Malware Analysis Report

2025-08-11 08:12

Sample ID 241025-nvyehayelf
Target 2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat
SHA256 3db359e40e4eeadef105229bf5a086079238aefa2c4f315e75a41512b8ceeab5
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3db359e40e4eeadef105229bf5a086079238aefa2c4f315e75a41512b8ceeab5

Threat Level: Known bad

The file 2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

XMRig Miner payload

Xmrig family

Cobaltstrike family

xmrig

Cobaltstrike

Cobalt Strike reflective loader

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-10-25 11:43

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 11:43

Reported

2024-10-25 11:46

Platform

win7-20240903-en

Max time kernel

140s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\OGWvXqk.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tYxKCyM.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mRMvvwp.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PXxXMNE.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HfwmpqZ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CxhGzCG.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ifhPzxF.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KATgFmA.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VOfjJUR.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SSboKPb.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GRFRMnc.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XLBsNhV.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MiqkgUZ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LzeJkoK.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IhYMsiF.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hsEVMKq.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UVhDMjD.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xRODdQP.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oNNcrOq.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XgWrwuT.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GAKNYvt.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2668 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HfwmpqZ.exe
PID 2668 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HfwmpqZ.exe
PID 2668 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HfwmpqZ.exe
PID 2668 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GRFRMnc.exe
PID 2668 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GRFRMnc.exe
PID 2668 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GRFRMnc.exe
PID 2668 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LzeJkoK.exe
PID 2668 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LzeJkoK.exe
PID 2668 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LzeJkoK.exe
PID 2668 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IhYMsiF.exe
PID 2668 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IhYMsiF.exe
PID 2668 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IhYMsiF.exe
PID 2668 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XLBsNhV.exe
PID 2668 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XLBsNhV.exe
PID 2668 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XLBsNhV.exe
PID 2668 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CxhGzCG.exe
PID 2668 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CxhGzCG.exe
PID 2668 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CxhGzCG.exe
PID 2668 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MiqkgUZ.exe
PID 2668 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MiqkgUZ.exe
PID 2668 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MiqkgUZ.exe
PID 2668 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hsEVMKq.exe
PID 2668 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hsEVMKq.exe
PID 2668 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hsEVMKq.exe
PID 2668 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UVhDMjD.exe
PID 2668 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UVhDMjD.exe
PID 2668 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UVhDMjD.exe
PID 2668 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ifhPzxF.exe
PID 2668 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ifhPzxF.exe
PID 2668 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ifhPzxF.exe
PID 2668 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xRODdQP.exe
PID 2668 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xRODdQP.exe
PID 2668 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xRODdQP.exe
PID 2668 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KATgFmA.exe
PID 2668 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KATgFmA.exe
PID 2668 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KATgFmA.exe
PID 2668 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VOfjJUR.exe
PID 2668 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VOfjJUR.exe
PID 2668 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VOfjJUR.exe
PID 2668 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SSboKPb.exe
PID 2668 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SSboKPb.exe
PID 2668 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SSboKPb.exe
PID 2668 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oNNcrOq.exe
PID 2668 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oNNcrOq.exe
PID 2668 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oNNcrOq.exe
PID 2668 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OGWvXqk.exe
PID 2668 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OGWvXqk.exe
PID 2668 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OGWvXqk.exe
PID 2668 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tYxKCyM.exe
PID 2668 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tYxKCyM.exe
PID 2668 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tYxKCyM.exe
PID 2668 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XgWrwuT.exe
PID 2668 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XgWrwuT.exe
PID 2668 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XgWrwuT.exe
PID 2668 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mRMvvwp.exe
PID 2668 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mRMvvwp.exe
PID 2668 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mRMvvwp.exe
PID 2668 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PXxXMNE.exe
PID 2668 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PXxXMNE.exe
PID 2668 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PXxXMNE.exe
PID 2668 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GAKNYvt.exe
PID 2668 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GAKNYvt.exe
PID 2668 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GAKNYvt.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\HfwmpqZ.exe

C:\Windows\System\HfwmpqZ.exe

C:\Windows\System\GRFRMnc.exe

C:\Windows\System\GRFRMnc.exe

C:\Windows\System\LzeJkoK.exe

C:\Windows\System\LzeJkoK.exe

C:\Windows\System\IhYMsiF.exe

C:\Windows\System\IhYMsiF.exe

C:\Windows\System\XLBsNhV.exe

C:\Windows\System\XLBsNhV.exe

C:\Windows\System\CxhGzCG.exe

C:\Windows\System\CxhGzCG.exe

C:\Windows\System\MiqkgUZ.exe

C:\Windows\System\MiqkgUZ.exe

C:\Windows\System\hsEVMKq.exe

C:\Windows\System\hsEVMKq.exe

C:\Windows\System\UVhDMjD.exe

C:\Windows\System\UVhDMjD.exe

C:\Windows\System\ifhPzxF.exe

C:\Windows\System\ifhPzxF.exe

C:\Windows\System\xRODdQP.exe

C:\Windows\System\xRODdQP.exe

C:\Windows\System\KATgFmA.exe

C:\Windows\System\KATgFmA.exe

C:\Windows\System\VOfjJUR.exe

C:\Windows\System\VOfjJUR.exe

C:\Windows\System\SSboKPb.exe

C:\Windows\System\SSboKPb.exe

C:\Windows\System\oNNcrOq.exe

C:\Windows\System\oNNcrOq.exe

C:\Windows\System\OGWvXqk.exe

C:\Windows\System\OGWvXqk.exe

C:\Windows\System\tYxKCyM.exe

C:\Windows\System\tYxKCyM.exe

C:\Windows\System\XgWrwuT.exe

C:\Windows\System\XgWrwuT.exe

C:\Windows\System\mRMvvwp.exe

C:\Windows\System\mRMvvwp.exe

C:\Windows\System\PXxXMNE.exe

C:\Windows\System\PXxXMNE.exe

C:\Windows\System\GAKNYvt.exe

C:\Windows\System\GAKNYvt.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2668-0-0x000000013FDA0000-0x00000001400F1000-memory.dmp

