Malware Analysis Report

2025-04-03 18:03

Sample ID 241109-svqrwaxbmf
Target 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat
SHA256 bdd012c106ef6b6be69b0d1fea641387b4fc959018965d98062ece2f45b4fac6
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10


Analysis Overview

score
10/10

SHA256

bdd012c106ef6b6be69b0d1fea641387b4fc959018965d98062ece2f45b4fac6

Threat Level: Known bad

The file 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

XMRig Miner payload

Xmrig family

xmrig

Cobaltstrike family

Cobaltstrike

Cobalt Strike reflective loader

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-11-09 15:27

Signatures

Cobalt Strike reflective loader

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xmrig family

xmrig

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 15:27

Reported

2024-11-09 15:29

Platform

win7-20240903-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\System\rZOGjtn.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\vltxkkp.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\tmjhKdw.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\lCdPzvN.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\SWPfxcb.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\Rdxwytz.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\UVuQcPv.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\NUCSyIv.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\ZTinELi.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\MoNYRbK.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\EZNXdcW.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\zfyjqxj.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\rtnnqza.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\AmYzhSh.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\aKzcIiX.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\tyGjuyD.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\XdPWEEn.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\IOaZSZr.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\CnjRxyK.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\YBgCscm.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\muYzMxe.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2868 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\zfyjqxj.exe
PID 2868 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\zfyjqxj.exe
PID 2868 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\zfyjqxj.exe
PID 2868 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\IOaZSZr.exe
PID 2868 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\IOaZSZr.exe
PID 2868 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\IOaZSZr.exe
PID 2868 wrote to memory of 296 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\rtnnqza.exe
PID 2868 wrote to memory of 296 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\rtnnqza.exe
PID 2868 wrote to memory of 296 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\rtnnqza.exe
PID 2868 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\SWPfxcb.exe
PID 2868 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\SWPfxcb.exe
PID 2868 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\SWPfxcb.exe
PID 2868 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\AmYzhSh.exe
PID 2868 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\AmYzhSh.exe
PID 2868 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\AmYzhSh.exe
PID 2868 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\CnjRxyK.exe
PID 2868 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\CnjRxyK.exe
PID 2868 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\CnjRxyK.exe
PID 2868 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\YBgCscm.exe
PID 2868 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\YBgCscm.exe
PID 2868 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\YBgCscm.exe
PID 2868 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\Rdxwytz.exe
PID 2868 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\Rdxwytz.exe
PID 2868 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\Rdxwytz.exe
PID 2868 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\aKzcIiX.exe
PID 2868 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\aKzcIiX.exe
PID 2868 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\aKzcIiX.exe
PID 2868 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\UVuQcPv.exe
PID 2868 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\UVuQcPv.exe
PID 2868 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\UVuQcPv.exe
PID 2868 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\NUCSyIv.exe
PID 2868 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\NUCSyIv.exe
PID 2868 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\NUCSyIv.exe
PID 2868 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\ZTinELi.exe
PID 2868 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\ZTinELi.exe
PID 2868 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\ZTinELi.exe
PID 2868 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\tyGjuyD.exe
PID 2868 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\tyGjuyD.exe
PID 2868 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\tyGjuyD.exe
PID 2868 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\XdPWEEn.exe
PID 2868 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\XdPWEEn.exe
PID 2868 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\XdPWEEn.exe
PID 2868 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\rZOGjtn.exe
PID 2868 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\rZOGjtn.exe
PID 2868 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\rZOGjtn.exe
PID 2868 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\vltxkkp.exe
PID 2868 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\vltxkkp.exe
PID 2868 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\vltxkkp.exe
PID 2868 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\MoNYRbK.exe
PID 2868 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\MoNYRbK.exe
PID 2868 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\MoNYRbK.exe
PID 2868 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\muYzMxe.exe
PID 2868 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\muYzMxe.exe
PID 2868 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\muYzMxe.exe
PID 2868 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\tmjhKdw.exe
PID 2868 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\tmjhKdw.exe
PID 2868 wrote to memory of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\tmjhKdw.exe
PID 2868 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\EZNXdcW.exe
PID 2868 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\EZNXdcW.exe
PID 2868 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\EZNXdcW.exe
PID 2868 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\lCdPzvN.exe
PID 2868 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\lCdPzvN.exe
PID 2868 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\lCdPzvN.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\zfyjqxj.exe

