Malware Analysis Report

2025-08-11 08:12

Sample ID 241025-n1q8dayerc
Target 2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat
SHA256 ffce603765f6bad1f27321a2c7dbe428b7b7aa9d5d4a0ed78b83296fc3f236f1
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 ffce603765f6bad1f27321a2c7dbe428b7b7aa9d5d4a0ed78b83296fc3f236f1

Threat Level: Known bad

The file 2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobaltstrike

XMRig Miner payload

Cobaltstrike family

Cobalt Strike reflective loader

xmrig

Xmrig family

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-10-25 11:52

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-25 11:52

Reported 2024-10-25 11:54

Platform win7-20240903-en

Max time kernel 140s

Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\akfvPJS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xabPOoe.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TcKMHTv.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uXpZXMS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dUhUXFw.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KHAglYz.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ocoYEit.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ovrsbix.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vPyYRrZ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CwhxAJo.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hdyluPt.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QChvyPh.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nhFXJOE.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jTxAHHz.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QwhyrUh.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nihYrQn.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IvcBcQQ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xlkAOgW.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AXOozjm.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\stxLpsb.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kGVUcgu.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2532 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ovrsbix.exe
PID 2532 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ovrsbix.exe
PID 2532 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ovrsbix.exe
PID 2532 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vPyYRrZ.exe
PID 2532 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vPyYRrZ.exe
PID 2532 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vPyYRrZ.exe
PID 2532 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AXOozjm.exe
PID 2532 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AXOozjm.exe
PID 2532 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AXOozjm.exe
PID 2532 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jTxAHHz.exe
PID 2532 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jTxAHHz.exe
PID 2532 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jTxAHHz.exe
PID 2532 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CwhxAJo.exe
PID 2532 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CwhxAJo.exe
PID 2532 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CwhxAJo.exe
PID 2532 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hdyluPt.exe
PID 2532 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hdyluPt.exe
PID 2532 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hdyluPt.exe
PID 2532 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\akfvPJS.exe
PID 2532 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\akfvPJS.exe
PID 2532 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\akfvPJS.exe
PID 2532 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xabPOoe.exe
PID 2532 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xabPOoe.exe
PID 2532 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xabPOoe.exe
PID 2532 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QChvyPh.exe
PID 2532 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QChvyPh.exe
PID 2532 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QChvyPh.exe
PID 2532 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TcKMHTv.exe
PID 2532 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TcKMHTv.exe
PID 2532 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TcKMHTv.exe
PID 2532 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QwhyrUh.exe
PID 2532 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QwhyrUh.exe
PID 2532 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QwhyrUh.exe
PID 2532 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KHAglYz.exe
PID 2532 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KHAglYz.exe
PID 2532 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KHAglYz.exe
PID 2532 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nihYrQn.exe
PID 2532 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nihYrQn.exe
PID 2532 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nihYrQn.exe
PID 2532 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uXpZXMS.exe
PID 2532 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uXpZXMS.exe
PID 2532 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uXpZXMS.exe
PID 2532 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dUhUXFw.exe
PID 2532 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dUhUXFw.exe
PID 2532 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dUhUXFw.exe
PID 2532 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IvcBcQQ.exe
PID 2532 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IvcBcQQ.exe
PID 2532 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IvcBcQQ.exe
PID 2532 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\stxLpsb.exe
PID 2532 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\stxLpsb.exe
PID 2532 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\stxLpsb.exe
PID 2532 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kGVUcgu.exe
PID 2532 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kGVUcgu.exe
PID 2532 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kGVUcgu.exe
PID 2532 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ocoYEit.exe
PID 2532 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ocoYEit.exe
PID 2532 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ocoYEit.exe
PID 2532 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xlkAOgW.exe
PID 2532 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xlkAOgW.exe
PID 2532 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xlkAOgW.exe
PID 2532 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nhFXJOE.exe
PID 2532 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nhFXJOE.exe
PID 2532 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nhFXJOE.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\ovrsbix.exe

C:\Windows\System\ovrsbix.exe

C:\Windows\System\vPyYRrZ.exe

C:\Windows\System\vPyYRrZ.exe

C:\Windows\System\AXOozjm.exe

C:\Windows\System\AXOozjm.exe

C:\Windows\System\jTxAHHz.exe

C:\Windows\System\jTxAHHz.exe

C:\Windows\System\CwhxAJo.exe

C:\Windows\System\CwhxAJo.exe

C:\Windows\System\hdyluPt.exe

C:\Windows\System\hdyluPt.exe

C:\Windows\System\akfvPJS.exe

C:\Windows\System\akfvPJS.exe

C:\Windows\System\xabPOoe.exe

C:\Windows\System\xabPOoe.exe

C:\Windows\System\QChvyPh.exe

C:\Windows\System\QChvyPh.exe

C:\Windows\System\TcKMHTv.exe

C:\Windows\System\TcKMHTv.exe

C:\Windows\System\QwhyrUh.exe

C:\Windows\System\QwhyrUh.exe

C:\Windows\System\KHAglYz.exe

C:\Windows\System\KHAglYz.exe

C:\Windows\System\nihYrQn.exe

C:\Windows\System\nihYrQn.exe

C:\Windows\System\uXpZXMS.exe

C:\Windows\System\uXpZXMS.exe

C:\Windows\System\dUhUXFw.exe

C:\Windows\System\dUhUXFw.exe

C:\Windows\System\IvcBcQQ.exe

C:\Windows\System\IvcBcQQ.exe

C:\Windows\System\stxLpsb.exe

C:\Windows\System\stxLpsb.exe

C:\Windows\System\kGVUcgu.exe

C:\Windows\System\kGVUcgu.exe

C:\Windows\System\ocoYEit.exe

C:\Windows\System\ocoYEit.exe

C:\Windows\System\xlkAOgW.exe

C:\Windows\System\xlkAOgW.exe

C:\Windows\System\nhFXJOE.exe

C:\Windows\System\nhFXJOE.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2532-0-0x000000013FD00000-0x0000000140051000-memory.dmp