memory/2668-1-0x0000000000180000-0x0000000000190000-memory.dmp

C:\Windows\system\HfwmpqZ.exe

MD5 addc9769c41178e3afe031fb572b5597
SHA1 ae8c5131d6506c5e9d3449de9be85e6218d90fd3
SHA256 d3a2c765f0944f8e8744993adc692e30975ef686c733e9c43dc1bc80556ac364
SHA512 df0d47467510d5ad9a8cdb7bdccd6330eabb2ed9dd9ccccb65ed880c1e6919d277e6cd1d5f39a22ccbda7a872b3ebb1a0c5c768e816da41aa093ab81f4e47e55

\Windows\system\GRFRMnc.exe

MD5 ca332066ada1fa08fec7811ace0ac2b3
SHA1 536f73317ae9c47221c243431658a9170cc29857
SHA256 799a97f952620f70c5fb690ab8db57f6871da228ae248284dbe1c5b511e60d31
SHA512 c68eb4e0bb540c47a54825c0a1b4f8bde9832c51b588ba4f3f44e288699a3b44bd7d762a9073c30a23a3613aacd86cb9c89a4b77a9d5a3f14c29e140601f0be9

\Windows\system\LzeJkoK.exe

MD5 210e65747bddb81f5d59f57c3a61f0e5
SHA1 170810390d3eeaa7f437bee7f5ec211aadfaa244
SHA256 642d62bede09fe1144966472c7a589b1c3cd15561d7fe5a5f3df7db6f8527527
SHA512 696bdea442e7d56e14c877966172b9cb1c0d9359de849c476d76a46fd17fe7f3f88497ce577948af24b3d5a7d862da5a78dddebf347e14d1956a2eecae85c3ad

memory/2724-22-0x000000013F1E0000-0x000000013F531000-memory.dmp

C:\Windows\system\XLBsNhV.exe

MD5 6df3e03d659b2766e51f1aa50f200664
SHA1 294a425ab64067f53161355c6a4028d4e3ea2032
SHA256 1b81fa5493a9bda3a19461972afb85a4892d972b2e33448813d0d74e930b4795
SHA512 ab256103667c40dde6623e13d2135b57cd4c32d6933e028e0cf1f391dfce32ea55b0b131c565a4906c29395dfa76c8b80040b549b1e0f704ccec5c1a52d9f405

memory/2668-112-0x000000013FDA0000-0x00000001400F1000-memory.dmp

memory/448-114-0x000000013FF50000-0x00000001402A1000-memory.dmp

\Windows\system\PXxXMNE.exe

MD5 1769f38bc396850baa66aab977f08632
SHA1 fc8cfbdf51c72eb2b65becb6284029388d9d39c4
SHA256 0f98587705f3e5e198611a947ad16312048d8f6bbb417f31b954eb81add05757
SHA512 d29e6301342b2964e926775a5cb85cb696d25a47b983f59d590e8fdd016dcfc66dd61475d14be1d99a2052079883574078bad1b2aef5bd1f07ae97b431438268

C:\Windows\system\tYxKCyM.exe

MD5 584ebdce469470f193bf34194ca72328
SHA1 ffaefa8b0f3227acf7f849d888faab86bd81f76d
SHA256 3cf9ef5b0b7b65783394bf26ec57660cb872b7c85d31b3ad1205169d260d11e1
SHA512 54aaead0569a0b85959c46536da6af3cb4828dc8bddd277334538ff330285dea52409e047db4e4c1ceab256869727587f60799845499581478fc1b1ba1a46e83

\Windows\system\XgWrwuT.exe

MD5 107f345a9caabd0e79d1fbf295233f34
SHA1 d4f5929018ab4728521e6a7a7c59da8be00b66f3
SHA256 f542dccf72f0fafc5feb668b48532c6da3b955052500ceac1e3db34205bf26d6
SHA512 b55cf9c59244ebe735e89feafe008cefa527659373f41a6ead7667d0e5b1647f8f26827f6ed9816ca1280555a6d09beb1fe77c0a80665ab0885fb59625db470a

\Windows\system\OGWvXqk.exe

MD5 6bce175d37520677cdbbb606b036c580
SHA1 dc6d02ee2fe979ee86b8e2e2b319320f115136f9
SHA256 33691005fd7a38a00f2f886091e1e9f1d466e17cd5aca406944793f5e6a17365
SHA512 bfd8f402578cd035f8296641444e0b84c806c007811b1138d8711538be5c0047ba30b36ed4ccaea4133cc04f322e2a4851f1ce27df7b625845efd51680c3e9d1

