Malware Analysis Report

2025-01-22 19:30

Sample ID 240807-1nslwsvckk
Target 2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat
SHA256 96248c94d0380804b4ee560efe3ddee2de8111906618cf15ea58ee0bea9edaf5
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

96248c94d0380804b4ee560efe3ddee2de8111906618cf15ea58ee0bea9edaf5

Threat Level: Known bad

The file 2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

XMRig Miner payload

Xmrig family

Cobaltstrike family

Cobalt Strike reflective loader

xmrig

Cobaltstrike

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-07 21:48

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-07 21:48

Reported

2024-08-07 21:50

Platform

win7-20240704-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\PVbOPna.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OMQVvla.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mJHZuiJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QRlZQpY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nXsOhXM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oQywFQj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oGgxeiQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QBJCTBw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PjIxuQh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XXjEtYK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\INFJpdC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dOlmvEU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\igDXBgz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WYBYADY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vUZTkUb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HLIhXKN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cjbOtJQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fmuqJkF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gVVZyIc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ArecPcW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cwIGWVT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2172 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nXsOhXM.exe
PID 2172 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nXsOhXM.exe
PID 2172 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nXsOhXM.exe
PID 2172 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oQywFQj.exe
PID 2172 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oQywFQj.exe
PID 2172 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oQywFQj.exe
PID 2172 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XXjEtYK.exe
PID 2172 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XXjEtYK.exe
PID 2172 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XXjEtYK.exe
PID 2172 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WYBYADY.exe
PID 2172 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WYBYADY.exe
PID 2172 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WYBYADY.exe
PID 2172 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\INFJpdC.exe
PID 2172 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\INFJpdC.exe
PID 2172 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\INFJpdC.exe
PID 2172 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oGgxeiQ.exe
PID 2172 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oGgxeiQ.exe
PID 2172 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oGgxeiQ.exe
PID 2172 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dOlmvEU.exe
PID 2172 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dOlmvEU.exe
PID 2172 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dOlmvEU.exe
PID 2172 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QBJCTBw.exe
PID 2172 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QBJCTBw.exe
PID 2172 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QBJCTBw.exe
PID 2172 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PVbOPna.exe
PID 2172 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PVbOPna.exe
PID 2172 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PVbOPna.exe
PID 2172 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vUZTkUb.exe
PID 2172 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vUZTkUb.exe
PID 2172 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vUZTkUb.exe
PID 2172 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HLIhXKN.exe
PID 2172 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HLIhXKN.exe
PID 2172 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HLIhXKN.exe
PID 2172 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cjbOtJQ.exe
PID 2172 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cjbOtJQ.exe
PID 2172 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cjbOtJQ.exe
PID 2172 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fmuqJkF.exe
PID 2172 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fmuqJkF.exe
PID 2172 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fmuqJkF.exe
PID 2172 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gVVZyIc.exe
PID 2172 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gVVZyIc.exe
PID 2172 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gVVZyIc.exe
PID 2172 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\igDXBgz.exe
PID 2172 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\igDXBgz.exe
PID 2172 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\igDXBgz.exe
PID 2172 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ArecPcW.exe
PID 2172 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ArecPcW.exe
PID 2172 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ArecPcW.exe
PID 2172 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OMQVvla.exe
PID 2172 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OMQVvla.exe
PID 2172 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OMQVvla.exe
PID 2172 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cwIGWVT.exe
PID 2172 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cwIGWVT.exe
PID 2172 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cwIGWVT.exe
PID 2172 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PjIxuQh.exe
PID 2172 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PjIxuQh.exe
PID 2172 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PjIxuQh.exe
PID 2172 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mJHZuiJ.exe
PID 2172 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mJHZuiJ.exe
PID 2172 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mJHZuiJ.exe
PID 2172 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QRlZQpY.exe
PID 2172 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QRlZQpY.exe
PID 2172 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QRlZQpY.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\nXsOhXM.exe

