Malware Analysis Report

2025-01-22 19:26

Sample ID 240806-t8fz9sxhlh
Target 2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat
SHA256 fac50c17f8c212c120e2764de5d2b9b44ac32cce59e96a01d93953fd32dbb306
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

fac50c17f8c212c120e2764de5d2b9b44ac32cce59e96a01d93953fd32dbb306

Threat Level: Known bad

The file 2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Xmrig family

Cobalt Strike reflective loader

xmrig

Cobaltstrike

XMRig Miner payload

Cobaltstrike family

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 16:43

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Xmrig family

xmrig

UPX packed file

upx
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 16:43

Reported

2024-08-06 16:46

Platform

win7-20240708-en

Max time kernel

142s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\tnUofSw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ghdiXRd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qyQLuGD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gvDrfuf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RBdInQv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yfIIqsy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Tasdxio.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WpJxNJy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fPtJxge.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XeJizAb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ULJTnrJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NABSSkZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JUJvWMd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vBGqZlV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\acHLAtb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\omxPRng.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xVZfPxb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jkrVjAE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JzUHqmX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sIaHVRr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FMxJHHG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1532 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Tasdxio.exe
PID 1532 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WpJxNJy.exe
PID 1532 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xVZfPxb.exe
PID 1532 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fPtJxge.exe
PID 1532 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tnUofSw.exe
PID 1532 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jkrVjAE.exe
PID 1532 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XeJizAb.exe
PID 1532 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JUJvWMd.exe
PID 1532 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vBGqZlV.exe
PID 1532 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JzUHqmX.exe
PID 1532 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\acHLAtb.exe
PID 1532 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ghdiXRd.exe
PID 1532 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\omxPRng.exe
PID 1532 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ULJTnrJ.exe
PID 1532 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qyQLuGD.exe
PID 1532 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NABSSkZ.exe
PID 1532 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RBdInQv.exe
PID 1532 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gvDrfuf.exe
PID 1532 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yfIIqsy.exe
PID 1532 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sIaHVRr.exe
PID 1532 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FMxJHHG.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\Tasdxio.exe

C:\Windows\System\Tasdxio.exe

C:\Windows\System\WpJxNJy.exe

C:\Windows\System\WpJxNJy.exe

C:\Windows\System\xVZfPxb.exe

C:\Windows\System\xVZfPxb.exe

C:\Windows\System\fPtJxge.exe

C:\Windows\System\fPtJxge.exe

C:\Windows\System\tnUofSw.exe

C:\Windows\System\tnUofSw.exe

C:\Windows\System\jkrVjAE.exe

C:\Windows\System\jkrVjAE.exe

C:\Windows\System\XeJizAb.exe

C:\Windows\System\XeJizAb.exe

C:\Windows\System\JUJvWMd.exe

C:\Windows\System\JUJvWMd.exe

C:\Windows\System\vBGqZlV.exe

C:\Windows\System\vBGqZlV.exe

C:\Windows\System\JzUHqmX.exe

C:\Windows\System\JzUHqmX.exe

C:\Windows\System\acHLAtb.exe

C:\Windows\System\acHLAtb.exe

C:\Windows\System\ghdiXRd.exe

C:\Windows\System\ghdiXRd.exe

C:\Windows\System\omxPRng.exe

C:\Windows\System\omxPRng.exe

C:\Windows\System\ULJTnrJ.exe

C:\Windows\System\ULJTnrJ.exe

C:\Windows\System\qyQLuGD.exe

C:\Windows\System\qyQLuGD.exe

C:\Windows\System\NABSSkZ.exe

C:\Windows\System\NABSSkZ.exe

C:\Windows\System\RBdInQv.exe

C:\Windows\System\RBdInQv.exe

C:\Windows\System\gvDrfuf.exe

C:\Windows\System\gvDrfuf.exe

C:\Windows\System\yfIIqsy.exe

C:\Windows\System\yfIIqsy.exe

C:\Windows\System\sIaHVRr.exe

C:\Windows\System\sIaHVRr.exe

C:\Windows\System\FMxJHHG.exe

C:\Windows\System\FMxJHHG.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/1532-0-0x000000013FB60000-0x000000013FEB4000-memory.dmp

memory/1532-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\Tasdxio.exe

MD5 7e9bbd25ed6a4b917a9ecd1864d3b6b8
SHA1 eac2a27abcbca1f8a45528189390e2256a0a061f
SHA256 65f7af471506e1cf6035fd91b1aa1b06f45277142c50c65d3969afba4db2e63e
SHA512 3520663021dda657120ed901dc84fcfe9b41f8d8910e7b6c35314b4f4f2fa15a98d3d913cf287ad09c07d65d1f07b27b2d0492571b97664bae629451c4eff27e

