Malware Analysis Report

2025-08-11 08:12

Sample ID 241025-n2zadazdlq
Target 2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat
SHA256 ec0342c224d1a630bac0247fcd10a2300d53d93c16cf8e30604a7fda933131b7
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ec0342c224d1a630bac0247fcd10a2300d53d93c16cf8e30604a7fda933131b7

Threat Level: Known bad

The file 2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobaltstrike family

Cobaltstrike

Xmrig family

XMRig Miner payload

xmrig

Cobalt Strike reflective loader

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-10-25 11:54

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 11:54

Reported

2024-10-25 11:56

Platform

win7-20240903-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\QuRPZQm.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NoZxtwd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JboAAAe.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ISCWzMh.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EihacFP.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wQkQiIA.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uopnPaT.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tVHcKMP.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jeQImhV.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lOLSMhD.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ELahDtr.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bqEVcys.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LduQRtn.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aIwWGhH.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KJWWyLq.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vPliCSL.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EbjHOXJ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SAYbfNI.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MeLwrat.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BytHjrL.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qdYIpDh.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 292 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uopnPaT.exe
PID 292 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uopnPaT.exe
PID 292 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uopnPaT.exe
PID 292 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tVHcKMP.exe
PID 292 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tVHcKMP.exe
PID 292 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tVHcKMP.exe
PID 292 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BytHjrL.exe
PID 292 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BytHjrL.exe
PID 292 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BytHjrL.exe
PID 292 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QuRPZQm.exe
PID 292 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QuRPZQm.exe
PID 292 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QuRPZQm.exe
PID 292 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EbjHOXJ.exe
PID 292 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EbjHOXJ.exe
PID 292 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EbjHOXJ.exe
PID 292 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NoZxtwd.exe
PID 292 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NoZxtwd.exe
PID 292 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NoZxtwd.exe
PID 292 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SAYbfNI.exe
PID 292 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SAYbfNI.exe
PID 292 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SAYbfNI.exe
PID 292 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JboAAAe.exe
PID 292 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JboAAAe.exe
PID 292 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JboAAAe.exe
PID 292 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LduQRtn.exe
PID 292 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LduQRtn.exe
PID 292 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LduQRtn.exe
PID 292 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KJWWyLq.exe
PID 292 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KJWWyLq.exe
PID 292 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KJWWyLq.exe
PID 292 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ISCWzMh.exe
PID 292 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ISCWzMh.exe
PID 292 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ISCWzMh.exe
PID 292 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aIwWGhH.exe
PID 292 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aIwWGhH.exe
PID 292 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aIwWGhH.exe
PID 292 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lOLSMhD.exe
PID 292 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lOLSMhD.exe
PID 292 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lOLSMhD.exe
PID 292 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EihacFP.exe
PID 292 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EihacFP.exe
PID 292 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EihacFP.exe
PID 292 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ELahDtr.exe
PID 292 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ELahDtr.exe
PID 292 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ELahDtr.exe
PID 292 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vPliCSL.exe
PID 292 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vPliCSL.exe
PID 292 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vPliCSL.exe
PID 292 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qdYIpDh.exe
PID 292 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qdYIpDh.exe
PID 292 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qdYIpDh.exe
PID 292 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wQkQiIA.exe
PID 292 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wQkQiIA.exe
PID 292 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wQkQiIA.exe
PID 292 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jeQImhV.exe
PID 292 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jeQImhV.exe
PID 292 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jeQImhV.exe
PID 292 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bqEVcys.exe
PID 292 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bqEVcys.exe
PID 292 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bqEVcys.exe
PID 292 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MeLwrat.exe
PID 292 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MeLwrat.exe
PID 292 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MeLwrat.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\uopnPaT.exe

C:\Windows\System\uopnPaT.exe

C:\Windows\System\tVHcKMP.exe

C:\Windows\System\tVHcKMP.exe

C:\Windows\System\BytHjrL.exe

C:\Windows\System\BytHjrL.exe

C:\Windows\System\QuRPZQm.exe

C:\Windows\System\QuRPZQm.exe

C:\Windows\System\EbjHOXJ.exe

C:\Windows\System\EbjHOXJ.exe

C:\Windows\System\NoZxtwd.exe

C:\Windows\System\NoZxtwd.exe

C:\Windows\System\SAYbfNI.exe

C:\Windows\System\SAYbfNI.exe

C:\Windows\System\JboAAAe.exe

C:\Windows\System\JboAAAe.exe

C:\Windows\System\LduQRtn.exe

C:\Windows\System\LduQRtn.exe

C:\Windows\System\KJWWyLq.exe

C:\Windows\System\KJWWyLq.exe

C:\Windows\System\ISCWzMh.exe

C:\Windows\System\ISCWzMh.exe

C:\Windows\System\aIwWGhH.exe

C:\Windows\System\aIwWGhH.exe

C:\Windows\System\lOLSMhD.exe

C:\Windows\System\lOLSMhD.exe

C:\Windows\System\EihacFP.exe

C:\Windows\System\EihacFP.exe

C:\Windows\System\ELahDtr.exe

C:\Windows\System\ELahDtr.exe

C:\Windows\System\vPliCSL.exe

C:\Windows\System\vPliCSL.exe

C:\Windows\System\qdYIpDh.exe

C:\Windows\System\qdYIpDh.exe

C:\Windows\System\wQkQiIA.exe

C:\Windows\System\wQkQiIA.exe

C:\Windows\System\jeQImhV.exe

C:\Windows\System\jeQImhV.exe

C:\Windows\System\bqEVcys.exe

C:\Windows\System\bqEVcys.exe

C:\Windows\System\MeLwrat.exe

C:\Windows\System\MeLwrat.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/292-0-0x000000013F060000-0x000000013F3B1000-memory.dmp

memory/292-1-0x0000000001B20000-0x0000000001B30000-memory.dmp

C:\Windows\system\uopnPaT.exe

MD5 0e5ceb496e9a3c38d993cbd6e32c697a
SHA1 5b2c5302d12eddfdbc5fc1504d3a4a67f8059060
SHA256 90660d1886dc93acf0190a7c568ca02c6628b7e61bbbd151f94cdcb59c37d75d
SHA512 2c1dcf9976568bdbc989bbf37da5f28aaefc525409f7d73b98b4ca22e5412ddf6fd73c65f148bb0a0746ebcdbc26d84eca7c8bd838ef2f88f5b35c5ef7fa13b2

\Windows\system\tVHcKMP.exe

MD5 4f524459545cf016503d2054d1c7959e
SHA1 0e463fc0652b90493e13ee98a248c7f73ef43088
SHA256 2755afff209b154379c02882c530992f37e3696a5ca05b3d48a05fd581940b8c
SHA512 bdffc09131b9132b1c3c29595e071043dd9a0cb0a2fcc35a64aa7ca74daf3995189e1df8e5f9d2997d1596716d037a14215bf1ccec90c90759890705369c7492

C:\Windows\system\BytHjrL.exe

MD5 cc1e07fef40c026c81b672857e0061b4
SHA1 4032913c26b8baf27a8ee6c621d2b1f565e71269
SHA256 4e5bd6faf0a9406036393327c78480d491329c114988251b44e866aeadfaf03e
SHA512 cfae571cf82daa175996ff3013b2c49c6c890b2de860cdcab633f2d370d40620ba28d391aa6384cbd7a35ba7de59fc66c89b1871d78892e8c31d0d67832621f5

C:\Windows\system\QuRPZQm.exe

MD5 4bb06c7ca9e040b371c3b93743ba9bea
SHA1 f260c921941a06287c61e9b0e68ba02cbc93ab26
SHA256 2e57b09758dab8214a39f63d36ce9412d3dff1bc76082d3892a53869af588a09
SHA512 786152181a7fc00efdfb6497cd947d62776a126596f713a145bca36eca641d6d2b814213966f92051475034dddec9b568d70f125614594fedc186ef61adb0279

\Windows\system\EbjHOXJ.exe

MD5 7deb020b9dda341b7622aec9e4c9a501
SHA1 b96cabda5ed4514c9700dbf1bf9ef7a1da15dacd
SHA256 23175bafc4e53944fe06d0cf0357e387c7b0ac3969661c3b0907c8ceb4fe941a
SHA512 e249ad010e7c6bcd61f48f925b858a2d5b504fbdee11f5e70c64f532e8c750f86780be35654f778a92a7eccfff49a3663072f9e252711ccc3e5eac303e7a54fd

memory/292-30-0x000000013FAC0000-0x000000013FE11000-memory.dmp

memory/2480-28-0x000000013FE60000-0x00000001401B1000-memory.dmp

memory/292-26-0x00000000022C0000-0x0000000002611000-memory.dmp

memory/292-25-0x000000013FE60000-0x00000001401B1000-memory.dmp

memory/1516-24-0x000000013F670000-0x000000013F9C1000-memory.dmp

memory/292-22-0x000000013F670000-0x000000013F9C1000-memory.dmp

memory/3068-21-0x000000013F350000-0x000000013F6A1000-memory.dmp

memory/1720-19-0x000000013FC20000-0x000000013FF71000-memory.dmp

memory/2268-34-0x000000013FAC0000-0x000000013FE11000-memory.dmp

memory/2928-47-0x000000013F820000-0x000000013FB71000-memory.dmp

memory/292-46-0x000000013F820000-0x000000013FB71000-memory.dmp

C:\Windows\system\SAYbfNI.exe

MD5 e1102971e54471ac10e009b3889662f6
SHA1 cc5b86bdda039518dabd9c49e61843221aa333f5
SHA256 ffaf153ded326e64a35a2e031dc4a23145ef689f8acf26631d4bc2f57ab49e3a
SHA512 90e97df6c3e61ce0451aa850d2b7b853a83c5eda1641f67c1d0f5dcf84686eeecd9cc6d1d09f4c2992c3672f050735ac675c8820737c84019aee8274c66fdab1

C:\Windows\system\NoZxtwd.exe

MD5 5951316e699f53c2a437c81d63aafab8
SHA1 b52ca8aca8b313f33685615fbc8e525ac1c774bb
SHA256 5be6ca348390ce2cc7f1ed679b176d98f12592dc0ee80af16f9209f7853e7c5e
SHA512 300ac210ebd527dbe1585337e70923075cceb766d05e3e18e163bac3103204b94ae16950952d1ee4ac82569ef7ccdfa606b682ff0881a2ff1c010df26a18b0fe

C:\Windows\system\ELahDtr.exe

MD5 9557de245950a7931f123443a80c5dd1
SHA1 070214181e357b566502d99daeab491e2d940b3c
SHA256 5ee8451b7d379fca1472e5c94812b2059996fe28b1e11a08d0df4101a7d348e3
SHA512 17b4fe2ca64adf80d38ce810f3952fb2334fab7d0c599d6b8dd21d5f01b8d72ac538f39e1e6bd8f02823d3b9ad332a24a6dadae21c1750cb5e7222ac034ac6d1

\Windows\system\EihacFP.exe

MD5 9760991c2814533f8223c88fa1e5426b
SHA1 0f487660697ee1c30c11c4d8d7cb38bd47d7bd86
SHA256 d0380f5260a864938c082a38e712c24526a2a0d4f8ea97ccb11b32d1944e1479
SHA512 0776843532351bd245f4c7c0420e8be68ab527edfa2d49b9c072b3e38099713fb4808d643e535e0df5b097e7a2f9fb74427e34d013270f062e86d63b6c91190d

memory/2636-103-0x000000013F980000-0x000000013FCD1000-memory.dmp

C:\Windows\system\qdYIpDh.exe

MD5 a701ec6312d960b7a0396323699d38e1
SHA1 8b02870de586b2531cc30c8defb2d4cf49921d4d
SHA256 6e1737a27b04119eb378db056dcc6e6b0fef5d45b3e1e314a6ae306ad2064b9b
SHA512 49d37b5eeb1feb282aebed1ef3e0683103815d02cb0eff4fcce085a4913ca93da36fd0939764bd46870f8e7ab1380f3cb6bf6ab3aca494514b538a433cd31d31

C:\Windows\system\wQkQiIA.exe

MD5 f4c4945ed3c0b4f9e388a79770ab10fa
SHA1 93287f21925b810f5bde41010ce6d3341d78e014
SHA256 fc95bb3dccc1bd55c336d332403349567d503f8386f0af1f6d2f0cf098289d7a
SHA512 bd82da1b162856391605e06940538ab73e62c94c134e06274f3a0aa13fda42c1f54c6d3cdfb1de0c6af9986e416229b57e4d9e30708a661d071e8f3651dcf371

C:\Windows\system\bqEVcys.exe

MD5 98ea70399574a2336093603a1933d205
SHA1 70b1508bf1a852abf9af55ade2b6203d969546f6
SHA256 69dfddcf922fc66bda0d3b281681c809dd838f4da4ee90ec81111b8363f1ecd5
SHA512 ce247ceed782dea5038862a8ed6978efbab8e2f52403c66aeba5e66251bdfb83adffd9d8e5f9990711b36a30376fa6b15c1d351fafead659cc1056889ee60a98

C:\Windows\system\MeLwrat.exe

MD5 23e2b05e2a8f520c6f4bfc1a890844b7
SHA1 2c155b44229d784000872277fe662e124ee59171
SHA256 c4eb6160a685f4ce44b975c8345f779192d2eb73356c710093d66f23e6de735d
SHA512 b7ec885a5cc78c59bea16b1427a907a9eb50d38a4f2341d8a22ebca0774b6fd3e8d537ae49f6b8cfc11c6cc521769c775346508edf131f698766e55134bd76fa

C:\Windows\system\jeQImhV.exe

MD5 a2c3499eecc7c3254a40bd02024a0fcf
SHA1 82948a8814ac1c34a99f6661bed40152e3d85c9a
SHA256 6aba69cbdae8b18e1d0349bb89183dd91821fa4fd9e7b03ba1ebe3f381376f76
SHA512 bc780b4db49e29abffb2ee574f1c7c765236438114c5be26778c9d4002446118b5ca8334f5a894b75a7f4d04d8dcdedf74df866aeaf84ea6bf455d6f0a9f121f

C:\Windows\system\vPliCSL.exe

MD5 41b9263c2f73dcce1e7fc399af2f350a
SHA1 4ac04956e3abd65fb47c73246b23c76dac939e40
SHA256 42801e7fa760f60a5f8988834b22a7d7996f53e0dc60fab013081d8fece834ba
SHA512 0e47ec7fd563913faf45f51c2085d04f6658b47d8dfb8a2cff8c6c1bc5bede1fc8e575d93d70b8f2a65cee4691657d130732ff3058a73ef145e41aefdbc3d4b5

memory/2480-107-0x000000013FE60000-0x00000001401B1000-memory.dmp

memory/2724-106-0x000000013F390000-0x000000013F6E1000-memory.dmp

memory/2268-136-0x000000013FAC0000-0x000000013FE11000-memory.dmp

memory/1032-105-0x000000013F8E0000-0x000000013FC31000-memory.dmp

memory/292-104-0x000000013F8E0000-0x000000013FC31000-memory.dmp

C:\Windows\system\KJWWyLq.exe

MD5 a4d1808246109627d507ded297a09413
SHA1 5d51e8adda0c77c0b34bfa24e4bd5b31c8c633d9
SHA256 7da72d5ec26585b03fcf87a5ba07ad14c4d9a3068b906adcd1b21c6acb47a002
SHA512 85fe715e78be8ded0cb364c17b1bb1750c2850e2829e45f4f6878d28be73fef9764b5e549e3be41a1675cef44ed2a20fa5943e000d146a434f685619323310e9

C:\Windows\system\JboAAAe.exe

MD5 1416fcd95e06587104a9ac9a2fe1e1f6
SHA1 1322de14f66fa0405f68221598d85caf50aeeed9
SHA256 5193c2ccc1dd52fafd0e4b838e877f261f37d80cdef8605ea2602fb20fabb1ce
SHA512 2bf75eb384a6ac5f9b6c5c6f2ae4fb86a467508f666082c937eed130b71ea75b8968376d8c7c71013a03dd2114e2ff18aacda3a33a2d4b3a64112b206324b040

memory/2628-87-0x000000013FAD0000-0x000000013FE21000-memory.dmp

memory/3068-86-0x000000013F350000-0x000000013F6A1000-memory.dmp

memory/3028-137-0x000000013F5C0000-0x000000013F911000-memory.dmp

memory/2640-85-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/1720-84-0x000000013FC20000-0x000000013FF71000-memory.dmp

memory/292-83-0x00000000022C0000-0x0000000002611000-memory.dmp

memory/292-81-0x000000013FE90000-0x00000001401E1000-memory.dmp

memory/292-80-0x00000000022C0000-0x0000000002611000-memory.dmp

C:\Windows\system\lOLSMhD.exe

MD5 b3ccef4da09ae5cda7bf48b4430c64e7
SHA1 324f4034c0dc6c49b0db7d0ecbf38048b7a5bd8b
SHA256 983df2aa88178975061538b8ac336ce09014414ce14f0a138a6bbb1f0ef1b9ed
SHA512 b35d420b0fe24c2d3548e266c2545a9488143d246fb6f730fb7fad4c34a61ec294b9cd026ada0a976bfa8aabced5e3facc7af378e4479b43ec70e54cb5ef1456

memory/2784-78-0x000000013FE90000-0x00000001401E1000-memory.dmp

memory/292-77-0x000000013FAD0000-0x000000013FE21000-memory.dmp

C:\Windows\system\LduQRtn.exe

MD5 9c6aaec13d9ccebd67a2f1427cbae307
SHA1 127af0957c5ef9fe4525cbe47c45202c468b8916
SHA256 5972f9c49c27ed4c611c1a2136229144a2050408d36a5c8487934a4ac8b657a3
SHA512 aa9682e16f189100cfddd43e815c6c49d0dc27886805d6e98f1aa0889f37a62f9c31e9b34276d20ee97d1e46d674f9bf12cdcac8153190988709cba3b7caa94a

\Windows\system\aIwWGhH.exe

MD5 31149ce6cf527deff420cf6347534985
SHA1 9bf435bdd20d4a33d9bea9388d06382d9a13a08b
SHA256 abfa7a5c8c17d1db2430b28e20ebc7d0648bf6a2ac5f70f0a93a12440426afc2
SHA512 d5503eb35a12fc93c85b4c2c7d08b769a759191c088056b998bdfbda5e1bc657e2779ce29d5eb9130713abd893abe86bf47c7ded5f1786e777f1e2363c36981b

memory/292-59-0x000000013F060000-0x000000013F3B1000-memory.dmp

memory/2728-101-0x000000013F1B0000-0x000000013F501000-memory.dmp

memory/2928-138-0x000000013F820000-0x000000013FB71000-memory.dmp

memory/292-71-0x000000013FD70000-0x00000001400C1000-memory.dmp

C:\Windows\system\ISCWzMh.exe

MD5 fb288315066c890d37a91bc644c6af76
SHA1 024a5c042638229987d53a006d350181ce04268d
SHA256 122ec1f1fa9dc6b5acee2f997ce326547a5ba8214ea3983a50176e133706c93f
SHA512 d81ef79aba5770d3861610d454fe092d2752d91642a78af364b899837b6fe2e258da3fa41ff7c89a1db810d7fbc98d3ad45678013fc8ea303263629f77d9cbba

memory/3028-41-0x000000013F5C0000-0x000000013F911000-memory.dmp

memory/292-139-0x000000013F060000-0x000000013F3B1000-memory.dmp

memory/1472-156-0x000000013F5C0000-0x000000013F911000-memory.dmp

memory/636-160-0x000000013FE10000-0x0000000140161000-memory.dmp

memory/2368-159-0x000000013FCD0000-0x0000000140021000-memory.dmp

memory/1244-158-0x000000013F920000-0x000000013FC71000-memory.dmp

memory/1304-157-0x000000013F490000-0x000000013F7E1000-memory.dmp

memory/2924-155-0x000000013FB90000-0x000000013FEE1000-memory.dmp

memory/2732-153-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

memory/292-161-0x000000013F060000-0x000000013F3B1000-memory.dmp

memory/1720-212-0x000000013FC20000-0x000000013FF71000-memory.dmp

memory/1516-214-0x000000013F670000-0x000000013F9C1000-memory.dmp

memory/3068-216-0x000000013F350000-0x000000013F6A1000-memory.dmp

memory/2480-228-0x000000013FE60000-0x00000001401B1000-memory.dmp

memory/2268-230-0x000000013FAC0000-0x000000013FE11000-memory.dmp

memory/2928-232-0x000000013F820000-0x000000013FB71000-memory.dmp

memory/3028-234-0x000000013F5C0000-0x000000013F911000-memory.dmp

memory/2784-236-0x000000013FE90000-0x00000001401E1000-memory.dmp

memory/2640-238-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/2628-240-0x000000013FAD0000-0x000000013FE21000-memory.dmp

memory/2636-242-0x000000013F980000-0x000000013FCD1000-memory.dmp

memory/1032-244-0x000000013F8E0000-0x000000013FC31000-memory.dmp

memory/2728-246-0x000000013F1B0000-0x000000013F501000-memory.dmp

memory/2724-254-0x000000013F390000-0x000000013F6E1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 11:54

Reported

2024-10-25 11:56

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 identical rows with no details recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(45 identical rows with no details recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows with no details recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\cdVLYuS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\airEmQp.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EuZmSCO.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OEBkNnE.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eronHPT.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GeerTYM.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tNGYyhO.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kqUmsBO.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UKgCkED.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PxElHep.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NNmfyLp.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DjKfyzb.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rbmzQux.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cEQVkAm.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XYSTzlS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xYRTiBL.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\quvZurg.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ciZwxCz.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\meiumHc.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sPceonp.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gnvFqke.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1764 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xYRTiBL.exe
PID 1764 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xYRTiBL.exe
PID 1764 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OEBkNnE.exe
PID 1764 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OEBkNnE.exe
PID 1764 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kqUmsBO.exe
PID 1764 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kqUmsBO.exe
PID 1764 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\quvZurg.exe
PID 1764 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\quvZurg.exe
PID 1764 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UKgCkED.exe
PID 1764 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UKgCkED.exe
PID 1764 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PxElHep.exe
PID 1764 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PxElHep.exe
PID 1764 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cdVLYuS.exe
PID 1764 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cdVLYuS.exe
PID 1764 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ciZwxCz.exe
PID 1764 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ciZwxCz.exe
PID 1764 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NNmfyLp.exe
PID 1764 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NNmfyLp.exe
PID 1764 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eronHPT.exe
PID 1764 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eronHPT.exe
PID 1764 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\meiumHc.exe
PID 1764 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\meiumHc.exe
PID 1764 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\airEmQp.exe
PID 1764 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\airEmQp.exe
PID 1764 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sPceonp.exe
PID 1764 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sPceonp.exe
PID 1764 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gnvFqke.exe
PID 1764 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gnvFqke.exe
PID 1764 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DjKfyzb.exe
PID 1764 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DjKfyzb.exe
PID 1764 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EuZmSCO.exe
PID 1764 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EuZmSCO.exe
PID 1764 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GeerTYM.exe
PID 1764 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GeerTYM.exe
PID 1764 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tNGYyhO.exe
PID 1764 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tNGYyhO.exe
PID 1764 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cEQVkAm.exe
PID 1764 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cEQVkAm.exe
PID 1764 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rbmzQux.exe
PID 1764 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rbmzQux.exe
PID 1764 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XYSTzlS.exe
PID 1764 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XYSTzlS.exe
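
The two tables above describe one chain: the submitted sample (PID 1764) creates a seven-letter, mixed-case .exe under C:\Windows\System, starts it, and then writes into that child's memory, twice per child, for all 21 drops. The following is an added triage example written for this page, not output of the sandbox: it replays a handful of rows transcribed from the tables (plus one constructed benign row) and reports only the children whose image was dropped by the same process that later wrote into them. The random-name regex and the benign explorer.exe row are this example's assumptions.

```python
import re

# Constructed sample: rows transcribed from the report's "Drops file in Windows
# directory" and "Suspicious use of WriteProcessMemory" tables (a subset; the
# report lists 21 dropped files, each written to twice).
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0"
           r"_cobalt-strike_cobaltstrike_poet-rat.exe")

FILE_CREATED = [
    ("File created", r"C:\Windows\System\cdVLYuS.exe", DROPPER),
    ("File created", r"C:\Windows\System\xYRTiBL.exe", DROPPER),
    ("File created", r"C:\Windows\System\OEBkNnE.exe", DROPPER),
    ("File created", r"C:\Windows\System\kqUmsBO.exe", DROPPER),
]

WPM_EVENTS = [
    # (description, writing process, target image); each child appears twice
    ("PID 1764 wrote to memory of 4712", DROPPER, r"C:\Windows\System\xYRTiBL.exe"),
    ("PID 1764 wrote to memory of 4712", DROPPER, r"C:\Windows\System\xYRTiBL.exe"),
    ("PID 1764 wrote to memory of 2152", DROPPER, r"C:\Windows\System\OEBkNnE.exe"),
    ("PID 1764 wrote to memory of 2152", DROPPER, r"C:\Windows\System\OEBkNnE.exe"),
    ("PID 1764 wrote to memory of 1832", DROPPER, r"C:\Windows\System\kqUmsBO.exe"),
    ("PID 1764 wrote to memory of 1832", DROPPER, r"C:\Windows\System\kqUmsBO.exe"),
    # Constructed control row (not from the report): a writer that did not drop
    # the target image, so the correlation must leave it alone.
    ("PID 900 wrote to memory of 901", r"C:\Windows\explorer.exe", r"C:\Windows\notepad.exe"),
]

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")

# Assumption for this example: seven letters directly under C:\Windows\System
# is the naming pattern every dropped file in this report follows.
RANDOM_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")


def dropped_by(rows):
    """Map dropped path -> creating process for 'File created' rows."""
    return {path: proc for desc, path, proc in rows if desc == "File created"}


def correlate(file_rows, wpm_rows):
    """One finding per child PID whose image was dropped by the very process
    that then wrote into its memory. Duplicate WPM rows are counted, not
    duplicated, so the caller sees how many writes hit each child."""
    created = dropped_by(file_rows)
    findings = {}
    for desc, writer, target in wpm_rows:
        m = WPM_RE.match(desc)
        if not m:
            continue
        parent_pid, child_pid = (int(x) for x in m.groups())
        if created.get(target) != writer:
            continue  # writer did not drop this image; outside the pattern
        f = findings.setdefault(child_pid, {
            "parent_pid": parent_pid,
            "image": target,
            "random_name": bool(RANDOM_NAME_RE.match(target)),
            "writes": 0,
        })
        f["writes"] += 1
    return findings


def ioc_paths(findings):
    """Sorted list of dropped images implicated by the correlation."""
    return sorted(f["image"] for f in findings.values())


if __name__ == "__main__":
    for pid, f in sorted(correlate(FILE_CREATED, WPM_EVENTS).items()):
        print(pid, f)
```

Run against a full EDR export the same logic needs only the three fields the sandbox already gives (description, writing process, target image); the double write per child is what distinguishes this dropper from a plain CreateProcess of a dropped file.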

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\xYRTiBL.exe

C:\Windows\System\xYRTiBL.exe

C:\Windows\System\OEBkNnE.exe

C:\Windows\System\OEBkNnE.exe

C:\Windows\System\kqUmsBO.exe

C:\Windows\System\kqUmsBO.exe

C:\Windows\System\quvZurg.exe

C:\Windows\System\quvZurg.exe

C:\Windows\System\UKgCkED.exe

C:\Windows\System\UKgCkED.exe

C:\Windows\System\PxElHep.exe

C:\Windows\System\PxElHep.exe

C:\Windows\System\cdVLYuS.exe

C:\Windows\System\cdVLYuS.exe

C:\Windows\System\ciZwxCz.exe

C:\Windows\System\ciZwxCz.exe

C:\Windows\System\NNmfyLp.exe

C:\Windows\System\NNmfyLp.exe

C:\Windows\System\eronHPT.exe

C:\Windows\System\eronHPT.exe

C:\Windows\System\meiumHc.exe

C:\Windows\System\meiumHc.exe

C:\Windows\System\airEmQp.exe

C:\Windows\System\airEmQp.exe

C:\Windows\System\sPceonp.exe

C:\Windows\System\sPceonp.exe

C:\Windows\System\gnvFqke.exe

C:\Windows\System\gnvFqke.exe

C:\Windows\System\DjKfyzb.exe

C:\Windows\System\DjKfyzb.exe

C:\Windows\System\EuZmSCO.exe

C:\Windows\System\EuZmSCO.exe

C:\Windows\System\GeerTYM.exe

C:\Windows\System\GeerTYM.exe

C:\Windows\System\tNGYyhO.exe

C:\Windows\System\tNGYyhO.exe

C:\Windows\System\cEQVkAm.exe

C:\Windows\System\cEQVkAm.exe

C:\Windows\System\rbmzQux.exe

C:\Windows\System\rbmzQux.exe

C:\Windows\System\XYSTzlS.exe

C:\Windows\System\XYSTzlS.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
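
Most of the table above is background traffic of the Windows 10 sandbox image (PTR lookups through 8.8.8.8 and bing.com/bing.net over 443); the one destination that is neither is 3.120.209.58:8080, contacted repeatedly with no name resolved. The following is an added example for this page, not part of the sandbox output: it replays a subset of the rows, separates DNS, allow-listed sandbox noise and everything else, and turns the reverse-lookup names back into the addresses being resolved. Treating the remaining destination as a C2 candidate, and the noise suffix list itself, are this example's assumptions; the report only records the connections.

```python
import ipaddress
from collections import Counter

# Constructed sample transcribed from the behavioral2 Network table
# (Country, Destination, Domain, Proto); rows with no domain carry "".
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "154.239.44.20.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "150.171.28.10:443", "g.bing.com", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "150.171.27.10:443", "tse1.mm.bing.net", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
]

# Analyst allow-list for traffic the sandbox image generates on its own.
# An assumption of this example, not something the report states.
SANDBOX_NOISE_SUFFIXES = (".bing.com", ".bing.net", ".in-addr.arpa")


def classify(rows):
    """Split rows into DNS queries, allow-listed noise and leftover
    destinations that deserve a look."""
    categories = {"dns": [], "noise": [], "candidate_c2": []}
    for _country, dest, domain, proto in rows:
        port = int(dest.rsplit(":", 1)[1])
        if proto == "udp" and port == 53:
            categories["dns"].append(domain)
        elif domain.endswith(SANDBOX_NOISE_SUFFIXES):
            categories["noise"].append(dest)
        else:
            # No resolved name and not on the allow-list: candidate only,
            # not proof of C2.
            categories["candidate_c2"].append(dest)
    return categories


def ptr_targets(dns_names):
    """Map reverse-lookup names (d.c.b.a.in-addr.arpa) back to a.b.c.d."""
    ips = []
    for name in dns_names:
        if name.endswith(".in-addr.arpa"):
            octets = name[: -len(".in-addr.arpa")].split(".")
            # IPv4Address validates that we really got four octets
            ips.append(str(ipaddress.IPv4Address(".".join(reversed(octets)))))
    return ips


def c2_summary(rows):
    """Count how often each unexplained destination was hit, list the
    addresses the host tried to reverse-resolve, and count noise."""
    cats = classify(rows)
    return {
        "candidates": dict(Counter(cats["candidate_c2"])),
        "ptr_lookups": ptr_targets(cats["dns"]),
        "noise_connections": len(cats["noise"]),
    }


if __name__ == "__main__":
    print(c2_summary(NETWORK_ROWS))
```

The repeat count matters more than the single address: a destination hit several times within a 151-second run with no DNS name in front of it is the shape of a beacon check-in, whereas one-off hits to CDN ranges are usually the image updating itself.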

Files

memory/1764-0-0x00007FF6AF1A0000-0x00007FF6AF4F1000-memory.dmp

memory/1764-1-0x000001840C080000-0x000001840C090000-memory.dmp

C:\Windows\System\xYRTiBL.exe

MD5 d72baa11ff66cd7b80fda0b3a6c3fb56
SHA1 a9c1e3c51f79ff1a8f7e90ad2ef773cd3ac890b2
SHA256 587b64e656ebd1880359c552c5aaaee39a4784692e3099d83ca9cd82d3e9c6fe
SHA512 b74b2db2adcba74c81a1cd33a2645cd1d99ed6c97e2ad55cdd18b2d689bef6279214afdac120927c197a331a99684fd085b9e36d0016fb72af41019b050a17f8

C:\Windows\System\kqUmsBO.exe

MD5 cc7bc87fd84d3e17b69acf6dca12c500
SHA1 c9ef9983a2c65716b067bee4cffc885d1e6fb0f6
SHA256 9c548010736ba021333b47941c0061dd687ddb2e898bcdbb0a0f33f52b9d7600
SHA512 b4304ad8e49f3697980dafe84d735e162d0193a926ce8bd2a60c1b9268c71fc0687e49c73debd17e077c70e8f33faa0f6129237bf637e9eed168634aef882f90

memory/4712-6-0x00007FF70B0B0000-0x00007FF70B401000-memory.dmp

memory/2152-17-0x00007FF6BF8B0000-0x00007FF6BFC01000-memory.dmp

memory/1832-19-0x00007FF69C360000-0x00007FF69C6B1000-memory.dmp

C:\Windows\System\cdVLYuS.exe

MD5 f45e4930751bf4bcab51af034d4eff9d
SHA1 97cac6ba912653ae55874b9025f043bbfbf4f534
SHA256 7a56278e674f1c42b8df4800b08bb2e6a13291bac208af97ae1ecd32f5e5a3df
SHA512 0d69e10c0b10a5ff0ad4c4b5e0c6683d541c032435b74b5437fb7e700c0bae2305faf7e6f4dfe93030fea01e6eab11f622207126c0b64e2f51d4debdf84ef806

C:\Windows\System\UKgCkED.exe

MD5 ed953f1af87f9db21e729959bc8c5724
SHA1 7176a82d003c102d484547b1d0ce2a93edc36e77
SHA256 ebcbbf4c5be2f5387c8bd2848e69605cc3beabb0f33abebd40883276353dc4b3
SHA512 54839ab729bb3c8d8ed2d925a06229102fbbee9204c867b3cf2b8463f6aaca4d5eac3dfe4cb24eac3740ea5c2f47e7c2ebe98db98fab555c4c3a615b90df0665

C:\Windows\System\PxElHep.exe

MD5 db3e270ff2de41e5bdae44e3c4b9fbdc
SHA1 de596da86f9ba11294888c2b0de02218428748f2
SHA256 15dabc74d7ced974dc22e715842a4960285bf4d2504ea84a2b1dbe2750272841
SHA512 5390ad86c5cab669e28050f458d653bb72cce82d952998c7c7d297a845318faff43c1b34e006ef422e73da21e24e48064c112dc50ba586757bdf20177e340597

memory/3576-50-0x00007FF71EB30000-0x00007FF71EE81000-memory.dmp

C:\Windows\System\ciZwxCz.exe

MD5 0d1044c05834ec94897c4e2aee0a96c8
SHA1 811626a07ff16790939e5ccb6f9c4b6f6f82d48a
SHA256 e1370a21ace2cced062039316a9525a0abf481eec6f2856adba1bb1f356a2e96
SHA512 45f6a5c10edd4ced8b74adbcaa48ffc98167a09039aed4d07f4eb8917669814d172b27f76a42201d16f94762521c6449aae135a4e0350a7b736960669ed0f523

memory/4744-63-0x00007FF6A1930000-0x00007FF6A1C81000-memory.dmp

C:\Windows\System\EuZmSCO.exe

MD5 8b319825fee8efd68608a28571d21ea6
SHA1 5a982fd1e726dad82030730d464ff604dc0d1bc5
SHA256 e0c34f3307272ee9be693b4ab34899ea00acb62355cb81a28a84068cb2c5514c
SHA512 3e14c4cd44fe931f5ffeedadbfda76cb89f122c54fe47b788d3fd585fe941b914994d5f5cd5bd2626dde8fef828503db1e513e521a4a6cd2cd9876b98dacdb6c

memory/2732-90-0x00007FF644950000-0x00007FF644CA1000-memory.dmp

memory/1832-97-0x00007FF69C360000-0x00007FF69C6B1000-memory.dmp

C:\Windows\System\tNGYyhO.exe

MD5 cdb8dcede5ae2bc322d9dcfecb07cd7a
SHA1 ce5937dd608063746bced7a496aac5c3998bae2e
SHA256 d319687a2394d00359ef6059b93341b76fc1ece0b32782127fd4284d3a05e42b
SHA512 f43512e54c992c3c33711ab83fb5656b77b62032dc79196a993dfabf82a77d96e53dff9fcc74347d0ceba1fc32ab14ee65baf9087de4dbe06f9fa91eb8b103f9

memory/1820-130-0x00007FF70DDC0000-0x00007FF70E111000-memory.dmp

memory/4712-129-0x00007FF70B0B0000-0x00007FF70B401000-memory.dmp

C:\Windows\System\XYSTzlS.exe

MD5 0ef9c51f8c314b1b635691aded2454b5
SHA1 9baf6c6a260201cd32836cbfc2f2d259fd86a06b
SHA256 2786b7cdebc17916d2920e578303499200ab3cd3aadef6f8350f17b83d210324
SHA512 10fe6c88e20a8bd32409f67d65ee60e1748b3b8e56e690c6f17a20c6b229ec3f90a38caf9c202b1a0de0d71cbda057f2e6a3ab143766e3d7d123fd1d4fadf1e4

C:\Windows\System\rbmzQux.exe

MD5 2ec8e702a090c1a41b714c015a32afba
SHA1 f9d919216e0c5b2cce122e4e9506431c95ba4ef2
SHA256 ded9b9f2d5b6808c3621967b8032676b457e999206834d48154bf033b456359b
SHA512 20e2bebcd0913648a2e03b3f0e198b02f94418741a0c442bd4a9dc239d51d0c002578c822832fb45447eabfb1f97a945ff04f4a7ac29b748346518f6f096b4d6

C:\Windows\System\cEQVkAm.exe

MD5 076a503b8e98484fffbd38304c38a1e0
SHA1 9191fceceab4e6db04de93b8139e44409365136c
SHA256 6c4e31ec88f3cb8063db266dfe2633b32d74d4b3c2bb707be8f5fca766c900ad
SHA512 c6d61ebcf30942042835d366f16f65c3e2d48a1759678f48c7f91fb921929d2d616acdf4899fe72bceccc70c84f54c3452613440cd9a4b29fe1c3e2ac0cf5102

memory/1632-122-0x00007FF6389D0000-0x00007FF638D21000-memory.dmp

memory/928-121-0x00007FF72DBC0000-0x00007FF72DF11000-memory.dmp

C:\Windows\System\GeerTYM.exe

MD5 1918521bdf85d4cbfc739919d78eb9b6
SHA1 351ffdc2103f47d292d8ec8d6d918f951cef5f46
SHA256 dda23a39930458db3764e0a432eb3480780b3b62c28076e4674ef385368258d7
SHA512 399fbf8645851673a64ffb8998c2ac36fc85c838b8996c607fd20ba5f44c33d1e383047a2a9e0995513fc2acdf0412e0365cb51122f2d9d3bbbc7c62b29932bb

memory/1152-116-0x00007FF6C7500000-0x00007FF6C7851000-memory.dmp

memory/3240-115-0x00007FF7BF300000-0x00007FF7BF651000-memory.dmp

memory/1764-111-0x00007FF6AF1A0000-0x00007FF6AF4F1000-memory.dmp

memory/2976-103-0x00007FF7C2E30000-0x00007FF7C3181000-memory.dmp

memory/2460-96-0x00007FF6FC3D0000-0x00007FF6FC721000-memory.dmp

C:\Windows\System\DjKfyzb.exe

MD5 6b68202c1eb383b2789d7b7788fc566b
SHA1 5299a754fb626ae651520e32a1557d0a8b8b77b4
SHA256 1e2a4d72889b9f8a2777d6a421f68734143996ce9b18ee6f64b19b6d58d43d8c
SHA512 fd5d0c5f8388387ffe94d034ec53e7e5c5b89844097dbdbebe9ad8d53d0b01b9a6534878f1dbefa60dde7b0201d253daa55a538ffb6f6e80455333286c214118

C:\Windows\System\gnvFqke.exe

MD5 83f2593e966952c9c438b22f45a92867
SHA1 94f25ef12a1da5c03fe33df6d4e7ca75d69f6643
SHA256 cdb9f472e667da78142661369e30be4ab3b0c27eb5a5ea45883956ecb7485722
SHA512 5786b8532b4b662fad021415da00016f1777dde7880f7428f1f02315220750d039b3dd82963207123a3051591f18356e6dd77b2b7473147ea6133de71213068a

C:\Windows\System\airEmQp.exe

MD5 9e8474b04eb89821351fcce6cc3c6d87
SHA1 789471e83557dad4e5f5c0d393624a15bb532ee4
SHA256 d1a93d76012501e7be3145bd485795d1b497e694a47286e5ecf0ef848ff0c9cc
SHA512 46bde7a59c3168a0c16286433430fe43cdafc0ff27e6cdc7afc7ffe0a817eaa1df75f82cc786a376916b2b634f20f72c1e7c035937249a9c60696c55dd66a11d

C:\Windows\System\sPceonp.exe

MD5 dc88eda7c096224a449a99b083b8db11
SHA1 53eff5c672ff2edb73b71af969728f0010dc5b3f
SHA256 04e77dc00098d938b08b0d4d08d77b0e2f78cbec1f23f7378c5046cd85a43c28
SHA512 be26015e7bccdcdbea0d58fa58a6cc1ff1e805709aae145e2cb34761d4f3255c5a3f873f348881776765b98261ac570ffa5c384e9b5e57f86f4e6bdc9a2b7f72

C:\Windows\System\meiumHc.exe

MD5 6a6641cb6f89f0da18c0ff25b3869701
SHA1 23bcb0aaf62c17c813bcc4bdbe312021ae8e4cdc
SHA256 9ff8b9ca387fc4d7439fc5e4eed0547f66d221220fb9ae597bee97e13c989a5a
SHA512 09feb0f4bbf4c3ef00b03ea43ec4c74ad4e1ebe1f06cfce4c9a6e549cccca3a3de84aed41c57926d95d6ab9c826f047e3ce299ce1637a37cf290a3ae4b1d2e8e

memory/5084-83-0x00007FF7CF230000-0x00007FF7CF581000-memory.dmp

memory/4676-82-0x00007FF734A20000-0x00007FF734D71000-memory.dmp

C:\Windows\System\eronHPT.exe

MD5 99038c48fc31504fedfb657ac3f30ba3
SHA1 905dd45ea404beb8fde89ed9d6392ff103925f4f
SHA256 c94a9fd3b3746cb05443c2cdf49f7ec6e7b8311b1b395c1116880595c6c53014
SHA512 7178bcbd4e2b744d2f7082efbe5d18ea9ca9abd9736736ef3e57286bf783ea1ead08f22a377c99e5f48e9561a36908b3d27260e4157fdd7a7653d5c7cf70d91d

memory/2156-74-0x00007FF715620000-0x00007FF715971000-memory.dmp

C:\Windows\System\NNmfyLp.exe

MD5 e9cf726d638199ad20b026381fe1f435
SHA1 f26c26e69de06316ad796445f361ab975ca5beab
SHA256 94f641c5c73a94f9c6cd35dedb140582184516461d7f98ae4c924e8b245a8806
SHA512 8a40f2c4497df757fd3e7dbd539b8b181ca16e6a327da8e75962291b8543f4f96cbc3d2f72aa7fa74f2c3dea577fefdb8836a56d08c73d6a4352e91d996d2bd3

memory/4048-54-0x00007FF775180000-0x00007FF7754D1000-memory.dmp

memory/2400-46-0x00007FF6D9470000-0x00007FF6D97C1000-memory.dmp

memory/2832-45-0x00007FF766730000-0x00007FF766A81000-memory.dmp

memory/2260-33-0x00007FF720DF0000-0x00007FF721141000-memory.dmp

memory/4836-29-0x00007FF7877C0000-0x00007FF787B11000-memory.dmp

C:\Windows\System\quvZurg.exe

MD5 dfc0c2e2f06acc1fd8c9aab4be6c7c77
SHA1 c846b87fe7d1dea7fd987eb8400b00bdc1f9485a
SHA256 0a39ed404ad491e55f066cd2d2cd40c94590bd33361040a8c3c23f5d65ff79cd
SHA512 04c9425055c39d632eb45f1dd6aa1fbf0079a22ae2bd521106cc9e32d7e23eb9cc1757bf7d56ad28fee7e19371555cfaf6307b75c08c5bc49aa0dd0c6c365a11

C:\Windows\System\OEBkNnE.exe

MD5 6877319d6a4581cb6638f9bb483b8948
SHA1 4f88c3e88a4966e4ceab3f54757ffbaf71363252
SHA256 d28e64625188244d1350ddb809fc256dc8f887d72d9bdf5961eca2b07e12ad59
SHA512 551df79ecc84e8d0fa9f333724b761b58c7ece75e6b3b4eea1b9af329f300f0544240ccca1ba7b089aeb35269691bd3145ba7b766498fac1aabcd38b5527665b

memory/1764-131-0x00007FF6AF1A0000-0x00007FF6AF4F1000-memory.dmp

memory/4744-142-0x00007FF6A1930000-0x00007FF6A1C81000-memory.dmp

memory/5084-146-0x00007FF7CF230000-0x00007FF7CF581000-memory.dmp

memory/928-151-0x00007FF72DBC0000-0x00007FF72DF11000-memory.dmp

memory/1152-149-0x00007FF6C7500000-0x00007FF6C7851000-memory.dmp

memory/3240-148-0x00007FF7BF300000-0x00007FF7BF651000-memory.dmp

memory/4676-144-0x00007FF734A20000-0x00007FF734D71000-memory.dmp

memory/2156-141-0x00007FF715620000-0x00007FF715971000-memory.dmp

memory/4048-140-0x00007FF775180000-0x00007FF7754D1000-memory.dmp

memory/2400-139-0x00007FF6D9470000-0x00007FF6D97C1000-memory.dmp

memory/2260-137-0x00007FF720DF0000-0x00007FF721141000-memory.dmp

memory/4836-135-0x00007FF7877C0000-0x00007FF787B11000-memory.dmp

memory/2152-133-0x00007FF6BF8B0000-0x00007FF6BFC01000-memory.dmp

memory/2732-147-0x00007FF644950000-0x00007FF644CA1000-memory.dmp

memory/3576-138-0x00007FF71EB30000-0x00007FF71EE81000-memory.dmp

memory/2832-136-0x00007FF766730000-0x00007FF766A81000-memory.dmp

memory/1632-152-0x00007FF6389D0000-0x00007FF638D21000-memory.dmp

memory/1764-153-0x00007FF6AF1A0000-0x00007FF6AF4F1000-memory.dmp

memory/4712-203-0x00007FF70B0B0000-0x00007FF70B401000-memory.dmp

memory/2152-217-0x00007FF6BF8B0000-0x00007FF6BFC01000-memory.dmp

memory/1832-219-0x00007FF69C360000-0x00007FF69C6B1000-memory.dmp

memory/2260-222-0x00007FF720DF0000-0x00007FF721141000-memory.dmp

memory/4836-225-0x00007FF7877C0000-0x00007FF787B11000-memory.dmp

memory/2832-224-0x00007FF766730000-0x00007FF766A81000-memory.dmp

memory/3576-227-0x00007FF71EB30000-0x00007FF71EE81000-memory.dmp

memory/4676-230-0x00007FF734A20000-0x00007FF734D71000-memory.dmp

memory/4048-235-0x00007FF775180000-0x00007FF7754D1000-memory.dmp

memory/2460-239-0x00007FF6FC3D0000-0x00007FF6FC721000-memory.dmp

memory/2732-243-0x00007FF644950000-0x00007FF644CA1000-memory.dmp

memory/2976-241-0x00007FF7C2E30000-0x00007FF7C3181000-memory.dmp

memory/2400-237-0x00007FF6D9470000-0x00007FF6D97C1000-memory.dmp

memory/2156-234-0x00007FF715620000-0x00007FF715971000-memory.dmp

memory/4744-231-0x00007FF6A1930000-0x00007FF6A1C81000-memory.dmp

memory/1152-257-0x00007FF6C7500000-0x00007FF6C7851000-memory.dmp

memory/1820-255-0x00007FF70DDC0000-0x00007FF70E111000-memory.dmp

memory/1632-260-0x00007FF6389D0000-0x00007FF638D21000-memory.dmp

memory/3240-258-0x00007FF7BF300000-0x00007FF7BF651000-memory.dmp

memory/928-253-0x00007FF72DBC0000-0x00007FF72DF11000-memory.dmp

memory/5084-251-0x00007FF7CF230000-0x00007FF7CF581000-memory.dmp
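
Two things in the listing above are worth checking by hand rather than by eye: every large dumped region, in the parent (PID 1764) and in each dropped child, spans exactly the same size, while every dropped .exe carries a different SHA256. The following is an added example for this page, not sandbox output: it parses the memory/PID-seq-start-end-memory.dmp names transcribed from this listing, tallies the image-sized regions, and counts distinct hashes among the dropped files. The 1 MiB threshold separating image regions from small heap/stack dumps is this example's assumption.

```python
import re
from collections import Counter

# Constructed sample transcribed from the behavioral2 Files listing
# (a subset of the dump names and of the dropped-file SHA256 values).
MEMORY_DUMPS = [
    "memory/1764-0-0x00007FF6AF1A0000-0x00007FF6AF4F1000-memory.dmp",
    "memory/1764-1-0x000001840C080000-0x000001840C090000-memory.dmp",
    "memory/4712-6-0x00007FF70B0B0000-0x00007FF70B401000-memory.dmp",
    "memory/2152-17-0x00007FF6BF8B0000-0x00007FF6BFC01000-memory.dmp",
    "memory/1832-19-0x00007FF69C360000-0x00007FF69C6B1000-memory.dmp",
    "memory/3576-50-0x00007FF71EB30000-0x00007FF71EE81000-memory.dmp",
]

DROPPED_SHA256 = {
    r"C:\Windows\System\xYRTiBL.exe": "587b64e656ebd1880359c552c5aaaee39a4784692e3099d83ca9cd82d3e9c6fe",
    r"C:\Windows\System\kqUmsBO.exe": "9c548010736ba021333b47941c0061dd687ddb2e898bcdbb0a0f33f52b9d7600",
    r"C:\Windows\System\cdVLYuS.exe": "7a56278e674f1c42b8df4800b08bb2e6a13291bac208af97ae1ecd32f5e5a3df",
    r"C:\Windows\System\OEBkNnE.exe": "d28e64625188244d1350ddb809fc256dc8f887d72d9bdf5961eca2b07e12ad59",
}

DUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_dump(name):
    """Break a sandbox dump name into pid, sequence number, start and size."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "seq": int(seq), "start": start, "size": end - start}


def image_sizes(names, min_size=0x100000):
    """Histogram of region sizes at or above min_size (assumed 1 MiB here),
    which drops the small heap/stack dumps and keeps the mapped images."""
    return Counter(d["size"] for d in map(parse_dump, names) if d["size"] >= min_size)


def pids_with_size(names, size):
    """Every PID that had a region of exactly this size dumped."""
    return sorted({d["pid"] for d in map(parse_dump, names) if d["size"] == size})


def hash_diversity(hashes):
    """(distinct SHA256 values, number of files): equal numbers mean no two
    drops share a hash, so per-file hashes are a weak indicator here."""
    return len(set(hashes.values())), len(hashes)


if __name__ == "__main__":
    sizes = image_sizes(MEMORY_DUMPS)
    for size, count in sizes.items():
        print(f"0x{size:X} bytes in {count} regions, PIDs {pids_with_size(MEMORY_DUMPS, size)}")
    print("distinct hashes / files:", hash_diversity(DROPPED_SHA256))
```

With the full listing the same 0x351000-byte region shows up in the parent and all 21 children, and the 21 children have 21 different hashes: hunt on the behaviour (random-name drop into C:\Windows\System, parent writing into the child, an identically sized image in every process) rather than on any one file hash.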