Malware Analysis Report

2025-05-28 18:57

Sample ID 241110-s87bsasrfp
Target 2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat
SHA256 627bf59509313d97ab8a2972bd27135583fccd1ec2054d9c818bdbdb2d76797f
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

627bf59509313d97ab8a2972bd27135583fccd1ec2054d9c818bdbdb2d76797f

Threat Level: Known bad

The file 2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

xmrig

Cobaltstrike family

Xmrig family

Cobaltstrike

Cobalt Strike reflective loader

XMRig Miner payload

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-11-10 15:48

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 15:48

Reported

2024-11-10 15:51

Platform

win7-20240903-en

Max time kernel

140s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\zQsKSHF.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FmkmaOX.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jicyRKC.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PFSICgC.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jsdthIu.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hoayHmc.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rvdmiZd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wgEKHjj.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\czcNSRd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UdPjHot.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gJkmndg.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kOPqpyu.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NsJfTEG.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AQtYpgA.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\doYLUpz.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TUuKfii.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qOtgjxq.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HgHBXiy.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\upStjTz.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zyMsGzP.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZbFLRNT.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rvdmiZd.exe
PID 2236 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rvdmiZd.exe
PID 2236 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rvdmiZd.exe
PID 2236 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zQsKSHF.exe
PID 2236 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zQsKSHF.exe
PID 2236 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zQsKSHF.exe
PID 2236 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wgEKHjj.exe
PID 2236 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wgEKHjj.exe
PID 2236 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wgEKHjj.exe
PID 2236 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FmkmaOX.exe
PID 2236 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FmkmaOX.exe
PID 2236 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FmkmaOX.exe
PID 2236 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HgHBXiy.exe
PID 2236 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HgHBXiy.exe
PID 2236 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HgHBXiy.exe
PID 2236 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\czcNSRd.exe
PID 2236 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\czcNSRd.exe
PID 2236 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\czcNSRd.exe
PID 2236 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kOPqpyu.exe
PID 2236 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kOPqpyu.exe
PID 2236 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kOPqpyu.exe
PID 2236 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NsJfTEG.exe
PID 2236 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NsJfTEG.exe
PID 2236 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NsJfTEG.exe
PID 2236 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AQtYpgA.exe
PID 2236 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AQtYpgA.exe
PID 2236 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AQtYpgA.exe
PID 2236 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UdPjHot.exe
PID 2236 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UdPjHot.exe
PID 2236 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UdPjHot.exe
PID 2236 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\upStjTz.exe
PID 2236 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\upStjTz.exe
PID 2236 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\upStjTz.exe
PID 2236 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\doYLUpz.exe
PID 2236 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\doYLUpz.exe
PID 2236 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\doYLUpz.exe
PID 2236 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TUuKfii.exe
PID 2236 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TUuKfii.exe
PID 2236 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TUuKfii.exe
PID 2236 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jicyRKC.exe
PID 2236 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jicyRKC.exe
PID 2236 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jicyRKC.exe
PID 2236 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PFSICgC.exe
PID 2236 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PFSICgC.exe
PID 2236 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PFSICgC.exe
PID 2236 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jsdthIu.exe
PID 2236 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jsdthIu.exe
PID 2236 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jsdthIu.exe
PID 2236 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hoayHmc.exe
PID 2236 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hoayHmc.exe
PID 2236 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hoayHmc.exe
PID 2236 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qOtgjxq.exe
PID 2236 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qOtgjxq.exe
PID 2236 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qOtgjxq.exe
PID 2236 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zyMsGzP.exe
PID 2236 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zyMsGzP.exe
PID 2236 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zyMsGzP.exe
PID 2236 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gJkmndg.exe
PID 2236 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gJkmndg.exe
PID 2236 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gJkmndg.exe
PID 2236 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZbFLRNT.exe
PID 2236 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZbFLRNT.exe
PID 2236 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZbFLRNT.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\rvdmiZd.exe

C:\Windows\System\rvdmiZd.exe

C:\Windows\System\zQsKSHF.exe

C:\Windows\System\zQsKSHF.exe

C:\Windows\System\wgEKHjj.exe

C:\Windows\System\wgEKHjj.exe

C:\Windows\System\FmkmaOX.exe

C:\Windows\System\FmkmaOX.exe

C:\Windows\System\HgHBXiy.exe

C:\Windows\System\HgHBXiy.exe

C:\Windows\System\czcNSRd.exe

C:\Windows\System\czcNSRd.exe

C:\Windows\System\kOPqpyu.exe

C:\Windows\System\kOPqpyu.exe

C:\Windows\System\NsJfTEG.exe

C:\Windows\System\NsJfTEG.exe

C:\Windows\System\AQtYpgA.exe

C:\Windows\System\AQtYpgA.exe

C:\Windows\System\UdPjHot.exe

C:\Windows\System\UdPjHot.exe

C:\Windows\System\upStjTz.exe

C:\Windows\System\upStjTz.exe

C:\Windows\System\doYLUpz.exe

C:\Windows\System\doYLUpz.exe

C:\Windows\System\TUuKfii.exe

C:\Windows\System\TUuKfii.exe

C:\Windows\System\jicyRKC.exe

C:\Windows\System\jicyRKC.exe

C:\Windows\System\PFSICgC.exe

C:\Windows\System\PFSICgC.exe

C:\Windows\System\jsdthIu.exe

C:\Windows\System\jsdthIu.exe

C:\Windows\System\hoayHmc.exe

C:\Windows\System\hoayHmc.exe

C:\Windows\System\qOtgjxq.exe

C:\Windows\System\qOtgjxq.exe

C:\Windows\System\zyMsGzP.exe

C:\Windows\System\zyMsGzP.exe

C:\Windows\System\gJkmndg.exe

C:\Windows\System\gJkmndg.exe

C:\Windows\System\ZbFLRNT.exe

C:\Windows\System\ZbFLRNT.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2236-0-0x000000013F8D0000-0x000000013FC21000-memory.dmp

