Malware Analysis Report

2025-08-06 02:05

Sample ID 241027-g9tarssqgt
Target 2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat
SHA256 392bb2b7c32e5344548d0dcebd59fdc44aaebba5b81aca573d8c898600e1e4b6
Tags cobaltstrike xmrig 0 backdoor miner trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 392bb2b7c32e5344548d0dcebd59fdc44aaebba5b81aca573d8c898600e1e4b6

Threat Level: Known bad

The file 2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobalt Strike reflective loader

Xmrig family

xmrig

Cobaltstrike family

Cobaltstrike

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-10-27 06:30

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 06:30

Reported

2024-10-27 06:33

Platform

win7-20240903-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\QLPJSgL.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MOIZZYJ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AYgcBze.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ffMHgHQ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\msLPbcc.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QpiUNFb.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qfiQasZ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SqHacEJ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gDnmtGx.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mKNEWyx.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yGNBKBt.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GQpKvIa.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GfiaXxK.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BFROFlo.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xrFeRFD.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NxbANXK.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WEftmWK.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mVzdyTM.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZxbSjLz.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cgOLVhA.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WaXAKFj.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1088 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BFROFlo.exe
PID 1088 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BFROFlo.exe
PID 1088 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BFROFlo.exe
PID 1088 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gDnmtGx.exe
PID 1088 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gDnmtGx.exe
PID 1088 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gDnmtGx.exe
PID 1088 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QLPJSgL.exe
PID 1088 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QLPJSgL.exe
PID 1088 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QLPJSgL.exe
PID 1088 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xrFeRFD.exe
PID 1088 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xrFeRFD.exe
PID 1088 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xrFeRFD.exe
PID 1088 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mKNEWyx.exe
PID 1088 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mKNEWyx.exe
PID 1088 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mKNEWyx.exe
PID 1088 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WEftmWK.exe
PID 1088 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WEftmWK.exe
PID 1088 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WEftmWK.exe
PID 1088 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yGNBKBt.exe
PID 1088 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yGNBKBt.exe
PID 1088 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yGNBKBt.exe
PID 1088 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MOIZZYJ.exe
PID 1088 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MOIZZYJ.exe
PID 1088 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MOIZZYJ.exe
PID 1088 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NxbANXK.exe
PID 1088 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NxbANXK.exe
PID 1088 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NxbANXK.exe
PID 1088 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mVzdyTM.exe
PID 1088 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mVzdyTM.exe
PID 1088 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mVzdyTM.exe
PID 1088 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AYgcBze.exe
PID 1088 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AYgcBze.exe
PID 1088 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AYgcBze.exe
PID 1088 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ffMHgHQ.exe
PID 1088 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ffMHgHQ.exe
PID 1088 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ffMHgHQ.exe
PID 1088 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GQpKvIa.exe
PID 1088 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GQpKvIa.exe
PID 1088 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GQpKvIa.exe
PID 1088 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZxbSjLz.exe
PID 1088 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZxbSjLz.exe
PID 1088 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZxbSjLz.exe
PID 1088 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GfiaXxK.exe
PID 1088 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GfiaXxK.exe
PID 1088 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GfiaXxK.exe
PID 1088 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QpiUNFb.exe
PID 1088 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QpiUNFb.exe
PID 1088 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QpiUNFb.exe
PID 1088 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\msLPbcc.exe
PID 1088 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\msLPbcc.exe
PID 1088 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\msLPbcc.exe
PID 1088 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qfiQasZ.exe
PID 1088 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qfiQasZ.exe
PID 1088 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qfiQasZ.exe
PID 1088 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SqHacEJ.exe
PID 1088 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SqHacEJ.exe
PID 1088 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SqHacEJ.exe
PID 1088 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cgOLVhA.exe
PID 1088 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cgOLVhA.exe
PID 1088 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cgOLVhA.exe
PID 1088 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WaXAKFj.exe
PID 1088 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WaXAKFj.exe
PID 1088 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WaXAKFj.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\BFROFlo.exe

