Malware Analysis Report

2025-08-11 08:13

Sample ID 241025-nxeeeayenb
Target 2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat
SHA256 135b5adf75a2385b655369f95dfbc995ef9afe247cc4dbd888580e2316c33be7
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

135b5adf75a2385b655369f95dfbc995ef9afe247cc4dbd888580e2316c33be7

Threat Level: Known bad

The file 2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobalt Strike reflective loader

Cobaltstrike

Cobaltstrike family

Xmrig family

XMRig Miner payload

xmrig

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-10-25 11:46

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 11:46

Reported

2024-10-25 11:48

Platform

win7-20240903-en

Max time kernel

141s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

The sandbox reports the same event 21 times; one row is shown.

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\QIxSCzc.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lPiJhfb.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ctpHZxL.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sQHMBya.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LZtmuod.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ADnjmkX.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ycCoRbI.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\semRLeX.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iFVgjGS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AKeLOff.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hzutVqL.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sLAMOpg.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CfnIxGa.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rAfaCEq.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QDZKkql.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TSZsKQA.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\elWNuBD.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OpesDuH.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pgSvtGz.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PZDhaty.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tOzTglr.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Each write below is reported three times by the sandbox; one row per target process is shown.

Description Indicator Process Target
PID 1868 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tOzTglr.exe
PID 1868 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ycCoRbI.exe
PID 1868 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QDZKkql.exe
PID 1868 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TSZsKQA.exe
PID 1868 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QIxSCzc.exe
PID 1868 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\elWNuBD.exe
PID 1868 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lPiJhfb.exe
PID 1868 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hzutVqL.exe
PID 1868 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ctpHZxL.exe
PID 1868 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OpesDuH.exe
PID 1868 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sLAMOpg.exe
PID 1868 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sQHMBya.exe
PID 1868 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pgSvtGz.exe
PID 1868 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CfnIxGa.exe
PID 1868 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rAfaCEq.exe
PID 1868 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AKeLOff.exe
PID 1868 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\semRLeX.exe
PID 1868 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LZtmuod.exe
PID 1868 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PZDhaty.exe
PID 1868 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iFVgjGS.exe
PID 1868 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ADnjmkX.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\tOzTglr.exe

C:\Windows\System\tOzTglr.exe

C:\Windows\System\ycCoRbI.exe

C:\Windows\System\ycCoRbI.exe

C:\Windows\System\QDZKkql.exe

C:\Windows\System\QDZKkql.exe

C:\Windows\System\TSZsKQA.exe

C:\Windows\System\TSZsKQA.exe

C:\Windows\System\QIxSCzc.exe

C:\Windows\System\QIxSCzc.exe

C:\Windows\System\elWNuBD.exe

C:\Windows\System\elWNuBD.exe

C:\Windows\System\lPiJhfb.exe

C:\Windows\System\lPiJhfb.exe

C:\Windows\System\hzutVqL.exe

C:\Windows\System\hzutVqL.exe

C:\Windows\System\ctpHZxL.exe

C:\Windows\System\ctpHZxL.exe

C:\Windows\System\OpesDuH.exe

C:\Windows\System\OpesDuH.exe

C:\Windows\System\sLAMOpg.exe

C:\Windows\System\sLAMOpg.exe

C:\Windows\System\sQHMBya.exe

C:\Windows\System\sQHMBya.exe

C:\Windows\System\pgSvtGz.exe

C:\Windows\System\pgSvtGz.exe

C:\Windows\System\CfnIxGa.exe

C:\Windows\System\CfnIxGa.exe

C:\Windows\System\rAfaCEq.exe

C:\Windows\System\rAfaCEq.exe

C:\Windows\System\AKeLOff.exe

C:\Windows\System\AKeLOff.exe

C:\Windows\System\semRLeX.exe

C:\Windows\System\semRLeX.exe

C:\Windows\System\LZtmuod.exe

C:\Windows\System\LZtmuod.exe

C:\Windows\System\PZDhaty.exe

C:\Windows\System\PZDhaty.exe

C:\Windows\System\iFVgjGS.exe

C:\Windows\System\iFVgjGS.exe

C:\Windows\System\ADnjmkX.exe

C:\Windows\System\ADnjmkX.exe

Network

The same connection is reported six times by the sandbox; one row is shown.

