Malware Analysis Report

2025-08-11 08:12

Sample ID 241025-nyxblszdjj
Target 2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat
SHA256 ad054e33da8cc51d62113c63a681aebc22d9f6fb6bad7f5d3ba9e169ccb14547
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Threat Level: Known bad

The file 2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

xmrig
Cobaltstrike family
Xmrig family
Cobaltstrike
Cobalt Strike reflective loader
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-10-25 11:48

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 11:48

Reported

2024-10-25 11:51

Platform

win7-20240903-en

Max time kernel

140s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\LVHRhbf.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eHsWQCG.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MSPrUnY.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mDiCSAb.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eSUCTWn.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pdnhsvY.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jAKCSHX.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sMBdoIS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VovBvjq.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SsfrPvj.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lJqUJam.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XGfLbjT.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nkdUTMS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aYfaJbS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jjSTDYB.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fJAwrrg.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pQnbZXX.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TIVEZIg.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\geqRiEv.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YturTBA.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kKYxBfy.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2276 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lJqUJam.exe
PID 2276 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XGfLbjT.exe
PID 2276 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nkdUTMS.exe
PID 2276 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mDiCSAb.exe
PID 2276 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pQnbZXX.exe
PID 2276 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TIVEZIg.exe
PID 2276 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eSUCTWn.exe
PID 2276 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LVHRhbf.exe
PID 2276 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pdnhsvY.exe
PID 2276 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jAKCSHX.exe
PID 2276 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\geqRiEv.exe
PID 2276 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aYfaJbS.exe
PID 2276 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eHsWQCG.exe
PID 2276 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sMBdoIS.exe
PID 2276 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jjSTDYB.exe
PID 2276 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MSPrUnY.exe
PID 2276 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YturTBA.exe
PID 2276 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kKYxBfy.exe
PID 2276 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VovBvjq.exe
PID 2276 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fJAwrrg.exe
PID 2276 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SsfrPvj.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\lJqUJam.exe
C:\Windows\System\XGfLbjT.exe
C:\Windows\System\nkdUTMS.exe
C:\Windows\System\mDiCSAb.exe
C:\Windows\System\pQnbZXX.exe
C:\Windows\System\TIVEZIg.exe
C:\Windows\System\eSUCTWn.exe
C:\Windows\System\LVHRhbf.exe
C:\Windows\System\pdnhsvY.exe
C:\Windows\System\jAKCSHX.exe
C:\Windows\System\geqRiEv.exe
C:\Windows\System\aYfaJbS.exe
C:\Windows\System\eHsWQCG.exe
C:\Windows\System\sMBdoIS.exe
C:\Windows\System\jjSTDYB.exe
C:\Windows\System\MSPrUnY.exe
C:\Windows\System\YturTBA.exe
C:\Windows\System\kKYxBfy.exe
C:\Windows\System\VovBvjq.exe
C:\Windows\System\fJAwrrg.exe
C:\Windows\System\SsfrPvj.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2876-158-0x000000013F190000-0x000000013F4E1000-memory.dmp

memory/2276-166-0x000000013FE00000-0x0000000140151000-memory.dmp

memory/1896-220-0x000000013F480000-0x000000013F7D1000-memory.dmp

memory/1740-222-0x000000013F150000-0x000000013F4A1000-memory.dmp

memory/2684-224-0x000000013F030000-0x000000013F381000-memory.dmp

memory/2840-226-0x000000013FBF0000-0x000000013FF41000-memory.dmp

memory/2796-228-0x000000013F880000-0x000000013FBD1000-memory.dmp

memory/2672-230-0x000000013F650000-0x000000013F9A1000-memory.dmp

memory/2296-232-0x000000013F120000-0x000000013F471000-memory.dmp

memory/2732-234-0x000000013F5E0000-0x000000013F931000-memory.dmp

memory/2828-249-0x000000013FA00000-0x000000013FD51000-memory.dmp

memory/1440-252-0x000000013FD60000-0x00000001400B1000-memory.dmp

memory/2616-253-0x000000013F390000-0x000000013F6E1000-memory.dmp

memory/2280-255-0x000000013F2D0000-0x000000013F621000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 11:48