C:\Windows\System\zfyjqxj.exe

C:\Windows\System\IOaZSZr.exe

C:\Windows\System\IOaZSZr.exe

C:\Windows\System\rtnnqza.exe

C:\Windows\System\rtnnqza.exe

C:\Windows\System\SWPfxcb.exe

C:\Windows\System\SWPfxcb.exe

C:\Windows\System\AmYzhSh.exe

C:\Windows\System\AmYzhSh.exe

C:\Windows\System\CnjRxyK.exe

C:\Windows\System\CnjRxyK.exe

C:\Windows\System\YBgCscm.exe

C:\Windows\System\YBgCscm.exe

C:\Windows\System\Rdxwytz.exe

C:\Windows\System\Rdxwytz.exe

C:\Windows\System\aKzcIiX.exe

C:\Windows\System\aKzcIiX.exe

C:\Windows\System\UVuQcPv.exe

C:\Windows\System\UVuQcPv.exe

C:\Windows\System\NUCSyIv.exe

C:\Windows\System\NUCSyIv.exe

C:\Windows\System\ZTinELi.exe

C:\Windows\System\ZTinELi.exe

C:\Windows\System\tyGjuyD.exe

C:\Windows\System\tyGjuyD.exe

C:\Windows\System\XdPWEEn.exe

C:\Windows\System\XdPWEEn.exe

C:\Windows\System\rZOGjtn.exe

C:\Windows\System\rZOGjtn.exe

C:\Windows\System\vltxkkp.exe

C:\Windows\System\vltxkkp.exe

C:\Windows\System\MoNYRbK.exe

C:\Windows\System\MoNYRbK.exe

C:\Windows\System\muYzMxe.exe

C:\Windows\System\muYzMxe.exe

C:\Windows\System\tmjhKdw.exe

C:\Windows\System\tmjhKdw.exe

C:\Windows\System\EZNXdcW.exe

C:\Windows\System\EZNXdcW.exe

C:\Windows\System\lCdPzvN.exe

C:\Windows\System\lCdPzvN.exe

Network

Country | Destination | Domain | Proto
DE | 3.120.209.58:8080 | | tcp
DE | 3.120.209.58:8080 | | tcp
DE | 3.120.209.58:8080 | | tcp
DE | 3.120.209.58:8080 | | tcp
DE | 3.120.209.58:8080 | | tcp
DE | 3.120.209.58:8080 | | tcp

Files

memory/2868-0-0x000000013F280000-0x000000013F5D1000-memory.dmp

memory/2868-1-0x0000000000580000-0x0000000000590000-memory.dmp

\Windows\system\zfyjqxj.exe

MD5 f8ef8f9048f7339a65ec8de77e83588c
SHA1 f17debb35a9bd54b4ff61c7daa361916f3156049
SHA256 4346cc8fd6f1a296a7cc5509efc8223c9770d7d823e20b550c266306f49ead46
SHA512 e6807054dee6efade17e2e3091ec13c2e07556e12a26876885462b0ec126242f8c9835fb5055e35505bb69f6227a3c6046a006cb42c679209537649d05b86ecc

C:\Windows\system\IOaZSZr.exe

MD5 e7ec46e87b7d1b8cdbeb051e97e10b05
SHA1 1d3fe91fe4312d5e600e9e72ac138ce08137c100
SHA256 d02072009e705b21835ef05fd316928adfcd51a36ad84cc9f7bb589b55e540f9
SHA512 3547228411c31db12a6e49c146f508072cf87fb05137ed3253cb6a485f78682fb11f473f5d63bbbed81a85e7415bf232e8f2a699f90f8ea42074f7bc1621f4e4

C:\Windows\system\rtnnqza.exe

MD5 559df22b00a91011e8bf92968f7a223a
SHA1 a16c9ba6fae7949366fb4656a036f00fbfd7db6b
SHA256 692621064834d71e10cf6efbfa5e9ab566295f013780bf70e8ea5bd10b00c19c
SHA512 73d86a5fcaad8dc1a7c174a93d233312ade3127591b3723a283e079c3cba8f3669004896ba8e530d6c6ff8b0e16930a5dda7b8fb9435b31bcfc8814572c781fa

memory/296-21-0x000000013FEE0000-0x0000000140231000-memory.dmp

memory/2868-22-0x00000000021B0000-0x0000000002501000-memory.dmp

\Windows\system\SWPfxcb.exe

MD5 5a9575603f61df7b81c05978a1e7d6ce
SHA1 0c0e90dd0b2b3faba8dbafc4abae9c78f183473e
SHA256 2bb83c6e4906d8646464c2bea367a01c8993857db2a3dd032e9af7deb2247149
SHA512 0e01df90c2fc1fb19f984581ed4c29b748779b6d26cb09c8a04d4514ea2b890f511c562073013da67c66f54be7d63adee3b3c7b6c11c11a57597859a826a44b2

memory/2868-109-0x00000000021B0000-0x0000000002501000-memory.dmp

C:\Windows\system\UVuQcPv.exe

MD5 457574fc5e9073367f67e74b6617ea30
SHA1 4a117ae6bf7dd1ebc434ccb15cc18c8e9a378f79
SHA256 8e10490c29d17ea49b33aaf6e6ae5e2f49070b1cd7a34f8180f5b0217ee773bf
SHA512 40327eabb4687633d503e8281e93de47bb148f4a7e05a76a906427a2ebf6fec7c5321d0946cec51d171399b58546945e2d681ecf071f8de58a4e415fbae51294

\Windows\system\EZNXdcW.exe

MD5 d6dc130814a368fcf93e00609ffe569e
SHA1 822e3fd6a32415d22be3a226608b69ba3bd82bbe
SHA256 d205f9d4e84f3c866364eb4b27e952ce531b18be6a5ce7ae5d6100b39003fe9e
SHA512 490cea49c1395c18265a5fc61cfeb4ffdf04d319f431f5b2797bd95bb58036b42225adb7dde0d0a73bac9a8150281393cb1ffe058988f0b919c0176730893afe

memory/2508-96-0x000000013F6B0000-0x000000013FA01000-memory.dmp

\Windows\system\muYzMxe.exe

MD5 cb241871303bb18e61bc89c907c08f07
SHA1 7aec50e8f369bafecefac80c0b790c5979fb3786
SHA256 a52fc213f0351f5ef586c9fb56a29252bcdbdef5e50fb02d1cfee8ac050cdeef
SHA512 144da48bc9ae2168f452a698322fdb76a94536390ee19e2b31fef56113f3d355984156888b7c7f050fcfd41db467688a3d6830a6130ddf8dc58b83a63dc19338