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/1868-0-0x000000013FD90000-0x00000001400E1000-memory.dmp

memory/1868-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\tOzTglr.exe

MD5 e531c914053f64aa4a33ce996f5cd762
SHA1 c5c01f66eea88db3bd1e52f41c1d53d6e2847575
SHA256 58a06146ae33041c177c8cb373872f2f09b6d168d6dd50a9f545f967b59b4f72
SHA512 22d2a5470cf32d76232179099be7ac825e74333b1a5353c38a83035c55b079261bb631a05e8b47f2f1be193be41bee4a5286058c072d8b3e5f729c6e7e853a72

C:\Windows\system\ycCoRbI.exe

MD5 111f4ab6f9e707109c2f0ce1101d34fa
SHA1 724347f553e6ab4cdaa3a777ca91ce83e8ea9dd8
SHA256 71f39e052410906a5aa626f20d851c4439f84744ff9633f8a17f760b667ba997
SHA512 eab6471ea153accb69e0e2342553afa885ea78d3636b60d781dfcf33db60838c0193cc7c59b4c826fd29115ac27a6bdeba02e7c389709b7aed2ed3dba50e4a0c

memory/1868-15-0x0000000002240000-0x0000000002591000-memory.dmp

memory/2216-14-0x000000013FF80000-0x00000001402D1000-memory.dmp

memory/1868-6-0x0000000002240000-0x0000000002591000-memory.dmp

C:\Windows\system\QDZKkql.exe

MD5 cd4faeba48db1387b3d824e8026545e7
SHA1 2ced960985dac5dd191c720ecd2158a16fb7f361
SHA256 70771adb36dddae91e34292817cdb9491dae02d5ccb804f3d2b579965606bd8b
SHA512 153eaae7a7161a57d79f51a9ebba8d22a97bb740adb51873a14cbbc2be718d8f728753745b6cb1356657ee651c879c8322985710e3755364820b0c7cabc14fe1

\Windows\system\QIxSCzc.exe

MD5 a20cb17982e51a4bbf35e59540b32ca9
SHA1 e71289aaa21130db2b22010ba1650475b48f72eb
SHA256 76fd8821bf1b772c67b405ecb4b38f5399305af40b765ccd9fab5ed9026a1931
SHA512 a3f27ae89b0270039544bb6bd282cd4bdf674b29b108bfd1a220c6579dddcb381e8e80a3bde47676c6a949d00153ce90b76c6d95d2a7accb6cce52ede040d8a3

\Windows\system\TSZsKQA.exe

MD5 f0e13f056b68a3f7f1ca3ce5eecd8277
SHA1 dc6cb4aa2e74b9f2827d04104772e3aa31a3a311
SHA256 74b029d2419df53939fd338dacc17ad8087c91bfe96f0b7a1c0adbf5bd901f14
SHA512 72239fb36ac081d548423a64a47d189aa978301c02c664dc59a1507c1790e5d8f834a2ee66773fd4b2bdf1c86216bc668d84312eb585163bff955c77dc6bda0d

C:\Windows\system\CfnIxGa.exe

MD5 29aafe434109ae374ffe92888d0dd610
SHA1 8c31e5d3298065ca25d72369275409c75b724f90
SHA256 32e50780e5d9da8ae058cedffa88f48690a9a291b4079719c59d80f62574f48d
SHA512 e3c336628a1b8dad2ebde9d9e07e8e871165abd5b6531a9db157aa9b62c3ace40b22b16c2fe9fec617c70e48a5a52f390e41e7fde05736614ecf89c23b698482

memory/2756-85-0x000000013F090000-0x000000013F3E1000-memory.dmp

memory/2244-88-0x000000013FB50000-0x000000013FEA1000-memory.dmp

memory/2572-91-0x000000013FD80000-0x00000001400D1000-memory.dmp

memory/2776-93-0x000000013F980000-0x000000013FCD1000-memory.dmp

C:\Windows\system\lPiJhfb.exe

MD5 6047c1da5c9e818399a1baac814012a8
SHA1 ee229501579a4e3195ca70c607318d1746a87358
SHA256 2761912ed5ad9a3264033274ad68f4a341357aa778a305c84014d3cc3ef79604
SHA512 c841cd6f124de003e405bc2c94037d6a7ab81b328fc51dbd6e4b482ee116bad642e94fe6d3accb58ed444eedfe083d6bf2f2b1957130c6dc217a2a8f12073155