memory/2532-1-0x00000000000F0000-0x0000000000100000-memory.dmp

C:\Windows\system\ovrsbix.exe

MD5 b747aec628f8cc1dddb412c8ce2ff573
SHA1 1171aa9a966a57ece62459a2b0ab4681fab3b2a9
SHA256 2e605fc8d4d69b3495918433ff9c581b284fb79d44b680623a149a3d1151da16
SHA512 7af332817f4c30e13fb46765e31147afdee46c3e680aa36421505e4cad1a58f4e55ae877c8b16a836fb59d9392439f967c4d9e7f863c3fefe03314b2ea2942ab

\Windows\system\vPyYRrZ.exe

MD5 731bb354aee32b74dc17d3b8faaa6b1c
SHA1 6e0048d57fd3aca9315fe2ff50da2ab5d77c5874
SHA256 437d9857ddce2576cf0261b6d87efaa070968e29ff849b3c72c7adcfd4eff591
SHA512 d514b39eaf258fe2a60a7547108489866a91666bc27efb61fa450c6ceaaac653243479dde9de9d981870c298fbae4cac0ccc7604bf03b72dfa91f9b08a621ef9

\Windows\system\jTxAHHz.exe

MD5 ea26bd2c13ec70e2d364cfcc0300d8b1
SHA1 af03a8bf8d0f1c8bfe9503e2a94631213471a9a6
SHA256 48254d202e4dd0eb3edb3aa0788301c8d82facf8a0833e4df1c02b4295884716
SHA512 f594f384cf432d78e475f98cec239d32b66fd3bbc14e51182f268fa7e87b2cbd5158c31eee08362c36f3ab5b4662727769b4c3fd20de8e89703e8837c98da7cd

C:\Windows\system\AXOozjm.exe

MD5 dd7b7b1f301fe7bc635bc5caedd1d98e
SHA1 2de8dd0873711a8bd4a8a6f05b95c38e2845dc24
SHA256 ea87847bed4a84c67729792a4bf5ef4df89e90a4854c83168beba7b32643bb59
SHA512 6be4947d689558ac4c100dd31c0b4fca4dc367451e2e5c038efa127d8878f56487a860e36c60b89117f6bfa7f3e63ad4cf0e2bb434cb7619126d8b8fd93a1288

memory/2532-21-0x000000013F800000-0x000000013FB51000-memory.dmp

memory/2532-25-0x00000000022F0000-0x0000000002641000-memory.dmp

\Windows\system\CwhxAJo.exe

MD5 3dfb3012eb1ca73d46078be4ff496932
SHA1 6e93f073c22d36353f3dc28321d06a854085cd24
SHA256 f06f81da1e6e5adebd9cca82cad4ead356c082891541b543c801edc70fd609af
SHA512 944d83eda315a8a3f901de910048ba7ecd34e0d5ce1dc60b6bd9ac796aff53ccc387f1458b5d0f916fe2019ce97738f575e497e85214259b13f268732710728f

memory/1956-24-0x000000013F800000-0x000000013FB51000-memory.dmp

memory/2328-23-0x000000013F260000-0x000000013F5B1000-memory.dmp

memory/1300-31-0x000000013FE00000-0x0000000140151000-memory.dmp

\Windows\system\hdyluPt.exe

MD5 021ef29676f6bb9192fb222c2fa0a76f
SHA1 ec60b055ff832b2c0de21704ce855860586b078b
SHA256 fc34fc87fc03375ed5aa253f15633247781f81ef5c2f837a4898c17a11ff6526
SHA512 1ac6f9517a4e1e7f22ee3d35ccc134becd6fe4ad15937e38094b45286c726fc220f683eb0d5672caedd971fef9da49c795822f17c902bb31fd1e4f8d5729e6a9

memory/2816-35-0x000000013F4B0000-0x000000013F801000-memory.dmp

\Windows\system\QwhyrUh.exe

MD5 61fe9e548561343b63bc33b0160ed2ff
SHA1 0105df08bc88c718ed6bf240d6755b34d701b942
SHA256 9872f7e0079f11893de835767e667f347dcfe1080f5a30fae9bc19e81a8f7c20
SHA512 0864f936df7091be0fa451e279d8faad2fbd74833ca13e9ba20b1ab7a5acbd5c4c92be979e9a23db55b67690a5c3ff5c397a14e917b4f252a99764c99bf650e3