memory/2868-85-0x000000013FA40000-0x000000013FD91000-memory.dmp

\Windows\system\vltxkkp.exe

MD5 d0a0a1efb4859a7d47eb12caba810fdb
SHA1 cc1311c3fcafa53eaab6de61c546aaeda3d91552
SHA256 54be47cf0ca954adc0b210c62f610aaebc27f723fa2df3c1264095d45e180bed
SHA512 f83c29bff2a294b85203e3338a2ac5f2fa18588294bce8293ea91767ae2cbcd081029d09eac915c85e2960b9b4335c24c53145aaa5eeea1f5abd5d6a2425a555

memory/2568-132-0x000000013F070000-0x000000013F3C1000-memory.dmp

\Windows\system\XdPWEEn.exe

MD5 fbdf3fe116ce253307b9aaafca802a19
SHA1 8046163ad69b62b4fc0d6de95de84a07baf6ada6
SHA256 ace41fca944d0f05e140f168b8aa7d46b68216e91d6722784417c20ea965c931
SHA512 d92a0e0d0e0f9dca2bbdd51efadf528b45dfeb5a016059db2c3b97c0dcbd2457ae13d4969ef2ac0f94d82d180ee748db6e323a0216601cf327d102232f72fd43

memory/2868-68-0x000000013F960000-0x000000013FCB1000-memory.dmp

memory/2052-133-0x000000013FC40000-0x000000013FF91000-memory.dmp

memory/2104-67-0x000000013F620000-0x000000013F971000-memory.dmp

C:\Windows\system\NUCSyIv.exe

MD5 35a64bde3827a866c138c94499ae7307
SHA1 68ff5751f720cd6e28b7faf6b52f2c4b4ebbb3cc
SHA256 cb60d11928293d4f8d8ff4d79d283e83f6138437bdfa4278cac5b789a460897b
SHA512 2f119c2fa73f9b0f61c4355159efacde37996ed15ca921e093e17e0e0d7f1105c7f1bf8df4d9f164f7c595ea51436b2434b091e0712bd3996aee7027d2a98764

\Windows\system\ZTinELi.exe

MD5 16d51b500a2ac5b945ec65c21066dbce
SHA1 6f192e5a32ce56199a81e625f8df228563b2f3cb
SHA256 0b82c04991ed930faf65fd766d1044069bbc5382a8a29024f38dbab8a7f62c02
SHA512 1ac211361389e39b43a9e9359c6a62a315ac233637f990c3f935aa932328f88f5216e6c7be0c775cdeda69eed2d9d1c48727caa751b84234f7392b63ab4741d4

memory/2868-57-0x000000013F660000-0x000000013F9B1000-memory.dmp

\Windows\system\Rdxwytz.exe

MD5 a138be0497b63a42a5b584d29047403a
SHA1 f4a1637a4b8607825dca4fa3426f5b2ab3eab23d
SHA256 0fb3be37f3c9ff439b6e2cf7e1130d767e32748f9a2869569052c6a26ae8ce02
SHA512 c479f9081c4effbfed425709272b3a97dbbe111e103059a5d77ddbcf5a324f95033ad51b35a9e68ca367b58b2cb6454617c16b0fb7a8b1cc82aa5e7df801cd9e

\Windows\system\CnjRxyK.exe

MD5 8c5ec894f414facce554b40fcc5c4e0f
SHA1 046d600a0e17f1a1275c20217ebb4bcc9034edff
SHA256 53216c4edef2db884bf9539645a6761714e1a732cfc9cb3e3af616b195c7de26
SHA512 90367066e42a51104ed68bb3d8cdbf499593eccd698eee8883ace3a166d700c3300a9a6214c8cd333e1f7e660f3aad6f5cf50743f2482bf5a4fb313484ba83a1

memory/2868-108-0x000000013F6B0000-0x000000013FA01000-memory.dmp

C:\Windows\system\lCdPzvN.exe

MD5 64c5b3846c9cf83e6b2f2d6d4382a578
SHA1 f6ce57e6c3b3275e002000b6092ef5ad1e35ed45
SHA256 ce1e6efc978e81e987769303b77632fc9ca5f2a5d487871b426aaeb709ccb36a
SHA512 dec71cec0768db31d9f9032b5175fc00b17a097ec3a48808d5c01f2359c5d5de40f16a15202f155ba2a696a32f0651a3e27dd4526115f1a625bb4e88b2173aff

C:\Windows\system\tmjhKdw.exe

MD5 1234ba4d443afc41584d43eae1afe43b
SHA1 5646c3e91657901a1d6dda6a88f1649da5ff6fcc
SHA256 0c034ef7bac1f53fcfa6bd19a24bfccb29213f5a551a451732a8bdd3be1b7ad7
SHA512 6bbd15a2aa34efc97d2ed47f0c8bfbcef16b18d942043e59eb8e2e0449d3f1d8e049c7eebe416d3f7c799ed94a677bd2c147c3ef4bd282da2d021f26b0e576c3

memory/2868-100-0x00000000021B0000-0x0000000002501000-memory.dmp

memory/2440-92-0x000000013F2A0000-0x000000013F5F1000-memory.dmp

memory/2684-91-0x000000013FA40000-0x000000013FD91000-memory.dmp

C:\Windows\system\MoNYRbK.exe

MD5 f688440e41801f64d2ea4657203213a9
SHA1 a0d6524c084d317ffd50209f0ef842403353cedb
SHA256 45843921258c65f2085e31f6fe2523a9639aba8ee049c9b6a7769cdad80268ea
SHA512 b83a8e0c863de1b300e300ad03ad6e1daac454e8d51b3c4ca051a186aeb6bb00ff5f2775ee3576b093a1c225dd31e4ccd3df7139497abc4f6cf329af6e062b9a