memory/2720-101-0x000000013F480000-0x000000013F7D1000-memory.dmp

C:\Windows\system\ADnjmkX.exe

MD5 fb65b4e5de88b6a0b864e0d0b8b3973a
SHA1 8912c8e69e146e6183002c76243e2cfa68670fa6
SHA256 6e228deb06d71fdb34b291fb473faaf5bd482ca24ba4354fd743fd914347861e
SHA512 aa7538e384916d8d6d59e29b265ab222980eee38632ad98f456050c476c5bf0519c7e0ea1273a2d108d4cc1aca15b8e2e82daa3e8cd5ecac4c02a26e714367fb

C:\Windows\system\iFVgjGS.exe

MD5 6fbb3ed4e7eb82204ec74fc066ea6639
SHA1 e7d4f2e588d98ee60f3d68d6722ce06a7ffc1d1e
SHA256 dc88b937c08d90ae6b74de0dd0a5037439329396fa72bb2e7977ae238af6f5f4
SHA512 c4a54a152a06994c51a19e1ca418d4b7cc5ef5bff9c0d23f7a77c77511ec1520472a8ce2cfd67d9ad5ebebb292a8f4b239f8bf58bcf7ddf0859bf84f3a2e529a

C:\Windows\system\PZDhaty.exe

MD5 17a79e6abf93fecaccd9eb8268fb3a01
SHA1 4619d4fbe3180ac335341402fcafbf93e466e01b
SHA256 790ed8a9468c41ff1344f9110ed5d6ee2ee9dbe3e7feaab259ad98faf7dd1255
SHA512 34e7d7c0c810ba913fe16b5ee389bd8442a858d1e8fe395b5d8674ad5827159b93ad303d982479b3385d24376637b1828c4a32f9f5c671b017f9e536eb6d6fa1

C:\Windows\system\LZtmuod.exe

MD5 31ed77359378d33115ecbd6f88313cca
SHA1 321950704e6677b10cc5ed3f2a8dbd3c15c27878
SHA256 bcb341c038a260723b11a2bb077b006a4f07b2bcb77f8592f2693d23a061d42e
SHA512 d4b85b809830bc708318b6fbd5ff20ee78a66fe034557014bd1dfbd9706993504c11308e24818d3c8e802e945ddb2a94ce89530215fc677615b8f2896fccd310

C:\Windows\system\semRLeX.exe

MD5 8f08b0537e14557a73a322b6476246d9
SHA1 7db3397375502100fb5a933fc3d156e561b067ea
SHA256 a4ce68bdb051f4e6b3a28c6cdbae497f886bb5c3d03504df7cab61491d1b4502
SHA512 6a8cc9cba59cb5e67ce74259f3b767b02b37714c6879a73121f463daea191602894e738dca5a060c85200065bb050488616b698a32e1168eb976ccdfba83ef9f

C:\Windows\system\rAfaCEq.exe

MD5 a82c9b5b27d19046ee069acab7e8e111
SHA1 6ca71219a3da97a9ae0c7c0056c573e83469e469
SHA256 0b5ced242173d4145f5084b118e8178b58ecd9a4862b8d1c20686dabc7164053
SHA512 149d0539e9232ae896eecdcea159e7f7a6c3cae79f633e97ab2d6ff8f657adf602e90e292d58c43f9772b73c5706a013d9279cf5804a7e41ecae4b614270df5a

memory/1868-102-0x000000013F3F0000-0x000000013F741000-memory.dmp

C:\Windows\system\AKeLOff.exe

MD5 e7cae8da166f910000ebc8e94eb21b8b
SHA1 e90dd16d57e6ad9cf6060ba53dcb68349f7dde75
SHA256 25ed4536f2d1af6fac6ddecc4c7884533468fc178a7f91f4730696e3706e4c81
SHA512 b92e99f44c71caae6bb1fbd87f61f8405deb794c89d124f8ed88c822f2f5f4e7006f626d47a4fe7ce5c770bd0ea5d1b5bfa6fc5ac21512f88600f45870d29b43

