Malware Analysis Report

2025-04-03 18:00

Sample ID 241109-stdqxsxble
Target 2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat
SHA256 7818509911bf43dbd4c52a0dd9f6b86bd8d1411c6b7cf01776cbd5cf92ab5b00
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Cobaltstrike

Xmrig family

Cobaltstrike family

xmrig

Cobalt Strike reflective loader

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-11-09 15:24

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 15:24

Reported

2024-11-09 15:27

Platform

win7-20240903-en

Max time kernel

140s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe N/A
(21 identical entries: every DLL load was recorded from the sample process, with no description, indicator or target populated)

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
All 21 entries: description "File created", process C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe, target N/A. Indicators (files created):
C:\Windows\System\XvLICHS.exe
C:\Windows\System\EoqqzdV.exe
C:\Windows\System\uAzbfYZ.exe
C:\Windows\System\ZhmojfE.exe
C:\Windows\System\CStYORd.exe
C:\Windows\System\uRMuVKR.exe
C:\Windows\System\YTDRltK.exe
C:\Windows\System\nVyHBfq.exe
C:\Windows\System\hOhrXDG.exe
C:\Windows\System\nwrDnxt.exe
C:\Windows\System\nYojjxl.exe
C:\Windows\System\sTlawHk.exe
C:\Windows\System\eXFvOuc.exe
C:\Windows\System\TVGMhFP.exe
C:\Windows\System\xQmWDiZ.exe
C:\Windows\System\xzWGXGt.exe
C:\Windows\System\SFmkboW.exe
C:\Windows\System\qgFxSVD.exe
C:\Windows\System\mlRwUCU.exe
C:\Windows\System\olVJyyz.exe
C:\Windows\System\HxOETFH.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
All entries: process C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe (PID 1288), indicator N/A. Each target below was written to three times.
PID 1288 wrote to memory of 2892 C:\Windows\System\HxOETFH.exe
PID 1288 wrote to memory of 3056 C:\Windows\System\EoqqzdV.exe
PID 1288 wrote to memory of 2540 C:\Windows\System\TVGMhFP.exe
PID 1288 wrote to memory of 1964 C:\Windows\System\xQmWDiZ.exe
PID 1288 wrote to memory of 796 C:\Windows\System\xzWGXGt.exe
PID 1288 wrote to memory of 2184 C:\Windows\System\eXFvOuc.exe
PID 1288 wrote to memory of 2704 C:\Windows\System\SFmkboW.exe
PID 1288 wrote to memory of 2308 C:\Windows\System\hOhrXDG.exe
PID 1288 wrote to memory of 2812 C:\Windows\System\XvLICHS.exe
PID 1288 wrote to memory of 2852 C:\Windows\System\uAzbfYZ.exe
PID 1288 wrote to memory of 2768 C:\Windows\System\qgFxSVD.exe
PID 1288 wrote to memory of 2268 C:\Windows\System\ZhmojfE.exe
PID 1288 wrote to memory of 2888 C:\Windows\System\mlRwUCU.exe
PID 1288 wrote to memory of 2648 C:\Windows\System\CStYORd.exe
PID 1288 wrote to memory of 2916 C:\Windows\System\uRMuVKR.exe
PID 1288 wrote to memory of 2784 C:\Windows\System\nwrDnxt.exe
PID 1288 wrote to memory of 2860 C:\Windows\System\nYojjxl.exe
PID 1288 wrote to memory of 2632 C:\Windows\System\sTlawHk.exe
PID 1288 wrote to memory of 2688 C:\Windows\System\olVJyyz.exe
PID 1288 wrote to memory of 3028 C:\Windows\System\YTDRltK.exe
PID 1288 wrote to memory of 3052 C:\Windows\System\nVyHBfq.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe"

Processes started from the dropped executables (command line identical to the path):

