Malware Analysis Report

2025-08-11 08:14

Sample ID 241025-n1cpzsyera
Target 2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat
SHA256 229bebd92a6b215cae70486bc4303023911e6e6299769923e235bedcbd430ff9
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

229bebd92a6b215cae70486bc4303023911e6e6299769923e235bedcbd430ff9

Threat Level: Known bad

The file 2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobalt Strike reflective loader

Cobaltstrike

xmrig

Cobaltstrike family

Xmrig family

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-10-25 11:51

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 11:51

Reported

2024-10-25 11:54

Platform

win7-20240903-en

Max time kernel

140s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ROXzypk.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nzbqjHW.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZpSqGVc.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OQwaaeZ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HgzDiDF.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eUtIDIl.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QSPxuzz.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eGkMNLH.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HVeobic.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gMYweKB.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DJoAAKS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NeaTZvn.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jImBnTz.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ODUDEtT.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yEMkEAa.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\whjTHAj.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YOWsSLj.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aJcnBVV.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ArhBAlg.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xulpMeN.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XvOnaaS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2216 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ODUDEtT.exe
PID 2216 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OQwaaeZ.exe
PID 2216 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HVeobic.exe
PID 2216 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HgzDiDF.exe
PID 2216 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eUtIDIl.exe
PID 2216 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gMYweKB.exe
PID 2216 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aJcnBVV.exe
PID 2216 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ArhBAlg.exe
PID 2216 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yEMkEAa.exe
PID 2216 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QSPxuzz.exe
PID 2216 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\whjTHAj.exe
PID 2216 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ROXzypk.exe
PID 2216 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nzbqjHW.exe
PID 2216 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DJoAAKS.exe
PID 2216 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xulpMeN.exe
PID 2216 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XvOnaaS.exe
PID 2216 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZpSqGVc.exe
PID 2216 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YOWsSLj.exe
PID 2216 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jImBnTz.exe
PID 2216 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NeaTZvn.exe
PID 2216 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eGkMNLH.exe

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe "C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\ODUDEtT.exe C:\Windows\System\ODUDEtT.exe
C:\Windows\System\OQwaaeZ.exe C:\Windows\System\OQwaaeZ.exe
C:\Windows\System\HVeobic.exe C:\Windows\System\HVeobic.exe
C:\Windows\System\HgzDiDF.exe C:\Windows\System\HgzDiDF.exe
C:\Windows\System\eUtIDIl.exe C:\Windows\System\eUtIDIl.exe
C:\Windows\System\gMYweKB.exe C:\Windows\System\gMYweKB.exe
C:\Windows\System\aJcnBVV.exe C:\Windows\System\aJcnBVV.exe
C:\Windows\System\ArhBAlg.exe C:\Windows\System\ArhBAlg.exe
C:\Windows\System\yEMkEAa.exe C:\Windows\System\yEMkEAa.exe
C:\Windows\System\QSPxuzz.exe C:\Windows\System\QSPxuzz.exe
C:\Windows\System\whjTHAj.exe C:\Windows\System\whjTHAj.exe
C:\Windows\System\ROXzypk.exe C:\Windows\System\ROXzypk.exe
C:\Windows\System\nzbqjHW.exe C:\Windows\System\nzbqjHW.exe
C:\Windows\System\DJoAAKS.exe C:\Windows\System\DJoAAKS.exe
C:\Windows\System\xulpMeN.exe C:\Windows\System\xulpMeN.exe
C:\Windows\System\XvOnaaS.exe C:\Windows\System\XvOnaaS.exe
C:\Windows\System\ZpSqGVc.exe C:\Windows\System\ZpSqGVc.exe
C:\Windows\System\YOWsSLj.exe C:\Windows\System\YOWsSLj.exe
C:\Windows\System\jImBnTz.exe C:\Windows\System\jImBnTz.exe
C:\Windows\System\NeaTZvn.exe C:\Windows\System\NeaTZvn.exe
C:\Windows\System\eGkMNLH.exe C:\Windows\System\eGkMNLH.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/1964-163-0x000000013F6D0000-0x000000013FA21000-memory.dmp

