Malware Analysis Report

2025-08-06 02:05

Sample ID 241027-e1w9ystdqg
Target 2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat
SHA256 953fed62f0a7328e96c4626e0bac4f00e3a427040f4467724b1c8a5ce1c76e8b
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

953fed62f0a7328e96c4626e0bac4f00e3a427040f4467724b1c8a5ce1c76e8b

Threat Level: Known bad

The file 2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike family

XMRig Miner payload

xmrig

Cobaltstrike

Cobalt Strike reflective loader

Xmrig family

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-10-27 04:25

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 04:24

Reported

2024-10-27 04:27

Platform

win7-20240903-en

Max time kernel

140s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ofELQEa.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mLAGNuy.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YUVGoGI.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DoMKlNY.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LpKndmh.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CflhmPh.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QyjKxfH.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cMSsmFY.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cFlzpLS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XOhWrlW.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VhjLvwx.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\teMeySE.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lWXUrRn.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rtzAjIR.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NLIHibS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SgDgCeH.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KQytjBi.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cgZNoeu.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DetTUXU.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YoFKoxN.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uGdnmAF.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2408 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\teMeySE.exe
PID 2408 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\teMeySE.exe
PID 2408 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\teMeySE.exe
PID 2408 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cgZNoeu.exe
PID 2408 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cgZNoeu.exe
PID 2408 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cgZNoeu.exe
PID 2408 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YUVGoGI.exe
PID 2408 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YUVGoGI.exe
PID 2408 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YUVGoGI.exe
PID 2408 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DoMKlNY.exe
PID 2408 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DoMKlNY.exe
PID 2408 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DoMKlNY.exe
PID 2408 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lWXUrRn.exe
PID 2408 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lWXUrRn.exe
PID 2408 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lWXUrRn.exe
PID 2408 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LpKndmh.exe
PID 2408 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LpKndmh.exe
PID 2408 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LpKndmh.exe
PID 2408 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CflhmPh.exe
PID 2408 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CflhmPh.exe
PID 2408 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CflhmPh.exe
PID 2408 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ofELQEa.exe
PID 2408 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ofELQEa.exe
PID 2408 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ofELQEa.exe
PID 2408 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DetTUXU.exe
PID 2408 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DetTUXU.exe
PID 2408 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DetTUXU.exe
PID 2408 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rtzAjIR.exe
PID 2408 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rtzAjIR.exe
PID 2408 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rtzAjIR.exe
PID 2408 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NLIHibS.exe
PID 2408 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NLIHibS.exe
PID 2408 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NLIHibS.exe
PID 2408 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QyjKxfH.exe
PID 2408 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QyjKxfH.exe
PID 2408 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QyjKxfH.exe
PID 2408 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YoFKoxN.exe
PID 2408 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YoFKoxN.exe
PID 2408 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YoFKoxN.exe
PID 2408 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SgDgCeH.exe
PID 2408 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SgDgCeH.exe
PID 2408 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SgDgCeH.exe
PID 2408 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cMSsmFY.exe
PID 2408 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cMSsmFY.exe
PID 2408 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cMSsmFY.exe
PID 2408 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cFlzpLS.exe
PID 2408 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cFlzpLS.exe
PID 2408 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cFlzpLS.exe
PID 2408 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mLAGNuy.exe
PID 2408 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mLAGNuy.exe
PID 2408 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mLAGNuy.exe
PID 2408 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XOhWrlW.exe
PID 2408 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XOhWrlW.exe
PID 2408 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XOhWrlW.exe
PID 2408 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VhjLvwx.exe
PID 2408 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VhjLvwx.exe
PID 2408 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VhjLvwx.exe
PID 2408 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uGdnmAF.exe
PID 2408 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uGdnmAF.exe
PID 2408 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uGdnmAF.exe
PID 2408 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KQytjBi.exe
PID 2408 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KQytjBi.exe
PID 2408 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KQytjBi.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\teMeySE.exe

C:\Windows\System\teMeySE.exe

C:\Windows\System\cgZNoeu.exe

C:\Windows\System\cgZNoeu.exe

C:\Windows\System\YUVGoGI.exe

C:\Windows\System\YUVGoGI.exe

C:\Windows\System\DoMKlNY.exe

C:\Windows\System\DoMKlNY.exe

C:\Windows\System\lWXUrRn.exe

C:\Windows\System\lWXUrRn.exe

C:\Windows\System\LpKndmh.exe

C:\Windows\System\LpKndmh.exe

C:\Windows\System\CflhmPh.exe

C:\Windows\System\CflhmPh.exe

C:\Windows\System\ofELQEa.exe

C:\Windows\System\ofELQEa.exe

C:\Windows\System\DetTUXU.exe

C:\Windows\System\DetTUXU.exe

C:\Windows\System\rtzAjIR.exe

C:\Windows\System\rtzAjIR.exe

C:\Windows\System\NLIHibS.exe

C:\Windows\System\NLIHibS.exe

C:\Windows\System\QyjKxfH.exe

C:\Windows\System\QyjKxfH.exe

C:\Windows\System\YoFKoxN.exe

C:\Windows\System\YoFKoxN.exe

C:\Windows\System\SgDgCeH.exe

C:\Windows\System\SgDgCeH.exe

C:\Windows\System\cMSsmFY.exe

C:\Windows\System\cMSsmFY.exe

C:\Windows\System\cFlzpLS.exe

C:\Windows\System\cFlzpLS.exe

C:\Windows\System\mLAGNuy.exe

C:\Windows\System\mLAGNuy.exe

C:\Windows\System\XOhWrlW.exe

C:\Windows\System\XOhWrlW.exe

C:\Windows\System\VhjLvwx.exe

C:\Windows\System\VhjLvwx.exe

C:\Windows\System\uGdnmAF.exe

C:\Windows\System\uGdnmAF.exe

C:\Windows\System\KQytjBi.exe

C:\Windows\System\KQytjBi.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2408-0-0x000000013F7B0000-0x000000013FB01000-memory.dmp

memory/2408-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\teMeySE.exe

MD5 26a61a9f07bcd6f5c018fbdfe64f314c
SHA1 bea605197b15ddc643c4b04892c0bdb0e3981b0b
SHA256 bd255431a9840c21ecbc204c3a210e9c6495d5adcd7b826915078e890e377fa9
SHA512 40fc56c95295e55d5ef0a60e2ee50106ac04e306b98920fc9550e79a98cd424729f194b2d6e853c9d57bfc8dcee434091ea87a1dc193bc4f8e6c07c7330990c9

C:\Windows\system\cgZNoeu.exe

MD5 1dacca90c6c3c39691a55cf77f5e77b1
SHA1 4eaa397d1e4bf00a0397e0c7bc823a2636833d51
SHA256 a65b00d1195a66badea1020b130f51b393db780e87de63b42feb4ef8393aabad
SHA512 a4664ccff64585dee81a68d6a205318425c492c3655c82e26ee9dc2c7139a480ffcf48b38eb91c61c0b4283552e1d830e5e46d17cc0709eb7f7c722e706fc9ee

\Windows\system\YUVGoGI.exe

MD5 5bdd8c815e5ff3c64e53fbda1771bcf9
SHA1 13a9efb409450971b5d562212ded57bdf607d5c2
SHA256 92ef1ae4025ed2bab0f74edfd61ee412e8e9f651bdf4a86b0a55981df3e65f1d
SHA512 8badd66506acbb4e846dabdf014e9493ab9a9a81c16ce40e590b1adae111aecec9ab0ad271b07914d00f2af76f9263be3d649be206a755aa09b6ca4685785202

C:\Windows\system\DoMKlNY.exe

MD5 da43c3e997d2194576fa701a548983d8
SHA1 872729bad82b910454833e3696c6e8a94acd798c
SHA256 d2ff29464414e804a279fd0d843ee1889899727a74189b500a43546204520293
SHA512 b1fa1d06c04a86a9febbc5d6e8107ce682f6fb1634b6c20c8c5076bb2bdfc37eb233e1a5dd8104cdb505a7b3c3a46116255d482b02b1f05b92fa53bf44788569

C:\Windows\system\lWXUrRn.exe

MD5 fe8b72a4d7b97e41067d3e290780720a
SHA1 71270bd6be92ceab7d98b862dde965b0f401a165
SHA256 99bc1e9b4fbf3bfd5724b58cee7a58c92cac4d3918032c351ca7bba537429daa
SHA512 0853feec1a68d8cdaafff34f413dba045e1c53b40596df78df5bfc9190b7b4a498140e8322a7f5b1a95107a5a38804375d7bbb6ab8a2e64afb939558b3c0d09f

memory/2408-21-0x000000013FCC0000-0x0000000140011000-memory.dmp

memory/316-17-0x000000013F780000-0x000000013FAD1000-memory.dmp

memory/2408-36-0x000000013F450000-0x000000013F7A1000-memory.dmp

memory/2408-38-0x000000013FC30000-0x000000013FF81000-memory.dmp

\Windows\system\LpKndmh.exe

MD5 71e0d42cdc3afd21c4f53aa5f90ad2a2
SHA1 4d9316707882df8eaff70ccfa4bf3b30072bc0f2
SHA256 cb41c0e396cebfbeab8d93677acbb0e3a67c41537ee97bcaf618d690acb65f2c
SHA512 f1354722b74553b0129f17d1313028e20cf683126160196bf5c9bb25bb1763e9fa619317f93493d1a06cc05e823e6478e2fbc07d26f483faf45d3f6b77425e67

memory/2420-35-0x000000013FCC0000-0x0000000140011000-memory.dmp

memory/1312-34-0x000000013FFB0000-0x0000000140301000-memory.dmp

memory/2936-33-0x000000013F450000-0x000000013F7A1000-memory.dmp

memory/2408-32-0x000000013FFB0000-0x0000000140301000-memory.dmp

memory/2580-31-0x000000013F110000-0x000000013F461000-memory.dmp

memory/2408-29-0x000000013F110000-0x000000013F461000-memory.dmp

\Windows\system\CflhmPh.exe

MD5 e08a0e28ad491ba53fc52425020dd268
SHA1 211ce4310bcfbd8da4ab175e0379d48cd1d4f3b0
SHA256 9455bbed00843d64babc2f7222971cf65723393b36b177c37905b4653ee856ef
SHA512 69a8f5000ba9802ef74d6a9bc640f58ffb17e91f68ff0c423be16bd657655c8b6f4b5987d721b9af93de50bf7fce2b2fd29670e73cb77736ab6d20e0cc8fa784

C:\Windows\system\cFlzpLS.exe

MD5 d43dddecb96438c2c270e7f3f5ffe8b6
SHA1 a801d16058f75823ebf73592176ad674a5a42530
SHA256 fed125c0e0914db0dcf74fab0d29c9bf14159709c9f10d196f63897473c33638
SHA512 75956c96b8597af8dd8730202174488325a000f38f15f0461d3352d65428681f14fad224ef74ec985b9289d5672c2ee889e591b2f6d37e09e3fdb1d016660c1d

\Windows\system\XOhWrlW.exe

MD5 9a81f6c839ac113329452392e7054895
SHA1 d4eacbdf1dd93bfff6c352970233e43d0226692d
SHA256 becaec44230d38a2c6018cf2ceb28d612fd3891d96df25971fc8f2185a55f28e
SHA512 7d030ea895cf23007b2f330de4f562febbe8f59e935e04d7fffe54c411dfbde2aecbab270b0ef0baf0876f7fe48ada4dd27c77b05b594ae463b8d600c24ec1d3

\Windows\system\uGdnmAF.exe

MD5 b0fe780ee924607fb845deaac435d8c0
SHA1 c3b178b0e3cb96f4980ff7b96f58eaeb52d2b4ab
SHA256 05f2d53fe92515949e87c79f1e6a46f89e7da97c803eede8822b56ddeacf9cc1
SHA512 d0673ddf2b6d0998a864cb65f76011d0b03dddaa87408571ac07b1f4618c4d1fb6fd4ee3e3fb3efdb97846bbc39098e6a8b8e55b8ebf0fa50c826176fe0d5830

memory/2408-71-0x0000000002490000-0x00000000027E1000-memory.dmp

\Windows\system\SgDgCeH.exe

MD5 207f67b5783cf49254aafeb6ae2f71ec
SHA1 872f90b22bbde8645014973bcd3ce3d18e782951
SHA256 67345099cf9d01a1ce95957c552a09deec3975136f08fcc52b730b1aba43dcac
SHA512 91e92dbee0c75ba7ce36761fc73bb4d7bd80755f931d051023d15eef790f7e438765a43ac8d488dc456d0b3dacd44b8f8914188c5d354366c1dbefd96964a399

\Windows\system\QyjKxfH.exe

MD5 b35a1b27d350ee2784ba1a07d0dd4ff0
SHA1 9a7b8fd0e533b246f24c9dfc17a9d111833bb21f
SHA256 e8f22ed647aca1662ee94ef780e01c7d8a147a64c1b942eeb4247291199e321c
SHA512 637018d97aeeeaffb6103b306eb12e0e3d11c27c028b9ff80d093363988b1f6e75632572b557d369eb2acd47df5e92de82591fc10ba992b35096336698c6c927

\Windows\system\rtzAjIR.exe

MD5 66766dff4a1788949c11868aca7f9ef8
SHA1 185e243b9ebf24707be57b713400428ac86f45ba
SHA256 940fdcb9a1b87e6b4216c2ba77ca47a02831f1031904f19771748c7a6aaf99f0
SHA512 4917346d796788d86508db8162e15ca949b96910e49d1c78d74d72ac15b05bf07186c46cd526eb63afbb86db61a9056e0d48904fb90558bc6f4fb36d71c8fd95

memory/2408-131-0x000000013F7B0000-0x000000013FB01000-memory.dmp

memory/2408-118-0x000000013F3B0000-0x000000013F701000-memory.dmp

memory/3028-117-0x000000013FB70000-0x000000013FEC1000-memory.dmp

memory/3044-116-0x000000013FFB0000-0x0000000140301000-memory.dmp

memory/2648-115-0x000000013FF70000-0x00000001402C1000-memory.dmp

memory/2408-133-0x000000013FCC0000-0x0000000140011000-memory.dmp

memory/316-132-0x000000013F780000-0x000000013FAD1000-memory.dmp

memory/2408-114-0x0000000002490000-0x00000000027E1000-memory.dmp

memory/2408-113-0x000000013F230000-0x000000013F581000-memory.dmp

memory/2748-112-0x000000013F920000-0x000000013FC71000-memory.dmp

memory/2408-108-0x000000013F3C0000-0x000000013F711000-memory.dmp

C:\Windows\system\KQytjBi.exe

MD5 c9d1a6db4f2c687b9ee7fb8b2fd84407
SHA1 f17c1b0396b60644178de34cdc76f2f5b53bb19a
SHA256 3b47d44a46cd03fcbf7d78ecbace79ba1838d76a16e762544998625752240481
SHA512 d3bd30c890030aab864d5fd615dc72706c3ba01e5055b64464fbe70dccd39aa305c637ca6b65c4504a3fc37e50c45e2b7cc51bfa36bf9f12d2cdeb47ef411cd6

C:\Windows\system\VhjLvwx.exe

MD5 ba4189a8b1f721642e5c6117ace640bc
SHA1 e13c1cbb29f446a51f7f7b101f531f09eae940d1
SHA256 ed984d8966248c9a3b0a9caaf960ba61fa426028eb620c406625979f0a21b1c2
SHA512 3ae16e0a3e256b299181c6e780fa5fd1b04674deb47773f0dc9702dd085fe18b91eabb9e612ed1efa8ca3918b8e2f454c24f65e5229fb40c59363c1ab7404a9c

C:\Windows\system\mLAGNuy.exe

MD5 0ecf63c79129f652497e80738c2af6fc
SHA1 674f942e368a375d8b8956778bbf9bc18a3df244
SHA256 8c231fda2d8e5060e7007e930b71c5fe10bf30879f9f89f9563407b55b49d11d
SHA512 8a0cc20b859b52615ecdff3b97f0cae16b2804f0136b73989ee5f9c8f3c6cc303d2455bf5e9a49ab749fd61adb75440c144cb78c25ee17da8017bb23dc116860

C:\Windows\system\cMSsmFY.exe

MD5 07156cfdb1c08a003013e30dee9a3a39
SHA1 af32afcd4c82f707157389f9c0a8bd05b1ecf6fb
SHA256 99171ae3e072498a099364e4c8fd811c2b5dc88dfebe24b70cec0b72e3725ced
SHA512 633b78180aa4bdd9fe599a13eff897c9d304a245da013ef4dca552949d79532d777b9741cbd44212ca04d194365ff52ba954253ddf2e337aaeefd865d499c278

memory/2408-102-0x000000013FFB0000-0x0000000140301000-memory.dmp

memory/2408-100-0x000000013FD00000-0x0000000140051000-memory.dmp

memory/2408-99-0x000000013FF70000-0x00000001402C1000-memory.dmp

C:\Windows\system\ofELQEa.exe

MD5 7ce954f7f1455cf2a60f2a5130b67630
SHA1 358fe9a1ffb78a77ce7e67c91024c485b1457d21
SHA256 da2d73a514147dbdb677ab7dd30bd73667505083a51451fb9282a11b4545bae7
SHA512 2c584cd9d639276976bf029fd2cc9b8a380ed627310eef36b781ad6abf7b24c6e2cc36408831fed06b0e922f57054cfd235af3015058bf4aafe66279234e1e27

C:\Windows\system\YoFKoxN.exe

MD5 32bf994f3314905c4a45bc78e8758cd7
SHA1 a23a4febcd5f984af7f893f09118308cf6a2f932
SHA256 b75cdbbf49c2f2b74329043c4aa97f1341101641a2059963ecd3a3f65170eb8e
SHA512 c6153dffebc94c8ace5da588dd1e64ed56bba0629432040ddbc4ce33fa36c9fce9410cfabfdfc8e413a50094f254da9ad945c26c9299425048184a63235b9e35

C:\Windows\system\NLIHibS.exe

MD5 74257ca37b69cd8939e7648018e727bf
SHA1 cf4598b75b8b387dfe4753010fd352f524a3a176
SHA256 ca7fab838cf50cfbce223d7b9284e8111f48b68e43ec8129a92a654c48c820f5
SHA512 6028507c6bbe689114f0782ef0744075e91a22072ebb621fe6fc6207e5ae413823e106229aaa244ed39b3f9d2f4741e1ca2833c4480aff61b97793c0a11ede0a

C:\Windows\system\DetTUXU.exe

MD5 af6fb51512a626b416b284bbe48ec92a
SHA1 be77c73ae373a0e2916200e9d239df784878030c
SHA256 9e10cd9a2deed9ad89001ca4c85e1c8f35df8ac8311ec4c6b74dd1a3c41a03cc
SHA512 0124f610eaa68b55092f5a9d722d3e0afd83445740ccd629880edf4bd77fad8672d9500efad7251f39fca3b6ab7928a40e4fab57ab3e3e393cc255f2eaeec7d9

memory/2408-50-0x0000000002490000-0x00000000027E1000-memory.dmp

memory/1768-48-0x000000013FC30000-0x000000013FF81000-memory.dmp

memory/2408-134-0x000000013F7B0000-0x000000013FB01000-memory.dmp

memory/1768-141-0x000000013FC30000-0x000000013FF81000-memory.dmp

memory/2188-143-0x000000013F570000-0x000000013F8C1000-memory.dmp

memory/2752-145-0x000000013F140000-0x000000013F491000-memory.dmp

memory/2632-151-0x000000013F230000-0x000000013F581000-memory.dmp

memory/564-156-0x000000013F850000-0x000000013FBA1000-memory.dmp

memory/2976-155-0x000000013F460000-0x000000013F7B1000-memory.dmp

memory/2572-154-0x000000013F650000-0x000000013F9A1000-memory.dmp

memory/2512-153-0x000000013FA50000-0x000000013FDA1000-memory.dmp

memory/2560-152-0x000000013F6F0000-0x000000013FA41000-memory.dmp

memory/2520-150-0x000000013F3B0000-0x000000013F701000-memory.dmp

memory/2760-149-0x000000013F3C0000-0x000000013F711000-memory.dmp

memory/2628-147-0x000000013FD00000-0x0000000140051000-memory.dmp

memory/2408-157-0x000000013F7B0000-0x000000013FB01000-memory.dmp

memory/316-209-0x000000013F780000-0x000000013FAD1000-memory.dmp

memory/2580-211-0x000000013F110000-0x000000013F461000-memory.dmp

memory/2936-215-0x000000013F450000-0x000000013F7A1000-memory.dmp

memory/2420-214-0x000000013FCC0000-0x0000000140011000-memory.dmp

memory/1312-217-0x000000013FFB0000-0x0000000140301000-memory.dmp

memory/1768-234-0x000000013FC30000-0x000000013FF81000-memory.dmp

memory/3028-236-0x000000013FB70000-0x000000013FEC1000-memory.dmp

memory/2748-238-0x000000013F920000-0x000000013FC71000-memory.dmp

memory/3044-240-0x000000013FFB0000-0x0000000140301000-memory.dmp

memory/2648-244-0x000000013FF70000-0x00000001402C1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 04:24

Reported

2024-10-27 04:27

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 matches, no per-match detail reported)

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (45 matches, no per-match detail reported)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 matches, no per-match detail reported)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\NOkWqTW.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MKhgWEn.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mRQLVRU.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wMdeBKq.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GPBDtXJ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HRCpIfY.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KCQiTsV.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zZrmOKH.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QdNftHv.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vGlFjMQ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GkLwGdC.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DQhLWsb.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LjQiQzM.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VnwJAtc.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QysedPq.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DgxhDJt.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iRrUCrO.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LYZnAmh.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fHwxncM.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cVfOTwD.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ndrHcns.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4516 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mRQLVRU.exe
PID 4516 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mRQLVRU.exe
PID 4516 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vGlFjMQ.exe
PID 4516 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vGlFjMQ.exe
PID 4516 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GkLwGdC.exe
PID 4516 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GkLwGdC.exe
PID 4516 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DgxhDJt.exe
PID 4516 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DgxhDJt.exe
PID 4516 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wMdeBKq.exe
PID 4516 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wMdeBKq.exe
PID 4516 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GPBDtXJ.exe
PID 4516 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GPBDtXJ.exe
PID 4516 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iRrUCrO.exe
PID 4516 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iRrUCrO.exe
PID 4516 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DQhLWsb.exe
PID 4516 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DQhLWsb.exe
PID 4516 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HRCpIfY.exe
PID 4516 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HRCpIfY.exe
PID 4516 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LjQiQzM.exe
PID 4516 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LjQiQzM.exe
PID 4516 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VnwJAtc.exe
PID 4516 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VnwJAtc.exe
PID 4516 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QysedPq.exe
PID 4516 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QysedPq.exe
PID 4516 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LYZnAmh.exe
PID 4516 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LYZnAmh.exe
PID 4516 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NOkWqTW.exe
PID 4516 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NOkWqTW.exe
PID 4516 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fHwxncM.exe
PID 4516 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fHwxncM.exe
PID 4516 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KCQiTsV.exe
PID 4516 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KCQiTsV.exe
PID 4516 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MKhgWEn.exe
PID 4516 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MKhgWEn.exe
PID 4516 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cVfOTwD.exe
PID 4516 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cVfOTwD.exe
PID 4516 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zZrmOKH.exe
PID 4516 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zZrmOKH.exe
PID 4516 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QdNftHv.exe
PID 4516 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QdNftHv.exe
PID 4516 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ndrHcns.exe
PID 4516 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ndrHcns.exe
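The two tables above are more useful joined than read separately: the "Drops file in Windows directory" rows say what the sample wrote to C:\Windows\System, and the "Suspicious use of WriteProcessMemory" rows say which of those files PID 4516 then started (each child appears twice, with no write sizes or addresses given, which is the shape a plain parent-to-child process start leaves; the report offers no evidence of writes into unrelated processes, so read the table as process-tree evidence rather than as injection). The script below is an added example, not part of the sandbox report; its rows are rebuilt from the two tables (same columns, names and PIDs), and the seven-letter-name check and the child-count threshold in verdict() are this example's assumptions, not the sandbox's own rules.

```python
"""Correlate 'File created' rows with 'PID X wrote to memory of Y' rows to
reconstruct what the sample did: drop N randomly named executables into
C:\\Windows\\System and start each one.

Added example, not part of the sandbox report. The rows are rebuilt from the
report's own tables; RANDOM_NAME_RE and verdict() are this example's assumptions.
"""
import re
from collections import Counter

PARENT = (r"C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73"
          r"_cobalt-strike_cobaltstrike_poet-rat.exe")

DROPPED = ("NOkWqTW MKhgWEn mRQLVRU wMdeBKq GPBDtXJ HRCpIfY KCQiTsV zZrmOKH QdNftHv "
           "vGlFjMQ GkLwGdC DQhLWsb LjQiQzM VnwJAtc QysedPq DgxhDJt iRrUCrO LYZnAmh "
           "fHwxncM cVfOTwD ndrHcns").split()
CHILDREN = [(372, "mRQLVRU"), (4524, "vGlFjMQ"), (4612, "GkLwGdC"), (2780, "DgxhDJt"),
            (2964, "wMdeBKq"), (2204, "GPBDtXJ"), (2184, "iRrUCrO"), (972, "DQhLWsb"),
            (2364, "HRCpIfY"), (1604, "LjQiQzM"), (4744, "VnwJAtc"), (3732, "QysedPq"),
            (2820, "LYZnAmh"), (4316, "NOkWqTW"), (512, "fHwxncM"), (4992, "KCQiTsV"),
            (4820, "MKhgWEn"), (2708, "cVfOTwD"), (5112, "zZrmOKH"), (3372, "QdNftHv"),
            (4496, "ndrHcns")]

# Rows in the exact shape the report prints them; the report lists every
# WriteProcessMemory event twice per child, so the rebuilt table does too.
DROP_ROWS = [f"File created C:\\Windows\\System\\{n}.exe {PARENT} N/A" for n in DROPPED]
WPM_ROWS = [f"PID 4516 wrote to memory of {pid} N/A {PARENT} C:\\Windows\\System\\{n}.exe"
            for pid, n in CHILDREN for _ in range(2)]

DROP_RE = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+) ")
WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ "
                    r"(?P<proc>\S+) (?P<target>\S+)$")
# Assumption: seven ASCII letters plus .exe directly under C:\Windows\System.
RANDOM_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse_drops(rows):
    """Return {dropped_path (lower-cased): creating_process} from 'File created' rows."""
    out = {}
    for row in rows:
        m = DROP_RE.match(row)
        if m:
            out[m["path"].lower()] = m["proc"]
    return out


def parse_writes(rows):
    """Return ({(src_pid, dst_pid): target_image}, Counter of events per pair)."""
    targets, counts = {}, Counter()
    for row in rows:
        m = WPM_RE.match(row)
        if m:
            key = (int(m["src"]), int(m["dst"]))
            targets[key] = m["target"].lower()
            counts[key] += 1
    return targets, counts


def correlate(drop_rows, wpm_rows):
    """Join the two tables: which dropped files became child processes of which parent."""
    drops = parse_drops(drop_rows)
    targets, counts = parse_writes(wpm_rows)
    parents = Counter(src for src, _ in targets)
    executed = {dst: img for (src, dst), img in targets.items() if img in drops}
    random_named = [p for p in drops if RANDOM_NAME_RE.match(p)]
    return {
        "dropped": len(drops),
        "random_named": len(random_named),
        "executed_drops": executed,                 # child pid -> dropped image it runs
        "spawning_parents": dict(parents),          # parent pid -> number of children
        "writes_per_child": {dst: counts[(src, dst)] for src, dst in targets},
    }


def verdict(summary, min_children=5):
    """Assumed threshold: one parent starting >= min_children processes from
    randomly named files it dropped into the Windows directory itself."""
    return any(n >= min_children for n in summary["spawning_parents"].values()) \
        and summary["random_named"] == summary["dropped"]


if __name__ == "__main__":
    s = correlate(DROP_ROWS, WPM_ROWS)
    print(f"{s['dropped']} files dropped, {len(s['executed_drops'])} of them started "
          f"by parent(s) {s['spawning_parents']}; flagged={verdict(s)}")
```

Every one of the 21 dropped files shows up as a WriteProcessMemory target of PID 4516, each with exactly two events, which matches the 21 child entries in the Processes list below.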

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\mRQLVRU.exe

C:\Windows\System\mRQLVRU.exe

C:\Windows\System\vGlFjMQ.exe

C:\Windows\System\vGlFjMQ.exe

C:\Windows\System\GkLwGdC.exe

C:\Windows\System\GkLwGdC.exe

C:\Windows\System\DgxhDJt.exe

C:\Windows\System\DgxhDJt.exe

C:\Windows\System\wMdeBKq.exe

C:\Windows\System\wMdeBKq.exe

C:\Windows\System\GPBDtXJ.exe

C:\Windows\System\GPBDtXJ.exe

C:\Windows\System\iRrUCrO.exe

C:\Windows\System\iRrUCrO.exe

C:\Windows\System\DQhLWsb.exe

C:\Windows\System\DQhLWsb.exe

C:\Windows\System\HRCpIfY.exe

C:\Windows\System\HRCpIfY.exe

C:\Windows\System\LjQiQzM.exe

C:\Windows\System\LjQiQzM.exe

C:\Windows\System\VnwJAtc.exe

C:\Windows\System\VnwJAtc.exe

C:\Windows\System\QysedPq.exe

C:\Windows\System\QysedPq.exe

C:\Windows\System\LYZnAmh.exe

C:\Windows\System\LYZnAmh.exe

C:\Windows\System\NOkWqTW.exe

C:\Windows\System\NOkWqTW.exe

C:\Windows\System\fHwxncM.exe

C:\Windows\System\fHwxncM.exe

C:\Windows\System\KCQiTsV.exe

C:\Windows\System\KCQiTsV.exe

C:\Windows\System\MKhgWEn.exe

C:\Windows\System\MKhgWEn.exe

C:\Windows\System\cVfOTwD.exe

C:\Windows\System\cVfOTwD.exe

C:\Windows\System\zZrmOKH.exe

C:\Windows\System\zZrmOKH.exe

C:\Windows\System\QdNftHv.exe

C:\Windows\System\QdNftHv.exe

C:\Windows\System\ndrHcns.exe

C:\Windows\System\ndrHcns.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
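Most of the Network table is resolver noise: the in-addr.arpa queries to 8.8.8.8 are reverse (PTR) lookups for addresses the VM talked to (10.27.171.150.in-addr.arpa is the bing.net address in the same table, octets reversed), and tse1.mm.bing.net is Windows background traffic. What is left is six TCP connections to 3.120.209.58:8080 with an empty Domain column, that is, a connection made by bare IP with no name resolved first. The report tags both Cobalt Strike and XMRig but does not say which component made that connection, so it is a candidate to confirm from the pcap, not a confirmed C2 or pool address. The script below is an added example, not part of the report; NETWORK_ROWS is copied from the table above, and the three-hit threshold in beacon_candidates() is this example's assumption.

```python
"""Summarise the sandbox 'Network' table: separate DNS noise (PTR lookups for
addresses the VM talked to) from direct connections, and surface destinations
reached repeatedly by bare IP with no name resolved for them.

Added example, not part of the report. NETWORK_ROWS is copied from the
report's table; the min_hits threshold is this example's assumption.
"""
from collections import Counter, defaultdict

NETWORK_ROWS = """\
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
""".splitlines()


def parse_row(row):
    """'CC ip:port [domain] proto' -> dict; the Domain column is absent for bare-IP connects."""
    parts = row.split()
    if len(parts) == 3:
        country, dest, proto = parts
        domain = None
    elif len(parts) == 4:
        country, dest, domain, proto = parts
    else:
        raise ValueError(f"unexpected row: {row!r}")
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def ptr_to_ip(name):
    """'232.168.11.51.in-addr.arpa' -> '51.11.168.232' (PTR names carry the octets reversed)."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def summarise(rows):
    """Split rows into PTR lookups, forward lookups and per-destination connect counts."""
    ptr_lookups, forward_lookups, connects = [], [], Counter()
    names_for_ip = defaultdict(set)        # ip -> domains the report associates with it
    for e in (parse_row(r) for r in rows):
        if e["port"] == 53 and e["proto"] == "udp" and e["domain"]:
            ip = ptr_to_ip(e["domain"])
            (ptr_lookups if ip else forward_lookups).append(ip or e["domain"])
            continue
        connects[(e["ip"], e["port"], e["proto"])] += 1
        if e["domain"]:
            names_for_ip[e["ip"]].add(e["domain"])
    return {"ptr_lookups": ptr_lookups, "forward_lookups": forward_lookups,
            "connects": dict(connects), "names_for_ip": dict(names_for_ip)}


def beacon_candidates(summary, min_hits=3):
    """Assumed heuristic: repeated connects to an IP that no DNS name was resolved for."""
    return sorted((ip, port, proto, n) for (ip, port, proto), n in summary["connects"].items()
                  if n >= min_hits and ip not in summary["names_for_ip"])


if __name__ == "__main__":
    s = summarise(NETWORK_ROWS)
    print(len(s["ptr_lookups"]), "PTR lookups for", s["ptr_lookups"])
    print("connects:", s["connects"])
    print("bare-IP repeat connects:", beacon_candidates(s))
```

Note what the PTR list does not contain: there is no 58.209.120.3.in-addr.arpa query, so unlike the bing.net address, 3.120.209.58 was never reverse-resolved by the VM; the table alone does not say why.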

Files

memory/4516-0-0x00007FF7219E0000-0x00007FF721D31000-memory.dmp

memory/4516-1-0x00000205CFE60000-0x00000205CFE70000-memory.dmp

C:\Windows\System\mRQLVRU.exe

MD5 41ec2fc56131d536fb6389562c289205
SHA1 f0fb645c218089b483d2051e365b035e3bd836f3
SHA256 a56518c1a7bed7091dde2a35111aa668e71d8f91117ddc259e669b035a8c2acd
SHA512 50e3c459acde9acf9472c52374ba4210ea774d37f4a80d98db2b02f8e3b210d3c1344fc9df8c7cae13d283b968d7ba44dbc3025b5cfa6b1fc2d266dcdf8f40e6

C:\Windows\System\GkLwGdC.exe

MD5 0fbeb471a644231f4410d7d29fade268
SHA1 afbead12b0fe5b8167640cf1c8623a2a62e8ab57
SHA256 a37303f66b38b3e1291767ca42f8cb5afa9e3a804b3c8dc69c9b22d47210a761
SHA512 65393efa2b57848f4de1f04504873d989955ab5e44fb813fdc2bf5057f4927294eebcfcb607af49fd2b692ac3160f665318fd7f6c7982a5a83ff615cf2c5978c

memory/372-7-0x00007FF6F5060000-0x00007FF6F53B1000-memory.dmp

C:\Windows\System\vGlFjMQ.exe

MD5 49e4ea8d05e643feee9bba73735c958f
SHA1 ff7ed2156b905fb87a00b16e5ee66f3ea476de55
SHA256 9e59ce1675204e88c2479a73357ac92b4068470a4ad0695e1239d2ac8d3a5a42
SHA512 219d2f7b375d5593deb30b2f1d372e7ea8565d3d4024a3fc81e8e1e85a26ac8466ae7567f339468247fc267ad510267f290786cc4e462034ddb8e0a03828b98f

memory/4524-12-0x00007FF66A930000-0x00007FF66AC81000-memory.dmp

memory/4612-20-0x00007FF68DD50000-0x00007FF68E0A1000-memory.dmp

C:\Windows\System\wMdeBKq.exe

MD5 3591026ef9fe2232a8cee7850b34f944
SHA1 1546702addf32c7a3107264902b272f0235c9579
SHA256 ff29eac87170eece6e7d2b654415f43704fa050ecf5004ac3d8ffd69c4ed4eb6
SHA512 0fa218b59771445a08be01345df7fc0d3ee46071f625b3657dea10d3ebfbccbf15973874acbf7c1c687ef761d4be738369d660a04a8831d073fe3aeddde39b72

memory/2780-26-0x00007FF737950000-0x00007FF737CA1000-memory.dmp

C:\Windows\System\DgxhDJt.exe

MD5 e7ab49e273cc6abfec5ba44e0657b222
SHA1 7c87fe9a470d0cff16d2678e9b6ba2a2fa788283
SHA256 24af2bf4e2f2d01a4df9f45684785e190379ea157e2662fea346967d875ed835
SHA512 f1af31fc5849664683f4c564d6fbdd03ed8378a70634288924c7882fb2117e4756960afab2042fe8bca5e7e9aea4f544947b87a69dfb630db582e3ab7325af0d

C:\Windows\System\GPBDtXJ.exe

MD5 5bd69306bfe3a3bb3dd7b1946bb97557
SHA1 1de90c05b54a18757e054ebae9dca2034ade5d20
SHA256 ebbba21aa8ada1b3b226cd1e0a2060152b6042ae1491766b202a794844210091
SHA512 5e255ba9cd0559ef5ce1532c96d298681cc3f9fd5ee1b73b61f3ac25448dc9bf3df43dee1699398b3c3a8cf6fa5780fb1ad35c29adfc55646ac1b4c68393efe8

memory/2964-35-0x00007FF78B600000-0x00007FF78B951000-memory.dmp

C:\Windows\System\iRrUCrO.exe

MD5 4ce1915625b6b9ca3e07c1373bbf3cd7
SHA1 393982f93d4fcd8a3ec19c1f0273e19120b95c08
SHA256 7b065bb2eea17c40a5d9a1c85ca3f7dfec037296f8a896a358e621761f1c1a9f
SHA512 9030b64ff1e4bd40f6366cb334682cd759e6e13034511a75f15b9480c32d46cdc97846a8c3b6672229b54fdb456a20ff0c949a076e2a578766a0aefbd23ea0e3

C:\Windows\System\HRCpIfY.exe

MD5 84200ff8311afd0d50c67a30e139911a
SHA1 c05cc42b768356e0a2c0615329b0824c103df9c0
SHA256 56d2a047bc0f123e1b006042958dea1b681ef744c42bee2fbf4098193f4405dc
SHA512 27306e01381f89b8cfad5863a815edee7fe7de3570c66568947791d0c274866ae9f5b4b67442ccadd755087681ec88835f107034279133b55115a641545d7dc4

memory/2364-51-0x00007FF74A320000-0x00007FF74A671000-memory.dmp

memory/4516-60-0x00007FF7219E0000-0x00007FF721D31000-memory.dmp

C:\Windows\System\VnwJAtc.exe

MD5 e5c90b80ac23cd41376519717edf380a
SHA1 b409fb49d2cf05bd2f4206bb30fd260568f2ec68
SHA256 6f9a455a7a91f3fe33f6659418f220a1533f564eb83f300f5be44c2aefefdca6
SHA512 594c95cc93102c4f3a00f7ae1eed0c9107ee9d27f5287df1457e8ddcfe7aebcb3633866dfb7bac8ec98923fffe787823a570eecf81b55571a97be37002dbdca7

memory/4744-67-0x00007FF6C8130000-0x00007FF6C8481000-memory.dmp

memory/372-66-0x00007FF6F5060000-0x00007FF6F53B1000-memory.dmp

C:\Windows\System\LjQiQzM.exe

MD5 28c2a268709f39979e61fa35b569b919
SHA1 df03f63deb6c1ba0d1dc9f6ead12fcb1030d0356
SHA256 db3904f18d71ba50820db0cccd4cc274637fb53d5455f336cb9beddcf8627ca8
SHA512 48099b94dac5d219bc4e8d58ad705d37d54240e100715d0e114b008501fdc237c9302e8e1a926f21c00a8bbd21e6b11051d0abc5cd053d3a211887b52f91ceb5

memory/1604-62-0x00007FF7655F0000-0x00007FF765941000-memory.dmp

C:\Windows\System\DQhLWsb.exe

MD5 cf441bfa7e65c48abdc919b69694f922
SHA1 ad5874b4a5881ecefdada7f0fd18e4024f6ef765
SHA256 d92152641b93e00afbbe8c37c2e0069b1aece73a3b7789eff664bc7700d2ecd4
SHA512 e93c4678e183fb37dabaa308957ac1ba8eeb7d524e40088f7361a64c8f3d23a1188bd46713b52e9a68f7f5c553c8ab73a0ec698f7fa646035732d130479a708d

memory/972-50-0x00007FF6A1AB0000-0x00007FF6A1E01000-memory.dmp

memory/2184-44-0x00007FF7DD820000-0x00007FF7DDB71000-memory.dmp

memory/2204-43-0x00007FF6E7CD0000-0x00007FF6E8021000-memory.dmp

memory/4524-70-0x00007FF66A930000-0x00007FF66AC81000-memory.dmp

C:\Windows\System\QysedPq.exe

MD5 f0452a0a7130ef39a2095cbb0494b57f
SHA1 d1cc189f678a795fc3d4a324bf0ac967ca77f313
SHA256 eaa6ed4b56dc6285f413a27835b8b3bbf7a45bee29f7c9432b6acb75dab3df3b
SHA512 c07dbe7c95c3a41ed4bebcf57034a174c8f8e171f73290500abb94e506a2614637df7036fbad8fbbe80e4c77173e1b35cebda77404b77564f4f41ef6ca474faf

memory/3732-75-0x00007FF635B10000-0x00007FF635E61000-memory.dmp

C:\Windows\System\LYZnAmh.exe

MD5 04aa99884df19bc2a35ef0303678996f
SHA1 08e4f84b64886d110596e884000af0ae3dd23494
SHA256 9f0a0fd1972997f1cea5e31518a8a67fe168d0d98ae864c8b4e1d9c4db00069a
SHA512 aa663002b0808b99f488fc86db7f40fd12f7e0b8a13d7f59dd533b12ac5e2ab129c397d605b330eb7acd0bd5f232c51507be09304cbb35b0f3074d2b1f3164aa

memory/2820-86-0x00007FF6E3DC0000-0x00007FF6E4111000-memory.dmp

C:\Windows\System\fHwxncM.exe

MD5 aa7ea32bb0ffeb0c891eb76e3f5822da
SHA1 f58f65830c9cd91d137313cf642a67bd0140323f
SHA256 971983d40235071bdfeb193040e9c1c681f97ccad1bc730c4c8543b290e823ce
SHA512 8f43d0a06274080ff3cc3f51c93ff2cfdda50cca3e6e20e09ad998992a8d098a5e20aeedbeea9896a3e6efe8d41d5887e7a94470643f86cdf76255cc3444b51b

C:\Windows\System\NOkWqTW.exe

MD5 84951bceaaf1a164418d439bfe8dea24
SHA1 0ba5a3f1a613267d9dc52a1788ae6066e27cd073
SHA256 4fbcbcbd36a28bbdb3f9f7e28ec58e3197804259638946690cf6b9f42b73210f
SHA512 e2573decc80e3b68b44df1dd3ded48221ec6f4a193be649a8b38abd7c5c28bf5527e57478da1c26f190fc5a1b05c9f7248352d68a6cd5fb347f2762ee5a5781e

memory/4316-95-0x00007FF67B6D0000-0x00007FF67BA21000-memory.dmp

C:\Windows\System\MKhgWEn.exe

MD5 da3d556930b03ea63f54d1e77f313345
SHA1 bd77a2e54d1044ae1302c29d676698eb1b40ec26
SHA256 318e48ed9e7305c55ebd954e283e073392e61b3b4e7a5db3c74d492d16293923
SHA512 09fe4903913a16f56a44abd2adecfb3418aa24177b1b8f0b6b5268d522a1fb22c8f39f70b8a0a04f887553ee46f247fcac94aabbe2d804ec7f323f56fd3c20e3

memory/2964-113-0x00007FF78B600000-0x00007FF78B951000-memory.dmp

memory/4820-116-0x00007FF74A220000-0x00007FF74A571000-memory.dmp

memory/4992-118-0x00007FF6C6D20000-0x00007FF6C7071000-memory.dmp

memory/5112-120-0x00007FF7F4BC0000-0x00007FF7F4F11000-memory.dmp

memory/2184-119-0x00007FF7DD820000-0x00007FF7DDB71000-memory.dmp

memory/2708-117-0x00007FF78B5D0000-0x00007FF78B921000-memory.dmp

C:\Windows\System\zZrmOKH.exe

MD5 8207ad73776225da657854da82fed1df
SHA1 d7db7b1a2fbd171360162e062f2f56138b792bd0
SHA256 15f4f5f95494c7f93d222098a2214f2771c2cfcba641dd8e121e0f134622bef4
SHA512 61b66a547622a1c8437982a084da266889c6f160b02eee7fe9cb46ed4f95ed76a18de94e94868ff36f6b0957edf6e74b6613c2e74a88ef59cc1d81010a1735dc

memory/512-114-0x00007FF62BD10000-0x00007FF62C061000-memory.dmp

C:\Windows\System\cVfOTwD.exe

MD5 222f22dea2210524fb9beab7a35f83f0
SHA1 9d148d8b5f651dfb0480ed749870931a45ccb5e9
SHA256 732af093dc0be8eea3b1d8294739de4416988f59b30027ecfdad5240e02e075b
SHA512 20efc86e4e58d88b5ca5eae0ab5775cc18cab8de8ed26d800bac494bc80a105008ee7fe05a05b5b55e7b0f1bc74936afece9fd830c4672a3eb73d08121c17490

C:\Windows\System\KCQiTsV.exe

MD5 1eaeb46198548a7b0ac38f28bc432f98
SHA1 d56a60055b82fafbd061cfcbfb8fd5c5304df8c8
SHA256 3b2b674d1f08387582d88b5a73b10d996a7ad511ab4eae2d975e877e01dd7edd
SHA512 77e5f11d0160855e61fc7a9037035c2c20309edc118a8c1f213e8de99f484c28873def1c47900743064025ef77573e5e30fdd8f8fdb7a2042fbcb20024999dc3

memory/2204-89-0x00007FF6E7CD0000-0x00007FF6E8021000-memory.dmp

memory/2780-88-0x00007FF737950000-0x00007FF737CA1000-memory.dmp

memory/4612-82-0x00007FF68DD50000-0x00007FF68E0A1000-memory.dmp

memory/972-133-0x00007FF6A1AB0000-0x00007FF6A1E01000-memory.dmp

memory/4744-136-0x00007FF6C8130000-0x00007FF6C8481000-memory.dmp

C:\Windows\System\QdNftHv.exe

MD5 0e0fe668542a1061d86b2dd76e73d6f1
SHA1 e32a8003022eb8cffa3eade5d370773be5f42f2e
SHA256 c87fcda703358ba8aba9491f78c10e582154a4b5a4bad5c9d3c731e518f5da43
SHA512 a987a530985e57dc489afb4c7ef66c9ee7c81b3e7dd96b1a21ba6066bbbbcfe5fcc143827b9e06d4ef360aa367c1e0133cf2f9e8d5669c65929f2769745a2c02

C:\Windows\System\ndrHcns.exe

MD5 cc366d2d8d4077fff8e6b550dd1bce99
SHA1 3772aa184281ec10fb1510688b19e05bd82d73b5
SHA256 940c0aaca5802dcf9e402b97ea02d823c406f434d92963236c3b47d6a8999817
SHA512 f3d36acd66084b12946f1074e706404d2f330ff2c910d34c5d08975534f95c5659691cbba2dc1989801a08be610a7b09e7540bd42d0597a5c24e02fe1b5c1c31

memory/4496-147-0x00007FF611980000-0x00007FF611CD1000-memory.dmp

memory/3372-144-0x00007FF639440000-0x00007FF639791000-memory.dmp

memory/1604-135-0x00007FF7655F0000-0x00007FF765941000-memory.dmp

memory/2364-134-0x00007FF74A320000-0x00007FF74A671000-memory.dmp

memory/3732-148-0x00007FF635B10000-0x00007FF635E61000-memory.dmp

memory/2820-149-0x00007FF6E3DC0000-0x00007FF6E4111000-memory.dmp

memory/2708-156-0x00007FF78B5D0000-0x00007FF78B921000-memory.dmp

memory/5112-157-0x00007FF7F4BC0000-0x00007FF7F4F11000-memory.dmp

memory/4516-158-0x00007FF7219E0000-0x00007FF721D31000-memory.dmp

memory/3372-162-0x00007FF639440000-0x00007FF639791000-memory.dmp

memory/4496-173-0x00007FF611980000-0x00007FF611CD1000-memory.dmp

memory/372-209-0x00007FF6F5060000-0x00007FF6F53B1000-memory.dmp

memory/4524-211-0x00007FF66A930000-0x00007FF66AC81000-memory.dmp

memory/4612-221-0x00007FF68DD50000-0x00007FF68E0A1000-memory.dmp

memory/2780-223-0x00007FF737950000-0x00007FF737CA1000-memory.dmp

memory/2964-227-0x00007FF78B600000-0x00007FF78B951000-memory.dmp

memory/2204-226-0x00007FF6E7CD0000-0x00007FF6E8021000-memory.dmp

memory/972-231-0x00007FF6A1AB0000-0x00007FF6A1E01000-memory.dmp

memory/2184-234-0x00007FF7DD820000-0x00007FF7DDB71000-memory.dmp

memory/1604-235-0x00007FF7655F0000-0x00007FF765941000-memory.dmp

memory/2364-230-0x00007FF74A320000-0x00007FF74A671000-memory.dmp

memory/4744-239-0x00007FF6C8130000-0x00007FF6C8481000-memory.dmp

memory/3732-246-0x00007FF635B10000-0x00007FF635E61000-memory.dmp

memory/2820-248-0x00007FF6E3DC0000-0x00007FF6E4111000-memory.dmp

memory/4316-253-0x00007FF67B6D0000-0x00007FF67BA21000-memory.dmp

memory/512-255-0x00007FF62BD10000-0x00007FF62C061000-memory.dmp

memory/4992-257-0x00007FF6C6D20000-0x00007FF6C7071000-memory.dmp

memory/4820-259-0x00007FF74A220000-0x00007FF74A571000-memory.dmp

memory/5112-261-0x00007FF7F4BC0000-0x00007FF7F4F11000-memory.dmp

memory/2708-263-0x00007FF78B5D0000-0x00007FF78B921000-memory.dmp

memory/3372-268-0x00007FF639440000-0x00007FF639791000-memory.dmp

memory/4496-270-0x00007FF611980000-0x00007FF611CD1000-memory.dmp