C:\Windows\system\akfvPJS.exe

MD5 5a05ff45dee6fa342c95ef78b69dc316
SHA1 0a37393a1c39e9642767528e11451fb21624a8aa
SHA256 29766e57260d63826c5531b6c3eaae04fc6c1951d1bb47ef06bc596aad5c368c
SHA512 752c5217b245c9dfec9cff859d8c45409d50d74d8df3f29cbc934cf679ff0100fba201ffe2c02ad0ef95266803ff3a75235ae6ba4316ca0bf428fea447b21851

memory/2532-59-0x000000013F4B0000-0x000000013F801000-memory.dmp

memory/2532-96-0x00000000022F0000-0x0000000002641000-memory.dmp

\Windows\system\xlkAOgW.exe

MD5 dd38dc3dc1d23738f5ab13f4c78f2b10
SHA1 0a21ff3e02f9f6e790d41649048e8c4dbd8e9b8f
SHA256 6c979b7130af2048f6d822567192ea1c8a2e37742ef59cc71a5cc5e0d4bf50c8
SHA512 0a30c2f01ab647d5e359bf23c096e0f506bd2d9e1e8bfee4c943edbc66fc2b001c3aeb4d1800dbfb9b14e60ef312d70460412247e6a8337c6f5cb9d438b72e29

memory/2780-100-0x000000013F240000-0x000000013F591000-memory.dmp

memory/2532-99-0x00000000022F0000-0x0000000002641000-memory.dmp

C:\Windows\system\stxLpsb.exe

MD5 456c7bd5d92aeac7a720db03ce3bf034
SHA1 a46aa7f83d24953fd91d04d6e870fd8e26abfb59
SHA256 1187905fcae89521ffdd2659f5534adaf36554846f3285a0910ffd1e0d1d75e7
SHA512 f323f94f6bd438805a3bd09dff3fb3c6bdc359dfea6f035590545dcd7f080345b92c7ad7a165a30110f06477db5f980818dd24bb33773556a6b96ea15065ad80

C:\Windows\system\uXpZXMS.exe

MD5 b011a4bc3b8d63ebe6624ca657e25b14
SHA1 97097450edb7640107229a95e866937c5fd803f1
SHA256 d53b63476eece83bf2d763ba2e49b31787d018d82ef5a744b6c8537deb01d6c3
SHA512 7629653d77a90c4f20a3c57e00711cf514e8c3ce0a90cd823ac6b17e0ac866155a05cc58648d1588cdba8bf3d6355c817a34e5a6060acfe6a36af0e3697b2265

\Windows\system\kGVUcgu.exe

MD5 b383dd9b2c7267068f9164ef983b46a6
SHA1 c84bcfd78d5c0c4ae2027d1d6b70cf0c349dc219
SHA256 aac41dea56ecece8dca1604f8a9b7a5a944ff575fd7c1013ab2b7d82f5aa82be
SHA512 7b34cfb20c582964bd978d529b2cb3ffa29619d705fe15fe77f2c2b22ba03bc1e1c56e79ed512408dc4bfdf090334defa7bbac1fd318fd74a046c29f7428fc2a

memory/3020-88-0x000000013F940000-0x000000013FC91000-memory.dmp

\Windows\system\IvcBcQQ.exe

MD5 f4d5049db7fc4739bc9e208fb63ffce1
SHA1 bdac238af3c0eeeb2c27e3b1e2b723eebff3f507
SHA256 0233a04e202368834bc52bb37cdb1f010eefd05be6246a6373f19e0ade57f561
SHA512 d6084c781313465d5b1d0c1e06b70c23dc2c8b9be7c813f8c4ddb042e19e4b7cc9bc1f6c1e9244017721a3d07cea01bbb8fc9e325f5f4796d9246bb4c88d9e41

C:\Windows\system\xabPOoe.exe

MD5 e7f8403e22d0ab1593160418aa38c121
SHA1 69c44ae2b5feaedde7626c55e7807e4b55245f63
SHA256 4873e247acd6f5cff04fb9e2880003604beddb5df2e3cfa6c01c92d4becd2b6b
SHA512 8cefa3a51dc17de934ea825a625e80ed434a7cc0a4c04b8fa9d5aec511ead6df23859aa796dba10653d7b104e06512c030470cd138383b8c8ed3d2b80b3ab4c7

\Windows\system\KHAglYz.exe

MD5 e89c564d0e70f0ea54a69b2e1652999e
SHA1 ba1612a45e47021792b0388ee4d88dcea1cfbe2a
SHA256 ba4310c1cd999869ac490af9ff393abd9f0459af58c92f411d47263a54fc6c6b
SHA512 f449ca55629ccd37ac2ce603db1b5835c1ba9e02c1d9640e60d39f55a72d9951aad71b73cb4d35076b6c8cb41f16b4ed3f51490978a9f3c13aa8e4650919a638

\Windows\system\TcKMHTv.exe

MD5 be84a168702978b0ea5a5f861ddd70c9
SHA1 7c2e7020490cb404a7d0cc47b7c5155eb3a07f5a
SHA256 08d4084dce88f147517f8ad8f5e13aab27092e8ecc8192e05489d5749d078dab
SHA512 e12be6c0747a906495c6940018e63bc80a9a00e1d89218259b678151c4c312701f75fbecf43765c4ce5b08c5216c41cd00aa96869b01fe1d98bee5d82bc07128