\Windows\system\SSboKPb.exe

MD5 79db950576fd5cd6e818754333587779
SHA1 9df008125668fd212448b0a51f6d86da0168d14f
SHA256 ea69b0dc68ec6b1d040312a525e8b3db213e6b2f391ab61b7a9247e40c690c81
SHA512 b9b71ae67b2cc191511f7ff8656141c05fe78cda17388d82ff0d93d26489c870151705e5fb20804dc56f338d3b5508480c7e283653341daad4579bfc45a53468

C:\Windows\system\xRODdQP.exe

MD5 9d6701cf71511b63164ec6618ad91125
SHA1 f9a0bd1061d3a5e54a019cc39151d7296c313623
SHA256 9a2b19f10bdda5917c5d23dcda2d8e7fda64fbb200663414d4b74cc3a5a46d6b
SHA512 47bc569fe7accb42caae4c1460836aea68178a2ffb3ab714c1ca39ce7be5c2356dbcc7db815d1696a6223da47968959ee1989259d70dac68e6cde4c6606fe629

C:\Windows\system\UVhDMjD.exe

MD5 9fa8a37bca315446564a42795f9e20da
SHA1 36452a817dd3d73e35968d644a3d09728a184109
SHA256 ccea00037e960d2188ab543bc454cd83db4e24a945540a86cdc4bee55f2b1658
SHA512 121659404a985590d9dbacc3a08fc38becaf14385a48587af871b06e607894a3b5ff66a43e5dab5bcef50698b1f65f3a1822f2c806c09dd4997af6cec42abac1

\Windows\system\KATgFmA.exe

MD5 08951e54a9ca0a3a8856377a939308ac
SHA1 72dac10f55e5c961d5e00c981d18524f077cad8e
SHA256 23d854f82f77f6fb1f64873a27fe4b1e0dbc1596ee54ddc8c65100433b8e8f1d
SHA512 c7cc013b8327d7547a1f93f6be16404ee720e68180bcb5dd44d789c86540c33416eb176ef429ad184713cf8fb88727dedb64ec32cab5654bb22f2f36ff02a59e

\Windows\system\ifhPzxF.exe

MD5 66a8cd87c245bd2d2f85852176726450
SHA1 b1ebdfa523855c0d57d52c555aca2ef231b36cdc
SHA256 550018e45a3db9f2da11cce46dcd73c806fa7f07c65630492710ec467c2c3e97
SHA512 82bcca5c74bed92f3d903b060f403a73dfe97873379096d804ddd4a4438350db4837d748067650bb28fd8733f80616c980cc8b81407a93d5008db412d8ccb1cf

memory/2592-53-0x000000013F810000-0x000000013FB61000-memory.dmp

memory/2668-52-0x000000013F810000-0x000000013FB61000-memory.dmp

C:\Windows\system\MiqkgUZ.exe

MD5 f4b9394420a06b44a607349bb88b4074
SHA1 72df58a1c8a5ff8c32ed3c0730a1826a7fa8ef97
SHA256 d74a4ac5d00c8fc0601461c4f41e03a25824953b9634376ac35a88855a06f0e1
SHA512 9e5308605436c01b80e2498c0d26e20387a38afad9e1eee1a6a8f7bd9bfea2f9e67166a9333a8fb6fa957d1427e8da6249a08f4af49b6a02762c9aeb0ddfd4de

\Windows\system\hsEVMKq.exe

MD5 8f5dbdfd1d9bea90184f4e3d427f9079
SHA1 b62e247ecff213c61cbf71397c6a6fb0e5c73527
SHA256 aa8385e887167992fb0730a41f3cc82f93659ccdb242c1157592adc66bb8f3c5
SHA512 cfe50695d96033e6d1eb3581b318ac0165ab786fd8e30a108c33eb80e164ce43cfbe9afd28a06ea75ebe3fc99349a0fb31509095373bdb892106de62476462f6

memory/2668-42-0x000000013F580000-0x000000013F8D1000-memory.dmp

memory/1528-113-0x000000013F8F0000-0x000000013FC41000-memory.dmp

\Windows\system\CxhGzCG.exe

MD5 1697cccd2943608047429f500464223b
SHA1 8daab355aefa794296dc767ea88b6e086f4c46a4
SHA256 ebb186238bfa8fa3dc6c974b9a759eb644bcdd793ddb25bdb42d86e8fb11e9ae
SHA512 ca007af37ab8cb038b329d63185743393d7d04588e3397d5fd5d477d9649f5a45f8aba545f1615310de03f89ec93a703030c2795c9acd68ffe886d878531d55e

memory/2668-111-0x0000000002380000-0x00000000026D1000-memory.dmp

memory/1848-110-0x000000013F170000-0x000000013F4C1000-memory.dmp

C:\Windows\system\GAKNYvt.exe

MD5 1424369f4f5f02cefb87f4d2fc6c507e
SHA1 54289252eb930ac00392aee54764a585e231d7eb
SHA256 4f2f62cbf739fa200dba38dc8ed2c8588d99854de87a6dfc63d78aa812cee87c
SHA512 e4c75cdbfbd892f30c9da5a944f574f2bff77cf905c32eaf6c8e98b923e5371b5ab626300999bf70a88432dfa1749943978078da952e292272a853d7dec81d27