C:\Windows\System\BFROFlo.exe

C:\Windows\System\gDnmtGx.exe

C:\Windows\System\gDnmtGx.exe

C:\Windows\System\QLPJSgL.exe

C:\Windows\System\QLPJSgL.exe

C:\Windows\System\xrFeRFD.exe

C:\Windows\System\xrFeRFD.exe

C:\Windows\System\mKNEWyx.exe

C:\Windows\System\mKNEWyx.exe

C:\Windows\System\WEftmWK.exe

C:\Windows\System\WEftmWK.exe

C:\Windows\System\yGNBKBt.exe

C:\Windows\System\yGNBKBt.exe

C:\Windows\System\MOIZZYJ.exe

C:\Windows\System\MOIZZYJ.exe

C:\Windows\System\NxbANXK.exe

C:\Windows\System\NxbANXK.exe

C:\Windows\System\mVzdyTM.exe

C:\Windows\System\mVzdyTM.exe

C:\Windows\System\AYgcBze.exe

C:\Windows\System\AYgcBze.exe

C:\Windows\System\ffMHgHQ.exe

C:\Windows\System\ffMHgHQ.exe

C:\Windows\System\GQpKvIa.exe

C:\Windows\System\GQpKvIa.exe

C:\Windows\System\ZxbSjLz.exe

C:\Windows\System\ZxbSjLz.exe

C:\Windows\System\GfiaXxK.exe

C:\Windows\System\GfiaXxK.exe

C:\Windows\System\QpiUNFb.exe

C:\Windows\System\QpiUNFb.exe

C:\Windows\System\msLPbcc.exe

C:\Windows\System\msLPbcc.exe

C:\Windows\System\qfiQasZ.exe

C:\Windows\System\qfiQasZ.exe

C:\Windows\System\SqHacEJ.exe

C:\Windows\System\SqHacEJ.exe

C:\Windows\System\cgOLVhA.exe

C:\Windows\System\cgOLVhA.exe

C:\Windows\System\WaXAKFj.exe

C:\Windows\System\WaXAKFj.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/1788-160-0x000000013FD20000-0x0000000140071000-memory.dmp

memory/1696-211-0x000000013F780000-0x000000013FAD1000-memory.dmp

memory/2344-213-0x000000013F9F0000-0x000000013FD41000-memory.dmp

memory/2444-215-0x000000013F7B0000-0x000000013FB01000-memory.dmp

memory/2364-232-0x000000013F140000-0x000000013F491000-memory.dmp

memory/2816-234-0x000000013F250000-0x000000013F5A1000-memory.dmp

memory/2860-236-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

memory/2872-238-0x000000013F1B0000-0x000000013F501000-memory.dmp

memory/2704-240-0x000000013F3C0000-0x000000013F711000-memory.dmp

memory/1100-242-0x000000013FC50000-0x000000013FFA1000-memory.dmp

memory/1608-244-0x000000013F4F0000-0x000000013F841000-memory.dmp

memory/2804-246-0x000000013F620000-0x000000013F971000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 06:30

