Malware Analysis Report

2025-08-11 08:11

Sample ID 241025-nvkhmsyeld
Target 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat
SHA256 f4e34a310e209cda8c05991ca933c2c54aae34f99a269534dbea1ea0495ea60d
Tags upx 0 miner cobaltstrike xmrig backdoor trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 f4e34a310e209cda8c05991ca933c2c54aae34f99a269534dbea1ea0495ea60d

Threat Level: Known bad

The file 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike family

xmrig

Cobalt Strike reflective loader

XMRig Miner payload

Xmrig family

Cobaltstrike

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-10-25 11:43

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 11:43

Reported

2024-10-25 11:45

Platform

win7-20240903-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\OCDZoGw.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QluPupV.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QhmhGlU.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vJovBAx.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tBVMUYa.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jPKltco.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tpVoeqD.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HNwpgiM.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OkcEBNe.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CQDCvQW.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FIDPGuy.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zLumjuj.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lexlksp.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mBwbXJY.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XSKGkOV.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LplFxea.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rcYfxvl.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\anKlcIM.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BbFRkvU.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zwDRwie.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TgxVVZm.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1868 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jPKltco.exe
PID 1868 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mBwbXJY.exe
PID 1868 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tpVoeqD.exe
PID 1868 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OCDZoGw.exe
PID 1868 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XSKGkOV.exe
PID 1868 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LplFxea.exe
PID 1868 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OkcEBNe.exe
PID 1868 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CQDCvQW.exe
PID 1868 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FIDPGuy.exe
PID 1868 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zwDRwie.exe
PID 1868 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HNwpgiM.exe
PID 1868 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QhmhGlU.exe
PID 1868 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TgxVVZm.exe
PID 1868 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vJovBAx.exe
PID 1868 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zLumjuj.exe
PID 1868 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lexlksp.exe
PID 1868 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rcYfxvl.exe
PID 1868 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QluPupV.exe
PID 1868 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\anKlcIM.exe
PID 1868 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tBVMUYa.exe
PID 1868 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BbFRkvU.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\jPKltco.exe

C:\Windows\System\mBwbXJY.exe

C:\Windows\System\tpVoeqD.exe

C:\Windows\System\OCDZoGw.exe

C:\Windows\System\XSKGkOV.exe

C:\Windows\System\LplFxea.exe

C:\Windows\System\OkcEBNe.exe

C:\Windows\System\CQDCvQW.exe

C:\Windows\System\FIDPGuy.exe

C:\Windows\System\zwDRwie.exe

C:\Windows\System\HNwpgiM.exe

C:\Windows\System\QhmhGlU.exe

C:\Windows\System\TgxVVZm.exe

C:\Windows\System\vJovBAx.exe

C:\Windows\System\zLumjuj.exe

C:\Windows\System\lexlksp.exe

C:\Windows\System\rcYfxvl.exe

C:\Windows\System\QluPupV.exe

C:\Windows\System\anKlcIM.exe

C:\Windows\System\tBVMUYa.exe

C:\Windows\System\BbFRkvU.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/1868-165-0x000000013F390000-0x000000013F6E1000-memory.dmp

memory/2084-213-0x000000013FA90000-0x000000013FDE1000-memory.dmp

memory/2876-222-0x000000013F360000-0x000000013F6B1000-memory.dmp

memory/1588-223-0x000000013F510000-0x000000013F861000-memory.dmp

memory/2460-227-0x000000013FBB0000-0x000000013FF01000-memory.dmp

memory/2772-226-0x000000013F9F0000-0x000000013FD41000-memory.dmp

memory/2828-229-0x000000013FEB0000-0x0000000140201000-memory.dmp

memory/2892-231-0x000000013F480000-0x000000013F7D1000-memory.dmp

memory/2912-243-0x000000013FD20000-0x0000000140071000-memory.dmp

memory/2896-245-0x000000013FEB0000-0x0000000140201000-memory.dmp

memory/2656-247-0x000000013F450000-0x000000013F7A1000-memory.dmp

memory/2668-249-0x000000013F960000-0x000000013FCB1000-memory.dmp

memory/2700-254-0x000000013F340000-0x000000013F691000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 11:43