memory/2236-1-0x0000000000200000-0x0000000000210000-memory.dmp

C:\Windows\system\rvdmiZd.exe

MD5 beda17125a8249334a402b7cb3a46968
SHA1 42ae630262d37379c80ee9d6410b2fa78ebbe40d
SHA256 47d956df9602246bf5450b4ce0ac887e467e56221bc58c9adc3bec08046f7d42
SHA512 9701c04398492a62ac241f55371856d5d6332f3b413a54020ee5dcb2c16e817c6124951b5dd4e13988c9dc1501c74e879aab186ab8229e35211c18c905d8176b

C:\Windows\system\zQsKSHF.exe

MD5 41b9334e47f0182da92eed5c70248d5b
SHA1 9a563b20202ece09aaae142ac4121a3dc0ef3d26
SHA256 48c28e9e418019a1924db3c903d59deebd29782d047b3c6ef646ee207c94309c
SHA512 2006db7dc860601080992cba050ce713805f38f7927cabf80457580c2a77faf6c87ef82e13082a0e4b51ef2a5af365a4439045cec58b65dc280ee097243f9bed

\Windows\system\wgEKHjj.exe

MD5 b912b1b0586547cfc9565bd122b524fb
SHA1 e4def1717085fc2d6d91e29487d0e6c8faca2481
SHA256 8014514bf0ffb772dcda55e49de993d5100c999a8c6c4a8eca4eb2a4d22492e3
SHA512 b77528826392f9e716dfe9e00310c6212f16128217cb8c2bee6a30d9ff29efe0083564c6ebb998b9925562a7b7dce0b07e74f6540fdcdfca2d74098845b9c953

memory/2236-59-0x00000000021A0000-0x00000000024F1000-memory.dmp

C:\Windows\system\kOPqpyu.exe

MD5 700e1d3e6c9d09b2164734a5b3c4d449
SHA1 ecf0637e6f739090caf0b00f1538904734e614de
SHA256 a4683f080e2bcdb810dcad282fc2b689d3ec515764bff0370d8ccffe097949d3
SHA512 2a39d0d850feaa7d3cfe9f5e9fd46be8742cf7f9b15f43b16215defa0d6cdcebd0c84f245028dbbcc0f6b3b63af3816c6ddae37bc910ec6928a3f464f4955f43

C:\Windows\system\UdPjHot.exe

MD5 8c3dfa69c2d6cd09a7912616d98d0be0
SHA1 87ba26d483500eaf7b7e9d895a08df93516790cd
SHA256 1c223483e3881cf16d740b871ce2b39fd4970736d4ba759d63750d359e4cb22e
SHA512 73e45ff76b469b1652b6a756c73aa8e20d537a1e8e450ee8603e61971a3a8773416704686298f5425cd88a031ea43adf50e1113c5d1cba502744986747a9c188

C:\Windows\system\doYLUpz.exe

MD5 8f8fa000401c26220334558dfe4f24ad
SHA1 59536fc7f6556dc0576387f446ccfd799cade9f8
SHA256 85f476ae9a92a2e0476dd07dbfbd571f26a4bfe2e7551af9983b652a7b821055
SHA512 a9563eaa31c2975d1db10513e579350677cdc3266df85d4da1ab3ae7553e6d3e63b0bb7c3ce1a58e8beddb9f076d9d8539b48f7e58f42c887ecaaed4f3f04ffc

C:\Windows\system\jicyRKC.exe

MD5 8c17b4a8478630397cb1f29a01bee5ca
SHA1 af029784aa5d53d6dfbf85dfb5caea07b7aa69cb
SHA256 afd1ef1386210153685dca6718bd9302b5df3831ec2cac824d635974f95c2d37
SHA512 0369295b19ae39b71629eb458509fb8d776c221524377f2a78541abf049408508e2678f652c873cde34d71a1c8c27bc4112de69d6a7c7d340b1cdaaa3c41a2c9

C:\Windows\system\gJkmndg.exe

MD5 0872ef6581f7f138eddee5bb582fd71e
SHA1 40e3c14d64e9638a5b5a1ffee6b197805c942be0
SHA256 3fdfe6cd9b132a0f608ef6b8c0ff6ebdc87b016c05733eedf637f09ed4073f06
SHA512 e4c0bc18201b07b144e2911477620709014a5b9f7ceff13f3c6934a9d21f6cf4548c975c3fb5ffdf72cfd44d499d8741eae47546af41b3318d9bec2db3f148b6

C:\Windows\system\ZbFLRNT.exe

MD5 65a6710691fb78a639552e094054f2f4
SHA1 d6118e6eb096f2c4f548300468e35f0f6a84b785
SHA256 632d1f765845c3718be92154e2d7921f766d7ea16b8cb876baef85bd993133f9
SHA512 6b8c65a56d666dcef13ee1efb5b51afbf4f3fc571772686e676f377054acd86a2a08f535e83ca1db44e11b8e0c5cf59a50dd57f3e40b540817aea519563573fb