C:\Windows\System\nXsOhXM.exe

C:\Windows\System\oQywFQj.exe

C:\Windows\System\oQywFQj.exe

C:\Windows\System\XXjEtYK.exe

C:\Windows\System\XXjEtYK.exe

C:\Windows\System\WYBYADY.exe

C:\Windows\System\WYBYADY.exe

C:\Windows\System\INFJpdC.exe

C:\Windows\System\INFJpdC.exe

C:\Windows\System\oGgxeiQ.exe

C:\Windows\System\oGgxeiQ.exe

C:\Windows\System\dOlmvEU.exe

C:\Windows\System\dOlmvEU.exe

C:\Windows\System\QBJCTBw.exe

C:\Windows\System\QBJCTBw.exe

C:\Windows\System\PVbOPna.exe

C:\Windows\System\PVbOPna.exe

C:\Windows\System\vUZTkUb.exe

C:\Windows\System\vUZTkUb.exe

C:\Windows\System\HLIhXKN.exe

C:\Windows\System\HLIhXKN.exe

C:\Windows\System\cjbOtJQ.exe

C:\Windows\System\cjbOtJQ.exe

C:\Windows\System\fmuqJkF.exe

C:\Windows\System\fmuqJkF.exe

C:\Windows\System\gVVZyIc.exe

C:\Windows\System\gVVZyIc.exe

C:\Windows\System\igDXBgz.exe

C:\Windows\System\igDXBgz.exe

C:\Windows\System\ArecPcW.exe

C:\Windows\System\ArecPcW.exe

C:\Windows\System\OMQVvla.exe

C:\Windows\System\OMQVvla.exe

C:\Windows\System\cwIGWVT.exe

C:\Windows\System\cwIGWVT.exe

C:\Windows\System\PjIxuQh.exe

C:\Windows\System\PjIxuQh.exe

C:\Windows\System\mJHZuiJ.exe

C:\Windows\System\mJHZuiJ.exe

C:\Windows\System\QRlZQpY.exe

C:\Windows\System\QRlZQpY.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2172-0-0x000000013FB50000-0x000000013FEA4000-memory.dmp

memory/2172-1-0x0000000000180000-0x0000000000190000-memory.dmp

\Windows\system\nXsOhXM.exe

MD5 c5754cec7f4a1c3b1bf4bffa30e3bff2
SHA1 848fc2e18def9971930cd9a15e95c48ce7a64730
SHA256 eee335a1d812795b419d94b8ccd4393b86abfabfb3ea1dc82953fc8a1bc7edb8
SHA512 31276030e159cec7d81a6ffddae688f0706c25f9ff5be74ac3f2b42470bbe9af1903d5f1eb37620d6a565e98701fbceeed281fe65ab69e3d2453dce2fd3fa3d6

\Windows\system\oQywFQj.exe

MD5 96f0a5eb336485a2cf4ace7d7b47150e
SHA1 596f4ec1d9b159231f3ee2566f9e314ec3533334
SHA256 32ed9dcfceed0eff4d3d0fef2a3d5012d945905c81ce8700427d0e6ca84ddcbe
SHA512 54ee9ef11cbf98c4bd18f28d8521757e08b0208cb8b5e9fa01ea0a0648ec0f22f1fd61f085d7129fc86d7de7ba58d39636b9a105a743d54784e0ec34f98da97e

C:\Windows\system\XXjEtYK.exe

MD5 9bd0e1648e8ac0a7126590791a50c4c3
SHA1 6edb632d96a97c02e56096a7d77594941af9d5ca
SHA256 7fbacf67c6bdc7c859cb33eae052ffb738d9662a59326d1f2399fa0bccbe63a2
SHA512 ffde9e7df923bb5506fb98205206ff775e346160e951451895dbc626d011d0e5079453c914b006563707de34906fd0c9478a02115d2205d465c7d3c7075c4184

\Windows\system\INFJpdC.exe

MD5 f5669dacc0a623e7b055bf51548366a2
SHA1 e9fb88de2ceb57c4c7a1b12056f21aa97fae90c9
SHA256 8894794fdb868029068489ac478f81eb388ebe58c31c88e0e9ed5903208bbfff
SHA512 3bba5ba8b19a2634c086d73ccd5d74c9b88530ed10f422dedba223112441418b6b823460dbf9705a566dd6079ec79ea8ff7a4675575dab5c378bdbca9be2bff0

