Malware Analysis Report

2025-05-28 18:57

Sample ID 241110-tcdv2azjc1
Target 2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat
SHA256 2ce5ebfbde3351433e28dd5a8385785eca67a35cd0057197db4c03876119ac03
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

2ce5ebfbde3351433e28dd5a8385785eca67a35cd0057197db4c03876119ac03

Threat Level: Known bad

The file 2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Cobalt Strike reflective loader

Cobaltstrike

XMRig Miner payload

Xmrig family

xmrig

Cobaltstrike family

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-11-10 15:54

Signatures

Cobalt Strike reflective loader


Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 15:54

Reported

2024-11-10 15:57

Platform

win7-20241010-en

Max time kernel

141s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ueqXhna.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JDrYxqq.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rMiFinj.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uzfafvA.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BprvZOC.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\noJUgmu.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WBTnFIo.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pkNPkoq.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aDKqWjL.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GEuaWYn.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YQhVYBe.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xXfADhG.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fdKNbBO.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\psMYNHG.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IaILOVZ.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hXotPbT.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zorbmdl.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gQzAoUI.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\emBTqIV.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MCYNErB.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mHLvhmq.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2884 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zorbmdl.exe
PID 2884 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pkNPkoq.exe
PID 2884 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JDrYxqq.exe
PID 2884 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gQzAoUI.exe
PID 2884 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rMiFinj.exe
PID 2884 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\emBTqIV.exe
PID 2884 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aDKqWjL.exe
PID 2884 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GEuaWYn.exe
PID 2884 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fdKNbBO.exe
PID 2884 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\psMYNHG.exe
PID 2884 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uzfafvA.exe
PID 2884 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MCYNErB.exe
PID 2884 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BprvZOC.exe
PID 2884 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IaILOVZ.exe
PID 2884 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mHLvhmq.exe
PID 2884 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YQhVYBe.exe
PID 2884 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xXfADhG.exe
PID 2884 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hXotPbT.exe
PID 2884 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WBTnFIo.exe
PID 2884 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\noJUgmu.exe
PID 2884 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ueqXhna.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\zorbmdl.exe

C:\Windows\System\pkNPkoq.exe

C:\Windows\System\JDrYxqq.exe

C:\Windows\System\gQzAoUI.exe

C:\Windows\System\rMiFinj.exe

C:\Windows\System\emBTqIV.exe

C:\Windows\System\aDKqWjL.exe

C:\Windows\System\GEuaWYn.exe

C:\Windows\System\fdKNbBO.exe

C:\Windows\System\psMYNHG.exe

C:\Windows\System\uzfafvA.exe

C:\Windows\System\MCYNErB.exe

C:\Windows\System\BprvZOC.exe

C:\Windows\System\IaILOVZ.exe

C:\Windows\System\mHLvhmq.exe

C:\Windows\System\YQhVYBe.exe

C:\Windows\System\xXfADhG.exe

C:\Windows\System\hXotPbT.exe

C:\Windows\System\WBTnFIo.exe

C:\Windows\System\noJUgmu.exe

C:\Windows\System\ueqXhna.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2828-222-0x000000013FED0000-0x0000000140221000-memory.dmp

memory/2668-229-0x000000013FC00000-0x000000013FF51000-memory.dmp

memory/1276-227-0x000000013F670000-0x000000013F9C1000-memory.dmp

memory/396-230-0x000000013FBD0000-0x000000013FF21000-memory.dmp

memory/2172-226-0x000000013FD50000-0x00000001400A1000-memory.dmp

memory/1952-232-0x000000013FD80000-0x00000001400D1000-memory.dmp

memory/1060-241-0x000000013F510000-0x000000013F861000-memory.dmp

memory/2392-234-0x000000013F5B0000-0x000000013F901000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 15:54

Reported

2024-11-10 15:57

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\fpzeSPb.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dFablLy.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jeeKNAe.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GJtzZct.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LTEcIwE.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\emDsXog.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RMnQifx.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qByjvmM.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QEImdxU.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dIHoUeN.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\erZVkWp.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UjuZksc.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zazXphj.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XGwbNwe.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pCCcCse.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zsvZXhS.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HRFefzB.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cqYZSrg.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SzmabeS.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dTsiWzU.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fkTWcsh.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4480 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jeeKNAe.exe
PID 4480 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jeeKNAe.exe
PID 4480 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GJtzZct.exe
PID 4480 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GJtzZct.exe
PID 4480 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zsvZXhS.exe
PID 4480 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zsvZXhS.exe
PID 4480 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qByjvmM.exe
PID 4480 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qByjvmM.exe
PID 4480 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HRFefzB.exe
PID 4480 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HRFefzB.exe
PID 4480 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LTEcIwE.exe
PID 4480 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LTEcIwE.exe
PID 4480 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cqYZSrg.exe
PID 4480 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cqYZSrg.exe
PID 4480 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QEImdxU.exe
PID 4480 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QEImdxU.exe
PID 4480 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dTsiWzU.exe
PID 4480 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dTsiWzU.exe
PID 4480 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SzmabeS.exe
PID 4480 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SzmabeS.exe
PID 4480 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fkTWcsh.exe
PID 4480 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fkTWcsh.exe
PID 4480 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UjuZksc.exe
PID 4480 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UjuZksc.exe
PID 4480 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dIHoUeN.exe
PID 4480 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dIHoUeN.exe
PID 4480 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\erZVkWp.exe
PID 4480 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\erZVkWp.exe
PID 4480 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zazXphj.exe
PID 4480 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zazXphj.exe
PID 4480 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\emDsXog.exe
PID 4480 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\emDsXog.exe
PID 4480 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RMnQifx.exe
PID 4480 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RMnQifx.exe
PID 4480 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fpzeSPb.exe
PID 4480 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fpzeSPb.exe
PID 4480 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dFablLy.exe
PID 4480 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dFablLy.exe
PID 4480 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XGwbNwe.exe
PID 4480 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XGwbNwe.exe
PID 4480 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pCCcCse.exe
PID 4480 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pCCcCse.exe
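
The two signature tables above describe one behaviour in two halves: the sample writes twenty-one executables into C:\Windows\System, then starts each one and writes into the new child's memory. The following Python is an added example and not part of this sandbox report; it correlates "File created" rows with "PID ... wrote to memory of ..." rows to recover that drop-then-execute chain. The row strings are copied from the tables above (four of the twenty-one dropped files, every write row appearing twice as in the report; the full tables parse the same way). Treating C:\Windows\System (the legacy directory, not System32 or SysWOW64) as a suspicious drop location is the example's own heuristic, not a report signature.

```python
import re
from pathlib import PureWindowsPath

# Constructed input: rows copied from the "Drops file in Windows directory" and
# "Suspicious use of WriteProcessMemory" tables of this report (subset).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe")

FILE_CREATED_ROWS = [
    rf"File created C:\Windows\System\jeeKNAe.exe {SAMPLE} N/A",
    rf"File created C:\Windows\System\GJtzZct.exe {SAMPLE} N/A",
    rf"File created C:\Windows\System\zsvZXhS.exe {SAMPLE} N/A",
    rf"File created C:\Windows\System\pCCcCse.exe {SAMPLE} N/A",
]
# The report lists each write twice; the parser deduplicates on (source, target) PID.
WRITE_ROWS = [
    rf"PID 4480 wrote to memory of 3456 N/A {SAMPLE} C:\Windows\System\jeeKNAe.exe",
    rf"PID 4480 wrote to memory of 3456 N/A {SAMPLE} C:\Windows\System\jeeKNAe.exe",
    rf"PID 4480 wrote to memory of 892 N/A {SAMPLE} C:\Windows\System\GJtzZct.exe",
    rf"PID 4480 wrote to memory of 892 N/A {SAMPLE} C:\Windows\System\GJtzZct.exe",
    rf"PID 4480 wrote to memory of 1576 N/A {SAMPLE} C:\Windows\System\zsvZXhS.exe",
    rf"PID 4480 wrote to memory of 1576 N/A {SAMPLE} C:\Windows\System\zsvZXhS.exe",
    rf"PID 4480 wrote to memory of 1792 N/A {SAMPLE} C:\Windows\System\pCCcCse.exe",
    rf"PID 4480 wrote to memory of 1792 N/A {SAMPLE} C:\Windows\System\pCCcCse.exe",
]

# Paths in these rows contain no spaces, so \S+ is enough to split the columns.
FILE_RE = re.compile(r"^File created (\S+) (\S+) (\S+)$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def in_legacy_system_dir(path: str) -> bool:
    # True only for files directly under C:\Windows\System (heuristic, see lead-in):
    # System32 and SysWOW64 hold the real system binaries and are excluded.
    parts = PureWindowsPath(path).parts
    return (len(parts) == 4
            and parts[1].lower() == "windows"
            and parts[2].lower() == "system")


def parse_drops(rows):
    """Map dropped file path -> path of the process that created it."""
    drops = {}
    for row in rows:
        m = FILE_RE.match(row)
        if m:
            drops[m.group(1)] = m.group(2)
    return drops


def parse_writes(rows):
    """Map (source pid, target pid) -> (source path, target path), deduplicated."""
    writes = {}
    for row in rows:
        m = WRITE_RE.match(row)
        if m:
            writes[(int(m.group(1)), int(m.group(2)))] = (m.group(3), m.group(4))
    return writes


def drop_and_execute_chain(file_rows, write_rows):
    """Children that one process first dropped into the legacy Windows\\System
    directory and then wrote into as a freshly created process."""
    drops = parse_drops(file_rows)
    writes = parse_writes(write_rows)
    chain = []
    for (src_pid, dst_pid), (src_path, dst_path) in sorted(writes.items()):
        if drops.get(dst_path) == src_path and in_legacy_system_dir(dst_path):
            chain.append((src_pid, dst_pid, dst_path))
    return chain


if __name__ == "__main__":
    for src, dst, path in drop_and_execute_chain(FILE_CREATED_ROWS, WRITE_ROWS):
        print(f"{src} -> {dst}  {path}")
```

On a live host the same join is Sysmon Event ID 11 (FileCreate with a target under C:\Windows\System) correlated with Event ID 1 (ProcessCreate whose Image is that file and whose ParentImage lives under the user's Temp directory); the parent PID 4480 here matches the memory/4480-0 region listed in the Files section, which is the sample's own image.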

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\jeeKNAe.exe

C:\Windows\System\jeeKNAe.exe

C:\Windows\System\GJtzZct.exe

C:\Windows\System\GJtzZct.exe

C:\Windows\System\zsvZXhS.exe

C:\Windows\System\zsvZXhS.exe

C:\Windows\System\qByjvmM.exe

C:\Windows\System\qByjvmM.exe

C:\Windows\System\HRFefzB.exe

C:\Windows\System\HRFefzB.exe

C:\Windows\System\LTEcIwE.exe

C:\Windows\System\LTEcIwE.exe

C:\Windows\System\cqYZSrg.exe

C:\Windows\System\cqYZSrg.exe

C:\Windows\System\QEImdxU.exe

C:\Windows\System\QEImdxU.exe

C:\Windows\System\dTsiWzU.exe

C:\Windows\System\dTsiWzU.exe

C:\Windows\System\SzmabeS.exe

C:\Windows\System\SzmabeS.exe

C:\Windows\System\fkTWcsh.exe

C:\Windows\System\fkTWcsh.exe

C:\Windows\System\UjuZksc.exe

C:\Windows\System\UjuZksc.exe

C:\Windows\System\dIHoUeN.exe

C:\Windows\System\dIHoUeN.exe

C:\Windows\System\erZVkWp.exe

C:\Windows\System\erZVkWp.exe

C:\Windows\System\zazXphj.exe

C:\Windows\System\zazXphj.exe

C:\Windows\System\emDsXog.exe

C:\Windows\System\emDsXog.exe

C:\Windows\System\RMnQifx.exe

C:\Windows\System\RMnQifx.exe

C:\Windows\System\fpzeSPb.exe

C:\Windows\System\fpzeSPb.exe

C:\Windows\System\dFablLy.exe

C:\Windows\System\dFablLy.exe

C:\Windows\System\XGwbNwe.exe

C:\Windows\System\XGwbNwe.exe

C:\Windows\System\pCCcCse.exe

C:\Windows\System\pCCcCse.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

The only traffic attributable to the sample is the repeated TCP connection to 3.120.209.58:8080 (DE); it is made directly by IP with no preceding name resolution, so there is no domain to pivot on. The in-addr.arpa queries to 8.8.8.8 are PTR lookups, most likely sandbox-guest background traffic rather than sample activity, and should not be treated as indicators without further evidence.

Files

memory/4480-0-0x00007FF796330000-0x00007FF796681000-memory.dmp

memory/4480-1-0x0000024068D70000-0x0000024068D80000-memory.dmp

C:\Windows\System\jeeKNAe.exe

MD5 9ba8f42f48c81e4c0a0ead8659d9f466
SHA1 cb36d707b12eef000506bc1da8eb787ddd07c5f1
SHA256 218a1e63a2965155c694206f591ae16d797221ac96346ea4b089c583fa477429
SHA512 beb3629785d806e9d887982370cff0e2eb2f18088a029d678607d93fe1cd9aee47039aab506fff1928d77e06f747d7d7460a8fbfa119bad056be8767879d953b

C:\Windows\System\zsvZXhS.exe

MD5 3b77a5b8cc8e71f37e4223dc7fee4173
SHA1 d69c4ed183b89f8dfc4f955a37715851695c172c
SHA256 aa9a03920057d1d6f17f389d1ae8b00f050c619f57e1a3537e6ba6fde2a3aaec
SHA512 2882153983b3fabc139eb18f885b6b52da94fa2a29ba279712d2411a6ab32a7c796a6211aa2c5b38241d1d1675b7ead0ad36fa5748c1661504eb221501632d98

C:\Windows\System\qByjvmM.exe

MD5 3cb50921a7ef4122c123f616f1b39aa9
SHA1 c98734c6d0459df4db4db41aac4a4557224b375e
SHA256 fd815343424931793e15c3d6ab0ced70d7abd14c571443b580b0d8b1d5d0649c
SHA512 07be1471ae1c1b3efe4a08a9c464a8527cf6c820570750d53cf6f7e7a3347e3bcf2b75a05aa06534ebc847901b1b2d5511fd632db314c11d55b5b4966d40836c

C:\Windows\System\HRFefzB.exe

MD5 4cb6b11f1ccd33ce7e6e27feec563838
SHA1 c0094ff42973599caabdbe34072cbea49f03f188
SHA256 8aa5bdfd7523f8ad90214e27fdeca9d031266d27cbd1e009f1d3f0723522a6f4
SHA512 d699405f9ae85e26d931b7c80ebef2f2eac2dd87110b08baeb3b66bc32d24422d5fe0ad6910b3b091fa11dbab659e8e258c05aba8357baad4349e8d90636871b

memory/1868-30-0x00007FF7BBD20000-0x00007FF7BC071000-memory.dmp

memory/844-23-0x00007FF670620000-0x00007FF670971000-memory.dmp

memory/1576-18-0x00007FF673510000-0x00007FF673861000-memory.dmp

memory/892-17-0x00007FF652920000-0x00007FF652C71000-memory.dmp

C:\Windows\System\GJtzZct.exe

MD5 effc0dbc74b21a4d8eed552d24d704fa
SHA1 bb4b8fa60788fb689d7b41b34a1f5c68aa40ed3d
SHA256 e8680bfffbb37874dfff19f76431806314cddaa0ccadf9cc53cecf4c1331114b
SHA512 f764ecf9a1d82ae2a2efdd537a1924514e395a2d4f4661b68170cd94aeac6af97f7d4d0699995f118d4167e0c06b6f3ccd87bcf2599d55fa60aff4cff096873d

memory/3456-10-0x00007FF798FA0000-0x00007FF7992F1000-memory.dmp

C:\Windows\System\LTEcIwE.exe

MD5 fe507d945f44e00d9066f58603c6df8b
SHA1 c5e202db738091df1e10211fa66c8b669ea1b0b5
SHA256 25b96c3707f3eb38c76d5744aed0a2637b785b0798be746b5925d160f9fa58a9
SHA512 21a97c8977adc241836c9059a62a885fe1a0667428df6311b1f2e6e67f603b2474042752885e4b41d333e38a8b1699481d7e97cbbfda97f29cc9290f60382f31

memory/2912-36-0x00007FF663E20000-0x00007FF664171000-memory.dmp

C:\Windows\System\cqYZSrg.exe

MD5 361d19ebfa58e553ada5b77299f8e4aa
SHA1 7dc5a1dcbdaec4baa98e6e775617f598f194a6dc
SHA256 bced33ded90e32cc7992fcaefc6143129c92138e2eac99a0d3129527ce956cd1
SHA512 0c39351d106046c0b07620a4b62ad4eef7d850e48e7fa725c2a78ce2cee4f48fcc80bbecbeff38cfe601592cd6179da5adea7ae24a25c5db139bc8f1299aa8d9

memory/2284-42-0x00007FF750C10000-0x00007FF750F61000-memory.dmp

memory/4264-48-0x00007FF66A740000-0x00007FF66AA91000-memory.dmp

C:\Windows\System\SzmabeS.exe

MD5 02ee8eaa2499211d87c4fda7220561f4
SHA1 787b09a2a136dfbf39be3404355eafa7bb46e8ef
SHA256 596d089685b92787e39a2e2deccc293e40d23b3531abe8898e8c4d50b97db6f7
SHA512 7d102dcf78fd9e073d02b3018a5e7bf61356876e07e7a63442a88e2afb15b466d628545bff49a040f4d4b6a94db8081737fc1db1bc5828dc8f565b6b60b100b9

memory/1628-61-0x00007FF791BB0000-0x00007FF791F01000-memory.dmp

memory/892-66-0x00007FF652920000-0x00007FF652C71000-memory.dmp

C:\Windows\System\fkTWcsh.exe

MD5 d8d3b0e2ff017d2395c6f28677bce614
SHA1 94b36ce9e78352eb3e6dec6ec757481fd2493551
SHA256 083649ed1b0e53cb17e340ed9d21a6ef9748c0f922f3ced99237c3cce9ba86ed
SHA512 f9028da4a2976e953a37d9c1250ca8c4e109eea428118655d6f91b72fc4ecfb7aaf7aac9019cbe18f92182ccebce7a37452ae6438823290ce17076a7a9bed836

memory/3016-69-0x00007FF603290000-0x00007FF6035E1000-memory.dmp

memory/1200-67-0x00007FF624C20000-0x00007FF624F71000-memory.dmp

C:\Windows\System\dTsiWzU.exe

MD5 ab69ff42fbb5f88dbb4a411ebd7f49df
SHA1 1d94cf36f4d19568c6519fec11ea23b7fa39e336
SHA256 062eb8c505bcf1a098ad3be884e19bbe0ab922960e90a03a384c68003d27a8a7
SHA512 a6862d586985f66fc5d4bc1f98d3e3a1f9ea77d0c7fff3bbb22501bd3dc53097af920de5207833be28434ff0f53e820bb3a80299939a6b26701f39890a7ead4c

memory/3456-55-0x00007FF798FA0000-0x00007FF7992F1000-memory.dmp

memory/4480-54-0x00007FF796330000-0x00007FF796681000-memory.dmp

C:\Windows\System\QEImdxU.exe

MD5 e97af8476c7d49be6ac8727dc8bad9da
SHA1 46c3c9a5502f8c50a39ead8ae0de7ec8f6072b70
SHA256 b08818b6ce3b062b83de1abd3c08aa98c690d3cc1f04ac22dc24c465661a9cc7
SHA512 657437d3ea4a2b8c9f828b06963f8d74fee6154cbee5048d4147456fe71e3d9cdf4f925eea31910d0571582d3f0c693860964c130f0745f28fe79a0006318cc4

memory/1576-72-0x00007FF673510000-0x00007FF673861000-memory.dmp

C:\Windows\System\UjuZksc.exe

MD5 9cdd7f376ad33a2a317af7415c9f14f7
SHA1 2e68ae76623efe82fa2649723dccd4e0c2853840
SHA256 c53c122384336736e889552341b3d2c71c90546e2d3e408ebfd7835ab65425d0
SHA512 579765dc056764341beb57fc75ee1fa83ded37b8908049e02bc0860561142c6f6b197f02eed4cb18b2bb78008afe52c00a3620a3c108e3f4147c5485061f3b1c

C:\Windows\System\dIHoUeN.exe

MD5 1489aa8a774f18946a5c10a19b922cfe
SHA1 76504be4ecc338f1ae685b100b5fdafa7d19ac75
SHA256 aab30e32da7a2c26b01504410c70c915ce38938222595f96674104ec4baa4c86
SHA512 7bed9b72b236f5543888eca3e5e99efbd0dd30d8be7bb770f0fdf2abcc7636df33de41a3be98d13d01615939cbeea54e83725082ea544a565fa22f60a31284e4

memory/1868-81-0x00007FF7BBD20000-0x00007FF7BC071000-memory.dmp

C:\Windows\System\erZVkWp.exe

MD5 640eee1b01e1819a288731e04509c034
SHA1 48c9f57091f6ecc80dbc9b2dbaec1134c90fdcfc
SHA256 2034927e33e72a757858cc64177ded349b603677ce5b3f73eff2ada7543767b6
SHA512 fd3ef4f7c41bd24747e4b3214285518ebc2d72e17441ea5b9f45d9d4dfb96e0ab3410ec56607ad918f7fcf3db60c3a27c24ae03d9c90797dbc92907662d17a66

C:\Windows\System\zazXphj.exe

MD5 893b567bbc5b42a50cc79ef45cb228f3
SHA1 cb6db005ea5d190f32734d11341863e63c91e2e5
SHA256 3b21bb387ae78d1f4fd40e2fafe7d451828dfc2692fce63edd19dadc9145054c
SHA512 842f5e88a0539014736656ade9844b6405ddce68b20866e62a643c1bdce95477991b588b78c7fa9b97ad65a98442951de71c6dbe834ebf3139db2f59d8cc04cd

memory/2284-97-0x00007FF750C10000-0x00007FF750F61000-memory.dmp

C:\Windows\System\emDsXog.exe

MD5 eff32b361b81eca9c562d82545d7ddab
SHA1 f59ef507e095b069a434c9b89d7bac544d960481
SHA256 abcd460441b5e3ad56be45524a440239468e7746037f9afb359a32f6ef74f840
SHA512 f177178730561adafba330ac5d95a77c431a6c6f77ec8dca15e932c870e6a94335536d6d3bb1c0f9f8f43ac5168d4aa27c176f85bcf02d2b118319bb632b877a

memory/4264-104-0x00007FF66A740000-0x00007FF66AA91000-memory.dmp

C:\Windows\System\RMnQifx.exe

MD5 20ccf8dcbdbb64a175af76ce2c29aec8
SHA1 1b78f05a53b45f003748698c81f6016cea25ba3b
SHA256 d03f0f06a9988d95e77b904bc2dd85670d8de6d000f43ac2f4d579ec47f54db5
SHA512 185a5a9ac5d2d256a9d469709ff0dc8a96174368d9feb35e8ebe05533d4c2454943eb71b8538984816d1a8e6c948b8cc1f8d30362eb02502e8d9c498fb94333e

memory/1628-120-0x00007FF791BB0000-0x00007FF791F01000-memory.dmp

memory/2312-124-0x00007FF708F20000-0x00007FF709271000-memory.dmp

C:\Windows\System\XGwbNwe.exe

MD5 7637e585df42e05f803d7c325b99a74d
SHA1 ae7555d9e779e75d6f139ee14491e8766151dda2
SHA256 3424bbc52454895430a296e026d69d6c1b9db4c139cbbc4f052daed31116d829
SHA512 b9f95601730680396765301baf187bf0425c917d6707cfb8d54dea09615f05cd5a814cd357069ca8a1754e74133fb555836b3b41077924c41df77be2d93c883a

memory/1116-134-0x00007FF7954C0000-0x00007FF795811000-memory.dmp

C:\Windows\System\pCCcCse.exe

MD5 8ecb5a9905030da2cce9679315118d09
SHA1 ee8f37d65e1a697e22975bf78293e799e785fdbc
SHA256 efba3f48db88aca2dd334f723541a88baa4bd0f62e525766f6ed33ae7b802290
SHA512 179a4462b144d145fad98f01b9ac162e34cfe762b58880cea2818ac9d01f0a096656f4729f8a51e481e2e4a9e0d742b8356c003ff39af57c2b3fbd2923767745

memory/1792-142-0x00007FF7BF100000-0x00007FF7BF451000-memory.dmp

memory/3688-141-0x00007FF777E90000-0x00007FF7781E1000-memory.dmp

memory/3016-137-0x00007FF603290000-0x00007FF6035E1000-memory.dmp

C:\Windows\System\dFablLy.exe

MD5 aad50f5f5a0cf50a0456a775f56bc1a0
SHA1 215eae9e455b2128161e6b582ee61c2c1ba6dd13
SHA256 b6fb99e1972eb4550b73d0156f1f3760399a60ab148baab838f4180becd21c75
SHA512 8812d4e6c81fdb2a81abe255df43048debb78bdb208a7302174855fc680a6565738cb2b915ccba2d3b33b92f6c6a91a88e1818f5759480fac6fd1c8d6ea9ebec

C:\Windows\System\fpzeSPb.exe

MD5 885b8f8f5aeeee15af15294ba112d684
SHA1 7fc6935b5059e5fc6b43a277be880c9a3d9d61a9
SHA256 e4187c1d9dc702b770ecdf4c93e237cdafe52c852bb6f6e9160c1e75493f45b6
SHA512 96fd39c93813d9a5283766ce14a9c33b60f8a236ee6b7d14434e1896413263b461352198911d1ba09f5795dce35150ed497ed4acb47d4cc2801fc27cd463571c

memory/2176-110-0x00007FF75EA00000-0x00007FF75ED51000-memory.dmp

memory/3888-106-0x00007FF6C50B0000-0x00007FF6C5401000-memory.dmp

memory/3908-98-0x00007FF781830000-0x00007FF781B81000-memory.dmp

memory/2912-96-0x00007FF663E20000-0x00007FF664171000-memory.dmp

memory/2200-90-0x00007FF62A970000-0x00007FF62ACC1000-memory.dmp

memory/464-84-0x00007FF7E88F0000-0x00007FF7E8C41000-memory.dmp

memory/3460-83-0x00007FF604900000-0x00007FF604C51000-memory.dmp

memory/844-76-0x00007FF670620000-0x00007FF670971000-memory.dmp

memory/464-152-0x00007FF7E88F0000-0x00007FF7E8C41000-memory.dmp

memory/2200-154-0x00007FF62A970000-0x00007FF62ACC1000-memory.dmp

memory/2312-164-0x00007FF708F20000-0x00007FF709271000-memory.dmp

memory/4480-155-0x00007FF796330000-0x00007FF796681000-memory.dmp

memory/1792-167-0x00007FF7BF100000-0x00007FF7BF451000-memory.dmp

memory/3688-166-0x00007FF777E90000-0x00007FF7781E1000-memory.dmp

memory/1116-165-0x00007FF7954C0000-0x00007FF795811000-memory.dmp

memory/2176-163-0x00007FF75EA00000-0x00007FF75ED51000-memory.dmp

memory/3888-162-0x00007FF6C50B0000-0x00007FF6C5401000-memory.dmp

memory/3908-161-0x00007FF781830000-0x00007FF781B81000-memory.dmp

memory/4480-179-0x00007FF796330000-0x00007FF796681000-memory.dmp

memory/3456-215-0x00007FF798FA0000-0x00007FF7992F1000-memory.dmp

memory/892-217-0x00007FF652920000-0x00007FF652C71000-memory.dmp

memory/1576-219-0x00007FF673510000-0x00007FF673861000-memory.dmp

memory/844-221-0x00007FF670620000-0x00007FF670971000-memory.dmp

memory/1868-223-0x00007FF7BBD20000-0x00007FF7BC071000-memory.dmp

memory/2912-227-0x00007FF663E20000-0x00007FF664171000-memory.dmp

memory/2284-233-0x00007FF750C10000-0x00007FF750F61000-memory.dmp

memory/1200-236-0x00007FF624C20000-0x00007FF624F71000-memory.dmp

memory/4264-237-0x00007FF66A740000-0x00007FF66AA91000-memory.dmp

memory/1628-239-0x00007FF791BB0000-0x00007FF791F01000-memory.dmp

memory/3016-241-0x00007FF603290000-0x00007FF6035E1000-memory.dmp

memory/3460-249-0x00007FF604900000-0x00007FF604C51000-memory.dmp

memory/464-251-0x00007FF7E88F0000-0x00007FF7E8C41000-memory.dmp

memory/2200-253-0x00007FF62A970000-0x00007FF62ACC1000-memory.dmp

memory/3908-255-0x00007FF781830000-0x00007FF781B81000-memory.dmp

memory/3888-261-0x00007FF6C50B0000-0x00007FF6C5401000-memory.dmp

memory/2176-263-0x00007FF75EA00000-0x00007FF75ED51000-memory.dmp

memory/2312-265-0x00007FF708F20000-0x00007FF709271000-memory.dmp

memory/1116-267-0x00007FF7954C0000-0x00007FF795811000-memory.dmp

memory/1792-269-0x00007FF7BF100000-0x00007FF7BF451000-memory.dmp

memory/3688-271-0x00007FF777E90000-0x00007FF7781E1000-memory.dmp
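
The Files section above interleaves two kinds of artefact: memory dump names that encode PID and address range, and per-file hash blocks for the dropped executables. The Python below is an added example and not part of this sandbox report; it parses that section into region geometry and a hash table. The input text is a subset copied from the section above (seven dump entries and two hash blocks; the whole section parses the same way). The observation it makes computable is that every image dump of a dropped executable spans exactly 0x351000 bytes at a different ASLR base, while memory/4480-1 is a separate 0x10000-byte private allocation in the parent; the same 0x351000 span appears in the behavioral1 (win7) dumps at 0x13F... bases.

```python
import re
from collections import Counter

# Constructed input: a subset of the Files section of this report.
FILES_SECTION = r"""
memory/4480-0-0x00007FF796330000-0x00007FF796681000-memory.dmp
memory/4480-1-0x0000024068D70000-0x0000024068D80000-memory.dmp

C:\Windows\System\jeeKNAe.exe

MD5 9ba8f42f48c81e4c0a0ead8659d9f466
SHA1 cb36d707b12eef000506bc1da8eb787ddd07c5f1
SHA256 218a1e63a2965155c694206f591ae16d797221ac96346ea4b089c583fa477429
SHA512 beb3629785d806e9d887982370cff0e2eb2f18088a029d678607d93fe1cd9aee47039aab506fff1928d77e06f747d7d7460a8fbfa119bad056be8767879d953b

C:\Windows\System\zsvZXhS.exe

MD5 3b77a5b8cc8e71f37e4223dc7fee4173
SHA1 d69c4ed183b89f8dfc4f955a37715851695c172c
SHA256 aa9a03920057d1d6f17f389d1ae8b00f050c619f57e1a3537e6ba6fde2a3aaec
SHA512 2882153983b3fabc139eb18f885b6b52da94fa2a29ba279712d2411a6ab32a7c796a6211aa2c5b38241d1d1675b7ead0ad36fa5748c1661504eb221501632d98

memory/1868-30-0x00007FF7BBD20000-0x00007FF7BC071000-memory.dmp
memory/844-23-0x00007FF670620000-0x00007FF670971000-memory.dmp
memory/1576-18-0x00007FF673510000-0x00007FF673861000-memory.dmp
memory/892-17-0x00007FF652920000-0x00007FF652C71000-memory.dmp
memory/3456-10-0x00007FF798FA0000-0x00007FF7992F1000-memory.dmp
"""

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Return (regions, hashes): regions as (pid, seq, start, end) integers,
    hashes as {file path: {algo: hex digest}}. A digest of the wrong length
    is rejected so a truncated copy of the report cannot yield bad IOCs."""
    regions, hashes, current = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if (m := MEM_RE.match(line)):
            pid, seq, start, end = m.groups()
            regions.append((int(pid), int(seq), int(start, 16), int(end, 16)))
        elif line.startswith("C:\\"):
            current = line
            hashes.setdefault(current, {})
        elif (m := HASH_RE.match(line)) and current is not None:
            algo, digest = m.groups()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} digest for {current} has length {len(digest)}")
            hashes[current][algo] = digest
    return regions, hashes


def region_sizes(regions):
    """Histogram of region sizes in bytes. One dominant size across many PIDs
    means the dumps are the same-layout PE image mapped at different bases."""
    return Counter(end - start for _, _, start, end in regions)


def image_regions(regions, size):
    """(pid, base address) for every region of exactly `size` bytes."""
    return sorted((pid, start) for pid, _, start, end in regions if end - start == size)


def sha256_iocs(hashes):
    """Sorted (sha256, path) pairs ready for a blocklist or a retro-hunt."""
    return sorted((h["SHA256"], path) for path, h in hashes.items() if "SHA256" in h)


if __name__ == "__main__":
    regions, hashes = parse_files_section(FILES_SECTION)
    for size, count in region_sizes(regions).most_common():
        print(f"{count} region(s) of {size:#x} bytes")
    for pid, base in image_regions(regions, 0x351000):
        print(f"pid {pid}: image at {base:#018x}")
    for digest, path in sha256_iocs(hashes):
        print(f"{digest}  {path}")
```

Because the dropped files all carry different hashes but identical image spans, hash-based blocking covers only this detonation; the region size, the drop directory and the Temp-to-Windows\System parent-child relationship are the more durable signals for this sample.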