memory/1868-100-0x000000013F480000-0x000000013F7D1000-memory.dmp

memory/1868-68-0x000000013FD90000-0x00000001400E1000-memory.dmp

C:\Windows\system\sQHMBya.exe

MD5 46afdf19369fb9945efb88b75a9fbc24
SHA1 11034b5da14b617f856b8412c916074154731db2
SHA256 262adce2acae2caa379e71df50f14af961cb27209b7987b2b7d26baa4f3fed8e
SHA512 77653341bfa62a5236ac69714679ce46b8464ba34d28e80f20a2c4ff7e5082af66d931f73289ac125db438b074997c0eebedd55db87156e1e1e5f9eb601ac6a8

C:\Windows\system\OpesDuH.exe

MD5 cd928bb41133664d21c5e834ffff4043
SHA1 d67bdacb77ad3093183eafd394e5742c519a599c
SHA256 eed9e9dd6fbb453dbb7388650b1b7a5292adea80b487b4f47727f92db4a2dbaa
SHA512 bd61f986dc917fdd0f39d96183ef9187248873ec6bf58b1648b289c0629b50ac43c61fa4dd058b211844b036663472a9436631ce1c92ad8e1bc7a11a6830840b

\Windows\system\pgSvtGz.exe

MD5 4bb2d0e3dbe0a311ea8a860922703f0a
SHA1 702b97478ff1e4c83cc4ec432f9ca51f0e0aece7
SHA256 1dbafba11e0baa6235af8f87f3a8328ece43659288c19386f3e88e39a93776f8
SHA512 be11bead6748be1a8d727115e05d02c6c6ce66ac4af57a0c362c362d8bb7361a3cfe60f24bff40d5f9f708a4d20ded9b469acaf4b4fd7a0f11abff949d0b630c

memory/2612-95-0x000000013F920000-0x000000013FC71000-memory.dmp

memory/1868-51-0x000000013F870000-0x000000013FBC1000-memory.dmp

\Windows\system\sLAMOpg.exe

MD5 aa43aacce55a02fe0a1cedb19412bad8
SHA1 8b31b9333f7ee028cfd8760af07940579bbdf6f1
SHA256 8e4544837ef67e86e2aa9cd8fa53e633fc5365fc462fedfc9eb21911714696c9
SHA512 6827d19b086d483d13dc61466f97f645d83867c468cd8e17522475dfee5c523ef08e5c726fef09606b93d371bd46d0e3c38376cc25dd51c3d9a1db19ffec9428

memory/1868-136-0x0000000002240000-0x0000000002591000-memory.dmp

memory/2204-90-0x000000013F9C0000-0x000000013FD11000-memory.dmp

memory/2680-89-0x000000013FC20000-0x000000013FF71000-memory.dmp

memory/1868-87-0x000000013F090000-0x000000013F3E1000-memory.dmp

memory/2764-86-0x000000013F140000-0x000000013F491000-memory.dmp

memory/2560-84-0x000000013F870000-0x000000013FBC1000-memory.dmp

C:\Windows\system\ctpHZxL.exe

MD5 3d4a989ae72b37062799a4201c434c47
SHA1 8835dfb94be51fef63100274c9fb04ef7a16ff87
SHA256 84769a269b6e29f9f31d64f1865ab5ba899429aa819648b33dbabe12e7b2fd3d
SHA512 b275d9d32b1c3aa399a46ed5ef80affc7a0f8c0a74f6f822211f963734181be681b447f61e2fa5196f9d51f5840667a8cc78e14fd0c619fd490eb8b44e791baa

memory/1868-80-0x000000013F920000-0x000000013FC71000-memory.dmp

memory/1868-43-0x0000000002240000-0x0000000002591000-memory.dmp

memory/2912-78-0x000000013FE90000-0x00000001401E1000-memory.dmp

memory/2816-77-0x000000013F8D0000-0x000000013FC21000-memory.dmp

memory/2660-76-0x000000013F110000-0x000000013F461000-memory.dmp

C:\Windows\system\hzutVqL.exe

MD5 e5ffcd1a7afc0c62c9ee132fd74e9ce2
SHA1 0bf0522fb0a1b57d98148a6a79eb1ab913c779cc
SHA256 95e950d077fc6dc41cffb776096a71155ab451efe9d628ba82d51297eabb059b
SHA512 728abaf09fd6f33453eb99729fbf51af4795ba264013a9c8db00c380411ab0d11705defd34b056abf385d5f783b738c29051b8b9c5063ecb8882f15f1403a93b