C:\Windows\system\rZOGjtn.exe

MD5 07b6a65aaad14741307f5b9731625b4c
SHA1 5f1265ee3a5245ef6ac5d58da178e80928601f5a
SHA256 4b4b5a9af3b732e54fe910df189672dcd231669a607932a26635c79ba00821bd
SHA512 2607ca6a8302eab9886657a7312078a3f3e433b0993a37f1004e0bc47fa870b84c3f22d8791203244c71e517ac7c78ad356fbc21d0057c86a4df4e851d0ac724

memory/2868-81-0x000000013FD40000-0x0000000140091000-memory.dmp

C:\Windows\system\tyGjuyD.exe

MD5 1e4bd37fd6afd243b2a15e92772df0bd
SHA1 049b40975ab0a7824f8029466c057b4f8476739a
SHA256 473242679a45f23944704d527cfa07b5a810ca4f778d2a697c655a16d23d4794
SHA512 d74fda55f3b0075551b03853029053bf0e087d190f4f77d6a6da8ac795c2856c3399c9e968ce5c1041652d41891103b0a699a7ef44d72fa23c9dfc3007fe8908

memory/2868-73-0x000000013F280000-0x000000013F5D1000-memory.dmp

memory/3048-72-0x000000013F960000-0x000000013FCB1000-memory.dmp

memory/2268-61-0x000000013F660000-0x000000013F9B1000-memory.dmp

memory/2868-50-0x00000000021B0000-0x0000000002501000-memory.dmp

C:\Windows\system\aKzcIiX.exe

MD5 f634dd3801acf3c3ae46cedffd34c899
SHA1 491cdbb76765a949ffb03ac48555747f341e61be
SHA256 04cb0bf5747c4c4a5aee23fcc4be800c9f87c5bb1caa68ea6c8eeebc1836b932
SHA512 65dfdf45b5fd54594fe5cbdb0da94db258d53c87a73c21f65604ce1d426bf8ec290455560a5b067eddc7cb58fdb9e1cf1f7d773134cbf595ec94929d3978a75d

C:\Windows\system\YBgCscm.exe

MD5 01744e1b7ac949a91c88395e2198368a
SHA1 6b23c137c8a80d45ec3d4ffe3b7c5baa7abb031f
SHA256 54eaeac1d8885e70bc422c5e6689ada188af674d6bef6733b5239e4ffd2968f5
SHA512 bf55b976e09028cd7f79d35eabfd354df620ce5adbd104b5e9d637a3b9c30ecbdbf6336d49a9a2bc94bf501e9fc88ed43ce1051b0e4acd9e38cc983dc0cd4992

memory/2868-41-0x000000013FEF0000-0x0000000140241000-memory.dmp

memory/2052-34-0x000000013FC40000-0x000000013FF91000-memory.dmp

memory/2868-33-0x000000013FC40000-0x000000013FF91000-memory.dmp

C:\Windows\system\AmYzhSh.exe

MD5 fe3cdce80132f563a2438ff2cc9d5f22
SHA1 0ed703e93d10477e1dcc0f7cbc4e0c04444f69da
SHA256 354a00125835bec6a34e719a49f54fc76d0ca31207fee004c06a0a89b22ab17b
SHA512 5ab3865e12751b11ee9648a8a4d3e2ddba57d896975bc4ad36853eb47b21ec4a3dd870337f96381bc017110c8cd868df3d4472a32cbf4545bcea3fd6006a97a2