Reported

2024-10-25 11:45

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\cgETvJO.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oChjBqi.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dXpysas.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IziXmUK.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IdeOTRQ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MVMgsyl.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HkqbZsN.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nBHtFnQ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dhcOTdH.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OHPtLMm.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YVZotDn.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LfUaFmH.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uKlqATs.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LMKxTad.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AtDqQdf.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mreQECg.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HkvenMA.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aoNgqeg.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YWuaHYM.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yjekeIT.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NhZODOb.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3488 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mreQECg.exe
PID 3488 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mreQECg.exe
PID 3488 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HkqbZsN.exe
PID 3488 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HkqbZsN.exe
PID 3488 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cgETvJO.exe
PID 3488 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cgETvJO.exe
PID 3488 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oChjBqi.exe
PID 3488 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oChjBqi.exe
PID 3488 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nBHtFnQ.exe
PID 3488 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nBHtFnQ.exe
PID 3488 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OHPtLMm.exe
PID 3488 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OHPtLMm.exe
PID 3488 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YVZotDn.exe
PID 3488 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YVZotDn.exe
PID 3488 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dXpysas.exe
PID 3488 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dXpysas.exe
PID 3488 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HkvenMA.exe
PID 3488 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HkvenMA.exe
PID 3488 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LfUaFmH.exe
PID 3488 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LfUaFmH.exe
PID 3488 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dhcOTdH.exe
PID 3488 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dhcOTdH.exe
PID 3488 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IziXmUK.exe
PID 3488 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IziXmUK.exe
PID 3488 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aoNgqeg.exe
PID 3488 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aoNgqeg.exe
PID 3488 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YWuaHYM.exe
PID 3488 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YWuaHYM.exe
PID 3488 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yjekeIT.exe
PID 3488 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yjekeIT.exe
PID 3488 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uKlqATs.exe
PID 3488 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uKlqATs.exe
PID 3488 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IdeOTRQ.exe
PID 3488 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IdeOTRQ.exe
PID 3488 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NhZODOb.exe
PID 3488 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NhZODOb.exe
PID 3488 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LMKxTad.exe
PID 3488 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LMKxTad.exe
PID 3488 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AtDqQdf.exe
PID 3488 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AtDqQdf.exe
PID 3488 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MVMgsyl.exe
PID 3488 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MVMgsyl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\mreQECg.exe

C:\Windows\System\mreQECg.exe

C:\Windows\System\HkqbZsN.exe

C:\Windows\System\HkqbZsN.exe

C:\Windows\System\cgETvJO.exe

C:\Windows\System\cgETvJO.exe

C:\Windows\System\oChjBqi.exe

C:\Windows\System\oChjBqi.exe

C:\Windows\System\nBHtFnQ.exe

C:\Windows\System\nBHtFnQ.exe

C:\Windows\System\OHPtLMm.exe

C:\Windows\System\OHPtLMm.exe

C:\Windows\System\YVZotDn.exe

C:\Windows\System\YVZotDn.exe

C:\Windows\System\dXpysas.exe

C:\Windows\System\dXpysas.exe

C:\Windows\System\HkvenMA.exe

C:\Windows\System\HkvenMA.exe

C:\Windows\System\LfUaFmH.exe

C:\Windows\System\LfUaFmH.exe

C:\Windows\System\dhcOTdH.exe

C:\Windows\System\dhcOTdH.exe

C:\Windows\System\IziXmUK.exe

C:\Windows\System\IziXmUK.exe

C:\Windows\System\aoNgqeg.exe

C:\Windows\System\aoNgqeg.exe

C:\Windows\System\YWuaHYM.exe

C:\Windows\System\YWuaHYM.exe

C:\Windows\System\yjekeIT.exe

C:\Windows\System\yjekeIT.exe

C:\Windows\System\uKlqATs.exe

C:\Windows\System\uKlqATs.exe

C:\Windows\System\IdeOTRQ.exe

C:\Windows\System\IdeOTRQ.exe

C:\Windows\System\NhZODOb.exe

C:\Windows\System\NhZODOb.exe

C:\Windows\System\LMKxTad.exe

C:\Windows\System\LMKxTad.exe

C:\Windows\System\AtDqQdf.exe

C:\Windows\System\AtDqQdf.exe

C:\Windows\System\MVMgsyl.exe

C:\Windows\System\MVMgsyl.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/3488-0-0x00007FF72E6D0000-0x00007FF72EA21000-memory.dmp