memory/2216-169-0x000000013FD60000-0x00000001400B1000-memory.dmp

memory/2668-220-0x000000013FF50000-0x00000001402A1000-memory.dmp

memory/2700-219-0x000000013F370000-0x000000013F6C1000-memory.dmp

memory/2804-232-0x000000013FE70000-0x00000001401C1000-memory.dmp

memory/2788-231-0x000000013FB10000-0x000000013FE61000-memory.dmp

memory/2560-234-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

memory/2564-236-0x000000013FE90000-0x00000001401E1000-memory.dmp

memory/2648-238-0x000000013F910000-0x000000013FC61000-memory.dmp

memory/2968-240-0x000000013FE50000-0x00000001401A1000-memory.dmp

memory/2400-244-0x000000013FCB0000-0x0000000140001000-memory.dmp

memory/2348-243-0x000000013F7E0000-0x000000013FB31000-memory.dmp

memory/2104-246-0x000000013FA10000-0x000000013FD61000-memory.dmp

memory/2468-258-0x000000013FB70000-0x000000013FEC1000-memory.dmp

memory/1480-260-0x000000013F760000-0x000000013FAB1000-memory.dmp

memory/1856-262-0x000000013F610000-0x000000013F961000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 11:51

Reported

2024-10-25 11:54

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\gMYweKB.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yEMkEAa.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QSPxuzz.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XvOnaaS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZpSqGVc.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OQwaaeZ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HVeobic.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HgzDiDF.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jImBnTz.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eGkMNLH.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YOWsSLj.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ROXzypk.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nzbqjHW.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DJoAAKS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aJcnBVV.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xulpMeN.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NeaTZvn.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\whjTHAj.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ODUDEtT.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eUtIDIl.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ArhBAlg.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2216 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ODUDEtT.exe
PID 2216 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ODUDEtT.exe
PID 2216 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OQwaaeZ.exe
PID 2216 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OQwaaeZ.exe
PID 2216 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HVeobic.exe
PID 2216 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HVeobic.exe
PID 2216 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HgzDiDF.exe
PID 2216 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HgzDiDF.exe
PID 2216 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eUtIDIl.exe
PID 2216 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eUtIDIl.exe
PID 2216 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gMYweKB.exe
PID 2216 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gMYweKB.exe
PID 2216 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aJcnBVV.exe
PID 2216 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aJcnBVV.exe
PID 2216 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ArhBAlg.exe
PID 2216 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ArhBAlg.exe
PID 2216 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yEMkEAa.exe
PID 2216 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yEMkEAa.exe
PID 2216 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QSPxuzz.exe
PID 2216 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QSPxuzz.exe
PID 2216 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\whjTHAj.exe
PID 2216 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\whjTHAj.exe
PID 2216 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ROXzypk.exe
PID 2216 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ROXzypk.exe
PID 2216 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nzbqjHW.exe
PID 2216 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nzbqjHW.exe
PID 2216 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DJoAAKS.exe
PID 2216 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DJoAAKS.exe
PID 2216 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xulpMeN.exe
PID 2216 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xulpMeN.exe
PID 2216 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XvOnaaS.exe
PID 2216 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XvOnaaS.exe
PID 2216 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZpSqGVc.exe
PID 2216 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZpSqGVc.exe
PID 2216 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YOWsSLj.exe
PID 2216 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YOWsSLj.exe
PID 2216 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jImBnTz.exe
PID 2216 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jImBnTz.exe
PID 2216 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NeaTZvn.exe
PID 2216 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NeaTZvn.exe
PID 2216 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eGkMNLH.exe
PID 2216 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eGkMNLH.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_b346335f26a9c80e41a61c4caa52601e_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\ODUDEtT.exe

