Malware Analysis Report

2025-01-22 19:29

Sample ID 240807-1mxt8avbrq
Target 2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat
SHA256 c77276ec6dd1928c6f3d03deeac5bc7b712612b3845adc049fe71770c529014b
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

c77276ec6dd1928c6f3d03deeac5bc7b712612b3845adc049fe71770c529014b

Threat Level: Known bad

The file 2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Xmrig family

XMRig Miner payload

Cobaltstrike

Cobalt Strike reflective loader

xmrig

Cobaltstrike family

XMRig Miner payload

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-07 21:46

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-07 21:46

Reported

2024-08-07 21:49

Platform

win7-20240708-en

Max time kernel

138s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows, no indicator details recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (54 identical rows, no indicator details recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A (21 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (51 identical rows, no indicator details recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\FuhUpub.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sjCwBXt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ybeuwjh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vWqAorH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lMQaDdJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aYNEBdE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gxWyPGB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jvHntHS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jkwrxkP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cGsoKFR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xlEPEAP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bxFLcOc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XgffJxT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hTaXfGq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xBWslNS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ijnFSfW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ostxXlA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JRGjtZw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zCtlhRN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xCMXfsp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\maOQgwR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2576 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FuhUpub.exe
PID 2576 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FuhUpub.exe
PID 2576 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FuhUpub.exe
PID 2576 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JRGjtZw.exe
PID 2576 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JRGjtZw.exe
PID 2576 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JRGjtZw.exe
PID 2576 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gxWyPGB.exe
PID 2576 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gxWyPGB.exe
PID 2576 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gxWyPGB.exe
PID 2576 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sjCwBXt.exe
PID 2576 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sjCwBXt.exe
PID 2576 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sjCwBXt.exe
PID 2576 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ybeuwjh.exe
PID 2576 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ybeuwjh.exe
PID 2576 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ybeuwjh.exe
PID 2576 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zCtlhRN.exe
PID 2576 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zCtlhRN.exe
PID 2576 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zCtlhRN.exe
PID 2576 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jvHntHS.exe
PID 2576 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jvHntHS.exe
PID 2576 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jvHntHS.exe
PID 2576 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jkwrxkP.exe
PID 2576 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jkwrxkP.exe
PID 2576 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jkwrxkP.exe
PID 2576 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cGsoKFR.exe
PID 2576 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cGsoKFR.exe
PID 2576 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cGsoKFR.exe
PID 2576 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vWqAorH.exe
PID 2576 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vWqAorH.exe
PID 2576 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vWqAorH.exe
PID 2576 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xlEPEAP.exe
PID 2576 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xlEPEAP.exe
PID 2576 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xlEPEAP.exe
PID 2576 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xCMXfsp.exe
PID 2576 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xCMXfsp.exe
PID 2576 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xCMXfsp.exe
PID 2576 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bxFLcOc.exe
PID 2576 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bxFLcOc.exe
PID 2576 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bxFLcOc.exe
PID 2576 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lMQaDdJ.exe
PID 2576 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lMQaDdJ.exe
PID 2576 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lMQaDdJ.exe
PID 2576 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xBWslNS.exe
PID 2576 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xBWslNS.exe
PID 2576 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xBWslNS.exe
PID 2576 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ijnFSfW.exe
PID 2576 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ijnFSfW.exe
PID 2576 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ijnFSfW.exe
PID 2576 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aYNEBdE.exe
PID 2576 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aYNEBdE.exe
PID 2576 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aYNEBdE.exe
PID 2576 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XgffJxT.exe
PID 2576 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XgffJxT.exe
PID 2576 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XgffJxT.exe
PID 2576 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hTaXfGq.exe
PID 2576 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hTaXfGq.exe
PID 2576 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hTaXfGq.exe
PID 2576 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\maOQgwR.exe
PID 2576 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\maOQgwR.exe
PID 2576 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\maOQgwR.exe
PID 2576 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ostxXlA.exe
PID 2576 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ostxXlA.exe
PID 2576 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ostxXlA.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\FuhUpub.exe