C:\Windows\system\qOtgjxq.exe

MD5 8ecf8ea9aa7c0329f763996ffd5d52d4
SHA1 16c25fc61c54c55cd5b2edf87910ba676c81c219
SHA256 c21fed18ea0a52778490e41a27fe4d7e29b8042d3a805d9da30538ed782d2984
SHA512 d06d502009dee00b0949a41cfa12dde3d5109b645e0ae1ecea5d3ce895bed06679a853835eaca72855bf874b89334c7d3641d9fe32f8e45d8fc55f39f25b475b

C:\Windows\system\zyMsGzP.exe

MD5 1e5d003fbd9032c0d8b4fef7d7a3fbad
SHA1 b56cb309e12c23eed29e9e247152f9444da1b57e
SHA256 15dcfebaa6be85fc38251593981db85e163925116df26f2d16fbdecaf6864940
SHA512 b346d3c5e1d1440d6ff775f63659f18d9a1c90b5f8fab4a07f080eaff4c248d12bf1790c42787a62b4c769073f30b2ce7919abb1bc365cca7c0c84f254cfdd07

C:\Windows\system\jsdthIu.exe

MD5 5b7dbef7b5e7ef7d8810e72b79b797b4
SHA1 2a93fb810bd958261fb927c7fea31e889aa2e564
SHA256 b2c72eaf9c27f2b879682e4f53d05ac0d69e766d5f4fc637d97da676ae3fc63c
SHA512 be36ec4cd257b0937aa589c2713de67a31365987e999d812c82e54fa8b75b550e84e7423f6767dff548859de7d7160d3e1f6a37a5b0bb93904db5b5fe0c6c3e8

C:\Windows\system\hoayHmc.exe

MD5 8e2a76a20dd0ce5c26ed148deb646d65
SHA1 b24c145ce17c1b9916d93e24bbfc21f5da514d18
SHA256 6997c9c63ce2da1701f493cba37348b3c644c46d71d961d8d757e280e6a092a4
SHA512 25c2375a13039fcd7a50a7b6f248eb255e88f963cd3c41184d9bf511dcfcc11e4fbc4687361be925fae19d8f63214a9d27e6c7fe9e0c519c6fe9e991dd7e6cf5

memory/2236-100-0x00000000021A0000-0x00000000024F1000-memory.dmp

memory/2700-99-0x000000013F5B0000-0x000000013F901000-memory.dmp

memory/2536-137-0x000000013FD90000-0x00000001400E1000-memory.dmp

memory/2236-106-0x000000013FEA0000-0x00000001401F1000-memory.dmp

C:\Windows\system\PFSICgC.exe

MD5 6452ddcd62f0c0d47adfa3525328a44a
SHA1 622c3281a85f8e4cda070cbf3556504991da5f38
SHA256 47ca4ba0f7f1fb15e0ce0942a522645360ba4cb17c2e2f00c7cbfac3f1a8da59
SHA512 75e3c7b2628c5e6592436c8770f842874199c6ce10979fe2a9f9f47ce98a2d8818044bc5c486bd6ece0637fb6b43b10fb8a3b804dedcea56be44979ae4600c7a

memory/1312-104-0x000000013FAC0000-0x000000013FE11000-memory.dmp

memory/2236-92-0x00000000021A0000-0x00000000024F1000-memory.dmp

memory/2236-85-0x000000013F8D0000-0x000000013FC21000-memory.dmp

memory/2500-84-0x000000013FD50000-0x00000001400A1000-memory.dmp

memory/1892-91-0x000000013F9C0000-0x000000013FD11000-memory.dmp

memory/2172-90-0x000000013F060000-0x000000013F3B1000-memory.dmp

C:\Windows\system\TUuKfii.exe

MD5 fd844b2520c1238fe34202d391d21f2f
SHA1 1e23453aa8372e512526d246baab5a263e8a028e
SHA256 bd99ae650201601886db2ca134ea399060253f4df5d07ad3116b83a7da77ebb0
SHA512 e3f32f33cbf7eca3342a2a97774dd39445bddebefb6079e8a54fcb54c99bc4cebf52f0d7fc1096b9daf68861de12d3f9670ccd021a8ed180437a6813db16e5b4

memory/1892-138-0x000000013F9C0000-0x000000013FD11000-memory.dmp

memory/2536-77-0x000000013FD90000-0x00000001400E1000-memory.dmp

memory/2236-76-0x000000013FD90000-0x00000001400E1000-memory.dmp

memory/2236-139-0x000000013F8D0000-0x000000013FC21000-memory.dmp

memory/2964-71-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/2236-67-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/2700-66-0x000000013F5B0000-0x000000013F901000-memory.dmp

memory/2236-152-0x00000000021A0000-0x00000000024F1000-memory.dmp

C:\Windows\system\upStjTz.exe

MD5 714e8ba8d27fd2f11f724731979fdb52
SHA1 334b61d4fbefa27def76cef1428c520d93b45990
SHA256 275fc5b00cded4799902d271136df3218916bb302802ba9fde81936aee4621a3
SHA512 ce7b8bf2283e34fc90736ca00227cf0d386319445f2258fe2cb9a42ed2c9a56f7da5c2a4baed5445c6198b0eed69af7079d0fa5aa4446deb90d39e9caa5a08b2

