Malware Analysis Report

2025-08-11 08:12

Sample ID 241025-nwnxfsyeme
Target 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat
SHA256 6de8ba516b58e04a387136fb3ba0f971416ea4d33914c1b4668039c4ada51ed9
Tags upx 0 miner cobaltstrike xmrig backdoor trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 6de8ba516b58e04a387136fb3ba0f971416ea4d33914c1b4668039c4ada51ed9

Threat Level: Known bad

The file 2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobalt Strike reflective loader

Xmrig family

Cobaltstrike family

Cobaltstrike

XMRig Miner payload

xmrig

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-10-25 11:45

Signatures

Cobalt Strike reflective loader


Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted 2024-10-25 11:44
Reported 2024-10-25 11:47
Platform win7-20240708-en
Max time kernel 140s
Max time network 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\GLQeGfc.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fArwlXP.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\USJJMmm.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wgRUnKR.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JKHIqHP.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WoPWrfE.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GkdpCRQ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xNlEHOn.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PgahFZV.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rbyoHck.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MQAlWBT.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zXYHseg.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JyIRRGK.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UYFVPgT.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VrhQseS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KrVyTBo.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NgISrYm.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UskdRyH.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FvGcJCx.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CNvvSWX.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BfYCTvG.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2484 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FvGcJCx.exe
PID 2484 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zXYHseg.exe
PID 2484 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GLQeGfc.exe
PID 2484 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fArwlXP.exe
PID 2484 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wgRUnKR.exe
PID 2484 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CNvvSWX.exe
PID 2484 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JyIRRGK.exe
PID 2484 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JKHIqHP.exe
PID 2484 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BfYCTvG.exe
PID 2484 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UYFVPgT.exe
PID 2484 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GkdpCRQ.exe
PID 2484 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xNlEHOn.exe
PID 2484 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PgahFZV.exe
PID 2484 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WoPWrfE.exe
PID 2484 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KrVyTBo.exe
PID 2484 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\USJJMmm.exe
PID 2484 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NgISrYm.exe
PID 2484 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rbyoHck.exe
PID 2484 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MQAlWBT.exe
PID 2484 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VrhQseS.exe
PID 2484 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UskdRyH.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\FvGcJCx.exe

C:\Windows\System\zXYHseg.exe

C:\Windows\System\GLQeGfc.exe

C:\Windows\System\fArwlXP.exe

C:\Windows\System\wgRUnKR.exe

C:\Windows\System\CNvvSWX.exe

C:\Windows\System\JyIRRGK.exe

C:\Windows\System\JKHIqHP.exe

C:\Windows\System\BfYCTvG.exe

C:\Windows\System\UYFVPgT.exe

C:\Windows\System\GkdpCRQ.exe

C:\Windows\System\xNlEHOn.exe

C:\Windows\System\PgahFZV.exe

C:\Windows\System\WoPWrfE.exe

C:\Windows\System\KrVyTBo.exe

C:\Windows\System\USJJMmm.exe

C:\Windows\System\NgISrYm.exe

C:\Windows\System\rbyoHck.exe

C:\Windows\System\MQAlWBT.exe

C:\Windows\System\VrhQseS.exe

C:\Windows\System\UskdRyH.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

\Windows\system\FvGcJCx.exe

C:\Windows\system\zXYHseg.exe

C:\Windows\system\GLQeGfc.exe

\Windows\system\fArwlXP.exe

C:\Windows\system\CNvvSWX.exe

C:\Windows\system\wgRUnKR.exe

C:\Windows\system\JKHIqHP.exe

C:\Windows\system\GkdpCRQ.exe

C:\Windows\system\PgahFZV.exe

C:\Windows\system\WoPWrfE.exe

C:\Windows\system\USJJMmm.exe

C:\Windows\system\VrhQseS.exe

C:\Windows\system\UskdRyH.exe

C:\Windows\system\MQAlWBT.exe

C:\Windows\system\rbyoHck.exe

C:\Windows\system\NgISrYm.exe

C:\Windows\system\KrVyTBo.exe

C:\Windows\system\xNlEHOn.exe

C:\Windows\system\UYFVPgT.exe

C:\Windows\system\BfYCTvG.exe

C:\Windows\system\JyIRRGK.exe

memory/1952-239-0x000000013F980000-0x000000013FCD1000-memory.dmp

memory/1992-242-0x000000013F410000-0x000000013F761000-memory.dmp

memory/2796-245-0x000000013FC60000-0x000000013FFB1000-memory.dmp

memory/2788-249-0x000000013FA30000-0x000000013FD81000-memory.dmp

memory/2724-247-0x000000013F1F0000-0x000000013F541000-memory.dmp

memory/1996-243-0x000000013F550000-0x000000013F8A1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 11:44

