Malware Analysis Report

2025-03-15 08:02

Sample ID 240814-1brh3awbkf
Target 2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat
SHA256 10b8f937fa5a8a7330af46da1b66d2345971560741562184ac6f662defee5702
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Xmrig family

XMRig Miner payload

Cobaltstrike

xmrig

Cobalt Strike reflective loader

Cobaltstrike family

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-14 21:28

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Xmrig family

xmrig

UPX packed file

upx
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 21:28

Reported

2024-08-14 21:31

Platform

win7-20240708-en

Max time kernel

140s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\SzxYeTG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mKguZWY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DMWwCaj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eaAVcKd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NLRXMkv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mshZYzR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HEHzlXS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AOxRUtV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\anOFzNr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PzFtQGD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CApeJMH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yFpElDK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ISFXVdG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BBPkxau.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gKrkxog.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EvWHlsj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OqOXUwa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\orsNwIo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xzlhFDN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XbDfJVE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fbOGPDE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2692 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HEHzlXS.exe
PID 2692 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HEHzlXS.exe
PID 2692 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HEHzlXS.exe
PID 2692 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gKrkxog.exe
PID 2692 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gKrkxog.exe
PID 2692 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gKrkxog.exe
PID 2692 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yFpElDK.exe
PID 2692 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yFpElDK.exe
PID 2692 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yFpElDK.exe
PID 2692 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SzxYeTG.exe
PID 2692 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SzxYeTG.exe
PID 2692 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SzxYeTG.exe
PID 2692 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EvWHlsj.exe
PID 2692 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EvWHlsj.exe
PID 2692 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EvWHlsj.exe
PID 2692 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mKguZWY.exe
PID 2692 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mKguZWY.exe
PID 2692 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mKguZWY.exe
PID 2692 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OqOXUwa.exe
PID 2692 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OqOXUwa.exe
PID 2692 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OqOXUwa.exe
PID 2692 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\orsNwIo.exe
PID 2692 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\orsNwIo.exe
PID 2692 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\orsNwIo.exe
PID 2692 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DMWwCaj.exe
PID 2692 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DMWwCaj.exe
PID 2692 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DMWwCaj.exe
PID 2692 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AOxRUtV.exe
PID 2692 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AOxRUtV.exe
PID 2692 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AOxRUtV.exe
PID 2692 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eaAVcKd.exe
PID 2692 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eaAVcKd.exe
PID 2692 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eaAVcKd.exe
PID 2692 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xzlhFDN.exe
PID 2692 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xzlhFDN.exe
PID 2692 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xzlhFDN.exe
PID 2692 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XbDfJVE.exe
PID 2692 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XbDfJVE.exe
PID 2692 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XbDfJVE.exe
PID 2692 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\anOFzNr.exe
PID 2692 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\anOFzNr.exe
PID 2692 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\anOFzNr.exe
PID 2692 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PzFtQGD.exe
PID 2692 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PzFtQGD.exe
PID 2692 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PzFtQGD.exe
PID 2692 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NLRXMkv.exe
PID 2692 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NLRXMkv.exe
PID 2692 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NLRXMkv.exe
PID 2692 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mshZYzR.exe
PID 2692 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mshZYzR.exe
PID 2692 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mshZYzR.exe
PID 2692 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ISFXVdG.exe
PID 2692 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ISFXVdG.exe
PID 2692 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ISFXVdG.exe
PID 2692 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CApeJMH.exe
PID 2692 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CApeJMH.exe
PID 2692 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CApeJMH.exe
PID 2692 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fbOGPDE.exe
PID 2692 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fbOGPDE.exe
PID 2692 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fbOGPDE.exe
PID 2692 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BBPkxau.exe
PID 2692 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BBPkxau.exe
PID 2692 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BBPkxau.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\HEHzlXS.exe