Reported

2024-10-27 06:33

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\fFIyMqz.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\njEQiJe.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rYwpRdF.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hUfXJQA.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Xyiomhp.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GvQmHXp.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qDyojyW.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CtKzsgr.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HjDdCrC.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PZbPtpM.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BChxpqO.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DQHnbWi.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FiltYEg.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Auhmvpm.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ekMBouZ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MYNWPOM.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FLSXaLu.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZNXgVod.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DsZyxxH.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YNJhAEW.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fVtVWim.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3592 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FiltYEg.exe
PID 3592 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FiltYEg.exe
PID 3592 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Auhmvpm.exe
PID 3592 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Auhmvpm.exe
PID 3592 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qDyojyW.exe
PID 3592 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qDyojyW.exe
PID 3592 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Xyiomhp.exe
PID 3592 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Xyiomhp.exe
PID 3592 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CtKzsgr.exe
PID 3592 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CtKzsgr.exe
PID 3592 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YNJhAEW.exe
PID 3592 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YNJhAEW.exe
PID 3592 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HjDdCrC.exe
PID 3592 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HjDdCrC.exe
PID 3592 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fVtVWim.exe
PID 3592 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fVtVWim.exe
PID 3592 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PZbPtpM.exe
PID 3592 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PZbPtpM.exe
PID 3592 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GvQmHXp.exe
PID 3592 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GvQmHXp.exe
PID 3592 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ekMBouZ.exe
PID 3592 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ekMBouZ.exe
PID 3592 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fFIyMqz.exe
PID 3592 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fFIyMqz.exe
PID 3592 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MYNWPOM.exe
PID 3592 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MYNWPOM.exe
PID 3592 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BChxpqO.exe
PID 3592 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BChxpqO.exe
PID 3592 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FLSXaLu.exe
PID 3592 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FLSXaLu.exe
PID 3592 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZNXgVod.exe
PID 3592 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZNXgVod.exe
PID 3592 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DsZyxxH.exe
PID 3592 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DsZyxxH.exe
PID 3592 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\njEQiJe.exe
PID 3592 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\njEQiJe.exe
PID 3592 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DQHnbWi.exe
PID 3592 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DQHnbWi.exe
PID 3592 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rYwpRdF.exe
PID 3592 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rYwpRdF.exe
PID 3592 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hUfXJQA.exe
PID 3592 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hUfXJQA.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\FiltYEg.exe

C:\Windows\System\FiltYEg.exe

C:\Windows\System\Auhmvpm.exe

C:\Windows\System\Auhmvpm.exe

C:\Windows\System\qDyojyW.exe

C:\Windows\System\qDyojyW.exe

C:\Windows\System\Xyiomhp.exe

C:\Windows\System\Xyiomhp.exe

C:\Windows\System\CtKzsgr.exe

C:\Windows\System\CtKzsgr.exe

C:\Windows\System\YNJhAEW.exe

C:\Windows\System\YNJhAEW.exe

C:\Windows\System\HjDdCrC.exe

C:\Windows\System\HjDdCrC.exe

C:\Windows\System\fVtVWim.exe

C:\Windows\System\fVtVWim.exe

C:\Windows\System\PZbPtpM.exe

C:\Windows\System\PZbPtpM.exe

C:\Windows\System\GvQmHXp.exe

C:\Windows\System\GvQmHXp.exe

C:\Windows\System\ekMBouZ.exe

C:\Windows\System\ekMBouZ.exe

C:\Windows\System\fFIyMqz.exe

C:\Windows\System\fFIyMqz.exe

C:\Windows\System\MYNWPOM.exe

C:\Windows\System\MYNWPOM.exe

C:\Windows\System\BChxpqO.exe

C:\Windows\System\BChxpqO.exe

C:\Windows\System\FLSXaLu.exe

C:\Windows\System\FLSXaLu.exe

C:\Windows\System\ZNXgVod.exe

C:\Windows\System\ZNXgVod.exe

C:\Windows\System\DsZyxxH.exe

C:\Windows\System\DsZyxxH.exe

C:\Windows\System\njEQiJe.exe

C:\Windows\System\njEQiJe.exe

C:\Windows\System\DQHnbWi.exe

C:\Windows\System\DQHnbWi.exe

C:\Windows\System\rYwpRdF.exe

C:\Windows\System\rYwpRdF.exe

C:\Windows\System\hUfXJQA.exe

C:\Windows\System\hUfXJQA.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/3592-0-0x00007FF793450000-0x00007FF7937A1000-memory.dmp

memory/3592-1-0x000001FE5B6F0000-0x000001FE5B700000-memory.dmp

C:\Windows\System\FiltYEg.exe

MD5 1f791207fd69d7a13e98f55f0d9dc7d2
SHA1 61c4a04281cf4961cb2e879b25d2524c76acae43
SHA256 6751841af1ea9a47173ff376e7e3f06da963d47d2510c667bceeefde173fcd21
SHA512 c397c2fbb73aa472f5d34cf91a405f867daa7f3915d54f561236f49706eba2c30aea0387971cb068c818a0007be8306ece97d284c20103fc32c015c11eb787e3