C:\Windows\system\mRMvvwp.exe

MD5 24db6371787490c84e77f2c1dc3d519a
SHA1 9438ebb6a9f36280a2d423a64f7197bd6bf2b2bf
SHA256 1e03d8bf5248b8a7d421d256f6a3af87b1a185878452cee55a876bc82da25a7c
SHA512 7215ceea236d320886f233fc494d572f17be1bf1b868212422e1fad8a90924e3ce9d789ff945e6968468e6b2b1d353d48835ec81668c8d45ec74500ab95a28ee

memory/2668-107-0x000000013F3B0000-0x000000013F701000-memory.dmp

memory/2668-106-0x000000013F170000-0x000000013F4C1000-memory.dmp

memory/2396-122-0x000000013FE70000-0x00000001401C1000-memory.dmp

C:\Windows\system\oNNcrOq.exe

MD5 c47da5720218b6a625d469bb83c3eb73
SHA1 c2377ae735f9c10cf86b1f7f8445dd78f8f5a523
SHA256 1dd22ce585e180095e2342959385580e78fa74d2a471e41440b6f2c30a6d279e
SHA512 5c16b8b792d018e3770f9afdac5136aa61d0e1b8776ac305eb8f3e4cfd1944d331aa8b039a4c5b8ddf28b28ae13c651dc7565f0ffc5dcf0286da4062059efd96

C:\Windows\system\VOfjJUR.exe

MD5 ef35230e5fa2da66ddf92e5856f92777
SHA1 15ee260aa42cb87f585710e3bbe7fbc318c91445
SHA256 91b15f2354125f2c840ff64b4c67681faf08a80710345155055ad74ce1734d4f
SHA512 b30c161e6b35998d8a693974ccd6a03c8897460c19e28395528dbc25b0e79ce1c94800d78be07d60798c3caf87203b613b7be8e8f07c67ef4b2f8ec8b0437dbd

memory/2668-88-0x0000000002380000-0x00000000026D1000-memory.dmp

memory/900-80-0x000000013FC10000-0x000000013FF61000-memory.dmp

memory/2844-123-0x000000013F580000-0x000000013F8D1000-memory.dmp

memory/2668-57-0x000000013F4D0000-0x000000013F821000-memory.dmp

memory/2844-46-0x000000013F580000-0x000000013F8D1000-memory.dmp

memory/2836-37-0x000000013F990000-0x000000013FCE1000-memory.dmp

memory/2668-36-0x000000013F990000-0x000000013FCE1000-memory.dmp

memory/2396-29-0x000000013FE70000-0x00000001401C1000-memory.dmp

C:\Windows\system\IhYMsiF.exe

MD5 5faf9e74c2e840e994b597466dd06590
SHA1 d66935032963f8a477b567706f13fe1ef4354fcf
SHA256 afbc7808991e7e7f1b437a5504e382f00f9ae4d51f1ff4c4b0ee52e51c8e1c17
SHA512 68184bdafd6e81d61e05138b08261bc778d6f1dd692264cadcd8897e51152787f214aad02a830d9c5eb0e82d0d03ebc10e8c6c69eaa98695fb80b885931b76fb

memory/2668-27-0x000000013F030000-0x000000013F381000-memory.dmp

memory/2668-26-0x0000000002380000-0x00000000026D1000-memory.dmp

memory/2728-25-0x000000013FC80000-0x000000013FFD1000-memory.dmp

memory/2668-24-0x0000000002380000-0x00000000026D1000-memory.dmp

memory/2804-23-0x000000013F030000-0x000000013F381000-memory.dmp

memory/2668-19-0x000000013F1E0000-0x000000013F531000-memory.dmp

memory/2668-133-0x000000013F8F0000-0x000000013FC41000-memory.dmp

memory/2668-134-0x000000013FDA0000-0x00000001400F1000-memory.dmp

memory/1808-150-0x000000013FD50000-0x00000001400A1000-memory.dmp

memory/2896-155-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/2760-153-0x000000013F540000-0x000000013F891000-memory.dmp

memory/2376-152-0x000000013FC00000-0x000000013FF51000-memory.dmp

memory/2984-151-0x000000013F3B0000-0x000000013F701000-memory.dmp

memory/1496-148-0x000000013FBD0000-0x000000013FF21000-memory.dmp

memory/1584-146-0x000000013FC20000-0x000000013FF71000-memory.dmp

memory/2620-144-0x000000013F580000-0x000000013F8D1000-memory.dmp

memory/2652-142-0x000000013F4D0000-0x000000013F821000-memory.dmp

memory/2904-154-0x000000013F170000-0x000000013F4C1000-memory.dmp

memory/2668-156-0x000000013FDA0000-0x00000001400F1000-memory.dmp

memory/2724-223-0x000000013F1E0000-0x000000013F531000-memory.dmp

memory/2728-225-0x000000013FC80000-0x000000013FFD1000-memory.dmp

memory/2804-227-0x000000013F030000-0x000000013F381000-memory.dmp

memory/2836-231-0x000000013F990000-0x000000013FCE1000-memory.dmp

memory/2396-230-0x000000013FE70000-0x00000001401C1000-memory.dmp

memory/2592-233-0x000000013F810000-0x000000013FB61000-memory.dmp

memory/900-237-0x000000013FC10000-0x000000013FF61000-memory.dmp

memory/2844-236-0x000000013F580000-0x000000013F8D1000-memory.dmp

memory/1528-239-0x000000013F8F0000-0x000000013FC41000-memory.dmp

memory/1848-241-0x000000013F170000-0x000000013F4C1000-memory.dmp

memory/448-244-0x000000013FF50000-0x00000001402A1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 11:43