Reported

2024-10-25 11:51

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\VpEwjWa.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pHDwJwM.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HWnGlBP.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sxZTdKI.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vbbLbLA.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iPDRyml.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uBiaool.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VmnOXyI.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WbEzkXV.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FrkWvFa.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ecsVelB.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\puIipWn.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NCUUncM.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rOfEgVS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CqWqVrq.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ayaQpCA.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lPJikHz.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UZHIung.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\puSzbBf.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VZAsvpt.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oDRnLEx.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 668 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\puSzbBf.exe
PID 668 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\puSzbBf.exe
PID 668 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sxZTdKI.exe
PID 668 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sxZTdKI.exe
PID 668 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WbEzkXV.exe
PID 668 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WbEzkXV.exe
PID 668 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NCUUncM.exe
PID 668 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NCUUncM.exe
PID 668 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FrkWvFa.exe
PID 668 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FrkWvFa.exe
PID 668 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VZAsvpt.exe
PID 668 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VZAsvpt.exe
PID 668 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oDRnLEx.exe
PID 668 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oDRnLEx.exe
PID 668 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ecsVelB.exe
PID 668 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ecsVelB.exe
PID 668 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rOfEgVS.exe
PID 668 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rOfEgVS.exe
PID 668 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vbbLbLA.exe
PID 668 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vbbLbLA.exe
PID 668 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CqWqVrq.exe
PID 668 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CqWqVrq.exe
PID 668 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ayaQpCA.exe
PID 668 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ayaQpCA.exe
PID 668 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lPJikHz.exe
PID 668 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lPJikHz.exe
PID 668 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UZHIung.exe
PID 668 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UZHIung.exe
PID 668 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iPDRyml.exe
PID 668 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iPDRyml.exe
PID 668 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VpEwjWa.exe
PID 668 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VpEwjWa.exe
PID 668 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\puIipWn.exe
PID 668 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\puIipWn.exe
PID 668 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pHDwJwM.exe
PID 668 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pHDwJwM.exe
PID 668 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HWnGlBP.exe
PID 668 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HWnGlBP.exe
PID 668 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uBiaool.exe
PID 668 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uBiaool.exe
PID 668 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VmnOXyI.exe
PID 668 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VmnOXyI.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\puSzbBf.exe

C:\Windows\System\puSzbBf.exe

C:\Windows\System\sxZTdKI.exe

C:\Windows\System\sxZTdKI.exe

C:\Windows\System\WbEzkXV.exe

C:\Windows\System\WbEzkXV.exe

C:\Windows\System\NCUUncM.exe

C:\Windows\System\NCUUncM.exe

C:\Windows\System\FrkWvFa.exe

C:\Windows\System\FrkWvFa.exe

C:\Windows\System\VZAsvpt.exe

C:\Windows\System\VZAsvpt.exe

C:\Windows\System\oDRnLEx.exe

C:\Windows\System\oDRnLEx.exe

C:\Windows\System\ecsVelB.exe

C:\Windows\System\ecsVelB.exe

C:\Windows\System\rOfEgVS.exe

C:\Windows\System\rOfEgVS.exe

C:\Windows\System\vbbLbLA.exe

C:\Windows\System\vbbLbLA.exe

C:\Windows\System\CqWqVrq.exe

C:\Windows\System\CqWqVrq.exe

C:\Windows\System\ayaQpCA.exe

C:\Windows\System\ayaQpCA.exe

C:\Windows\System\lPJikHz.exe

C:\Windows\System\lPJikHz.exe

C:\Windows\System\UZHIung.exe

C:\Windows\System\UZHIung.exe

C:\Windows\System\iPDRyml.exe

C:\Windows\System\iPDRyml.exe

C:\Windows\System\VpEwjWa.exe

C:\Windows\System\VpEwjWa.exe

C:\Windows\System\puIipWn.exe

C:\Windows\System\puIipWn.exe

C:\Windows\System\pHDwJwM.exe

C:\Windows\System\pHDwJwM.exe

C:\Windows\System\HWnGlBP.exe

C:\Windows\System\HWnGlBP.exe

C:\Windows\System\uBiaool.exe

C:\Windows\System\uBiaool.exe

C:\Windows\System\VmnOXyI.exe

C:\Windows\System\VmnOXyI.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 70.209.201.84.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/668-0-0x00007FF78C530000-0x00007FF78C881000-memory.dmp

memory/668-1-0x0000021DC9AD0000-0x0000021DC9AE0000-memory.dmp

C:\Windows\System\puSzbBf.exe

MD5 5138306d4ce66c75834ebda8ddf89b45
SHA1 a4af81841481edfcfc555c1e789039c9b06072cf
SHA256 22cefdefb1bf019a824a2f86b6f958efdc7e9b1312db3491308d8360d64e0422
SHA512 3e92b147e173008373b09419557c4748f1a39c329f13f880b749515b28a48373d4afab006257d526cdae9e85b2d59359723f004faada0770de5c602d7fff4cf7