C:\Windows\System\FuhUpub.exe

C:\Windows\System\JRGjtZw.exe

C:\Windows\System\JRGjtZw.exe

C:\Windows\System\gxWyPGB.exe

C:\Windows\System\gxWyPGB.exe

C:\Windows\System\sjCwBXt.exe

C:\Windows\System\sjCwBXt.exe

C:\Windows\System\ybeuwjh.exe

C:\Windows\System\ybeuwjh.exe

C:\Windows\System\zCtlhRN.exe

C:\Windows\System\zCtlhRN.exe

C:\Windows\System\jvHntHS.exe

C:\Windows\System\jvHntHS.exe

C:\Windows\System\jkwrxkP.exe

C:\Windows\System\jkwrxkP.exe

C:\Windows\System\cGsoKFR.exe

C:\Windows\System\cGsoKFR.exe

C:\Windows\System\vWqAorH.exe

C:\Windows\System\vWqAorH.exe

C:\Windows\System\xlEPEAP.exe

C:\Windows\System\xlEPEAP.exe

C:\Windows\System\xCMXfsp.exe

C:\Windows\System\xCMXfsp.exe

C:\Windows\System\bxFLcOc.exe

C:\Windows\System\bxFLcOc.exe

C:\Windows\System\lMQaDdJ.exe

C:\Windows\System\lMQaDdJ.exe

C:\Windows\System\xBWslNS.exe

C:\Windows\System\xBWslNS.exe

C:\Windows\System\ijnFSfW.exe

C:\Windows\System\ijnFSfW.exe

C:\Windows\System\aYNEBdE.exe

C:\Windows\System\aYNEBdE.exe

C:\Windows\System\XgffJxT.exe

C:\Windows\System\XgffJxT.exe

C:\Windows\System\hTaXfGq.exe

C:\Windows\System\hTaXfGq.exe

C:\Windows\System\maOQgwR.exe

C:\Windows\System\maOQgwR.exe

C:\Windows\System\ostxXlA.exe

C:\Windows\System\ostxXlA.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2576-2-0x000000013FB00000-0x000000013FE54000-memory.dmp

memory/2576-0-0x00000000000F0000-0x0000000000100000-memory.dmp

C:\Windows\system\FuhUpub.exe

MD5 930d7e8e91e8a0c1219cd617278204fa
SHA1 a05158124bb4ed9a8d92ca5d4e6c16070aaa0aa1
SHA256 64c53379a40fa62f37504ea5c37e240baec1847ef92b19945a876cd1c231e54a
SHA512 554d11eb0c117ab98bd54d69e080a5e4f73afe170eac2da7668715ee5d053d02b5df8b27427a527852ae54d4ab3c41dd9295d6e488f2453f3a0ce66fe4270e6a

C:\Windows\system\JRGjtZw.exe

MD5 6e1a614582d6e5efea223bfdb3fbd7e2
SHA1 a21c81c18b54215dcbe65604b50b5feaa3595e86
SHA256 52c77bc2b44747621a05f2623f25c26299df92976dac302aca663f8592d30fae
SHA512 ed0da5f241cc331a8aa9d62d118593624b11865914907446ef713d2502e11d4744c7b634c95901a25d75b3e1116d4e15c1d5d81c48753a14a8f43554a877ea10

C:\Windows\system\gxWyPGB.exe

MD5 f700dad73d9fd011b4832ca6973f52d0
SHA1 1e086dece80b644c338b29a6c82c2be3f6685df5
SHA256 62000c5b55a5ede909f6b4fa59be80458824265e725bc60c8d8c33343853a020
SHA512 47148258edf932e1c20e48b7d8a0d1bff52228f0aadddf6231f44b96a82260a4ca42ae3ac85263dd06e0527fe3bf5ea453b404d9c51da188eb5bf9688c2b1d24