C:\Windows\System\ODUDEtT.exe

C:\Windows\System\OQwaaeZ.exe

C:\Windows\System\OQwaaeZ.exe

C:\Windows\System\HVeobic.exe

C:\Windows\System\HVeobic.exe

C:\Windows\System\HgzDiDF.exe

C:\Windows\System\HgzDiDF.exe

C:\Windows\System\eUtIDIl.exe

C:\Windows\System\eUtIDIl.exe

C:\Windows\System\gMYweKB.exe

C:\Windows\System\gMYweKB.exe

C:\Windows\System\aJcnBVV.exe

C:\Windows\System\aJcnBVV.exe

C:\Windows\System\ArhBAlg.exe

C:\Windows\System\ArhBAlg.exe

C:\Windows\System\yEMkEAa.exe

C:\Windows\System\yEMkEAa.exe

C:\Windows\System\QSPxuzz.exe

C:\Windows\System\QSPxuzz.exe

C:\Windows\System\whjTHAj.exe

C:\Windows\System\whjTHAj.exe

C:\Windows\System\ROXzypk.exe

C:\Windows\System\ROXzypk.exe

C:\Windows\System\nzbqjHW.exe

C:\Windows\System\nzbqjHW.exe

C:\Windows\System\DJoAAKS.exe

C:\Windows\System\DJoAAKS.exe

C:\Windows\System\xulpMeN.exe

C:\Windows\System\xulpMeN.exe

C:\Windows\System\XvOnaaS.exe

C:\Windows\System\XvOnaaS.exe

C:\Windows\System\ZpSqGVc.exe

C:\Windows\System\ZpSqGVc.exe

C:\Windows\System\YOWsSLj.exe

C:\Windows\System\YOWsSLj.exe

C:\Windows\System\jImBnTz.exe

C:\Windows\System\jImBnTz.exe

C:\Windows\System\NeaTZvn.exe

C:\Windows\System\NeaTZvn.exe

C:\Windows\System\eGkMNLH.exe

C:\Windows\System\eGkMNLH.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 70.209.201.84.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp

Files

memory/2216-0-0x00007FF77CBB0000-0x00007FF77CF01000-memory.dmp

memory/2216-1-0x00000238397A0000-0x00000238397B0000-memory.dmp

C:\Windows\System\ODUDEtT.exe

MD5 1294d079b5d74b34c5010854c38abaa7
SHA1 ceb908bdcb36467924b14381bf797e554c3d7dba
SHA256 7c7f54e2d76e10230429a5d542d1d2b6cb761e0c3e5be8471be7111dc1573fe4
SHA512 2fafa54ac648543d50a4472844e97ffc3ccc252212e4b04c31d4350650ad1f8891bb7c9c0270877fb36a8952a87df37d21fddd460f8cbff2f749a00151d1e258

memory/1872-7-0x00007FF7EF790000-0x00007FF7EFAE1000-memory.dmp

C:\Windows\System\HVeobic.exe

MD5 8c53b8ae18d26356191ae8be9ace3bf3
SHA1 2625b9aa7b43a5ce77e97dc7e790de6a7020cc19
SHA256 6f0395e403932b366cb719bcda4b791f84c2974a3f425971f60e58cad7c4acf6
SHA512 8f3e75aeda9a6ce7206424864d6347de81636246d015cc2bc39c4d71e799ed13b91f154c455f9f1c8eec64b13742ae7e4a097ca56c3472af534806aa71c8db0d

