Malware Analysis Report

2025-01-22 19:26

Sample ID 240806-teaamaxbme
Target 2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat
SHA256 71d98518acc17769e133e17eab1883bf1e1a4385387409cd7d942488cfd847f0
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

71d98518acc17769e133e17eab1883bf1e1a4385387409cd7d942488cfd847f0

Threat Level: Known bad

The file 2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike family

Cobalt Strike reflective loader

Cobaltstrike

xmrig

Xmrig family

XMRig Miner payload

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 15:57

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 15:57

Reported

2024-08-06 16:00

Platform

win7-20240708-en

Max time kernel

142s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\gJFSpFl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bVqNhPZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kFMGXVN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ePNgDhn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GBzTqMA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HNZlAKW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bAiXLuL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gLhbCrH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PnfKdeY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IEOmDtq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DeGEdDi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WshGKsu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GBNyTYj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vvbJkMb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UfaPsxa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\REJLOgs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZzRFgGw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rurUHyz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tpYcHTi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ExnNNJs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UDKhKOC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2680 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\REJLOgs.exe
PID 2680 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\REJLOgs.exe
PID 2680 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\REJLOgs.exe
PID 2680 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZzRFgGw.exe
PID 2680 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZzRFgGw.exe
PID 2680 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZzRFgGw.exe
PID 2680 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GBzTqMA.exe
PID 2680 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GBzTqMA.exe
PID 2680 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GBzTqMA.exe
PID 2680 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HNZlAKW.exe
PID 2680 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HNZlAKW.exe
PID 2680 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HNZlAKW.exe
PID 2680 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DeGEdDi.exe
PID 2680 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DeGEdDi.exe
PID 2680 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DeGEdDi.exe
PID 2680 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gJFSpFl.exe
PID 2680 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gJFSpFl.exe
PID 2680 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gJFSpFl.exe
PID 2680 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bVqNhPZ.exe
PID 2680 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bVqNhPZ.exe
PID 2680 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bVqNhPZ.exe
PID 2680 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bAiXLuL.exe
PID 2680 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bAiXLuL.exe
PID 2680 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bAiXLuL.exe
PID 2680 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kFMGXVN.exe
PID 2680 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kFMGXVN.exe
PID 2680 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kFMGXVN.exe
PID 2680 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rurUHyz.exe
PID 2680 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rurUHyz.exe
PID 2680 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rurUHyz.exe
PID 2680 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gLhbCrH.exe
PID 2680 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gLhbCrH.exe
PID 2680 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gLhbCrH.exe
PID 2680 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tpYcHTi.exe
PID 2680 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tpYcHTi.exe
PID 2680 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tpYcHTi.exe
PID 2680 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PnfKdeY.exe
PID 2680 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PnfKdeY.exe
PID 2680 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PnfKdeY.exe
PID 2680 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ExnNNJs.exe
PID 2680 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ExnNNJs.exe
PID 2680 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ExnNNJs.exe
PID 2680 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WshGKsu.exe
PID 2680 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WshGKsu.exe
PID 2680 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WshGKsu.exe
PID 2680 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GBNyTYj.exe
PID 2680 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GBNyTYj.exe
PID 2680 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GBNyTYj.exe
PID 2680 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vvbJkMb.exe
PID 2680 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vvbJkMb.exe
PID 2680 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vvbJkMb.exe
PID 2680 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UfaPsxa.exe
PID 2680 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UfaPsxa.exe
PID 2680 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UfaPsxa.exe
PID 2680 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UDKhKOC.exe
PID 2680 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UDKhKOC.exe
PID 2680 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UDKhKOC.exe
PID 2680 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ePNgDhn.exe
PID 2680 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ePNgDhn.exe
PID 2680 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ePNgDhn.exe
PID 2680 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IEOmDtq.exe
PID 2680 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IEOmDtq.exe
PID 2680 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IEOmDtq.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\REJLOgs.exe

C:\Windows\System\REJLOgs.exe

C:\Windows\System\ZzRFgGw.exe

C:\Windows\System\ZzRFgGw.exe

C:\Windows\System\GBzTqMA.exe

C:\Windows\System\GBzTqMA.exe

C:\Windows\System\HNZlAKW.exe

C:\Windows\System\HNZlAKW.exe

C:\Windows\System\DeGEdDi.exe

C:\Windows\System\DeGEdDi.exe

C:\Windows\System\gJFSpFl.exe

C:\Windows\System\gJFSpFl.exe

C:\Windows\System\bVqNhPZ.exe

C:\Windows\System\bVqNhPZ.exe

C:\Windows\System\bAiXLuL.exe

C:\Windows\System\bAiXLuL.exe

C:\Windows\System\kFMGXVN.exe

C:\Windows\System\kFMGXVN.exe

C:\Windows\System\rurUHyz.exe

C:\Windows\System\rurUHyz.exe

C:\Windows\System\gLhbCrH.exe

C:\Windows\System\gLhbCrH.exe

C:\Windows\System\tpYcHTi.exe

C:\Windows\System\tpYcHTi.exe

C:\Windows\System\PnfKdeY.exe

C:\Windows\System\PnfKdeY.exe

C:\Windows\System\ExnNNJs.exe

C:\Windows\System\ExnNNJs.exe

C:\Windows\System\WshGKsu.exe

C:\Windows\System\WshGKsu.exe

C:\Windows\System\GBNyTYj.exe

C:\Windows\System\GBNyTYj.exe

C:\Windows\System\vvbJkMb.exe

C:\Windows\System\vvbJkMb.exe

C:\Windows\System\UfaPsxa.exe

C:\Windows\System\UfaPsxa.exe

C:\Windows\System\UDKhKOC.exe

C:\Windows\System\UDKhKOC.exe

C:\Windows\System\ePNgDhn.exe

C:\Windows\System\ePNgDhn.exe

C:\Windows\System\IEOmDtq.exe

C:\Windows\System\IEOmDtq.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/2680-0-0x000000013FFC0000-0x0000000140314000-memory.dmp

memory/2680-1-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\GBzTqMA.exe

MD5 cae11ee601a12481c738fdbe79ae70d8
SHA1 c99a53932dea4e8b40d635f1b7fa632ceb9d1b92
SHA256 aa89fb8e728c628adc77b0cfb57cb6dd3ef6d0e2c17c77d610e6386b4cf68a2f
SHA512 01c88004cf2c2a11509454d0cf09622041e5e8bb8ca28c6fdc7aa9cde619e2c52aa53f37b9a5c99cee95cfde18874d6279536e6109b0b2368d64ff9420c11510

memory/2680-9-0x0000000002350000-0x00000000026A4000-memory.dmp

\Windows\system\ZzRFgGw.exe

MD5 aba154ac8da8c6dbbe6ca9dff77cfe0a
SHA1 9fadf640d384bb7fde03bd1fb3fba4aa6c282d4c
SHA256 55703cfed6bd69b2ebdde31b49164b003e2e3f1af2078f15d67ce5c9e06fbab6
SHA512 74290d13c105451398bb93215bf8245fea8d6b85df0f8bb659246a8c4604491b22120b61e199a9fa29e8ec1e7718625f169fbc984f819bdf6b7c92ba14a77baa

C:\Windows\system\REJLOgs.exe

MD5 0fde5577a3de0a4f49610d5e2636be51
SHA1 f8cb363ef96d5aa0f183cbe065c99ee8c7a669d5
SHA256 55b9ae806e7b4bd0acd5c54402f65173a3fb2f79563a34c974479e81b0e33957
SHA512 b0fcde08a3dad778bae98b4a44698af1a995dead0c32a46403f080b514a5853a1f914f9cd9c241f79e05b8a0c82d4e00ef3231e97352c59c96e06835af56d6f2

\Windows\system\HNZlAKW.exe

MD5 5e1d165b232dd3ef1a5b491c96c2196e
SHA1 1189e63c92b8f6d0149d4ecf6d7c43a350514292
SHA256 aa534b398127eb5992382e9108b65fc61140475410b6ed7999df0bb92257094d
SHA512 1012f7083ca60c2999528b0cd7eb53f00290be2b5e0fffcae2b6fb7fb9109c36983b3afdf547403208ac6ea9c1725e51a306d9572fb8b1c0d7265b989f57b9ee

memory/2544-21-0x000000013F880000-0x000000013FBD4000-memory.dmp

memory/2076-28-0x000000013FB80000-0x000000013FED4000-memory.dmp

memory/2680-25-0x000000013FB80000-0x000000013FED4000-memory.dmp

memory/2800-35-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2680-38-0x0000000002350000-0x00000000026A4000-memory.dmp

\Windows\system\gJFSpFl.exe

MD5 587a417d9e22d5349e01af160f35c7b3
SHA1 9c0fbf3988f55407b372256ca3a6abfcd862507c
SHA256 d6017b8589a4ea6fcff7af68c3433f1a2cbdf227d59eb2f20a75e122e438653b
SHA512 076ee96e68b1b89426b738ed6c4847c03c60c347c9ff66bedf140e97f72e13df9a096ee0f19134710183fd1c5630a967f6790494805e962667101b7a5a8e51e4

memory/2680-34-0x000000013F1D0000-0x000000013F524000-memory.dmp

C:\Windows\system\DeGEdDi.exe

MD5 617bfc469cf8d504602bbd53445c941b
SHA1 8f273e8984ae2e17f292a87cb7ceaea3a68eb3b8
SHA256 a30d985d8d2882f5af4aa7cbce0cb17ee7fe655022692a9a57a1f04c54eaea68
SHA512 154982f47229a4965a0bf7b5a9884d306a719635904aff8bd3dd2a21ddd69daf821d08850051183b6fb12d86d53bb5c407ed27a8a61fb87b1258a0b02c6016c2

memory/2536-43-0x000000013FF30000-0x0000000140284000-memory.dmp

\Windows\system\bVqNhPZ.exe

MD5 c94c7a65ff4f33798130a7acb787e043
SHA1 fde91e4a4ce8b84af07c6efba2faddb18e364a4e
SHA256 feb77437d1896e9fb7752fc828c454e9fd7eca8f0a422382d3c69ea9ac892a6f
SHA512 54a6bff067b9bbb415ed8fbdcd3e6e952beb5dfd42d0bd26ead2ccecf76013f16d0e0031989e2fcb6a945366e2ff5662ad5ca7d4194c6d6247c3c9ddce23b348

memory/2756-17-0x000000013FFA0000-0x00000001402F4000-memory.dmp

memory/2612-50-0x000000013FB10000-0x000000013FE64000-memory.dmp

memory/2680-49-0x000000013FFC0000-0x0000000140314000-memory.dmp

memory/2680-16-0x000000013F880000-0x000000013FBD4000-memory.dmp

memory/2732-15-0x000000013F430000-0x000000013F784000-memory.dmp

C:\Windows\system\bAiXLuL.exe

MD5 b731fb4b82167c081d89e0de1b93f2c4
SHA1 388685abb14b413ed6bedf1b7f759fb785337bba
SHA256 46684e504435334ce36f79d451cb3f2b0335ad7f947ce359df74b3c6a2b13c24
SHA512 f9ce353f707981053455f64d2c52ac1e5df6a2a51f22e8cab3cc8c6a72654ca081cd445f9f51450f99993db267492e55917760da1a47bd627e4ee523cbec2448

memory/2396-56-0x000000013F760000-0x000000013FAB4000-memory.dmp

\Windows\system\kFMGXVN.exe

MD5 0200e36f398dc69fa71e41a8dfab81b8
SHA1 a2206acd2c90c91912d0b7067a13952e6174812a
SHA256 ce65fe2e5565c916a534c277b8704f7fa4ed056404881f75dff8b6eef0a7db59
SHA512 2e7cb8ab57a793efcced92ad9bcec9991f224d869c2116e1c0afa13c70a3f39ea7833e88254ce80b077962cf6f7017f3d113f276e77cd707f6332de889c1f357

memory/2680-68-0x000000013F240000-0x000000013F594000-memory.dmp

memory/2340-70-0x000000013F240000-0x000000013F594000-memory.dmp

C:\Windows\system\tpYcHTi.exe

MD5 5a763f177c91bf598c903cb162c90973
SHA1 c06880d9d6969df72fdf5f88431153e57e526276
SHA256 5d6d5a1e4e95ad390ce034f3c0e107c5bd9cf13e8596ce452d268de3fd6458fe
SHA512 7d293e0418916599ffa0b89a637e75f56574a73fbc4c37049230038b8626fbc2d76651bfc55ac95de70431b61cf7823145226d774e404643138223601986f6e2

memory/2544-75-0x000000013F880000-0x000000013FBD4000-memory.dmp

memory/2680-96-0x000000013F650000-0x000000013F9A4000-memory.dmp

C:\Windows\system\PnfKdeY.exe

MD5 8717329003110e11b20930ad399c07c9
SHA1 c74e24bdbb703fb8dca2d9a4d8ac74f6616fa5dc
SHA256 d303f44d55315a94e5e985c085155573680f35e7aa72ba940cc01c3716902e8b
SHA512 1be167954a4ac774e6ecbdcbb372f5864d7cad815f4f4f7e2cef34af042bcc16927fa4b31f36cbc24d482d7d7bc7d04a5a502f6e5f1cdac67cb8b61058e04cc4

C:\Windows\system\WshGKsu.exe

MD5 8881ff6ef910623e8d185c3f2b585b7a
SHA1 6680433ae62fbed80edaf558e20e72966d519cfa
SHA256 a42acc468c45e8b5e3691738e1f4f450a02a98cb8a443c563da737c9314ba4f0
SHA512 7699185c8a832a357adbbd7cdb5f5879806c7928c425755f163ea390e93fe8d4d0f6e1898cbca3598e67339b12a38391e7f7fc9973b0c0d5af0d059cdb196508

C:\Windows\system\ePNgDhn.exe

MD5 b6ac8810d577de9e764336f10a11cfb7
SHA1 7dc0f103a93bcd01a0ac7943b57c46c8562a35a9
SHA256 a3088638c3300d4855de1bc54bfbdcb0badc6bd2fcae680bf0031726ba3aaf8a
SHA512 c3ae5ef2c1356a1a8573f4894786d571ddc1e1f7373f6f6bd8ecb36d002ea735728b32011708c83d4bf7fd21ae82e03c0e1f72e682326023bac71c1cd57b4ade

\Windows\system\IEOmDtq.exe

MD5 eb4d4e5e97502ff98018a65bf04243f3
SHA1 2a43805d65f39c3d0fcb11b9ba4f7d4b6357a991
SHA256 255cafdce691e87703ab6b1b70492b1ce8ec86424dffd943d306c4f851c4827d
SHA512 6565fece397f9fb4e51ccdb946ca208bf7aed3dd0c0fecd1ca7e3c37825d27ebe4e1be7a37b6e95d152c59b1bfb99841a9e0d607e7e75764b023f70cf8223f04

C:\Windows\system\UDKhKOC.exe

MD5 305cef12edc976327b1e70df678ae2a0
SHA1 b3f0a87728f4eee7afdd65f7845714d7009d2178
SHA256 c5bad03636fc696b9229bb1d16a47c1867866017f6f24e7961659834d05b7b6a
SHA512 65fc86e12a37b4f82fab01d5cec6c990634990c850bece94de7ac7c87981b9963ae5ed427271cb3bdb6018d72617b6c458745ccf00d61bb78f20812307cd704b

C:\Windows\system\UfaPsxa.exe

MD5 c6842cd9b87758ece9c8bf5a84040252
SHA1 e952c77c186df9d68c74919463861084f72a7015
SHA256 e7ec435255dc67db09b1c857dd2b02966c0a47ffdf017ecc7ebce346d2d56e11
SHA512 78621668a0ed3aaf67c9e868f199c6f071e99208d7ef9bd01bc2cdebb4d345064e3c66d82d21cb5d3d456377807ad67366cfb09bf460d32332c65cbc591c4bc6

C:\Windows\system\vvbJkMb.exe

MD5 7bc11a4da436bdbe19fc3cdc033b77e7
SHA1 623976be60e6fecdc5f94b97f6df88dbd5359fae
SHA256 582eba46b7b96c8c50a370eca2a0d2c4563bdffb59eae933999f2e495fe2765c
SHA512 b5a1fdc8d6a58449d306421712ab95b408abe43e2f25047b8aafaf780a3dda65e84f5b4422e37ce863d0aa592995935d7c81981a68e37dd0560650aced904ea6

C:\Windows\system\GBNyTYj.exe

MD5 67254871ffb09342abc2c587c18d8577
SHA1 d312e5ead10e93579310c6800163e072220bb48d
SHA256 97472a8e72a7821f4c1414cfa6ea711304f00a13dd468c8d4f6b0d192caf7180
SHA512 ee212e88c8e7895ff77c214eeedf11d683c187aeb9c91bfb86f89d7393e7c65495b7477af01809cc6c8d7ccc4bd03b842c0461dd797f5a4be6b2fb304872447c

memory/2348-100-0x000000013F650000-0x000000013F9A4000-memory.dmp

memory/2680-88-0x000000013F520000-0x000000013F874000-memory.dmp

memory/2076-87-0x000000013FB80000-0x000000013FED4000-memory.dmp

C:\Windows\system\ExnNNJs.exe

MD5 19fc320b250879ee3d8ec0829b577163
SHA1 33ea22229a4abc2d09c4327344470374a5eae8af
SHA256 d68d2b27570b57d3aecf0d561bfc15b7bccb25a184f3053c99bbba27bee7ad5e
SHA512 dc338a79d7248f5523bc8237b4ad6012e0221447b5724afc8f1fa2c6bfcdbb7700bcac2657f882de98bc6b834445de720a3d7ebbb8ed56cf0eaeaf67aa78a773

memory/1160-95-0x000000013F520000-0x000000013F874000-memory.dmp

memory/2800-94-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/788-77-0x000000013F400000-0x000000013F754000-memory.dmp

memory/2680-76-0x000000013F400000-0x000000013F754000-memory.dmp

memory/1744-85-0x000000013FF80000-0x00000001402D4000-memory.dmp

memory/2680-84-0x0000000002350000-0x00000000026A4000-memory.dmp

C:\Windows\system\gLhbCrH.exe

MD5 7595c4bdf6a774bfcf9d780e153b6045
SHA1 e4dbbb28a5f58cc4e0e02aa7745b4e4e3c1a4395
SHA256 0d83d41ae43c8ab57e219eaffb4037cb835c88fb7d00e39505af0553f5146c89
SHA512 ec0a12e47a29b4581c23da06bcb51219a9eafa8800dcf2aa749c68d15e1fb86c9b095ab3eab9b70a89474f7b6b683ba622d165a316ebfc26b98561a4441f79c0

memory/2716-63-0x000000013F710000-0x000000013FA64000-memory.dmp

memory/2680-62-0x000000013F710000-0x000000013FA64000-memory.dmp

C:\Windows\system\rurUHyz.exe

MD5 99979d8adb199741541544eeea892ab8
SHA1 a612bd48a9183e3a6d83e114cefad5c4897ef6ea
SHA256 87aba2a0faa1b68557ab5e4650474e6416453b2f125e7010f574010e8be2f001
SHA512 1a80630939c15421a88f1fd808abe8da19b4c8e8da1128d7cf5d84ee3053642da174cf70edab6e264e1262d3105d961d4dda0741a5a2ddebf18e8051938c3e28

memory/2340-137-0x000000013F240000-0x000000013F594000-memory.dmp

memory/2680-136-0x000000013F240000-0x000000013F594000-memory.dmp

memory/2680-138-0x000000013F400000-0x000000013F754000-memory.dmp

memory/788-139-0x000000013F400000-0x000000013F754000-memory.dmp

memory/2680-140-0x0000000002350000-0x00000000026A4000-memory.dmp

memory/2680-141-0x000000013F520000-0x000000013F874000-memory.dmp

memory/2348-142-0x000000013F650000-0x000000013F9A4000-memory.dmp

memory/2732-143-0x000000013F430000-0x000000013F784000-memory.dmp

memory/2756-144-0x000000013FFA0000-0x00000001402F4000-memory.dmp

memory/2544-145-0x000000013F880000-0x000000013FBD4000-memory.dmp

memory/2076-146-0x000000013FB80000-0x000000013FED4000-memory.dmp

memory/2800-147-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2536-148-0x000000013FF30000-0x0000000140284000-memory.dmp

memory/2612-149-0x000000013FB10000-0x000000013FE64000-memory.dmp

memory/2396-150-0x000000013F760000-0x000000013FAB4000-memory.dmp

memory/2716-151-0x000000013F710000-0x000000013FA64000-memory.dmp

memory/2340-152-0x000000013F240000-0x000000013F594000-memory.dmp

memory/788-153-0x000000013F400000-0x000000013F754000-memory.dmp

memory/1744-154-0x000000013FF80000-0x00000001402D4000-memory.dmp

memory/1160-155-0x000000013F520000-0x000000013F874000-memory.dmp

memory/2348-156-0x000000013F650000-0x000000013F9A4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 15:57

Reported

2024-08-06 16:00

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
21 indicator rows reported, none with details.

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
64 indicator rows reported, none with details.

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
64 indicator rows reported, none with details.

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\DeGEdDi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bAiXLuL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PnfKdeY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GBNyTYj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gJFSpFl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ExnNNJs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\REJLOgs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZzRFgGw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gLhbCrH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UDKhKOC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ePNgDhn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tpYcHTi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WshGKsu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vvbJkMb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GBzTqMA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HNZlAKW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bVqNhPZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kFMGXVN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rurUHyz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UfaPsxa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IEOmDtq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3484 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\REJLOgs.exe
PID 3484 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\REJLOgs.exe
PID 3484 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZzRFgGw.exe
PID 3484 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZzRFgGw.exe
PID 3484 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GBzTqMA.exe
PID 3484 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GBzTqMA.exe
PID 3484 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HNZlAKW.exe
PID 3484 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HNZlAKW.exe
PID 3484 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DeGEdDi.exe
PID 3484 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DeGEdDi.exe
PID 3484 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gJFSpFl.exe
PID 3484 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gJFSpFl.exe
PID 3484 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bVqNhPZ.exe
PID 3484 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bVqNhPZ.exe
PID 3484 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bAiXLuL.exe
PID 3484 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bAiXLuL.exe
PID 3484 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kFMGXVN.exe
PID 3484 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kFMGXVN.exe
PID 3484 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rurUHyz.exe
PID 3484 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rurUHyz.exe
PID 3484 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gLhbCrH.exe
PID 3484 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gLhbCrH.exe
PID 3484 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tpYcHTi.exe
PID 3484 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tpYcHTi.exe
PID 3484 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PnfKdeY.exe
PID 3484 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PnfKdeY.exe
PID 3484 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ExnNNJs.exe
PID 3484 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ExnNNJs.exe
PID 3484 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WshGKsu.exe
PID 3484 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WshGKsu.exe
PID 3484 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GBNyTYj.exe
PID 3484 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GBNyTYj.exe
PID 3484 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vvbJkMb.exe
PID 3484 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vvbJkMb.exe
PID 3484 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UfaPsxa.exe
PID 3484 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UfaPsxa.exe
PID 3484 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UDKhKOC.exe
PID 3484 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UDKhKOC.exe
PID 3484 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ePNgDhn.exe
PID 3484 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ePNgDhn.exe
PID 3484 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IEOmDtq.exe
PID 3484 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IEOmDtq.exe
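
The two tables above describe the same 21 files from two angles: "Drops file in Windows directory" records the sample (the Process column) creating each file under C:\Windows\System, and "Suspicious use of WriteProcessMemory" records PID 3484, which is running the sample, writing into 21 other PIDs whose Target image is one of those files; every (writer, target) pair is listed twice. The Python below is an added example, not part of the sandbox report, that parses rows in those two layouts, collapses the duplicated write rows, rebuilds the parent/child relationships, and checks that every dropped file was also written into as a running process. It embeds a five-file excerpt of the rows above (copied, not generated); the report does not say what was written into the children, and the example does not guess.

```python
import re
from collections import defaultdict

# Path of the detonated sample, as it appears in the Process column of both tables.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe"

# Excerpt of the "Drops file in Windows directory" rows (Description Indicator Process Target).
DROP_ROWS = rf"""
File created C:\Windows\System\DeGEdDi.exe {SAMPLE} N/A
File created C:\Windows\System\REJLOgs.exe {SAMPLE} N/A
File created C:\Windows\System\ZzRFgGw.exe {SAMPLE} N/A
File created C:\Windows\System\GBzTqMA.exe {SAMPLE} N/A
File created C:\Windows\System\HNZlAKW.exe {SAMPLE} N/A
"""

# Excerpt of the "Suspicious use of WriteProcessMemory" rows; the report lists each pair twice.
WRITE_ROWS = rf"""
PID 3484 wrote to memory of 3144 N/A {SAMPLE} C:\Windows\System\REJLOgs.exe
PID 3484 wrote to memory of 3144 N/A {SAMPLE} C:\Windows\System\REJLOgs.exe
PID 3484 wrote to memory of 4308 N/A {SAMPLE} C:\Windows\System\ZzRFgGw.exe
PID 3484 wrote to memory of 4308 N/A {SAMPLE} C:\Windows\System\ZzRFgGw.exe
PID 3484 wrote to memory of 1912 N/A {SAMPLE} C:\Windows\System\GBzTqMA.exe
PID 3484 wrote to memory of 1912 N/A {SAMPLE} C:\Windows\System\GBzTqMA.exe
PID 3484 wrote to memory of 4956 N/A {SAMPLE} C:\Windows\System\HNZlAKW.exe
PID 3484 wrote to memory of 4956 N/A {SAMPLE} C:\Windows\System\HNZlAKW.exe
PID 3484 wrote to memory of 4044 N/A {SAMPLE} C:\Windows\System\DeGEdDi.exe
PID 3484 wrote to memory of 4044 N/A {SAMPLE} C:\Windows\System\DeGEdDi.exe
"""

# Paths in this report contain no spaces, so whitespace-separated fields are safe to split on.
DROP_RE = re.compile(r"File created (\S+) (\S+) (\S+)")
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)")


def parse_drops(text):
    """Map each created file path to the process that created it."""
    drops = {}
    for line in text.splitlines():
        m = DROP_RE.fullmatch(line.strip())
        if m:
            path, process, _target = m.groups()
            drops[path] = process
    return drops


def parse_writes(text):
    """Collapse the duplicated rows into one entry per (writer pid, written pid)."""
    writes = {}
    for line in text.splitlines():
        m = WRITE_RE.fullmatch(line.strip())
        if m:
            ppid, cpid, _indicator, process, target = m.groups()
            writes[(int(ppid), int(cpid))] = (process, target)
    return writes


def process_tree(writes):
    """Writer pid -> sorted list of (written pid, image of the written process)."""
    tree = defaultdict(list)
    for (ppid, cpid), (_process, target) in writes.items():
        tree[ppid].append((cpid, target))
    return {ppid: sorted(children) for ppid, children in tree.items()}


def correlate_drops_with_writes(drops, writes):
    """For each dropped file, the pids running that file which the dropper wrote into.

    An empty list means the file was created but never seen as a write target.
    """
    by_image = defaultdict(list)
    for (_ppid, cpid), (_process, target) in writes.items():
        by_image[target.lower()].append(cpid)
    return {path: sorted(by_image.get(path.lower(), [])) for path in drops}


if __name__ == "__main__":
    drops, writes = parse_drops(DROP_ROWS), parse_writes(WRITE_ROWS)
    print("distinct write pairs:", len(writes))
    for ppid, children in process_tree(writes).items():
        print(f"PID {ppid} wrote into: {children}")
    for path, pids in correlate_drops_with_writes(drops, writes).items():
        print(f"{path} -> launched as pid(s) {pids}")
```

On the full 21-row tables the two file sets are identical, so the correlation returns a non-empty pid list for every drop; that is the same fact the Processes list below shows by naming each dropped path as a running process.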

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\REJLOgs.exe

C:\Windows\System\REJLOgs.exe

C:\Windows\System\ZzRFgGw.exe

C:\Windows\System\ZzRFgGw.exe

C:\Windows\System\GBzTqMA.exe

C:\Windows\System\GBzTqMA.exe

C:\Windows\System\HNZlAKW.exe

C:\Windows\System\HNZlAKW.exe

C:\Windows\System\DeGEdDi.exe

C:\Windows\System\DeGEdDi.exe

C:\Windows\System\gJFSpFl.exe

C:\Windows\System\gJFSpFl.exe

C:\Windows\System\bVqNhPZ.exe

C:\Windows\System\bVqNhPZ.exe

C:\Windows\System\bAiXLuL.exe

C:\Windows\System\bAiXLuL.exe

C:\Windows\System\kFMGXVN.exe

C:\Windows\System\kFMGXVN.exe

C:\Windows\System\rurUHyz.exe

C:\Windows\System\rurUHyz.exe

C:\Windows\System\gLhbCrH.exe

C:\Windows\System\gLhbCrH.exe

C:\Windows\System\tpYcHTi.exe

C:\Windows\System\tpYcHTi.exe

C:\Windows\System\PnfKdeY.exe

C:\Windows\System\PnfKdeY.exe

C:\Windows\System\ExnNNJs.exe

C:\Windows\System\ExnNNJs.exe

C:\Windows\System\WshGKsu.exe

C:\Windows\System\WshGKsu.exe

C:\Windows\System\GBNyTYj.exe

C:\Windows\System\GBNyTYj.exe

C:\Windows\System\vvbJkMb.exe

C:\Windows\System\vvbJkMb.exe

C:\Windows\System\UfaPsxa.exe

C:\Windows\System\UfaPsxa.exe

C:\Windows\System\UDKhKOC.exe

C:\Windows\System\UDKhKOC.exe

C:\Windows\System\ePNgDhn.exe

C:\Windows\System\ePNgDhn.exe

C:\Windows\System\IEOmDtq.exe

C:\Windows\System\IEOmDtq.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
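
The Network table above holds seven reverse (PTR) lookups sent to 8.8.8.8 and six TCP connections to 3.120.209.58:8080; the report attributes none of these rows to a process and records no payload for the TCP connections. The Python below is an added example, not part of the sandbox report, that parses rows in the table's "Country Destination Domain Proto" layout (with or without a Domain cell), decodes each in-addr.arpa name back to the IPv4 address being looked up, and counts the distinct non-DNS endpoints. The rows it embeds are copied from the table.

```python
import ipaddress
import re
from collections import Counter

# Rows copied from the behavioral2 Network table above. TCP rows have no Domain cell.
NETWORK_ROWS = """
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""

# Reverse-lookup names carry the four octets in reverse order under in-addr.arpa.
PTR_RE = re.compile(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?", re.IGNORECASE)


def parse_rows(text):
    """Parse whitespace-separated rows; a 3-field row is one whose Domain cell is empty."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            country, dest, domain, proto = fields
        elif len(fields) == 3:
            country, dest, proto = fields
            domain = None
        else:
            continue  # blank line or the header
        if domain == "N/A":
            domain = None
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """Decode an in-addr.arpa name to the IPv4 address it asks about, or None if it is not one."""
    m = PTR_RE.fullmatch(name)
    if not m:
        return None
    ip = ".".join(reversed(m.groups()))
    ipaddress.IPv4Address(ip)  # raises on an octet above 255
    return ip


def summarize(text):
    """Split the table into the decoded reverse lookups and a count of non-DNS endpoints."""
    rows = parse_rows(text)
    reverse_lookups = []
    for r in rows:
        ip = ptr_to_ip(r["domain"]) if r["domain"] else None
        if ip:
            reverse_lookups.append(ip)
    endpoints = Counter((r["proto"], r["host"], r["port"]) for r in rows if r["port"] != 53)
    return {"reverse_lookups": reverse_lookups, "endpoints": endpoints}


if __name__ == "__main__":
    summary = summarize(NETWORK_ROWS)
    print("addresses reverse-resolved:", summary["reverse_lookups"])
    for (proto, host, port), n in summary["endpoints"].items():
        print(f"{proto} {host}:{port} x{n}")
```

Decoding the names this way gives the addresses that something in the VM wanted a hostname for (40.126.31.69, 2.18.190.69, 20.223.35.26, 13.85.23.86, 13.85.23.206, 2.18.190.73, 52.111.243.29); the report does not say whether the sample or the operating system issued those queries, so only the repeated connection to 3.120.209.58:8080 should be treated as the sample's own traffic, and even that without a process attribution.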

Files

memory/3484-0-0x00007FF68ADE0000-0x00007FF68B134000-memory.dmp

memory/3484-1-0x0000023DE4A30000-0x0000023DE4A40000-memory.dmp

C:\Windows\System\REJLOgs.exe

MD5 0fde5577a3de0a4f49610d5e2636be51
SHA1 f8cb363ef96d5aa0f183cbe065c99ee8c7a669d5
SHA256 55b9ae806e7b4bd0acd5c54402f65173a3fb2f79563a34c974479e81b0e33957
SHA512 b0fcde08a3dad778bae98b4a44698af1a995dead0c32a46403f080b514a5853a1f914f9cd9c241f79e05b8a0c82d4e00ef3231e97352c59c96e06835af56d6f2

memory/3144-8-0x00007FF722E40000-0x00007FF723194000-memory.dmp

C:\Windows\System\ZzRFgGw.exe

MD5 aba154ac8da8c6dbbe6ca9dff77cfe0a
SHA1 9fadf640d384bb7fde03bd1fb3fba4aa6c282d4c
SHA256 55703cfed6bd69b2ebdde31b49164b003e2e3f1af2078f15d67ce5c9e06fbab6
SHA512 74290d13c105451398bb93215bf8245fea8d6b85df0f8bb659246a8c4604491b22120b61e199a9fa29e8ec1e7718625f169fbc984f819bdf6b7c92ba14a77baa

C:\Windows\System\GBzTqMA.exe

MD5 cae11ee601a12481c738fdbe79ae70d8
SHA1 c99a53932dea4e8b40d635f1b7fa632ceb9d1b92
SHA256 aa89fb8e728c628adc77b0cfb57cb6dd3ef6d0e2c17c77d610e6386b4cf68a2f
SHA512 01c88004cf2c2a11509454d0cf09622041e5e8bb8ca28c6fdc7aa9cde619e2c52aa53f37b9a5c99cee95cfde18874d6279536e6109b0b2368d64ff9420c11510

C:\Windows\System\HNZlAKW.exe

MD5 5e1d165b232dd3ef1a5b491c96c2196e
SHA1 1189e63c92b8f6d0149d4ecf6d7c43a350514292
SHA256 aa534b398127eb5992382e9108b65fc61140475410b6ed7999df0bb92257094d
SHA512 1012f7083ca60c2999528b0cd7eb53f00290be2b5e0fffcae2b6fb7fb9109c36983b3afdf547403208ac6ea9c1725e51a306d9572fb8b1c0d7265b989f57b9ee

memory/4956-24-0x00007FF6B4680000-0x00007FF6B49D4000-memory.dmp

memory/1912-23-0x00007FF78C190000-0x00007FF78C4E4000-memory.dmp

memory/4308-13-0x00007FF6081B0000-0x00007FF608504000-memory.dmp

memory/4044-32-0x00007FF7880D0000-0x00007FF788424000-memory.dmp

C:\Windows\System\DeGEdDi.exe

MD5 617bfc469cf8d504602bbd53445c941b
SHA1 8f273e8984ae2e17f292a87cb7ceaea3a68eb3b8
SHA256 a30d985d8d2882f5af4aa7cbce0cb17ee7fe655022692a9a57a1f04c54eaea68
SHA512 154982f47229a4965a0bf7b5a9884d306a719635904aff8bd3dd2a21ddd69daf821d08850051183b6fb12d86d53bb5c407ed27a8a61fb87b1258a0b02c6016c2

C:\Windows\System\gJFSpFl.exe

MD5 587a417d9e22d5349e01af160f35c7b3
SHA1 9c0fbf3988f55407b372256ca3a6abfcd862507c
SHA256 d6017b8589a4ea6fcff7af68c3433f1a2cbdf227d59eb2f20a75e122e438653b
SHA512 076ee96e68b1b89426b738ed6c4847c03c60c347c9ff66bedf140e97f72e13df9a096ee0f19134710183fd1c5630a967f6790494805e962667101b7a5a8e51e4

memory/2704-38-0x00007FF742190000-0x00007FF7424E4000-memory.dmp

C:\Windows\System\bVqNhPZ.exe

MD5 c94c7a65ff4f33798130a7acb787e043
SHA1 fde91e4a4ce8b84af07c6efba2faddb18e364a4e
SHA256 feb77437d1896e9fb7752fc828c454e9fd7eca8f0a422382d3c69ea9ac892a6f
SHA512 54a6bff067b9bbb415ed8fbdcd3e6e952beb5dfd42d0bd26ead2ccecf76013f16d0e0031989e2fcb6a945366e2ff5662ad5ca7d4194c6d6247c3c9ddce23b348

C:\Windows\System\bAiXLuL.exe

MD5 b731fb4b82167c081d89e0de1b93f2c4
SHA1 388685abb14b413ed6bedf1b7f759fb785337bba
SHA256 46684e504435334ce36f79d451cb3f2b0335ad7f947ce359df74b3c6a2b13c24
SHA512 f9ce353f707981053455f64d2c52ac1e5df6a2a51f22e8cab3cc8c6a72654ca081cd445f9f51450f99993db267492e55917760da1a47bd627e4ee523cbec2448

memory/4628-50-0x00007FF690AF0000-0x00007FF690E44000-memory.dmp

C:\Windows\System\kFMGXVN.exe

MD5 0200e36f398dc69fa71e41a8dfab81b8
SHA1 a2206acd2c90c91912d0b7067a13952e6174812a
SHA256 ce65fe2e5565c916a534c277b8704f7fa4ed056404881f75dff8b6eef0a7db59
SHA512 2e7cb8ab57a793efcced92ad9bcec9991f224d869c2116e1c0afa13c70a3f39ea7833e88254ce80b077962cf6f7017f3d113f276e77cd707f6332de889c1f357

memory/4448-44-0x00007FF7CBAA0000-0x00007FF7CBDF4000-memory.dmp

memory/60-56-0x00007FF786020000-0x00007FF786374000-memory.dmp

C:\Windows\System\rurUHyz.exe

MD5 99979d8adb199741541544eeea892ab8
SHA1 a612bd48a9183e3a6d83e114cefad5c4897ef6ea
SHA256 87aba2a0faa1b68557ab5e4650474e6416453b2f125e7010f574010e8be2f001
SHA512 1a80630939c15421a88f1fd808abe8da19b4c8e8da1128d7cf5d84ee3053642da174cf70edab6e264e1262d3105d961d4dda0741a5a2ddebf18e8051938c3e28

memory/3484-62-0x00007FF68ADE0000-0x00007FF68B134000-memory.dmp

memory/2652-63-0x00007FF71E650000-0x00007FF71E9A4000-memory.dmp

C:\Windows\System\gLhbCrH.exe

MD5 7595c4bdf6a774bfcf9d780e153b6045
SHA1 e4dbbb28a5f58cc4e0e02aa7745b4e4e3c1a4395
SHA256 0d83d41ae43c8ab57e219eaffb4037cb835c88fb7d00e39505af0553f5146c89
SHA512 ec0a12e47a29b4581c23da06bcb51219a9eafa8800dcf2aa749c68d15e1fb86c9b095ab3eab9b70a89474f7b6b683ba622d165a316ebfc26b98561a4441f79c0

memory/4308-72-0x00007FF6081B0000-0x00007FF608504000-memory.dmp

memory/5092-75-0x00007FF626FA0000-0x00007FF6272F4000-memory.dmp

C:\Windows\System\tpYcHTi.exe

MD5 5a763f177c91bf598c903cb162c90973
SHA1 c06880d9d6969df72fdf5f88431153e57e526276
SHA256 5d6d5a1e4e95ad390ce034f3c0e107c5bd9cf13e8596ce452d268de3fd6458fe
SHA512 7d293e0418916599ffa0b89a637e75f56574a73fbc4c37049230038b8626fbc2d76651bfc55ac95de70431b61cf7823145226d774e404643138223601986f6e2

memory/3180-74-0x00007FF622DF0000-0x00007FF623144000-memory.dmp

memory/3144-71-0x00007FF722E40000-0x00007FF723194000-memory.dmp

C:\Windows\System\PnfKdeY.exe

MD5 8717329003110e11b20930ad399c07c9
SHA1 c74e24bdbb703fb8dca2d9a4d8ac74f6616fa5dc
SHA256 d303f44d55315a94e5e985c085155573680f35e7aa72ba940cc01c3716902e8b
SHA512 1be167954a4ac774e6ecbdcbb372f5864d7cad815f4f4f7e2cef34af042bcc16927fa4b31f36cbc24d482d7d7bc7d04a5a502f6e5f1cdac67cb8b61058e04cc4

memory/2384-83-0x00007FF6889E0000-0x00007FF688D34000-memory.dmp

C:\Windows\System\ExnNNJs.exe

MD5 19fc320b250879ee3d8ec0829b577163
SHA1 33ea22229a4abc2d09c4327344470374a5eae8af
SHA256 d68d2b27570b57d3aecf0d561bfc15b7bccb25a184f3053c99bbba27bee7ad5e
SHA512 dc338a79d7248f5523bc8237b4ad6012e0221447b5724afc8f1fa2c6bfcdbb7700bcac2657f882de98bc6b834445de720a3d7ebbb8ed56cf0eaeaf67aa78a773

memory/4164-89-0x00007FF6E6A10000-0x00007FF6E6D64000-memory.dmp

C:\Windows\System\WshGKsu.exe

MD5 8881ff6ef910623e8d185c3f2b585b7a
SHA1 6680433ae62fbed80edaf558e20e72966d519cfa
SHA256 a42acc468c45e8b5e3691738e1f4f450a02a98cb8a443c563da737c9314ba4f0
SHA512 7699185c8a832a357adbbd7cdb5f5879806c7928c425755f163ea390e93fe8d4d0f6e1898cbca3598e67339b12a38391e7f7fc9973b0c0d5af0d059cdb196508

memory/4444-96-0x00007FF649970000-0x00007FF649CC4000-memory.dmp

memory/4956-95-0x00007FF6B4680000-0x00007FF6B49D4000-memory.dmp

C:\Windows\System\GBNyTYj.exe

MD5 67254871ffb09342abc2c587c18d8577
SHA1 d312e5ead10e93579310c6800163e072220bb48d
SHA256 97472a8e72a7821f4c1414cfa6ea711304f00a13dd468c8d4f6b0d192caf7180
SHA512 ee212e88c8e7895ff77c214eeedf11d683c187aeb9c91bfb86f89d7393e7c65495b7477af01809cc6c8d7ccc4bd03b842c0461dd797f5a4be6b2fb304872447c

C:\Windows\System\vvbJkMb.exe

MD5 7bc11a4da436bdbe19fc3cdc033b77e7
SHA1 623976be60e6fecdc5f94b97f6df88dbd5359fae
SHA256 582eba46b7b96c8c50a370eca2a0d2c4563bdffb59eae933999f2e495fe2765c
SHA512 b5a1fdc8d6a58449d306421712ab95b408abe43e2f25047b8aafaf780a3dda65e84f5b4422e37ce863d0aa592995935d7c81981a68e37dd0560650aced904ea6

memory/1624-102-0x00007FF6C85F0000-0x00007FF6C8944000-memory.dmp

memory/4044-101-0x00007FF7880D0000-0x00007FF788424000-memory.dmp

C:\Windows\System\UfaPsxa.exe

MD5 c6842cd9b87758ece9c8bf5a84040252
SHA1 e952c77c186df9d68c74919463861084f72a7015
SHA256 e7ec435255dc67db09b1c857dd2b02966c0a47ffdf017ecc7ebce346d2d56e11
SHA512 78621668a0ed3aaf67c9e868f199c6f071e99208d7ef9bd01bc2cdebb4d345064e3c66d82d21cb5d3d456377807ad67366cfb09bf460d32332c65cbc591c4bc6

C:\Windows\System\UDKhKOC.exe

MD5 305cef12edc976327b1e70df678ae2a0
SHA1 b3f0a87728f4eee7afdd65f7845714d7009d2178
SHA256 c5bad03636fc696b9229bb1d16a47c1867866017f6f24e7961659834d05b7b6a
SHA512 65fc86e12a37b4f82fab01d5cec6c990634990c850bece94de7ac7c87981b9963ae5ed427271cb3bdb6018d72617b6c458745ccf00d61bb78f20812307cd704b

memory/3420-116-0x00007FF694A80000-0x00007FF694DD4000-memory.dmp

memory/4556-109-0x00007FF665270000-0x00007FF6655C4000-memory.dmp

memory/4628-121-0x00007FF690AF0000-0x00007FF690E44000-memory.dmp

memory/644-122-0x00007FF6BE550000-0x00007FF6BE8A4000-memory.dmp

C:\Windows\System\ePNgDhn.exe

MD5 b6ac8810d577de9e764336f10a11cfb7
SHA1 7dc0f103a93bcd01a0ac7943b57c46c8562a35a9
SHA256 a3088638c3300d4855de1bc54bfbdcb0badc6bd2fcae680bf0031726ba3aaf8a
SHA512 c3ae5ef2c1356a1a8573f4894786d571ddc1e1f7373f6f6bd8ecb36d002ea735728b32011708c83d4bf7fd21ae82e03c0e1f72e682326023bac71c1cd57b4ade

C:\Windows\System\IEOmDtq.exe

MD5 eb4d4e5e97502ff98018a65bf04243f3
SHA1 2a43805d65f39c3d0fcb11b9ba4f7d4b6357a991
SHA256 255cafdce691e87703ab6b1b70492b1ce8ec86424dffd943d306c4f851c4827d
SHA512 6565fece397f9fb4e51ccdb946ca208bf7aed3dd0c0fecd1ca7e3c37825d27ebe4e1be7a37b6e95d152c59b1bfb99841a9e0d607e7e75764b023f70cf8223f04

memory/3208-133-0x00007FF62E9A0000-0x00007FF62ECF4000-memory.dmp

memory/3692-128-0x00007FF6D2390000-0x00007FF6D26E4000-memory.dmp

memory/5092-134-0x00007FF626FA0000-0x00007FF6272F4000-memory.dmp

memory/1624-135-0x00007FF6C85F0000-0x00007FF6C8944000-memory.dmp

memory/3692-136-0x00007FF6D2390000-0x00007FF6D26E4000-memory.dmp

memory/3144-137-0x00007FF722E40000-0x00007FF723194000-memory.dmp

memory/4308-139-0x00007FF6081B0000-0x00007FF608504000-memory.dmp

memory/1912-138-0x00007FF78C190000-0x00007FF78C4E4000-memory.dmp

memory/4956-140-0x00007FF6B4680000-0x00007FF6B49D4000-memory.dmp

memory/4044-141-0x00007FF7880D0000-0x00007FF788424000-memory.dmp

memory/2704-142-0x00007FF742190000-0x00007FF7424E4000-memory.dmp

memory/4448-143-0x00007FF7CBAA0000-0x00007FF7CBDF4000-memory.dmp

memory/4628-144-0x00007FF690AF0000-0x00007FF690E44000-memory.dmp

memory/60-145-0x00007FF786020000-0x00007FF786374000-memory.dmp

memory/2652-146-0x00007FF71E650000-0x00007FF71E9A4000-memory.dmp

memory/3180-147-0x00007FF622DF0000-0x00007FF623144000-memory.dmp

memory/5092-148-0x00007FF626FA0000-0x00007FF6272F4000-memory.dmp

memory/2384-149-0x00007FF6889E0000-0x00007FF688D34000-memory.dmp

memory/4164-150-0x00007FF6E6A10000-0x00007FF6E6D64000-memory.dmp

memory/4444-151-0x00007FF649970000-0x00007FF649CC4000-memory.dmp

memory/1624-152-0x00007FF6C85F0000-0x00007FF6C8944000-memory.dmp

memory/4556-153-0x00007FF665270000-0x00007FF6655C4000-memory.dmp

memory/3420-154-0x00007FF694A80000-0x00007FF694DD4000-memory.dmp

memory/644-155-0x00007FF6BE550000-0x00007FF6BE8A4000-memory.dmp

memory/3208-156-0x00007FF62E9A0000-0x00007FF62ECF4000-memory.dmp

memory/3692-157-0x00007FF6D2390000-0x00007FF6D26E4000-memory.dmp
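
Several of the dropped files appear in both detonations with identical MD5, SHA1, SHA256 and SHA512 values (rurUHyz.exe, gLhbCrH.exe, ExnNNJs.exe, GBNyTYj.exe, vvbJkMb.exe, UfaPsxa.exe and UDKhKOC.exe), while the memory dump names on the page encode a pid, a sequence number and the start and end address of each dumped region. The Python below is an added example, not part of the sandbox report, that parses an excerpt of the two Files listings (paths, MD5 and SHA256 only, copied from above), decodes the dump names, reports which drops are byte-identical across the Win7 and Win10 runs, and lists the region sizes dumped per process.

```python
import re
from collections import defaultdict

# Excerpt of the behavioral1 (Win7) Files listing: paths, MD5, SHA256 and nearby dump names,
# copied from the report with the other hash lines left out.
WIN7_FILES = r"""
C:\Windows\system\ExnNNJs.exe
MD5 19fc320b250879ee3d8ec0829b577163
SHA256 d68d2b27570b57d3aecf0d561bfc15b7bccb25a184f3053c99bbba27bee7ad5e
memory/1160-95-0x000000013F520000-0x000000013F874000-memory.dmp
memory/788-77-0x000000013F400000-0x000000013F754000-memory.dmp
C:\Windows\system\gLhbCrH.exe
MD5 7595c4bdf6a774bfcf9d780e153b6045
SHA256 0d83d41ae43c8ab57e219eaffb4037cb835c88fb7d00e39505af0553f5146c89
memory/2716-63-0x000000013F710000-0x000000013FA64000-memory.dmp
C:\Windows\system\rurUHyz.exe
MD5 99979d8adb199741541544eeea892ab8
SHA256 87aba2a0faa1b68557ab5e4650474e6416453b2f125e7010f574010e8be2f001
memory/2680-140-0x0000000002350000-0x00000000026A4000-memory.dmp
"""

# Excerpt of the behavioral2 (Win10) Files listing, same selection plus the parent's own regions.
WIN10_FILES = r"""
memory/3484-0-0x00007FF68ADE0000-0x00007FF68B134000-memory.dmp
memory/3484-1-0x0000023DE4A30000-0x0000023DE4A40000-memory.dmp
C:\Windows\System\REJLOgs.exe
MD5 0fde5577a3de0a4f49610d5e2636be51
SHA256 55b9ae806e7b4bd0acd5c54402f65173a3fb2f79563a34c974479e81b0e33957
memory/3144-8-0x00007FF722E40000-0x00007FF723194000-memory.dmp
C:\Windows\System\rurUHyz.exe
MD5 99979d8adb199741541544eeea892ab8
SHA256 87aba2a0faa1b68557ab5e4650474e6416453b2f125e7010f574010e8be2f001
memory/2652-63-0x00007FF71E650000-0x00007FF71E9A4000-memory.dmp
C:\Windows\System\gLhbCrH.exe
MD5 7595c4bdf6a774bfcf9d780e153b6045
SHA256 0d83d41ae43c8ab57e219eaffb4037cb835c88fb7d00e39505af0553f5146c89
memory/3180-74-0x00007FF622DF0000-0x00007FF623144000-memory.dmp
C:\Windows\System\ExnNNJs.exe
MD5 19fc320b250879ee3d8ec0829b577163
SHA256 d68d2b27570b57d3aecf0d561bfc15b7bccb25a184f3053c99bbba27bee7ad5e
memory/4164-89-0x00007FF6E6A10000-0x00007FF6E6D64000-memory.dmp
"""

MEM_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
HASH_RE = re.compile(r"(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)")


def parse_dump_name(name):
    """Decode memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp into pid, index, start, end, size."""
    m = MEM_RE.fullmatch(name.strip())
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    pid, idx, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "index": int(idx), "start": start, "end": end, "size": end - start}


def parse_files_section(text):
    """Return ({basename: {algo: digest}}, [decoded dumps]) for one Files listing."""
    files, dumps, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("memory/"):
            dumps.append(parse_dump_name(line))
        elif (m := HASH_RE.fullmatch(line)):
            files[current][m.group(1)] = m.group(2)
        else:
            # The two runs spell the directory "system" and "System"; key on the lowercased basename.
            current = line.rsplit("\\", 1)[-1].lower()
            files.setdefault(current, {})
    return files, dumps


def shared_drops(files_a, files_b, algo="SHA256"):
    """Basenames present in both runs with the same digest, i.e. drops that do not vary per run."""
    return sorted(n for n in files_a if n in files_b and files_a[n].get(algo) == files_b[n].get(algo))


def region_sizes_by_pid(dumps):
    """pid -> set of distinct region sizes dumped for that pid."""
    sizes = defaultdict(set)
    for d in dumps:
        sizes[d["pid"]].add(d["size"])
    return dict(sizes)


if __name__ == "__main__":
    f7, d7 = parse_files_section(WIN7_FILES)
    f10, d10 = parse_files_section(WIN10_FILES)
    print("identical in both runs:", shared_drops(f7, f10))
    print("Win7 region sizes:", {hex(d["size"]) for d in d7})
    print("Win10 regions of the parent (pid 3484):", {hex(s) for s in region_sizes_by_pid(d10)[3484]})
```

In this excerpt every image region is 0x354000 bytes in both runs, and the Win10 parent additionally has a 0x10000 region; the Win7 dumps sit at 0x13F... and 0x2350000 bases while the Win10 dumps sit at 0x7FF6.../0x7FF7... bases, which is the difference in where the two platforms loaded the images, not a difference in the images. Matching hashes across runs are the useful part for indicator sharing: a drop whose digest is stable regardless of platform can be matched by hash, whereas the others on this page differ per file and per run and would need a content-based rule instead.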