C:\Windows\System\HEHzlXS.exe

C:\Windows\System\gKrkxog.exe

C:\Windows\System\gKrkxog.exe

C:\Windows\System\yFpElDK.exe

C:\Windows\System\yFpElDK.exe

C:\Windows\System\SzxYeTG.exe

C:\Windows\System\SzxYeTG.exe

C:\Windows\System\EvWHlsj.exe

C:\Windows\System\EvWHlsj.exe

C:\Windows\System\mKguZWY.exe

C:\Windows\System\mKguZWY.exe

C:\Windows\System\OqOXUwa.exe

C:\Windows\System\OqOXUwa.exe

C:\Windows\System\orsNwIo.exe

C:\Windows\System\orsNwIo.exe

C:\Windows\System\DMWwCaj.exe

C:\Windows\System\DMWwCaj.exe

C:\Windows\System\AOxRUtV.exe

C:\Windows\System\AOxRUtV.exe

C:\Windows\System\eaAVcKd.exe

C:\Windows\System\eaAVcKd.exe

C:\Windows\System\xzlhFDN.exe

C:\Windows\System\xzlhFDN.exe

C:\Windows\System\XbDfJVE.exe

C:\Windows\System\XbDfJVE.exe

C:\Windows\System\anOFzNr.exe

C:\Windows\System\anOFzNr.exe

C:\Windows\System\PzFtQGD.exe

C:\Windows\System\PzFtQGD.exe

C:\Windows\System\NLRXMkv.exe

C:\Windows\System\NLRXMkv.exe

C:\Windows\System\mshZYzR.exe

C:\Windows\System\mshZYzR.exe

C:\Windows\System\ISFXVdG.exe

C:\Windows\System\ISFXVdG.exe

C:\Windows\System\CApeJMH.exe

C:\Windows\System\CApeJMH.exe

C:\Windows\System\fbOGPDE.exe

C:\Windows\System\fbOGPDE.exe

C:\Windows\System\BBPkxau.exe

C:\Windows\System\BBPkxau.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

\Windows\system\HEHzlXS.exe

MD5 bdea8d2fe3c9d8a8147fafe3354cf4fa
SHA1 7bf742a5b85535e161658ac38e44ea0dfcd68d4c
SHA256 2643fe15e57661343287652018f36c69efa6ffd71c5c740ed86a9439129891de
SHA512 3847a3a656e71ecaa80103575a5f7ba5e7a574491e7a696e29cb695c43eae5f16464f80c8cdd9b2829dfa64d462ac1b43084f2b714855f8c349bd4737d608b1a

\Windows\system\gKrkxog.exe

MD5 bf98a841d8ba0ee49c9680021dbfe742
SHA1 327f6f97ebe85f884bef8e843a5378d7a8856dfc
SHA256 9f3e321f3e1aeb9f4a2edf1c29f3b4b96d77d125a344e68f54ef5fa17de3cf3a
SHA512 4dd83705d6894f2f439b9b29ad775076de13626acdb1524d91cd748604c9a0730dcf1e86b353bdeed2994453a0e36892afe4f79118fc19e7cdc986e22bf5c92e

C:\Windows\system\yFpElDK.exe

MD5 1e3fd4cac0832d7c17148ec5b538beea
SHA1 0df3f98208fb6c995082beeeeb57b6ec3b8db301
SHA256 8247fa9d019c19a260645feddb48debd12b9af75c9908612650c3e490dbae383
SHA512 a36a768c98404011521733fd9902d8bda72ae7fe4fa29a5311b7e71ae7e50925ec74fc42b1dfe87949d14d3db6346e0f9716843703d57e30e659f8117b7fc786

C:\Windows\system\EvWHlsj.exe

MD5 e482cba5a776ed36d99125633d06b53e
SHA1 838ffa3ded3b11d77e32ca14e47c098fc7fa6701
SHA256 97a1774ee693d85edb9cb951920ced26ec283c007dbc0ba9f12c0fbf9d330841
SHA512 362f1a6e5ac9f9654bc12df610c7aa160dfd81816a2b6e537a49a646899405c3bd3a0e4da80d7e76c56874b9fe47695033fb8a1e2df5ad17841be45d5b2feb07

C:\Windows\system\SzxYeTG.exe

MD5 330120b4f3e0f5b54cd1f46592eadd4a
SHA1 db12c31c66210119ee0ad1c89de3e41c7dc39deb
SHA256 40c2cb5ff8cd1131599be27ec25f9a6f4de634e6ff82bafb80d4e5de8077680f
SHA512 2d58f62aa006e6a777c491d3d35b48f1490faeb5ab5b6f95adc4a220885b45d3bd37d05e856b945b60283fad0476db8aa5a3a16a9c262b34fe0e89f251c2ec6b