C:\Windows\System\WbEzkXV.exe

MD5 e20e483f3bbd064c72ee612c81d204b5
SHA1 f392638acc7ffba97445528b1456cbb868bb3187
SHA256 a0e4a28b8219e7504a737a734fcbfc5c04e2540dbf662b0d5896d61269fa2f1c
SHA512 3c9fadf06746b450c4dfb07c52b578c7567a98ed3e1f5f73321e90c383ac4c45c94abd9ce6fce75d5bbd5a652fd49cd918f7f67136b2fff24e35ddef23f6a051

memory/5064-24-0x00007FF6DEDA0000-0x00007FF6DF0F1000-memory.dmp

memory/4804-40-0x00007FF6ABD60000-0x00007FF6AC0B1000-memory.dmp

C:\Windows\System\oDRnLEx.exe

MD5 3459bf2ed24965688377eee7ef106914
SHA1 b7e2d9591a3bb0650d6b7c1b98478bfbf4167595
SHA256 8bc9f953f071f3f8d4dc60eb24a09539f2a0b49ecbed2dbf902804aa9b609bcd
SHA512 befb6bf1ab07b3047948f007e4d60f2c535e753af1c2e85cb01941e7be1a07b4a6d1bbc4e74a217ae658083df5790038361268c734fd6b216d429a51b1debb7f

C:\Windows\System\ayaQpCA.exe

MD5 c2fff0624a0922854bf1407929bb42f1
SHA1 93c28b132cb0963b39b78bd563acf677945e57f3
SHA256 47f4208998d35cef828f2ded900cdc6fe1fe6288301307400c514018cec07a9c
SHA512 44384a7aa6116284490e642fe485c77e015e7408e91e4c4c6d502d7c680ada5a0e2a59848fde6c58bf971ba9f8d322843953c1f44f748d72c5a42a7705fbb850

C:\Windows\System\rOfEgVS.exe

MD5 9caef132c400b88b3fd749202ef5a20d
SHA1 e28b1d4d77381974cdfbe050486df244101c9c83
SHA256 7b901927357e955acb6961251b4856cfcf4d3e1be15e7051e9958c708641a91a
SHA512 10448c3b58d2b12c3a14606638f6cde1e50e689dcdded49bcad4399709a766e235fa7af463fe5db0f6b97ab874df3e57f50045424a2c444b2bae4bfd2ecb8772

C:\Windows\System\lPJikHz.exe

MD5 b28467580b1edbd35fe92b8793dc3083
SHA1 c65a06ffb4f14691c8b12c5d3038696ada532015
SHA256 eef7571232c7de38bc65b8bff4354c93f8cd8210b844ae14ec4c97b3df3f6841
SHA512 1037e95ff3389a46b4deb1e7499b09337bd4f70a1ba879e380f037a317d7af35ac3daac166674825f881d0e1577f7abc8ac8cd26db37a0da0d0a706830629895

memory/2772-94-0x00007FF61C950000-0x00007FF61CCA1000-memory.dmp

C:\Windows\System\iPDRyml.exe

MD5 06b4a4da1fe320b51118af44b38ff3d7
SHA1 7d63a8992e250044ba6cebc991d9fba5dc588e8e
SHA256 39a0f85bc356c775b0b7c99a50abec6b95ba1e92879496c7354e5693f8f8b693
SHA512 e6013a1022777d202fb6a7f89d031684269027e9b31938bddd86f61a0a95c207f46896df826f902fd5f1a313cf2281265dbae3f70497adbc4ac3bea39a78d7ee

C:\Windows\System\puIipWn.exe

MD5 231551b4a4a5a0e747bdbd95222bb46d
SHA1 24965bfdccb22403ce431b34915e3a808e35c767
SHA256 a658619dfb03bd26cf4ee727cdf0b904e4826e34bf3594beeeb27e1e6c0afe2b
SHA512 cefdd021e80bdb39103d08ad4821416d13ba61f5bca3fdd0ea479b9010922e19d99def1482bd9ada1ea9e8ac66f3ed1448e04cf0c469cb5e80e37153669e433f