C:\Windows\system\HLIhXKN.exe

MD5 107387bbbda053349e4a2b4182a38ab3
SHA1 c08bcd6372701e8671232d8d6269937a18912476
SHA256 af1a068f73441a1eb03ca2d572b854beb6aa17d2d88c341d0c54f5ac65ebf8a5
SHA512 7b522b27526eaecae6712193321884e97c6264b46a2e6a43dc805fe3319f57f07a9e505483663d39a4793830ccda7d445adf0457df8da7a65ba7bc40a81d5493

C:\Windows\system\cjbOtJQ.exe

MD5 12fb6ba6b2baa2c0d4efabeb549a320d
SHA1 89328c20c8e65cb29be51613c84e781a42cc959c
SHA256 eda328db0ee2c307e695a12b6ddd3f992fe0f6b6c9ba403ac3551cc6d44009d6
SHA512 61f72e9cc33a51c3c7aa1f7137880fe2cda70319527e63bf1c48caf1ccbe5336d93aae8973147268d6e9e313b2b530d6746b9958febaa4bf14bc01ac9acb25c8

C:\Windows\system\QRlZQpY.exe

MD5 e645cf5742db473a4cfc7f3849d5b31c
SHA1 b4a1c8b16c5626bead98d9f07b507a4f0c92e7aa
SHA256 0efa4b0e0432e4c7b2d31af4391475e651853b245bced2c5f1d0ba626f71e2f5
SHA512 9eb81f5a47e6cbd7a4f734212ca1e9c151fe4b7728024e76862a241a748b850d0f9c9401d15610a930f687ed95b5afae55b45057f8c5cd83147a72a3eed8b030

C:\Windows\system\mJHZuiJ.exe

MD5 8d929d6af605e5aed5cfa5bb693651fd
SHA1 29d3fcc521352e6559aa6521838d108a06aab33e
SHA256 783848f97f6c399c91c3da68043deadc32fa460832332dad9ca7faf5a10a2a7e
SHA512 b709259e6bc91a9ea542dab67f798dd6fba5961a0156146f8138ff5e000fca5286f6eb11342333bcdbbdd51b35299eb0c7a92b12110492abcb4b019ad8175e29

C:\Windows\system\PjIxuQh.exe

MD5 b078410f886884464f625a5c0af95bd7
SHA1 fbe9537ee5bad1e735d3766db407a5991f3f0b1d
SHA256 4390c002983bf2973536556078f07d3760f929aa1bc079d9657c801b3b22556d
SHA512 bec09a592d44d102fd83516e37f1ee297ce54d621b727560dd3ed20372bf26a4a6d7eb60bc31c9364a1c77cfaf96d9a6afe8464a300083797c926027384f7750

C:\Windows\system\cwIGWVT.exe

MD5 57a1138a471a9d0df82b6f846c99c86a
SHA1 52418d911d6b77b540b3b3afdec17a19b819fee0
SHA256 f23abe67883baff02b92ca82c8e0570a2acc9700ef00463396b4df929472f91b
SHA512 b9b6c55f8b555b8a65907f34f135270be2952b48e7d481e9c60d3151d98248873fa04b19350ebcead3b47e66d2d2b2d717253a0d6e8e1bf94909f5ed0dbeb7a0

C:\Windows\system\OMQVvla.exe

MD5 7b755ddbe22c39c5b6851fa40ecdb09a
SHA1 0327c2dad2d3dafbf9d46965bbd376478e1b5647
SHA256 3f5d0793ace28cedf24c6364e0029c5a6b6c5c0a9a29078f9ea01a9c985c41d7
SHA512 5aa503e871418973aed4501a56cc4159ff4d135b218374572aba9662917a861a41fae72062421e7402d156e35dcf8b24179a0cbd8995e800cf1935f4dbec2719

C:\Windows\system\ArecPcW.exe

MD5 afd0724294f1718f593a40c1cc199828
SHA1 85fe062ba6b0158de4b2952d5bf3fb4eb8100fb8
SHA256 8084aceb2691f0c0bceef0dfd05b3c5c765879d2ce08e8d72a7e12f99ea85d4a
SHA512 88471ff0fe0635d97fb4181bdeeb322d5cb655c9b18de539cc5a9a0b9d51864c98069882d2fbc046c822c413c4f3a1301e9babd6c190aefa1693b9100f050755