memory/2568-28-0x000000013F070000-0x000000013F3C1000-memory.dmp

memory/2868-27-0x00000000021B0000-0x0000000002501000-memory.dmp

memory/2868-20-0x000000013FEE0000-0x0000000140231000-memory.dmp

memory/2300-19-0x000000013F5D0000-0x000000013F921000-memory.dmp

memory/2368-18-0x000000013FDB0000-0x0000000140101000-memory.dmp

memory/3048-134-0x000000013F960000-0x000000013FCB1000-memory.dmp

memory/2868-135-0x000000013FD40000-0x0000000140091000-memory.dmp

memory/2440-137-0x000000013F2A0000-0x000000013F5F1000-memory.dmp

memory/2684-136-0x000000013FA40000-0x000000013FD91000-memory.dmp

memory/2508-142-0x000000013F6B0000-0x000000013FA01000-memory.dmp

memory/2868-138-0x000000013F280000-0x000000013F5D1000-memory.dmp

memory/2760-155-0x000000013F950000-0x000000013FCA1000-memory.dmp

memory/2868-163-0x000000013F6B0000-0x000000013FA01000-memory.dmp

memory/2876-160-0x000000013F5B0000-0x000000013F901000-memory.dmp

memory/2868-162-0x000000013F950000-0x000000013FCA1000-memory.dmp

memory/2868-161-0x00000000021B0000-0x0000000002501000-memory.dmp

memory/2548-159-0x000000013F860000-0x000000013FBB1000-memory.dmp

memory/2488-158-0x000000013FC50000-0x000000013FFA1000-memory.dmp

memory/2708-151-0x000000013FD40000-0x0000000140091000-memory.dmp

memory/2624-149-0x000000013F550000-0x000000013F8A1000-memory.dmp

memory/1608-147-0x000000013F290000-0x000000013F5E1000-memory.dmp

memory/2540-157-0x000000013F150000-0x000000013F4A1000-memory.dmp

memory/2060-145-0x000000013FEF0000-0x0000000140241000-memory.dmp

memory/2696-153-0x000000013F330000-0x000000013F681000-memory.dmp

memory/2868-164-0x000000013F280000-0x000000013F5D1000-memory.dmp

memory/2368-231-0x000000013FDB0000-0x0000000140101000-memory.dmp

memory/296-233-0x000000013FEE0000-0x0000000140231000-memory.dmp

memory/2300-235-0x000000013F5D0000-0x000000013F921000-memory.dmp

memory/2268-243-0x000000013F660000-0x000000013F9B1000-memory.dmp

memory/2104-242-0x000000013F620000-0x000000013F971000-memory.dmp

memory/2052-239-0x000000013FC40000-0x000000013FF91000-memory.dmp

memory/2568-238-0x000000013F070000-0x000000013F3C1000-memory.dmp

memory/3048-245-0x000000013F960000-0x000000013FCB1000-memory.dmp

memory/2684-247-0x000000013FA40000-0x000000013FD91000-memory.dmp

memory/2440-251-0x000000013F2A0000-0x000000013F5F1000-memory.dmp

memory/2508-254-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 15:27

Reported

2024-11-09 15:29

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\dUZIVkZ.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YmMbYTP.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BMzTiEf.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gkOGJBX.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rgupddw.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GdkksUS.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sHGImmS.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bHjRESn.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iWQKVpB.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JeQwySX.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OGSUFMQ.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rGNXNjj.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wPXalwn.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lhJZcNX.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CwjuHHx.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VGgIXKT.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\csHWtTV.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RoqqHZB.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WGimjxu.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eiclfam.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QpLsXTp.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 228 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QpLsXTp.exe
PID 228 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QpLsXTp.exe
PID 228 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rgupddw.exe
PID 228 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rgupddw.exe
PID 228 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CwjuHHx.exe
PID 228 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CwjuHHx.exe
PID 228 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JeQwySX.exe
PID 228 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JeQwySX.exe
PID 228 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lhJZcNX.exe
PID 228 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lhJZcNX.exe
PID 228 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VGgIXKT.exe
PID 228 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VGgIXKT.exe
PID 228 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OGSUFMQ.exe
PID 228 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OGSUFMQ.exe
PID 228 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GdkksUS.exe
PID 228 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GdkksUS.exe
PID 228 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dUZIVkZ.exe
PID 228 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dUZIVkZ.exe
PID 228 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rGNXNjj.exe
PID 228 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rGNXNjj.exe
PID 228 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\csHWtTV.exe
PID 228 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\csHWtTV.exe
PID 228 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YmMbYTP.exe
PID 228 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YmMbYTP.exe
PID 228 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RoqqHZB.exe
PID 228 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RoqqHZB.exe
PID 228 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BMzTiEf.exe
PID 228 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BMzTiEf.exe
PID 228 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WGimjxu.exe
PID 228 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WGimjxu.exe
PID 228 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wPXalwn.exe
PID 228 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wPXalwn.exe
PID 228 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sHGImmS.exe
PID 228 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sHGImmS.exe
PID 228 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gkOGJBX.exe
PID 228 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gkOGJBX.exe
PID 228 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eiclfam.exe
PID 228 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eiclfam.exe
PID 228 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bHjRESn.exe
PID 228 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bHjRESn.exe
PID 228 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iWQKVpB.exe
PID 228 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iWQKVpB.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\QpLsXTp.exe

C:\Windows\System\QpLsXTp.exe

C:\Windows\System\rgupddw.exe

C:\Windows\System\rgupddw.exe

C:\Windows\System\CwjuHHx.exe

C:\Windows\System\CwjuHHx.exe

C:\Windows\System\JeQwySX.exe

C:\Windows\System\JeQwySX.exe

C:\Windows\System\lhJZcNX.exe

C:\Windows\System\lhJZcNX.exe

C:\Windows\System\VGgIXKT.exe

C:\Windows\System\VGgIXKT.exe

C:\Windows\System\OGSUFMQ.exe

C:\Windows\System\OGSUFMQ.exe

C:\Windows\System\GdkksUS.exe

C:\Windows\System\GdkksUS.exe

C:\Windows\System\dUZIVkZ.exe

C:\Windows\System\dUZIVkZ.exe

C:\Windows\System\rGNXNjj.exe

C:\Windows\System\rGNXNjj.exe

C:\Windows\System\csHWtTV.exe

C:\Windows\System\csHWtTV.exe

C:\Windows\System\YmMbYTP.exe

C:\Windows\System\YmMbYTP.exe

C:\Windows\System\RoqqHZB.exe

C:\Windows\System\RoqqHZB.exe

C:\Windows\System\BMzTiEf.exe

C:\Windows\System\BMzTiEf.exe

C:\Windows\System\WGimjxu.exe

C:\Windows\System\WGimjxu.exe

C:\Windows\System\wPXalwn.exe

C:\Windows\System\wPXalwn.exe

C:\Windows\System\sHGImmS.exe

C:\Windows\System\sHGImmS.exe

C:\Windows\System\gkOGJBX.exe

C:\Windows\System\gkOGJBX.exe

C:\Windows\System\eiclfam.exe

C:\Windows\System\eiclfam.exe

C:\Windows\System\bHjRESn.exe

C:\Windows\System\bHjRESn.exe

C:\Windows\System\iWQKVpB.exe

C:\Windows\System\iWQKVpB.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 73.208.201.84.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 udp