C:\Windows\System\VpEwjWa.exe

MD5 236ff1fea40bf27fee4754da0ba0c63d
SHA1 4519802102551ef6bdc6a93a001da3dad13c8c02
SHA256 3a811106a0291e7200999d7d5a5d04ccd083a706847d2952992fffdc83d353e4
SHA512 e7913557f09eb518cf3dfabb4d7e65c5268afb0bfbd63536d3301bacecfc07b74328663cb8ddd1ea3447dcdb8efbe3ae61ddef73a38b56b555b3b9307e5d7ed9

memory/1924-95-0x00007FF65C3E0000-0x00007FF65C731000-memory.dmp

memory/3336-93-0x00007FF6EF570000-0x00007FF6EF8C1000-memory.dmp

C:\Windows\System\UZHIung.exe

MD5 c4ed4aa36a58341943d8c4057f2f3775
SHA1 d611ddb8309da1d92778662a81af50b67b7cb6a3
SHA256 5a3e682e8c6ffcf4405af777a71b6a7635e240de7bea25b4b87a771dd7ea9512
SHA512 540a3b4390f9cfa89d83b4cf7377ab40cb1d8b3a4ade94207b3de2d4337f2c3998d2158644922017562cf2f2b6cb1918dd43d68c33aa6b1b2eb049f55d6ad071

memory/3236-91-0x00007FF666520000-0x00007FF666871000-memory.dmp

C:\Windows\System\vbbLbLA.exe

MD5 2edab1c0fda98f5538df574e904daa16
SHA1 3465b0ecc8c8aa773ff3700a65ffc9ebe814a8dc
SHA256 e4ecd918fe826caae2be454bf64ae38f00c00b05135445037913cf075dda13c6
SHA512 0ce759d8309eb42160b88ab84a1b1a00539c1f81dcd3918df161a2ec9474301ec5688a59d412a512af70996770029d59f948e312dd794964a88c8b651f0d830a

memory/4080-88-0x00007FF7890E0000-0x00007FF789431000-memory.dmp

memory/848-87-0x00007FF7363A0000-0x00007FF7366F1000-memory.dmp

C:\Windows\System\CqWqVrq.exe

MD5 b95e72c402b6dc743466c71c5fc3de98
SHA1 18964d9077a8b3ee7cb866d944d32c06a0c0add0
SHA256 3e1f014c5bb42b1b5c1cd465626f58c7571245fedabdcddb76d8bb127b427f03
SHA512 aa856f3a99dcabc242d42238d7dedff1625bca81e20d52e6c9beecd97f09037173dbfacdaf1872dc1ca53adf23848210be65dfb01088b3acf2049b9ea0df0307

memory/928-77-0x00007FF7B69F0000-0x00007FF7B6D41000-memory.dmp

memory/2316-67-0x00007FF762B90000-0x00007FF762EE1000-memory.dmp

memory/2020-59-0x00007FF60CBB0000-0x00007FF60CF01000-memory.dmp

memory/1260-56-0x00007FF64BCE0000-0x00007FF64C031000-memory.dmp

C:\Windows\System\ecsVelB.exe

MD5 329db940195b0a1d0046fbcf68060e75
SHA1 a2910f0e912e9a63ae56657ed221d7de5671a60e
SHA256 f8199ac1f26b1651c6a4fa42b50056291ec4950b2c0c16ba4f154690e4062698
SHA512 d1d18388a4461ed5c221f27a5f820725b5a1ffa12382056779edafb1610ebeb18561f163068304fc403210d167759064adb24feedf42c4f51ebc70aba2173716

memory/3068-44-0x00007FF6D5300000-0x00007FF6D5651000-memory.dmp

memory/2492-41-0x00007FF7E1A90000-0x00007FF7E1DE1000-memory.dmp

C:\Windows\System\NCUUncM.exe

MD5 98a27e5aa4d1f0608705a1741cb85c40
SHA1 f2c84d62540d2068f472d24397fb8411483cdcdc
SHA256 88edecd8e1cdd61ceb5477785248c08cdf1eb52ef3b30a9624c4bace1cad8b5d
SHA512 468e5ae625998164ae8533f1c2fe2ed90b3f052c9896628cc1192b2d23adc3341625addd6e5c1755da8904113e7db638d9bbca69c18807bd75728cfd368a204a