memory/3488-1-0x00000168BE8A0000-0x00000168BE8B0000-memory.dmp

C:\Windows\System\mreQECg.exe

MD5 2f4f11716419523ebe57e50c21d6f65e
SHA1 86c9c793b38cd7249d647a4cdfdd5e7333084cf4
SHA256 a87764ee35af9a05ff5c808c418bb5cba4d616c9ef0c3f83165c45a0ebbec8fe
SHA512 e5f3539a2ba34a8c64ef67f5e33ad05d20e52779553bc29f43c6838374269071240701be32fcff87da0e4f13818e40ef0ea5ac3c03de5d08a4d31b5cae431715

memory/2420-7-0x00007FF77F7F0000-0x00007FF77FB41000-memory.dmp

C:\Windows\System\HkqbZsN.exe

MD5 7fa95c123891770905e1bbb518cd5b8f
SHA1 de3cb0291d96c769b3f3edae4b3b6b5f206298c4
SHA256 6d4203c50ab1c38d60fb3356be6614b64ac29da350ac5b76095ef0ccddfe4034
SHA512 f2b7d8b101d7b63e7c80673dcfd6bde9748a53b10d62bda8336e731a7bb39aeaee59fb951a97c1489c05abfbcc19c208ccd219005e4d1bed28955310ccff078e

C:\Windows\System\cgETvJO.exe

MD5 dba1befb3e7791bb88e7ab6ed25e481a
SHA1 c6868af175bdc7b8ec4bc8c7265e1bab4fc4489d
SHA256 debda88bdec95ea58b6341677b1592912a0c42727950386bc93df7f99a681037
SHA512 ed2395056d8de0a87e7fb377cb30eb554bc9c9603652bd37122eb5fa275d26b54a98c21578ffedf029f553966edd4028a414f343a23914c1aab0acd993ade6b6

memory/2276-12-0x00007FF6C3800000-0x00007FF6C3B51000-memory.dmp

memory/232-18-0x00007FF654830000-0x00007FF654B81000-memory.dmp

C:\Windows\System\nBHtFnQ.exe

MD5 beef062ae233e56124b6b12db672a618
SHA1 97769465b1154c05a98163a2517bfcc93b7b3958
SHA256 cdccf741f6a1f46053d79fa8b80707681dece4330af1db2697674eaa079fd3eb
SHA512 516ba6640a604f0132af0ab01f09e9c6511b22505c6ead0b7377bafa812babf18fb3ed0d361b42218f8ace2009ac06ca8604613ad8c6d3639b9314c506d41709

memory/5064-24-0x00007FF603470000-0x00007FF6037C1000-memory.dmp

C:\Windows\System\oChjBqi.exe

MD5 88a77514059a4bf12161adbe8fd3126e
SHA1 73f017689cec5412400a37765147c47fd378cf75
SHA256 21306f179ce2909e4cb2b5964287ede1bdc1097c603496ec9478eb80653d2c72
SHA512 611a09bb702fabb0f3e7e9300f07663601a7cb7679ed6a0aa51a5be10d6960faa2c2b94131e48be371459f3597c546fd5b4d41d04db8a31038bb0c3ae30f781b

C:\Windows\System\YVZotDn.exe

MD5 82c10b5fdb3f702320702abeed7d54e6
SHA1 20432d2a6f589b2bbc208f98a27b383ee7866d8e
SHA256 1533c7a6bb7333515609819c9113ec9a5bae4c07330c2322feabcfac1a9687f4
SHA512 cb9605816cb3d4e8d36ff0e908ef838aacefaf849642be7c6f10e0c1e04a52bb4f96d1475cfedceb87e52f1043ac78834509109d9049c6972f180488261c64bf

C:\Windows\System\OHPtLMm.exe

MD5 824d66c69cf88e080c5165f7404c6eef
SHA1 d73c7139e12121eb07dbcb782a0d2d76beda51ef
SHA256 2ffc36ee6deee1b759c0218bbdd7e03b9e7bd4596c895e9cc020524e5a80b06f
SHA512 03b58440949919c2047e2142b53e798bbae2053ff50a02dedbb4ed2de0877aecf7c7631890cb74dd22c09fae314c1d1dba2c027678340f8901752f7944d3c59e

C:\Windows\System\dXpysas.exe

MD5 32a7077f7d55c82d803f9d1836079722
SHA1 eac938cf4d4827a32bf2959468173ae08869be9a
SHA256 fc5949383b6d21d644e3d77500f540b4c87c53afddfd1a245b2da53c5fd9800f
SHA512 bfa7ab1114e1e082f0ca995b6c3a28e3f8bcd0aa9286317ef6d049d16a843fa5cbb962beed28c6c3f8d52c43d1029b3fd46b285e4bc55f19bc36e22e04b46188