C:\Windows\System\OQwaaeZ.exe

MD5 79dedeae47fe380279ce0156dcf0c04d
SHA1 130083e238392f196f65b800f2e60ccb679cd4fc
SHA256 8324cc03766b6241729ee66552eb929d0990e09258b019d89fc4b7fb6e9954f0
SHA512 ffc72fe34948eaa2e84499889722abd6b89aa1c01ffc8fe643f9001fab1ad51a13f7680107a9d5feda4837aa8fb00cde047353371af89d446149740239e03be2

memory/2596-20-0x00007FF7D49E0000-0x00007FF7D4D31000-memory.dmp

C:\Windows\System\HgzDiDF.exe

MD5 c7d8b44e0a989117e767180e94fd831c
SHA1 2708f7fdcdc700cbd6cba067c2a67c2abccccc09
SHA256 aec53c8e00b116c6405a995ead85d1a6f04aec34c7b462e0cbf42b6b14d9a11a
SHA512 bf387e05a4a23d8941d1ef23875f54a58aad4cb17c191beacd9a52d2f5f2b99869849128ce7d68536ea37b3ee5cc15972b8f2b203ab69d8fe2bb2901df04bad3

memory/1556-39-0x00007FF7E2F80000-0x00007FF7E32D1000-memory.dmp

C:\Windows\System\yEMkEAa.exe

MD5 ff5cc292d6d0ed414d2621822e8f4af2
SHA1 36186c6171409fc4bdc721db571d53bcc19ecbb5
SHA256 cac6a73e6f95a33cd58c3b9398f0492d681118e307a0c263fac7c4d3b507582c
SHA512 a47f36e4914e9a5ec3675c977dd944821f8e2031354dab643408c1b1e93f5c916d181d4202c6516eae7522804d0432477ca40e583686503dd1702fb08b04b97c

C:\Windows\System\whjTHAj.exe

MD5 63340fb66e33f4584205acca05fd15a6
SHA1 aa9f382e95da32f81464d51a64d8f849fd9bbd6c
SHA256 7eaf2b1ee9dca82594d0def487a71773254daef074c9d8160ff1bb281323ef65
SHA512 87338c74f12a8a46cfded83c94d14ac9c11f6c68b88f9ce0603a7b1ef6d91ce5d7c26827813ee662c16a024abee85ea9eec3472450f0ec84449cc52b8cbb20c6

C:\Windows\System\QSPxuzz.exe

MD5 9f2a5a03f109866f606a8d1012240e0c
SHA1 5e9097951f172188dddbc05ca585a476db0fe094
SHA256 1731d01377bdc20cbc10eceaf9a8e9e9c076591e87224e20e9807ddea30fe9cb
SHA512 764f88c9bcf983dc752e5c5952887e5d51dc882dc4af7f3327854f7bf19a788f7c942b3b0a6cdb1057f0505b2513eadbfed4782ad49175582569c3190a6c89af

memory/332-77-0x00007FF7644E0000-0x00007FF764831000-memory.dmp

C:\Windows\System\XvOnaaS.exe

MD5 973f8b9ada538e778d2dab1e8c0555ed
SHA1 aaad177f86d0f416f5400221a9bd2f97b308177d
SHA256 f33235a0ae8b9c52fa0ec1a79ad214ab39ce858506e9cfca427e6cc3594b7efc
SHA512 0b8e6e040c620ebec044960dc686601821cdb65ef0851d5d0a6f3b4fee4f0ff3f4e2158f705e54270ca7511186b035351b19bf9ecdd61866c5f93e372e60cb4d

C:\Windows\System\xulpMeN.exe

MD5 bfe4155d00bf200c9f4e7fe843192a23
SHA1 3ed71d784cdd00c1ee6e0301af7adbf0f36c6917
SHA256 bbe2aa9fa39da7710e2d94bcf0ad573e3199106692412a4e3ffb2d2cbfad5b01
SHA512 07ae67aa3b7ef2f7b8c699e870aad587434e76ff3d52904b4c64a73520f6cb7d127d0c78026570b7b182f12bf78588b495f8636a91757fafe4b178d4f6626651