C:\Windows\system\igDXBgz.exe

MD5 b5a3203c2bf454f4ac6c31f9be4bd771
SHA1 4f5001c207ccd603a38b567cdb11aabf2573cb7c
SHA256 e7fa7e059ddd03a90095807b9ce30152f4ac5c23750dd9962c395ead25bb5d9f
SHA512 00bd75c97cf9b471e40e89271ae2688f7cf96e53124dc667a73402ae38f162a75dcfbefefdb8a2b51d015980c77b580896560b2304b251a78e874784b08be71b

C:\Windows\system\gVVZyIc.exe

MD5 68c75f6da3b47c8446eaa4504c4f0146
SHA1 3ef214af59383405aeaaf80d28970fe909d40dbc
SHA256 cfdc483a2ae36ae2c98b0ac75888443cf170302b2a2417b45f063d43285098ac
SHA512 9f656ce646ce4a0dd51407c603f90e4875cbb8e8c60c3a781e028e904e05bca75296f7f80636f9f078efee038d9e177a2418547db972d4c0e1fbc057d4b39430

C:\Windows\system\fmuqJkF.exe

MD5 4f6e765b5974ead088c8631030a85d0d
SHA1 01ae2a226ed2a320e55838b75a2df2a9fb2dca90
SHA256 a3abb3209f8ab6cbf1e554fd6209dd19a4a8c70e96d2fc959310d082b36885cb
SHA512 429a1cb3ef42984378e1edbda9d1a8e621b87498f893de1729be940952ff35a748124c85321ee7b356b7b0677314050565661daf3170ec372b7430699e9b3bf3

C:\Windows\system\vUZTkUb.exe

MD5 490e13ddead724dcf3ff0dbe05d92634
SHA1 22c98500de7cc99b1ba62c1ca69d49b00248e4c8
SHA256 b2f70ed7bfe4bee6505884f4db286774e86b268a3a43dc7ff48ba9698b393253
SHA512 4c8360e6cc7d38143c7885380b13da39981678fdf0672ed83cfa4cad3dddbb16331892d4c81278912b8305d18791e2f48a2ceb1dd2720adeee364e4a60e17deb

C:\Windows\system\PVbOPna.exe

MD5 a869a50e94b058a858fb70f51812d115
SHA1 a582f5c09c3c1e38b401d06fd32ab12f430722cd
SHA256 fc92367b14e847f5d9b38c82f1dadc8d943baa90312a2c6414f79ee2f395475e
SHA512 679f442a18d30fa6769f47f04de4721cf82c52a62b6bfa57ff2dd1839363a93b13a9abaa2c790500af424a0a1173df74b46d7001464954348ab2113aa5d31d92

C:\Windows\system\QBJCTBw.exe

MD5 be3f0621aec174f49e81c0ac58d98112
SHA1 41995aed948fd00afb56808dcfb521ed55c7e9d7
SHA256 abd1af79aeacf506f155476ba91bbc5eff08af68ac8fc1987f2f28513eda9c09
SHA512 c4bad43b025414ffc10a0834cf61b1757baf85c70a589b53b0de64e9308e26a95101f1268bea5eb4125b42ae4eb955f620e2a377ccedb9a392a4b64d9635740c

C:\Windows\system\dOlmvEU.exe

MD5 8cbb54798607f8963d5b86ccf646562a
SHA1 b0a60013924c9ee786fba8cdae38e8ae8435e748
SHA256 419e3c642e8007753f05378c0291b8d75cc6c45eb54b820e441e118d1351bded
SHA512 ff8ebc515bf17ff55815deb72f85bf8aa94042eac8784272af20c5869b4a891cc1bda2f528e4fc9e4b69805da00a69d33f09641395a04aeb43acd53fd9a580d7