C:\Windows\System\dhcOTdH.exe

MD5 1c2115e6cf285527e81e4442863ca6c5
SHA1 51d0db905b54d575477bbfbc69f3609d3deacae2
SHA256 89a0ee2f8580808c05e5105e930bb7367d5edf4a8a090e6a60496baf2569dc59
SHA512 59b674d5720a801894976c9acc9030f01aeffa0f6b891f5845ffdf21d30c2638e910e7540ed32ad67b5b3caacc093697c39c3b9176ef5f61a230284e35e7ce61

memory/4536-81-0x00007FF6DF6C0000-0x00007FF6DFA11000-memory.dmp

C:\Windows\System\yjekeIT.exe

MD5 2a1a596804f4b2a29c78562f66424e32
SHA1 3914b8546cfd185137cee519ec62eafaafccebd9
SHA256 da2914cc0f30faa6f3b4b9b61220cd3c405006c3b4606d20c8c369a5f81527d2
SHA512 452bf5756cd36aed09e1eed2b62d32da4cc185f02600251fb6a489d9be927647f5ab5c3ac42fe232fcd653cd453e8ed8af981cef6abb671afae9c592f2ddee55

C:\Windows\System\YWuaHYM.exe

MD5 0a8e5cf6de7ee2c86c2b309d4275c5eb
SHA1 b149cd6fc9b56de4bb98e0f244d4e6a19e58b54d
SHA256 c7e89d2f1b4b6f75d299563d9cae512abe8e5543bb6e8baca7cea0eb07fbf99b
SHA512 e9b8ccd6f1a039d9f2bbb4044fbeb64ebf937adafde03260af93decc1f67b392251eb3f792abe3b621379522cdfbfc8a84b09e0c68e063cae835eb1408cf51a8

memory/3708-105-0x00007FF7E3550000-0x00007FF7E38A1000-memory.dmp

C:\Windows\System\NhZODOb.exe

MD5 7495709b70e6bf93d2394aba7e74a805
SHA1 ab980f47fd92ab31c4035a6e8ca09a9c2c4cd340
SHA256 5eaf251a1ead51784db78ff1801a8ed21b2abf971c718979a1197a0fcb13614e
SHA512 cb3588a714e78eeff8fab1ab35d711eafb0509d484f98174a5d5056c84d0f7dd302e6386a94bbca06ae56693c70c58cd1a2616c7c3cac6238051c196a6c56e89

C:\Windows\System\IdeOTRQ.exe

MD5 e59f27b4b8c9cbd15289fe68e41e1a37
SHA1 99a04cf88405c25ebca45dc4e6c87edf47a8c061
SHA256 db48dff3b1549635c73eed4647c66daae1bcd526e5194dc5913e190d31188fdb
SHA512 90e318565e56897c261dd5ad6340ac02ecdfed7a473502e33e04997c363c131450c55189887d7e2a52fc79e6030d605ef8fa8baaf76e75e994fc6b8a7a0dabe4

memory/4452-135-0x00007FF62B810000-0x00007FF62BB61000-memory.dmp

C:\Windows\System\MVMgsyl.exe

MD5 9fc7c87738741b6a62327d43c1f51b27
SHA1 a48fb8463620532849ad4e4c241c48f02aa459ad
SHA256 e41073bf463188b52c760a67e907cee5189fd987b8fe248e2ad2a46f02bbb474
SHA512 6859af333d2c13ea958ed062d0531f58dd8ee7dbcfe299ee94cf8bef7835c170541f5c2a72a41d7e57b0aa8028119bed5701f1933e44dc28d4c3ea5bcc81aaa7

memory/4032-136-0x00007FF7C8CE0000-0x00007FF7C9031000-memory.dmp

C:\Windows\System\AtDqQdf.exe

MD5 ee74e5150d2bee55dd3f2adee815c364
SHA1 333d343c9d79cc44a842d96c541b3fefea7efdae
SHA256 f6ea05a25812d2be72d1b9e225774e81c71d9ed59224658a37f542f4a7f1abd1
SHA512 b6d4bf682dcf536d30dfe84ba776238b4965d79d01dd16afaaf08f7441a6bfb6216c9c85e3e9343ca3f89e6df17016c36bf014ccf7b76842176e96cc56e4039e