C:\Windows\System\YOWsSLj.exe

MD5 fef351d02322e0df61b7f592c28a3607
SHA1 46655e0f2e2be62c3d25b0f56beee6f2a1707705
SHA256 078c31f59caf588449188b11f531c22b43de0bec8ea4e72f035339763fc7b188
SHA512 c0fda80eb28b8820fbb28416df9563e83803519bf077c451363921f002fe0a1f9c09f9c41d45ffa900cdd2a7310e8732bc03df39aa6eec50b95b4002382ff2ab

C:\Windows\System\eGkMNLH.exe

MD5 db310503d2a857e029dd1f775eaa4c03
SHA1 5f5910f16430c6d44f7857cff34321d695066f54
SHA256 c35948bb00338a6a243974a8a27dadebc89d8f52dee22becd6f211829b35b5f5
SHA512 e2e0006a4857723f9bd6991cd90efcb2c2b9e0fe684968bd0fb746f12a66574fa06552a45ddb537d2eb2922ee8b7ff0edcd81a940b2bfb6a003c97875ee872f8

C:\Windows\System\NeaTZvn.exe

MD5 e88c7de0836f257b714c62c50c41a0be
SHA1 fcb4cb09c92892667677b57737df42fec4dc06a7
SHA256 f764270d42c4ee80b5274407ca046a8c26b50f86e8805019af3b9dc08715a289
SHA512 ca7174b13614b30bf0877692cb8d72e8966eb540561346203aa0a13042c86f9b7a1a71e3ab28b072a4e76ad9b07292cbca1f91771b8ae42b3a2b6584e796a551

C:\Windows\System\jImBnTz.exe

MD5 5b946f39796ebe9fcc590b532ee8aba1
SHA1 99af8a9b8533dfc3d0a7d9b0b11f25d1019a65ba
SHA256 756ef7732b5ed4773673541457d89158b1382ea1c2141673ea6d692d5daef939
SHA512 4db38a2a5f59457deb86c4209a7f62a5e17dcd3f511d5597dfe05b320492cd5dd7a8392215c9216a9cd384b435d7de785679a72ac571955707aab4d3c7f3f2b6

memory/2072-126-0x00007FF6FD020000-0x00007FF6FD371000-memory.dmp

memory/2380-128-0x00007FF7931C0000-0x00007FF793511000-memory.dmp

memory/2216-127-0x00007FF77CBB0000-0x00007FF77CF01000-memory.dmp

memory/3120-125-0x00007FF668DF0000-0x00007FF669141000-memory.dmp

memory/2836-124-0x00007FF65DAF0000-0x00007FF65DE41000-memory.dmp

C:\Windows\System\DJoAAKS.exe

MD5 04f976256379243c656366fed5feeb74
SHA1 f92db2184383d1e643b8bf56b170cc433b5f8612
SHA256 9ae23bf8acf9d2232964170423c6de732cc311d3c37ae415dcd39bb00028a604
SHA512 8a4b9cfa4735d7b2d858d99d4f0620937e22462fc6cabe748cef9c3f64d3eccdc1345e274dfbe0aecb1a15dffed28b34e5f51795b91397f535c8813e3d0770e4

C:\Windows\System\ZpSqGVc.exe

MD5 a266f52af8dbb6320f0d2cf5851cb021
SHA1 4bb7bc8683b872c387f1aa66703808e0e30853b6
SHA256 5c35e49fe5b7ed501565ca3ca99f7bf31334118ef6bde242f648d8ad56da1573
SHA512 a277045bd298aae3eb3e2ba512b25764f42be1a4604ce477110ba05734520b87c6fa86c5dda4991dcbc5c93993e3f1b26c05de7bbff7319929380ba7f41bb113