C:\Windows\System\FrkWvFa.exe

MD5 54c8fc95d3c8f9258b6eb318f8063d08
SHA1 550ece6923644b37c990f683ff9402019b599c70
SHA256 327b9ea5b23e0427b8720daa885193bbb1e23f3eec13270808096bcd09b47959
SHA512 81e76ac58f096bd9bc7f7989491dee8f1936da674f84610101c16e04f112541c9b939505893c24c59232e0044918eae4e83db2ce89bf3a73ce54ab10ea8859c9

C:\Windows\System\VZAsvpt.exe

MD5 fa959285d6c2edabfc5580695c752ea7
SHA1 d55b67dab1fa9f6c8574aebe9026e28fc456daa8
SHA256 2b3e6ac5b3cbd0d439d3393b81e7af55aa71f07081682ad0e242b3f2796b1e28
SHA512 9e8cd90a413e38dd5f3385faf5e2a73eb51c2cc7d5c1d1b96b0e841330f87a3bb9efeaaa7dd03b17e6059eba014257e2be43e70993b5f3225b13343fccbd9027

memory/1272-30-0x00007FF6E17C0000-0x00007FF6E1B11000-memory.dmp

C:\Windows\System\sxZTdKI.exe

MD5 9f66a830cdf14420812d683e908d5a63
SHA1 b57ab6204c9a0f2b69516a09d5784c709bd1edc8
SHA256 98c89b4685e8f84bfac0cf83b1dc0c177f636c4cd0d008cf149eddf31d5f1fc7
SHA512 49f19c7a7fa90f7f7ecf2483d4b5e0df5c72788da58941662da45db6b0e18dbd3b847add0af73d0c9516020770ee134459ac4188c9b6fc51502b6fee864f37b2

memory/2184-16-0x00007FF6A3A00000-0x00007FF6A3D51000-memory.dmp

memory/4272-8-0x00007FF6167E0000-0x00007FF616B31000-memory.dmp

C:\Windows\System\HWnGlBP.exe

MD5 f4567a1cde5b314500238290d3f59549
SHA1 53f5226244c6455fdf4b44942ecd09ac69ae0255
SHA256 f6f1bfaca0edcb6ca50b3563ddff48b1863853fa6126f57a3e670310ebc2f83e
SHA512 03ce9b4b0801477801d58ed7b111b617440ac67646f5fa31395d35b2ea7e754cd285a6c26ee7276c6fd032b77ca1881a6c32be87ba947e7dff07ff2929a05f57

C:\Windows\System\uBiaool.exe

MD5 effdd6786d1ec3fc9671df52bee1160c
SHA1 8c2ce5c342a7acf18e31db5ba2518c6149b0d20a
SHA256 faa1b141ceba85197e7b8cfada5e66bb474992b5548f8f7d81c163146d780979
SHA512 725bbaddb7535757384f954cf321c0233d885f819ace5f78af0505a77ba0100e38c59540de98cfa0c9b1f8b8f8862473c2d089d5d95dbdb72b0fe8de0021fea0

memory/5000-121-0x00007FF746FD0000-0x00007FF747321000-memory.dmp

memory/4272-119-0x00007FF6167E0000-0x00007FF616B31000-memory.dmp

C:\Windows\System\VmnOXyI.exe

MD5 e54c2949f7f101998f1de75ea6e10e4a
SHA1 04e9cafad66007c7f6afef8ce28a4da34215ad58
SHA256 1e50e0ddfafda86190ff72eaf772167f102d6cf7c1740d9593cc2c639c9aed88
SHA512 d6bb5abf108a01df1ccb22e5a8a311fe341c41206151b2aa64af76f06a944afff85efe2a72fd72f7ecf7751bacfa4f94e1ce96fbc8bfa97b74c414bb53835b31

memory/3500-124-0x00007FF774D80000-0x00007FF7750D1000-memory.dmp

memory/4600-122-0x00007FF72C600000-0x00007FF72C951000-memory.dmp

memory/668-116-0x00007FF78C530000-0x00007FF78C881000-memory.dmp

memory/4252-113-0x00007FF659330000-0x00007FF659681000-memory.dmp

C:\Windows\System\pHDwJwM.exe

MD5 f91ceff39e1aa3b5475611bcaa802ae8
SHA1 9137aec9e098b370eb93183d77a09ae08e9581f6
SHA256 8eae35bd9055ae1117c22d489008cdff3bef5bd01a019ba2d6e9af8a158c38fc
SHA512 7fd5392c13372520ffb82df434a247102d2450bc277045c2a5bd42d79cf42181d25699075eefa75ad5b7f818792b3beb66c77d21b1d13cc42b16eb0b4ef41c80

