Malware Analysis Report

2025-08-06 02:06

Sample ID 241027-e6931atenb
Target 2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat
SHA256 a46c616f9f113294a8bbe7db4c3d5102805abbab78d747a3a6752ce2a15006b6
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a46c616f9f113294a8bbe7db4c3d5102805abbab78d747a3a6752ce2a15006b6

Threat Level: Known bad

The file 2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike

Cobaltstrike family

XMRig Miner payload

Cobalt Strike reflective loader

xmrig

Xmrig family

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-10-27 04:34

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 04:34

Reported

2024-10-27 04:36

Platform

win7-20241010-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\QqtTUTW.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bGQssQH.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fwGhAPA.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lEYykPZ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fOPiDzY.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hjPquFn.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YmKNfUq.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WSCqWsH.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SdVxgiL.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uQkshDF.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mquPQIX.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TAZVylb.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lYRZdRa.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XkcILPv.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dSUBEmy.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FCERGWZ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uPPyebN.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gtxAIvM.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KXMYMgK.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CKuHHgU.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zRMvMXv.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2844 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FCERGWZ.exe
PID 2844 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uPPyebN.exe
PID 2844 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gtxAIvM.exe
PID 2844 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mquPQIX.exe
PID 2844 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KXMYMgK.exe
PID 2844 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CKuHHgU.exe
PID 2844 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TAZVylb.exe
PID 2844 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WSCqWsH.exe
PID 2844 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bGQssQH.exe
PID 2844 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lYRZdRa.exe
PID 2844 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fwGhAPA.exe
PID 2844 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lEYykPZ.exe
PID 2844 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fOPiDzY.exe
PID 2844 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hjPquFn.exe
PID 2844 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zRMvMXv.exe
PID 2844 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XkcILPv.exe
PID 2844 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SdVxgiL.exe
PID 2844 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YmKNfUq.exe
PID 2844 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QqtTUTW.exe
PID 2844 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uQkshDF.exe
PID 2844 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dSUBEmy.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\FCERGWZ.exe

C:\Windows\System\FCERGWZ.exe

C:\Windows\System\uPPyebN.exe

C:\Windows\System\uPPyebN.exe

C:\Windows\System\gtxAIvM.exe

C:\Windows\System\gtxAIvM.exe

C:\Windows\System\mquPQIX.exe

C:\Windows\System\mquPQIX.exe

C:\Windows\System\KXMYMgK.exe

C:\Windows\System\KXMYMgK.exe

C:\Windows\System\CKuHHgU.exe

C:\Windows\System\CKuHHgU.exe

C:\Windows\System\TAZVylb.exe

C:\Windows\System\TAZVylb.exe

C:\Windows\System\WSCqWsH.exe

C:\Windows\System\WSCqWsH.exe

C:\Windows\System\bGQssQH.exe

C:\Windows\System\bGQssQH.exe

C:\Windows\System\lYRZdRa.exe

C:\Windows\System\lYRZdRa.exe

C:\Windows\System\fwGhAPA.exe

C:\Windows\System\fwGhAPA.exe

C:\Windows\System\lEYykPZ.exe

C:\Windows\System\lEYykPZ.exe

C:\Windows\System\fOPiDzY.exe

C:\Windows\System\fOPiDzY.exe

C:\Windows\System\hjPquFn.exe

C:\Windows\System\hjPquFn.exe

C:\Windows\System\zRMvMXv.exe

C:\Windows\System\zRMvMXv.exe

C:\Windows\System\XkcILPv.exe

C:\Windows\System\XkcILPv.exe

C:\Windows\System\SdVxgiL.exe

C:\Windows\System\SdVxgiL.exe

C:\Windows\System\YmKNfUq.exe

C:\Windows\System\YmKNfUq.exe

C:\Windows\System\QqtTUTW.exe

C:\Windows\System\QqtTUTW.exe

C:\Windows\System\uQkshDF.exe

C:\Windows\System\uQkshDF.exe

C:\Windows\System\dSUBEmy.exe

C:\Windows\System\dSUBEmy.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2084-230-0x000000013FE30000-0x0000000140181000-memory.dmp

memory/2796-232-0x000000013F530000-0x000000013F881000-memory.dmp

memory/2640-234-0x000000013F1E0000-0x000000013F531000-memory.dmp

memory/2708-236-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

memory/2108-238-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/1000-255-0x000000013F7D0000-0x000000013FB21000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 04:34

Reported

2024-10-27 04:36

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 matches; the report records no per-match indicator detail)

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (45 matches; the report records no per-match indicator detail)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 matches; the report records no per-match indicator detail)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\XkcILPv.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SdVxgiL.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QqtTUTW.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KXMYMgK.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CKuHHgU.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lEYykPZ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mquPQIX.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uQkshDF.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hjPquFn.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zRMvMXv.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YmKNfUq.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dSUBEmy.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uPPyebN.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WSCqWsH.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fwGhAPA.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bGQssQH.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lYRZdRa.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fOPiDzY.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FCERGWZ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gtxAIvM.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TAZVylb.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5000 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FCERGWZ.exe
PID 5000 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FCERGWZ.exe
PID 5000 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uPPyebN.exe
PID 5000 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uPPyebN.exe
PID 5000 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gtxAIvM.exe
PID 5000 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gtxAIvM.exe
PID 5000 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mquPQIX.exe
PID 5000 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mquPQIX.exe
PID 5000 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KXMYMgK.exe
PID 5000 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KXMYMgK.exe
PID 5000 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CKuHHgU.exe
PID 5000 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CKuHHgU.exe
PID 5000 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TAZVylb.exe
PID 5000 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TAZVylb.exe
PID 5000 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WSCqWsH.exe
PID 5000 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WSCqWsH.exe
PID 5000 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bGQssQH.exe
PID 5000 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bGQssQH.exe
PID 5000 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lYRZdRa.exe
PID 5000 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lYRZdRa.exe
PID 5000 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fwGhAPA.exe
PID 5000 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fwGhAPA.exe
PID 5000 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lEYykPZ.exe
PID 5000 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lEYykPZ.exe
PID 5000 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fOPiDzY.exe
PID 5000 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fOPiDzY.exe
PID 5000 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hjPquFn.exe
PID 5000 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hjPquFn.exe
PID 5000 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zRMvMXv.exe
PID 5000 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zRMvMXv.exe
PID 5000 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XkcILPv.exe
PID 5000 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XkcILPv.exe
PID 5000 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SdVxgiL.exe
PID 5000 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SdVxgiL.exe
PID 5000 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YmKNfUq.exe
PID 5000 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YmKNfUq.exe
PID 5000 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QqtTUTW.exe
PID 5000 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QqtTUTW.exe
PID 5000 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uQkshDF.exe
PID 5000 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uQkshDF.exe
PID 5000 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dSUBEmy.exe
PID 5000 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dSUBEmy.exe
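Cross-checking the two tables above with a short script (an added example; it is not part of the sandbox report or its tooling). The embedded rows are copied from the tables, five of the 21 drops and their matching write events; the parsing regexes and the Temp-to-Windows rule are this example's own. What it shows: every image the sample writes under C:\Windows\System is then started as a child of PID 5000, and every WriteProcessMemory event targets one of those freshly created children, two events per child, with the writer being the same image that dropped the file. That pattern is consistent with the writes that accompany ordinary process creation rather than injection into an unrelated process; the report lists no target outside the sample's own children. The durable detection is the drop itself: a binary running from a user's Temp directory creating executables under C:\Windows\, here in the legacy C:\Windows\System directory, which is rarely written to in normal operation.

```python
"""Correlate dropped files with the parent's WriteProcessMemory targets.

Added example: the rows are copied from the tables above; the parsing and the
Temp-to-Windows rule are this example's own, not the sandbox's logic."""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe")

# Five of the 21 "Drops file in Windows directory" rows, verbatim.
DROP_ROWS = [
    f"File created C:\\Windows\\System\\XkcILPv.exe {SAMPLE} N/A",
    f"File created C:\\Windows\\System\\SdVxgiL.exe {SAMPLE} N/A",
    f"File created C:\\Windows\\System\\lEYykPZ.exe {SAMPLE} N/A",
    f"File created C:\\Windows\\System\\TAZVylb.exe {SAMPLE} N/A",
    f"File created C:\\Windows\\System\\FCERGWZ.exe {SAMPLE} N/A",
]
# The matching "Suspicious use of WriteProcessMemory" rows; each child appears twice.
WRITE_ROWS = [
    f"PID 5000 wrote to memory of {pid} N/A {SAMPLE} C:\\Windows\\System\\{name}"
    for pid, name in [(5024, "XkcILPv.exe"), (1744, "SdVxgiL.exe"), (5116, "lEYykPZ.exe"),
                      (2000, "TAZVylb.exe"), (4256, "FCERGWZ.exe")]
    for _ in range(2)
]

DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_drops(rows):
    """Map lower-cased dropped path -> image that created it."""
    drops = {}
    for row in rows:
        m = DROP_RE.match(row)
        if m:
            drops[m.group(1).lower()] = m.group(2)
    return drops


def parse_writes(rows):
    """Map lower-cased target image -> writer pid, target pid, writer image, event count."""
    events = {}
    for row in rows:
        m = WRITE_RE.match(row)
        if not m:
            continue
        writer_pid, target_pid, writer_img, target_img = m.groups()
        e = events.setdefault(target_img.lower(), {
            "writer_pid": int(writer_pid), "target_pid": int(target_pid),
            "writer": writer_img, "events": 0})
        e["events"] += 1
    return events


def correlate(drop_rows, write_rows):
    """One record per dropped file: was it started, under which pid, how many write events."""
    drops, writes = parse_drops(drop_rows), parse_writes(write_rows)
    records = []
    for path, dropper in drops.items():
        w = writes.get(path)
        records.append({
            "path": path,
            "executed": w is not None,
            "child_pid": w["target_pid"] if w else None,
            "write_events": w["events"] if w else 0,
            # True when the process writing into the child is the one that dropped its image
            "writer_is_dropper": w is not None and w["writer"].lower() == dropper.lower(),
        })
    return records


def temp_to_windows_drops(drop_rows):
    """Executables created under C:/Windows/ by an image running from a user Temp directory."""
    return sorted(path for path, dropper in parse_drops(drop_rows).items()
                  if path.startswith("c:\\windows\\")
                  and "\\appdata\\local\\temp\\" in dropper.lower())


if __name__ == "__main__":
    for rec in correlate(DROP_ROWS, WRITE_ROWS):
        print(rec)
    print("rule hits:", temp_to_windows_drops(DROP_ROWS))
```

Running it prints one record per drop with `executed`, `write_events == 2` and `writer_is_dropper == True`, then the five paths the Temp-to-Windows rule would flag.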

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe "C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\FCERGWZ.exe C:\Windows\System\FCERGWZ.exe
C:\Windows\System\uPPyebN.exe C:\Windows\System\uPPyebN.exe
C:\Windows\System\gtxAIvM.exe C:\Windows\System\gtxAIvM.exe
C:\Windows\System\mquPQIX.exe C:\Windows\System\mquPQIX.exe
C:\Windows\System\KXMYMgK.exe C:\Windows\System\KXMYMgK.exe
C:\Windows\System\CKuHHgU.exe C:\Windows\System\CKuHHgU.exe
C:\Windows\System\TAZVylb.exe C:\Windows\System\TAZVylb.exe
C:\Windows\System\WSCqWsH.exe C:\Windows\System\WSCqWsH.exe
C:\Windows\System\bGQssQH.exe C:\Windows\System\bGQssQH.exe
C:\Windows\System\lYRZdRa.exe C:\Windows\System\lYRZdRa.exe
C:\Windows\System\fwGhAPA.exe C:\Windows\System\fwGhAPA.exe
C:\Windows\System\lEYykPZ.exe C:\Windows\System\lEYykPZ.exe
C:\Windows\System\fOPiDzY.exe C:\Windows\System\fOPiDzY.exe
C:\Windows\System\hjPquFn.exe C:\Windows\System\hjPquFn.exe
C:\Windows\System\zRMvMXv.exe C:\Windows\System\zRMvMXv.exe
C:\Windows\System\XkcILPv.exe C:\Windows\System\XkcILPv.exe
C:\Windows\System\SdVxgiL.exe C:\Windows\System\SdVxgiL.exe
C:\Windows\System\YmKNfUq.exe C:\Windows\System\YmKNfUq.exe
C:\Windows\System\QqtTUTW.exe C:\Windows\System\QqtTUTW.exe
C:\Windows\System\uQkshDF.exe C:\Windows\System\uQkshDF.exe
C:\Windows\System\dSUBEmy.exe C:\Windows\System\dSUBEmy.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
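Separating the network rows into sandbox background and candidate C2 (an added example, not the report's own code). The table is embedded verbatim; the allowlist of reverse-DNS lookups and Bing hosts is an analyst assumption for this Windows 10 image, not something the report states. What remains after filtering is a single direct-to-IP destination, 3.120.209.58:8080 over TCP with no preceding DNS resolution, contacted six times inside the 148 s network window. The report does not say what protocol ran over that connection, so treat it as a candidate beacon address to block and hunt for, not as confirmed Cobalt Strike C2.

```python
"""Split a sandbox network table into OS background traffic and candidate C2.

Added example, not sandbox code. The table is the "Network" section above; the
background allowlist is this example's assumption for a Windows 10 image."""
from collections import Counter

# Copied verbatim; rows without a domain have three fields instead of four.
NETWORK_TABLE = """\
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""

# Assumption: PTR lookups and Microsoft/Bing hosts appear in every detonation on
# this sandbox image and are not attributable to the sample.
BACKGROUND_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")


def parse_network(text):
    """Parse 'country dst [domain] proto' rows into dicts; domain is '' when absent."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dst, domain, proto = parts
        elif len(parts) == 3:
            (country, dst, proto), domain = parts, ""
        else:
            continue
        rows.append({"country": country, "dst": dst, "domain": domain, "proto": proto})
    return rows


def is_background(row):
    """True for rows explained by the allowlisted OS background names."""
    return row["domain"].endswith(BACKGROUND_SUFFIXES)


def triage(text):
    """Count background rows and tally the remaining (dst, proto) pairs."""
    rows = parse_network(text)
    candidates = Counter()
    direct_ip = set()
    for r in rows:
        if is_background(r):
            continue
        candidates[(r["dst"], r["proto"])] += 1
        if not r["domain"]:  # contacted by address, never resolved by name
            direct_ip.add(r["dst"])
    return {"total": len(rows), "background": sum(map(is_background, rows)),
            "candidates": dict(candidates), "direct_ip": sorted(direct_ip)}


if __name__ == "__main__":
    print(triage(NETWORK_TABLE))
```

The output for this table is 25 rows, 19 of them background, and one candidate, `('3.120.209.58:8080', 'tcp')` with a count of 6, flagged as direct-to-IP.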

Files

memory/5000-0-0x00007FF75CDF0000-0x00007FF75D141000-memory.dmp

memory/5000-1-0x0000022F03560000-0x0000022F03570000-memory.dmp

C:\Windows\System\gtxAIvM.exe

MD5 d489716cb29ebdfc60c6cfd8a6b188e3
SHA1 35b0b385c224e5c0afe0e2aec22a1bbe4f33e652
SHA256 083858a645f2d2425021ec643c4b87a1473e99e1f019467dfa9a35c918a7cd5c
SHA512 5ea29534e4785213585fbb3e65617db9eaf7c008881253402cf0b294543c001b7828ca9677eb895ec7088ea19de15b4293c683a206f07cd45c2e0df65ce6ad3b

C:\Windows\System\mquPQIX.exe

MD5 e9883eb7aab545627b9bf2afd1da6d8c
SHA1 7a0058d3fcd57481a7752125c8228dca2d9162d5
SHA256 0aeef98a7da22b309c79affabf88f93a9d366cb7778c08f2fffdc3497c18fe73
SHA512 6aa86962a64c6ad9c9d8dbf191d2c02398bb6bfb921cd1b4dcb272f2dff2885febda4d6af38dbc204cb9d4920f38dd51a5c20a96193424faa30634e92dabe681

C:\Windows\System\uPPyebN.exe

MD5 2974c589845eb2ee30f5573ad29e1b96
SHA1 3e6efb718ac159b39d792b1f0f4082af77978083
SHA256 96fac8588bdeebe012a989cadf66033f55dac67911034873b866c73f55c8c032
SHA512 c17e497af08f0f89a37432dd4ba8997abadd99c63e50f15b6115d179fdc418c07f38f27234c7d46af5113a844b8a678d7291748fb14fb0693ebf5a0a1188216c

C:\Windows\System\KXMYMgK.exe

MD5 a700391fd0cfc51210806172c640c508
SHA1 d02ddc1df5cde07734b6565038c58dc675478ba2
SHA256 fd45bb7fd764593bcf80ccfb8473b120b1232ad033cdefbda2f4b6ad062f6325
SHA512 caf548aae7b4792dc9b033b7055c9689eff79b8958a8b619ee884738d306f8c6e449b6ce17b65eb412d661693aaec413eb7888974098ce57efd882325530dd99

memory/1184-28-0x00007FF6D69B0000-0x00007FF6D6D01000-memory.dmp

C:\Windows\System\WSCqWsH.exe

MD5 efe7bec85b58b687bb25db45cc406904
SHA1 2fe982772c6292bdc70bc5afb5c0281e7eb7d10d
SHA256 05892bf5977c7e5002bca7cd9dbc48c6f470e099167b6caa5bb722ee89b63cf4
SHA512 b6b0aafd22600f874768fc25c73c9d3a04c80817be3fe2aac9710e880d2f4f3d4461ac355abe0227b9df0f81ae9654136d28a02abec4795a91c62dcac27f44f5

C:\Windows\System\bGQssQH.exe

MD5 ae6832fcb7959b0dc1ca1631a1992f89
SHA1 eda30ff684152438814dd1c90480fd41d01846bb
SHA256 a49f27c230370150e0c850e27ca61851f22fd91d083e811502f3675c14b880fd
SHA512 756f5f8f40abb25b6c423853942c0d02c6267fcaab0c77e4a1a9b9f323779a60dd590df868048a8c86b2b8b0ab431ecb6deca9a97bb0dc933834855d2976d3ea

C:\Windows\System\lYRZdRa.exe

MD5 4d3b248f11fc550481c611530a2e3a1b
SHA1 7393d113d53f07e82225161dd92603a8265695eb
SHA256 28c5cffa1d67cae91544bde228ac8a63a34a128d3764338cf37482eb4c5f88bc
SHA512 122ddc9398a23ac99cd370e0e4686131ddf0659401f22e66d4e8b4c9a321f52719176113131a1355a5b9271ff0c0d9fad0acb5ade853fcd17d442c06c7b5e370

memory/1500-71-0x00007FF681FE0000-0x00007FF682331000-memory.dmp

C:\Windows\System\fwGhAPA.exe

MD5 326161f2f7355037ba09175dffa6202f
SHA1 dac8aba9cccec2feeafbfbcdd45dd4b764ab504e
SHA256 6fb2dc6dd4b28d17f8650a2e9256024bea0f20cf0ea96c68f5446c917b12d298
SHA512 d140089823a66d348a03f5819242273f0d922bb402b9f4f18a6d8f137d7674c58581dbaa276ecaeb2797a1006a3c3c6a2b8a2238cfd2e9d7caf2146861bf397e

C:\Windows\System\hjPquFn.exe

MD5 f67d36177ed462bbe17bf4c2919f7590
SHA1 d4d59cb97fd4bda3df2031c205cea54454f0af1b
SHA256 ca7a9cd772cb3df92e8ee95694c279472308faddaa409fab23269c59c66388db
SHA512 d4395db13c4c07b85af52e9f8a6205219f9ff66a94940345587b03d15f4fcdece90aa4c12cd4e16e043720bfb572c2550075b3be64be41131aaaa9b094920997

memory/1744-105-0x00007FF7A4680000-0x00007FF7A49D1000-memory.dmp

memory/3556-113-0x00007FF721DD0000-0x00007FF722121000-memory.dmp

memory/5024-121-0x00007FF637B10000-0x00007FF637E61000-memory.dmp

memory/1440-127-0x00007FF7C5760000-0x00007FF7C5AB1000-memory.dmp

C:\Windows\System\dSUBEmy.exe

MD5 71f14efef63ec9c2b2cf52668336e096
SHA1 2a4d6f43b7c5887ceba69498ca10e5564d66eef3
SHA256 e847f3a2cf56593cd85932f163e54469536053dc3243af1906056b51e1844e2b
SHA512 bcffde4acc857ebc2ecf3000c6ace845402bff5a824dc1108f85df19619b5acc997fc3d89a0d1cbcbbf68ad78140b568edd4e3d60c32ab8c625a50b0c8973244

memory/5048-124-0x00007FF6E78E0000-0x00007FF6E7C31000-memory.dmp

memory/4344-120-0x00007FF6785E0000-0x00007FF678931000-memory.dmp

C:\Windows\System\uQkshDF.exe

MD5 981691877ffa1091b24a07b8d25099bb
SHA1 98312efe4e17eba2e2e6a0cc90b0ce679dc5bb2a
SHA256 ed007f5ca81ec7734d2eb973b64300852ed8060ce99a67b154209da0386ba948
SHA512 f27586c87ec86fb7a1eba2952fb24b11a7af17453ed05295ce1d6ccbafc59451cde1de5aa7a3de066f85eef1c4e67989bfbff8fabfe97f5de8cf4d8b82f247c7

C:\Windows\System\QqtTUTW.exe

MD5 01817b7f4d80ad1d4cfd2535bcb3dd09
SHA1 3c164d02d6286a188485cc041215be691b68922c
SHA256 91b9749dc9a8b6a40b19265ef367b1fe9e2774ff8ae19efd5695f97a3c61e406
SHA512 193b8d9480ccb106fb4ea03748b262af03fa74f935708e6a17b6d07cfdef21b05130ae4f644b8b8571992c1dc808f007f6e4ef5051d2456970ef9713bd942931

C:\Windows\System\YmKNfUq.exe

MD5 0c519caca025c08a4bdc3fae769e211a
SHA1 2d60768c9db5c648464f1ce73720ec0cbde0618b
SHA256 390b57f4e4abea5f37c609bb3c2902623afcb0968292cf28bc16b2658a6db835
SHA512 b5f6ed59436be08cecfd7677a978d8fcbca54c5bc725b74fd3c38455cd7266ef53b28a9d3e0f81e7cb598b0ba84bb81b307ffaf7ef8f9a79169557e1035cfcc6

memory/532-112-0x00007FF7DF1B0000-0x00007FF7DF501000-memory.dmp

C:\Windows\System\SdVxgiL.exe

MD5 b928fada5199c9b4453ffc43380fb6d9
SHA1 91b15727d1b8dfe3a5a7a7ffde28fb38dc4bdd0f
SHA256 9f67ebab94c4ef4980178d7b4a3de5653c97db69843f94240956cff5a2b8ee9f
SHA512 c72280d7f2bb79fc47f589e6ba13a2a27aa24064ef3fde04f6fff794dbfee6a253347c5f2f7356ed6c6dec3865d82cece7bf91e6e46bc298f23b2a4f18964cb3

C:\Windows\System\fOPiDzY.exe

MD5 b9ab7b711203669c1b727597803878a7
SHA1 55fb2c0b60777fcff1c17a6fa50fbe7df2c624d1
SHA256 996f06985f5185340d73ff20c39d8b3aa0bf50d28712a40667112f133502e0af
SHA512 558d25b1a1730c6e9150b17c78854cb7cb149444f0f4cbbb3db0289aa773689c488ced7102fb1313dd2d8f52a47a674d27071a0b26db5622fc86ab0518c238ec

C:\Windows\System\XkcILPv.exe

MD5 9ba22371af9d21f406c8f747b76db6ef
SHA1 a3fa3c0c7dc5d37957e21d5f5cfcf61080ec52a1
SHA256 8031ae297bbd2135a75757908676613467122a8c6138aab4db0b77c6d2a7251d
SHA512 7c3da549da715c6f1573b0eab14bb73b727212152df46f934f657d5812627251f55f53b09aed0874026700b1ac897fd04a8580f68c14f17f9be2947364c9bbd7

memory/1696-104-0x00007FF7B5230000-0x00007FF7B5581000-memory.dmp

C:\Windows\System\zRMvMXv.exe

MD5 f89e7166da7ddb7837634965df2465d2
SHA1 fa8f73e89ae783fa42635a7ecc111056bcad0766
SHA256 d11c6bdf821659b84eb1ee0d2f01ece288547958b1936c39e2f8195e7c7ef97e
SHA512 c39536f8c16bf2969ee85ef9825ebcd87cf386aa0dbde851380b3e74f156d9e82da4ecaaa4f2a6304bd635bbcc0caaa23fbe607c198b691e306f9fcfc1c11056

memory/828-96-0x00007FF730B70000-0x00007FF730EC1000-memory.dmp

memory/3436-95-0x00007FF7F5060000-0x00007FF7F53B1000-memory.dmp

C:\Windows\System\lEYykPZ.exe

MD5 a008ab2033cbb5c08fb5ca667cde6cfd
SHA1 58643eb09ae57910a9356027565818381d9cda50
SHA256 7ff62d19057c597277bd41010e8bcad9a870a09204d90451791e7913a169002e
SHA512 6ed64b8778d2b7d65dfea8c922797503dfef19f07b727df6fb4c76cb16a5ed7ca94b6e3cad17bf75e965af4c5fbb5212f5425e7508e72ac554800c4c71e24438

memory/3196-80-0x00007FF7F3920000-0x00007FF7F3C71000-memory.dmp

memory/5116-68-0x00007FF7AEDE0000-0x00007FF7AF131000-memory.dmp

memory/1796-64-0x00007FF63A860000-0x00007FF63ABB1000-memory.dmp

memory/1004-57-0x00007FF69DEC0000-0x00007FF69E211000-memory.dmp

memory/2000-56-0x00007FF69CF80000-0x00007FF69D2D1000-memory.dmp

C:\Windows\System\TAZVylb.exe

MD5 ca16c460c0974be6f60f72ab5c016799
SHA1 028cde7accc894ae71881cad604ba1c23d04fe50
SHA256 0bc940c7669f66dbfb241ce765b5944115597c94452eae1ab2b59b8566933b78
SHA512 4ef877a36f931f98f83b9b29aec6a4f97c2d8a6c63980bc632aa907936377630327165647696817bc7e343d69d09d91253fb7e2dae085dae6b93cf80a6753e8e

C:\Windows\System\CKuHHgU.exe

MD5 b22e0308ecb73dc9720a7cc276e4b02c
SHA1 1f7fffac0c9935f866755864ab695f14dce7551d
SHA256 3e4dcc6b7d2dda614d05bc73d281a6d5de28c624c1e2a1dd0bc699c392134765
SHA512 f21fd67c34077e60964adf3b537e734898a10d9c36ac24d2820aef8c1bd4130b6870e5317f2a3c50c83839a6f5cce5ac45e79257ec576ce7cea4ecb9c60c326b

memory/1340-43-0x00007FF638DE0000-0x00007FF639131000-memory.dmp

memory/928-39-0x00007FF73F500000-0x00007FF73F851000-memory.dmp

memory/704-23-0x00007FF7EA700000-0x00007FF7EAA51000-memory.dmp

memory/4256-10-0x00007FF711E80000-0x00007FF7121D1000-memory.dmp

C:\Windows\System\FCERGWZ.exe

MD5 24780d04fa54332fb9896c4518e943e1
SHA1 065ee74b69c31f78c05636f40757883cf4fff4b5
SHA256 0e3cb2a990f5777f7c187bc1f5e5d60e3942e1b313ac6a9c342048abe3d8ec36
SHA512 584ad8507016bd82854497f30e0ea7e400d9fbbbd7dab038eac43d0b88f4283799eb2b23425e110569dc69fffa5feb1fdd3815af16d8558030d6ce7f2c0f1226

memory/1340-133-0x00007FF638DE0000-0x00007FF639131000-memory.dmp

memory/5000-128-0x00007FF75CDF0000-0x00007FF75D141000-memory.dmp

memory/2000-135-0x00007FF69CF80000-0x00007FF69D2D1000-memory.dmp

memory/5116-140-0x00007FF7AEDE0000-0x00007FF7AF131000-memory.dmp

memory/1796-138-0x00007FF63A860000-0x00007FF63ABB1000-memory.dmp

memory/1184-132-0x00007FF6D69B0000-0x00007FF6D6D01000-memory.dmp

memory/704-130-0x00007FF7EA700000-0x00007FF7EAA51000-memory.dmp

memory/4256-129-0x00007FF711E80000-0x00007FF7121D1000-memory.dmp

memory/3436-139-0x00007FF7F5060000-0x00007FF7F53B1000-memory.dmp

memory/3556-148-0x00007FF721DD0000-0x00007FF722121000-memory.dmp

memory/1440-149-0x00007FF7C5760000-0x00007FF7C5AB1000-memory.dmp

memory/532-147-0x00007FF7DF1B0000-0x00007FF7DF501000-memory.dmp

memory/1696-143-0x00007FF7B5230000-0x00007FF7B5581000-memory.dmp

memory/1744-145-0x00007FF7A4680000-0x00007FF7A49D1000-memory.dmp

memory/5000-150-0x00007FF75CDF0000-0x00007FF75D141000-memory.dmp

memory/5000-151-0x00007FF75CDF0000-0x00007FF75D141000-memory.dmp

memory/4256-202-0x00007FF711E80000-0x00007FF7121D1000-memory.dmp

memory/704-216-0x00007FF7EA700000-0x00007FF7EAA51000-memory.dmp

memory/928-222-0x00007FF73F500000-0x00007FF73F851000-memory.dmp

memory/1184-224-0x00007FF6D69B0000-0x00007FF6D6D01000-memory.dmp

memory/1340-226-0x00007FF638DE0000-0x00007FF639131000-memory.dmp

memory/1500-230-0x00007FF681FE0000-0x00007FF682331000-memory.dmp

memory/2000-228-0x00007FF69CF80000-0x00007FF69D2D1000-memory.dmp

memory/3196-233-0x00007FF7F3920000-0x00007FF7F3C71000-memory.dmp

memory/1004-236-0x00007FF69DEC0000-0x00007FF69E211000-memory.dmp

memory/1796-234-0x00007FF63A860000-0x00007FF63ABB1000-memory.dmp

memory/828-240-0x00007FF730B70000-0x00007FF730EC1000-memory.dmp

memory/1696-239-0x00007FF7B5230000-0x00007FF7B5581000-memory.dmp

memory/5048-252-0x00007FF6E78E0000-0x00007FF6E7C31000-memory.dmp

memory/5024-251-0x00007FF637B10000-0x00007FF637E61000-memory.dmp

memory/4344-248-0x00007FF6785E0000-0x00007FF678931000-memory.dmp

memory/1744-247-0x00007FF7A4680000-0x00007FF7A49D1000-memory.dmp

memory/3436-245-0x00007FF7F5060000-0x00007FF7F53B1000-memory.dmp

memory/5116-243-0x00007FF7AEDE0000-0x00007FF7AF131000-memory.dmp

memory/3556-257-0x00007FF721DD0000-0x00007FF722121000-memory.dmp

memory/1440-255-0x00007FF7C5760000-0x00007FF7C5AB1000-memory.dmp

memory/532-258-0x00007FF7DF1B0000-0x00007FF7DF501000-memory.dmp
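Two quick checks over the Files sections of both runs (an added example, not the sandbox's own code; the embedded dump names and hash lines are a subset copied from above). First, every dumped region in both runs is exactly 0x351000 bytes long regardless of its base address, the one exception being the 0x10000 region in PID 5000: one PE layout re-emitted under 21 different names. Second, the dropped names that occur in both the Windows 7 and Windows 10 runs carry identical SHA256 values, so the file names and the hashes are stable across hosts and are usable as indicators. Treating PID 2844 as the parent in the behavioral1 run is an inference from its dumped regions sharing every child's base address; the report does not label it.

```python
"""Region-size and cross-run hash checks over the two Files sections.

Added example, not sandbox code. Dump names and hash lines are a subset copied
from the report; treating PID 2844 as the behavioral1 parent is an inference."""
import re
from collections import Counter

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")

DUMPS = [
    "memory/2844-109-0x000000013FFE0000-0x0000000140331000-memory.dmp",  # behavioral1, PID 2844
    "memory/2844-140-0x0000000002300000-0x0000000002651000-memory.dmp",  # behavioral1, low address
    "memory/2844-157-0x000000013F220000-0x000000013F571000-memory.dmp",  # behavioral1, PID 2844
    "memory/352-110-0x000000013F220000-0x000000013F571000-memory.dmp",   # behavioral1, child, same base
    "memory/5000-0-0x00007FF75CDF0000-0x00007FF75D141000-memory.dmp",    # behavioral2, sample image
    "memory/5000-1-0x0000022F03560000-0x0000022F03570000-memory.dmp",    # behavioral2, 64 KiB region
    "memory/4256-10-0x00007FF711E80000-0x00007FF7121D1000-memory.dmp",   # behavioral2, FCERGWZ.exe
    "memory/1744-105-0x00007FF7A4680000-0x00007FF7A49D1000-memory.dmp",  # behavioral2, SdVxgiL.exe
]

# Path + SHA256 lines from behavioral1 (Windows 7) and behavioral2 (Windows 10).
RUN1_FILES = r"""
C:\Windows\system\lEYykPZ.exe
SHA256 7ff62d19057c597277bd41010e8bcad9a870a09204d90451791e7913a169002e
C:\Windows\system\lYRZdRa.exe
SHA256 28c5cffa1d67cae91544bde228ac8a63a34a128d3764338cf37482eb4c5f88bc
C:\Windows\system\TAZVylb.exe
SHA256 0bc940c7669f66dbfb241ce765b5944115597c94452eae1ab2b59b8566933b78
"""
RUN2_FILES = r"""
C:\Windows\System\lYRZdRa.exe
SHA256 28c5cffa1d67cae91544bde228ac8a63a34a128d3764338cf37482eb4c5f88bc
C:\Windows\System\lEYykPZ.exe
SHA256 7ff62d19057c597277bd41010e8bcad9a870a09204d90451791e7913a169002e
C:\Windows\System\TAZVylb.exe
SHA256 0bc940c7669f66dbfb241ce765b5944115597c94452eae1ab2b59b8566933b78
C:\Windows\System\FCERGWZ.exe
SHA256 0e3cb2a990f5777f7c187bc1f5e5d60e3942e1b313ac6a9c342048abe3d8ec36
"""


def parse_dump(name):
    """Split 'memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp' into its fields."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    pid, idx, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "idx": int(idx), "start": start, "end": end, "size": end - start}


def region_size_histogram(names):
    """Counter of region sizes; one dominant size means one PE layout under many names."""
    return Counter(d["size"] for d in map(parse_dump, names) if d)


def children_sharing_base(names, parent_pid):
    """PIDs other than parent_pid whose region base also appears among the parent's dumps."""
    dumps = [d for d in map(parse_dump, names) if d]
    parent_bases = {d["start"] for d in dumps if d["pid"] == parent_pid}
    return sorted({d["pid"] for d in dumps if d["pid"] != parent_pid and d["start"] in parent_bases})


def parse_file_blocks(text):
    """Return {file name (lower-cased): {hash name: value}} from a path/hash-line listing."""
    files, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HASH_RE.match(line)
        if m and current is not None:
            files[current][m.group(1)] = m.group(2)
        elif "\\" in line:  # a path line starts a new block
            current = line.rsplit("\\", 1)[1].lower()
            files.setdefault(current, {})
    return files


def stable_across_runs(run_a, run_b):
    """File names present in both runs with the same SHA256 (content is deterministic)."""
    a, b = parse_file_blocks(run_a), parse_file_blocks(run_b)
    return sorted(n for n in a.keys() & b.keys() if a[n].get("SHA256") == b[n].get("SHA256"))


if __name__ == "__main__":
    print({hex(k): v for k, v in region_size_histogram(DUMPS).items()})
    print("children at a base also dumped for 2844:", children_sharing_base(DUMPS, 2844))
    print("stable across Win7/Win10 runs:", stable_across_runs(RUN1_FILES, RUN2_FILES))
```

On the embedded subset the histogram is `{0x351000: 7, 0x10000: 1}`, PID 352 shares a base with PID 2844, and lEYykPZ.exe, lYRZdRa.exe and TAZVylb.exe hash identically in both runs; running the same functions over the complete Files sections gives the same picture for all 21 drops.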