memory/4468-98-0x00007FF6CC730000-0x00007FF6CCA81000-memory.dmp

memory/4640-97-0x00007FF66B130000-0x00007FF66B481000-memory.dmp

memory/4504-94-0x00007FF7F8F70000-0x00007FF7F92C1000-memory.dmp

memory/1684-90-0x00007FF722B90000-0x00007FF722EE1000-memory.dmp

memory/2292-86-0x00007FF6C9B00000-0x00007FF6C9E51000-memory.dmp

C:\Windows\System\nzbqjHW.exe

MD5 3fb90d526c55fabdb57a9523c6745c59
SHA1 e905dfdc7bd4ed0f8ea4213ec434800c4ec7d8dc
SHA256 e872ffad1a6963f36498a175bba0645815bd65876cce2313e361f9db97cb1c34
SHA512 4ad05dd54f84bd2a00772b40ee7e9b01db834e5e81e971032fba84e153c14242d26fd5c83fc09a2e110e68e7604b541518f898b851517c87d4547c7e67af6341

C:\Windows\System\ROXzypk.exe

MD5 49efbf99284654dc83553413c4775dce
SHA1 e47366a022191a95d24764001fc6a870cc3b47b1
SHA256 d56e3f317b4695bd73c42fa22e6f2698c0f8f8761ae1708ffc9d2cb7507b4209
SHA512 3e691b8b130add4c5f9f977674aec5e8a4918c89815ffa40c772e124163f1c6f09479696a7b9dc8a61853dd947b3fac50240385462d176d91bdbd9149c8df921

memory/3292-72-0x00007FF792AA0000-0x00007FF792DF1000-memory.dmp

memory/756-71-0x00007FF637EC0000-0x00007FF638211000-memory.dmp

memory/4848-64-0x00007FF711F20000-0x00007FF712271000-memory.dmp

memory/2184-63-0x00007FF7B3070000-0x00007FF7B33C1000-memory.dmp

memory/1348-56-0x00007FF686BD0000-0x00007FF686F21000-memory.dmp

C:\Windows\System\aJcnBVV.exe

MD5 5118eb6bff13be3089ae28b14e2e102d
SHA1 166647314d3f2114b227d5f0be4cfbb72f4e832f
SHA256 ec4b97e144b7e44142e65af661c5353737bf2a050d8ba28c63768ac5d7b5b9e1
SHA512 fd839ca54c34bd7bcf9cc23722447ccb8d2ae4fa918481bafe0cc8ce97088e25d1378e12b593d739305ae310ab2c68cbac1b283a8059b79df6ba0bcf051867a7

C:\Windows\System\gMYweKB.exe

MD5 4716e65f58be475a6e97bff90e832470
SHA1 d69e60b4e9fbf98b36e1261f7f2a95969e0346d3
SHA256 026cb09c5af88168f6b648930f79ef9a0133b5a67f3288d94562b81445446d5f
SHA512 6d9d3e970b5c2e5de496a9e8c0c3f27a6ccc3bf587770c3feb5c46c1349d4f0c0ce691e5592adb09454fa8a9eb62fc7d5fda023a90f48094325ed1db9b56d318

memory/2828-47-0x00007FF635760000-0x00007FF635AB1000-memory.dmp

C:\Windows\System\ArhBAlg.exe

MD5 74e35c2b3d1fb92aa44730824a9e9c44
SHA1 9c740d79270b7ed96dda06c5ea5f0741a4fa2100
SHA256 1bdb0bcad38e753eb24d7b6aec0aed9128e63cece5917d8ca4444045b5ac43a0
SHA512 51c5fba27881f375d17144ee5b0024b93aa1d75d0c98f02b651172bcb6afe40407ad55afe9ff3df9d89e50b0dd78747df78a13e4dfbbdcff1ebe37f366e009f6

memory/5064-35-0x00007FF60A850000-0x00007FF60ABA1000-memory.dmp

C:\Windows\System\eUtIDIl.exe

MD5 5cb81bdf8d40aac6e307627b69d7f6c5
SHA1 4773e4597b938a2dacbf6299ade68d024ffec5ae
SHA256 950e48459e7b0dd4b973409080667188543421134a35834de663141e9c66f74f
SHA512 8666770345e8f1cffe5e2764da90a483b57276a128210e35ed482fb4665ae9c63931ad8e0773f7ea1bd64430b631ff2bc4f75d92e0b9ac06c38d3c600c0e4a84