\Windows\system\sjCwBXt.exe

MD5 5f313ed858543fe06e2d9f46f11b711c
SHA1 87737c2c3e525534445bfa3070162f10e5eb7989
SHA256 5dbffb2f77d2cc750ac7f2cf68cb55b491647804ea3f1f8fc20db04271a55459
SHA512 09edee560a41165a224adbba680ec12996c461a631320e99ab177ef5672193d22c458eadb50002cf9bc2ab31f7aed41586ecdbf59413637077e204b9fac19703

C:\Windows\system\jvHntHS.exe

MD5 dc4bd519e5145aa08cb348f94d26c8c2
SHA1 c10a384ffdb81aff62b95db3b68c50231ca7a37d
SHA256 1b058db252e513b272bc670a3e30f332677830ed14c287b500e911ac7cb3fede
SHA512 2f456e06b7c38270ad8f8dc69edeb2bb22b094f98214e55d05735711e79a8e8408478e060842ea163f6f04ed1322bea412fd813c977e7f15d4511dc0707ff5b2

C:\Windows\system\cGsoKFR.exe

MD5 be6d47993f423fbafca4eda7ade4a25b
SHA1 30f5d922e66550500e9b16ae3da962bf7170e08a
SHA256 f80ead8a69551c7f0a12757aa5cd6ce8f34487b9dca1b933cd6883354429a671
SHA512 edfb05574d77194368199e1a95d79a0e07dd0c8c101543753eb47981c95f0735452c09f6309f06b883628970a363afd16c40127c8b842c30e4564231451e62e6

C:\Windows\system\vWqAorH.exe

MD5 9113c1d9c8211ff5fa38b89503dde6be
SHA1 297029f81320b7b86e31943f4534c9f21b1b37c1
SHA256 43b3206ff8d7cdac8b236ad51c019d2cdc1382391e745faece2857ba7818cdb5
SHA512 7f58c00b699a434ce696304a718f25f3e713acd4519ad5087547460ae955d3b81621b1eef7d4829b4a7764f7fb7de09610facdf4b8e734a6ac4eec0243cdd8d6

C:\Windows\system\bxFLcOc.exe

MD5 8de1b0bc90f3e7d56b5619d69723880b
SHA1 0185f5e85e00e92a3cb87606601f83069d1e0eea
SHA256 e6d90c18b1c45ff6e23cb99843646b611a6d7c4ac799b450467457e27741697a
SHA512 7d565803b02ed66f1dbdeee85c71b33892a4787ec1d0dd7248fe3ae503b4511db1d34dfb0e134f7c09350363ef1da5772df71eed5717a8f2d8e48cb0ec32b65e

C:\Windows\system\hTaXfGq.exe

MD5 1942858845c616b276c18fea57b91ab2
SHA1 ac1dad18457b88e0847f213d0cf33dddef3f6fa3
SHA256 ca4acb712c663cb05afc09e3c406e7af3ecda63b162bd69b408b5f75356c33e3
SHA512 21b2db86502f20f894ea686601643fb9de5d64d2bfa2735815ab218181b80760be9fa4ffc6017dd5f6347c4d61c51e87ffa25a86b0a37ced6e1ae840a21de351

C:\Windows\system\ostxXlA.exe

MD5 0b31011328c580e0ab3744004ad1a6f0
SHA1 954484f68964b24608053e677410a68b0ebc9b45
SHA256 b77df57dc87a1969de8f93391c6baba23c12e53a62886846acf6d33539f55e05
SHA512 91b2f90def507932c6dc8882abd140eeb6712b945546693fe016593ba0f673114c4e60d28ae729ec15a5bd3b1ea62eb7bacd19e45ae32dd03060991dd39236a8