memory/2236-41-0x000000013F2C0000-0x000000013F611000-memory.dmp

memory/1984-159-0x000000013FA10000-0x000000013FD61000-memory.dmp

memory/2236-162-0x000000013FEA0000-0x00000001401F1000-memory.dmp

memory/1900-161-0x000000013FB80000-0x000000013FED1000-memory.dmp

memory/1924-160-0x000000013F820000-0x000000013FB71000-memory.dmp

memory/2380-158-0x000000013FA20000-0x000000013FD71000-memory.dmp

memory/2404-157-0x000000013FAD0000-0x000000013FE21000-memory.dmp

memory/1940-156-0x000000013F830000-0x000000013FB81000-memory.dmp

memory/2460-155-0x000000013FEA0000-0x00000001401F1000-memory.dmp

memory/2076-40-0x000000013F520000-0x000000013F871000-memory.dmp

\Windows\system\NsJfTEG.exe

MD5 cdaede17c156e4c53a377baa810086fd
SHA1 4f5be93228f3841c31b081f32df2da49f98139f3
SHA256 4a23fa1221974d838630ba1842fb2f0a0619fbbf35784c1bd26706fb4557a735
SHA512 e9da2a28ab252e9c8f305901a82a795c5e5f3f016e2acf8a6e5dfc948255ab7837346097d15e22c8b67fb9e4a750093be8805ce26a74f5e2b637645319240b86

C:\Windows\system\HgHBXiy.exe

MD5 fb9b05d1dde11a80015c4f615ddf7b2a
SHA1 8f1f14ceca0c051d184693ecfd3f613c2032e747
SHA256 91f151e3d394d8121a248700dcdd5282508e6ed6f100368b42fdbd7348abb9b8
SHA512 c6eca44f6565d0762f4ec68a6ba558be75f897152e5075b2b28427aaebc76dcbede67c5006a3355f9745ca212cbbfa54853eb8c838083c77e319f1f151a510ea

memory/2180-61-0x000000013F760000-0x000000013FAB1000-memory.dmp

memory/2628-60-0x000000013F0E0000-0x000000013F431000-memory.dmp

memory/2236-58-0x000000013F0E0000-0x000000013F431000-memory.dmp

memory/2236-57-0x000000013F070000-0x000000013F3C1000-memory.dmp

memory/2304-56-0x000000013F290000-0x000000013F5E1000-memory.dmp

memory/2236-28-0x000000013F290000-0x000000013F5E1000-memory.dmp

memory/2644-54-0x000000013F4E0000-0x000000013F831000-memory.dmp

memory/2236-53-0x000000013F4E0000-0x000000013F831000-memory.dmp

memory/2316-51-0x000000013F070000-0x000000013F3C1000-memory.dmp

C:\Windows\system\AQtYpgA.exe

MD5 4c454695921f29a4bf58d9f91291b246
SHA1 959c6597c26d405fca5abf201992dec3ac67747f
SHA256 bae2ab98d1a40fe0b83432f388b99f96b9fde4a7ba7c37c1658890526f5e5ed9
SHA512 77d7aecf8ac11e902269b9436287cd7267c31eafb76b8edb1b9af3bb9a3a5d29bb742f291e29fb4011c73f084fdd9b4dd91cc132fbc7d3ec88e072072fcc28d3

C:\Windows\system\czcNSRd.exe

MD5 8be4bd1ee508cd6a3f1533231040e5b9
SHA1 9e06b9f4a2b190c041e2fda88cbb6899bed3413b
SHA256 3abdb8f56a93985972f1e1e8fff43034a0db8b2c659af4a548a885e23f62c230
SHA512 37dacbbe99c294fed2bc93831351af68517968ce63bf447fb5bd644c3337dd6a03845e9e9ef9179e4fdd33e5ea3a6fe135050dd954bd649a507b856c6d6b65f6

memory/2236-48-0x00000000021A0000-0x00000000024F1000-memory.dmp

memory/1000-46-0x000000013F2C0000-0x000000013F611000-memory.dmp

memory/2236-34-0x000000013F520000-0x000000013F871000-memory.dmp

C:\Windows\system\FmkmaOX.exe

MD5 e9b4cfdc3b6f7b6c4320b1318d535210
SHA1 c420f7280a82f90744da70a17f27ad5a3d2af59b
SHA256 5ba92d078e5b2f03f2b6113905ac67e38c19ac13a7415d80d27873cb6261adaa
SHA512 8f4af482c1da57dbcba6696881e8eb84277edda2ad08eaff593e3374658baddab8a647f8f25fcd7245f6d223593ee71deaeae27b8ff3428b83356edc522fdf9f

memory/2172-20-0x000000013F060000-0x000000013F3B1000-memory.dmp

memory/2236-163-0x000000013F8D0000-0x000000013FC21000-memory.dmp

memory/2172-221-0x000000013F060000-0x000000013F3B1000-memory.dmp

memory/2304-223-0x000000013F290000-0x000000013F5E1000-memory.dmp

memory/2076-225-0x000000013F520000-0x000000013F871000-memory.dmp

memory/2316-228-0x000000013F070000-0x000000013F3C1000-memory.dmp

memory/1000-229-0x000000013F2C0000-0x000000013F611000-memory.dmp

memory/2628-231-0x000000013F0E0000-0x000000013F431000-memory.dmp

memory/2644-233-0x000000013F4E0000-0x000000013F831000-memory.dmp

memory/2180-235-0x000000013F760000-0x000000013FAB1000-memory.dmp

memory/2964-237-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/2700-241-0x000000013F5B0000-0x000000013F901000-memory.dmp

memory/2536-240-0x000000013FD90000-0x00000001400E1000-memory.dmp

memory/2500-243-0x000000013FD50000-0x00000001400A1000-memory.dmp

memory/1312-256-0x000000013FAC0000-0x000000013FE11000-memory.dmp

memory/1892-246-0x000000013F9C0000-0x000000013FD11000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 15:48