C:\Windows\system\elWNuBD.exe

MD5 187e559809525051c68a959905846632
SHA1 d238f3d9a1f5c5cc4e1178ef48e0ed75d0e97c19
SHA256 e98e60f20c5a73c1fa5809b1d89326d80f1038db10caefe8ed2ac9cea7dfa832
SHA512 b32f15b19838bdacdd039291671867d1c0e3afd4648ab05caff63b5d21205c7ad1ca6735b937ad8b51e3ce04271549784071eb7444ae2a2697831e34509eec97

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 11:46

Reported

2024-10-25 11:48

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\OpesDuH.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sLAMOpg.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sQHMBya.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pgSvtGz.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ycCoRbI.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QDZKkql.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QIxSCzc.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rAfaCEq.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AKeLOff.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\semRLeX.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tOzTglr.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\elWNuBD.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lPiJhfb.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iFVgjGS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ADnjmkX.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TSZsKQA.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ctpHZxL.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LZtmuod.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hzutVqL.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CfnIxGa.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PZDhaty.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3968 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tOzTglr.exe
PID 3968 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tOzTglr.exe
PID 3968 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ycCoRbI.exe
PID 3968 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ycCoRbI.exe
PID 3968 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QDZKkql.exe
PID 3968 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QDZKkql.exe
PID 3968 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TSZsKQA.exe
PID 3968 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TSZsKQA.exe
PID 3968 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QIxSCzc.exe
PID 3968 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QIxSCzc.exe
PID 3968 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\elWNuBD.exe
PID 3968 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\elWNuBD.exe
PID 3968 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lPiJhfb.exe
PID 3968 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lPiJhfb.exe
PID 3968 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hzutVqL.exe
PID 3968 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hzutVqL.exe
PID 3968 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ctpHZxL.exe
PID 3968 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ctpHZxL.exe
PID 3968 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OpesDuH.exe
PID 3968 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OpesDuH.exe
PID 3968 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sLAMOpg.exe
PID 3968 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sLAMOpg.exe
PID 3968 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sQHMBya.exe
PID 3968 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sQHMBya.exe
PID 3968 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pgSvtGz.exe
PID 3968 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pgSvtGz.exe
PID 3968 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CfnIxGa.exe
PID 3968 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CfnIxGa.exe
PID 3968 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rAfaCEq.exe
PID 3968 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rAfaCEq.exe
PID 3968 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AKeLOff.exe
PID 3968 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AKeLOff.exe
PID 3968 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\semRLeX.exe
PID 3968 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\semRLeX.exe
PID 3968 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LZtmuod.exe
PID 3968 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LZtmuod.exe
PID 3968 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PZDhaty.exe
PID 3968 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PZDhaty.exe
PID 3968 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iFVgjGS.exe
PID 3968 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iFVgjGS.exe
PID 3968 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ADnjmkX.exe
PID 3968 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ADnjmkX.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\tOzTglr.exe