\Windows\system\xVZfPxb.exe

MD5 98aa97df4458d8ac0b8689ac25497d4a
SHA1 605561a9535051febc8c37ea0dd4c24f1140765f
SHA256 cb2becc17c99064062afe079e29863d670bc5cd833e8599ea02472b1c2e5340d
SHA512 e145bb6e65da06fdb795bf906741784a8f799ff409d035d7dffbbb034582363de7b1ad12ce829a2c64cd2b4165483a97e1054f7ae375e0128b46930ed7ab4f31

C:\Windows\system\fPtJxge.exe

MD5 a9e182ec9151d0fd7c588b3df814fc5d
SHA1 6b6440eafcf491ad0db47b919723ace29db0f132
SHA256 a7880160f4783eef51f07d3bbfb22b0d1f7b1cbefb6fff3f0c7703c8eea56513
SHA512 d0f42bfdb714a2faf97100e1e1215462f16a30bade99a3780e64795b2707f79c11e66780cef17f1bbe09c744244380f2a644fc986751c31b84fffea0f29b7839

memory/2436-26-0x000000013F5C0000-0x000000013F914000-memory.dmp

memory/2172-28-0x000000013F440000-0x000000013F794000-memory.dmp

memory/1532-27-0x000000013F440000-0x000000013F794000-memory.dmp

memory/2568-25-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/2884-20-0x000000013F2B0000-0x000000013F604000-memory.dmp

C:\Windows\system\WpJxNJy.exe

MD5 ce3ea2a7140ec4a191cb0ce860fb1cac
SHA1 c9da29fc28e6919864a6c3c86d9724526a3cd830
SHA256 2c77586a47993d4982fdb69a1783b38bddd55970ad53bcdf9e81e14389c5f41d
SHA512 b8248db798f704966207f2e483b478cbf2c84fa71f08ef2a04699ae71541d3ea6ede6f6a0fbb1cd34e5d5beb42d460fa689c5e3d4c9bbaf8ab4c33319c152ebe

memory/1532-11-0x000000013F570000-0x000000013F8C4000-memory.dmp

C:\Windows\system\tnUofSw.exe

MD5 fc8394bae73509d71e3f7854b38b69fa
SHA1 e4a60621f39b3d6439750bbca7c1625669457261
SHA256 22c606584c0902f913d393e3c2b5cd32cba7d128663ceb43638f4d3bd6d77573
SHA512 a40317895402ce67b80fc1a6ed148a5a3d680c906fd35a713f3fe7f0971b69962cd6806232a26593ebe5c03ee3c1810f3a225072e18b1c84cf5e29005d4e9b66

memory/2428-35-0x000000013F0D0000-0x000000013F424000-memory.dmp

C:\Windows\system\jkrVjAE.exe

MD5 b9235e902ed8fd944657cac22a96058a
SHA1 31e1db4242949dc980d29056e5a6cb5a85044b52
SHA256 f9fdfefa9b78b6e55a557e36b40fca3ad186c2643b35e906f826d8fb566bf28a
SHA512 47051b21ee05649182287a8d08adc1ee0200643f591c576b5dd30dfdba078a2039f86fc8cf9a82114a0c6f7a18db90d4b6e97cf0155d86c85389f6a70858a918

memory/1532-40-0x000000013F370000-0x000000013F6C4000-memory.dmp

memory/2076-41-0x000000013F370000-0x000000013F6C4000-memory.dmp

memory/1532-34-0x000000013F0D0000-0x000000013F424000-memory.dmp

\Windows\system\XeJizAb.exe

MD5 076de34d79d6598237f2fab738d27ad6
SHA1 c25dd0f70637ed3723d452908b62451c8587886c
SHA256 0ade44cd87186f8011e92284628f8bb6193d9ebb0509fcf8a3217dda805678af
SHA512 c6eb1831f232fbcba13346f8087f02cf126b20cf11ddef2c66ed68e3d443368a6506a45f7bbcb18f30fb6738ef36c114de75473d8fe7b80490afea752daa4437

memory/2716-56-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/2700-62-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/2724-70-0x000000013FBC0000-0x000000013FF14000-memory.dmp