Reported

2024-10-25 11:47

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\bzaYDqp.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vpTsrOF.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lUHwYSE.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rfAPYUx.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GoFXClv.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xOUcTWM.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YubogAr.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nHHZaam.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uhdAkTO.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xsQofnK.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AvrlSWz.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jXALLmJ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LICuuvi.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gpLPwwK.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yQpekzG.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mVeRaEj.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cqLKeRO.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AiouZoZ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rTxYdXU.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dMClBdU.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bwPEBkt.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 736 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LICuuvi.exe
PID 736 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LICuuvi.exe
PID 736 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gpLPwwK.exe
PID 736 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gpLPwwK.exe
PID 736 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YubogAr.exe
PID 736 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YubogAr.exe
PID 736 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nHHZaam.exe
PID 736 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nHHZaam.exe
PID 736 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cqLKeRO.exe
PID 736 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cqLKeRO.exe
PID 736 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GoFXClv.exe
PID 736 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GoFXClv.exe
PID 736 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dMClBdU.exe
PID 736 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dMClBdU.exe
PID 736 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uhdAkTO.exe
PID 736 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uhdAkTO.exe
PID 736 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xsQofnK.exe
PID 736 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xsQofnK.exe
PID 736 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AiouZoZ.exe
PID 736 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AiouZoZ.exe
PID 736 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yQpekzG.exe
PID 736 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yQpekzG.exe
PID 736 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xOUcTWM.exe
PID 736 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xOUcTWM.exe
PID 736 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bwPEBkt.exe
PID 736 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bwPEBkt.exe
PID 736 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bzaYDqp.exe
PID 736 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bzaYDqp.exe
PID 736 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AvrlSWz.exe
PID 736 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AvrlSWz.exe
PID 736 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mVeRaEj.exe
PID 736 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mVeRaEj.exe
PID 736 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vpTsrOF.exe
PID 736 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vpTsrOF.exe
PID 736 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lUHwYSE.exe
PID 736 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lUHwYSE.exe
PID 736 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jXALLmJ.exe
PID 736 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jXALLmJ.exe
PID 736 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rTxYdXU.exe
PID 736 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rTxYdXU.exe
PID 736 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rfAPYUx.exe
PID 736 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rfAPYUx.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_107df4901265f66641bc2b5c9c6fc2fb_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\LICuuvi.exe

C:\Windows\System\LICuuvi.exe

C:\Windows\System\gpLPwwK.exe

C:\Windows\System\gpLPwwK.exe

C:\Windows\System\YubogAr.exe

C:\Windows\System\YubogAr.exe

C:\Windows\System\nHHZaam.exe

C:\Windows\System\nHHZaam.exe

C:\Windows\System\cqLKeRO.exe

C:\Windows\System\cqLKeRO.exe

C:\Windows\System\GoFXClv.exe

C:\Windows\System\GoFXClv.exe

C:\Windows\System\dMClBdU.exe

C:\Windows\System\dMClBdU.exe

C:\Windows\System\uhdAkTO.exe

C:\Windows\System\uhdAkTO.exe

C:\Windows\System\xsQofnK.exe

C:\Windows\System\xsQofnK.exe

C:\Windows\System\AiouZoZ.exe

C:\Windows\System\AiouZoZ.exe

C:\Windows\System\yQpekzG.exe

C:\Windows\System\yQpekzG.exe

C:\Windows\System\xOUcTWM.exe

C:\Windows\System\xOUcTWM.exe

C:\Windows\System\bwPEBkt.exe

C:\Windows\System\bwPEBkt.exe

C:\Windows\System\bzaYDqp.exe

C:\Windows\System\bzaYDqp.exe

C:\Windows\System\AvrlSWz.exe

C:\Windows\System\AvrlSWz.exe

C:\Windows\System\mVeRaEj.exe

C:\Windows\System\mVeRaEj.exe

C:\Windows\System\vpTsrOF.exe

C:\Windows\System\vpTsrOF.exe

C:\Windows\System\lUHwYSE.exe

C:\Windows\System\lUHwYSE.exe

C:\Windows\System\jXALLmJ.exe

C:\Windows\System\jXALLmJ.exe

C:\Windows\System\rTxYdXU.exe

C:\Windows\System\rTxYdXU.exe

C:\Windows\System\rfAPYUx.exe

C:\Windows\System\rfAPYUx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/736-0-0x00007FF69A420000-0x00007FF69A771000-memory.dmp