C:\Windows\system\mKguZWY.exe

MD5 f779ff8b801e9ce7038cf0d2dd64c8f7
SHA1 6a6d0ceb01fcfffd2eee740934569e0158fb6deb
SHA256 84a84c3c655b2e98c4ff45ae2bf9fbde4f07f424972ff3ea9fdcdbc18bc26462
SHA512 84394446581021e28dbe9ba1d637f26e11bf4aa2ff953e76b8b748127310d4d1d508c5cdf9b387a3960cb3bb997ddddd1231b777314fae4fb6d1bf8e40255fd5

\Windows\system\OqOXUwa.exe

MD5 408ff4528977a37918c6b15b42c42c29
SHA1 8aaccbb13fd80c687ce57042a142a8fc9f73ac64
SHA256 c8474fad104364c52a316b75fd232b3c93d3f8c5aef1b394e8ce5e6c6aeb9473
SHA512 3f4348a557eaa7574ba1e253aca5c1855d6cb38139fb858b89c4fe4400430442b1661f959f7eb268aceab29c0cef0912fb2d62a4a5b9cced9b6be510122aec36

C:\Windows\system\orsNwIo.exe

MD5 d8c92396faad1b24cd5c00b7760ea91d
SHA1 bacf09df2efe289982308ba383d06511d882a808
SHA256 ea160ea032aa71c24922ff8cfe0ba53c29a0d46426f0688cadf502e10c8c36bf
SHA512 7081328e2ad1b5d7fd35a4e8e4b5ba66e455eff81af9f1a5b03a796ece3f9088c0b113f1781b4d09b8a0a142491ceeca0319edae3100793108a30f9a06488734

\Windows\system\AOxRUtV.exe

MD5 175f42652fc80e9760c1629f1d52daf0
SHA1 63cf68456ce2e2aa8f2822e0f1905536a0be1dfa
SHA256 e4d74db54ee4a372948f13cbd324aa092f50a43f2a0310977dee00f36be7fa4c
SHA512 649a2328566baaa9a770cd23e13a1c66b6be7350ed45a50efcd93753bcb59298fa7f837c2faf6ddceb614602e82a597fada97200cc011a84dbb9a0c73f39ab0e

\Windows\system\xzlhFDN.exe

MD5 6f78552563666420c23cbab259ed97be
SHA1 f92ed9bcd4bf90dcc5b27053c9302895c8854ee2
SHA256 9c8826f1861b6cc3038305c06e5ce9797d1046aa70815cd70202d7d44607e0f5
SHA512 d0294cf1563d9086131cb615ccd18510f9be0ac93831f63dc7db3c42910b70ebb0cd65ccec87d38dae462093b50ab717e69e7d3cba970c651407c9f366c3d8ac

C:\Windows\system\eaAVcKd.exe

MD5 a4834cc6954431806db1653f0169a735
SHA1 eab947bebcc84689b2c790238ee4f5da1319f772
SHA256 efb89e08952846a2d74f122bfa641e6b8bcf41db810e56392ae274038319374a
SHA512 58818160ab16beac324f97c2c119206a1c358e9d25b3ba23daf255632daff8bf4a1e7a543223fca07ec271f6b8b9e013660062f1ff912e2a474bc5ff4e495d38

C:\Windows\system\DMWwCaj.exe

MD5 447e9c0b4342f838d7a1f5d71a56f6a0
SHA1 c215229a9e6a244f2f4fc60eb2fd8b0d1dc759aa
SHA256 2193c21cca3dc7cd777d2d690e7204fe84dba5b9bf40f786e9e68b6d4b4f8e49
SHA512 13c3fee75b4f0227c41efc971c7352cdefdbcaf6b474ee29396378962e74f3240e3a7c5adbc5913456136816751f0453bb677bcec8ff50633fe49b96b9b4a395

\Windows\system\XbDfJVE.exe

MD5 84c1e4c6824ac913ca1ab20e6241e706
SHA1 11704eab46a443a694985410c2e9eb888db180b9
SHA256 87299f648b2f25f3e1101a756cd484b588881c79a0b0940e644a642abb269e49
SHA512 a0f12f56d57b0f383d66c781ee03c4620c8bb401f5c638533c7eb303b169d9d2b3e5e9b5c6ceae98bfcd62a4c282a64ba1317fbfdb68382a5289b715b3f816aa