C:\Windows\System\HxOETFH.exe
C:\Windows\System\EoqqzdV.exe
C:\Windows\System\TVGMhFP.exe
C:\Windows\System\xQmWDiZ.exe
C:\Windows\System\xzWGXGt.exe
C:\Windows\System\eXFvOuc.exe
C:\Windows\System\SFmkboW.exe
C:\Windows\System\hOhrXDG.exe
C:\Windows\System\XvLICHS.exe
C:\Windows\System\uAzbfYZ.exe
C:\Windows\System\qgFxSVD.exe
C:\Windows\System\ZhmojfE.exe
C:\Windows\System\mlRwUCU.exe
C:\Windows\System\CStYORd.exe
C:\Windows\System\uRMuVKR.exe
C:\Windows\System\nwrDnxt.exe
C:\Windows\System\nYojjxl.exe
C:\Windows\System\sTlawHk.exe
C:\Windows\System\olVJyyz.exe
C:\Windows\System\YTDRltK.exe
C:\Windows\System\nVyHBfq.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (no domain) tcp (6 connections)

Files


memory/2184-241-0x000000013F1C0000-0x000000013F511000-memory.dmp

memory/2308-245-0x000000013FA80000-0x000000013FDD1000-memory.dmp

memory/3056-239-0x000000013FB10000-0x000000013FE61000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 15:24

Reported

2024-11-09 15:27

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\OEtWJIX.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jgKOQwK.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dRUbbBQ.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kcnfNTG.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GeyoJVw.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EwGmIhf.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SdgSxck.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HctwnwU.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ecfXdcy.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bgxGPsE.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nHMVhql.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CRLOYNJ.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HkyfTzY.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XkqbVxy.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rtBtwGE.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FuAzjCT.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ybVqnGU.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RAIJPvC.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vfvImcs.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eCBNMAk.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gCcpJJo.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4124 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ecfXdcy.exe
PID 4124 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ecfXdcy.exe
PID 4124 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bgxGPsE.exe
PID 4124 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bgxGPsE.exe
PID 4124 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nHMVhql.exe
PID 4124 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nHMVhql.exe
PID 4124 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vfvImcs.exe
PID 4124 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vfvImcs.exe
PID 4124 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OEtWJIX.exe
PID 4124 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OEtWJIX.exe
PID 4124 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CRLOYNJ.exe
PID 4124 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CRLOYNJ.exe
PID 4124 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jgKOQwK.exe
PID 4124 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jgKOQwK.exe
PID 4124 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HkyfTzY.exe
PID 4124 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HkyfTzY.exe
PID 4124 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dRUbbBQ.exe
PID 4124 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dRUbbBQ.exe
PID 4124 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FuAzjCT.exe
PID 4124 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FuAzjCT.exe
PID 4124 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ybVqnGU.exe
PID 4124 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ybVqnGU.exe
PID 4124 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RAIJPvC.exe
PID 4124 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RAIJPvC.exe
PID 4124 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XkqbVxy.exe
PID 4124 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XkqbVxy.exe
PID 4124 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kcnfNTG.exe
PID 4124 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kcnfNTG.exe
PID 4124 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eCBNMAk.exe
PID 4124 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eCBNMAk.exe
PID 4124 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GeyoJVw.exe
PID 4124 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GeyoJVw.exe
PID 4124 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rtBtwGE.exe
PID 4124 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rtBtwGE.exe
PID 4124 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gCcpJJo.exe
PID 4124 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gCcpJJo.exe
PID 4124 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EwGmIhf.exe
PID 4124 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EwGmIhf.exe
PID 4124 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SdgSxck.exe
PID 4124 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SdgSxck.exe
PID 4124 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HctwnwU.exe
PID 4124 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HctwnwU.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\ecfXdcy.exe