C:\Windows\System\Auhmvpm.exe

MD5 0e08bd84fb3ed82231940fc6cf99b2d4
SHA1 f170a17ba37922010cd4ad3d579500906ab20e5d
SHA256 71ae346ae9fa2779b0a644636c6afdf184b426eea3fcd92fb7b067b6ffa4d47e
SHA512 4f0d4f4dc023163bba95a7e268f2ec1a1a9fd670116beec0d9e1b38754464178c58e50b5afdb01fe3e7e27999d88394ad5fa59989cebf66347dc332aa4963191

memory/944-9-0x00007FF6B3D20000-0x00007FF6B4071000-memory.dmp

memory/2084-20-0x00007FF6435D0000-0x00007FF643921000-memory.dmp

C:\Windows\System\CtKzsgr.exe

MD5 8edee2d80f8178d1ac2487abfe4a30e2
SHA1 620365f905579f7a000432323e2fc2e5bfd30ed4
SHA256 2191f71982305e00e770628348fa2465d9ca213c8cd77bb9a0cdc72300f0d409
SHA512 d6ed1eb1a5484d8fb5284bd748a49c7bc59448789343af1cc9ae412fdfe65faf05218608f6114601537ca94280fbb734f4e69c6c057bda97d122245b3a23d766

memory/2336-30-0x00007FF76E250000-0x00007FF76E5A1000-memory.dmp

C:\Windows\System\fFIyMqz.exe

MD5 bfdc78c463cf23e0bbf9c5c2266bd74e
SHA1 6c33fcbea63e1e8f3b0e3426cd3195773e032d2b
SHA256 414b514e0c63b1f0a026d7f5d5136ae41805ca500c30190907ed87eab6140ed1
SHA512 81c30ac8a8e5fc7edbfd3c58f82989a53c2158ef077337ad9f7b4c0629f71f858b387c67fbc53f0b8c06a2d45f4ec4db47edf22017c775ba9f1131905954012f

C:\Windows\System\ekMBouZ.exe

MD5 5d231b9be3a53ced40074c6849162c5e
SHA1 eb200dcf3a7093cd16ce2941a15c14c65cc85bc5
SHA256 c2d80c52ea13c10ad29065310bb35c2434cf7beb1c1029c59ccc11937c8dedf2
SHA512 0526bcb966a8cf700b490a3f094309a0709552969cf921541ce392d8242b00a3dfc858c5f8895c269e4d03aed48eb37eb38ef49feff10934a40cfc2aafa05fae

memory/2616-63-0x00007FF79B470000-0x00007FF79B7C1000-memory.dmp

C:\Windows\System\fVtVWim.exe

MD5 7456c4b01e9f1bbcbb1d38f6acc7e4a7
SHA1 bcf0f2ab759a1a328564eed8066bc2b4778c25fb
SHA256 35ae01c4de3b77d0cfc9c8c1dd4dbb7879f742e2ea4bcd0cdbd1a3f54472bc54
SHA512 501bd3cca8fa471e013c4285bc765edd9a3b0e246b01619efcf6e1373721e6814a2aeeff4b1ac3d167917e04343ad100b54851a3321b874412f8402967081d1a

C:\Windows\System\GvQmHXp.exe

MD5 1e9c2f344e5fe9fe1bc812a32811ffc2
SHA1 1bd6cca12481db51db0002f1b41ef2360325cf34
SHA256 8d255648120e7d12bc5162185f6378c67f7dae5baa024cd22ca55261f5e9e383
SHA512 e16bc708ecbd9ce7d9b15f59c07468099d5df4e708cbc185d47e3fa8661bfb0879a20aec6def52615ee39eac15aa633abba8106f72f337947a07b7b5e6285119

C:\Windows\System\PZbPtpM.exe

MD5 960323918137c8a29443f829584b9a92
SHA1 d2e38d1c81315ba988879f57b8f5965e42766362
SHA256 9e6e90ab9399dd1aac28091895f6153e40d82a288feb50d738be75b85e5a429e
SHA512 eb93092abf8f2c5f33e51d1668197cce2add3d72cf74a1a392e6e26b3e8c4987b2f4856e07644a7c011976dec19d001bffaf5a018f72ef034636867b6db5ddc6