memory/792-131-0x00007FF70A410000-0x00007FF70A761000-memory.dmp

memory/2488-129-0x00007FF630680000-0x00007FF6309D1000-memory.dmp

C:\Windows\System\LMKxTad.exe

MD5 1c79aa03db1f8aa129c79aec32c85ee9
SHA1 003f442abd5d6d0ee86afc0e96d2622e199937fe
SHA256 f894ce64399ddd4ab9de3f572da5a8a955062598de77c0322a1f6f4bde007d8c
SHA512 2744dabd63bf8c43a7a75fa45bfff12cd22183c849e597bac04285a8f3f1dfa94a677a8111e63b87b86a8a392aa230aad9db22a98f78f0f639b0b7f3f6084bc2

memory/4920-121-0x00007FF694ED0000-0x00007FF695221000-memory.dmp

memory/3792-120-0x00007FF7A3090000-0x00007FF7A33E1000-memory.dmp

memory/4776-116-0x00007FF6CCB90000-0x00007FF6CCEE1000-memory.dmp

memory/3096-115-0x00007FF6F43E0000-0x00007FF6F4731000-memory.dmp

C:\Windows\System\uKlqATs.exe

MD5 fe53d4d456f45e03d7f74ba0764625c9
SHA1 bdd8b46d9ae5e6025e6f4fa07efbaf709ac859a7
SHA256 13edcfa8db68c4385bba9a2bb420172b2a1d0ed72d3c3a988a36c1b36eb0a430
SHA512 f9a33cd33d0ad6c0396d5d220cf21ea6b17a7c3b27d3d062b84464b08e8f54816a8146f3c177e90ef03315b13f27faeadc2d2c4e79cde83708442fc104e49598

memory/3756-110-0x00007FF6E0190000-0x00007FF6E04E1000-memory.dmp

memory/4764-109-0x00007FF620690000-0x00007FF6209E1000-memory.dmp

memory/4824-104-0x00007FF62DA60000-0x00007FF62DDB1000-memory.dmp

memory/460-96-0x00007FF6E5330000-0x00007FF6E5681000-memory.dmp

memory/4928-95-0x00007FF7E2CA0000-0x00007FF7E2FF1000-memory.dmp

memory/5064-92-0x00007FF603470000-0x00007FF6037C1000-memory.dmp

memory/848-91-0x00007FF6B1130000-0x00007FF6B1481000-memory.dmp

C:\Windows\System\aoNgqeg.exe

MD5 aa72faaa3fb1c68ab723e8fef2bc646b
SHA1 f1a8a4bb02cedb98c3a46067ce72d381c13a9d61
SHA256 b9e9f94f4c3ac80e06bf081fc59c43e35c5f2582552b372c8b1f1c6dc4d5b3eb
SHA512 d374c8c1c9c900a7529558bb3e6f67321d017bfc44401016f89f23a0fa7445df7b87b92e8f344f3e78a317f0084302e7436ffd6219386ffcd7e9992a7a18f8fe

C:\Windows\System\IziXmUK.exe

MD5 3161485ebcc7622034e6dc9eba1dc3ac
SHA1 c9abc717488f0608c945d9c62e92701684a0a12b
SHA256 1d667d3720f9dc03cdee282adcddef825ff75dbc6c972186c96f6d14d6c773e6
SHA512 d27dee0311fb1be670c1092eb1b76a10123512248df8ee28172986eb3bc181e13c7e79982ed50f38d86d20171dae7c6b0ef17dae745899d03cc1a89b5244ef68

memory/2480-85-0x00007FF7EC360000-0x00007FF7EC6B1000-memory.dmp

memory/232-80-0x00007FF654830000-0x00007FF654B81000-memory.dmp

memory/2276-79-0x00007FF6C3800000-0x00007FF6C3B51000-memory.dmp

memory/4452-72-0x00007FF62B810000-0x00007FF62BB61000-memory.dmp

memory/2420-71-0x00007FF77F7F0000-0x00007FF77FB41000-memory.dmp

C:\Windows\System\LfUaFmH.exe

MD5 5a838f2a87e3f0c898309c9e62fb3f8f
SHA1 2313f6de7fef974293d5a74edfa088a1abdca741
SHA256 baccb1560000b518812297acf9a9f8f09b2ce9479e2b50c9bb8144d9e43c97ac
SHA512 a802cb0b6174bb03a8069bbd7162d21494b3ac730572b662159f5e9d81ab664569b7e2a3c4f1a0dac872ce96990853efcd73f0d209c50d3559e6d4cfffbbe01c