Files

memory/228-0-0x00007FF6276D0000-0x00007FF627A21000-memory.dmp

memory/228-1-0x0000029810160000-0x0000029810170000-memory.dmp

C:\Windows\System\QpLsXTp.exe

MD5 754f5d70b5749a8d5c86ba7d76322f09
SHA1 1ef5143a3405e789f8cde7018d1f16a150916eb7
SHA256 84ca801571ecd94372b8b9c334259aa76390d2fc42d85b48f28ec06187679c99
SHA512 1e5751d50d3f81dbf6693e3005b009461868b3e5632de21c90118c57cad9ca9f9ab6fbcf3176d23adaf1c8028b1e7198ca271588297adc0069a8fcd890372943

memory/1084-8-0x00007FF646250000-0x00007FF6465A1000-memory.dmp

C:\Windows\System\CwjuHHx.exe

MD5 10d161e3fd968de9d8830a12c2e813f0
SHA1 d48cda3f2acfde028597a9c27d356c608aff52b7
SHA256 50ff642141c2a76b4c8503bfcaaae89c855c04f235fff53f3aeb48e1c4bdccf1
SHA512 995b0b45b518634cc6afe0012f32d58ad8c9c851369fce480a3edbcf0483b7c29b0858e05c5e6cd1bd0e02b8ecd4f0c00619d09743e6340e73b133611908daa4

memory/3936-20-0x00007FF6B1920000-0x00007FF6B1C71000-memory.dmp

memory/2112-14-0x00007FF678480000-0x00007FF6787D1000-memory.dmp

C:\Windows\System\rgupddw.exe

MD5 660e0aa3c381fa1b966ece6e4b1e553a
SHA1 93f2d49306994c709f5628f49c7ef10c307ff26f
SHA256 830531c0a1c7e49dc303c0fbb648940725a8c16a567ba66e811d12902733e178
SHA512 1f4e343016eb62793b9cb6eb9dcbcf13e95edddd52247f3226886121d9ef80c2c68386cc3a5bfb8518492430de957e7690ba051fe96bc7af8f2e25409c9ebf36

C:\Windows\System\JeQwySX.exe

MD5 d998300f9672c115e59c15e7f6cbf981
SHA1 928ce9ce33c5e0acf4910a064a5cb4d11c66ed81
SHA256 61f098ba73e1659f8e7e167a54762ccf0493d6b99c3c5dcd93b9df8028bedea5
SHA512 7af7c23889c4f50e75f8acc5ebc6b3c796f672a26c2c950b1b32645dfb2d1fc0219a3e9e1b60748d581b85cc20746b91e9f19247a26e971a6ce56567b778855b

C:\Windows\System\lhJZcNX.exe

MD5 0a9a9bf9bea9cec279a1ace5ea4bb897
SHA1 dd293f6012212aa72843441d5b5af0e6665c9e49
SHA256 ee558648738261d1a9543e5d8baa72c7cdf10dc97cc45e10e81659112fad8b1b
SHA512 f502f1e21b35ffed3551c9dbde2a833b9a82ddd7e0fef37a0c5018bfd38e9f07c48f6e9b98d7bede27019f257a3fde792b2c0e512087784128a1865ee50e7e28

C:\Windows\System\VGgIXKT.exe

MD5 01cd6cdea7fcd627a6307ebc997f9894
SHA1 938ed290daad7a342b98a3eb26b4f0ab44fd6df2
SHA256 d76a16995258d37e5d8a90f1b1b1e0cf97f1f1d22204f802bc89a084752d8e13
SHA512 c5cf41f12f42154781922d9ebd503f057f677ce1f33b82a3d2ff68ecb99a054e1357e1a66c4879aaad6be8c89a6e4e6e28cbc0672483682bac403cca62c387e9

memory/4420-42-0x00007FF6407F0000-0x00007FF640B41000-memory.dmp

C:\Windows\System\dUZIVkZ.exe

MD5 7cc256c99443e3336f3692862f93d24e
SHA1 ffd91f0bd9a1d08587b87f81707cf648523f77df
SHA256 7899dfa2d50ffd92cbf1201d9ec61949b6ab093077eb0392e2270baf7aefe099
SHA512 f29ff5efe7db054df46422e476f17620e3d57d5079ddc2c66a840880f0c23bd23eab76b9d29d887d988b8ed8306b8fab09394c8422a3bafd2812fa5664af4151

C:\Windows\System\GdkksUS.exe

MD5 2c5d69c6a70e4fca8863440c196f14db
SHA1 86878204f4000460d8bab920b4d38cb1d755a98d
SHA256 f0024b1dd076c211f9e48bb86084a660fdffd377fa7ed34fd512d20e78d5b2fe
SHA512 54c806ec22978bc828c3697af7a66151ad410269d2744720b0ec56ee72afd3c7b609062d7417838184dfff898dbd0946745e9804de1f6a659442c45ce4b89d36

memory/4016-52-0x00007FF60CD50000-0x00007FF60D0A1000-memory.dmp

memory/1332-49-0x00007FF66F600000-0x00007FF66F951000-memory.dmp

C:\Windows\System\OGSUFMQ.exe

MD5 bbdcf7b68be2437c008a9a6ef951acc9
SHA1 7d36bd7f0cc40a503093206c5dbe1ee4d8d4c7da
SHA256 b5dd060f7937f27b45d110e159dbbafbda39ecf9c635ed6b1dc495ae826e7f4d
SHA512 1d84a2f53492eee5b2dc4fb1582c21a017df40f04dbc968b752fea77fb1be38ededb9e69c7e4ba9d07eac9c8b526d501718aab4b9568d91e9b7930dfb6c25ce2