memory/668-130-0x00007FF78C530000-0x00007FF78C881000-memory.dmp

memory/2184-131-0x00007FF6A3A00000-0x00007FF6A3D51000-memory.dmp

memory/4804-133-0x00007FF6ABD60000-0x00007FF6AC0B1000-memory.dmp

memory/1272-132-0x00007FF6E17C0000-0x00007FF6E1B11000-memory.dmp

memory/3068-138-0x00007FF6D5300000-0x00007FF6D5651000-memory.dmp

memory/1260-140-0x00007FF64BCE0000-0x00007FF64C031000-memory.dmp

memory/2492-142-0x00007FF7E1A90000-0x00007FF7E1DE1000-memory.dmp

memory/3236-150-0x00007FF666520000-0x00007FF666871000-memory.dmp

memory/3336-151-0x00007FF6EF570000-0x00007FF6EF8C1000-memory.dmp

memory/1924-149-0x00007FF65C3E0000-0x00007FF65C731000-memory.dmp

memory/4252-152-0x00007FF659330000-0x00007FF659681000-memory.dmp

memory/848-147-0x00007FF7363A0000-0x00007FF7366F1000-memory.dmp

memory/928-145-0x00007FF7B69F0000-0x00007FF7B6D41000-memory.dmp

memory/4080-148-0x00007FF7890E0000-0x00007FF789431000-memory.dmp

memory/2316-146-0x00007FF762B90000-0x00007FF762EE1000-memory.dmp

memory/2772-144-0x00007FF61C950000-0x00007FF61CCA1000-memory.dmp

memory/2020-143-0x00007FF60CBB0000-0x00007FF60CF01000-memory.dmp

memory/5000-153-0x00007FF746FD0000-0x00007FF747321000-memory.dmp

memory/4600-157-0x00007FF72C600000-0x00007FF72C951000-memory.dmp

memory/3500-158-0x00007FF774D80000-0x00007FF7750D1000-memory.dmp

memory/668-159-0x00007FF78C530000-0x00007FF78C881000-memory.dmp

memory/4272-222-0x00007FF6167E0000-0x00007FF616B31000-memory.dmp

memory/5064-224-0x00007FF6DEDA0000-0x00007FF6DF0F1000-memory.dmp

memory/2184-226-0x00007FF6A3A00000-0x00007FF6A3D51000-memory.dmp

memory/4804-228-0x00007FF6ABD60000-0x00007FF6AC0B1000-memory.dmp

memory/1272-230-0x00007FF6E17C0000-0x00007FF6E1B11000-memory.dmp

memory/3068-232-0x00007FF6D5300000-0x00007FF6D5651000-memory.dmp

memory/2492-234-0x00007FF7E1A90000-0x00007FF7E1DE1000-memory.dmp

memory/1260-236-0x00007FF64BCE0000-0x00007FF64C031000-memory.dmp

memory/2020-239-0x00007FF60CBB0000-0x00007FF60CF01000-memory.dmp

memory/928-241-0x00007FF7B69F0000-0x00007FF7B6D41000-memory.dmp

memory/2316-243-0x00007FF762B90000-0x00007FF762EE1000-memory.dmp

memory/4080-247-0x00007FF7890E0000-0x00007FF789431000-memory.dmp

memory/848-251-0x00007FF7363A0000-0x00007FF7366F1000-memory.dmp

memory/1924-250-0x00007FF65C3E0000-0x00007FF65C731000-memory.dmp

memory/3236-253-0x00007FF666520000-0x00007FF666871000-memory.dmp

memory/3336-255-0x00007FF6EF570000-0x00007FF6EF8C1000-memory.dmp

memory/2772-246-0x00007FF61C950000-0x00007FF61CCA1000-memory.dmp

memory/4252-260-0x00007FF659330000-0x00007FF659681000-memory.dmp

memory/3500-262-0x00007FF774D80000-0x00007FF7750D1000-memory.dmp

memory/4600-264-0x00007FF72C600000-0x00007FF72C951000-memory.dmp

memory/5000-267-0x00007FF746FD0000-0x00007FF747321000-memory.dmp