C:\Windows\System\YNJhAEW.exe

MD5 1a175784c491cb821dbdd5a1ec1eeaa9
SHA1 30593dfb0792439aa8c3c4ef274912300f5f156b
SHA256 665cca3c33b1dd2f7869fb9aee6df978b51ed16093a9af1941a3dd8c0f000c36
SHA512 1e7b2cd5d97c84c4fb13edeb7e4c2c9ec3c8c627501f9d5cb56904f02aa41b16d2995ec7aa1fd6689795b58e5454e0accedd84dca1e109ea74f6511c47e46f00

C:\Windows\System\HjDdCrC.exe

MD5 0085e3e4250ad4f06ae4a033009822d0
SHA1 9d8855a6d2301a369eda33b77f72506e859972fd
SHA256 bad7e3ef7bd528ab8608e6817dba401678f5378a62dd8fad46d60655c436506d
SHA512 50e4848d2931c37372f62906afb9831dad6bd056d995a6daa773bb1ccc41bc47152a7aede5e210f5ebcc70b53670bd4646d8a7093543b87aff60e0d07fe5f9fa

memory/2872-45-0x00007FF662730000-0x00007FF662A81000-memory.dmp

memory/3856-44-0x00007FF736050000-0x00007FF7363A1000-memory.dmp

memory/1852-34-0x00007FF7C4F70000-0x00007FF7C52C1000-memory.dmp

C:\Windows\System\Xyiomhp.exe

MD5 611adf5e2c8c21c030161265209916fc
SHA1 bbab0d4227f99df50d0a0edfc48a7b5d9fc44d21
SHA256 a9b55ab889937f0a9143c10a3c9335d0a6b1826ddbe93605f0428f3b18a3aa2b
SHA512 8e70237476bcd800ac7c56d55490c8671246e93b1d6e84656688449cd1ac983f84491dbe5b0b948203fe2aeba142f40ffbcd2e35f96a7cedeb63b10700c69204

C:\Windows\System\qDyojyW.exe

MD5 b4390c97a50942ee8d57ffa8b2f1056a
SHA1 5b3501e2e0e46f1ab66691394e947d7421bb148e
SHA256 86b8bffd6972a16b859784a562cc00c5ff5139a5c8d8f6ba72095e72deb61497
SHA512 83eb04eff7d37f1365bf6a4b5eca92a2465a4040e0e16e5165408f4b7316867795d97dd2990548b6c4a89ea7962de3dc5ddb41d30ff35828c4209b5d1c682a41

memory/4320-12-0x00007FF68B0E0000-0x00007FF68B431000-memory.dmp

memory/4244-74-0x00007FF6EA850000-0x00007FF6EABA1000-memory.dmp

C:\Windows\System\DsZyxxH.exe

MD5 d328eb9503ac2b60ff62b219ab861d13
SHA1 5f458b41456366e5edd0752fce889e196aae4dec
SHA256 266c59639aa524ebb0887cf88cc63270a6a6a0b10893e1199a54773a54cc001a
SHA512 91bbc024df9263e9ff7dac8206693a4ca98709e7e0879f0b6abe125776b457adf98e3d5d63b247eecd535f509af4f5ace5fc6be9bc1f2b393b6eaa7ceb786fe9

C:\Windows\System\ZNXgVod.exe

MD5 26e1fd0ce30fa14058c0d05aae47e5e2
SHA1 2fcf4fba98204337636e103bf3c551de7dde9cd6
SHA256 7960a03732b1ca04221a496c071763dedc7878637923c1787cd8afa4c3b9e0f2
SHA512 c318b4701c4a806796f30fd940e82ebad66299bd46481a2ac756ad834535834ea9d94867373bc682dfe589d61ef97fe474bc412e925eebf377b5a91c08f89b4c