Reported

2024-11-10 15:51

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\dhRCBfx.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mMTdqMD.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xmaJdvR.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BduGTDT.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lwpFgQI.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aEygsxg.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zufUofr.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tViZCKL.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ITGtWPq.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uuZPvEe.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bwjaFhf.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ykTtcUq.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dOlJUfP.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cNjqzlW.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pfNoDHV.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KyKCGvg.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gMEWJjN.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nAZnDdo.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jzInWfI.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AiTHIwA.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\adnyHxz.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4716 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dOlJUfP.exe
PID 4716 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dOlJUfP.exe
PID 4716 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dhRCBfx.exe
PID 4716 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dhRCBfx.exe
PID 4716 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cNjqzlW.exe
PID 4716 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cNjqzlW.exe
PID 4716 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pfNoDHV.exe
PID 4716 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pfNoDHV.exe
PID 4716 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mMTdqMD.exe
PID 4716 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mMTdqMD.exe
PID 4716 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KyKCGvg.exe
PID 4716 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KyKCGvg.exe
PID 4716 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xmaJdvR.exe
PID 4716 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xmaJdvR.exe
PID 4716 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jzInWfI.exe
PID 4716 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jzInWfI.exe
PID 4716 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AiTHIwA.exe
PID 4716 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AiTHIwA.exe
PID 4716 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ITGtWPq.exe
PID 4716 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ITGtWPq.exe
PID 4716 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BduGTDT.exe
PID 4716 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BduGTDT.exe
PID 4716 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lwpFgQI.exe
PID 4716 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lwpFgQI.exe
PID 4716 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uuZPvEe.exe
PID 4716 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uuZPvEe.exe
PID 4716 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aEygsxg.exe
PID 4716 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aEygsxg.exe
PID 4716 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bwjaFhf.exe
PID 4716 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bwjaFhf.exe
PID 4716 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zufUofr.exe
PID 4716 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zufUofr.exe
PID 4716 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\adnyHxz.exe
PID 4716 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\adnyHxz.exe
PID 4716 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tViZCKL.exe
PID 4716 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tViZCKL.exe
PID 4716 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ykTtcUq.exe
PID 4716 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ykTtcUq.exe
PID 4716 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gMEWJjN.exe
PID 4716 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gMEWJjN.exe
PID 4716 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nAZnDdo.exe
PID 4716 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nAZnDdo.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\dOlJUfP.exe

C:\Windows\System\dOlJUfP.exe

C:\Windows\System\dhRCBfx.exe

C:\Windows\System\dhRCBfx.exe

C:\Windows\System\cNjqzlW.exe

C:\Windows\System\cNjqzlW.exe

C:\Windows\System\pfNoDHV.exe

C:\Windows\System\pfNoDHV.exe

C:\Windows\System\mMTdqMD.exe

C:\Windows\System\mMTdqMD.exe

C:\Windows\System\KyKCGvg.exe

C:\Windows\System\KyKCGvg.exe

C:\Windows\System\xmaJdvR.exe

C:\Windows\System\xmaJdvR.exe

C:\Windows\System\jzInWfI.exe

C:\Windows\System\jzInWfI.exe

C:\Windows\System\AiTHIwA.exe

C:\Windows\System\AiTHIwA.exe

C:\Windows\System\ITGtWPq.exe

C:\Windows\System\ITGtWPq.exe

C:\Windows\System\BduGTDT.exe

C:\Windows\System\BduGTDT.exe

C:\Windows\System\lwpFgQI.exe

C:\Windows\System\lwpFgQI.exe

C:\Windows\System\uuZPvEe.exe

C:\Windows\System\uuZPvEe.exe

C:\Windows\System\aEygsxg.exe

C:\Windows\System\aEygsxg.exe

C:\Windows\System\bwjaFhf.exe

C:\Windows\System\bwjaFhf.exe

C:\Windows\System\zufUofr.exe

C:\Windows\System\zufUofr.exe

C:\Windows\System\adnyHxz.exe

C:\Windows\System\adnyHxz.exe

C:\Windows\System\tViZCKL.exe

C:\Windows\System\tViZCKL.exe

C:\Windows\System\ykTtcUq.exe

C:\Windows\System\ykTtcUq.exe

C:\Windows\System\gMEWJjN.exe

C:\Windows\System\gMEWJjN.exe

C:\Windows\System\nAZnDdo.exe

C:\Windows\System\nAZnDdo.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/4716-0-0x00007FF6C6DA0000-0x00007FF6C70F1000-memory.dmp

memory/4716-1-0x0000026926780000-0x0000026926790000-memory.dmp

C:\Windows\System\dOlJUfP.exe

MD5 e9a6a9dbb85ea60ddfcb370611edf874
SHA1 dd0f54478055adcd41edacf5a59374f4bb3c401b
SHA256 365f6b879ee7b4c243e987d0a989285c782b40680d4cd457a40cdce4acb70e44
SHA512 9677b171986bb2c964f35f032c916d7d9afd4ce0a0885f7409c350978cce1dcf978750c153f26c74bcad1451f7c2a1ddff421f54d6159cb79f42e19ca80228cb