C:\Windows\System\tOzTglr.exe

C:\Windows\System\ycCoRbI.exe

C:\Windows\System\ycCoRbI.exe

C:\Windows\System\QDZKkql.exe

C:\Windows\System\QDZKkql.exe

C:\Windows\System\TSZsKQA.exe

C:\Windows\System\TSZsKQA.exe

C:\Windows\System\QIxSCzc.exe

C:\Windows\System\QIxSCzc.exe

C:\Windows\System\elWNuBD.exe

C:\Windows\System\elWNuBD.exe

C:\Windows\System\lPiJhfb.exe

C:\Windows\System\lPiJhfb.exe

C:\Windows\System\hzutVqL.exe

C:\Windows\System\hzutVqL.exe

C:\Windows\System\ctpHZxL.exe

C:\Windows\System\ctpHZxL.exe

C:\Windows\System\OpesDuH.exe

C:\Windows\System\OpesDuH.exe

C:\Windows\System\sLAMOpg.exe

C:\Windows\System\sLAMOpg.exe

C:\Windows\System\sQHMBya.exe

C:\Windows\System\sQHMBya.exe

C:\Windows\System\pgSvtGz.exe

C:\Windows\System\pgSvtGz.exe

C:\Windows\System\CfnIxGa.exe

C:\Windows\System\CfnIxGa.exe

C:\Windows\System\rAfaCEq.exe

C:\Windows\System\rAfaCEq.exe

C:\Windows\System\AKeLOff.exe

C:\Windows\System\AKeLOff.exe

C:\Windows\System\semRLeX.exe

C:\Windows\System\semRLeX.exe

C:\Windows\System\LZtmuod.exe

C:\Windows\System\LZtmuod.exe

C:\Windows\System\PZDhaty.exe

C:\Windows\System\PZDhaty.exe

C:\Windows\System\iFVgjGS.exe

C:\Windows\System\iFVgjGS.exe

C:\Windows\System\ADnjmkX.exe

C:\Windows\System\ADnjmkX.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\tOzTglr.exe

MD5 e531c914053f64aa4a33ce996f5cd762
SHA1 c5c01f66eea88db3bd1e52f41c1d53d6e2847575
SHA256 58a06146ae33041c177c8cb373872f2f09b6d168d6dd50a9f545f967b59b4f72
SHA512 22d2a5470cf32d76232179099be7ac825e74333b1a5353c38a83035c55b079261bb631a05e8b47f2f1be193be41bee4a5286058c072d8b3e5f729c6e7e853a72

C:\Windows\System\QDZKkql.exe

MD5 cd4faeba48db1387b3d824e8026545e7
SHA1 2ced960985dac5dd191c720ecd2158a16fb7f361
SHA256 70771adb36dddae91e34292817cdb9491dae02d5ccb804f3d2b579965606bd8b
SHA512 153eaae7a7161a57d79f51a9ebba8d22a97bb740adb51873a14cbbc2be718d8f728753745b6cb1356657ee651c879c8322985710e3755364820b0c7cabc14fe1

C:\Windows\System\ycCoRbI.exe

MD5 111f4ab6f9e707109c2f0ce1101d34fa
SHA1 724347f553e6ab4cdaa3a777ca91ce83e8ea9dd8
SHA256 71f39e052410906a5aa626f20d851c4439f84744ff9633f8a17f760b667ba997
SHA512 eab6471ea153accb69e0e2342553afa885ea78d3636b60d781dfcf33db60838c0193cc7c59b4c826fd29115ac27a6bdeba02e7c389709b7aed2ed3dba50e4a0c

C:\Windows\System\QIxSCzc.exe

MD5 a20cb17982e51a4bbf35e59540b32ca9
SHA1 e71289aaa21130db2b22010ba1650475b48f72eb
SHA256 76fd8821bf1b772c67b405ecb4b38f5399305af40b765ccd9fab5ed9026a1931
SHA512 a3f27ae89b0270039544bb6bd282cd4bdf674b29b108bfd1a220c6579dddcb381e8e80a3bde47676c6a949d00153ce90b76c6d95d2a7accb6cce52ede040d8a3

C:\Windows\System\hzutVqL.exe

MD5 e5ffcd1a7afc0c62c9ee132fd74e9ce2
SHA1 0bf0522fb0a1b57d98148a6a79eb1ab913c779cc
SHA256 95e950d077fc6dc41cffb776096a71155ab451efe9d628ba82d51297eabb059b
SHA512 728abaf09fd6f33453eb99729fbf51af4795ba264013a9c8db00c380411ab0d11705defd34b056abf385d5f783b738c29051b8b9c5063ecb8882f15f1403a93b

C:\Windows\System\lPiJhfb.exe

MD5 6047c1da5c9e818399a1baac814012a8
SHA1 ee229501579a4e3195ca70c607318d1746a87358
SHA256 2761912ed5ad9a3264033274ad68f4a341357aa778a305c84014d3cc3ef79604
SHA512 c841cd6f124de003e405bc2c94037d6a7ab81b328fc51dbd6e4b482ee116bad642e94fe6d3accb58ed444eedfe083d6bf2f2b1957130c6dc217a2a8f12073155

