7FDC71000-memory.dmp

memory/3828-84-0x00007FF7AA8F0000-0x00007FF7AAC41000-memory.dmp

memory/4008-81-0x00007FF676950000-0x00007FF676CA1000-memory.dmp

memory/2468-80-0x00007FF6012E0000-0x00007FF601631000-memory.dmp

memory/4220-68-0x00007FF6E9B60000-0x00007FF6E9EB1000-memory.dmp

C:\Windows\System\MozXkMx.exe

MD5 185430f4fe040d296c9e89098bb3d98f
SHA1 b4b71f86733995c45449136cb3bdd2cae1ed5074
SHA256 b501f3fda4a4186f3e5c0a7e770ef3dc092fb385a9da5c6b85d07a2abe6664ca
SHA512 782dc1c834480a60c5fd22b823b31d1177842027f12462f972e4ed33de12dc59cb3c66e4bc4d5e7d2fd3cf4c4d9ad456e3ee64d073c0e55577362f6e9a1ab271

C:\Windows\System\uCnTVkJ.exe

MD5 57f6426c2fd926f558f4ecd05c875c89
SHA1 7487b0a735b400f19baa6535200c8a90011c4083
SHA256 000e19b1202a19604a6e0c90208de76eece1c0f008acea0fd101c2adc74341fa
SHA512 ad50de7923357fae00a7dbf2349c6927340c26ee65913c0c0092239c5e89648df5baf4c5fbebc4f3c998724272d8efabb98c05b8dc5fe0d2f241863d2fe2f0f4

memory/2344-54-0x00007FF68AEE0000-0x00007FF68B231000-memory.dmp

C:\Windows\System\vkAshwW.exe

MD5 13c690843dd34cd0625d282e53057fb9
SHA1 1a22f8f5fbbc189605cda72ce86eca0f3e8357d9
SHA256 736f5712f132178d171d9d3000c33bedb80c6809adb0676c2ffe87ba561f2ecb
SHA512 c95879ca319d19a1956a0e472337769e3d31b05ad0bc0d14b3a648f8033a0970d9964297f807779436ba773af323f4f7edfc46c8afcddf854ce60aebb0d03302

memory/1412-44-0x00007FF677800000-0x00007FF677B51000-memory.dmp

C:\Windows\System\dOMyzfD.exe

MD5 59f5b4c6f91a678866c2c3ee67ebfb79
SHA1 bda792c32ed67be7650eb628d6e5770f27389172
SHA256 13dc008204d1d1fcbf595270e0a79be0dc3245247b55e07f557c6c70781b9af3
SHA512 798623a6ab68f346923b520a57f19990076795f6dc0b93468d3e421c7a3e69898fc4ef2df70442613a6acf6b957859c1bfd47091566a6fb3f43340caa231b55f

C:\Windows\System\AAGScWh.exe

MD5 88e14b4a9c24c25d5d3c64159542384c
SHA1 8eeff1bd5a2138ffb06422beeb9bebbbdc01066e
SHA256 be42dd3c1eed5bb5eab7202c0109610aa145966c770e275f70958b177a11feac
SHA512 efc9c4595eb23ab0f96e19eed9368f6153063ed68e3a23ff9be1bd5ed4915eca7467fc8071512fb9ad45b24cd36b0056ecf4824e4a412f9c1521e92829d1f6c7