memory/4424-8-0x00007FF6F89F0000-0x00007FF6F8D41000-memory.dmp

C:\Windows\System\dhRCBfx.exe

MD5 079762613fed53684b685794bc83b4bf
SHA1 369ef5fcc3b85a80dcb4e40aba4c3105cf95f60c
SHA256 e0e00eafa99127dd6430f9be654d15b7c527509d2dc3a4b6f4922cf1ea68bcf9
SHA512 8e6eba0baceb7357a6cc930405aab592dff7d515fa3940910c43f5e6b01669aab6e71f41732c72246051098acc9fe80800269609b1619fae87648aa7db83edef

memory/3464-18-0x00007FF6A9B40000-0x00007FF6A9E91000-memory.dmp

C:\Windows\System\pfNoDHV.exe

MD5 bd6b7aa99d22efa76da26000c0ccb11c
SHA1 041ccb7544cacfd8080e316e97cef08f457008ef
SHA256 253b447a9cec0bd03f521c7e00434ce41bee007f211365f3382a028fd523a9fa
SHA512 c84a635141d5992560931d670d3884a87cd635ad7134ae972debfc5579d3df3211e1aa572b02e62222e908f0822d68178f1f3363aca00a843a93ac39fdbae1e8

memory/1572-23-0x00007FF6469F0000-0x00007FF646D41000-memory.dmp

C:\Windows\System\mMTdqMD.exe

MD5 23e02ffc2d38395979c020b146d82878
SHA1 b761e07714d931ae3742b9332e4d26991404dc39
SHA256 2a2e36762374ae06fdd77efe70eb8001412b8a9ac247fba6e6d13d0c4b54c9b5
SHA512 7eb8f6a19db0b8ae7feed5c84a8fe6749819429347b17723448f73a1f96c9be4a86b35aefa035c74f0a55d3bb33fad13ede65d4f9508dd2a5d53eee6e5e3cc66

C:\Windows\System\jzInWfI.exe

MD5 92a702da68428067fb8148e4ed1e94ce
SHA1 638c795226ed6d804d76199beccb11c2bbe223de
SHA256 abff49ed1640169e4dfd8eb2326bdef59e17432675522b61a8ad7dd8c18b1831
SHA512 b6bfe99234b44ed9614de1e8d2a108ab46214e779cdeadb477e523e270cd383a9eeb5f10eb46ec4702232eb7811a797735af70cf5a8a0c7bac65801a886ab75b

C:\Windows\System\ITGtWPq.exe

MD5 f6cff765ca7358ec6e9aceaf8114857f
SHA1 3735b376b472d5e5d16d2393884ff9649ace8f20
SHA256 3cf1749e131adcf89cd98574a1484650c693245b925e005f9733dcb652f0f492
SHA512 e894e08353e883633b82b5a072a6110693b183df810f4ae4f2c83adcf8b2ff194b5d313763abd0142fdb38b0abd76da9017b7ad5f38b136f661225f882bd04a8

C:\Windows\System\lwpFgQI.exe

MD5 16896adb283d0a022b07b6aaf2a058a9
SHA1 cc15666a4c59ed26bf6dc27704ec0d9b222104ef
SHA256 3a3ce17d54fd381f3b3e28816d4543ab432d5ed0814926ab479120d815d05933
SHA512 1dfd0966b375cac69a31f58b1a7860c6df72f2130684e9beb8435dbae01f6bd6c83ed0e867235376972ee2dd31c205714439ce4c073c3381773a65466e2b471f

C:\Windows\System\zufUofr.exe

MD5 8b33dce1c03a7828016f39d8cb18481d
SHA1 058f6b1d52bb8dc2ae1844280dc99ef765383d07
SHA256 b14e6965d26545912384a50eba38b42ffe5ff8a26fb68673729a4c79f089c4ed
SHA512 cdd67d74f72340448dd8194fb74efd9301b25fd00ee952a0b300b0f92dd25ce1ffdcd3f3bd68f0e34607baca92605e899faf7671357f29fca488f38614d79a1b

memory/4360-86-0x00007FF630CA0000-0x00007FF630FF1000-memory.dmp

C:\Windows\System\bwjaFhf.exe

MD5 7480fb196400e769b7efbb179794105f
SHA1 6c757e4d80aaf91070480e0f97fb7a6906cab291
SHA256 64f385f6df99ea05030f1f424bec2344fd90d711471fc8ccfbfb8c1a0298d471
SHA512 9316daff5c13e72fa7736443bd9e2496a8eef341e0f279c2838918d529898fb411632571f2641be678cda53f7581ecf39d1484192831f27c8c1b05a79c4a5243