C:\Windows\system\ghdiXRd.exe

MD5 e05c830a043d08f79fea6d98abee5443
SHA1 26ae02ece319ef8edb96ea237504169a668f93db
SHA256 dde4958824bd428e94e2fde4f13b7531a5e5bb1e007b24fced2fccdae2afe7ba
SHA512 085eff5c3503a8c1ffaebf43a84b93c8c7362e187bf7edab32fae9501b535ebd5abaeb3404e1ca2229092965762226edabf9bee09490c21f2f7a167d9207141c

memory/2568-81-0x000000013F570000-0x000000013F8C4000-memory.dmp

\Windows\system\omxPRng.exe

MD5 70794d7fe6066a62acf8c5209012c17e
SHA1 d2380fe382830686c2b5733db5b4af9bcf6fb318
SHA256 0483d79e5a43c14aa2be3a96d6b9fbea2a16be283687ca4f7053ae842cec7502
SHA512 901652a44fc0a60e2c8aea3aca47c9a71d87abe9b5f6e7ed1af3b93f00ee39832044cb3121e65e5948a875f09c675bd74c3244e8b243d65e0e3b30da89b8a141

C:\Windows\system\yfIIqsy.exe

MD5 e0dd97d406c9c89e40c3349b79a6bcc7
SHA1 e428fa438861ad47ea85c30906104df63cd5c208
SHA256 6d7dadb3f07d6184c79d69e02a92b37d288d9a6a31f34f2125b187523d22c7fe
SHA512 45d4f44ce9d593ff6bfae0be23294e3ff023375c04564b9528d21c5b3ddd0dd8694b548a3107a7965fe2e1cfe24a293cf3f1b95d8bef470eee9a962d3e2458e7

\Windows\system\FMxJHHG.exe

MD5 1be3e423a43c529458a1f519bfe41222
SHA1 f4867d2d5ecc929e86ddd984215d5f505e5cca33
SHA256 880ff948cfce794c4a9e7a4f387df7ca37ae86e6606d27aac5bb1c8add8d8058
SHA512 da62b0312ce5728987624cb6c95405cbc2e99ec4c44232cd487c7dfcbcf5db0068e52be7aeb77243a2b22efacc3aba2a818d2703683ed58590bf7d0b99dddd23

C:\Windows\system\sIaHVRr.exe

MD5 a3075465e067d8c56b580408efb0787a
SHA1 1dbef8902274df99024b68a340c0cff89a793ca7
SHA256 637edcc6ca1ced00419a6df367aeb85a1e995f58ed91476f36ee0ab4420d1e76
SHA512 54274f15271a351271a13cb3efcf22d850967f078d0d3191ddca4802b009257034e8491d2d0ae5b148b9f855da42d94276b57ada2ef821cbdc78e537bddcf9e1

C:\Windows\system\gvDrfuf.exe

MD5 9ea58de6b0a665d6ce2ea08344f852f6
SHA1 0221ff1940af63a1cd369e4399c849b1f58c7f5a
SHA256 0fcd6c85badfbc814bd955d499071e67945dc4286245e991596999dd2ebf8c9d
SHA512 1b01074710104d0c3472bf94ece4422c624932e753bf257a386316835045a7f24a7154fd67bcc623e42c3ee5a238cb256aa92f90507289645564558706db1de3

C:\Windows\system\RBdInQv.exe

MD5 05b068cce9887186959266c285e68169
SHA1 47e87b8bb479f95b3cc0deba8d1240c53d0ee9f5
SHA256 405e7a4a9d8fe7ef428697c2d006347f5f87f57b55ea7687792f2f487284f6bb
SHA512 da1dc83000cc9f97b9870f09c194601b7f813f3a3fd5b6bf70e648bd1e5938cc7843a3324eb2c1856df83c6d8614787184808ace7f1791714b598ab6c4342b8a

C:\Windows\system\NABSSkZ.exe

MD5 db9e51f7676579d9293bffc3023d2b77
SHA1 f1bc57d4441b86c5a2bd713911401690319695fe
SHA256 bc7aa6946d06c36c0bf2463d28d44234a8044f9a0bf7a1e4f3060954f169477a
SHA512 c7eea84ec334b1f29cf653bad4d40ea3b4cdea60892868e150ab00d8bf538616e6cc7dd43784c21614b45a0b4db3edea03babaf6a0069141e0159341330105d2

C:\Windows\system\qyQLuGD.exe

C:\Windows\system\ULJTnrJ.exe

C:\Windows\system\acHLAtb.exe

C:\Windows\system\JzUHqmX.exe

C:\Windows\system\vBGqZlV.exe

C:\Windows\system\JUJvWMd.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 16:43