C:\Windows\System\hUfXJQA.exe

MD5 7b17bd1cb01db6b8ff49fd0dac97c3b3
SHA1 9596d453622ccd88bcfa07ae3f3e47cb667f8067
SHA256 0924308283f60ae310c43b989c2186894ccf097b3787e887c51b2a0307a0910f
SHA512 a3c04f66355c6d45907ee79c4843776c4ac426bfd92d5e6be2e0dc757c8dc429a8738cb1761b15a7531847f7dc746490baec545d181b242af24e59f981668155

memory/4764-114-0x00007FF77F440000-0x00007FF77F791000-memory.dmp

C:\Windows\System\rYwpRdF.exe

MD5 ba29bd207d62821c67f90c2035c0fac0
SHA1 813be3386f55e5d994f01e5df28d6bcac94400a2
SHA256 13228d103054c262fa75e34452bc89f2ec24726b5ed4ab5dae46bedd9b9c57d5
SHA512 9870ad1093f621798aacde69c9a2462237a9e26ec6c4d637ceb5c5c5db39da8e4d86ed527ad0bdc03182665ca980675f9e05f8ebb688a0edc8f9b3cd9c912c22

C:\Windows\System\DQHnbWi.exe

MD5 828bac2b953c0396b856e97db7a10de4
SHA1 0e87b0555fa7af9fc14824d4a65c842feef6b3f0
SHA256 c5848b9c980bc5b15503262576ea55c27214f4ecdb16f1af588b809bcbd0ac5a
SHA512 2c15730e67a180a2f47f77556a4681e6b5cd107792c70d1a06c4dc4150780e4b436a1eb1e76798e9e2396c62002e5f709d4ed9086146974f375cfe816161621e

C:\Windows\System\FLSXaLu.exe

MD5 03f3e33d218b8603e5554a40f73c6fe6
SHA1 286abe3b418fa137bf3254cb42e9f07857b21aef
SHA256 bb187d3585a0b112dea50b55e948b4960f50d01efcab44ee387bfab082f71463
SHA512 445ba189b7c5a349c42e0bb02eb75bd4f73a73634b3733a3616a2d7713a44a3012b6d1ac508b41c57f9121ec0ce55375f2c07afc3ce956be33665190e1e28a96

C:\Windows\System\BChxpqO.exe

MD5 122fb033b074291afb03667425e943d1
SHA1 7292a3d6d615ea1511eae6dffe2ed777b3552e8d
SHA256 788937c7e3e99a5ff1572ee4a65d76a26b67e0d1519dbe0e3735ee614f6c161b
SHA512 2c02e023e90a3ebb857821609f07ce2830ed472962b8a5d6950a79a90eec6a84642f226fd89f36f7134aeee972e72d81021ff24145d02bfb99bbd74037910ede

C:\Windows\System\MYNWPOM.exe

MD5 e443dd9913b832d473059c8bf6667ea9
SHA1 41a7cf630a323625c256ae82d26a5d04177fd9ad
SHA256 ffb92b0ac555df7c8b5c43b18e8cc4098c011c55fbcf5315bd0e79bab3c3ce1f
SHA512 10ea451509a9695af2f176829c72ea0bec2468ee512a31c4d8a1a01063eef7fa1d7ef4ef07cbca943eb0fcac96cf6da8736a49898381753f05e6cc6941c62ad1

memory/2656-98-0x00007FF7FC690000-0x00007FF7FC9E1000-memory.dmp

C:\Windows\System\njEQiJe.exe

MD5 7c5437642a73599a192259e15c7740b3
SHA1 0baeecdde25f20e2ee1063d9dd800e0fd4cd12a5
SHA256 98177afc90279ba41574b6854ee236610eb735bc166dca02c087172a615fba9b
SHA512 7db92b6c70cd7a93adae7c51a8879711e89e96095738505eebd41604ae1c3aba6e339e5244e149a14e69ccf3f44fde6cae3db3089267dc7d4b3988548c85dfab

