Malware Analysis Report

2025-03-15 08:02

Sample ID 240814-1a8e7azhkj
Target 2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat
SHA256 674787aabddeafed1b06a7a1ff5c0c476e3c99b1e49049cc91a809c497a6c62a
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

674787aabddeafed1b06a7a1ff5c0c476e3c99b1e49049cc91a809c497a6c62a

Threat Level: Known bad

The file 2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike

XMRig Miner payload

Xmrig family

Cobaltstrike family

xmrig

Cobalt Strike reflective loader

XMRig Miner payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-14 21:27

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 21:27

Reported

2024-08-14 21:30

Platform

win7-20240704-en

Max time kernel

140s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows: 21 matches, no description, indicator, process or target recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (40 identical rows: 40 matches, no description, indicator, process or target recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A (21 identical rows: 21 DLL loads by the sample process, no description, indicator or target recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (63 identical rows: 63 matches, no description, indicator, process or target recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\jqigppa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IvXrUka.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\obmxsuQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QFuZuMt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WkZBANh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IGNSlAF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pnuwUHq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pzEkNat.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rfgHDMV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CyKeJQN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TGsUsmE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JQJxYFT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZJUOdRS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aiEOBDE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VaORTVS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GbesgbB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BfSTxXk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cCMAeWt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RYuUhzB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HPbJgGC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OksvdLa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(In every row the Indicator is N/A and the Process is C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe, PID 2540; each description below was recorded three times, so the original table has 63 rows.)
PID 2540 wrote to memory of 2988 C:\Windows\System\pnuwUHq.exe
PID 2540 wrote to memory of 2292 C:\Windows\System\ZJUOdRS.exe
PID 2540 wrote to memory of 2364 C:\Windows\System\HPbJgGC.exe
PID 2540 wrote to memory of 536 C:\Windows\System\aiEOBDE.exe
PID 2540 wrote to memory of 2736 C:\Windows\System\OksvdLa.exe
PID 2540 wrote to memory of 2900 C:\Windows\System\rfgHDMV.exe
PID 2540 wrote to memory of 2516 C:\Windows\System\pzEkNat.exe
PID 2540 wrote to memory of 2668 C:\Windows\System\BfSTxXk.exe
PID 2540 wrote to memory of 2672 C:\Windows\System\jqigppa.exe
PID 2540 wrote to memory of 2680 C:\Windows\System\CyKeJQN.exe
PID 2540 wrote to memory of 2648 C:\Windows\System\RYuUhzB.exe
PID 2540 wrote to memory of 2800 C:\Windows\System\cCMAeWt.exe
PID 2540 wrote to memory of 2308 C:\Windows\System\IvXrUka.exe
PID 2540 wrote to memory of 2636 C:\Windows\System\obmxsuQ.exe
PID 2540 wrote to memory of 1732 C:\Windows\System\VaORTVS.exe
PID 2540 wrote to memory of 1444 C:\Windows\System\GbesgbB.exe
PID 2540 wrote to memory of 2948 C:\Windows\System\TGsUsmE.exe
PID 2540 wrote to memory of 1004 C:\Windows\System\QFuZuMt.exe
PID 2540 wrote to memory of 640 C:\Windows\System\JQJxYFT.exe
PID 2540 wrote to memory of 2884 C:\Windows\System\WkZBANh.exe
PID 2540 wrote to memory of 2072 C:\Windows\System\IGNSlAF.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\pnuwUHq.exe

C:\Windows\System\pnuwUHq.exe

C:\Windows\System\ZJUOdRS.exe

C:\Windows\System\ZJUOdRS.exe

C:\Windows\System\HPbJgGC.exe

C:\Windows\System\HPbJgGC.exe

C:\Windows\System\aiEOBDE.exe

C:\Windows\System\aiEOBDE.exe

C:\Windows\System\OksvdLa.exe

C:\Windows\System\OksvdLa.exe

C:\Windows\System\rfgHDMV.exe

C:\Windows\System\rfgHDMV.exe

C:\Windows\System\pzEkNat.exe

C:\Windows\System\pzEkNat.exe

C:\Windows\System\BfSTxXk.exe

C:\Windows\System\BfSTxXk.exe

C:\Windows\System\jqigppa.exe

C:\Windows\System\jqigppa.exe

C:\Windows\System\CyKeJQN.exe

C:\Windows\System\CyKeJQN.exe

C:\Windows\System\RYuUhzB.exe

C:\Windows\System\RYuUhzB.exe

C:\Windows\System\cCMAeWt.exe

C:\Windows\System\cCMAeWt.exe

C:\Windows\System\IvXrUka.exe

C:\Windows\System\IvXrUka.exe

C:\Windows\System\obmxsuQ.exe

C:\Windows\System\obmxsuQ.exe

C:\Windows\System\VaORTVS.exe

C:\Windows\System\VaORTVS.exe

C:\Windows\System\GbesgbB.exe

C:\Windows\System\GbesgbB.exe

C:\Windows\System\TGsUsmE.exe

C:\Windows\System\TGsUsmE.exe

C:\Windows\System\QFuZuMt.exe

C:\Windows\System\QFuZuMt.exe

C:\Windows\System\JQJxYFT.exe

C:\Windows\System\JQJxYFT.exe

C:\Windows\System\WkZBANh.exe

C:\Windows\System\WkZBANh.exe

C:\Windows\System\IGNSlAF.exe

C:\Windows\System\IGNSlAF.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none) tcp (6 identical rows: six TCP connections to the same destination, no domain recorded)

Files

memory/2540-0-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

memory/2540-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\pnuwUHq.exe

MD5 b73986bd65637c245a861626ae1c03c0
SHA1 6e49be65e63952da5d7e5305b9e3969bc1d9d5b5
SHA256 107da02fbf317aff2b3979a73da188db15a2fa40ee0979bafbc33725cf874f80
SHA512 78caf24ef5f1133da34c9cee7b85a7ff9d411d9f71a5b99d8a4e42b8d118f095bedc6185f6b0482c86c39c88885e3db0a2054042eb0c82c05009e9094b1ffcc2

\Windows\system\ZJUOdRS.exe

MD5 6ce394bb58a1bbcad4c602c162b3be3a
SHA1 379a6769f5bb82cfa351f0f799ab602b79e92c7c
SHA256 f58c4b15d308f6648384389aff9daa84ce65b545c6a157ab0102ba42a6c605b6
SHA512 65bbfe56dac2196681df5ce9c49cd7516ff236bc1870406775f7b928d5be7853ca48e865503f6c59cdcded57fb39d66680434a9fd2e67f802166d4f01a2c0546

C:\Windows\system\HPbJgGC.exe

MD5 ba18ec25ff4ca8cd5ae4e3de5d7b0bd2
SHA1 b941746d4be772bd17a27b8952a8d305d7befa25
SHA256 e1e2b6a97e20f362983b05f3601a68d05ca99caebdb2b22380d91b635a38638e
SHA512 d0a4bc768a8efeddea0e52b372fef50a57b4fdb33b9aca8182392a5fca6c6225cf992ebf43fb5c8ebc760aa552ed68201dbdbf338fbc66b4347cb727ffbe3b6a

memory/2364-22-0x000000013F5E0000-0x000000013F931000-memory.dmp

memory/2540-21-0x00000000021C0000-0x0000000002511000-memory.dmp

memory/2988-15-0x000000013F070000-0x000000013F3C1000-memory.dmp

memory/2292-14-0x000000013F2D0000-0x000000013F621000-memory.dmp

memory/2540-13-0x00000000021C0000-0x0000000002511000-memory.dmp

C:\Windows\system\OksvdLa.exe

MD5 3758852c7da6ccc5cf68ae544f76a610
SHA1 c5937a31109d785c66c8ff6b810e518eab412991
SHA256 9fac3fdee47fd203796a8b138b0273671db9306d0ad0eaf93633106ea36fbab0
SHA512 cc4e4420db7e40f5cf55ca53bc1836c956b13dca013cafce4fef5b0a1c4881e9c9d2b6bfcfdbd4491bb2b16fcc7cceb8d1bc95d655f531ad5b1e560e64c6e4a0

\Windows\system\aiEOBDE.exe

MD5 f3b67ee0ffa2d77f6f6eda23c590989e
SHA1 7c97bb5ab9b7245d3a66795bd801c0b3f32f25c2
SHA256 c93c745f72b649e6bd3d8b8432ef6393ad3d1703c3b68d63ddf2d079fb130689
SHA512 c78f2ea5979e7ca9fafb14991e85325a8027fa83fad1afe0205c5852062fa53dbec1a0e3649799878682a5f42a5b02f035107eb55078d6f4c3cf46813f61b389

memory/536-35-0x000000013F4F0000-0x000000013F841000-memory.dmp

memory/2900-40-0x000000013F170000-0x000000013F4C1000-memory.dmp

memory/2516-50-0x000000013F770000-0x000000013FAC1000-memory.dmp

C:\Windows\system\jqigppa.exe

MD5 88ed67c8163969f63215b5c47c26ca13
SHA1 b5f8ad2f85589ec7fc4dda9d608c1a4049ce65c0
SHA256 f929b74b5bd38b3866916a0191b02816d09d333a4db073b90fd00df7b1de2104
SHA512 1d0f561f1e17f55aa903683252c62eb2df2f74516b5c95a10837aa48d75646127d6fc4bc0abe4934cbb7d0b6d418ce3e9b0b69cd8129f41f93a4cf1191c6d258

memory/2672-63-0x000000013F1E0000-0x000000013F531000-memory.dmp

C:\Windows\system\RYuUhzB.exe

MD5 849e1eb05ebb5bfadf3d1721b9f4f2f0
SHA1 0d63dcc533111a7fbca458a43266655997155705
SHA256 d1798e4dc46c37877359182a02833a205c08d1bf8f5e4c1bc890cfde055f2ffa
SHA512 6354c051ae3d7b57c5db179afd18b1ca620e62c6aaa696e079c33e1768b1fc3e8cf13c50e0634ca2ec3bc25ed584b3d52b0fe6361f2c670c885a854cd848f517

memory/2648-77-0x000000013F690000-0x000000013F9E1000-memory.dmp

\Windows\system\obmxsuQ.exe

MD5 50c34b26e5093d5516c6ff459bcb9493
SHA1 140bfb0a61d503b40198b784afa2a1614f0d89c7
SHA256 ba1c78d0a8cdd4c6279a0e04f29c4c6049e984bb4181f2e0f78a8ceff64c5a1e
SHA512 d62e83cf28d5553ed1a05f5f90eef032bac1ebaab51846edfb345b461769c853bbbe8c6b726d3e286ce05e147c3f7c62f3982d64cab2b1c39de513453d8765eb

\Windows\system\WkZBANh.exe

MD5 e28d5940d1b07bd71945ee4d99fbb634
SHA1 18ea70271de216e09d1e59540530e3cbf9d77f41
SHA256 943e2290745b0d76964b5ca1676457928bf46755323f360598ee9b0d1116438c
SHA512 04e08035bdbc3b8e08b430d5bde6ca747208292e2859b35e035b842cd80eb8e5c196234718b935e564884ed1827591e778c8ffd97baa347ae2e052dbd4f0ecd8

\Windows\system\QFuZuMt.exe

MD5 23f76b8b763b8c8c8335a7cafcf65a1d
SHA1 5f18d50b3df6d7c4f521afe1ef2e603184f1d1e0
SHA256 aa81f34151a26245c378c4cd7b99125f3ebadcd2c9e420234b34337b7f267e56
SHA512 5bc218405d12e168aafdd0aa37d37690caa9bb9d8aae1d140ec3aef98e3d7de6f7d8cbabfd6bb3628dc2ada029622be8efb6c4e9b8e601a474a928e8f2a1ea2e

\Windows\system\GbesgbB.exe

MD5 34d8e39089b7af981ad39419fa5aad5b
SHA1 6f3e6bb8108c9cb3c8b657b41d586d3b2c62c961
SHA256 603287b0f826a7fb23b32a783e3ee24504d72790c7ded9761dd54eb1a95bac36
SHA512 29e2b18ba49b4cdfecea42f61e1d55c17a588d773e9367f029466f678bd58fee02882dec004b3007b4b6d8eca68203286268ea7e1e77f82fc8c2aeb69bbc9c63

C:\Windows\system\IGNSlAF.exe

MD5 4af2e2660d7df1a2f0d3f8c9268a8905
SHA1 eb54e0e03269dbb86e77903ec4647752b59a77c9
SHA256 a4f805335e7e80a6021ba5ccaf29f5919f012ec1e540707b93ea4c46a6ef821b
SHA512 0da00122d718974fffdc5cdbfc21df3344281775774d6eaba91d4bb85fd3286861c6a31545a13de37a0cb6f9887ece4250d034098772fc62bbe74ff16ea53c90

memory/1732-126-0x000000013F920000-0x000000013FC71000-memory.dmp

C:\Windows\system\JQJxYFT.exe

MD5 ff04242b8b6e3a6e16830f9372a856d5
SHA1 5a96317aec88cacfb3e32961bf01916249cecbac
SHA256 6a0b60c9c4ff9c447222306cdcba58bd05650dfe5667269b289c462cd611f6c1
SHA512 6b6eafee79606b4a4e2bd468d562888010d16b5f5760e6ba8901037e2d1ec196bf941bba8fd5452d6a1df050dc05dfb9f8cd250934688505ba17455ebdd861d9

memory/536-119-0x000000013F4F0000-0x000000013F841000-memory.dmp

C:\Windows\system\TGsUsmE.exe

MD5 c5a9e55f0b0c624e5d756dd3addb1682
SHA1 99f29b5f9d3db0e2dcb54789b4ecf784f20ac071
SHA256 20c5edcf6bb9de8804dcc23dd4d2ebe7c4cb7e5e677a1a7c93c812bbc7d21345
SHA512 441f872ed2c2bc17be4fe7e016119146c287f9f7e67f57b3405231da57418c5966a7948bde772c0193fad299f77be050b71edc058090aa006d10ca197591712f

memory/2800-84-0x000000013FF00000-0x0000000140251000-memory.dmp

memory/2540-83-0x000000013FF00000-0x0000000140251000-memory.dmp

C:\Windows\system\VaORTVS.exe

MD5 3fc7445575ec5d85fa7976a6d6e68212
SHA1 3c1b29b0e43b6944ec009d8ea9c4fb251d48c6cb
SHA256 5ea973246194a05941e907912bbfa11059984d8b7143aea7dd440841d2f68e49
SHA512 e87fb9ae18e9a3d264f9f9126bf4ab488e26ddf9c72aaf857a1e4599bbfd2fea87bcb6a0e5aebf5ff0606dba1359c618af7d4ea23e14fb9bb805136acd11496e

memory/2900-136-0x000000013F170000-0x000000013F4C1000-memory.dmp

memory/2540-98-0x000000013F920000-0x000000013FC71000-memory.dmp

memory/2736-97-0x000000013F090000-0x000000013F3E1000-memory.dmp

memory/2540-96-0x000000013FFA0000-0x00000001402F1000-memory.dmp

C:\Windows\system\cCMAeWt.exe

MD5 bd106e52137608e644b0b9f98ccd89a8
SHA1 176bfa45b67c27f5ed79bc55c22828ba5a41c45c
SHA256 79fa42ee6ca7c96485b6587e0950402b69b86184f4b7c5c925cd88764dcbb261
SHA512 08aded0ee1ee146cdd2cc63c43a039c375a7c25cc466a0217d90950023ffdb8a11b1476985b5c225c1502e53504631e8ad1de273c0aa5fa36ac61d9f0d79f50e

memory/2308-95-0x000000013FC70000-0x000000013FFC1000-memory.dmp

memory/2540-94-0x000000013FC70000-0x000000013FFC1000-memory.dmp

C:\Windows\system\IvXrUka.exe

MD5 047c7c5cc1d57a75d0c731fed242dec3
SHA1 8a465211e29dff0497aae3f3b3ee2e41103df5b2
SHA256 c483d2ba7c3e8b5f1850417bd1dfc3ca045e3e71f9069a04435793b8a853706c
SHA512 fd4e33d00a7ae58b85726b1cad6b8253a86863178c96a3a75a0dc5bbe1ab0be45fd2b09bfa9e1339edeca993466718089257ce7cb1b81f45f48ed7c25c5bd31e

memory/2540-76-0x00000000021C0000-0x0000000002511000-memory.dmp

memory/2680-70-0x000000013F850000-0x000000013FBA1000-memory.dmp

memory/2540-69-0x000000013F850000-0x000000013FBA1000-memory.dmp

C:\Windows\system\CyKeJQN.exe

MD5 c1dc1e7d8afcd7a1fcea0c905dfac014
SHA1 28b20b04b414a77fa07e0b3c9374f4e6a67a9fab
SHA256 49633d563e851539aa9b8162efa9e8699e9432b028b6ca737a38411ef96e83ce
SHA512 c1c85ca55f136bf0fb224d348adf41b7815b61da151653f3cd455d4e88eb03a7fecff6c6c7d5d4bd6599be91eb6039f044fe19fba6a3a322bd2faadb3e6bbb60

memory/2668-57-0x000000013FBF0000-0x000000013FF41000-memory.dmp

memory/2540-56-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

C:\Windows\system\BfSTxXk.exe

MD5 28249796288a3beea7647301b0f4d9cb
SHA1 cd22a3dcddae1160f9317a8387cbb7ac78c4b902
SHA256 765e48d6bf05d71400436bab6189b91b3b0a1c24bbf754a33e6b2dcc1628f359
SHA512 8949b561927c917f137a68e8643492afc5715805bc9e8678c9c16cda007e1f0fe3644491bd52772b0b568f3fea2cc379e8cfd8d140614bcca95dd98c7e7c5b0c

memory/2540-49-0x00000000021C0000-0x0000000002511000-memory.dmp

memory/2540-39-0x00000000021C0000-0x0000000002511000-memory.dmp

C:\Windows\system\pzEkNat.exe

MD5 32dab1fec17377ff6cb9879c2ed8866f
SHA1 8c99d609e476786debcc04dae51a6a8795b93285
SHA256 793d3ae9ebe40d240f86fee75bc2be408d4ca8b66283a5903413f30d13c69eb1
SHA512 3645af7b8d72dba60262256d97382f2e6965e2022225cce307a796e2c22a4a62dd70212851e156d89c30761452a419947d1bd1dd87264cfbc791335b543d1e41

C:\Windows\system\rfgHDMV.exe

MD5 ed5b99ba5303f87dac9c693c2132bb79
SHA1 769805dd1e1b179c327b1070a2b5b13bac3bfba3
SHA256 8932c4a460ca90c341e7a4b6b5040acf5a65e2f8f3bf45fedce82e85a6e93007
SHA512 188ee9fe069fb1631626f1c9a1bb09e4734d43f22e906ef9a7ddc86b1d1ea4e873474ca03c715368d24ea6ad798bf77855d970adcc8376fba6bd9d19f9545410

memory/2736-33-0x000000013F090000-0x000000013F3E1000-memory.dmp

memory/2540-30-0x000000013F090000-0x000000013F3E1000-memory.dmp

memory/2540-27-0x00000000021C0000-0x0000000002511000-memory.dmp

memory/2540-137-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

memory/2540-149-0x00000000021C0000-0x0000000002511000-memory.dmp

memory/2948-155-0x000000013F370000-0x000000013F6C1000-memory.dmp

memory/1004-156-0x000000013F730000-0x000000013FA81000-memory.dmp

memory/2072-159-0x000000013F980000-0x000000013FCD1000-memory.dmp

memory/2540-160-0x000000013F850000-0x000000013FBA1000-memory.dmp

memory/2884-158-0x000000013F330000-0x000000013F681000-memory.dmp

memory/640-157-0x000000013F3B0000-0x000000013F701000-memory.dmp

memory/1444-154-0x000000013F670000-0x000000013F9C1000-memory.dmp

memory/2636-152-0x000000013FFA0000-0x00000001402F1000-memory.dmp

memory/2540-161-0x000000013FF00000-0x0000000140251000-memory.dmp

memory/2540-162-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

memory/2540-170-0x000000013FC70000-0x000000013FFC1000-memory.dmp

memory/2540-185-0x000000013F920000-0x000000013FC71000-memory.dmp

memory/2988-209-0x000000013F070000-0x000000013F3C1000-memory.dmp

memory/2292-211-0x000000013F2D0000-0x000000013F621000-memory.dmp

memory/2364-213-0x000000013F5E0000-0x000000013F931000-memory.dmp

memory/2736-215-0x000000013F090000-0x000000013F3E1000-memory.dmp

memory/2900-217-0x000000013F170000-0x000000013F4C1000-memory.dmp

memory/536-219-0x000000013F4F0000-0x000000013F841000-memory.dmp

memory/2516-221-0x000000013F770000-0x000000013FAC1000-memory.dmp

memory/2668-223-0x000000013FBF0000-0x000000013FF41000-memory.dmp

memory/2672-225-0x000000013F1E0000-0x000000013F531000-memory.dmp

memory/2680-227-0x000000013F850000-0x000000013FBA1000-memory.dmp

memory/2648-229-0x000000013F690000-0x000000013F9E1000-memory.dmp

memory/2800-231-0x000000013FF00000-0x0000000140251000-memory.dmp

memory/2308-243-0x000000013FC70000-0x000000013FFC1000-memory.dmp

memory/1732-245-0x000000013F920000-0x000000013FC71000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 21:27

Reported

2024-08-14 21:30

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\aSBVkKt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GPUXBBG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pnJZpzg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zqNyXmM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uaKMkcw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VzClKcX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JCVJMNG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IvbYajS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UUzQeNB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bUUjkJs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RIRdNGu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qnkbAZM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZwBjDJa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zkLtQjT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QqxBMqU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TdjYpzS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TyvopfN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FJaPouE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oPmjucd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hCnNJVB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QxXmiCo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 972 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zkLtQjT.exe
PID 972 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zkLtQjT.exe
PID 972 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aSBVkKt.exe
PID 972 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aSBVkKt.exe
PID 972 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zqNyXmM.exe
PID 972 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zqNyXmM.exe
PID 972 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QqxBMqU.exe
PID 972 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QqxBMqU.exe
PID 972 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TdjYpzS.exe
PID 972 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TdjYpzS.exe
PID 972 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GPUXBBG.exe
PID 972 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GPUXBBG.exe
PID 972 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TyvopfN.exe
PID 972 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TyvopfN.exe
PID 972 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FJaPouE.exe
PID 972 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FJaPouE.exe
PID 972 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pnJZpzg.exe
PID 972 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pnJZpzg.exe
PID 972 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uaKMkcw.exe
PID 972 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uaKMkcw.exe
PID 972 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oPmjucd.exe
PID 972 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oPmjucd.exe
PID 972 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UUzQeNB.exe
PID 972 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UUzQeNB.exe
PID 972 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bUUjkJs.exe
PID 972 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bUUjkJs.exe
PID 972 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VzClKcX.exe
PID 972 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VzClKcX.exe
PID 972 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JCVJMNG.exe
PID 972 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JCVJMNG.exe
PID 972 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hCnNJVB.exe
PID 972 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hCnNJVB.exe
PID 972 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RIRdNGu.exe
PID 972 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RIRdNGu.exe
PID 972 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IvbYajS.exe
PID 972 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IvbYajS.exe
PID 972 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZwBjDJa.exe
PID 972 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZwBjDJa.exe
PID 972 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QxXmiCo.exe
PID 972 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QxXmiCo.exe
PID 972 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qnkbAZM.exe
PID 972 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qnkbAZM.exe
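The "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" tables above describe one loop run by the parent (PID 972): write a seven-letter, mixed-case executable into C:\Windows\System, start it, and write into the new process. Each child appears twice in the write table, so count writes per child rather than assuming one row per process. The Python below is an added triage helper, not part of the sandbox report or any vendor tool: it parses rows in the format of those two tables (a constructed subset is embedded, with the long parent path shortened to sample.exe, and one child's writes deliberately left out to show how a dropped-but-not-started file is reported) and joins them, so you can check that every dropped file was also started, that one parent did all the launching, and which names match the random seven-letter pattern worth hunting for on other hosts.

```python
import re
from collections import defaultdict

# Constructed subset of the two tables above, in the same row format.
# The long parent path from the report is shortened to sample.exe; the
# writes for hCnNJVB.exe are intentionally omitted from this subset.
REPORT_ROWS = r"""
File created C:\Windows\System\aSBVkKt.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Windows\System\zkLtQjT.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Windows\System\QxXmiCo.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Windows\System\hCnNJVB.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
PID 972 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\zkLtQjT.exe
PID 972 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\zkLtQjT.exe
PID 972 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\aSBVkKt.exe
PID 972 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\aSBVkKt.exe
PID 972 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\QxXmiCo.exe
PID 972 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\QxXmiCo.exe
"""

FILE_RE = re.compile(r"^File created (?P<path>\S+) (?P<creator>\S+) \S+$")
WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)
# Seven ASCII letters, no digits, directly under C:\Windows\System: the naming scheme in the tables.
RANDOM_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse_rows(text):
    """Split report rows into dropped-file events and cross-process writes."""
    dropped = {}                 # dropped path -> process that created it
    writes = defaultdict(list)   # child pid -> [(parent pid, child image), ...]
    for line in text.splitlines():
        line = line.strip()
        if m := FILE_RE.match(line):
            dropped[m["path"]] = m["creator"]
        elif m := WRITE_RE.match(line):
            writes[int(m["dst"])].append((int(m["src"]), m["dst_img"]))
    return dropped, writes


def correlate(text):
    """Join the two tables: which drops were started, by whom, and how they are named."""
    dropped, writes = parse_rows(text)
    started = {img.lower() for hits in writes.values() for _, img in hits}
    parents = {src for hits in writes.values() for src, _ in hits}
    return {
        "dropped": sorted(dropped),
        "dropped_and_started": sorted(p for p in dropped if p.lower() in started),
        "dropped_not_started": sorted(p for p in dropped if p.lower() not in started),
        "random_seven_letter_names": sorted(p for p in dropped if RANDOM_NAME_RE.match(p)),
        "child_pids": sorted(writes),
        "single_parent": len(parents) == 1,
        "writes_per_child": {pid: len(hits) for pid, hits in writes.items()},
    }


if __name__ == "__main__":
    for key, value in correlate(REPORT_ROWS).items():
        print(f"{key}: {value}")
```

Feed it the full tables copied from the report and `dropped_not_started` should come back empty for this sample; a non-empty list means a drop the sandbox never saw launched, which is worth a second look before you write the hunt query.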

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\zkLtQjT.exe

C:\Windows\System\zkLtQjT.exe

C:\Windows\System\aSBVkKt.exe

C:\Windows\System\aSBVkKt.exe

C:\Windows\System\zqNyXmM.exe

C:\Windows\System\zqNyXmM.exe

C:\Windows\System\QqxBMqU.exe

C:\Windows\System\QqxBMqU.exe

C:\Windows\System\TdjYpzS.exe

C:\Windows\System\TdjYpzS.exe

C:\Windows\System\GPUXBBG.exe

C:\Windows\System\GPUXBBG.exe

C:\Windows\System\TyvopfN.exe

C:\Windows\System\TyvopfN.exe

C:\Windows\System\FJaPouE.exe

C:\Windows\System\FJaPouE.exe

C:\Windows\System\pnJZpzg.exe

C:\Windows\System\pnJZpzg.exe

C:\Windows\System\uaKMkcw.exe

C:\Windows\System\uaKMkcw.exe

C:\Windows\System\oPmjucd.exe

C:\Windows\System\oPmjucd.exe

C:\Windows\System\UUzQeNB.exe

C:\Windows\System\UUzQeNB.exe

C:\Windows\System\bUUjkJs.exe

C:\Windows\System\bUUjkJs.exe

C:\Windows\System\VzClKcX.exe

C:\Windows\System\VzClKcX.exe

C:\Windows\System\JCVJMNG.exe

C:\Windows\System\JCVJMNG.exe

C:\Windows\System\hCnNJVB.exe

C:\Windows\System\hCnNJVB.exe

C:\Windows\System\RIRdNGu.exe

C:\Windows\System\RIRdNGu.exe

C:\Windows\System\IvbYajS.exe

C:\Windows\System\IvbYajS.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4336,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=3776 /prefetch:8

C:\Windows\System\ZwBjDJa.exe

C:\Windows\System\ZwBjDJa.exe

C:\Windows\System\QxXmiCo.exe

C:\Windows\System\QxXmiCo.exe

C:\Windows\System\qnkbAZM.exe

C:\Windows\System\qnkbAZM.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
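The Network table above mixes three kinds of traffic: reverse-DNS lookups (in-addr.arpa queries to 8.8.8.8) that the sandbox issues for every address it sees, Bing/Edge traffic belonging to the msedge.exe entry in the process list, and six TCP connections to a DE-geolocated host, 3.120.209.58:8080, with no domain name at all, spread across the 150 s run. Only the last fits the Cobalt Strike beacon the signatures point to, so that is the destination to take to firewall and proxy logs. The Python below is an added triage helper, not part of the report: it parses rows in the table's format (a constructed subset is embedded), discards resolver traffic and the sandbox image's own Bing traffic (treating *.bing.com and *.bing.net as noise is my assumption for this image, not something the report states), and returns repeated direct-to-IP connections as C2 candidates.

```python
import re
from collections import Counter

# Constructed subset of the Network table above, same column layout
# (Country Destination [Domain] Proto; the Domain column is empty for bare-IP connections).
NETWORK_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)
# Hostnames generated by the Windows 10 sandbox image itself (Edge/Bing background traffic).
# Assumption made for this triage, not a fact stated in the report.
SANDBOX_NOISE_SUFFIXES = (".bing.com", ".bing.net")


def parse_rows(text):
    return [m.groupdict() for line in text.splitlines() if (m := ROW_RE.match(line.strip()))]


def classify(row):
    """Bucket one row: resolver traffic, bare-IP connection, sandbox noise, or other named host."""
    if row["port"] == "53":
        return "dns"
    if row["domain"] is None:
        return "direct-ip"
    if row["domain"].endswith(SANDBOX_NOISE_SUFFIXES):
        return "sandbox-noise"
    return "named-host"


def triage(text, min_connections=3):
    """Return repeated bare-IP connections (no DNS name, not sandbox noise) as C2 candidates."""
    rows = parse_rows(text)
    buckets = Counter(classify(r) for r in rows)
    direct = Counter(
        (r["cc"], r["ip"], r["port"], r["proto"]) for r in rows if classify(r) == "direct-ip"
    )
    candidates = [
        {"country": cc, "dst": f"{ip}:{port}", "proto": proto, "connections": n}
        for (cc, ip, port, proto), n in direct.most_common()
        if n >= min_connections
    ]
    return {"rows": len(rows), "buckets": dict(buckets), "c2_candidates": candidates}


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    print(result["buckets"])
    for c in result["c2_candidates"]:
        print(f"candidate C2: {c['dst']}/{c['proto']} ({c['country']}), {c['connections']} connections")
```

The threshold of three repeats is deliberately low because a sandbox run only lasts a couple of minutes; on production telemetry you would pair the same bare-IP filter with timing (regular intervals with jitter) before calling a destination a beacon.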

Files

memory/972-0-0x00007FF7D5930000-0x00007FF7D5C81000-memory.dmp

memory/972-1-0x0000018E8B9D0000-0x0000018E8B9E0000-memory.dmp

C:\Windows\System\zkLtQjT.exe

MD5 665b01f96bbdda83f4dfa9196dc656c9
SHA1 de61bcb3b4fcfad7a162f300859f08507cdc6ba5
SHA256 2b96830fcf106a1986eaf94d177bd448a171963eaca8a3757892b92e684e2b25
SHA512 b5937ce97f2dbcba44dfd7c8f8ed2458d5a5a7406b8b376fd29ca2796567e696b083432eb82f54d778961d17455b2526184a898b73a41f1dfe0eb4a45632d994

memory/4708-8-0x00007FF6978A0000-0x00007FF697BF1000-memory.dmp

C:\Windows\System\aSBVkKt.exe

MD5 54f74d696adf274bd2fdb769efec51c8
SHA1 34e8f66c180104d42fcff35160af60a54442cc45
SHA256 6590aa8668138ff8d32375364e2e1830816b6ae00135f0bfb96a303f16290a33
SHA512 611e7172fb6b09bd87e1424d0e054fbccc79db3a2755608da2fc825b03970f527a0f772bb90545af26c2fab3c2d05d2a2dd4f6116f922e03f30ca6d3cbd5c7bf

C:\Windows\System\zqNyXmM.exe

MD5 3842541def1b004ce4bd581afa852c26
SHA1 0e975bf66d413b4e2effb6f3c4979b305295de4e
SHA256 eb0d27bcdc48a6e4d8630029c234aae32294d19e193098c6cdd6cb3ba6557805
SHA512 c072b6a39d94c5f110e374b3d9e010cbb929f988e52c1adc7693a60e9bc48430748dc7ad5613fd4332bd417ff64f819dc797a4ca3d66f47ff69c38011ab45367

memory/2836-18-0x00007FF78F380000-0x00007FF78F6D1000-memory.dmp

memory/4460-17-0x00007FF6D43A0000-0x00007FF6D46F1000-memory.dmp

C:\Windows\System\QqxBMqU.exe

MD5 38865d571df1888788c3cd365be95a96
SHA1 7db4de6920127dd94f399c15feacbdc6c6f47493
SHA256 089ddd91489e89a50784b6299b7a84660c209baf7ac16fd5f2d9a00c12851f7d
SHA512 3c20293892717c1b59ac3d692152243a85cb456e27af92c84ae3cd4372d90f150ab9593d165aebaa0568ad0519b3ebad3c9c534768a95b026a23605fdf5b6d96

C:\Windows\System\TdjYpzS.exe

MD5 bd195dfa51fef086ad2699f8ef2082d3
SHA1 74c36fa823f8f20eb41233bbbaebabddb60b28e5
SHA256 a02e7461863c897142a31458326c58c6c38e5ff08ebe874384baaf3e3aff91fa
SHA512 1c7c73a5876a4fcedfbaa44e1a88053ef48e1e503031de74d69b0deb243fe9ec2da069dc1846fb277ef70cc41a2163353d1aabc023baf8fda06dbe66492af692

C:\Windows\System\TyvopfN.exe

MD5 7abfa6c8629f6f3abf848e4ad2267909
SHA1 cae09597d7acbfbc8b972394abe1003e6b7ac836
SHA256 ff9d545e06b3d83ffa1b454732e32470f9b6d9c474a16db77d6a122f8f7a5d1b
SHA512 9fe01cfce903228f1336c43575a901d8c9dedff243829403c6737949b72d57b2b29c8d0261f1b73db4804c2032360a6fc7dba224a6f446e738230395fa6e53c1

C:\Windows\System\FJaPouE.exe

MD5 60585c8023078cb182c62dcc9fe5fbb3
SHA1 fe007c855c6d74e8bbb9e29b7a4711ad82d8ed40
SHA256 306f36b76ed00dfa1bf385da1121cbdea333dbb3b5e934506da2d4d6f854bcb5
SHA512 f86fac394461c0671a504a0f04a785e52030777bd0b0f1231de4954b5a92fbdaf4c43c574e5fbce00cfe6d5abefec7f3a105cecb2f2e94efe620898bdbf9cdc7

C:\Windows\System\uaKMkcw.exe

MD5 4981453496952490952b45c0742f464e
SHA1 1f45184071be522b119ff617d4e87d427a18b5d0
SHA256 ad6c5ddf10de58b9f131d83871a1ea000d0e04e94bed81225c5b738722a3d5ff
SHA512 fd9fbaa7426428dac8973926ed91790ab4c7b9ef772029418b678b6228257a9f68d155c84e5ac8cf481ae2cc11d6dabd0216580dce000e5845c57581da3069e5

memory/3588-53-0x00007FF745B40000-0x00007FF745E91000-memory.dmp

C:\Windows\System\oPmjucd.exe

MD5 16e636daebfd2e5bc386de640c32a9ac
SHA1 570c83da5a335ef87281460a0df3f1a2e49867cc
SHA256 bac7fc45d415ab080839530deeec10bbfd1854ae4be82c6685d8132b2d95cd75
SHA512 f38563c08b808b9e0f0eb50404d4a75841e84b8cc2f529a49f65bf52be21e92550db1c29514a1dacbd2f5e71fb0b2dc932795886c88eab966f18b35d17dc29cd

C:\Windows\System\UUzQeNB.exe

MD5 f0792a066bbb2ad3345ee03e426c131d
SHA1 52635bc6c5c3bf8f39b503eb9fba9d6339a1e8fb
SHA256 2444f5cab751f9d52e24174b11232bbd5a64e35958d0cdd32bf3ef3c7aff9449
SHA512 95b796f06ab80f48dd581d4c11c97156274b5eff9c60bc6ea6062b4f96720c1ac6266b9eebe8864df40bf6b66e1929d79d31a0e5e5cd67a0c6b2c0ef6d1d747a

memory/4776-79-0x00007FF605350000-0x00007FF6056A1000-memory.dmp

memory/5108-80-0x00007FF673C10000-0x00007FF673F61000-memory.dmp

C:\Windows\System\bUUjkJs.exe

MD5 e1c420e0d0d0339f6ab4b43187a0bd47
SHA1 62304ae7758a801650bdc4d2f9cd0c01a406264b
SHA256 f26bac1208d6dd5d0259a57b045889742f7aacee54b2d6219c510a17ef8dd77b
SHA512 d9711379e786ec8cd54babbfba81d9e908df4cf14e061f5178fe8f4ed94b1902ee5d08bac020163523afdbf26d9b1e94a1f40c225913b501fcb45587f5c050a7

memory/4064-66-0x00007FF7474C0000-0x00007FF747811000-memory.dmp

memory/4680-65-0x00007FF7DE320000-0x00007FF7DE671000-memory.dmp

memory/3652-63-0x00007FF7D5830000-0x00007FF7D5B81000-memory.dmp

memory/1080-58-0x00007FF7DFA70000-0x00007FF7DFDC1000-memory.dmp

memory/3468-57-0x00007FF679F80000-0x00007FF67A2D1000-memory.dmp

C:\Windows\System\pnJZpzg.exe

MD5 f0f596a3a2c065c48309dad4757c7ba0
SHA1 8250e5961ec0f2990d06dda3bcf757a3f6bce029
SHA256 4235441ce5d915789501e593d7e63e36eb4ca1cc99e1a53a4eb516cdcaca3aa2
SHA512 b1ba8ac38bb9cae5f96a9ad385cda2336420a818f66088dc5eb0c67ad0189b1bc1a26b3cdd16e0bf057c8256aab42933d50e12aeda6f1c4e7ee56f0e8184a19c

C:\Windows\System\GPUXBBG.exe

MD5 9e16079b3f6ce32a9e62e7b4ed031e9d
SHA1 bd3dd1ae2508b9681eead9b6855acbde80989785
SHA256 0d99d5d0dc6e66634a55760b4fbc00febe8e59fd6d265e2b0c53b14c3ee0cf6b
SHA512 179bd0e028dde69bab5478b1450b669cb7a7ac63668f370d91d7b63fd14e3fad0a7ce2e03a5805a03764ad6a696486d42445fc3e2569418bcd0d9b9fe156cd94

memory/2488-33-0x00007FF7ED040000-0x00007FF7ED391000-memory.dmp

memory/3844-25-0x00007FF7C9ED0000-0x00007FF7CA221000-memory.dmp

C:\Windows\System\VzClKcX.exe

MD5 0ead14bd0e3624fbab8d4451a614ec1b
SHA1 5ad39803193b31834602ca3e038cb7650a3deb02
SHA256 5e199756825c4ab85497103d77be7fd78f50137e55fc985cfcbc1c16c955f1fc
SHA512 c641daf9ac10f30b39c6f2c7bedfb8c0e7a48df3120da229696ce77e040bf10d91e1909f5ec8aae9ee41c7647b0f637498cd042993c90ff5cfc3ac5d4c9fa039

C:\Windows\System\JCVJMNG.exe

MD5 69bcecac8690590b1ae6e4d8fbd4ddd2
SHA1 be4ee85223ef3fe1bd8b22ffbc88cb99efd783d3
SHA256 cc720dda53960f67d61670b76bf7b1295ecb90199b0930cc012e56192390e611
SHA512 90320d4d4c5a6f0d0e973a5cbdd3c514b422a5c594d468bf6a1b1b017ec1e5f8b8f32df0668f0345dca3910105945287f127dba02fc664d41731684ed7a05c05

C:\Windows\System\hCnNJVB.exe

MD5 7855dd5a33f7ad4723a0548c6047104d
SHA1 b743f1990c8f87a65b0d1816c36288f3c35b6b51
SHA256 0e34e128eb005e8c27491b37458f7073d3565f2f444f92ea7cb4506525847f6b
SHA512 2643b92f06f0396146c3bea208ccd1c5450ce495962cc20177981e46afc8a8b452dd382aa9616cdd883a85e9a98403d8bb009e71ec91b5d0e8e7af296c290038

memory/4848-98-0x00007FF67B390000-0x00007FF67B6E1000-memory.dmp

C:\Windows\System\RIRdNGu.exe

MD5 838b60e1baebdf366f46d8f90ba5c33e
SHA1 4a93c1944ce620a71472771c0c2239816e8b2ac8
SHA256 965cb7998b0d9c9a14fbe92c0fc1b05fa46d7aff71fe41b17ad06f6bf3131354
SHA512 18cb70434dd210c9f67c86cc9792af7386082d7c9782dc271bb29282c9f977a06077418f5eecf9a4b1c159c570bc2b6c63f5e7336aa0be60a72e2b6d8877ef20

memory/1728-107-0x00007FF784BB0000-0x00007FF784F01000-memory.dmp

memory/2488-105-0x00007FF7ED040000-0x00007FF7ED391000-memory.dmp

memory/2836-102-0x00007FF78F380000-0x00007FF78F6D1000-memory.dmp

memory/5028-99-0x00007FF73D270000-0x00007FF73D5C1000-memory.dmp

memory/4460-96-0x00007FF6D43A0000-0x00007FF6D46F1000-memory.dmp

memory/4708-95-0x00007FF6978A0000-0x00007FF697BF1000-memory.dmp

memory/4384-86-0x00007FF6C5A00000-0x00007FF6C5D51000-memory.dmp

memory/972-84-0x00007FF7D5930000-0x00007FF7D5C81000-memory.dmp

memory/3844-121-0x00007FF7C9ED0000-0x00007FF7CA221000-memory.dmp

memory/3468-131-0x00007FF679F80000-0x00007FF67A2D1000-memory.dmp

memory/4880-133-0x00007FF662090000-0x00007FF6623E1000-memory.dmp

C:\Windows\System\QxXmiCo.exe

MD5 780b59fbaa143ec5737b28d9c676d868
SHA1 eea2e7c7b39353923f3e47b5b4b9c8b8e311d8e3
SHA256 060b06e9842896ba4f9561b2e35eef06ab9f36ce796ac3ec5020f05911e0f035
SHA512 70b52f5d6d5a515ef8d6492a76a4487bb76baafa7177532139b273479783e7c859c5907c4e1c2dff411314f16e9b7ee3496df973ee2b9a2fd29cdfadb99d106a

memory/3588-130-0x00007FF745B40000-0x00007FF745E91000-memory.dmp

C:\Windows\System\ZwBjDJa.exe

MD5 06796a4c7b75a6a77d52dd6c08e7ab98
SHA1 eaa11391a16a9fc161b964528e79c483080137d0
SHA256 bc8d6f339828b13c013c6898b588be8dc51892a1b2d05ce44f52badd5120c3c9
SHA512 50af591342605c40b8288bea58684f183571e8020192bd80d0262e852f75bd8cf3cdeb2c1f8a34b3fa48dddd5c66d55543cec07580a52031fd8d6bdef8bccb6c

memory/232-129-0x00007FF62A150000-0x00007FF62A4A1000-memory.dmp

C:\Windows\System\IvbYajS.exe

MD5 f16365f62993a65ab946e3f093f92b0f
SHA1 513235a72f9a851de4d4385bb7ded96fa4582166
SHA256 00f9519ec2b7f62fff58444f26dfc9cc8aa9589428d779c0b137daedc7f726fe
SHA512 ebe0bdb7d99f751c7af33075c4bd82ca537842922cf0ed09e600888649a45b8ddee427a71cb8a6276f88b2dba3cd903e2de078d2487d4d0fe2afe69292d7e5c4

memory/832-139-0x00007FF7B68B0000-0x00007FF7B6C01000-memory.dmp

C:\Windows\System\qnkbAZM.exe

MD5 2dbbeae13dd0e09943148d1ad9959a57
SHA1 6dd4b4cbc0feba07ed21a9fcd0fa84c8f6e34a12
SHA256 8c6715c49ae5d2b6302b669e73615af7c6a7a4c4879d363683de7eb0d8775b36
SHA512 feee48feb531f9f8cd983da2086ece201defa041522d09fd2729c7d3141b0b305b049695c5047a4ccb978f929b2d02c4b5be911176e742861d8b0bd1f0c39908

memory/1668-142-0x00007FF74F6C0000-0x00007FF74FA11000-memory.dmp

memory/5028-150-0x00007FF73D270000-0x00007FF73D5C1000-memory.dmp

memory/1728-151-0x00007FF784BB0000-0x00007FF784F01000-memory.dmp

memory/232-152-0x00007FF62A150000-0x00007FF62A4A1000-memory.dmp

memory/4384-148-0x00007FF6C5A00000-0x00007FF6C5D51000-memory.dmp

memory/4064-145-0x00007FF7474C0000-0x00007FF747811000-memory.dmp

memory/972-153-0x00007FF7D5930000-0x00007FF7D5C81000-memory.dmp

memory/4880-169-0x00007FF662090000-0x00007FF6623E1000-memory.dmp

memory/1668-170-0x00007FF74F6C0000-0x00007FF74FA11000-memory.dmp

memory/972-175-0x00007FF7D5930000-0x00007FF7D5C81000-memory.dmp

memory/4708-203-0x00007FF6978A0000-0x00007FF697BF1000-memory.dmp

memory/4460-205-0x00007FF6D43A0000-0x00007FF6D46F1000-memory.dmp

memory/2836-207-0x00007FF78F380000-0x00007FF78F6D1000-memory.dmp

memory/3844-218-0x00007FF7C9ED0000-0x00007FF7CA221000-memory.dmp

memory/2488-220-0x00007FF7ED040000-0x00007FF7ED391000-memory.dmp

memory/3588-223-0x00007FF745B40000-0x00007FF745E91000-memory.dmp

memory/1080-224-0x00007FF7DFA70000-0x00007FF7DFDC1000-memory.dmp

memory/4680-230-0x00007FF7DE320000-0x00007FF7DE671000-memory.dmp

memory/3468-228-0x00007FF679F80000-0x00007FF67A2D1000-memory.dmp

memory/3652-227-0x00007FF7D5830000-0x00007FF7D5B81000-memory.dmp

memory/4064-233-0x00007FF7474C0000-0x00007FF747811000-memory.dmp

memory/4776-236-0x00007FF605350000-0x00007FF6056A1000-memory.dmp

memory/5108-235-0x00007FF673C10000-0x00007FF673F61000-memory.dmp

memory/4384-243-0x00007FF6C5A00000-0x00007FF6C5D51000-memory.dmp

memory/4848-245-0x00007FF67B390000-0x00007FF67B6E1000-memory.dmp

memory/5028-249-0x00007FF73D270000-0x00007FF73D5C1000-memory.dmp

memory/1728-248-0x00007FF784BB0000-0x00007FF784F01000-memory.dmp

memory/832-252-0x00007FF7B68B0000-0x00007FF7B6C01000-memory.dmp

memory/4880-254-0x00007FF662090000-0x00007FF6623E1000-memory.dmp

memory/232-256-0x00007FF62A150000-0x00007FF62A4A1000-memory.dmp

memory/1668-258-0x00007FF74F6C0000-0x00007FF74FA11000-memory.dmp
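Each memory/<pid>-<n>-<start>-<end>-memory.dmp entry in the Files sections of both runs is a dump of one region of one process at one point in the run; the same region reappears under a later <n> when it is dumped again. Subtracting the addresses shows that the parent (972) and every dropped child map a region of exactly the same size, 0x351000 bytes, at a randomised 64-bit image base, while the remaining regions (for example 972's 0x10000-byte region) are heap or data. That is consistent with the 21 dropped files in the Windows 10 run, which all carry different hashes, being re-hashed copies of one binary, although the report itself only establishes the size equality. The Python below is an added helper, not part of the report: it parses those names (a constructed subset from behavioral2 is embedded), computes region sizes, and reports which PIDs share the dominant image size and whether any PID's image base moved between dumps.

```python
import re
from collections import defaultdict

# Constructed subset of the behavioral2 memory dump names listed above (same format).
DUMP_NAMES = """
memory/972-0-0x00007FF7D5930000-0x00007FF7D5C81000-memory.dmp
memory/972-1-0x0000018E8B9D0000-0x0000018E8B9E0000-memory.dmp
memory/4708-8-0x00007FF6978A0000-0x00007FF697BF1000-memory.dmp
memory/4460-17-0x00007FF6D43A0000-0x00007FF6D46F1000-memory.dmp
memory/2836-18-0x00007FF78F380000-0x00007FF78F6D1000-memory.dmp
memory/4708-95-0x00007FF6978A0000-0x00007FF697BF1000-memory.dmp
memory/972-153-0x00007FF7D5930000-0x00007FF7D5C81000-memory.dmp
"""

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dumps(text):
    """One record per dump: pid, dump sequence number, start, end and size in bytes."""
    regions = []
    for line in text.splitlines():
        if m := DUMP_RE.match(line.strip()):
            start, end = int(m["start"], 16), int(m["end"], 16)
            regions.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                            "start": start, "end": end, "size": end - start})
    return regions


def summarize(text):
    regions = parse_dumps(text)
    pids_by_size = defaultdict(set)
    for r in regions:
        pids_by_size[r["size"]].add(r["pid"])
    # The size shared by the most processes is the candidate common executable image.
    image_size = max(pids_by_size, key=lambda s: len(pids_by_size[s]))
    image_regions = [r for r in regions if r["size"] == image_size]
    bases_per_pid = defaultdict(set)
    for r in image_regions:
        bases_per_pid[r["pid"]].add(r["start"])
    return {
        "image_size": image_size,
        "pids_with_image": sorted(pids_by_size[image_size]),
        "image_dumps": len(image_regions),
        "pids_whose_base_moved": sorted(p for p, b in bases_per_pid.items() if len(b) > 1),
        "other_region_sizes": sorted(s for s in pids_by_size if s != image_size),
    }


if __name__ == "__main__":
    s = summarize(DUMP_NAMES)
    print(f"common image size: {s['image_size']:#x} ({s['image_size']} bytes)")
    print(f"pids mapping it: {s['pids_with_image']}, dumps of it: {s['image_dumps']}")
    print(f"bases moved: {s['pids_whose_base_moved']}, "
          f"other sizes: {[hex(x) for x in s['other_region_sizes']]}")
```

Run it over all the memory lines from both runs and `pids_whose_base_moved` stays empty: each process keeps one image base for the whole run, so the repeated dumps are time-separated snapshots of the same mapping, which is what you would expect for unpacked-in-place UPX images rather than payloads that are re-injected.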