Reported

2024-08-06 16:46

Platform

win10v2004-20240802-en

Max time kernel

134s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\YHZYLzL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xQXytOg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HsIlSOw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RFFgPSX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FPfTSHX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JWRjBsz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tuVJxiQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xlyFFLX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dhlPzqA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uuValsa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rgDxPsn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gNIKgPe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hPGKrpk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\driynTt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WgpeZTb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hKjzJla.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rMIVgTX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WCMIPAh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cbuzTWH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xoojwgW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\heBJqMf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3184 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WCMIPAh.exe
PID 3184 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rgDxPsn.exe
PID 3184 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gNIKgPe.exe
PID 3184 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FPfTSHX.exe
PID 3184 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JWRjBsz.exe
PID 3184 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tuVJxiQ.exe
PID 3184 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hPGKrpk.exe
PID 3184 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cbuzTWH.exe
PID 3184 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xlyFFLX.exe
PID 3184 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dhlPzqA.exe
PID 3184 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xoojwgW.exe
PID 3184 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YHZYLzL.exe
PID 3184 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uuValsa.exe
PID 3184 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xQXytOg.exe
PID 3184 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\heBJqMf.exe
PID 3184 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WgpeZTb.exe
PID 3184 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hKjzJla.exe
PID 3184 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\driynTt.exe
PID 3184 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rMIVgTX.exe
PID 3184 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HsIlSOw.exe
PID 3184 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RFFgPSX.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\WCMIPAh.exe

C:\Windows\System\WCMIPAh.exe

C:\Windows\System\rgDxPsn.exe

C:\Windows\System\rgDxPsn.exe

C:\Windows\System\gNIKgPe.exe

C:\Windows\System\gNIKgPe.exe

C:\Windows\System\FPfTSHX.exe

C:\Windows\System\FPfTSHX.exe

C:\Windows\System\JWRjBsz.exe

C:\Windows\System\JWRjBsz.exe

C:\Windows\System\tuVJxiQ.exe

C:\Windows\System\tuVJxiQ.exe

C:\Windows\System\hPGKrpk.exe

C:\Windows\System\hPGKrpk.exe

C:\Windows\System\cbuzTWH.exe

C:\Windows\System\cbuzTWH.exe

C:\Windows\System\xlyFFLX.exe

C:\Windows\System\xlyFFLX.exe

C:\Windows\System\dhlPzqA.exe

C:\Windows\System\dhlPzqA.exe

C:\Windows\System\xoojwgW.exe

C:\Windows\System\xoojwgW.exe

C:\Windows\System\YHZYLzL.exe

C:\Windows\System\YHZYLzL.exe

C:\Windows\System\uuValsa.exe

C:\Windows\System\uuValsa.exe

C:\Windows\System\xQXytOg.exe

C:\Windows\System\xQXytOg.exe

C:\Windows\System\heBJqMf.exe

C:\Windows\System\heBJqMf.exe

C:\Windows\System\WgpeZTb.exe

C:\Windows\System\WgpeZTb.exe

C:\Windows\System\hKjzJla.exe

C:\Windows\System\hKjzJla.exe

C:\Windows\System\driynTt.exe

C:\Windows\System\driynTt.exe

C:\Windows\System\rMIVgTX.exe

C:\Windows\System\rMIVgTX.exe

C:\Windows\System\HsIlSOw.exe

C:\Windows\System\HsIlSOw.exe

C:\Windows\System\RFFgPSX.exe

C:\Windows\System\RFFgPSX.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 18.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 52.111.229.48:443 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\WCMIPAh.exe

C:\Windows\System\gNIKgPe.exe

C:\Windows\System\rgDxPsn.exe

C:\Windows\System\JWRjBsz.exe

C:\Windows\System\tuVJxiQ.exe

C:\Windows\System\FPfTSHX.exe

C:\Windows\System\hPGKrpk.exe

C:\Windows\System\xlyFFLX.exe

C:\Windows\System\WgpeZTb.exe

C:\Windows\System\heBJqMf.exe

C:\Windows\System\RFFgPSX.exe

C:\Windows\System\HsIlSOw.exe

C:\Windows\System\rMIVgTX.exe

C:\Windows\System\driynTt.exe

C:\Windows\System\hKjzJla.exe

C:\Windows\System\xQXytOg.exe

C:\Windows\System\YHZYLzL.exe

C:\Windows\System\uuValsa.exe

C:\Windows\System\xoojwgW.exe

C:\Windows\System\dhlPzqA.exe

C:\Windows\System\cbuzTWH.exe