memory/736-1-0x0000024B6E2D0000-0x0000024B6E2E0000-memory.dmp

C:\Windows\System\gpLPwwK.exe

MD5 9cb055380bb13fcd9c8f34250b24fd20
SHA1 ff5fb465354ce5e7d783b005796cd6f7f61316c8
SHA256 9c50c25b861d7d61fbae9d07afe4851c3dd6288e9cc12d7f0b725736c1a00ca7
SHA512 cfaef5354ab85439e839e394a62776c9d135f5d67d8c95f5e4d58c34733b88abd5a4981c32edc231f05803e889bf0ac4f02438d0e5606c8eccdc4602589d1498

C:\Windows\System\LICuuvi.exe

MD5 c44897545e36a760699593e4799fd846
SHA1 cc1e16c8027fd90a8e65b13e214bd490621307a0
SHA256 40f3362d86115dd2eac123d418224988ef73e1f88ce67f1ecc1e0152352014c5
SHA512 c15dfb9c393ba8a8544658e99922f0f8c597ffdd62d9bcd6aaf6ef978f76af3fdc3eb809ed2f7b5532efdb81d24319ab91ae2fbbbd28406dd51a0cd6f4f0202b

memory/4340-12-0x00007FF7EDF00000-0x00007FF7EE251000-memory.dmp

C:\Windows\System\YubogAr.exe

MD5 b3f431064b241702a9535bc8a667f2e1
SHA1 edf2b691f01d8df41b87f9c994a618f380625252
SHA256 f5a51ebb1079d4d25096cba554a2adb93ba042b613b609e109ecebf5ac1bcfc3
SHA512 ef6e11b09505cffee21c7f4d4ee4995d49be0bec4aef9c4054c75e448f37e5a54ed5f78725c39981b40452161c62c968702afe5c386643842bcca29c6f363d2f

memory/4968-6-0x00007FF776F40000-0x00007FF777291000-memory.dmp

C:\Windows\System\nHHZaam.exe

MD5 be06bd2193c5b7e9c6a6250c3f5e177f
SHA1 7670ecaedbdcaec8683f0a45aa772761982773d5
SHA256 2c8f546999abf141bed4a66c989d65dc976f50b43638e9965d34164b474d44a2
SHA512 d9860187df8096748cbc9298252e5b6678e26287c127c6143fad29dc5d44319d5d3f0a94f24e91bbba326bcea8161096b0aa4c9ecec645582927fce2917094e4

memory/4736-22-0x00007FF7A6EF0000-0x00007FF7A7241000-memory.dmp

C:\Windows\System\cqLKeRO.exe

MD5 f03a38de50319478b359bd4f82833139
SHA1 112d66194762f6adc2b3c380da042d9d5971e91a
SHA256 c3a816c0c46e7e9ac3a49fbff59d3de7695694d3dbade7728a4d277cac2a5cf5
SHA512 a388d8f23480020cc2ebd52747591022dbc1341f2d0d60b8cd3cea0554b770eea2311ba4b9f928e6a92a31be69af5b8ca25f4fc6d635e6241e8950e103503cad

memory/1036-30-0x00007FF758170000-0x00007FF7584C1000-memory.dmp

memory/3492-26-0x00007FF701FD0000-0x00007FF702321000-memory.dmp

C:\Windows\System\dMClBdU.exe

MD5 99bb52ec7f5f6172ded83083672078b5
SHA1 17371c6388a5a1cf138e6663edb1f2dedf756e1b
SHA256 c0668dcbbcd759c3e6358d48f43a9c4b6fdf644d92d56c7bea3e34f8c2735955
SHA512 ec09153f58a3fce54ca28370f39e0877e8defc51474f6b6831c4d63c25a400d2ce321e6735071728d51a237cfee04e6734570d7f45062e3f04bfcb7c430ac726

memory/2996-42-0x00007FF629550000-0x00007FF6298A1000-memory.dmp

C:\Windows\System\uhdAkTO.exe

MD5 a185f42175d2aa4394d74743b43f1593
SHA1 0d8a390718216c1587d6cb07e3bca43e7326205e
SHA256 a6bd83ef63baa09aac1061d4fb5f27cd5c14df4fc5b39095de8d9f07810461d1
SHA512 02443496fd2ea30f0522e2a776cdbd305022623ee6e004e7e92130d16ac48ae0d62aaad385abdfc4c261252c3c4440ef3de1dfed72e465e93ae4c6b027ef4a58