C:\Windows\System\ecfXdcy.exe

C:\Windows\System\bgxGPsE.exe

C:\Windows\System\bgxGPsE.exe

C:\Windows\System\nHMVhql.exe

C:\Windows\System\nHMVhql.exe

C:\Windows\System\vfvImcs.exe

C:\Windows\System\vfvImcs.exe

C:\Windows\System\OEtWJIX.exe

C:\Windows\System\OEtWJIX.exe

C:\Windows\System\CRLOYNJ.exe

C:\Windows\System\CRLOYNJ.exe

C:\Windows\System\jgKOQwK.exe

C:\Windows\System\jgKOQwK.exe

C:\Windows\System\HkyfTzY.exe

C:\Windows\System\HkyfTzY.exe

C:\Windows\System\dRUbbBQ.exe

C:\Windows\System\dRUbbBQ.exe

C:\Windows\System\FuAzjCT.exe

C:\Windows\System\FuAzjCT.exe

C:\Windows\System\ybVqnGU.exe

C:\Windows\System\ybVqnGU.exe

C:\Windows\System\RAIJPvC.exe

C:\Windows\System\RAIJPvC.exe

C:\Windows\System\XkqbVxy.exe

C:\Windows\System\XkqbVxy.exe

C:\Windows\System\kcnfNTG.exe

C:\Windows\System\kcnfNTG.exe

C:\Windows\System\eCBNMAk.exe

C:\Windows\System\eCBNMAk.exe

C:\Windows\System\GeyoJVw.exe

C:\Windows\System\GeyoJVw.exe

C:\Windows\System\rtBtwGE.exe

C:\Windows\System\rtBtwGE.exe

C:\Windows\System\gCcpJJo.exe

C:\Windows\System\gCcpJJo.exe

C:\Windows\System\EwGmIhf.exe

C:\Windows\System\EwGmIhf.exe

C:\Windows\System\SdgSxck.exe

C:\Windows\System\SdgSxck.exe

C:\Windows\System\HctwnwU.exe

C:\Windows\System\HctwnwU.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/4124-0-0x00007FF630C50000-0x00007FF630FA1000-memory.dmp

memory/4124-1-0x0000026955AD0000-0x0000026955AE0000-memory.dmp

C:\Windows\System\ecfXdcy.exe

MD5 6b00dd20b7e29bd0fcedbb5e639bbcfe
SHA1 d4f9ff082b9b9a2a61bc45aaf767ebadb212bb35
SHA256 d23e28bcff0c5e612a043b95898cfbdf294bc32c4b87847b7ec5d368f502bc35
SHA512 14213750797c440b25fdbfd1f9006b87b00b563fc59f3ef41236711faa13e4ec84c6b70dee4b363e589dd775d79eb04916b928869e550a4afb7d30e05ef43d28

C:\Windows\System\bgxGPsE.exe

MD5 de73c83c1fa09b3eb6c06ef40bc4048d
SHA1 5c7c9b9baa695af5f883b2995166bab6bc4c9a82
SHA256 91c243aee0275c8a94cc9118adfcca697b5a07016f1735f2882b5ccac28d9feb
SHA512 2544a403cbfcffd5f24a0e04f3d6901ba93e71c86153d56d7122f00450d1b7a4bb8b1e3306d5a27982f5d51610391067617ffd038afc7d81f27973fba6d47cfe

memory/3516-17-0x00007FF7A0E00000-0x00007FF7A1151000-memory.dmp

C:\Windows\System\vfvImcs.exe

MD5 67606f9bce5cd626e545014d02e1a2eb
SHA1 3eb497f324f8dd3e6f0c27d7a1b75082b00653f7
SHA256 861ddec5ada85dc55bf1cf76ec0da876a1c013c02d93b09b72b1937670398d15
SHA512 dd4c07475fa501486d6951f71e15d265a968ab3b3ba46cb259420bd0c3711b51c99d48c4a4fc1b00910fc0a1e64035896f82d8de5303f16230953624dfcee22f