memory/2620-123-0x000000013F060000-0x000000013F3B1000-memory.dmp

memory/2908-122-0x000000013FF60000-0x00000001402B1000-memory.dmp

memory/2532-121-0x000000013F250000-0x000000013F5A1000-memory.dmp

memory/2764-120-0x000000013F710000-0x000000013FA61000-memory.dmp

memory/1292-119-0x000000013F760000-0x000000013FAB1000-memory.dmp

memory/2716-118-0x000000013FEE0000-0x0000000140231000-memory.dmp

memory/2532-117-0x000000013F760000-0x000000013FAB1000-memory.dmp

C:\Windows\system\nhFXJOE.exe

MD5 5f7a70af28f40145fcd78ff443de188c
SHA1 1c6f6db591f5d8500548b82fadc7318eca4e4373
SHA256 3730b3056afffaf6727b49adddca17a574db3e95aabe038bfea8560ec7d54dca
SHA512 11dbc5b5d3ab703447c9a56afe0e36fdb8053eb1b876fd09017c29f2851064d74e5e18bce518a6042468493809a3bf0f2356f46bf876a26dac31e0a887d28920

memory/1776-114-0x000000013F250000-0x000000013F5A1000-memory.dmp

memory/2136-113-0x000000013FC90000-0x000000013FFE1000-memory.dmp

C:\Windows\system\ocoYEit.exe

MD5 cb74b886437a380425adb60f22becf82
SHA1 a375c2f722a7be9918175e4ca69544f073dca616
SHA256 89baceab4cb75e3e43d2698f14f4fea481f2a94fb5e936d9bdfd2f5dc11fcae9
SHA512 671ea1977a8ff9f3b2bd5a8ccd04d46eae50757b770d18e6767f4760e2ca47af40974da44175f85cc34978621ce23f5cefd4002ba1feef12b6dcd4ed3b971171

memory/2532-104-0x000000013F8D0000-0x000000013FC21000-memory.dmp

C:\Windows\system\dUhUXFw.exe

MD5 43a36868e3840bbb3cfe6543fda8a8f9
SHA1 b2f9584edd4aa7751a74ebe93a03dd3b146bc035
SHA256 b24c6b85c5ca1a2cbe7d5be9ca1185255275a5949a4471ca10c8789dd106fdc9
SHA512 fbad724735e467eff815e34dbb66e757b23ea091ddb71920b70828a035f68bc49fbf02492614907cbf8a0602be17536b37398fcf6ac63c80589dcd469ee6acd5

C:\Windows\system\nihYrQn.exe

MD5 47bf4f9472e4ddd51401bf550a113da6
SHA1 3736ba668833e6c214d488138ac5d86f48fafadb
SHA256 45e7cd1dc8886af589ae386477b66aa4f1d558e0c1357b7ba1ab5eeb0c66c60c
SHA512 4149d5b85c38c8a243ae99b528880616b0ce2943a1c260e57cb0cd9bc433ed6386663d70476b62fcf7181243f58ae2199848bc8f99bc3a645201926d5cf476d3

memory/2532-67-0x000000013F940000-0x000000013FC91000-memory.dmp

C:\Windows\system\QChvyPh.exe

MD5 b29fd3d217888209f67165ef5145f6ce
SHA1 614309b3dba6674abf77964dc8c8b3bbf0e78528
SHA256 43ee446a8e6fbb56316cb9b12fe28fedcf7379889e6029e98ce078d6df3674c9
SHA512 f4a513b6b2eff56e271be759477b6fd9a32b251703cdc642eb713bc787da675429397754c30c7e45cb686e90d0ce117ee01a33c61dd73d18529e4f8db5fc37e7

memory/2532-63-0x000000013F710000-0x000000013FA61000-memory.dmp

memory/2356-48-0x000000013F7B0000-0x000000013FB01000-memory.dmp

memory/1300-131-0x000000013FE00000-0x0000000140151000-memory.dmp

memory/2532-133-0x000000013FD00000-0x0000000140051000-memory.dmp

memory/2532-132-0x000000013FD00000-0x0000000140051000-memory.dmp

memory/2816-137-0x000000013F4B0000-0x000000013F801000-memory.dmp

memory/2532-140-0x00000000022F0000-0x0000000002641000-memory.dmp

memory/2180-149-0x000000013F8D0000-0x000000013FC21000-memory.dmp

memory/1948-152-0x000000013F490000-0x000000013F7E1000-memory.dmp

memory/600-155-0x000000013F530000-0x000000013F881000-memory.dmp

memory/1308-154-0x000000013F440000-0x000000013F791000-memory.dmp

memory/2592-153-0x000000013F5B0000-0x000000013F901000-memory.dmp

memory/900-151-0x000000013F5B0000-0x000000013F901000-memory.dmp

memory/704-156-0x000000013FFA0000-0x00000001402F1000-memory.dmp

memory/2532-157-0x000000013FD00000-0x0000000140051000-memory.dmp

memory/2356-207-0x000000013F7B0000-0x000000013FB01000-memory.dmp

memory/1956-210-0x000000013F800000-0x000000013FB51000-memory.dmp

memory/2328-211-0x000000013F260000-0x000000013F5B1000-memory.dmp

memory/1300-231-0x000000013FE00000-0x0000000140151000-memory.dmp

memory/2816-232-0x000000013F4B0000-0x000000013F801000-memory.dmp

memory/3020-234-0x000000013F940000-0x000000013FC91000-memory.dmp

memory/2780-236-0x000000013F240000-0x000000013F591000-memory.dmp

memory/2908-238-0x000000013FF60000-0x00000001402B1000-memory.dmp

memory/2620-240-0x000000013F060000-0x000000013F3B1000-memory.dmp

memory/2764-242-0x000000013F710000-0x000000013FA61000-memory.dmp

memory/2136-244-0x000000013FC90000-0x000000013FFE1000-memory.dmp

memory/1776-246-0x000000013F250000-0x000000013F5A1000-memory.dmp

memory/1292-250-0x000000013F760000-0x000000013FAB1000-memory.dmp

memory/2716-248-0x000000013FEE0000-0x0000000140231000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 11:52