memory/4248-54-0x00007FF65BEC0000-0x00007FF65C211000-memory.dmp

C:\Windows\System\xsQofnK.exe

MD5 1685535d81b4887ae5d5a2bcac745a3b
SHA1 4fa186ca96d5e424159b87ff49d51b773b098060
SHA256 aaa56911b3fd8fdf30af655b08ed779ab5f7ae30392da12844be5aeb117339f1
SHA512 beb586bfef85b8822ae37290014e3fb1211a9e4ade161a46b3e9319c60aeaf1b82a80f9c8a601dc1740241819b829ff4103cda19071a1ddd79bab9d3d7796442

memory/736-53-0x00007FF69A420000-0x00007FF69A771000-memory.dmp

memory/4360-48-0x00007FF7AC720000-0x00007FF7ACA71000-memory.dmp

C:\Windows\System\GoFXClv.exe

MD5 72b990755e7bed0f23bef657b7973c2b
SHA1 8fe111338fd15833333310b38774ce7c14c52586
SHA256 7e6eb111ee6c794a87363df1183cbcbd5a19d6f2f3790b7384e7933cd41d8e74
SHA512 b9f8609ee7e4261dbe6a2c51e0d60a647f403ce7f49c2d62055ebb9640204fcead2a125824de8d79bac447742c01ae4c18a17d9d929c726324606609a53392bf

memory/4884-36-0x00007FF71C9B0000-0x00007FF71CD01000-memory.dmp

memory/4968-58-0x00007FF776F40000-0x00007FF777291000-memory.dmp

C:\Windows\System\AiouZoZ.exe

MD5 c24d72cf94bde2182a6e3f9b9b606726
SHA1 2525e787763ac167d2dfef9690af3e4682844174
SHA256 cbc3a918133532ecc55b9bb09f9b93a06cc9a8f17389df1e90b089b778c78a35
SHA512 0ccf991a4a2bf962e3c6613fd45b45219ec6e95c311e926ad884bfc57c9b880c85d7a5c7fd2aa74331602970a29c9f67c766fc0ec507167422ef3be9c7605f95

C:\Windows\System\bzaYDqp.exe

MD5 2e30e8a29fab014a0439fb909c19acd5
SHA1 a121d8029697058ab1f2796feaa65f7b6f4df48c
SHA256 dc04edcc99ef9f1645be4d9e99630ea69c654bf191f2ecc13045a0492acb8f86
SHA512 c15d5bc571fc25f3187d20e3fc63539656162a5b1979929ca582b461de0c5837c5bf775818d075f4e1db162bd2783bbfb504d21f6aa9aa472604e1a505379302

C:\Windows\System\yQpekzG.exe

MD5 1a3ec7b10f9715299fb125e81bbe5f61
SHA1 0a273f7c45a373d646154a06ba64d8ee5de4fe44
SHA256 95c97c15cb05c3cbfcf4d87e3254a25b4d487d32faa3440d69e8d193c6b2e5e7
SHA512 e4c85555359cfad2010734897c6dc1dee462bad6fc9b5d1bc061e93562788865456feabd05cc2e479591894da3c6802a9bc431ec1c640ddb36dc283292338c58

C:\Windows\System\mVeRaEj.exe

MD5 a1e665f800c5a617395c7d044b991503
SHA1 883ecd035224a3d8baeb7a49d37d4ae6a40051c3
SHA256 ecd5ba35440c413a8e8b0ab03ab480e3254ecee7ed4a833336ca1e1796c4c528
SHA512 8a4a6264b5895a70f0d6d6a38511ac0acb80a4859489f051aab7d90ee4ff6bfc16654acd3bc9f0d5a5f358ebfda99bc8f992e4eb6ce935c1069c1f7b6b4810a1