C:\Windows\System\OpesDuH.exe

MD5 cd928bb41133664d21c5e834ffff4043
SHA1 d67bdacb77ad3093183eafd394e5742c519a599c
SHA256 eed9e9dd6fbb453dbb7388650b1b7a5292adea80b487b4f47727f92db4a2dbaa
SHA512 bd61f986dc917fdd0f39d96183ef9187248873ec6bf58b1648b289c0629b50ac43c61fa4dd058b211844b036663472a9436631ce1c92ad8e1bc7a11a6830840b

C:\Windows\System\sLAMOpg.exe

MD5 aa43aacce55a02fe0a1cedb19412bad8
SHA1 8b31b9333f7ee028cfd8760af07940579bbdf6f1
SHA256 8e4544837ef67e86e2aa9cd8fa53e633fc5365fc462fedfc9eb21911714696c9
SHA512 6827d19b086d483d13dc61466f97f645d83867c468cd8e17522475dfee5c523ef08e5c726fef09606b93d371bd46d0e3c38376cc25dd51c3d9a1db19ffec9428

C:\Windows\System\elWNuBD.exe

MD5 187e559809525051c68a959905846632
SHA1 d238f3d9a1f5c5cc4e1178ef48e0ed75d0e97c19
SHA256 e98e60f20c5a73c1fa5809b1d89326d80f1038db10caefe8ed2ac9cea7dfa832
SHA512 b32f15b19838bdacdd039291671867d1c0e3afd4648ab05caff63b5d21205c7ad1ca6735b937ad8b51e3ce04271549784071eb7444ae2a2697831e34509eec97

C:\Windows\System\ctpHZxL.exe

MD5 3d4a989ae72b37062799a4201c434c47
SHA1 8835dfb94be51fef63100274c9fb04ef7a16ff87
SHA256 84769a269b6e29f9f31d64f1865ab5ba899429aa819648b33dbabe12e7b2fd3d
SHA512 b275d9d32b1c3aa399a46ed5ef80affc7a0f8c0a74f6f822211f963734181be681b447f61e2fa5196f9d51f5840667a8cc78e14fd0c619fd490eb8b44e791baa

C:\Windows\System\TSZsKQA.exe

MD5 f0e13f056b68a3f7f1ca3ce5eecd8277
SHA1 dc6cb4aa2e74b9f2827d04104772e3aa31a3a311
SHA256 74b029d2419df53939fd338dacc17ad8087c91bfe96f0b7a1c0adbf5bd901f14
SHA512 72239fb36ac081d548423a64a47d189aa978301c02c664dc59a1507c1790e5d8f834a2ee66773fd4b2bdf1c86216bc668d84312eb585163bff955c77dc6bda0d

C:\Windows\System\sQHMBya.exe

MD5 46afdf19369fb9945efb88b75a9fbc24
SHA1 11034b5da14b617f856b8412c916074154731db2
SHA256 262adce2acae2caa379e71df50f14af961cb27209b7987b2b7d26baa4f3fed8e
SHA512 77653341bfa62a5236ac69714679ce46b8464ba34d28e80f20a2c4ff7e5082af66d931f73289ac125db438b074997c0eebedd55db87156e1e1e5f9eb601ac6a8

C:\Windows\System\CfnIxGa.exe

MD5 29aafe434109ae374ffe92888d0dd610
SHA1 8c31e5d3298065ca25d72369275409c75b724f90
SHA256 32e50780e5d9da8ae058cedffa88f48690a9a291b4079719c59d80f62574f48d
SHA512 e3c336628a1b8dad2ebde9d9e07e8e871165abd5b6531a9db157aa9b62c3ace40b22b16c2fe9fec617c70e48a5a52f390e41e7fde05736614ecf89c23b698482