C:\Windows\system\maOQgwR.exe

MD5 951d3ba945e049e67b175e0c8b1ac65d
SHA1 9cac3f5e9f076ebb39701116d761ed0dc9891b28
SHA256 edd39ed5a99ed774d15dc560995f35fa2b970f39de5676846a1a8c0da29014fe
SHA512 8cd4c0f53a5bd1d4d9087fdd00d20c6b998cba5ea3c0e8c42c61a8560f0f6b04981a9acf2b450c06334af5ea2c7bd49a3a019457a74585b5222da7274be5b880

C:\Windows\system\XgffJxT.exe

MD5 4ff4984efe94a3d37a141f94d6dd9c40
SHA1 f0c5d7b5d11bb46f38b510714b4757de2ddda6c9
SHA256 a9d55f45c753449e5ba4d5594ac24dd52171c0bff23cd411af4fdd74e2c555a8
SHA512 668d0279504b0ee50aceea8b050eae730ca8e8ea2782f5e08e090381744b54e7b6a626b4804edc6fe867762a85f6ade6be38ac6835c5c9911394d9a254354323

C:\Windows\system\aYNEBdE.exe

MD5 7e8afde485baf31689609efddf07c33f
SHA1 46f6f278c8ea57653eb928c45aec1c27e38af139
SHA256 72b95a569f50027d1b63dc29658b2768156644468e82ac8132dc8d7b994631b9
SHA512 bb58df5db1d57a536ff42a6d521be8d11daae8d7357f50732311dfcd8c080ca915700f2c59e217d16847e0081d55cfdc61922e5cbc8dbccedd833ba345190612

memory/2852-114-0x000000013F140000-0x000000013F494000-memory.dmp

memory/2576-113-0x000000013F140000-0x000000013F494000-memory.dmp

memory/1972-127-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/2576-128-0x000000013F060000-0x000000013F3B4000-memory.dmp

memory/2680-126-0x000000013F040000-0x000000013F394000-memory.dmp

memory/2576-125-0x000000013F040000-0x000000013F394000-memory.dmp

memory/2084-124-0x000000013FF60000-0x00000001402B4000-memory.dmp

memory/2576-123-0x000000013FF60000-0x00000001402B4000-memory.dmp

memory/1708-122-0x000000013F940000-0x000000013FC94000-memory.dmp

memory/2892-121-0x000000013F820000-0x000000013FB74000-memory.dmp

memory/2944-120-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

memory/2576-119-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

memory/2668-118-0x000000013FC10000-0x000000013FF64000-memory.dmp

memory/2208-117-0x000000013F320000-0x000000013F674000-memory.dmp

memory/2576-116-0x000000013F320000-0x000000013F674000-memory.dmp

memory/2912-115-0x000000013FE30000-0x0000000140184000-memory.dmp

memory/2808-112-0x000000013FE50000-0x00000001401A4000-memory.dmp

memory/2532-111-0x000000013FCC0000-0x0000000140014000-memory.dmp

memory/2576-110-0x0000000002280000-0x00000000025D4000-memory.dmp

memory/2480-109-0x000000013F060000-0x000000013F3B4000-memory.dmp

memory/2288-108-0x000000013FAD0000-0x000000013FE24000-memory.dmp

C:\Windows\system\ijnFSfW.exe

MD5 deef49fef1bda3717b2b6002d89a6cd8
SHA1 d9f785fdb058d6759a367461e9321ef13e314166
SHA256 49d8a63dba94d87a18723515fdb570ae52467116786c07f57852265a50c301ce