C:\Windows\System\OEtWJIX.exe

MD5 6bcdcac667f7b0c4567f9d53d0b31a44
SHA1 02971a2a7172a0c683f9543e78ddc1039d93dca2
SHA256 2119b8436c94b199aebd9e3e9e07c22cfdb815cff1a68ad0b825d02b93a68767
SHA512 52d56dc2cc881129e1389a8c41ed4332512e3fb63b12948930e92478dad3b72362d55775b66dec479a52fc556286b7873c0add7742faac12057ff5a4b06db3ec

memory/736-33-0x00007FF7D0590000-0x00007FF7D08E1000-memory.dmp

C:\Windows\System\HkyfTzY.exe

MD5 b24f51b4f81548b86604098d77bf08ef
SHA1 ac31f440d0414cd0784905ea6bf684a413b8aa1f
SHA256 f7d1328c37dc038954c05e12b52734c2a6acf5a0cbe3c2b7969fb04f5fee9efd
SHA512 1ad28dc3f6e415c007b3ad1620cf45d66605b6079b6ad13cd9b49e1b768b6e5bbfb619d66c00367f8ad4197d45318af754923c9d41d7cba9898a660bc23bcdf4

memory/2552-54-0x00007FF674C80000-0x00007FF674FD1000-memory.dmp

C:\Windows\System\FuAzjCT.exe

MD5 068ac44dc5829f6394a7466bd74182cf
SHA1 d1fce9662ea4d5d023dc65728f990100480f3ba9
SHA256 ef45bc4f2787f802a15631fd327720cf3f3909141a2608bf7d4a5e9410e03e1f
SHA512 efabaf095791c406251dfd4c19b8f05448ddbb4dfbc05a9c59053ffe02ace826e06535068c4640a0e4c996abeaca104d9030a130623a2b897961658a02732451

C:\Windows\System\RAIJPvC.exe

MD5 aa6417ceee1274a6fe7a0cdfba708849
SHA1 c68f49548d63263970cd3312e1500043ac2fce92
SHA256 2ccbe7c9ff39493685c1245ba4b4be53d069acc4bcd532eea993971b480e9c21
SHA512 3b6363e7795408a560bb8c4eaffa205b87e49e7fc0b12bef932439f76074af5b45622aae4964dbeb15d656053192e0849a94695894150ec48b2c54d23a50188e

C:\Windows\System\XkqbVxy.exe

MD5 2289e9b213f47516b9f91f1b7f5c99ad
SHA1 eeca393520d52a1d21094f8f5823aee5db8635fc
SHA256 454ebe42e10ee9bb67c9e04086e57ceb52c67183575d7a510d98ebc82a3bbfc9
SHA512 666634aad478f128287908f766012612a92fc14c1bc92bafac3df83bb78b93311f862603994a698d5c13b39ced643e2d96e5bade7fad8fb7c74312ad4793dc3f

memory/3496-78-0x00007FF7852E0000-0x00007FF785631000-memory.dmp

memory/3464-77-0x00007FF66A350000-0x00007FF66A6A1000-memory.dmp

C:\Windows\System\ybVqnGU.exe

MD5 a516f5db3fc37c8b11b9064ba99c675f
SHA1 52e6b850e72e1afa6e60daf638b02d2bb6f76ab0
SHA256 7a283eb5aa5269db10a139aeb44f6cbc4f497bef2e35b8c2d558d5aab96cbdae
SHA512 0564e05c8c0e40488f4c3e70319e5b83d21f14c77b8a7430297a9e622b815bf5c31075e94cb4ca08e3f34280af9f31fe3a233372a581d2f65299c62dbd1d0408

memory/3840-71-0x00007FF6FE770000-0x00007FF6FEAC1000-memory.dmp

C:\Windows\System\dRUbbBQ.exe

MD5 b3c342a32b54727ed0a736fd48a57a4f
SHA1 cc266f687023dd6836be3f0a59848cba96d3c825
SHA256 f71bb44cb82ed044c4507e1ea7a88eab012e672c7ebe15bd0b850b843d2af2cb
SHA512 9b6bb2008f72a793a8065f9fb132deec9daf6e8047e75678c04dae869706bf62785a007fc499f40caaba172d9d009ffbb09b20e598bd4592db1c4a2df5141ae1