C:\Windows\system\oGgxeiQ.exe

MD5 1f1d1ecddbec4355c858c09d93d48d83
SHA1 66f28c30dc4a6216ce65b7d6d764a163255c6d66
SHA256 7195ff397f1b83237b22dbf78445934e688c581992d35ef983d279557458a22d
SHA512 779903bfb4b6726dcd1bc1ac08ff4fe804916b494be55c2979474472c83d31d62220923be305ec73dc8c1d6a30baff23b1e3bdbf171efae25ce8bd8846fc38e6

memory/2172-28-0x000000013F270000-0x000000013F5C4000-memory.dmp

C:\Windows\system\WYBYADY.exe

MD5 dc3b796774550421003cb6350e97380b
SHA1 31bb49ea716dacf7c4e0173e9465dbd06eccbbc7
SHA256 4f94113bd5c45d119ff088cbccbe1dedcd8920aee3544da55f5811e4e68327b8
SHA512 70da4907d938f5b0dca923b2761412099f5a9aea6a8ab6c829ff683b7c6fd004b4b34ea3d7d371b424d685ade24e1d431d6ab04a42f9ab1c6c0c97c0bb739831

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-07 21:48

Reported

2024-08-07 21:50

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\vUZTkUb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gVVZyIc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QRlZQpY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mJHZuiJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nXsOhXM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WYBYADY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\INFJpdC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fmuqJkF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ArecPcW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PjIxuQh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oQywFQj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dOlmvEU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HLIhXKN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cjbOtJQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cwIGWVT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XXjEtYK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oGgxeiQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QBJCTBw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PVbOPna.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\igDXBgz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OMQVvla.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1708 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nXsOhXM.exe
PID 1708 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nXsOhXM.exe
PID 1708 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oQywFQj.exe
PID 1708 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oQywFQj.exe
PID 1708 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XXjEtYK.exe
PID 1708 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XXjEtYK.exe
PID 1708 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WYBYADY.exe
PID 1708 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WYBYADY.exe
PID 1708 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\INFJpdC.exe
PID 1708 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\INFJpdC.exe
PID 1708 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oGgxeiQ.exe
PID 1708 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oGgxeiQ.exe
PID 1708 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dOlmvEU.exe
PID 1708 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dOlmvEU.exe
PID 1708 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QBJCTBw.exe
PID 1708 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QBJCTBw.exe
PID 1708 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PVbOPna.exe
PID 1708 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PVbOPna.exe
PID 1708 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vUZTkUb.exe
PID 1708 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vUZTkUb.exe
PID 1708 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HLIhXKN.exe
PID 1708 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HLIhXKN.exe
PID 1708 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cjbOtJQ.exe
PID 1708 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cjbOtJQ.exe
PID 1708 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fmuqJkF.exe
PID 1708 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fmuqJkF.exe
PID 1708 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gVVZyIc.exe
PID 1708 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gVVZyIc.exe
PID 1708 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\igDXBgz.exe
PID 1708 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\igDXBgz.exe
PID 1708 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ArecPcW.exe
PID 1708 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ArecPcW.exe
PID 1708 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OMQVvla.exe
PID 1708 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OMQVvla.exe
PID 1708 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cwIGWVT.exe
PID 1708 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cwIGWVT.exe
PID 1708 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PjIxuQh.exe
PID 1708 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PjIxuQh.exe
PID 1708 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mJHZuiJ.exe
PID 1708 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mJHZuiJ.exe
PID 1708 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QRlZQpY.exe
PID 1708 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QRlZQpY.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\nXsOhXM.exe