memory/2488-66-0x00007FF630680000-0x00007FF6309D1000-memory.dmp

C:\Windows\System\HkvenMA.exe

MD5 9f9fc86adedbebd711ee775cd153aac0
SHA1 02d267efc592ae8db0cb80556846c3e59a49e3d5
SHA256 8225fe011fe84059e7a826fca5f66146094a49f80c955ae78e958881511ad71f
SHA512 7d526ee45bfc4399e0c5d41984905d707efeb8941145c2481ec3c3ca80c1f83745831a0eb5cf4e5535c1cfbeed896c6a0b67aca20e1a1ef4e2a5e8b6082d248a

memory/3488-60-0x00007FF72E6D0000-0x00007FF72EA21000-memory.dmp

memory/3792-59-0x00007FF7A3090000-0x00007FF7A33E1000-memory.dmp

memory/3756-53-0x00007FF6E0190000-0x00007FF6E04E1000-memory.dmp

memory/3708-41-0x00007FF7E3550000-0x00007FF7E38A1000-memory.dmp

memory/4824-34-0x00007FF62DA60000-0x00007FF62DDB1000-memory.dmp

memory/460-28-0x00007FF6E5330000-0x00007FF6E5681000-memory.dmp

memory/3488-140-0x00007FF72E6D0000-0x00007FF72EA21000-memory.dmp

memory/2480-147-0x00007FF7EC360000-0x00007FF7EC6B1000-memory.dmp

memory/4536-146-0x00007FF6DF6C0000-0x00007FF6DFA11000-memory.dmp

memory/4928-157-0x00007FF7E2CA0000-0x00007FF7E2FF1000-memory.dmp

memory/4764-158-0x00007FF620690000-0x00007FF6209E1000-memory.dmp

memory/848-159-0x00007FF6B1130000-0x00007FF6B1481000-memory.dmp

memory/4920-162-0x00007FF694ED0000-0x00007FF695221000-memory.dmp

memory/792-163-0x00007FF70A410000-0x00007FF70A761000-memory.dmp

memory/4776-161-0x00007FF6CCB90000-0x00007FF6CCEE1000-memory.dmp

memory/3096-160-0x00007FF6F43E0000-0x00007FF6F4731000-memory.dmp

memory/4032-164-0x00007FF7C8CE0000-0x00007FF7C9031000-memory.dmp

memory/3488-165-0x00007FF72E6D0000-0x00007FF72EA21000-memory.dmp

memory/2420-214-0x00007FF77F7F0000-0x00007FF77FB41000-memory.dmp

memory/2276-216-0x00007FF6C3800000-0x00007FF6C3B51000-memory.dmp

memory/232-225-0x00007FF654830000-0x00007FF654B81000-memory.dmp

memory/5064-227-0x00007FF603470000-0x00007FF6037C1000-memory.dmp

memory/4824-229-0x00007FF62DA60000-0x00007FF62DDB1000-memory.dmp

memory/460-231-0x00007FF6E5330000-0x00007FF6E5681000-memory.dmp

memory/3708-233-0x00007FF7E3550000-0x00007FF7E38A1000-memory.dmp

memory/3756-245-0x00007FF6E0190000-0x00007FF6E04E1000-memory.dmp

memory/3792-247-0x00007FF7A3090000-0x00007FF7A33E1000-memory.dmp

memory/2488-249-0x00007FF630680000-0x00007FF6309D1000-memory.dmp

memory/4452-251-0x00007FF62B810000-0x00007FF62BB61000-memory.dmp

memory/4536-253-0x00007FF6DF6C0000-0x00007FF6DFA11000-memory.dmp

memory/2480-255-0x00007FF7EC360000-0x00007FF7EC6B1000-memory.dmp

memory/848-257-0x00007FF6B1130000-0x00007FF6B1481000-memory.dmp

memory/4928-259-0x00007FF7E2CA0000-0x00007FF7E2FF1000-memory.dmp

memory/3096-261-0x00007FF6F43E0000-0x00007FF6F4731000-memory.dmp

memory/4920-263-0x00007FF694ED0000-0x00007FF695221000-memory.dmp

memory/4776-265-0x00007FF6CCB90000-0x00007FF6CCEE1000-memory.dmp

memory/792-268-0x00007FF70A410000-0x00007FF70A761000-memory.dmp

memory/4032-270-0x00007FF7C8CE0000-0x00007FF7C9031000-memory.dmp

memory/4764-273-0x00007FF620690000-0x00007FF6209E1000-memory.dmp