memory/4972-32-0x00007FF6ADDD0000-0x00007FF6AE121000-memory.dmp

memory/3616-24-0x00007FF7FD160000-0x00007FF7FD4B1000-memory.dmp

memory/4528-23-0x00007FF71DBA0000-0x00007FF71DEF1000-memory.dmp

memory/4940-13-0x00007FF7C1A20000-0x00007FF7C1D71000-memory.dmp

memory/1004-6-0x00007FF727240000-0x00007FF727591000-memory.dmp

memory/1112-127-0x00007FF63E0A0000-0x00007FF63E3F1000-memory.dmp

memory/1592-126-0x00007FF7EF010000-0x00007FF7EF361000-memory.dmp

memory/2136-125-0x00007FF773850000-0x00007FF773BA1000-memory.dmp

memory/2144-124-0x00007FF7185A0000-0x00007FF7188F1000-memory.dmp

memory/1668-123-0x00007FF7FAAC0000-0x00007FF7FAE11000-memory.dmp

memory/1004-129-0x00007FF727240000-0x00007FF727591000-memory.dmp

memory/4940-130-0x00007FF7C1A20000-0x00007FF7C1D71000-memory.dmp

memory/2800-131-0x00007FF723860000-0x00007FF723BB1000-memory.dmp

memory/2800-128-0x00007FF723860000-0x00007FF723BB1000-memory.dmp

memory/3616-133-0x00007FF7FD160000-0x00007FF7FD4B1000-memory.dmp

memory/1412-135-0x00007FF677800000-0x00007FF677B51000-memory.dmp

memory/5052-143-0x00007FF773020000-0x00007FF773371000-memory.dmp

memory/3656-145-0x00007FF774700000-0x00007FF774A51000-memory.dmp

memory/4008-142-0x00007FF676950000-0x00007FF676CA1000-memory.dmp

memory/2468-141-0x00007FF6012E0000-0x00007FF601631000-memory.dmp

memory/4972-134-0x00007FF6ADDD0000-0x00007FF6AE121000-memory.dmp

memory/1048-144-0x00007FF76A000000-0x00007FF76A351000-memory.dmp

memory/4220-139-0x00007FF6E9B60000-0x00007FF6E9EB1000-memory.dmp

memory/4528-132-0x00007FF71DBA0000-0x00007FF71DEF1000-memory.dmp

memory/2800-151-0x00007FF723860000-0x00007FF723BB1000-memory.dmp

memory/1004-211-0x00007FF727240000-0x00007FF727591000-memory.dmp

memory/4940-213-0x00007FF7C1A20000-0x00007FF7C1D71000-memory.dmp

memory/4528-216-0x00007FF71DBA0000-0x00007FF71DEF1000-memory.dmp

memory/3616-217-0x00007FF7FD160000-0x00007FF7FD4B1000-memory.dmp

memory/2344-221-0x00007FF68AEE0000-0x00007FF68B231000-memory.dmp

memory/4972-220-0x00007FF6ADDD0000-0x00007FF6AE121000-memory.dmp

memory/1412-235-0x00007FF677800000-0x00007FF677B51000-memory.dmp

memory/1904-232-0x00007FF739620000-0x00007FF739971000-memory.dmp

memory/4220-236-0x00007FF6E9B60000-0x00007FF6E9EB1000-memory.dmp

memory/1816-230-0x00007FF7FD920000-0x00007FF7FDC71000-memory.dmp

memory/3828-238-0x00007FF7AA8F0000-0x00007FF7AAC41000-memory.dmp

memory/3656-241-0x00007FF774700000-0x00007FF774A51000-memory.dmp

memory/4008-242-0x00007FF676950000-0x00007FF676CA1000-memory.dmp

memory/2468-245-0x00007FF6012E0000-0x00007FF601631000-memory.dmp

memory/1048-248-0x00007FF76A000000-0x00007FF76A351000-memory.dmp

memory/1668-250-0x00007FF7FAAC0000-0x00007FF7FAE11000-memory.dmp

memory/1112-252-0x00007FF63E0A0000-0x00007FF63E3F1000-memory.dmp

memory/5052-246-0x00007FF773020000-0x00007FF773371000-memory.dmp

memory/2144-254-0x00007FF7185A0000-0x00007FF7188F1000-memory.dmp

memory/2136-256-0x00007FF773850000-0x00007FF773BA1000-memory.dmp

memory/1592-258-0x00007FF7EF010000-0x00007FF7EF361000-memory.dmp