Reported

2024-10-25 11:46

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\mqGotzV.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AHpQJUU.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WxZasJF.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uXhTQup.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nlqSvUa.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fzEIlPG.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qhBWNSy.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WKnMQBb.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CGyYIBi.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XeKzmZn.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SuSkgyK.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KHYRIRS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TzyZOWR.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bluUQLK.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TWDvdiL.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VkBrETh.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nuyniPQ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EGLuNjS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KaPOtUi.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KgCBYTr.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WHfBIJJ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3620 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KHYRIRS.exe
PID 3620 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KHYRIRS.exe
PID 3620 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TzyZOWR.exe
PID 3620 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TzyZOWR.exe
PID 3620 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mqGotzV.exe
PID 3620 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mqGotzV.exe
PID 3620 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qhBWNSy.exe
PID 3620 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qhBWNSy.exe
PID 3620 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nuyniPQ.exe
PID 3620 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nuyniPQ.exe
PID 3620 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EGLuNjS.exe
PID 3620 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EGLuNjS.exe
PID 3620 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WKnMQBb.exe
PID 3620 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WKnMQBb.exe
PID 3620 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AHpQJUU.exe
PID 3620 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AHpQJUU.exe
PID 3620 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WxZasJF.exe
PID 3620 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WxZasJF.exe
PID 3620 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CGyYIBi.exe
PID 3620 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CGyYIBi.exe
PID 3620 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bluUQLK.exe
PID 3620 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bluUQLK.exe
PID 3620 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KaPOtUi.exe
PID 3620 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KaPOtUi.exe
PID 3620 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TWDvdiL.exe
PID 3620 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TWDvdiL.exe
PID 3620 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uXhTQup.exe
PID 3620 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uXhTQup.exe
PID 3620 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nlqSvUa.exe
PID 3620 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nlqSvUa.exe
PID 3620 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XeKzmZn.exe
PID 3620 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XeKzmZn.exe
PID 3620 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KgCBYTr.exe
PID 3620 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KgCBYTr.exe
PID 3620 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VkBrETh.exe
PID 3620 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VkBrETh.exe
PID 3620 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fzEIlPG.exe
PID 3620 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fzEIlPG.exe
PID 3620 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WHfBIJJ.exe
PID 3620 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WHfBIJJ.exe
PID 3620 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SuSkgyK.exe
PID 3620 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SuSkgyK.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_0b1f5a6d0b17fb6b2290043a09e4c754_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\KHYRIRS.exe

C:\Windows\System\KHYRIRS.exe

C:\Windows\System\TzyZOWR.exe

C:\Windows\System\TzyZOWR.exe

C:\Windows\System\mqGotzV.exe

C:\Windows\System\mqGotzV.exe

C:\Windows\System\qhBWNSy.exe

C:\Windows\System\qhBWNSy.exe

C:\Windows\System\nuyniPQ.exe

C:\Windows\System\nuyniPQ.exe

C:\Windows\System\EGLuNjS.exe

C:\Windows\System\EGLuNjS.exe

C:\Windows\System\WKnMQBb.exe

C:\Windows\System\WKnMQBb.exe

C:\Windows\System\AHpQJUU.exe

C:\Windows\System\AHpQJUU.exe

C:\Windows\System\WxZasJF.exe

C:\Windows\System\WxZasJF.exe

C:\Windows\System\CGyYIBi.exe

C:\Windows\System\CGyYIBi.exe

C:\Windows\System\bluUQLK.exe

C:\Windows\System\bluUQLK.exe

C:\Windows\System\KaPOtUi.exe

C:\Windows\System\KaPOtUi.exe

C:\Windows\System\TWDvdiL.exe

C:\Windows\System\TWDvdiL.exe

C:\Windows\System\uXhTQup.exe

C:\Windows\System\uXhTQup.exe

C:\Windows\System\nlqSvUa.exe

C:\Windows\System\nlqSvUa.exe

C:\Windows\System\XeKzmZn.exe

C:\Windows\System\XeKzmZn.exe

C:\Windows\System\KgCBYTr.exe

C:\Windows\System\KgCBYTr.exe

C:\Windows\System\VkBrETh.exe

C:\Windows\System\VkBrETh.exe

C:\Windows\System\fzEIlPG.exe

C:\Windows\System\fzEIlPG.exe

C:\Windows\System\WHfBIJJ.exe

C:\Windows\System\WHfBIJJ.exe

C:\Windows\System\SuSkgyK.exe

C:\Windows\System\SuSkgyK.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

memory/3620-0-0x00007FF680410000-0x00007FF680761000-memory.dmp

memory/3620-1-0x0000025379DF0000-0x0000025379E00000-memory.dmp

C:\Windows\System\KHYRIRS.exe

MD5 8fe6c15089db5e9909d925cc002c84aa
SHA1 d3fb891698a4c5161ed5f9ef6ba7dcc7d2c50e55
SHA256 9508af0b425adc6e56a3ab34dd5144d749c6361cb85d96e72476355c6865a91b
SHA512 bdc708752ab87b33d7ca15f0cd66b35d5609d71ab179e942ddfd18fbe40370576b7e3464cbe4ad0dfe4caeabc3f4332c95bd6772a8102134b7c4788bc70a4957