memory/4588-87-0x00007FF6419D0000-0x00007FF641D21000-memory.dmp

memory/3116-86-0x00007FF6E2B80000-0x00007FF6E2ED1000-memory.dmp

memory/4880-120-0x00007FF668F30000-0x00007FF669281000-memory.dmp

memory/2956-122-0x00007FF672490000-0x00007FF6727E1000-memory.dmp

memory/1292-121-0x00007FF7586E0000-0x00007FF758A31000-memory.dmp

memory/1816-123-0x00007FF766590000-0x00007FF7668E1000-memory.dmp

memory/4432-124-0x00007FF6AA0B0000-0x00007FF6AA401000-memory.dmp

memory/1444-125-0x00007FF610A90000-0x00007FF610DE1000-memory.dmp

memory/2524-126-0x00007FF699710000-0x00007FF699A61000-memory.dmp

memory/2680-127-0x00007FF7954E0000-0x00007FF795831000-memory.dmp

memory/3592-128-0x00007FF793450000-0x00007FF7937A1000-memory.dmp

memory/2084-131-0x00007FF6435D0000-0x00007FF643921000-memory.dmp

memory/3592-136-0x00007FF793450000-0x00007FF7937A1000-memory.dmp

memory/3856-134-0x00007FF736050000-0x00007FF7363A1000-memory.dmp

memory/1852-133-0x00007FF7C4F70000-0x00007FF7C52C1000-memory.dmp

memory/4320-130-0x00007FF68B0E0000-0x00007FF68B431000-memory.dmp

memory/944-129-0x00007FF6B3D20000-0x00007FF6B4071000-memory.dmp

memory/2336-132-0x00007FF76E250000-0x00007FF76E5A1000-memory.dmp

memory/3116-141-0x00007FF6E2B80000-0x00007FF6E2ED1000-memory.dmp

memory/4764-145-0x00007FF77F440000-0x00007FF77F791000-memory.dmp

memory/2656-143-0x00007FF7FC690000-0x00007FF7FC9E1000-memory.dmp

memory/4588-142-0x00007FF6419D0000-0x00007FF641D21000-memory.dmp

memory/2616-138-0x00007FF79B470000-0x00007FF79B7C1000-memory.dmp

memory/3592-151-0x00007FF793450000-0x00007FF7937A1000-memory.dmp

memory/944-213-0x00007FF6B3D20000-0x00007FF6B4071000-memory.dmp

memory/4320-215-0x00007FF68B0E0000-0x00007FF68B431000-memory.dmp

memory/2084-217-0x00007FF6435D0000-0x00007FF643921000-memory.dmp

memory/2336-219-0x00007FF76E250000-0x00007FF76E5A1000-memory.dmp

memory/2872-221-0x00007FF662730000-0x00007FF662A81000-memory.dmp

memory/1852-223-0x00007FF7C4F70000-0x00007FF7C52C1000-memory.dmp

memory/1816-227-0x00007FF766590000-0x00007FF7668E1000-memory.dmp

memory/3856-226-0x00007FF736050000-0x00007FF7363A1000-memory.dmp

memory/2616-231-0x00007FF79B470000-0x00007FF79B7C1000-memory.dmp

memory/4244-229-0x00007FF6EA850000-0x00007FF6EABA1000-memory.dmp

memory/4880-247-0x00007FF668F30000-0x00007FF669281000-memory.dmp

memory/1444-250-0x00007FF610A90000-0x00007FF610DE1000-memory.dmp

memory/1292-254-0x00007FF7586E0000-0x00007FF758A31000-memory.dmp

memory/2956-256-0x00007FF672490000-0x00007FF6727E1000-memory.dmp

memory/4764-258-0x00007FF77F440000-0x00007FF77F791000-memory.dmp

memory/2680-252-0x00007FF7954E0000-0x00007FF795831000-memory.dmp

memory/2524-249-0x00007FF699710000-0x00007FF699A61000-memory.dmp

memory/2656-244-0x00007FF7FC690000-0x00007FF7FC9E1000-memory.dmp

memory/4588-242-0x00007FF6419D0000-0x00007FF641D21000-memory.dmp

memory/4432-240-0x00007FF6AA0B0000-0x00007FF6AA401000-memory.dmp

memory/3116-239-0x00007FF6E2B80000-0x00007FF6E2ED1000-memory.dmp