C:\Windows\System\nXsOhXM.exe

C:\Windows\System\oQywFQj.exe

C:\Windows\System\oQywFQj.exe

C:\Windows\System\XXjEtYK.exe

C:\Windows\System\XXjEtYK.exe

C:\Windows\System\WYBYADY.exe

C:\Windows\System\WYBYADY.exe

C:\Windows\System\INFJpdC.exe

C:\Windows\System\INFJpdC.exe

C:\Windows\System\oGgxeiQ.exe

C:\Windows\System\oGgxeiQ.exe

C:\Windows\System\dOlmvEU.exe

C:\Windows\System\dOlmvEU.exe

C:\Windows\System\QBJCTBw.exe

C:\Windows\System\QBJCTBw.exe

C:\Windows\System\PVbOPna.exe

C:\Windows\System\PVbOPna.exe

C:\Windows\System\vUZTkUb.exe

C:\Windows\System\vUZTkUb.exe

C:\Windows\System\HLIhXKN.exe

C:\Windows\System\HLIhXKN.exe

C:\Windows\System\cjbOtJQ.exe

C:\Windows\System\cjbOtJQ.exe

C:\Windows\System\fmuqJkF.exe

C:\Windows\System\fmuqJkF.exe

C:\Windows\System\gVVZyIc.exe

C:\Windows\System\gVVZyIc.exe

C:\Windows\System\igDXBgz.exe

C:\Windows\System\igDXBgz.exe

C:\Windows\System\ArecPcW.exe

C:\Windows\System\ArecPcW.exe

C:\Windows\System\OMQVvla.exe

C:\Windows\System\OMQVvla.exe

C:\Windows\System\cwIGWVT.exe

C:\Windows\System\cwIGWVT.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4116,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=1296 /prefetch:8

C:\Windows\System\PjIxuQh.exe

C:\Windows\System\PjIxuQh.exe

C:\Windows\System\mJHZuiJ.exe

C:\Windows\System\mJHZuiJ.exe

C:\Windows\System\QRlZQpY.exe

C:\Windows\System\QRlZQpY.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\nXsOhXM.exe

MD5 c5754cec7f4a1c3b1bf4bffa30e3bff2
SHA1 848fc2e18def9971930cd9a15e95c48ce7a64730
SHA256 eee335a1d812795b419d94b8ccd4393b86abfabfb3ea1dc82953fc8a1bc7edb8
SHA512 31276030e159cec7d81a6ffddae688f0706c25f9ff5be74ac3f2b42470bbe9af1903d5f1eb37620d6a565e98701fbceeed281fe65ab69e3d2453dce2fd3fa3d6

C:\Windows\System\XXjEtYK.exe

MD5 9bd0e1648e8ac0a7126590791a50c4c3
SHA1 6edb632d96a97c02e56096a7d77594941af9d5ca
SHA256 7fbacf67c6bdc7c859cb33eae052ffb738d9662a59326d1f2399fa0bccbe63a2
SHA512 ffde9e7df923bb5506fb98205206ff775e346160e951451895dbc626d011d0e5079453c914b006563707de34906fd0c9478a02115d2205d465c7d3c7075c4184

C:\Windows\System\oQywFQj.exe

MD5 96f0a5eb336485a2cf4ace7d7b47150e
SHA1 596f4ec1d9b159231f3ee2566f9e314ec3533334
SHA256 32ed9dcfceed0eff4d3d0fef2a3d5012d945905c81ce8700427d0e6ca84ddcbe
SHA512 54ee9ef11cbf98c4bd18f28d8521757e08b0208cb8b5e9fa01ea0a0648ec0f22f1fd61f085d7129fc86d7de7ba58d39636b9a105a743d54784e0ec34f98da97e

C:\Windows\System\WYBYADY.exe

MD5 dc3b796774550421003cb6350e97380b
SHA1 31bb49ea716dacf7c4e0173e9465dbd06eccbbc7
SHA256 4f94113bd5c45d119ff088cbccbe1dedcd8920aee3544da55f5811e4e68327b8
SHA512 70da4907d938f5b0dca923b2761412099f5a9aea6a8ab6c829ff683b7c6fd004b4b34ea3d7d371b424d685ade24e1d431d6ab04a42f9ab1c6c0c97c0bb739831

C:\Windows\System\oGgxeiQ.exe

MD5 1f1d1ecddbec4355c858c09d93d48d83
SHA1 66f28c30dc4a6216ce65b7d6d764a163255c6d66
SHA256 7195ff397f1b83237b22dbf78445934e688c581992d35ef983d279557458a22d
SHA512 779903bfb4b6726dcd1bc1ac08ff4fe804916b494be55c2979474472c83d31d62220923be305ec73dc8c1d6a30baff23b1e3bdbf171efae25ce8bd8846fc38e6

C:\Windows\System\PVbOPna.exe

MD5 a869a50e94b058a858fb70f51812d115
SHA1 a582f5c09c3c1e38b401d06fd32ab12f430722cd
SHA256 fc92367b14e847f5d9b38c82f1dadc8d943baa90312a2c6414f79ee2f395475e
SHA512 679f442a18d30fa6769f47f04de4721cf82c52a62b6bfa57ff2dd1839363a93b13a9abaa2c790500af424a0a1173df74b46d7001464954348ab2113aa5d31d92