C:\Windows\System\jXALLmJ.exe

MD5 102931901869d0b51b7a706452561ee5
SHA1 98368a2cfbdda54acc233ba05fd3125de8240ccd
SHA256 089eb11e5079bc254a2afed217cf4b247be66f8f9acddfcbb479fdf44545602d
SHA512 e95fe0a18c546bf4e0e028c6a2cead3710b1cbf0e2b9cb06404e723ff3f090af67ae789fb18419483b9fe0da04d64fb474e3992b047eaa95f4399e1ba4941b90

memory/4244-124-0x00007FF61B580000-0x00007FF61B8D1000-memory.dmp

memory/4248-129-0x00007FF65BEC0000-0x00007FF65C211000-memory.dmp

C:\Windows\System\rfAPYUx.exe

MD5 6afe80759103b9b6e7dfdd62e2f5b0aa
SHA1 ab43ec813fc2af0bb62e3ddb6e82bcf111ce340c
SHA256 d071df460622a419f48f47ec8e2b7a61dd0aed76e3f0720c9caffae1761defe7
SHA512 3928fbb95b67bc5c1e03ea162d4cf6898a6878288427ce542a5f5648dba01dc53558c2fd9bc27f3dfd0af292658add83a89280bfa8a73e8126ea3adce212e630

memory/3316-135-0x00007FF799DC0000-0x00007FF79A111000-memory.dmp

C:\Windows\System\rTxYdXU.exe

MD5 fd71ac00f8d3cbd0f68acf4e76d6634e
SHA1 5f4e161974b61f0b4b510bcda9ba71b617826549
SHA256 34a31f169904c03acb69cd289a2494219cb7a1bafeace72e68d9313a88343359
SHA512 76a672eac3d0d6f87f18f806696ede042d809dbf770caff82f4df12cbbfd9c21b9be73d5ba07ee3409c9632c8b9d2d1489df2efab5d5be8a9bf3d8cd8249e237

memory/4656-130-0x00007FF683DC0000-0x00007FF684111000-memory.dmp

memory/4360-125-0x00007FF7AC720000-0x00007FF7ACA71000-memory.dmp

memory/1560-123-0x00007FF6BB460000-0x00007FF6BB7B1000-memory.dmp

C:\Windows\System\lUHwYSE.exe

MD5 b5c480e3dc89bc1978c5f30c78ecddf4
SHA1 bf0f1cf153db55865ba744d01146a973ee6e95c5
SHA256 e98f65d2981cff9d21434ae53537f5df4212ff67a89694c05ed7c52baede7ce8
SHA512 2f81a84cefdf806ef1a3d93b314ca0055cf7027f52f996cd1c7ca2b1e6e3d60ec6826b296da6540ee1df8519e7fc39620ef85232c68210078a8310a9a38bb730

memory/2996-115-0x00007FF629550000-0x00007FF6298A1000-memory.dmp

memory/4556-112-0x00007FF7E4C90000-0x00007FF7E4FE1000-memory.dmp

memory/4884-107-0x00007FF71C9B0000-0x00007FF71CD01000-memory.dmp

C:\Windows\System\vpTsrOF.exe

MD5 e2fef4a261635fd3c516f8b1da63ae5c
SHA1 c9d81097c667599f93588f53fbcc80c7fd725bd7
SHA256 1a366c21848039d7920e18eb746db046ef9fc707aae3fbe750bca242cccf4a24
SHA512 7f26827e4b8e4971cb26075998bce767eed20403c3422a1ad243af17c12f2278c5ad8f7b40fc3e92a268a93c899805d9b764314c3879ecd4f24d28385e4fe106

C:\Windows\System\AvrlSWz.exe

MD5 a282da00d456777da2c752ee5def6388
SHA1 89fea047f23a5a8288c4b6c44a1725ac71602b66
SHA256 e2273d8d2e8c1e9284c15a08acc61fbed4aa76d9897409acb3331f71c8c68f51
SHA512 3955657503b55b452b670dcfb10fd83c90c42d00cab8d0a96d9b4c145b8dae4759288fc1da5e4bbbd7bfa3e71fa71b018cba85057e7f5687ec2e1c68988c33b7

memory/3304-99-0x00007FF7754F0000-0x00007FF775841000-memory.dmp

memory/1036-98-0x00007FF758170000-0x00007FF7584C1000-memory.dmp

memory/1100-97-0x00007FF6DD0B0000-0x00007FF6DD401000-memory.dmp

memory/3492-92-0x00007FF701FD0000-0x00007FF702321000-memory.dmp

memory/3604-91-0x00007FF768480000-0x00007FF7687D1000-memory.dmp

memory/2424-88-0x00007FF639490000-0x00007FF6397E1000-memory.dmp

memory/3044-85-0x00007FF772DB0000-0x00007FF773101000-memory.dmp

C:\Windows\System\bwPEBkt.exe

MD5 16bac7458cb47f0d346ed4fed1ca19e0
SHA1 ca790b200827b10cf3ef8a5a177e7f2cf3f4208e
SHA256 2428f1275f9c6a38d849cf27ee2cf8ad47e68b12c880596229928d8eb70e8fdb
SHA512 f697734e4758e57b580f636c2cd791b1a6063468d64816df21bc3364cb916ac3924475b4a41e46ca4faeff26d99fadc7b1d7458cd92454218708dfdbad043e0e