C:\Windows\System\pgSvtGz.exe

MD5 4bb2d0e3dbe0a311ea8a860922703f0a
SHA1 702b97478ff1e4c83cc4ec432f9ca51f0e0aece7
SHA256 1dbafba11e0baa6235af8f87f3a8328ece43659288c19386f3e88e39a93776f8
SHA512 be11bead6748be1a8d727115e05d02c6c6ce66ac4af57a0c362c362d8bb7361a3cfe60f24bff40d5f9f708a4d20ded9b469acaf4b4fd7a0f11abff949d0b630c

C:\Windows\System\AKeLOff.exe

MD5 e7cae8da166f910000ebc8e94eb21b8b
SHA1 e90dd16d57e6ad9cf6060ba53dcb68349f7dde75
SHA256 25ed4536f2d1af6fac6ddecc4c7884533468fc178a7f91f4730696e3706e4c81
SHA512 b92e99f44c71caae6bb1fbd87f61f8405deb794c89d124f8ed88c822f2f5f4e7006f626d47a4fe7ce5c770bd0ea5d1b5bfa6fc5ac21512f88600f45870d29b43

C:\Windows\System\rAfaCEq.exe

MD5 a82c9b5b27d19046ee069acab7e8e111
SHA1 6ca71219a3da97a9ae0c7c0056c573e83469e469
SHA256 0b5ced242173d4145f5084b118e8178b58ecd9a4862b8d1c20686dabc7164053
SHA512 149d0539e9232ae896eecdcea159e7f7a6c3cae79f633e97ab2d6ff8f657adf602e90e292d58c43f9772b73c5706a013d9279cf5804a7e41ecae4b614270df5a

C:\Windows\System\semRLeX.exe

MD5 8f08b0537e14557a73a322b6476246d9
SHA1 7db3397375502100fb5a933fc3d156e561b067ea
SHA256 a4ce68bdb051f4e6b3a28c6cdbae497f886bb5c3d03504df7cab61491d1b4502
SHA512 6a8cc9cba59cb5e67ce74259f3b767b02b37714c6879a73121f463daea191602894e738dca5a060c85200065bb050488616b698a32e1168eb976ccdfba83ef9f

C:\Windows\System\ADnjmkX.exe

MD5 fb65b4e5de88b6a0b864e0d0b8b3973a
SHA1 8912c8e69e146e6183002c76243e2cfa68670fa6
SHA256 6e228deb06d71fdb34b291fb473faaf5bd482ca24ba4354fd743fd914347861e
SHA512 aa7538e384916d8d6d59e29b265ab222980eee38632ad98f456050c476c5bf0519c7e0ea1273a2d108d4cc1aca15b8e2e82daa3e8cd5ecac4c02a26e714367fb

C:\Windows\System\iFVgjGS.exe

MD5 6fbb3ed4e7eb82204ec74fc066ea6639
SHA1 e7d4f2e588d98ee60f3d68d6722ce06a7ffc1d1e
SHA256 dc88b937c08d90ae6b74de0dd0a5037439329396fa72bb2e7977ae238af6f5f4
SHA512 c4a54a152a06994c51a19e1ca418d4b7cc5ef5bff9c0d23f7a77c77511ec1520472a8ce2cfd67d9ad5ebebb292a8f4b239f8bf58bcf7ddf0859bf84f3a2e529a

C:\Windows\System\PZDhaty.exe

MD5 17a79e6abf93fecaccd9eb8268fb3a01
SHA1 4619d4fbe3180ac335341402fcafbf93e466e01b
SHA256 790ed8a9468c41ff1344f9110ed5d6ee2ee9dbe3e7feaab259ad98faf7dd1255
SHA512 34e7d7c0c810ba913fe16b5ee389bd8442a858d1e8fe395b5d8674ad5827159b93ad303d982479b3385d24376637b1828c4a32f9f5c671b017f9e536eb6d6fa1

C:\Windows\System\LZtmuod.exe

MD5 31ed77359378d33115ecbd6f88313cca
SHA1 321950704e6677b10cc5ed3f2a8dbd3c15c27878
SHA256 bcb341c038a260723b11a2bb077b006a4f07b2bcb77f8592f2693d23a061d42e
SHA512 d4b85b809830bc708318b6fbd5ff20ee78a66fe034557014bd1dfbd9706993504c11308e24818d3c8e802e945ddb2a94ce89530215fc677615b8f2896fccd310