memory/4776-95-0x00007FF73C590000-0x00007FF73C8E1000-memory.dmp

memory/892-98-0x00007FF780DD0000-0x00007FF781121000-memory.dmp

memory/3680-97-0x00007FF7476A0000-0x00007FF7479F1000-memory.dmp

memory/4336-96-0x00007FF703120000-0x00007FF703471000-memory.dmp

memory/4444-94-0x00007FF771710000-0x00007FF771A61000-memory.dmp

memory/3772-89-0x00007FF78B8D0000-0x00007FF78BC21000-memory.dmp

memory/2840-88-0x00007FF6464E0000-0x00007FF646831000-memory.dmp

memory/732-87-0x00007FF6940B0000-0x00007FF694401000-memory.dmp

C:\Windows\System\aEygsxg.exe

MD5 4853deb4b8bbcdf358dbf95a67d8c966
SHA1 10508b7e466f71d776460701244e82b6dcc3cf1c
SHA256 5f123c9f2f6d6e01c3ee6aa498889d3c935784979e8bebd61c8652b9ffb23e5c
SHA512 6fb151dd1166c5aaceb5eabd339f4fc61cab2b47e9c10a8f3a6720f98ec4a91f228b8ff89cd1727edb7b86f3007efae9761980e78e41d5fefdcbdcee17827940

memory/1420-82-0x00007FF7788B0000-0x00007FF778C01000-memory.dmp

memory/4392-77-0x00007FF7E0C40000-0x00007FF7E0F91000-memory.dmp

C:\Windows\System\uuZPvEe.exe

MD5 d2bc4d1392ac8bfc558d8d60c79c12ed
SHA1 4575e24b8143efc6bc7ff3568a7dac55eeddf745
SHA256 9e983b7aaa75376974d975cde5bbbdd098d9260ad802163845e3a520de9d49e6
SHA512 37a2cb5e67a5595d7613d8133107bbba434a21d4a370fdf8c3e75be6415a8fe638ff7311da9d8138b4ca9b36cab55ae1d75d1d59f00b7bd07ae93e257aa82451

memory/5056-68-0x00007FF64ED20000-0x00007FF64F071000-memory.dmp

C:\Windows\System\BduGTDT.exe

MD5 fe3788f812d5180761888e5fa1a25392
SHA1 727c7c8542acc9e5ef31b35ec4f7294f6e0daaf3
SHA256 9ade302588f06b61b3ae753eff2b2992e333043f1d80aba3c2419deb217167ed
SHA512 43b66b4114bfc8d1a99bdeafefccb785e06b8e70704c69449db6acc19c3a6f519101a631af1be8aa239d4ba15dce8c3b2f6a97267b50219658a2d3c379f891c2

C:\Windows\System\AiTHIwA.exe

MD5 c87529a90e6f9c71b1cde0c4618143d0
SHA1 fc6e2d3f7e4e4b2b9c187952046f4387b8e0ec07
SHA256 5ddf0ff59084c491527f50db1f14138317015dc58c11f87fa52bce1d7f96c6cd
SHA512 b163b4b4288da8c4557e29a9ffaa1479ce9f10e1b4c835b8f5cfdd8a0f6c15702e707ad5aee8c5c0ee1eb5326af56bedda6985a365bc9a5f9de76b6ada3afc99

C:\Windows\System\xmaJdvR.exe

MD5 22fd57850ffa55b526f92c267489b661
SHA1 cbe5bc43b1780cc8b89be23be9b0945dd30a9617
SHA256 e788fbce21a1d87aec42e206e6f07e38841702138fe72075cf08bf3804059451
SHA512 2506312a5704fd5d1c1a18d2cc8a99ee83210e3bd4f6da456b360118ddf1a1415d39f7c335e6d5cd3c28b9b41dc73715e6e5bd1c629e43bdcbbee643befff75a

C:\Windows\System\KyKCGvg.exe

MD5 bd8219a4c62cff3e8c4fa6d14b364fe7
SHA1 45c21dd3260e0334f136299d6129c9fe5d9adf62
SHA256 b45cc4dc517dfa86df52a198dca1c055f1ad0463c40fa6e294dc068a3fa2062c
SHA512 429c550b5072a6c2b360d5f6b51827b933b9a79beffd4dfe037f429ab90392b55b5faa7436321094f59ae239fa4720c6d1410bb707f5cc78d815a0da6b47c0a3

memory/4244-31-0x00007FF74C110000-0x00007FF74C461000-memory.dmp

C:\Windows\System\cNjqzlW.exe

MD5 c0b94d705346add5f44eb1fa1e6f3e26
SHA1 68b23878921759eac92370d077540c5eb8f2dc8d
SHA256 7ee9f817b95ecf504adb3ed0da9b725b1fdd343318fcdea72f39419008a467fd
SHA512 558df339682bcaf076752da39016c817ce1bedff372b34fb9dd81c906e935e3b4038cc987f92429f5bfbdf88bc51812613c52c47a0046198cad55f98debfe224

memory/3464-103-0x00007FF6A9B40000-0x00007FF6A9E91000-memory.dmp

memory/4716-101-0x00007FF6C6DA0000-0x00007FF6C70F1000-memory.dmp

memory/4244-106-0x00007FF74C110000-0x00007FF74C461000-memory.dmp

C:\Windows\System\gMEWJjN.exe

MD5 0d1e720bd7c19c293034eb8eb399472e
SHA1 31ee9bceb9919f3e17d3dae12c4b1293b6521caf
SHA256 5504997df9f4a1e6948b64c8e417a3d517e8b0c8500a62a96ae6dcef39346b89
SHA512 157235d4e61476ea7cb121bec4ab8b1ac726fbd59c893bcc3f0c2724e063a69ac0d982acb7d6b25584d23214820369a8448e05e2eeac3b11f86199b1064d15f4