memory/3036-63-0x00007FF7D7DC0000-0x00007FF7D8111000-memory.dmp

memory/4376-62-0x00007FF636D90000-0x00007FF6370E1000-memory.dmp

C:\Windows\System\jgKOQwK.exe

MD5 3cec5109ed778b986a3980eeb623ce8b
SHA1 7ac5c9590bd96b364f47fe60b7d0a9873b171e9d
SHA256 cced47bc76729252822b924b9b4141a3e55063909ba992ec0623b33cd82886c3
SHA512 598946bd6eb9eda3edff5a75435b6792b2bc57736c021ef763fe79b855d79eca1b4470a4949b80b5395613f92625ff0615cea649d0aa1e1a52dcec610ff13ba9

memory/1168-42-0x00007FF7F6E00000-0x00007FF7F7151000-memory.dmp

C:\Windows\System\CRLOYNJ.exe

MD5 cb6b41a0490e185861806561eb6b69c3
SHA1 075299abdab5a8d097325a62c73a311afd0437ea
SHA256 b1e6829ed4103153a857848250607d041f1f761c683a0b3abedb9f0db293a5c6
SHA512 08c4409bc5f40d452ab136891da636d78df8735b6aab3c325b0d89caeae0199b304e9749bb483431436f8e844d62ba7f94e13c56805fb7c7d070d08d3aa0aae8

memory/4872-35-0x00007FF65B730000-0x00007FF65BA81000-memory.dmp

memory/952-30-0x00007FF604FB0000-0x00007FF605301000-memory.dmp

C:\Windows\System\nHMVhql.exe

MD5 d68c0d9033da7434ad845009dae2fab9
SHA1 47625fc1f7458da417af79a1f6807da090e96902
SHA256 4a8232d7a80f2e83457412a0645f509ae80d8bce9445f297a2afbf21a6ec6e2a
SHA512 8de74bca1e9139b2cb84d9add14084f21ba02683cac652bab9acda8214403d8d1b213f5d7f900290a37c6d4ed5861abc47f2425dfabe817283a4c185f0e665fb

memory/3508-24-0x00007FF7A4A60000-0x00007FF7A4DB1000-memory.dmp

memory/3476-8-0x00007FF60A820000-0x00007FF60AB71000-memory.dmp

memory/4124-81-0x00007FF630C50000-0x00007FF630FA1000-memory.dmp

memory/3516-82-0x00007FF7A0E00000-0x00007FF7A1151000-memory.dmp

C:\Windows\System\kcnfNTG.exe

MD5 86e796ea6ed803909bf5d1f2bbbdbae8
SHA1 8b809421a993fb253a4a119df01dad6340e0ff79
SHA256 2d96191fc0a9dfbac5c9768b77737f472969699bcc297b464e3dea9c17960dea
SHA512 c902d923e0daf71d88b092baf131258fdab5e2d035cddd38ecfcbaba5a426f89729bead13c60b34a812da5360149f3264167b95cb1f8f8eff3632ff7e6935eca

C:\Windows\System\GeyoJVw.exe

MD5 9708a421f6288ec3d60fbe122e6f4dc1
SHA1 5b83ef7a45b9a661e932c0c84c46a3ade036b1eb
SHA256 d2b5751ff5dc279c3b13e55eff058713fa2b7e93312a3b2c50440ce735c49f3c
SHA512 63d2dfa8951d7a9f50289f9165ac719e42b322cd947df3fad59a05c55faebb654fbd6683833865c872ffa047c58a23312b0d3c3d32c5f3c8ac79b2240af93954