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-07 21:46

Reported

2024-08-07 21:49

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\xBWslNS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hTaXfGq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FuhUpub.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cGsoKFR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xlEPEAP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xCMXfsp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jvHntHS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gxWyPGB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zCtlhRN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jkwrxkP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vWqAorH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bxFLcOc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lMQaDdJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XgffJxT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JRGjtZw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\maOQgwR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ybeuwjh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ijnFSfW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aYNEBdE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ostxXlA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sjCwBXt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4528 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FuhUpub.exe
PID 4528 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FuhUpub.exe
PID 4528 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JRGjtZw.exe
PID 4528 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JRGjtZw.exe
PID 4528 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gxWyPGB.exe
PID 4528 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gxWyPGB.exe
PID 4528 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sjCwBXt.exe
PID 4528 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sjCwBXt.exe
PID 4528 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ybeuwjh.exe
PID 4528 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ybeuwjh.exe
PID 4528 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zCtlhRN.exe
PID 4528 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zCtlhRN.exe
PID 4528 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jvHntHS.exe
PID 4528 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jvHntHS.exe
PID 4528 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jkwrxkP.exe
PID 4528 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jkwrxkP.exe
PID 4528 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cGsoKFR.exe
PID 4528 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cGsoKFR.exe
PID 4528 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vWqAorH.exe
PID 4528 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vWqAorH.exe
PID 4528 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xlEPEAP.exe
PID 4528 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xlEPEAP.exe
PID 4528 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xCMXfsp.exe
PID 4528 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xCMXfsp.exe
PID 4528 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bxFLcOc.exe
PID 4528 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bxFLcOc.exe
PID 4528 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lMQaDdJ.exe
PID 4528 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lMQaDdJ.exe
PID 4528 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xBWslNS.exe
PID 4528 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xBWslNS.exe
PID 4528 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ijnFSfW.exe
PID 4528 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ijnFSfW.exe
PID 4528 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aYNEBdE.exe
PID 4528 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aYNEBdE.exe
PID 4528 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XgffJxT.exe
PID 4528 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XgffJxT.exe
PID 4528 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hTaXfGq.exe
PID 4528 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hTaXfGq.exe
PID 4528 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\maOQgwR.exe
PID 4528 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\maOQgwR.exe
PID 4528 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ostxXlA.exe
PID 4528 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ostxXlA.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\FuhUpub.exe

C:\Windows\System\FuhUpub.exe

C:\Windows\System\JRGjtZw.exe

C:\Windows\System\JRGjtZw.exe

C:\Windows\System\gxWyPGB.exe

C:\Windows\System\gxWyPGB.exe

C:\Windows\System\sjCwBXt.exe

C:\Windows\System\sjCwBXt.exe

C:\Windows\System\ybeuwjh.exe

C:\Windows\System\ybeuwjh.exe

C:\Windows\System\zCtlhRN.exe

C:\Windows\System\zCtlhRN.exe

C:\Windows\System\jvHntHS.exe

C:\Windows\System\jvHntHS.exe

C:\Windows\System\jkwrxkP.exe

C:\Windows\System\jkwrxkP.exe

C:\Windows\System\cGsoKFR.exe

C:\Windows\System\cGsoKFR.exe

C:\Windows\System\vWqAorH.exe

C:\Windows\System\vWqAorH.exe

C:\Windows\System\xlEPEAP.exe

C:\Windows\System\xlEPEAP.exe

C:\Windows\System\xCMXfsp.exe

C:\Windows\System\xCMXfsp.exe

C:\Windows\System\bxFLcOc.exe

C:\Windows\System\bxFLcOc.exe

C:\Windows\System\lMQaDdJ.exe

C:\Windows\System\lMQaDdJ.exe

C:\Windows\System\xBWslNS.exe

C:\Windows\System\xBWslNS.exe

C:\Windows\System\ijnFSfW.exe

C:\Windows\System\ijnFSfW.exe

C:\Windows\System\aYNEBdE.exe

C:\Windows\System\aYNEBdE.exe

C:\Windows\System\XgffJxT.exe

C:\Windows\System\XgffJxT.exe

C:\Windows\System\hTaXfGq.exe

C:\Windows\System\hTaXfGq.exe

C:\Windows\System\maOQgwR.exe

C:\Windows\System\maOQgwR.exe

C:\Windows\System\ostxXlA.exe

C:\Windows\System\ostxXlA.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