C:\Windows\System\mqGotzV.exe

MD5 9d67be0afb749b0e3402caf1d67b9adc
SHA1 25f87ae8e44f309ddb87adc93cdf97042ea9d42c
SHA256 b2bd9f8bed2e22e9cdb3daa837c174817e330ab9249c7f37a1c336962c872173
SHA512 230a553ed72c43606a1b00d5c9e6122c9b1f305baa27be83bb3ede55bf2d573f7b46f4dffd35d6205acd14a381ee8ec2d90d56951c474da66a0f6065a60a725d

C:\Windows\System\TzyZOWR.exe

MD5 09a3749af18a8d9ced617071dade77a0
SHA1 10e0a62c16633a1b6f1953ccebe752c0b4183de6
SHA256 6ca47ef9c40bfff0c907962dcf4ea6c14bea04e0c4500616af4c44cae4968eaa
SHA512 f9f949a7ffaefd3e6318bb42a9c989e64463079900a1ad6343f81a7b68b554e17555c1d0a1c52c516aec2c464224d499f011a78ec519086ddc8320bea64c95b7

C:\Windows\System\qhBWNSy.exe

MD5 9ebe4b6820150aca124a5ae45072738f
SHA1 6b7ccdda5786282213536fc6fe2110900a83073e
SHA256 658922695235798b80801f626fe6fff149415798df334b20c9d97a8c0a019514
SHA512 a1326be6d7b8fb3b9147dae2b063bb7ba78adb391db3037bfece89f76ad92e6269dcf42ecb1c98001de795a640250960b22edc34e2fd38090f638d83ab32e9c3

C:\Windows\System\EGLuNjS.exe

MD5 a63352dd3684d50d6950d03101c657d4
SHA1 37fe5552310c562f2d1ee50544ab8593909b50ed
SHA256 329f1e791a11a8b1b3b18dc04b4acd267d2f4945e53d9171e392023311b24289
SHA512 e8857c31527cfa445fb60dc710ab8bc9eb813b7093d4367068714e6c4883360e732e62d8901341c88fe62c12400500d2678f39b63b4d235a7dda74652d131f6f

memory/2908-26-0x00007FF7B96A0000-0x00007FF7B99F1000-memory.dmp

C:\Windows\System\WxZasJF.exe

MD5 502acc8c294009ed8f844a30d3ea54a5
SHA1 7a42cb2981b90d44a4eaa91090bb57735c9fb7c6
SHA256 3fbd67dd514a2a12c78f42b781f5df845bb882deb9db28f87855225651bfe625
SHA512 289a6e7b2ff2e4f126a02c35247f8b88b05b03d8498ed399744244ee215b54cfde01fdc4d9c005cdf8476e7d25dca45ddc1cd262a6ada3e8d2307712fb2dcdb9

memory/1996-41-0x00007FF7D7DA0000-0x00007FF7D80F1000-memory.dmp

C:\Windows\System\KaPOtUi.exe

MD5 2d1e8e475825b86ee5417f1ec0089332
SHA1 671001d1ed9323008ee0984bd1dc188d6e608856
SHA256 86ade7804151f3b8fc68c8cdd468a727eb8e0743060e15522a39b122436b17c3
SHA512 b1ece08abe5996f135a401c5cccc8455800ae988b965bef50f96684fca2e8ad92556f821df8ea2e29b3f17b9ff5e5ace2b5281e26a71e335dba2d200c712a134

C:\Windows\System\TWDvdiL.exe

MD5 05675cdfe7a95f7b0038bbb4f136fd75
SHA1 79ecbfa6b3960e4dc95617434a0b80640c71c459
SHA256 ce3746e6b73632cc274d7a50a4057dea385cc4830dfe77e981da087c1d1f37ba
SHA512 dce3ce454c14fa0e651270ef42435a2156df997df3a8fde9e8958aa0f987bfbe7f1a84359750395c9955d5a931890d7e3f3973782a907313f810dc020ff53863

memory/3784-75-0x00007FF7DEAF0000-0x00007FF7DEE41000-memory.dmp

C:\Windows\System\uXhTQup.exe

MD5 0a479d2de06167f240907a00973d3f99
SHA1 3b7e2c0e0dbf256292217db2bac64418a7c104d7
SHA256 e952a9144d5c50761b54b7a22255a21e9f670fbff951ce2029a9e6979d20a35e
SHA512 4ea8e122272c75eb0dfba6928c949f61af89fae751c2063e12fbb287ab330ab2df67c6f23db7112e3b2083e1ab1d7300c0322751f6585edddaa3f3972b6efca5

memory/4084-85-0x00007FF7ADB70000-0x00007FF7ADEC1000-memory.dmp

memory/4632-86-0x00007FF6A8130000-0x00007FF6A8481000-memory.dmp

memory/812-84-0x00007FF731630000-0x00007FF731981000-memory.dmp

memory/3380-82-0x00007FF63CD00000-0x00007FF63D051000-memory.dmp

memory/3600-77-0x00007FF652DC0000-0x00007FF653111000-memory.dmp

memory/3612-76-0x00007FF6A87F0000-0x00007FF6A8B41000-memory.dmp

memory/2544-74-0x00007FF699800000-0x00007FF699B51000-memory.dmp

C:\Windows\System\bluUQLK.exe

MD5 8bbbe288fb9670267c0cff8c60734b25
SHA1 6131e021c2473efdfd79f0bede3afcfe8e392e8c
SHA256 fde8dc76a5d485425b5ccc330f34ef41583678b25407a2a30cc5741eab0fecce
SHA512 20ab45d5054fe46e918575f632a712c2ec9ee44019daeefcb43cc119fb9434d73ecbae9c8f86481827926c4f19d2de7b8c62c653e73fdc5393cc82659c0e7851