C:\Windows\System\gCcpJJo.exe

MD5 97208122e80b494b718b3ccf1fcc1efc
SHA1 c9ecf7967680283b74bcbb888968c5b14581215b
SHA256 15776b12b13025adca2f4d51af23b121034d8c98e554062995199b22926ac1f2
SHA512 d5bc0c39e12fe62561168e1d0d4983e0b0c45f805836ca203788dc38d32b2c0fa866fc98989bd9068bcee9103e7e412aedda827a9d26869fc03bf586422ff1cc

C:\Windows\System\SdgSxck.exe

MD5 3c24f5907d8cb7a9eb6d519ba4cf6bbb
SHA1 6585929ca677939c615b83249fe6ce49d57ea69d
SHA256 17a18275aa2b92a627b997abc97718824ef2704c7a0580eaaf70613d575936d1
SHA512 1cd06c0703061cb6f9fad824b199f74d4779320b2c138c82388b7a19765633f32f598d2e727b8436e6a5e51a38754d178715bee7db9c5c1a111992852e703284

C:\Windows\System\EwGmIhf.exe

MD5 bf9359a89381a7fe947fff95fa7e74ac
SHA1 e2befc314f3997aac0571469043817d685600ba6
SHA256 486a21aa0346bb686ee26cf3ad283490cd0b4005579d63f894dc01dca9e0b6c6
SHA512 c78360e2c909e07371618db278b686533ea30a4abbb5075a8fd18b2966d270d98bf53357957b81c863f075d2c7560ec0e8a67e6c5725e6df946ca9807da9ebca

C:\Windows\System\HctwnwU.exe

MD5 7f3a293cfaedc5f0dac69f1c86f8e074
SHA1 a3c70b20a398fd8b0c7a5db64bcd363397140c80
SHA256 a07c0024d53afbcc7b6f871e420d8e4708ca6d6e01351535f0b275d12a263e48
SHA512 b68ddde69692defa7c23a22731f9ff89d0ef3e7e8e3b77207c43c884aae2a4f6ef7f0c6ee398583f0a533e6385739118f688e1b9b76516461eeccfb67896c36f

memory/1648-131-0x00007FF62B830000-0x00007FF62BB81000-memory.dmp

memory/4872-130-0x00007FF65B730000-0x00007FF65BA81000-memory.dmp

memory/1308-126-0x00007FF608AC0000-0x00007FF608E11000-memory.dmp

memory/4192-121-0x00007FF77AE40000-0x00007FF77B191000-memory.dmp

memory/736-120-0x00007FF7D0590000-0x00007FF7D08E1000-memory.dmp

memory/4500-116-0x00007FF659C60000-0x00007FF659FB1000-memory.dmp

memory/4004-115-0x00007FF62BA50000-0x00007FF62BDA1000-memory.dmp

memory/460-109-0x00007FF750F20000-0x00007FF751271000-memory.dmp

memory/952-108-0x00007FF604FB0000-0x00007FF605301000-memory.dmp

C:\Windows\System\rtBtwGE.exe

MD5 9e2f7b936416590442714adb75c2afdd
SHA1 e9b31199bedb202bc1230e4e084b4fefb5c37c05
SHA256 b02b2ef8f262af275a1cf5df2ef43ae7555796b660b83753d5b8e47503130a57
SHA512 1c6f9b09ebbd9740e97152ad9e48ef94594f2cae5f67bc544c51e16b51e76030392acfce00bc4d01bb175cc763c2f081e7f86f41c0d14450ea5fc2aebdc88fad