memory/2644-41-0x00007FF65A400000-0x00007FF65A751000-memory.dmp

memory/2768-34-0x00007FF7BE6C0000-0x00007FF7BEA11000-memory.dmp

memory/1396-30-0x00007FF796200000-0x00007FF796551000-memory.dmp

memory/228-57-0x00007FF6276D0000-0x00007FF627A21000-memory.dmp

memory/1084-61-0x00007FF646250000-0x00007FF6465A1000-memory.dmp

C:\Windows\System\rGNXNjj.exe

MD5 06adcee07b1a2b9b3a6915f3cca14531
SHA1 3ec61834620044227b26a9fb53b2182ea5eeef66
SHA256 097d26b06bb0c8a91e2016c89d6adb1ff10c942fe9b1068733d4eb8f4e32e311
SHA512 a79885b9060c22a5e242faea12edf501c332b7ed1af3d179f46773c707eea38112d968e2a25d747292ba667e62d2d80a7cdde78a250e395bd1412a83de633fe3

C:\Windows\System\YmMbYTP.exe

MD5 64086ffe86a9212b3595f8f77b51d8eb
SHA1 b729edcb9d6aa91ad76273a0f524e6de23a95d0b
SHA256 0690bd2173adfe7cc9a39ed22642d217373de533ab867e57ec5dde3117652d9a
SHA512 c46f1d1ce5395d54c90ce7e7177b0cb0a73df61e4811c05db98499eb8a126aefd5a669fe950bd5ee7637ef93c4e3ed01abdd22a9800f489a9ec66ba2952af955

memory/2372-78-0x00007FF6A7AF0000-0x00007FF6A7E41000-memory.dmp

memory/2352-80-0x00007FF7EC7C0000-0x00007FF7ECB11000-memory.dmp

C:\Windows\System\wPXalwn.exe

MD5 a643ef4fd2d763cd9c45d800c57f5f1d
SHA1 aba3287f978a5f31884ff4c7840305fb0efe041b
SHA256 c21697db301320cf901a2177a19fd188060582017710bcae44329714a361652c
SHA512 c6fe447600463d97a01b4a1e2ac2a6a66a1cef92f5e89418656252f88aaa090655c4ea7bc56badc93f51349eea3df2a320c4d459727539acb658057942bed103

C:\Windows\System\WGimjxu.exe

MD5 35c8c9ee0203c78c9bcb51b2e3c08dcc
SHA1 2051fb5a8e421b728e0eb81a6f6017384465f7a2
SHA256 67db09cbf70baef799991d48680b49c7c88fee42e6901b14a32dbb112ba70132
SHA512 37dc77a710e951b5b50a6a36e562085b78e8cbec3de99600b651eb01e6885493ac54a72c694395ef96314ddd8de99c6a9b9deb33ed5beb83de25721f5c9e345b

C:\Windows\System\sHGImmS.exe

MD5 c0767e4e11fb4246ad0b838257357701
SHA1 39b9af2d47f139c8584449addd04d9e08db7b407
SHA256 c2b6c60b461b292c032749acbdd7bd3c10cd802ee5d2bb6abddc1a6b0e283836
SHA512 aecc42452cc0349818a4d946cf4489cd8e131b734234df1e7cccb7b30f98f4cb7263c49b8b9cb790992bf05b3446f6016aca6d4ba944da8b98001708ae022351

C:\Windows\System\gkOGJBX.exe

MD5 99ef305717bd0dadca30153e8a55cb97
SHA1 3843878221bb9de7ef4a9a38586303f549e6e293
SHA256 e1f1e3df441eca9ff5c6923e7b7cdf0545d7a67c040828247d91ff7be3e5adfc
SHA512 ac2156f6a4b7cf86525bb51671f65adfc8fed63aad23292a17f918fe9736735a70b2b97a61190ac928c376b237c1e4ed24ab174698abc9311b6ba7824578dce0

C:\Windows\System\iWQKVpB.exe

MD5 e42c663b971e51a7355170467dce4b5d
SHA1 44d2df07d19f3cfe4fbb14c793e2364d93affaa2
SHA256 f347e81a0f52ed4d31198243830cf490c645a0d77de76e5467b6f2f279860586
SHA512 340d7c01673544764e1c108461a0e6a37fb600161658f0225461d3b5cf9569fa66e44b6693b0ae8e0d52597a24c0ecf1e1f6e27983c49bfa4e1c496f52014d1b

C:\Windows\System\bHjRESn.exe

MD5 361b27671905daa9fd9ac13400602bb6
SHA1 fdc109a86091db7e2d225b78ba696f8d66773d37
SHA256 a62d5d3443697cda8b1cdf9a7f935837fba6867796586770adf31a93c487bcc9
SHA512 45e5eadb011b39a57e5706772783e4964d6dbe87928d74d7a13eaedf2423c4cd71e5550d5fc8e5d11c04a9d617209edb9a9302e439c530dcfa3bcd589b92698a