C:\Windows\system\anOFzNr.exe

MD5 adeda8254c1d6b0214fedb58e67f4f2b
SHA1 6856df24be07253877de20c0e71e484962f13320
SHA256 732af5688f208c1547d2fa77dd6c6336359ece1faa2d5a6057b10ce74ad9e7ca
SHA512 8a37c9b2d9722ccdd65a3fbf5e3ab454c1bd24b2543e75491816f3925611d41649fc6ae2d870d88ab4b4ff664aafd81d0c7e5778649402ec154ff177175365a1

C:\Windows\system\PzFtQGD.exe

MD5 83bdfdf81f74b774dbda6bb8279d415a
SHA1 dd51b92a24c9a02e440cb2ea50c62593ebfa5064
SHA256 203b38779253ebfb72aae0dd70491e62812c3e7945bb9f932293d5addd942f06
SHA512 9c03f1bb7ee3f9c8789ab33c7dc08e78bd3d99656f58acfedcee829640249631f3c9502b521c76d5373b2fc8c8c7b64e07f1e03028b6aa8f777e160d238b971f

C:\Windows\system\NLRXMkv.exe

MD5 2874666e94c864dc6e87b02e7776d10b
SHA1 39f8c7721c7eaf498693324f55f646d14a041377
SHA256 0990ca65d2ed7cc90ff650aba913b5045c054680885aaccbe9f054ee2bda81cb
SHA512 0cd2797f0b339286852c77250bf23a05e4f55be4217f840d25129d3eb443dc0870b1d16427565f40ac7d3a106428ca2bf6a3c2c0241b6a57c26de4956374138d

C:\Windows\system\ISFXVdG.exe

MD5 8749fb606c991f689d4dc9f50ec22683
SHA1 9570fbb8da8a4f9e562e0e7a27a7cf25f2a6f825
SHA256 400ef8af55e96caf849ee032877c63551973d3dd46452435a0c7690eaa80d0e8
SHA512 a9def0e0806ff8685d2ea1d69a4d2fa89eaae0596bede518a64c8c74083c753f01905f6585e407d7f9267b4d8c5a6a641b543078615aded134429939a1d67c7c

C:\Windows\system\CApeJMH.exe

MD5 51a83cb2a9d78dcdec8043ded81572f6
SHA1 bab787de9b2e1fd6d2aa32b1f354b8998ae5969c
SHA256 7b3a02e6523072cd882e1bfe9ca7da06f8f3d36f58d53dde6309ccafbfd9af17
SHA512 010fb6f86037df76b880a5b8df2316abe8afc54550d61721853def1c0f7f5b3a63b830399a992ab24cd9464ddf9f516c6ac86b3b3b0c9c5c8c867a8d24153423

\Windows\system\BBPkxau.exe

MD5 5072bb07750e7e407532efe518af793e
SHA1 34e0d1554cb0d74b364fd962a94634ff33b2ef6d
SHA256 3fb59f0299d6334fedfd098adb635abd7fd54dc8fabefeb06e64306e6a072902
SHA512 e5d76384b45e371f177333f861baae813d539bcfa8bd131a7e5ec91030b65617a9787080fd0fd48eecd373bc7219d68866add54dd48713dba8221a042d173739

C:\Windows\system\fbOGPDE.exe

MD5 44a6cfa3b598e175bfd33ea4466bb312
SHA1 a0a95a32b49b5bece94391db45d6e206b3150887
SHA256 23028ef6a7b2d81f551ebd9386bd7fe262d6764edbf08693393dca19563a8a33
SHA512 22a12e44d929c0f048713453ffe9fcf43f1b4618cfa20e0736f2ea23736873586b7dbd9e2baa454aa5c7402b8cfe7a5bc6e5978a89e2eff01f17dc378bc93ce0