Reported

2024-10-25 11:54

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\SXWsWjj.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jVcgHzc.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\urxkLVh.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WdvDejg.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RSQFjzT.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sgLXlJp.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PysYUSO.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bPyTItp.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SSbLcit.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mINPePc.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CiwPRGi.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cBSSSUg.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JuCuLOO.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\judZQpF.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KeZKehj.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZBoluBS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QpMTLrz.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mKbVIXY.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hCAUkFI.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MdReKcT.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yaNuRZV.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5104 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sgLXlJp.exe
PID 5104 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sgLXlJp.exe
PID 5104 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PysYUSO.exe
PID 5104 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PysYUSO.exe
PID 5104 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bPyTItp.exe
PID 5104 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bPyTItp.exe
PID 5104 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SSbLcit.exe
PID 5104 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SSbLcit.exe
PID 5104 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SXWsWjj.exe
PID 5104 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SXWsWjj.exe
PID 5104 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\judZQpF.exe
PID 5104 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\judZQpF.exe
PID 5104 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jVcgHzc.exe
PID 5104 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jVcgHzc.exe
PID 5104 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QpMTLrz.exe
PID 5104 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QpMTLrz.exe
PID 5104 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KeZKehj.exe
PID 5104 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KeZKehj.exe
PID 5104 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mKbVIXY.exe
PID 5104 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mKbVIXY.exe
PID 5104 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mINPePc.exe
PID 5104 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mINPePc.exe
PID 5104 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CiwPRGi.exe
PID 5104 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CiwPRGi.exe
PID 5104 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\urxkLVh.exe
PID 5104 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\urxkLVh.exe
PID 5104 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WdvDejg.exe
PID 5104 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WdvDejg.exe
PID 5104 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cBSSSUg.exe
PID 5104 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cBSSSUg.exe
PID 5104 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RSQFjzT.exe
PID 5104 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RSQFjzT.exe
PID 5104 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JuCuLOO.exe
PID 5104 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JuCuLOO.exe
PID 5104 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hCAUkFI.exe
PID 5104 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hCAUkFI.exe
PID 5104 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZBoluBS.exe
PID 5104 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZBoluBS.exe
PID 5104 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MdReKcT.exe
PID 5104 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MdReKcT.exe
PID 5104 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yaNuRZV.exe
PID 5104 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yaNuRZV.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\sgLXlJp.exe

C:\Windows\System\sgLXlJp.exe

C:\Windows\System\PysYUSO.exe

C:\Windows\System\PysYUSO.exe

C:\Windows\System\bPyTItp.exe

C:\Windows\System\bPyTItp.exe

C:\Windows\System\SSbLcit.exe

C:\Windows\System\SSbLcit.exe

C:\Windows\System\SXWsWjj.exe

C:\Windows\System\SXWsWjj.exe

C:\Windows\System\judZQpF.exe

C:\Windows\System\judZQpF.exe

C:\Windows\System\jVcgHzc.exe

C:\Windows\System\jVcgHzc.exe

C:\Windows\System\QpMTLrz.exe

C:\Windows\System\QpMTLrz.exe

C:\Windows\System\KeZKehj.exe

C:\Windows\System\KeZKehj.exe

C:\Windows\System\mKbVIXY.exe

C:\Windows\System\mKbVIXY.exe

C:\Windows\System\mINPePc.exe

C:\Windows\System\mINPePc.exe

C:\Windows\System\CiwPRGi.exe

C:\Windows\System\CiwPRGi.exe

C:\Windows\System\urxkLVh.exe

C:\Windows\System\urxkLVh.exe

C:\Windows\System\WdvDejg.exe

C:\Windows\System\WdvDejg.exe

C:\Windows\System\cBSSSUg.exe

C:\Windows\System\cBSSSUg.exe

C:\Windows\System\RSQFjzT.exe

C:\Windows\System\RSQFjzT.exe

C:\Windows\System\JuCuLOO.exe

C:\Windows\System\JuCuLOO.exe

C:\Windows\System\hCAUkFI.exe

C:\Windows\System\hCAUkFI.exe

C:\Windows\System\ZBoluBS.exe

C:\Windows\System\ZBoluBS.exe

C:\Windows\System\MdReKcT.exe

C:\Windows\System\MdReKcT.exe

C:\Windows\System\yaNuRZV.exe

C:\Windows\System\yaNuRZV.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/5104-0-0x00007FF79A2E0000-0x00007FF79A631000-memory.dmp

memory/5104-1-0x00000202353F0000-0x0000020235400000-memory.dmp

memory/1680-6-0x00007FF7907A0000-0x00007FF790AF1000-memory.dmp

C:\Windows\System\sgLXlJp.exe

MD5 f7172c41a2568c098b96af909f49d6a6
SHA1 5d2f4ef286cea53e16cff34f9f67b7141efd2900
SHA256 2d69642395ebb109484d9b1b761266afcde26b09fa48713d1dc49fe3f0c1cdf4
SHA512 844f457a03defb543fb88f57aca599d5b74240ebb99025e6df4974e5c572c10bbbdc24ee60c3b2c051a6239857001b1e580c5822b79c418c5fe6e5e099ee2239