C:\Windows\System\eiclfam.exe

MD5 a7ae74ea4280bebf2633311a250b4c7b
SHA1 503a820bee89e113154290a4c38df71d1881b3d3
SHA256 619ac7a30deecd62f8d0075eb43c49019f8e7814e9facaca8162dee4467d3f19
SHA512 f1c11e0baf9f1454b6ad9806c50a159e02e56875b16fa9f63f208fc0f2cdd21385c308f813c80efa691cf1ab26fa4b0a4de59132c0972ef3ea3f2ff71e2c0876

memory/4420-108-0x00007FF6407F0000-0x00007FF640B41000-memory.dmp

memory/2728-100-0x00007FF7F1240000-0x00007FF7F1591000-memory.dmp

memory/2968-97-0x00007FF7AD640000-0x00007FF7AD991000-memory.dmp

memory/2124-94-0x00007FF7407F0000-0x00007FF740B41000-memory.dmp

memory/3268-93-0x00007FF7BC520000-0x00007FF7BC871000-memory.dmp

C:\Windows\System\RoqqHZB.exe

MD5 ea56a92454b1d72d89c6d7c6545723b5
SHA1 c527b4fdb98a4280b4da706ee60a8af7074b39b0
SHA256 c680b7fbe422914ecd4acf0346ab42e8d7c6f3ca33e39d322303521c485c2968
SHA512 3d114db7c85c599fb23880625d05de1edacca53b3cfc1cd1f5c0c14d8950a4c70407c12e9450b0ace2f64831f87f7c0bc7f1585ca3fff316e524b1674b82a2b5

C:\Windows\System\BMzTiEf.exe

MD5 074f84d12d35b3d99f570a8fd21c86ca
SHA1 f2bb3849197d92c903bfaa08854abab7a2bffe83
SHA256 96a9fab52ff4f6d4a8c305ac4a23804c9bbd7d28b7b9f4a60603af95ff246f9b
SHA512 0f072803955360501506dd1f315bd2593b99d17fbb46010628f2b49b98d1575f3cdb3a789d41f8adf504da8d3974f859e1e6624bfb37de82fa3de64206024b76

memory/3936-85-0x00007FF6B1920000-0x00007FF6B1C71000-memory.dmp

memory/2112-74-0x00007FF678480000-0x00007FF6787D1000-memory.dmp

C:\Windows\System\csHWtTV.exe

MD5 efb409644dbaa670a11f6095c6458ca7
SHA1 cb176b3df2042632f0d0a3bd1988220055082bbe
SHA256 f16b3799755e3c3699543a5166ff2d5ee2b9900ffeb53651285100591ddd6c2b
SHA512 dab3e138bce36d220bf984886443a44a68d13384224cbc1700935d52e4975165195a8d38b104d6c614c957b019312794f51edb07169ba548f6ee4ab6799a9b54

memory/4672-62-0x00007FF7C4450000-0x00007FF7C47A1000-memory.dmp

memory/1332-128-0x00007FF66F600000-0x00007FF66F951000-memory.dmp

memory/1832-130-0x00007FF6CD130000-0x00007FF6CD481000-memory.dmp

memory/5008-129-0x00007FF7F81B0000-0x00007FF7F8501000-memory.dmp

memory/4100-131-0x00007FF6FC020000-0x00007FF6FC371000-memory.dmp

memory/2984-132-0x00007FF60D0E0000-0x00007FF60D431000-memory.dmp

memory/4340-133-0x00007FF621030000-0x00007FF621381000-memory.dmp

memory/228-134-0x00007FF6276D0000-0x00007FF627A21000-memory.dmp

memory/4672-144-0x00007FF7C4450000-0x00007FF7C47A1000-memory.dmp

memory/4016-143-0x00007FF60CD50000-0x00007FF60D0A1000-memory.dmp

memory/3268-147-0x00007FF7BC520000-0x00007FF7BC871000-memory.dmp

memory/2968-150-0x00007FF7AD640000-0x00007FF7AD991000-memory.dmp

memory/2728-149-0x00007FF7F1240000-0x00007FF7F1591000-memory.dmp

memory/228-156-0x00007FF6276D0000-0x00007FF627A21000-memory.dmp

memory/1084-206-0x00007FF646250000-0x00007FF6465A1000-memory.dmp

memory/2112-208-0x00007FF678480000-0x00007FF6787D1000-memory.dmp

memory/3936-210-0x00007FF6B1920000-0x00007FF6B1C71000-memory.dmp

memory/1396-218-0x00007FF796200000-0x00007FF796551000-memory.dmp

memory/2768-220-0x00007FF7BE6C0000-0x00007FF7BEA11000-memory.dmp

memory/2644-222-0x00007FF65A400000-0x00007FF65A751000-memory.dmp

memory/4420-224-0x00007FF6407F0000-0x00007FF640B41000-memory.dmp

memory/4016-226-0x00007FF60CD50000-0x00007FF60D0A1000-memory.dmp

memory/1332-228-0x00007FF66F600000-0x00007FF66F951000-memory.dmp

memory/4672-232-0x00007FF7C4450000-0x00007FF7C47A1000-memory.dmp

memory/2372-245-0x00007FF6A7AF0000-0x00007FF6A7E41000-memory.dmp

memory/2352-244-0x00007FF7EC7C0000-0x00007FF7ECB11000-memory.dmp

memory/2124-248-0x00007FF7407F0000-0x00007FF740B41000-memory.dmp

memory/3268-249-0x00007FF7BC520000-0x00007FF7BC871000-memory.dmp

memory/2968-251-0x00007FF7AD640000-0x00007FF7AD991000-memory.dmp

memory/2728-253-0x00007FF7F1240000-0x00007FF7F1591000-memory.dmp

memory/5008-255-0x00007FF7F81B0000-0x00007FF7F8501000-memory.dmp

memory/4340-257-0x00007FF621030000-0x00007FF621381000-memory.dmp

memory/1832-259-0x00007FF6CD130000-0x00007FF6CD481000-memory.dmp

memory/4100-261-0x00007FF6FC020000-0x00007FF6FC371000-memory.dmp

memory/2984-263-0x00007FF60D0E0000-0x00007FF60D431000-memory.dmp