C:\Windows\System\HLIhXKN.exe

MD5 107387bbbda053349e4a2b4182a38ab3
SHA1 c08bcd6372701e8671232d8d6269937a18912476
SHA256 af1a068f73441a1eb03ca2d572b854beb6aa17d2d88c341d0c54f5ac65ebf8a5
SHA512 7b522b27526eaecae6712193321884e97c6264b46a2e6a43dc805fe3319f57f07a9e505483663d39a4793830ccda7d445adf0457df8da7a65ba7bc40a81d5493

C:\Windows\System\cjbOtJQ.exe

MD5 12fb6ba6b2baa2c0d4efabeb549a320d
SHA1 89328c20c8e65cb29be51613c84e781a42cc959c
SHA256 eda328db0ee2c307e695a12b6ddd3f992fe0f6b6c9ba403ac3551cc6d44009d6
SHA512 61f72e9cc33a51c3c7aa1f7137880fe2cda70319527e63bf1c48caf1ccbe5336d93aae8973147268d6e9e313b2b530d6746b9958febaa4bf14bc01ac9acb25c8

C:\Windows\System\cwIGWVT.exe

MD5 57a1138a471a9d0df82b6f846c99c86a
SHA1 52418d911d6b77b540b3b3afdec17a19b819fee0
SHA256 f23abe67883baff02b92ca82c8e0570a2acc9700ef00463396b4df929472f91b
SHA512 b9b6c55f8b555b8a65907f34f135270be2952b48e7d481e9c60d3151d98248873fa04b19350ebcead3b47e66d2d2b2d717253a0d6e8e1bf94909f5ed0dbeb7a0

C:\Windows\System\OMQVvla.exe

MD5 7b755ddbe22c39c5b6851fa40ecdb09a
SHA1 0327c2dad2d3dafbf9d46965bbd376478e1b5647
SHA256 3f5d0793ace28cedf24c6364e0029c5a6b6c5c0a9a29078f9ea01a9c985c41d7
SHA512 5aa503e871418973aed4501a56cc4159ff4d135b218374572aba9662917a861a41fae72062421e7402d156e35dcf8b24179a0cbd8995e800cf1935f4dbec2719

C:\Windows\System\ArecPcW.exe

MD5 afd0724294f1718f593a40c1cc199828
SHA1 85fe062ba6b0158de4b2952d5bf3fb4eb8100fb8
SHA256 8084aceb2691f0c0bceef0dfd05b3c5c765879d2ce08e8d72a7e12f99ea85d4a
SHA512 88471ff0fe0635d97fb4181bdeeb322d5cb655c9b18de539cc5a9a0b9d51864c98069882d2fbc046c822c413c4f3a1301e9babd6c190aefa1693b9100f050755

C:\Windows\System\igDXBgz.exe

MD5 b5a3203c2bf454f4ac6c31f9be4bd771
SHA1 4f5001c207ccd603a38b567cdb11aabf2573cb7c
SHA256 e7fa7e059ddd03a90095807b9ce30152f4ac5c23750dd9962c395ead25bb5d9f
SHA512 00bd75c97cf9b471e40e89271ae2688f7cf96e53124dc667a73402ae38f162a75dcfbefefdb8a2b51d015980c77b580896560b2304b251a78e874784b08be71b

C:\Windows\System\gVVZyIc.exe

MD5 68c75f6da3b47c8446eaa4504c4f0146
SHA1 3ef214af59383405aeaaf80d28970fe909d40dbc
SHA256 cfdc483a2ae36ae2c98b0ac75888443cf170302b2a2417b45f063d43285098ac
SHA512 9f656ce646ce4a0dd51407c603f90e4875cbb8e8c60c3a781e028e904e05bca75296f7f80636f9f078efee038d9e177a2418547db972d4c0e1fbc057d4b39430