memory/1856-67-0x00007FF695BB0000-0x00007FF695F01000-memory.dmp

memory/2468-62-0x00007FF7C7070000-0x00007FF7C73C1000-memory.dmp

C:\Windows\System\AHpQJUU.exe

MD5 981658d898cd276ce9bea8355f6b38c8
SHA1 34459c9bdc2e5866f16a0da0eae5d37107f3f247
SHA256 88f4c3e4ebd37cb7dd21962267fdded8bc332f0c23560109fcc096aced22f6ed
SHA512 b5986ad32b83c6f9b2a04b3cc2b467db2e3785ea499220ca7c3d79566e0f4e751d8a8f2d2a5a098470ed2287c4c29e73b1b863f7aa14395a506c0e7f0547950e

C:\Windows\System\CGyYIBi.exe

MD5 f3a56ae2ccaaa9da2586d0716d6bb302
SHA1 2f5e6808f970eee217047536c94e7a2bf5992518
SHA256 5ab730f7cdb140465ec0b91dbac9d8e503e8ae9080a28e0dcea81b2bc23d1311
SHA512 6f5d1b36bda3edeeabd5651ab53cde7bcf8dfb37c20bd04c053128756022f4c6b3e3b303526f36aa18f9a83ac2ff673895f8f9a787307eb6bf5fe0ae6156acf0

memory/1632-53-0x00007FF7AE840000-0x00007FF7AEB91000-memory.dmp

C:\Windows\System\WKnMQBb.exe

MD5 3535c450e4a48740b4b8a297b46727f0
SHA1 dd4a7ef7def254c8fb45192ab690fb7b315970cd
SHA256 072cd0aad843a785af5b79b697b853441317f4905e51e73029c564c010f79007
SHA512 c4896105796a2670e2ea09585450bcd8daeaaa93e1f231d9dc62bbb1600b07da8b09eed410a2213d0d82acbc5b24d9e47a778cb7a41b63439b0054be56a0bba8

C:\Windows\System\nuyniPQ.exe

MD5 06f8117a8296c1f488445cfd7e785308
SHA1 9f9ea9c4b31e0887af39176d8e0229d7b4843b2e
SHA256 20a0e1b51e74821a92ff6fb6ab0d14102a8d3e7a7b3135d31e79a0be79d95c79
SHA512 09fcaa49150bbeddb3b5c92e176e8c03b8f65699e4c883a6be05ffab90d283cbcf82cc75f14e3aa1d20e4941056a18310a1ea7731a3a82c85e4aa8af9128a3e7

memory/2472-7-0x00007FF6238A0000-0x00007FF623BF1000-memory.dmp

C:\Windows\System\nlqSvUa.exe

MD5 9c7ceb9d65fa7030766b8411f55f0f8d
SHA1 424c08e9588e70ba357223b3a00e4a79fb7ee6e8
SHA256 cafb9dc4dcd93d075f93e3b1593b5aa150ec9a9e57c71dd2db9edd65f95fb11e
SHA512 65dc1d69ec4aa65ed809e6696d3bb178c4f2d857b2f3f38b19f595733144b54f5827975805e8d8120c023dd57f4b5fc4f73a423fe7d47ca5f60d1ed877792a66

memory/2360-115-0x00007FF70F380000-0x00007FF70F6D1000-memory.dmp

C:\Windows\System\SuSkgyK.exe

MD5 d14667efb4c0e79f8d8768ac0c2f2fa4
SHA1 e970642fa737e755240058435f5091fd128222a9
SHA256 7fb33dedcf5d022cbb6f322634eeb8eaf6e9bb543b23161fcd1f1b74b110755a
SHA512 a6aa407fe68c00c4f909f59e813ffc709abed0d0704653f8b81f1e4b3be960918114417701e435d94da8d116104f955022f17c67791f97392aebeaefeeeea839

C:\Windows\System\WHfBIJJ.exe

MD5 dd1108ba905719b597d87855c18b67e5
SHA1 224dc98c10f580ecce4bb7cb86b89cfe28114dfe
SHA256 1f5c419ff88aeede61098337a1ef2104107823ee730105a5b01d4f57e400c919
SHA512 568e3a2809369a49dd1e9cd9f34f6672e14e4bd97f10e1a92d5d4a4bd783ab400b90c68792ee46a132287999c2f6a36d7d43d8023e1d7924fa427a7d60f7140a

memory/1264-119-0x00007FF7B4640000-0x00007FF7B4991000-memory.dmp

C:\Windows\System\VkBrETh.exe

MD5 b09455d43a61eedcbcaf6055c797a852
SHA1 af6e0950e543479fb7298935a6f6391ca56b44e2
SHA256 e5af2565b6dc829c8cc7414d48ef1b1e554f37543e9cac742d6f163fc429e3bd
SHA512 789ad17c13a7e919f077b031686f3ecb582f5a23d5bbfd0fae80bae169fc386e43ec42b5b056f28a735efcc5ad62275bde70a109cbbafbe3085dd993a4b91ae0