C:\Windows\System\eCBNMAk.exe

MD5 fa7b4d48c5f9a3ac66bfa30bbb8ae7e7
SHA1 e2821954144caac07ce9ee1e27a6012d3200bd65
SHA256 0753c925e167480c6d632c9cd262d56c7c19ae2d225025b31014960e60c346dd
SHA512 bea4a935fc1e14ebbadafdae3a7c0705c18fecce4e539b3caadc85525533928aa99b51d35325db250549433cc6b163b199432f790f84d36ab8dc5ac20748ab96

memory/3508-103-0x00007FF7A4A60000-0x00007FF7A4DB1000-memory.dmp

memory/1908-102-0x00007FF6C74D0000-0x00007FF6C7821000-memory.dmp

memory/4936-97-0x00007FF60E630000-0x00007FF60E981000-memory.dmp

memory/3476-86-0x00007FF60A820000-0x00007FF60AB71000-memory.dmp

memory/4376-145-0x00007FF636D90000-0x00007FF6370E1000-memory.dmp

memory/1168-150-0x00007FF7F6E00000-0x00007FF7F7151000-memory.dmp

memory/3496-148-0x00007FF7852E0000-0x00007FF785631000-memory.dmp

memory/3036-147-0x00007FF7D7DC0000-0x00007FF7D8111000-memory.dmp

memory/2552-143-0x00007FF674C80000-0x00007FF674FD1000-memory.dmp

memory/4124-134-0x00007FF630C50000-0x00007FF630FA1000-memory.dmp

memory/4936-149-0x00007FF60E630000-0x00007FF60E981000-memory.dmp

memory/4004-153-0x00007FF62BA50000-0x00007FF62BDA1000-memory.dmp

memory/4124-154-0x00007FF630C50000-0x00007FF630FA1000-memory.dmp

memory/1308-159-0x00007FF608AC0000-0x00007FF608E11000-memory.dmp

memory/1648-160-0x00007FF62B830000-0x00007FF62BB81000-memory.dmp

memory/4192-157-0x00007FF77AE40000-0x00007FF77B191000-memory.dmp

memory/4500-161-0x00007FF659C60000-0x00007FF659FB1000-memory.dmp

memory/3476-209-0x00007FF60A820000-0x00007FF60AB71000-memory.dmp

memory/3516-221-0x00007FF7A0E00000-0x00007FF7A1151000-memory.dmp

memory/3508-223-0x00007FF7A4A60000-0x00007FF7A4DB1000-memory.dmp

memory/952-225-0x00007FF604FB0000-0x00007FF605301000-memory.dmp

memory/736-227-0x00007FF7D0590000-0x00007FF7D08E1000-memory.dmp

memory/4872-229-0x00007FF65B730000-0x00007FF65BA81000-memory.dmp

memory/1168-231-0x00007FF7F6E00000-0x00007FF7F7151000-memory.dmp

memory/2552-234-0x00007FF674C80000-0x00007FF674FD1000-memory.dmp

memory/3840-237-0x00007FF6FE770000-0x00007FF6FEAC1000-memory.dmp

memory/4376-236-0x00007FF636D90000-0x00007FF6370E1000-memory.dmp

memory/3036-241-0x00007FF7D7DC0000-0x00007FF7D8111000-memory.dmp

memory/3464-240-0x00007FF66A350000-0x00007FF66A6A1000-memory.dmp

memory/3496-243-0x00007FF7852E0000-0x00007FF785631000-memory.dmp

memory/4936-253-0x00007FF60E630000-0x00007FF60E981000-memory.dmp

memory/1908-255-0x00007FF6C74D0000-0x00007FF6C7821000-memory.dmp

memory/460-258-0x00007FF750F20000-0x00007FF751271000-memory.dmp

memory/4004-259-0x00007FF62BA50000-0x00007FF62BDA1000-memory.dmp

memory/1648-264-0x00007FF62B830000-0x00007FF62BB81000-memory.dmp

memory/4192-265-0x00007FF77AE40000-0x00007FF77B191000-memory.dmp

memory/4500-261-0x00007FF659C60000-0x00007FF659FB1000-memory.dmp

memory/1308-267-0x00007FF608AC0000-0x00007FF608E11000-memory.dmp