C:\Windows\System\fmuqJkF.exe

MD5 4f6e765b5974ead088c8631030a85d0d
SHA1 01ae2a226ed2a320e55838b75a2df2a9fb2dca90
SHA256 a3abb3209f8ab6cbf1e554fd6209dd19a4a8c70e96d2fc959310d082b36885cb
SHA512 429a1cb3ef42984378e1edbda9d1a8e621b87498f893de1729be940952ff35a748124c85321ee7b356b7b0677314050565661daf3170ec372b7430699e9b3bf3

C:\Windows\System\vUZTkUb.exe

MD5 490e13ddead724dcf3ff0dbe05d92634
SHA1 22c98500de7cc99b1ba62c1ca69d49b00248e4c8
SHA256 b2f70ed7bfe4bee6505884f4db286774e86b268a3a43dc7ff48ba9698b393253
SHA512 4c8360e6cc7d38143c7885380b13da39981678fdf0672ed83cfa4cad3dddbb16331892d4c81278912b8305d18791e2f48a2ceb1dd2720adeee364e4a60e17deb

C:\Windows\System\QBJCTBw.exe

MD5 be3f0621aec174f49e81c0ac58d98112
SHA1 41995aed948fd00afb56808dcfb521ed55c7e9d7
SHA256 abd1af79aeacf506f155476ba91bbc5eff08af68ac8fc1987f2f28513eda9c09
SHA512 c4bad43b025414ffc10a0834cf61b1757baf85c70a589b53b0de64e9308e26a95101f1268bea5eb4125b42ae4eb955f620e2a377ccedb9a392a4b64d9635740c

C:\Windows\System\dOlmvEU.exe

MD5 8cbb54798607f8963d5b86ccf646562a
SHA1 b0a60013924c9ee786fba8cdae38e8ae8435e748
SHA256 419e3c642e8007753f05378c0291b8d75cc6c45eb54b820e441e118d1351bded
SHA512 ff8ebc515bf17ff55815deb72f85bf8aa94042eac8784272af20c5869b4a891cc1bda2f528e4fc9e4b69805da00a69d33f09641395a04aeb43acd53fd9a580d7

C:\Windows\System\INFJpdC.exe

MD5 f5669dacc0a623e7b055bf51548366a2
SHA1 e9fb88de2ceb57c4c7a1b12056f21aa97fae90c9
SHA256 8894794fdb868029068489ac478f81eb388ebe58c31c88e0e9ed5903208bbfff
SHA512 3bba5ba8b19a2634c086d73ccd5d74c9b88530ed10f422dedba223112441418b6b823460dbf9705a566dd6079ec79ea8ff7a4675575dab5c378bdbca9be2bff0

C:\Windows\System\PjIxuQh.exe

MD5 b078410f886884464f625a5c0af95bd7
SHA1 fbe9537ee5bad1e735d3766db407a5991f3f0b1d
SHA256 4390c002983bf2973536556078f07d3760f929aa1bc079d9657c801b3b22556d
SHA512 bec09a592d44d102fd83516e37f1ee297ce54d621b727560dd3ed20372bf26a4a6d7eb60bc31c9364a1c77cfaf96d9a6afe8464a300083797c926027384f7750

C:\Windows\System\mJHZuiJ.exe

MD5 8d929d6af605e5aed5cfa5bb693651fd
SHA1 29d3fcc521352e6559aa6521838d108a06aab33e
SHA256 783848f97f6c399c91c3da68043deadc32fa460832332dad9ca7faf5a10a2a7e
SHA512 b709259e6bc91a9ea542dab67f798dd6fba5961a0156146f8138ff5e000fca5286f6eb11342333bcdbbdd51b35299eb0c7a92b12110492abcb4b019ad8175e29

C:\Windows\System\QRlZQpY.exe

MD5 e645cf5742db473a4cfc7f3849d5b31c
SHA1 b4a1c8b16c5626bead98d9f07b507a4f0c92e7aa
SHA256 0efa4b0e0432e4c7b2d31af4391475e651853b245bced2c5f1d0ba626f71e2f5
SHA512 9eb81f5a47e6cbd7a4f734212ca1e9c151fe4b7728024e76862a241a748b850d0f9c9401d15610a930f687ed95b5afae55b45057f8c5cd83147a72a3eed8b030