C:\Windows\System\bPyTItp.exe

MD5 369a6de3fd59eb8897d268f5b8c7fc01
SHA1 3572de0cf0350f83f606ccaa958c24f6997fa124
SHA256 9a2b7242e7b06452fbdaa6d5f53d98312e2f05eedb547043265654b2efebdc12
SHA512 6265a577173c2e490d3d3c3499fedf1cbebc0ce340429c948413ee365d7264df01f4b2a4e0bd0a0e72ead0292078948da7e554aa40101e8d959d12d2675eb292

C:\Windows\System\SSbLcit.exe

MD5 d762d7426a6438fe50e3ddbeb46f2bb0
SHA1 1372ba1c063fca5e4022801affd3558d75a25a2d
SHA256 fe3849d99d0a29c55c14593b28306cfbce7d4be62b487283d3a8ffeb5d1c4399
SHA512 c4a69ea2cb76bdc1a9ec34c9158a9779bdf85c7d37a282740c77be930452fb53523424b28985a0694057b577afd2dc6bf6e9cf37b7c192a8daadbf6d5090330a

C:\Windows\System\judZQpF.exe

MD5 319ecb3c3c35fc569f0d9c0df6390e46
SHA1 5f0ef4dc8636646f62976b6104fb7f5d6218e425
SHA256 222282a53e98818f1e0be990aa68f262a2796caf4f7b4c1a09ff842bea3377f8
SHA512 733c484b79d830526108e59d5b99d24da02b4b7051d9207a3ae42f881e673c8be10dde22bdefe578f062fd5b96c5d2f3645411cb7fc95c68c417618aa504f8a0

C:\Windows\System\jVcgHzc.exe

MD5 822795e7841aa2621cd0aabb2fc324cb
SHA1 ed97688766ea0bbf61e963446a4722cdba254754
SHA256 59a95ef81f74c55bfe6e2984bb94ed5d040d1e1a47953ebdba775aad9824b0b8
SHA512 a1cb3ac802c67460f30131ca0713251bec2cadf6f7042df2bff616a83f7bb8608cd49bba0283713c679174ec333256d9b95f6afac995a0bfcf12d976e01069d5

memory/2032-43-0x00007FF6A3140000-0x00007FF6A3491000-memory.dmp

C:\Windows\System\KeZKehj.exe

MD5 f3f3dbc3b3649bbea31fbc4dca0af17b
SHA1 c12d976b17bff42fdd14fa1913afa7072ea30ff7
SHA256 c41b4ac9ffedb3e5cd359690a5a4275942ea78381b08033df74fb37b2cc5d256
SHA512 f853e830eae1b8e531d8852555d71172ee03640aa954ac29ddcd1832afec81ddf7b331d4f7d4704a225ab5f2a9a705adda936f69cd25509e3139108fc56b7471

C:\Windows\System\CiwPRGi.exe

MD5 b4a56c4c87cc2868c65b160a33f6f865
SHA1 adccfa5a99c2945af961279fa28b6dce1bd63561
SHA256 e46f94e23ac45e740af5af422c8dc399494bb215b47df4fd9c76a0f3211455ee
SHA512 f8c672c16a25049203afd46f07db0aec5095c146f12b9bbdf34f91eeaf2f5a4f21ec999af2494caed92caa2d2a123cd60ddf73272898188c00170a810857e85f

C:\Windows\System\cBSSSUg.exe

MD5 f68fb5aa105506edc19f355471632141
SHA1 56f7501ea438979e705d177d10c479e1939a5f8e
SHA256 01b5afef693fbc341740bdf430b8b91c010ee6bbbd95c9d5652b319fc7758bee
SHA512 7df7d2edcbe2004ca05f0c1f9709c796ca3f5f30f6dd79016066e137eb547a51f3552d0ea1693e2799780c2665c5087e8446614505d2ca00ad1b9210926d3c95

C:\Windows\System\WdvDejg.exe

MD5 191a0d21c615a3637d83e410071001e3
SHA1 923945537aa674487b626a01637bf40d03dfab26
SHA256 ccf6691f455ee02fb0279d21c77681029f44111a2b83d532cc94ea1b3e253618
SHA512 a23b1150977edeea6fa004fe964a269d3844896bf3de1940b5ce7dff65f041faf1432b6c2b354de7188fa0d4fbb70f6a3522d9af038e60f282b176e6b43c4471

memory/1268-104-0x00007FF644700000-0x00007FF644A51000-memory.dmp

memory/3064-114-0x00007FF7A46E0000-0x00007FF7A4A31000-memory.dmp

memory/4828-119-0x00007FF6C8F90000-0x00007FF6C92E1000-memory.dmp

memory/1052-121-0x00007FF645650000-0x00007FF6459A1000-memory.dmp

memory/4536-123-0x00007FF680BC0000-0x00007FF680F11000-memory.dmp

C:\Windows\System\yaNuRZV.exe

MD5 fa90fd5123191f0dc568f81899fd4cfc
SHA1 504b993ff5aa3c7630010b40cd41289144a0415f
SHA256 0fe283d56defa131677adcfa166ce23831c89f95851c3c2ff7bc8d6c2967a781
SHA512 67a03377c2e243a334a938d2a6101d8168f4091c5f17c656022446ce5d9ef41bb0de69772fb628a94b49193c1b733c1d1d9f556254beeb9668ac1265339f807f