memory/2552-16-0x00007FF6ED350000-0x00007FF6ED6A1000-memory.dmp

memory/2216-129-0x00007FF77CBB0000-0x00007FF77CF01000-memory.dmp

memory/2828-135-0x00007FF635760000-0x00007FF635AB1000-memory.dmp

memory/756-141-0x00007FF637EC0000-0x00007FF638211000-memory.dmp

memory/4640-143-0x00007FF66B130000-0x00007FF66B481000-memory.dmp

memory/4504-146-0x00007FF7F8F70000-0x00007FF7F92C1000-memory.dmp

memory/4468-145-0x00007FF6CC730000-0x00007FF6CCA81000-memory.dmp

memory/2292-142-0x00007FF6C9B00000-0x00007FF6C9E51000-memory.dmp

memory/1684-144-0x00007FF722B90000-0x00007FF722EE1000-memory.dmp

memory/332-140-0x00007FF7644E0000-0x00007FF764831000-memory.dmp

memory/1348-136-0x00007FF686BD0000-0x00007FF686F21000-memory.dmp

memory/1556-134-0x00007FF7E2F80000-0x00007FF7E32D1000-memory.dmp

memory/1872-130-0x00007FF7EF790000-0x00007FF7EFAE1000-memory.dmp

memory/4848-139-0x00007FF711F20000-0x00007FF712271000-memory.dmp

memory/2596-132-0x00007FF7D49E0000-0x00007FF7D4D31000-memory.dmp

memory/2552-131-0x00007FF6ED350000-0x00007FF6ED6A1000-memory.dmp

memory/2216-151-0x00007FF77CBB0000-0x00007FF77CF01000-memory.dmp

memory/2552-204-0x00007FF6ED350000-0x00007FF6ED6A1000-memory.dmp

memory/1872-206-0x00007FF7EF790000-0x00007FF7EFAE1000-memory.dmp

memory/5064-223-0x00007FF60A850000-0x00007FF60ABA1000-memory.dmp

memory/2184-228-0x00007FF7B3070000-0x00007FF7B33C1000-memory.dmp

memory/1556-226-0x00007FF7E2F80000-0x00007FF7E32D1000-memory.dmp

memory/2596-224-0x00007FF7D49E0000-0x00007FF7D4D31000-memory.dmp

memory/1348-236-0x00007FF686BD0000-0x00007FF686F21000-memory.dmp

memory/332-238-0x00007FF7644E0000-0x00007FF764831000-memory.dmp

memory/756-240-0x00007FF637EC0000-0x00007FF638211000-memory.dmp

memory/2828-235-0x00007FF635760000-0x00007FF635AB1000-memory.dmp

memory/3292-233-0x00007FF792AA0000-0x00007FF792DF1000-memory.dmp

memory/4848-231-0x00007FF711F20000-0x00007FF712271000-memory.dmp

memory/2292-244-0x00007FF6C9B00000-0x00007FF6C9E51000-memory.dmp

memory/1684-257-0x00007FF722B90000-0x00007FF722EE1000-memory.dmp

memory/4468-255-0x00007FF6CC730000-0x00007FF6CCA81000-memory.dmp

memory/4504-253-0x00007FF7F8F70000-0x00007FF7F92C1000-memory.dmp

memory/4640-250-0x00007FF66B130000-0x00007FF66B481000-memory.dmp

memory/2836-248-0x00007FF65DAF0000-0x00007FF65DE41000-memory.dmp

memory/3120-246-0x00007FF668DF0000-0x00007FF669141000-memory.dmp

memory/2072-243-0x00007FF6FD020000-0x00007FF6FD371000-memory.dmp

memory/2380-258-0x00007FF7931C0000-0x00007FF793511000-memory.dmp