C:\Windows\System\ykTtcUq.exe

MD5 e6f81648a19159a1c1e9fd69454521f9
SHA1 42fd0feaff8c10fd43a3e37a9d31e883f69dd0c3
SHA256 5d7f68c07d40ffd3c409e6b0a2e26fc97e5fa45d4e64ee37eb692fbc0be5da36
SHA512 022efff137e0da4a04ce36fd0ccbd0cd1c39c5be480019cd4db06f007e6e9740941a648e8d9e0f20bc7ffa9fa859730ef394e10383a61c17e5ca180c0c10ec98

memory/752-135-0x00007FF6BCEA0000-0x00007FF6BD1F1000-memory.dmp

C:\Windows\System\adnyHxz.exe

MD5 8f23d394252f614a39815d8d0f76d938
SHA1 1f11b6fc6408f929ec6bbc689309393e9c7ccbc6
SHA256 1eda6ef0a95528cd3f8be7687cb99489f9c27fe6762648cf55238905779facb8
SHA512 88cacee4f2b1ad3c624ad4210ecdf88a44d2aa016980e96c2836f1bdafffdd62da1cc5a24ff29629547db8089433ffb7ecc23f6f5b880e25c49936aff729d419

C:\Windows\System\tViZCKL.exe

MD5 ece8dab3448b67fa23e9fd9750c2b21f
SHA1 a611749afc53a0e92849eb5646a20ba5ea871c82
SHA256 a6fb17a06521085380cdc3525775c733fe7baea49e4fff3d1b39e547aadb451a
SHA512 767a9cf2499bab55080de8f6febc502888bd3b6b32a51686e22d622ba82cb1c6acdeff5daceac0b03a5380e2482158e89fdaa4c8e782763d0de2ab63c484a02a

memory/2996-134-0x00007FF6FCD10000-0x00007FF6FD061000-memory.dmp

memory/2372-132-0x00007FF7C59C0000-0x00007FF7C5D11000-memory.dmp

C:\Windows\System\nAZnDdo.exe

MD5 3eab7768f05066a7d957f76138b2318a
SHA1 d4ebb9d8edcc74365a22cbdde44a4ad7cce234e0
SHA256 d1619364fded668f8a384dbe1a9503e3a03c50ec66c5f4a6dfaed7b634a5dcfe
SHA512 894228044e906ce492fb4a743d75f9d45d3af63301a4790762dd0f318bc229b2ac0d255afd691c176901922ee8a357ca3974e64441926e616af9c79ded35b68b

memory/1572-105-0x00007FF6469F0000-0x00007FF646D41000-memory.dmp

memory/4424-102-0x00007FF6F89F0000-0x00007FF6F8D41000-memory.dmp

memory/1324-143-0x00007FF745B80000-0x00007FF745ED1000-memory.dmp

memory/888-144-0x00007FF625970000-0x00007FF625CC1000-memory.dmp

memory/4716-145-0x00007FF6C6DA0000-0x00007FF6C70F1000-memory.dmp

memory/4716-146-0x00007FF6C6DA0000-0x00007FF6C70F1000-memory.dmp

memory/2996-164-0x00007FF6FCD10000-0x00007FF6FD061000-memory.dmp

memory/752-165-0x00007FF6BCEA0000-0x00007FF6BD1F1000-memory.dmp

memory/2372-163-0x00007FF7C59C0000-0x00007FF7C5D11000-memory.dmp

memory/4716-168-0x00007FF6C6DA0000-0x00007FF6C70F1000-memory.dmp

memory/4424-205-0x00007FF6F89F0000-0x00007FF6F8D41000-memory.dmp

memory/3464-207-0x00007FF6A9B40000-0x00007FF6A9E91000-memory.dmp

memory/4244-209-0x00007FF74C110000-0x00007FF74C461000-memory.dmp

memory/1572-211-0x00007FF6469F0000-0x00007FF646D41000-memory.dmp

memory/4776-217-0x00007FF73C590000-0x00007FF73C8E1000-memory.dmp

memory/4392-216-0x00007FF7E0C40000-0x00007FF7E0F91000-memory.dmp

memory/4336-219-0x00007FF703120000-0x00007FF703471000-memory.dmp

memory/5056-214-0x00007FF64ED20000-0x00007FF64F071000-memory.dmp

memory/1420-234-0x00007FF7788B0000-0x00007FF778C01000-memory.dmp

memory/3772-239-0x00007FF78B8D0000-0x00007FF78BC21000-memory.dmp

memory/732-243-0x00007FF6940B0000-0x00007FF694401000-memory.dmp

memory/2840-241-0x00007FF6464E0000-0x00007FF646831000-memory.dmp

memory/4444-238-0x00007FF771710000-0x00007FF771A61000-memory.dmp

memory/892-235-0x00007FF780DD0000-0x00007FF781121000-memory.dmp

memory/4360-231-0x00007FF630CA0000-0x00007FF630FF1000-memory.dmp

memory/3680-230-0x00007FF7476A0000-0x00007FF7479F1000-memory.dmp

memory/888-251-0x00007FF625970000-0x00007FF625CC1000-memory.dmp

memory/2372-254-0x00007FF7C59C0000-0x00007FF7C5D11000-memory.dmp

memory/1324-255-0x00007FF745B80000-0x00007FF745ED1000-memory.dmp

memory/752-257-0x00007FF6BCEA0000-0x00007FF6BD1F1000-memory.dmp

memory/2996-259-0x00007FF6FCD10000-0x00007FF6FD061000-memory.dmp