C:\Windows\System\MdReKcT.exe

MD5 5918c27a7d6be1437379d1bae8a286d1
SHA1 7733ef8ffc545114feb65527470c02da5f17dd8c
SHA256 1b6b074f33e674b5edd9131bd81af3a0ad906a675b1e3f59a1ebc4f0473d7526
SHA512 58cbba05b0638bd031c27be5b6dc2498d6e51cfcd0070e58c00b05969d0e65f82cc6537b554408b14781f1e8f2e3204b8204f57d598018176b0d5ea360ba0df0

memory/776-122-0x00007FF7704E0000-0x00007FF770831000-memory.dmp

memory/1956-120-0x00007FF650580000-0x00007FF6508D1000-memory.dmp

C:\Windows\System\ZBoluBS.exe

MD5 ab7cb572eac1d2b120d3f91f5fee8f31
SHA1 939fec42fe9256b79ff4c652b1457de657c27a04
SHA256 e5a59045ad799d5d5452c48b1111b8b455aa000acc1aeac62d046a4496569de9
SHA512 5027567805682da1b4a35adc2168c00bb40b4ce94eccf165b9ffbc8697466b26699bf03fb97856c2828b912fa942f31d058f48e455af5dac0a6a045ed92bd460

memory/1724-115-0x00007FF66A210000-0x00007FF66A561000-memory.dmp

C:\Windows\System\hCAUkFI.exe

MD5 ac49d75fa5fbab0f05c8ba8a65e7b798
SHA1 34a962c04451057e424578da6dfa54f27b94e55f
SHA256 1c67877c3b0f7402fe6bb54a866d13eed96350096b12777cc9a874d30aa583c0
SHA512 6fe2143d009054a6d76f3ae2accc54af2b9e6110bcc075ef95753feb4e08d3225c5fc30103adea6fa6497f8aab7314ab357c91a76fdb388b781b06adfd751273

C:\Windows\System\JuCuLOO.exe

MD5 12f017a0617b94218b6e9e8e94767a09
SHA1 7d4170185c116f870fc30f985c8d04a48ccdf32b
SHA256 a3da256f029da4fcd3a8ef61050fb825b7075c2b636c6127bf0d78341c9594b8
SHA512 56ed29fc23fac185ba103c7ccaa46bfe5eb2198221551c1d4c9e5a5f8912d9f7f067317ac96fce6028ae3c154862bbc8be1673d22b4ebb966b229f62dcaccaa9

C:\Windows\System\RSQFjzT.exe

MD5 2caeeeee34e87f09f83dd79a66d8bf58
SHA1 6fbf2b8b35d72f4e0f42217982a710094c2bed42
SHA256 cf07b064b1151e357da315eb8acaa2239574521ef349f3fe920c6978be5d9fe9
SHA512 1226a1ccab1e8e3c8be76a284cdee76a55eb5389d7886fa3f45c6e38bd36504701cd4385586f4d88ed6a91ba6ca95017afb56993984ebce6902df8e163b1b648

memory/2596-98-0x00007FF684E00000-0x00007FF685151000-memory.dmp

memory/2516-89-0x00007FF649E70000-0x00007FF64A1C1000-memory.dmp

memory/956-85-0x00007FF7CC8C0000-0x00007FF7CCC11000-memory.dmp

C:\Windows\System\urxkLVh.exe

MD5 f0fdaf9f00d15eb262105eacf51f5ee5
SHA1 f22ad627da756782da95dfdc5128083b87cde17c
SHA256 e4fad3f84ebca2a4711cc3e980187ac94e487a07ad1d9048cfea80695fecbe53
SHA512 eff66ac332d3ed10738bbdf882d3bd531d9adc340c9cb3b046afa4d5b889c7c3b2ad5d51230530dbf24a257950e304e792c3099309bc31ee5a7eb3b5a6cb55ba

C:\Windows\System\mINPePc.exe

MD5 5666998e5e9d48721f1f91771891d982
SHA1 afa675d007ee32232f99c695c4713ce232c3882f
SHA256 b5e7cd5da7e48cc3c2e8fe6a765e6407c40d7e89a5872e292d3a43421835a352
SHA512 47085801e4944235bed8c976ff35adc7669138a47bdf1dddf9980875e14da77fb57cd3a606ff4564dec98337201fd68064b22b6e19fdebc656b5326e30a538e5

memory/3976-71-0x00007FF7E5630000-0x00007FF7E5981000-memory.dmp

memory/3360-66-0x00007FF699620000-0x00007FF699971000-memory.dmp

C:\Windows\System\QpMTLrz.exe

MD5 5f9d6fa8fa64a75b2eceb2ce9dbc1c7f
SHA1 0b3d42e9204ca3217f46c0a8bc3bd85a157bd3c0
SHA256 9c3baaff033e8933376d80bfe634f4263bcbf0fb5954acded179c2b4df545eaa
SHA512 0c16dad4abf94e3d088b0b78f3361d5be560d01b0564cb628b5e71548cdee423d82164e74399bca7238ff5d6c2e8f684eaabee65cb5c133393375605b03d9759

