Malware Analysis Report

2025-08-10 14:42

Sample ID 241026-j1593szmf1
Target 2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat
SHA256 b4fa2fb5b500915e79f08d7ae82fe28c8b89bdea6fdb905dcf929765daa037bf
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b4fa2fb5b500915e79f08d7ae82fe28c8b89bdea6fdb905dcf929765daa037bf

Threat Level: Known bad

The file 2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

XMRig Miner payload

Cobalt Strike reflective loader

Cobaltstrike

xmrig

Xmrig family

Cobaltstrike family

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-10-26 08:09

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-26 08:09

Reported

2024-10-26 08:11

Platform

win7-20240708-en

Max time kernel

137s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows, no details recorded)

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (59 identical rows, no details recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A (21 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (55 identical rows, no details recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\UiHYRoR.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZJzwzsG.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\phcIurU.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HojYkxq.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\unRIDwn.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RGUQpkb.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YZhYfXB.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\glWkNnm.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FzRtVWQ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oLYchmn.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gkktAYm.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zqVzyQw.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mJnizwx.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PcPhaME.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VKriwEQ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IlnxBoE.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mxTRlfH.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sUcguhl.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tbrJclm.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BtvRQUr.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZweOfNV.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(each write below was recorded three times in the original report)
PID 2220 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UiHYRoR.exe
PID 2220 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YZhYfXB.exe
PID 2220 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\glWkNnm.exe
PID 2220 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BtvRQUr.exe
PID 2220 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PcPhaME.exe
PID 2220 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VKriwEQ.exe
PID 2220 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IlnxBoE.exe
PID 2220 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mxTRlfH.exe
PID 2220 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZJzwzsG.exe
PID 2220 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FzRtVWQ.exe
PID 2220 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sUcguhl.exe
PID 2220 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\phcIurU.exe
PID 2220 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZweOfNV.exe
PID 2220 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oLYchmn.exe
PID 2220 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gkktAYm.exe
PID 2220 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HojYkxq.exe
PID 2220 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zqVzyQw.exe
PID 2220 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tbrJclm.exe
PID 2220 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\unRIDwn.exe
PID 2220 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mJnizwx.exe
PID 2220 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RGUQpkb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\UiHYRoR.exe

C:\Windows\System\UiHYRoR.exe

C:\Windows\System\YZhYfXB.exe

C:\Windows\System\YZhYfXB.exe

C:\Windows\System\glWkNnm.exe

C:\Windows\System\glWkNnm.exe

C:\Windows\System\BtvRQUr.exe

C:\Windows\System\BtvRQUr.exe

C:\Windows\System\PcPhaME.exe

C:\Windows\System\PcPhaME.exe

C:\Windows\System\VKriwEQ.exe

C:\Windows\System\VKriwEQ.exe

C:\Windows\System\IlnxBoE.exe

C:\Windows\System\IlnxBoE.exe

C:\Windows\System\mxTRlfH.exe

C:\Windows\System\mxTRlfH.exe

C:\Windows\System\ZJzwzsG.exe

C:\Windows\System\ZJzwzsG.exe

C:\Windows\System\FzRtVWQ.exe

C:\Windows\System\FzRtVWQ.exe

C:\Windows\System\sUcguhl.exe

C:\Windows\System\sUcguhl.exe

C:\Windows\System\phcIurU.exe

C:\Windows\System\phcIurU.exe

C:\Windows\System\ZweOfNV.exe

C:\Windows\System\ZweOfNV.exe

C:\Windows\System\oLYchmn.exe

C:\Windows\System\oLYchmn.exe

C:\Windows\System\gkktAYm.exe

C:\Windows\System\gkktAYm.exe

C:\Windows\System\HojYkxq.exe

C:\Windows\System\HojYkxq.exe

C:\Windows\System\zqVzyQw.exe

C:\Windows\System\zqVzyQw.exe

C:\Windows\System\tbrJclm.exe

C:\Windows\System\tbrJclm.exe

C:\Windows\System\unRIDwn.exe

C:\Windows\System\unRIDwn.exe

C:\Windows\System\mJnizwx.exe

C:\Windows\System\mJnizwx.exe

C:\Windows\System\RGUQpkb.exe

C:\Windows\System\RGUQpkb.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp (6 identical connections)

Files

memory/2220-0-0x000000013F730000-0x000000013FA84000-memory.dmp

memory/2220-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\UiHYRoR.exe

MD5 a572ffb7f903b4de03dd4b96f552d987
SHA1 acd09099e4b93c185b17f9f18fb40613a07e2833
SHA256 f8b881b43be00116378f4b1af6692402ed508543718a08c3b17b231a6b264532
SHA512 6dfc7b9bc703e2c4bc4485b44815414aa84bb0fe07c4ba7f3ba794a49391f8e1f3c4b1807ceb81b71c878a7308dac8c862cbcc6748c19f492302d573486c0fa5

memory/2220-6-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/2696-8-0x000000013F050000-0x000000013F3A4000-memory.dmp

C:\Windows\system\glWkNnm.exe

MD5 ed9117e2ee5e852283f20ead52c95b1e
SHA1 652fbbb9c4827e032a94988c2fbc831ba835da6b
SHA256 9ee2e67883542e7f8169e5c1d71eb3b516b13ce5e12974988a0554f779c4040e
SHA512 b84597c1f2d40e6234807cc06582744875d921a20380bdeda8a8735ea8f76fa544e0288aa61c49bb08a2b88297e78a3c3b98b5641aa98cc2fe906b2f23c411df

C:\Windows\system\BtvRQUr.exe

MD5 359f81a39b5157e37f0c01515e8c9efb
SHA1 588181f83b021b5a11d290c6119988e3541ffed0
SHA256 a893108f987816184bb8e3744a0bca1be989ed82fe050421a185e0804ce6d8a8
SHA512 c6875977306d8bc33bdab35661d8b4ae36db62f365c14bf6bbeda0a4cad7debc084913a61bb5f3abde2b2fc15f64c2b1b6067f895b67ea2e1beffb565cffc70b

memory/2684-30-0x000000013F200000-0x000000013F554000-memory.dmp

memory/2220-27-0x000000013F200000-0x000000013F554000-memory.dmp

memory/2708-25-0x000000013FBC0000-0x000000013FF14000-memory.dmp

memory/2220-23-0x000000013FBC0000-0x000000013FF14000-memory.dmp

memory/2220-14-0x0000000002300000-0x0000000002654000-memory.dmp

C:\Windows\system\YZhYfXB.exe

MD5 ae81075aa746ffe65ae5b792d69d6f4a
SHA1 3a9ae044ed315fd7708f49fc2a065bfa123cd828
SHA256 da0ef9f5e3463f015a3c401c27537a6557bee5382b3cf9141f793287e685ba95
SHA512 9a1a9730c79e3c8425ce648b443774d6e853a2d8ace1d5111cf8b05012c9fe3606559db7e0dd7faa199d3e177ffa8f807f328b66cb0a75647c672372e55eb09d

memory/2764-19-0x000000013F950000-0x000000013FCA4000-memory.dmp

C:\Windows\system\PcPhaME.exe

MD5 e1bb67519aa4ecf983e69790faa45066
SHA1 7d799243c57fcad1dc4ae6b735e018da347172eb
SHA256 5610d984ee84ef9407dcd7fbbf087042e5aa60cdc62a48b2681398e905843274
SHA512 5cf4e26309106fe90d6602003532489d514cb945fdeeddfb28abcb2ec015e9a2e0e3b5f353b189aa414bab534b0e194c0de7466973924b757ae55b231014e824

C:\Windows\system\VKriwEQ.exe

MD5 d04f1a54c54c2138bfcca60ffbe375a8
SHA1 2d0d12a1dfd921e658eda804e889f7b809b6ca1e
SHA256 c56492e1003814d8a50ec78bf7026ebb7238d2e076c4acd34095b707b62edbf7
SHA512 db490196ef755d77f98d0358c66dab933860a7713a41956c29c3ff1840ace81c741019e75ec7f270c3b52f2ed9b4f324aad9d3a4ebdef7a5180f5dbc5c60067b

memory/2220-42-0x000000013F040000-0x000000013F394000-memory.dmp

memory/3024-43-0x000000013F040000-0x000000013F394000-memory.dmp

memory/2652-41-0x000000013F870000-0x000000013FBC4000-memory.dmp

memory/2220-49-0x000000013F730000-0x000000013FA84000-memory.dmp

C:\Windows\system\mxTRlfH.exe

MD5 fdd7a1d035ba5ac12b712925a3bbc025
SHA1 08a8f7c02b125724e94816d6439040fc8dd84a9b
SHA256 08b78e8f078305c9614bb51da33a06cd1e32d3491e1d4465c95e746b005bb432
SHA512 a93fc45a61cf973487ca54bdc6cd92bb56885ece4e6a9db8f6ab5245a3a1c75bb0eb884cee40e0e90988ed8d3c797870f217515c28c0036895b00ed49d7cce15

memory/2220-63-0x0000000002300000-0x0000000002654000-memory.dmp

C:\Windows\system\ZJzwzsG.exe

MD5 1d0a238ddf6934862e71ce29e819f24b
SHA1 42c462af94d6c96c933daf6d7cda5c7104697895
SHA256 5e12701c1865c27fa074d3419e6d9f82813f06a4a6be376a12af38b026e90182
SHA512 b88407a7d088fa55798045047288f2295bc03cdda2d934dff6d45f2ad9e2c63432253225ed4be7a3299c07f84677109fa8dd17dd58e2c34a9ca0cdcb5ea9ffee

memory/2580-61-0x000000013FC70000-0x000000013FFC4000-memory.dmp

memory/2220-60-0x000000013FC70000-0x000000013FFC4000-memory.dmp

memory/2984-66-0x000000013F5E0000-0x000000013F934000-memory.dmp

memory/2764-65-0x000000013F950000-0x000000013FCA4000-memory.dmp

memory/2604-56-0x000000013F810000-0x000000013FB64000-memory.dmp

memory/2696-53-0x000000013F050000-0x000000013F3A4000-memory.dmp

C:\Windows\system\IlnxBoE.exe

MD5 95c0b0c986932f7bb26ed1636e1b07d1
SHA1 909082f0c2e2af4017d6cccce0411c0ac95d7bc9
SHA256 e2f518df46b7458df4d58de4cfde4a5e0b323589ebcf0934e411adfde0089565
SHA512 c9271e54cf8b32d547b72650e6943e6d8d550634a4adf4031df88a7210aca8947dbae4c3c008bbb667e60f01e1c45f41ef947334a2d6efa9da57663a63d22fbe

\Windows\system\oLYchmn.exe

MD5 a6318f1e208b79087050a877623a9e3b
SHA1 b6c79c1bf74324e785b6c6aaff6f7b351a2011e9
SHA256 803a99f4f761e52bcefdb82c780fb986153206b1f6af616018da2aca5dc3024c
SHA512 e463b155d741b6d47d5c1d88c8544cff96fdba533ae042de289252e3e3252749c3b6c0d3adc84fedc6a2bd1e4a3320c20840c153bd8ac321b4bff88740a097d5

\Windows\system\phcIurU.exe

MD5 8c4053d619c0148f426835a9f6ad66b2
SHA1 d8f88a6af7da2a874f36b9a2fbe5e901ae73e7c4
SHA256 7739488983931c5a64a65e123a871853d6c1d4187b3d458e13b5ac0942f3237b
SHA512 0eda9391caab39f45dcc038830949a99bea2a6327158902bea0c35c51f69add822f974044aa340550324792117f8c3d9da5f72078858f0b3412d3fd02a5315e2

C:\Windows\system\tbrJclm.exe

MD5 d33af498d302fa713c67dfe7246e53fc
SHA1 3432eea9199eadd2fb09cc17a7a17a571b66dff9
SHA256 6423ac5ee42544c7736325b1a8f7220f5e14466c6293639a5f247a6648033afb
SHA512 9c411286f6ecdec9a91923e238a9e0a118d09df95cfdb548b96bc42d85faa61b2c5c1baed6fcf3f973385854e49cdf07f6733295ba99339a709718e8fd63be60

\Windows\system\RGUQpkb.exe

MD5 330970ec11b817de7f526a8c99404ee9
SHA1 c49e1db1bc077c1780b0524edbf079e88dbcd4cd
SHA256 a2bc509b1eed099c32c3e502607b3a4651ee117e439ab1eb1583c17f1ecb26ce
SHA512 6f56cbe493cef3bdd21488814b5a333e7386ca04eca22c2fd8fc1f5059a94cd9f1609a239709212f338df049959e2362a0ef4f07b79143dfe983bf6cb9681b3e

C:\Windows\system\mJnizwx.exe

MD5 266db4aa2f6dd1e8ff5033aea4e9e326
SHA1 de3fa0db0af84e7210856f384f996591a3c75cf9
SHA256 d2f2940a2c429a449769ab452dd70c72f8adeeb7bd12523307d73d40c8db02e5
SHA512 635650dbd087cf79d831c7e89d5fba65138930e31eb3f9cc81c69b03bacaff03f1753f013fd57bea81da7d3cbf78cb480469e2212d43a0bc3a706631bd180717

C:\Windows\system\unRIDwn.exe

MD5 6f39d4c77dcc785fda6741c3bf4fbb92
SHA1 cdb47ddefb7626b27d12d4801a71c5ca53b6e114
SHA256 afca2276e21d94217eeacabadfd4d4bd83a0f507951ace50972327c90703a87d
SHA512 5d9588f109e956d56764f3868f6cb9bfccfdd229e754103d4330428ac78bf6c6c51cffeeb955c2b9b3393e365eefcecca1e6ff0ccbb90917ef9e0a72401f6447

C:\Windows\system\zqVzyQw.exe

MD5 2f4e463264337dc40491072b0ee3a5f3
SHA1 7773b7c96205720dd01e52aaf6210a5032988de1
SHA256 66107e7f8d971aa2b04b952e269cfe95218666f66c1ac87f842cb404eefd861f
SHA512 3e31f69398a6fe813fc35bdc300ce550cc5332832fa9e65063c3d93b5bd4e20ece8b3817e86bc85118b7bdb13f52adcafe323d728b2895485318326e8d674f1a

C:\Windows\system\HojYkxq.exe

MD5 ad337706a4df0d389380af75999444ba
SHA1 36b8c6762dc369ccb317d7e253c3c06bb60f37a7
SHA256 5d2f36f0ba340518f4d9a46687314d5be800b8424c5aa08b6ce17d2a244f39d9
SHA512 3b7bd4e4acf6e2cd887facebf2ffdb0085e3d7db1f065b4559c7e53cac735a9c056b8612718b2bb910dda36f97be53c66d62b83a808607c3ad920a504be8aad4

C:\Windows\system\gkktAYm.exe

MD5 bb9ccb74fa809b78c70e5508630ef3c6
SHA1 126a88fee4e8f275fba77ff4b85013828383049e
SHA256 80a2c1bad0e0944d432ade40c2f050741eb6a800c5cd44bb69af3aa420a77062
SHA512 d68781c1e63e6cdc2a12a3054ee445396adf1a5af05b2e72eec0fc421b653851082f8ecdc8da5267de86f9168404dad0086fffd3c206f66af11de417029f9625

C:\Windows\system\ZweOfNV.exe

MD5 ec98b639116d8d42fe65cdfc7372db42
SHA1 5deb05c20592d9b354684d02bd8587d26dc59389
SHA256 a952dce9d7d68d33b85a64614333d5603e69e4ed4e293ed07cb93532aa17ee8e
SHA512 c784c2e4429e59b5856c9775c1c8790ab62f622ca4f6a126d777f2946e698d177dc59573ef7cd348d3892fdb78829a29d74b69d4256ddf7de2a42c8d6386a9f9

C:\Windows\system\sUcguhl.exe

MD5 ca19fa6f9ab5503566240705d9477159
SHA1 f659595650e7ca4ca76ce0994844c5a273b1867f
SHA256 25fc1c16eb017d4101ba9c6e5bdd3d6af6487b901d36fb0b345088142a032b2f
SHA512 4d16d4e9885a813d5f52f6e042152572dff612ca4a6784961cc2983f905fb2cbfe208426ce81119c62b8701b3069e7304b558ee7679b1f073c2202b4b2d50110

C:\Windows\system\FzRtVWQ.exe

MD5 aaf024594d3a8093f56017d2a2592665
SHA1 ad939c8d4c6f36e99c4a515e202bd36945e9221d
SHA256 2469743229297267ca9fdbcf0b58806f42588030a9f302d7ed30351ac1a53135
SHA512 89156e23bffc8b11cb69c416555bfb1e335c8f85db19d1f938760250765272549a95d7ae3ce0150423ee3bab177ec2e55002116135541f5bd9b3008369b8c698

memory/2220-126-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2172-129-0x000000013F500000-0x000000013F854000-memory.dmp

memory/2648-130-0x000000013F6E0000-0x000000013FA34000-memory.dmp

memory/1316-131-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2220-132-0x000000013F060000-0x000000013F3B4000-memory.dmp

memory/576-134-0x000000013F060000-0x000000013F3B4000-memory.dmp

memory/2220-133-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

memory/2960-128-0x000000013F6C0000-0x000000013FA14000-memory.dmp

memory/2220-127-0x0000000002300000-0x0000000002654000-memory.dmp

memory/2684-135-0x000000013F200000-0x000000013F554000-memory.dmp

memory/2220-136-0x000000013FC70000-0x000000013FFC4000-memory.dmp

memory/2220-137-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2696-138-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/2708-139-0x000000013FBC0000-0x000000013FF14000-memory.dmp

memory/2764-140-0x000000013F950000-0x000000013FCA4000-memory.dmp

memory/2684-141-0x000000013F200000-0x000000013F554000-memory.dmp

memory/2652-142-0x000000013F870000-0x000000013FBC4000-memory.dmp

memory/3024-143-0x000000013F040000-0x000000013F394000-memory.dmp

memory/2604-144-0x000000013F810000-0x000000013FB64000-memory.dmp

memory/2580-145-0x000000013FC70000-0x000000013FFC4000-memory.dmp

memory/2984-146-0x000000013F5E0000-0x000000013F934000-memory.dmp

memory/1316-147-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2960-148-0x000000013F6C0000-0x000000013FA14000-memory.dmp

memory/2172-150-0x000000013F500000-0x000000013F854000-memory.dmp

memory/2648-149-0x000000013F6E0000-0x000000013FA34000-memory.dmp

memory/576-151-0x000000013F060000-0x000000013F3B4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-26 08:09

Reported

2024-10-26 08:11

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 rows, every column N/A: the detonation recorded no description, indicator, process or target for this signature)

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(64 rows, every column N/A: the detonation recorded no description, indicator, process or target for this signature)

UPX packed file

upx
Description Indicator Process Target
(64 rows, every column N/A: the detonation recorded no description, indicator, process or target for this signature)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\SOkhteF.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pIYyiRC.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RQeGoSC.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tIaYhHq.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PgIFhUg.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fIVqvmO.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fVRVBOM.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CBUMvsu.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dAcnonA.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bBZblvc.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nDEcwty.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XTVWKmc.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EMMVihc.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\btrTfKH.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XEuZzSH.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YTbEkPC.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PVxXWGp.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RiiBeas.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QLXczht.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PqiiUlk.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qXOJkBA.exe C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2884 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YTbEkPC.exe
PID 2884 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YTbEkPC.exe
PID 2884 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tIaYhHq.exe
PID 2884 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tIaYhHq.exe
PID 2884 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PVxXWGp.exe
PID 2884 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PVxXWGp.exe
PID 2884 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bBZblvc.exe
PID 2884 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bBZblvc.exe
PID 2884 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nDEcwty.exe
PID 2884 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nDEcwty.exe
PID 2884 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XTVWKmc.exe
PID 2884 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XTVWKmc.exe
PID 2884 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SOkhteF.exe
PID 2884 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SOkhteF.exe
PID 2884 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EMMVihc.exe
PID 2884 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EMMVihc.exe
PID 2884 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\btrTfKH.exe
PID 2884 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\btrTfKH.exe
PID 2884 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RiiBeas.exe
PID 2884 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RiiBeas.exe
PID 2884 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PgIFhUg.exe
PID 2884 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PgIFhUg.exe
PID 2884 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pIYyiRC.exe
PID 2884 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pIYyiRC.exe
PID 2884 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XEuZzSH.exe
PID 2884 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XEuZzSH.exe
PID 2884 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RQeGoSC.exe
PID 2884 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RQeGoSC.exe
PID 2884 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fIVqvmO.exe
PID 2884 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fIVqvmO.exe
PID 2884 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QLXczht.exe
PID 2884 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QLXczht.exe
PID 2884 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PqiiUlk.exe
PID 2884 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PqiiUlk.exe
PID 2884 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qXOJkBA.exe
PID 2884 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qXOJkBA.exe
PID 2884 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fVRVBOM.exe
PID 2884 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fVRVBOM.exe
PID 2884 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CBUMvsu.exe
PID 2884 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CBUMvsu.exe
PID 2884 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dAcnonA.exe
PID 2884 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dAcnonA.exe
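
The two tables above are more useful read together than row by row: every image the parent (PID 2884) writes into is one of the 21 executables it had just created under C:\Windows\System, and each child appears exactly twice. No row shows a write into a pre-existing process, so what the signature is recording is the parent spawning its own freshly dropped copies, not injection into a third party. The script below is an added example for this report (not sandbox output) that reconciles the two tables into a parent-to-child view; it assumes the whitespace-separated row layout shown above (paths in this report contain no spaces), and the sample rows, the PARENT/CHILDREN constants and the function names are mine, rebuilt from the report's own entries for three of the 21 children.

```python
"""Reconstruct parent -> child relationships from the 'Drops file in Windows
directory' and 'Suspicious use of WriteProcessMemory' rows of a sandbox report.

Added example for this report, not sandbox output.  Row layout assumed from the
tables above: 'File created <path> <process> N/A' and
'PID <src> wrote to memory of <dst> N/A <process> <target>'.
"""
import re
from collections import defaultdict

# Sample rows rebuilt from the report's own entries (three of the 21 children).
PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe")
CHILDREN = [  # (child PID, dropped image) as listed in the report
    (2076, r"C:\Windows\System\YTbEkPC.exe"),
    (4476, r"C:\Windows\System\tIaYhHq.exe"),
    (2740, r"C:\Windows\System\PVxXWGp.exe"),
]
SAMPLE_ROWS = [f"File created {img} {PARENT} N/A" for _, img in CHILDREN]
for _pid, _img in CHILDREN:
    # the report lists two WriteProcessMemory rows per child
    SAMPLE_ROWS += [f"PID 2884 wrote to memory of {_pid} N/A {PARENT} {_img}"] * 2

DROP_RE = re.compile(r"^File created (?P<path>\S+) (?P<process>\S+) N/A$")
WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
                    r"N/A (?P<process>\S+) (?P<target>\S+)$")


def parse_rows(rows):
    """Split report rows into (drops, writes); rows of any other shape are ignored."""
    drops, writes = [], []
    for row in rows:
        m = DROP_RE.match(row)
        if m:
            drops.append((m["path"], m["process"]))
            continue
        m = WPM_RE.match(row)
        if m:
            writes.append((int(m["src"]), int(m["dst"]), m["process"], m["target"]))
    return drops, writes


def build_tree(drops, writes):
    """Map parent PID -> {child PID: image, write count, dropped by the writer?}."""
    dropped_by = {path.lower(): proc.lower() for path, proc in drops}
    tree = defaultdict(dict)
    for src, dst, proc, target in writes:
        entry = tree[src].setdefault(dst, {
            "image": target,
            "writes": 0,
            # True when the writer itself created the target image on disk
            "dropped_by_writer": dropped_by.get(target.lower()) == proc.lower(),
        })
        entry["writes"] += 1
    return dict(tree)


def summarize(tree, parent_pid):
    """Roll one parent's children up into the facts an analyst wants to confirm."""
    kids = tree.get(parent_pid, {})
    return {
        "children": len(kids),
        "all_dropped_by_writer": all(k["dropped_by_writer"] for k in kids.values()),
        "all_in_windows_system": all(
            k["image"].lower().startswith("c:\\windows\\system\\") for k in kids.values()),
        "writes_per_child": sorted({k["writes"] for k in kids.values()}),
    }


if __name__ == "__main__":
    tree = build_tree(*parse_rows(SAMPLE_ROWS))
    for pid, info in sorted(tree[2884].items()):
        print(f"2884 -> {pid}: {info['image']} (writes={info['writes']}, "
              f"dropped_by_writer={info['dropped_by_writer']})")
    print(summarize(tree, 2884))
```

Run against the full tables, the same three checks should hold for all 21 children: one writer, every target dropped by that writer, every target under C:\Windows\System, two writes each. A child that fails any of them (a target the parent never created, or a write into a process that already existed) is the row worth opening first.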

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\YTbEkPC.exe

C:\Windows\System\YTbEkPC.exe

C:\Windows\System\tIaYhHq.exe

C:\Windows\System\tIaYhHq.exe

C:\Windows\System\PVxXWGp.exe

C:\Windows\System\PVxXWGp.exe

C:\Windows\System\bBZblvc.exe

C:\Windows\System\bBZblvc.exe

C:\Windows\System\nDEcwty.exe

C:\Windows\System\nDEcwty.exe

C:\Windows\System\XTVWKmc.exe

C:\Windows\System\XTVWKmc.exe

C:\Windows\System\SOkhteF.exe

C:\Windows\System\SOkhteF.exe

C:\Windows\System\EMMVihc.exe

C:\Windows\System\EMMVihc.exe

C:\Windows\System\btrTfKH.exe

C:\Windows\System\btrTfKH.exe

C:\Windows\System\RiiBeas.exe

C:\Windows\System\RiiBeas.exe

C:\Windows\System\PgIFhUg.exe

C:\Windows\System\PgIFhUg.exe

C:\Windows\System\pIYyiRC.exe

C:\Windows\System\pIYyiRC.exe

C:\Windows\System\XEuZzSH.exe

C:\Windows\System\XEuZzSH.exe

C:\Windows\System\RQeGoSC.exe

C:\Windows\System\RQeGoSC.exe

C:\Windows\System\fIVqvmO.exe

C:\Windows\System\fIVqvmO.exe

C:\Windows\System\QLXczht.exe

C:\Windows\System\QLXczht.exe

C:\Windows\System\PqiiUlk.exe

C:\Windows\System\PqiiUlk.exe

C:\Windows\System\qXOJkBA.exe

C:\Windows\System\qXOJkBA.exe

C:\Windows\System\fVRVBOM.exe

C:\Windows\System\fVRVBOM.exe

C:\Windows\System\CBUMvsu.exe

C:\Windows\System\CBUMvsu.exe

C:\Windows\System\dAcnonA.exe

C:\Windows\System\dAcnonA.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Of the destinations listed, the 8.8.8.8:53 lookups, the in-addr.arpa reverse lookups and the bing.com / bing.net connections are typical of Windows 10 background activity in the sandbox image rather than of the sample. The only destination with no resolved domain and outside that set is 3.120.209.58:8080 (DE), contacted six times over TCP. The report does not attribute any connection to a specific process, so treat that address as the candidate C2 to pivot on, not as a confirmed beacon.

Files

memory/2884-0-0x00007FF7F2C90000-0x00007FF7F2FE4000-memory.dmp

memory/2884-1-0x0000021CAFA20000-0x0000021CAFA30000-memory.dmp

C:\Windows\System\YTbEkPC.exe

MD5 dd66a2c5322056d989dcc480853af3e3
SHA1 bc4ef536f6d13751670b4d6ec24481acb9c2faed
SHA256 8d03b108ad39483a18c8df9f34468c833a50093aaf658682c25b32487af5b80e
SHA512 a87bb287b151e2bba1c1f311e7e924a9469c01bffff7951549fd9506629b915808fa27b07927a55d4773521d26cd82d87aceb5e3aca749de99e3a2e5cde4730c

C:\Windows\System\PVxXWGp.exe

MD5 677599c398b0f0b609a618a0e1fcea3c
SHA1 c0663243544a0dc22e687be0f5142c9df21d8d0f
SHA256 0eafb559a25ad592648fccf582454220d2761b46f77c5fad89195c9e9c48c2b5
SHA512 4e33bc13204020e39fa4cd12522af809ea09e901153c727ee30265b6914f365c6d15dc7d0096cebc8ff7564a5e574c4f57a9c258c9b1323a789493d9b3fee281

C:\Windows\System\tIaYhHq.exe

MD5 e469b3a46ccd6220eb3c3c4f49695417
SHA1 3067ff8585b60f00c46ee5912802ff2137e404b7
SHA256 b7137a423c21d2c769ebdea5e06e30f7750515b357d066a9c26cddabe4253303
SHA512 ffaea29f713ed333f0318c7a7817bb7a659c3e13f8e6ffdb7d826274e38f3e93cad139ba98ec53b7769442752c3ba3f8332700e48f99ef40c8602b04cab6247c

memory/4476-14-0x00007FF7ABD10000-0x00007FF7AC064000-memory.dmp

memory/2076-6-0x00007FF7830C0000-0x00007FF783414000-memory.dmp

C:\Windows\System\bBZblvc.exe

MD5 1a6ce6156dc8d8ad34633976fa603b72
SHA1 b1866ad4b5b293bb24c15eb64ae69da7e8c093bf
SHA256 8eba42e4c0b381994730b415027c7bf81a63f85bf3fc23939684e8cdec019946
SHA512 65027670c0b76d62f050576f600a8863dadbf28804832175befe3e67d7ccb7f15cad980a2265c8049728c578e6ab8c4aa55d3d440de0682da99b99cd1965a362

C:\Windows\System\nDEcwty.exe

MD5 4e107e092f20d8dd52812cd848a0055d
SHA1 680385cfb451bbfcec994617b947426b505346a4
SHA256 d9b34fccc23e967380eddcf665b6f05b8e2f592e51988e86c6f7af70b3ac3e56
SHA512 88502aa64806d490904ca82c1b659da08cf49a3d83ad49bb0b8b3029c4156c7926af84f8954dd76550931093a6f6fce612f1300eb1148cdc248c78c86299b012

memory/5084-32-0x00007FF6C8840000-0x00007FF6C8B94000-memory.dmp

memory/4192-31-0x00007FF784460000-0x00007FF7847B4000-memory.dmp

memory/2740-20-0x00007FF6AC250000-0x00007FF6AC5A4000-memory.dmp

C:\Windows\System\XTVWKmc.exe

MD5 879a8abf41bd39bd2f43d9fb6d0f5446
SHA1 119857551598ed85aa7b8a72b6e0513c50f36347
SHA256 041839934a5ca715233dc2badca664d7e1b8a57df30245c45ee31eb1435ed147
SHA512 a28d26c3da9f08b25ead51ddbc909f91207c6a0f1f70e900e841d08c899a3ebfa28e7542b40c6a73eb7d052d502fbe2da9ad1a9f2e1d2f81a19399128283efe5

C:\Windows\System\SOkhteF.exe

MD5 5b4a909a6c9f1b3ea3dd4d19c964a183
SHA1 140c96e512c141410e2a6c7faa1dff5918bff700
SHA256 05124766391d6320478be8183b8ebf673aa1183191a94e25ac8a4e632c572d13
SHA512 400b50bacf5c8104cb75f7b434d844eeaa9a9ef2c63fdcbcae6af54d9faa20e493cb1557026d1038f81ef61dbc890c0f3894e75171d96e7f1666a01cc5dab305

memory/4724-42-0x00007FF6D4200000-0x00007FF6D4554000-memory.dmp

C:\Windows\System\EMMVihc.exe

MD5 542fee9f4589ff5906d816474c1af4e3
SHA1 c157fcb7c7c9cae74c8ccce5229d84027d682ac4
SHA256 bdb60821794d34de6249d90cd5e42809eee7c1969fc8a82418c25a30968b7c30
SHA512 08c55a0584b929d3a693b3200aa42838a47df7dd3483662d0e4a80aba1a30f2c409e12603781231bf532efc9ddbfff3c77d8211772477d4225c55297c9c57e6b

memory/2884-46-0x00007FF7F2C90000-0x00007FF7F2FE4000-memory.dmp

memory/4912-47-0x00007FF66CA70000-0x00007FF66CDC4000-memory.dmp

memory/564-36-0x00007FF7C0730000-0x00007FF7C0A84000-memory.dmp

memory/2076-52-0x00007FF7830C0000-0x00007FF783414000-memory.dmp

C:\Windows\System\btrTfKH.exe

MD5 401418ec7479777cfd10b176e53ff207
SHA1 45eaed19818a695cadcc38e7bba71ec816b6be8e
SHA256 0be2f8fda6eb74b4b574e87c673e13232922b07260a39ed278a5a1477ec51baf
SHA512 1f2dccc7f6261e25274a0aebe3dbcfc8ee3bcf782659cf64d216b29b36cdd0efb8a522f4ddd2eea2fbae142ad7e00329f2b3bfe6a64bf8150bcd5e37e249e9e5

memory/2088-61-0x00007FF7C1280000-0x00007FF7C15D4000-memory.dmp

C:\Windows\System\PgIFhUg.exe

MD5 6001b10572dcaf7012234360d3b6140b
SHA1 59ef2de36af5a65f4c8729ee36a229c47393db9b
SHA256 730565fbc5acb340611489f2cc798131b02d0fd91250f6ac1a82ee85c0b54da4
SHA512 79e1c5de0c461de5012cee211175643f557628c66bc86c7dc878342a18cf03ee1cc6a6f395c2ece38114116e8d3066734a249623b4fb2f8f26ecf7202052b3e2

memory/100-76-0x00007FF6F4B80000-0x00007FF6F4ED4000-memory.dmp

C:\Windows\System\pIYyiRC.exe

MD5 bc3aee856a70d0f8cc2e1a0baef0e88a
SHA1 d2a5cfe8fbd36f8df82f467b31f3d1ffd0048b69
SHA256 b14d24b060f792ede7d3cc5b2ee09cc26e739a9f6560d87a5222b36956895a05
SHA512 8765fcd5db25c5fbe761734495efe4ff8107a094bde7867305c7dbbe152223b183ff9820acf1f76ba8168049ab52ba04cff0477424ed2419f4a49054050c81b1

memory/1780-75-0x00007FF7A2710000-0x00007FF7A2A64000-memory.dmp

memory/4192-67-0x00007FF784460000-0x00007FF7847B4000-memory.dmp

memory/1444-66-0x00007FF64C320000-0x00007FF64C674000-memory.dmp

C:\Windows\System\RiiBeas.exe

MD5 2fd724adaaee04b4eaea3c70b65018d8
SHA1 044d38b465cb4843e087d85d4abc9f67372649dd
SHA256 83a379108aaf46bf2d7be97965d6e4737c2aac64f7bb287ec31bf54c0978b735
SHA512 a66b0d7e8357348dcdce8e7c650b5f000e994a6ace55d01d7d2efdd75ec62156a46a475214c822ade219449470b59633ab69900fcebba4713d1a630375c5ecf6

memory/2740-62-0x00007FF6AC250000-0x00007FF6AC5A4000-memory.dmp

C:\Windows\System\XEuZzSH.exe

MD5 57e34f6db90145013d23c873a9c3ef04
SHA1 e3afd3ea016c4fb6c31fc08056b9db2b5b133260
SHA256 beca7bb084927228f6049ec8b4157a3ea60d33debc1520b146481fa57bc0f80f
SHA512 6b5cd0165b92f6e375ad86401022820f7ea6afae573416efbee1e33fa70ff1080c10654339b1f50a4360e64307394e90086f75d995df4bc58a2a684c79693345

memory/4244-82-0x00007FF79F8F0000-0x00007FF79FC44000-memory.dmp

C:\Windows\System\RQeGoSC.exe

MD5 4d5df144fd633a324a08e89e1b7ee699
SHA1 69d740b4c0eb8540409179722473be2633ef1a32
SHA256 ebf6d814383afc3ba5e242efde13aecbee03ac590bbf292cc084cb2db1b0f01b
SHA512 7b4d4a37d95dda5cbf0b132376a74b83243f2f9ffba34c7ccdb91613742c288b48063c6fd1b9efdd4725426b59e5e116778bed242e7371406dd405d3576a298c

memory/2084-92-0x00007FF67B2A0000-0x00007FF67B5F4000-memory.dmp

memory/564-90-0x00007FF7C0730000-0x00007FF7C0A84000-memory.dmp

memory/4724-94-0x00007FF6D4200000-0x00007FF6D4554000-memory.dmp

C:\Windows\System\fIVqvmO.exe

MD5 94b1ee4c7013549f38343c2d46287ace
SHA1 3c7f01dbbc98645cfe4e86b2128e4c97dade5f1e
SHA256 3263c262871ee8a6fb4b0932580dc33cea41c801e2c7b05469059d4cd1748893
SHA512 1c3914b9d7e3eb19d8884b019a6a43c8c76216765541cd0145814776cc9010dc0e95189133a471ed2ad131d3153883e750e7e743b2afc0553e95cd4ace922bd1

memory/2676-96-0x00007FF653140000-0x00007FF653494000-memory.dmp

memory/4912-99-0x00007FF66CA70000-0x00007FF66CDC4000-memory.dmp

memory/2088-103-0x00007FF7C1280000-0x00007FF7C15D4000-memory.dmp

memory/924-104-0x00007FF756070000-0x00007FF7563C4000-memory.dmp

C:\Windows\System\PqiiUlk.exe

MD5 3f658c0f6bee5188ebae59dc0cde0bad
SHA1 133cb7623374adcb879a7aca88817930fe0aee9d
SHA256 285ec3548ea9d0834c30c60deb8fb39e700b7da858f4b858c2a828c3d7fa4bad
SHA512 81d059c4ba391a7ae51a5de0f056039bbd916f1ee98bd1719be5fe6fe7f776f93cf143909c1085f386c3a74782fd0c63a323d4fff3a4876463a82a81a3335434

memory/1620-111-0x00007FF647590000-0x00007FF6478E4000-memory.dmp

memory/1444-110-0x00007FF64C320000-0x00007FF64C674000-memory.dmp

C:\Windows\System\QLXczht.exe

MD5 e6ba6c64202c45ce190b2eda1638c3f4
SHA1 bf32902f374af113ec9172be7a1fd5bae4a0cc40
SHA256 4e98b665c6e04d5ac618bd89f0c27e58f3c24b75e9ab0d8d179f1586d79064ed
SHA512 00b6b0b4f975f03f9819f2cd2ae10498c21d3cfed4df0d282dc04b92ecb416dcc28a411edce8a8ed62e0cc13364237a627ef00a473862635741eb5a47bdd95af

C:\Windows\System\qXOJkBA.exe

MD5 63625f67893c95577b3d385396923960
SHA1 451d7bd856b2354be8dc411edbe355c16c96a414
SHA256 c9f4b9917f8c264113885de6885ba8ce54621536df5b343e16f7a1856f76b0ee
SHA512 ef346660e18789848c9057e17360bdb5efee87f06c8d8d4984eb4f61f44f32e20a9f0f4218727c401041087578404b183c678dffcd96187d558f54316dcbd0d6

memory/464-117-0x00007FF75BD80000-0x00007FF75C0D4000-memory.dmp

memory/1780-116-0x00007FF7A2710000-0x00007FF7A2A64000-memory.dmp

memory/100-124-0x00007FF6F4B80000-0x00007FF6F4ED4000-memory.dmp

C:\Windows\System\fVRVBOM.exe

MD5 57942433141b6f0942e6eb324c73bf3c
SHA1 c9c87b235c3fc0e5d8368bac4f7b662c25d1d0ac
SHA256 5183db18d45d94faed9f2cf16ff96c923a2381aa8adf3b7404ff2572d2362b18
SHA512 c073749503cfec3776bdce8369254c7abafa4e1259bd87881482248e682ee06061db350d405577e2fe55046b485fb4c2df6d4807f6a7b9088495da538a1d39de

C:\Windows\System\CBUMvsu.exe

MD5 3d81d419eb4d38e06fa9432a063a343b
SHA1 3f2898ca7d20ee013d39cdae71745e0a072e22e7
SHA256 9fa1fb5cd7c94a18933532ac3254ec3fc6dec0e8eca84179b1eb1768093eb4e3
SHA512 e2dd8599eca2bbd7054827d34670759f613f6ab25b0908b2d02c095c32cfae8aa050ad1de6dae4ab6c968b0418c5ed3f981c6ccc219ec9197288c0d6139ca185

memory/2268-131-0x00007FF71A140000-0x00007FF71A494000-memory.dmp

C:\Windows\System\dAcnonA.exe

MD5 fc5133fa2746a1350451e57490df69d6
SHA1 03365b7a4decb1346179bed7db62b254332a73ad
SHA256 2b60bd382d39dd8bdc948efff989cdff809496db0c55c191d344e63609ee66da
SHA512 0a11422f23db3b1acf214d793d8bdc9e9f7bb71c254be3ccaa949c5db76c3862b0ffb8f75a8aebae104bce69ac4e23cece124f0c9ef8500a7b740a9adf716414

memory/3832-137-0x00007FF7B0150000-0x00007FF7B04A4000-memory.dmp

memory/4244-136-0x00007FF79F8F0000-0x00007FF79FC44000-memory.dmp

memory/652-125-0x00007FF6767B0000-0x00007FF676B04000-memory.dmp

memory/2676-140-0x00007FF653140000-0x00007FF653494000-memory.dmp

memory/924-141-0x00007FF756070000-0x00007FF7563C4000-memory.dmp

memory/1620-142-0x00007FF647590000-0x00007FF6478E4000-memory.dmp

memory/464-143-0x00007FF75BD80000-0x00007FF75C0D4000-memory.dmp

memory/652-144-0x00007FF6767B0000-0x00007FF676B04000-memory.dmp

memory/2268-145-0x00007FF71A140000-0x00007FF71A494000-memory.dmp

memory/3832-146-0x00007FF7B0150000-0x00007FF7B04A4000-memory.dmp

memory/4476-147-0x00007FF7ABD10000-0x00007FF7AC064000-memory.dmp

memory/2076-148-0x00007FF7830C0000-0x00007FF783414000-memory.dmp

memory/2740-149-0x00007FF6AC250000-0x00007FF6AC5A4000-memory.dmp

memory/4192-150-0x00007FF784460000-0x00007FF7847B4000-memory.dmp

memory/5084-151-0x00007FF6C8840000-0x00007FF6C8B94000-memory.dmp

memory/564-152-0x00007FF7C0730000-0x00007FF7C0A84000-memory.dmp

memory/4724-153-0x00007FF6D4200000-0x00007FF6D4554000-memory.dmp

memory/4912-154-0x00007FF66CA70000-0x00007FF66CDC4000-memory.dmp

memory/2088-155-0x00007FF7C1280000-0x00007FF7C15D4000-memory.dmp

memory/1444-156-0x00007FF64C320000-0x00007FF64C674000-memory.dmp

memory/1780-157-0x00007FF7A2710000-0x00007FF7A2A64000-memory.dmp

memory/100-158-0x00007FF6F4B80000-0x00007FF6F4ED4000-memory.dmp

memory/4244-159-0x00007FF79F8F0000-0x00007FF79FC44000-memory.dmp

memory/2084-160-0x00007FF67B2A0000-0x00007FF67B5F4000-memory.dmp

memory/2676-161-0x00007FF653140000-0x00007FF653494000-memory.dmp

memory/924-162-0x00007FF756070000-0x00007FF7563C4000-memory.dmp

memory/1620-163-0x00007FF647590000-0x00007FF6478E4000-memory.dmp

memory/464-164-0x00007FF75BD80000-0x00007FF75C0D4000-memory.dmp

memory/652-165-0x00007FF6767B0000-0x00007FF676B04000-memory.dmp

memory/2268-166-0x00007FF71A140000-0x00007FF71A494000-memory.dmp

memory/3832-167-0x00007FF7B0150000-0x00007FF7B04A4000-memory.dmp
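
Two things in the Files section are worth checking mechanically rather than by eye. First, the memory dump names encode the PID, a snapshot index and the address range of the dumped region, and every large region above is exactly 0x354000 bytes at a different per-process base, which is consistent with the mapped image of the sample and of each dropped copy; the one 0x10000 region in PID 2884 is the exception. Second, the 21 dropped files all carry different MD5/SHA1/SHA256/SHA512 values even though they map to identically sized images, so the file hashes are per-detonation artifacts and weak as durable indicators. The parser below is an added example for this report (not sandbox output); it assumes the layout used above (an artifact path on its own line followed by its four digest lines, and memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp names), the sample text is copied from the entries above, and the function names are mine.

```python
"""Parse the Files section of a sandbox report into checkable artifacts.

Added example for this report, not sandbox output.  Layout assumed from the
section above: a path line followed by MD5/SHA1/SHA256/SHA512 lines, plus
memory dump names of the form memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp.
"""
import re
from collections import Counter

# Sample text copied from the Files section of behavioral2 above.
SAMPLE_FILES = r"""
memory/2884-0-0x00007FF7F2C90000-0x00007FF7F2FE4000-memory.dmp

memory/2884-1-0x0000021CAFA20000-0x0000021CAFA30000-memory.dmp

C:\Windows\System\YTbEkPC.exe

MD5 dd66a2c5322056d989dcc480853af3e3
SHA1 bc4ef536f6d13751670b4d6ec24481acb9c2faed
SHA256 8d03b108ad39483a18c8df9f34468c833a50093aaf658682c25b32487af5b80e
SHA512 a87bb287b151e2bba1c1f311e7e924a9469c01bffff7951549fd9506629b915808fa27b07927a55d4773521d26cd82d87aceb5e3aca749de99e3a2e5cde4730c

C:\Windows\System\tIaYhHq.exe

MD5 e469b3a46ccd6220eb3c3c4f49695417
SHA1 3067ff8585b60f00c46ee5912802ff2137e404b7
SHA256 b7137a423c21d2c769ebdea5e06e30f7750515b357d066a9c26cddabe4253303
SHA512 ffaea29f713ed333f0318c7a7817bb7a659c3e13f8e6ffdb7d826274e38f3e93cad139ba98ec53b7769442752c3ba3f8332700e48f99ef40c8602b04cab6247c

memory/4476-14-0x00007FF7ABD10000-0x00007FF7AC064000-memory.dmp

memory/2076-6-0x00007FF7830C0000-0x00007FF783414000-memory.dmp
"""

DUMP_RE = re.compile(r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
                     r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(?P<alg>MD5|SHA1|SHA256|SHA512) (?P<hex>\S+)$")
HASH_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def parse_files_section(text):
    """Return (artifacts, dumps): [{path, md5, sha1, sha256, sha512}], [{pid, index, start, end, size}]."""
    artifacts, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            dumps.append({"pid": int(m["pid"]), "index": int(m["idx"]),
                          "start": start, "end": end, "size": end - start})
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m["alg"].lower()] = m["hex"].lower()
            continue
        current = {"path": line}  # any other non-empty line starts a new artifact
        artifacts.append(current)
    return artifacts, dumps


def hashes_well_formed(artifact):
    """True when all four digests are present and have the expected hex length."""
    return all(re.fullmatch(rf"[0-9a-f]{{{n}}}", artifact.get(alg, "")) is not None
               for alg, n in HASH_HEX_LEN.items())


def region_size_histogram(dumps):
    """Count dumped regions by size; one size repeated across PIDs points at one shared image."""
    return Counter(d["size"] for d in dumps)


def pids_with_region_size(dumps, size):
    """PIDs that had at least one dumped region of exactly `size` bytes."""
    return sorted({d["pid"] for d in dumps if d["size"] == size})


if __name__ == "__main__":
    artifacts, dumps = parse_files_section(SAMPLE_FILES)
    for a in artifacts:
        print(a["path"], "sha256=" + a["sha256"], "ok" if hashes_well_formed(a) else "BAD HASHES")
    for size, n in region_size_histogram(dumps).items():
        print(f"{n} region(s) of 0x{size:X} bytes in PIDs {pids_with_region_size(dumps, size)}")
```

Feed it the whole Files block of either detonation and the histogram collapses to one dominant size (0x354000 on both the Win7 and Win10 runs) covering every child PID, which is the quick confirmation that the 21 copies are one image despite 21 different hash sets.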