C:\Windows\System\fzEIlPG.exe

MD5 2628d9f09a29e149505aa5e5aa5340c5
SHA1 a653ccc4724f058eda9f371941a35a7d82bbf088
SHA256 4ae65e5e8a4a6e2c90fcf7fdb983292962278b47c9380de3a26716001ce945ae
SHA512 bd7b8c02f333b079fdd52a572672d9e3c76de5f7c332a1f99aa0f917a14d3a71932f42cd5cd11c19434148d409364d25ac6157e2bdb6ce8e68b34468c655c14d

memory/3936-106-0x00007FF63EF70000-0x00007FF63F2C1000-memory.dmp

C:\Windows\System\KgCBYTr.exe

MD5 1f138966560b4d651fb979f4f71e6721
SHA1 ecbbdf24046487665e632543331dbe8182da0b3d
SHA256 35e78fb6c6e7619850fa26fe2fe0a8473e83a7585e0becd143070e8bd9c2823c
SHA512 d4096744b056b36c7c043e0cb806bad7e536ac5d046dba17ae348f47eacaf76f6800c87cdb5ad8787552cd03432c86edc131a6a12af7dd12009969e9e963508a

memory/1692-100-0x00007FF7A0090000-0x00007FF7A03E1000-memory.dmp

memory/3620-126-0x00007FF680410000-0x00007FF680761000-memory.dmp

memory/2472-129-0x00007FF6238A0000-0x00007FF623BF1000-memory.dmp

memory/1564-128-0x00007FF629DC0000-0x00007FF62A111000-memory.dmp

memory/1996-130-0x00007FF7D7DA0000-0x00007FF7D80F1000-memory.dmp

memory/1632-131-0x00007FF7AE840000-0x00007FF7AEB91000-memory.dmp

memory/4120-127-0x00007FF6B42B0000-0x00007FF6B4601000-memory.dmp

C:\Windows\System\XeKzmZn.exe

MD5 c10e837830a64a93cb1f0df82dfffb06
SHA1 3cdacd2c32687073c317f2b0e31a764e7b292934
SHA256 c2e9c4f1715e5365171c22a1929e997ec2deb3495d3167f9d7497432bbfe15a3
SHA512 85fc53a70fc8dbce3cff081fd0b2548a46bf1229560fac0b3005c87f9bbfce91eb36c8534caa434ef79abbe4458ef9657441c4ba76cef99f2a7e4e158b3012bd

memory/1040-92-0x00007FF709C90000-0x00007FF709FE1000-memory.dmp

memory/3784-132-0x00007FF7DEAF0000-0x00007FF7DEE41000-memory.dmp

memory/3612-133-0x00007FF6A87F0000-0x00007FF6A8B41000-memory.dmp

memory/3620-134-0x00007FF680410000-0x00007FF680761000-memory.dmp

memory/1040-149-0x00007FF709C90000-0x00007FF709FE1000-memory.dmp

memory/3936-151-0x00007FF63EF70000-0x00007FF63F2C1000-memory.dmp

memory/1692-150-0x00007FF7A0090000-0x00007FF7A03E1000-memory.dmp

memory/2360-152-0x00007FF70F380000-0x00007FF70F6D1000-memory.dmp

memory/3620-160-0x00007FF680410000-0x00007FF680761000-memory.dmp

memory/2472-214-0x00007FF6238A0000-0x00007FF623BF1000-memory.dmp

memory/2908-216-0x00007FF7B96A0000-0x00007FF7B99F1000-memory.dmp

memory/3600-218-0x00007FF652DC0000-0x00007FF653111000-memory.dmp

memory/2468-227-0x00007FF7C7070000-0x00007FF7C73C1000-memory.dmp

memory/1996-228-0x00007FF7D7DA0000-0x00007FF7D80F1000-memory.dmp

memory/2544-235-0x00007FF699800000-0x00007FF699B51000-memory.dmp

memory/812-233-0x00007FF731630000-0x00007FF731981000-memory.dmp

memory/1632-238-0x00007FF7AE840000-0x00007FF7AEB91000-memory.dmp

memory/1856-236-0x00007FF695BB0000-0x00007FF695F01000-memory.dmp

memory/3380-231-0x00007FF63CD00000-0x00007FF63D051000-memory.dmp

memory/4084-242-0x00007FF7ADB70000-0x00007FF7ADEC1000-memory.dmp

memory/3784-246-0x00007FF7DEAF0000-0x00007FF7DEE41000-memory.dmp

memory/4632-245-0x00007FF6A8130000-0x00007FF6A8481000-memory.dmp

memory/3612-241-0x00007FF6A87F0000-0x00007FF6A8B41000-memory.dmp

memory/1040-255-0x00007FF709C90000-0x00007FF709FE1000-memory.dmp

memory/1692-257-0x00007FF7A0090000-0x00007FF7A03E1000-memory.dmp

memory/3936-259-0x00007FF63EF70000-0x00007FF63F2C1000-memory.dmp

memory/2360-262-0x00007FF70F380000-0x00007FF70F6D1000-memory.dmp

memory/1264-263-0x00007FF7B4640000-0x00007FF7B4991000-memory.dmp

memory/4120-265-0x00007FF6B42B0000-0x00007FF6B4601000-memory.dmp

memory/1564-267-0x00007FF629DC0000-0x00007FF62A111000-memory.dmp