C:\Windows\System\mKbVIXY.exe

MD5 bb5262ba2c916aeaa51f7789e2a0b079
SHA1 66d8108586ef5016a8411a5a17477204725bc7ce
SHA256 638c99e0e70be08325b3f6bdad1144a3f138053546a2ebab765be3a1811778ed
SHA512 3dbb6ed4633673c27ce52f45f350b0c98f56e4a69616eb1ff71c1e942521a41a0a61e8f89208eaf1ffcdd3d3b75125c13ce39703551141197959872feed9ae88

memory/952-57-0x00007FF646950000-0x00007FF646CA1000-memory.dmp

memory/2160-56-0x00007FF6D82E0000-0x00007FF6D8631000-memory.dmp

C:\Windows\System\SXWsWjj.exe

MD5 fac369b4eb2897f47bf0b8661b1504b1
SHA1 75ad7e83bf884ec6aabc5e770294bb57f81d4255
SHA256 52c686cc62917e8e7db87dc13461955436548211a998ca0b2688d71cadf604f4
SHA512 5f2c85022dd9156ed3a213f40edcbef2063c50f6f131333786fd3a97b24fd85596b3a2566bd05110fe2052b00378d308427885a38a76f91af94cfcbd89fdba54

memory/5100-32-0x00007FF6DAE70000-0x00007FF6DB1C1000-memory.dmp

memory/4976-30-0x00007FF75D650000-0x00007FF75D9A1000-memory.dmp

C:\Windows\System\PysYUSO.exe

MD5 145025a79af2c74a556134e7d8804d19
SHA1 124c8fd704361d0a4abeb7a5bbae2dba9112f6a6
SHA256 344e7dbb999952bc91720654a1f3e4dc0c1392327f6b1a05bb878fee9e543e04
SHA512 9ea88df74df2cd8b052bd26d97981b7b9d5e36d2aaa80d3a8ff5c6411b770ea3646efb9fb09577ea7ffd436078d042e93d89dcf32eb65cc874bc9b2e20b2b016

memory/2060-17-0x00007FF698DF0000-0x00007FF699141000-memory.dmp

memory/2096-19-0x00007FF7ED190000-0x00007FF7ED4E1000-memory.dmp

memory/5104-128-0x00007FF79A2E0000-0x00007FF79A631000-memory.dmp

memory/1680-129-0x00007FF7907A0000-0x00007FF790AF1000-memory.dmp

memory/2060-130-0x00007FF698DF0000-0x00007FF699141000-memory.dmp

memory/4976-132-0x00007FF75D650000-0x00007FF75D9A1000-memory.dmp

memory/2096-131-0x00007FF7ED190000-0x00007FF7ED4E1000-memory.dmp

memory/2032-135-0x00007FF6A3140000-0x00007FF6A3491000-memory.dmp

memory/952-137-0x00007FF646950000-0x00007FF646CA1000-memory.dmp

memory/2160-136-0x00007FF6D82E0000-0x00007FF6D8631000-memory.dmp

memory/5100-134-0x00007FF6DAE70000-0x00007FF6DB1C1000-memory.dmp

memory/5104-133-0x00007FF79A2E0000-0x00007FF79A631000-memory.dmp

memory/1268-154-0x00007FF644700000-0x00007FF644A51000-memory.dmp

memory/3064-155-0x00007FF7A46E0000-0x00007FF7A4A31000-memory.dmp

memory/776-157-0x00007FF7704E0000-0x00007FF770831000-memory.dmp

memory/2596-153-0x00007FF684E00000-0x00007FF685151000-memory.dmp

memory/956-147-0x00007FF7CC8C0000-0x00007FF7CCC11000-memory.dmp

memory/3360-149-0x00007FF699620000-0x00007FF699971000-memory.dmp

memory/4536-158-0x00007FF680BC0000-0x00007FF680F11000-memory.dmp

memory/5104-159-0x00007FF79A2E0000-0x00007FF79A631000-memory.dmp

memory/1680-214-0x00007FF7907A0000-0x00007FF790AF1000-memory.dmp

memory/2060-216-0x00007FF698DF0000-0x00007FF699141000-memory.dmp

memory/2096-218-0x00007FF7ED190000-0x00007FF7ED4E1000-memory.dmp

memory/2032-233-0x00007FF6A3140000-0x00007FF6A3491000-memory.dmp

memory/4976-234-0x00007FF75D650000-0x00007FF75D9A1000-memory.dmp

memory/3976-236-0x00007FF7E5630000-0x00007FF7E5981000-memory.dmp

memory/5100-238-0x00007FF6DAE70000-0x00007FF6DB1C1000-memory.dmp

memory/2160-242-0x00007FF6D82E0000-0x00007FF6D8631000-memory.dmp

memory/952-241-0x00007FF646950000-0x00007FF646CA1000-memory.dmp

memory/1268-250-0x00007FF644700000-0x00007FF644A51000-memory.dmp

memory/1052-260-0x00007FF645650000-0x00007FF6459A1000-memory.dmp

memory/1724-262-0x00007FF66A210000-0x00007FF66A561000-memory.dmp

memory/3064-258-0x00007FF7A46E0000-0x00007FF7A4A31000-memory.dmp

memory/956-257-0x00007FF7CC8C0000-0x00007FF7CCC11000-memory.dmp

memory/2516-254-0x00007FF649E70000-0x00007FF64A1C1000-memory.dmp

memory/3360-253-0x00007FF699620000-0x00007FF699971000-memory.dmp

memory/1956-249-0x00007FF650580000-0x00007FF6508D1000-memory.dmp

memory/2596-246-0x00007FF684E00000-0x00007FF685151000-memory.dmp

memory/4828-245-0x00007FF6C8F90000-0x00007FF6C92E1000-memory.dmp

memory/776-266-0x00007FF7704E0000-0x00007FF770831000-memory.dmp

memory/4536-265-0x00007FF680BC0000-0x00007FF680F11000-memory.dmp