C:\Windows\System\xOUcTWM.exe

MD5 8b5c1817b61496be90263f45e67aef4b
SHA1 3b4946a2dfe8a189415cab596bcf1e4423175d59
SHA256 60c68c112f740d0a0331ac8fdcc01ca79ece72cccaeb8b6e28531c8296da9a82
SHA512 982bf1879dfc63a3058e39364ac9a897693ae266a63c323f784651466d83b62892d2535bb6cb306240ca4a6ef1a7e5a4d9c86f28a6d39dd7e2a341fc0f2913f5

memory/3124-72-0x00007FF6DC880000-0x00007FF6DCBD1000-memory.dmp

memory/4736-71-0x00007FF7A6EF0000-0x00007FF7A7241000-memory.dmp

memory/1380-67-0x00007FF682690000-0x00007FF6829E1000-memory.dmp

memory/4340-64-0x00007FF7EDF00000-0x00007FF7EE251000-memory.dmp

memory/736-138-0x00007FF69A420000-0x00007FF69A771000-memory.dmp

memory/3604-153-0x00007FF768480000-0x00007FF7687D1000-memory.dmp

memory/3304-154-0x00007FF7754F0000-0x00007FF775841000-memory.dmp

memory/3124-160-0x00007FF6DC880000-0x00007FF6DCBD1000-memory.dmp

memory/4656-158-0x00007FF683DC0000-0x00007FF684111000-memory.dmp

memory/1100-152-0x00007FF6DD0B0000-0x00007FF6DD401000-memory.dmp

memory/3316-159-0x00007FF799DC0000-0x00007FF79A111000-memory.dmp

memory/1560-156-0x00007FF6BB460000-0x00007FF6BB7B1000-memory.dmp

memory/3044-149-0x00007FF772DB0000-0x00007FF773101000-memory.dmp

memory/736-161-0x00007FF69A420000-0x00007FF69A771000-memory.dmp

memory/4968-210-0x00007FF776F40000-0x00007FF777291000-memory.dmp

memory/4340-212-0x00007FF7EDF00000-0x00007FF7EE251000-memory.dmp

memory/4736-220-0x00007FF7A6EF0000-0x00007FF7A7241000-memory.dmp

memory/3492-222-0x00007FF701FD0000-0x00007FF702321000-memory.dmp

memory/1036-224-0x00007FF758170000-0x00007FF7584C1000-memory.dmp

memory/4884-226-0x00007FF71C9B0000-0x00007FF71CD01000-memory.dmp

memory/4248-228-0x00007FF65BEC0000-0x00007FF65C211000-memory.dmp

memory/2996-232-0x00007FF629550000-0x00007FF6298A1000-memory.dmp

memory/4360-231-0x00007FF7AC720000-0x00007FF7ACA71000-memory.dmp

memory/1380-242-0x00007FF682690000-0x00007FF6829E1000-memory.dmp

memory/3124-245-0x00007FF6DC880000-0x00007FF6DCBD1000-memory.dmp

memory/2424-246-0x00007FF639490000-0x00007FF6397E1000-memory.dmp

memory/3604-252-0x00007FF768480000-0x00007FF7687D1000-memory.dmp

memory/4556-254-0x00007FF7E4C90000-0x00007FF7E4FE1000-memory.dmp

memory/4244-257-0x00007FF61B580000-0x00007FF61B8D1000-memory.dmp

memory/3304-264-0x00007FF7754F0000-0x00007FF775841000-memory.dmp

memory/3044-263-0x00007FF772DB0000-0x00007FF773101000-memory.dmp

memory/1100-261-0x00007FF6DD0B0000-0x00007FF6DD401000-memory.dmp

memory/1560-259-0x00007FF6BB460000-0x00007FF6BB7B1000-memory.dmp

memory/4656-266-0x00007FF683DC0000-0x00007FF684111000-memory.dmp

memory/3316-268-0x00007FF799DC0000-0x00007FF79A111000-memory.dmp