C:\Windows\system\mshZYzR.exe

MD5 8db826b8c8e6b908cd7ca6eb7c61485c
SHA1 afd8ce53dc6f7966d30aa8bf162cd708493a339e
SHA256 43695a22445086402ffc3743a93b172124c0ff7bc266f538b0d8fc8e369385ea
SHA512 7f8857e5b5ffa4eca8c8cc3e050fa73343f6d83f469adaf0f2cf38deaf1d35da086d21fe27858bbdd5cc357c77b40a74854eefda27f5bfa3c30a368d9d455814

memory/2692-134-0x000000013FDE0000-0x0000000140131000-memory.dmp

memory/2692-136-0x00000000021A0000-0x00000000024F1000-memory.dmp

memory/340-135-0x000000013FDE0000-0x0000000140131000-memory.dmp

memory/1924-133-0x000000013FF60000-0x00000001402B1000-memory.dmp

memory/2692-137-0x000000013F690000-0x000000013F9E1000-memory.dmp

memory/2372-149-0x000000013F9C0000-0x000000013FD11000-memory.dmp

memory/1444-153-0x000000013FC00000-0x000000013FF51000-memory.dmp

memory/2516-154-0x000000013F300000-0x000000013F651000-memory.dmp

memory/824-158-0x000000013F650000-0x000000013F9A1000-memory.dmp

memory/1648-157-0x000000013FA90000-0x000000013FDE1000-memory.dmp

memory/1584-155-0x000000013F880000-0x000000013FBD1000-memory.dmp

memory/1312-156-0x000000013FF00000-0x0000000140251000-memory.dmp

memory/2592-152-0x000000013FE00000-0x0000000140151000-memory.dmp

memory/2692-159-0x000000013F690000-0x000000013F9E1000-memory.dmp

memory/2692-181-0x000000013FDE0000-0x0000000140131000-memory.dmp

memory/1452-205-0x000000013F6D0000-0x000000013FA21000-memory.dmp

memory/2168-207-0x000000013FEE0000-0x0000000140231000-memory.dmp

memory/1924-210-0x000000013FF60000-0x00000001402B1000-memory.dmp

memory/2796-211-0x000000013F280000-0x000000013F5D1000-memory.dmp

memory/800-213-0x000000013F9C0000-0x000000013FD11000-memory.dmp

memory/2836-215-0x000000013FB90000-0x000000013FEE1000-memory.dmp

memory/2764-224-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

memory/2724-226-0x000000013FEB0000-0x0000000140201000-memory.dmp

memory/2776-228-0x000000013F160000-0x000000013F4B1000-memory.dmp

memory/2636-230-0x000000013F0F0000-0x000000013F441000-memory.dmp

memory/2372-232-0x000000013F9C0000-0x000000013FD11000-memory.dmp

memory/2608-234-0x000000013F170000-0x000000013F4C1000-memory.dmp

memory/1972-245-0x000000013FDE0000-0x0000000140131000-memory.dmp

memory/340-249-0x000000013FDE0000-0x0000000140131000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 21:28

Reported

2024-08-14 21:31

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\jhGcwBm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xaYwFuV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zLftRCy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LkEmJpz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jintMzA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hTXsLiz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AHjMpGW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AgNrxgb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sVIAweI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BRskxnO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rAHOZuW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AHmeCrg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZoMrxAT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qhjtcrc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xuaspev.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kCGitLH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QBgxgzv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JJFyCkg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rypzvGD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RphQpQP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BDUJXLJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3732 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QBgxgzv.exe
PID 3732 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QBgxgzv.exe
PID 3732 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hTXsLiz.exe
PID 3732 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hTXsLiz.exe
PID 3732 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qhjtcrc.exe
PID 3732 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qhjtcrc.exe
PID 3732 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AHjMpGW.exe
PID 3732 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AHjMpGW.exe
PID 3732 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AgNrxgb.exe
PID 3732 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AgNrxgb.exe
PID 3732 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BDUJXLJ.exe
PID 3732 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BDUJXLJ.exe
PID 3732 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jhGcwBm.exe
PID 3732 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jhGcwBm.exe
PID 3732 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sVIAweI.exe
PID 3732 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sVIAweI.exe
PID 3732 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JJFyCkg.exe
PID 3732 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JJFyCkg.exe
PID 3732 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rypzvGD.exe
PID 3732 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rypzvGD.exe
PID 3732 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BRskxnO.exe
PID 3732 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BRskxnO.exe
PID 3732 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xaYwFuV.exe
PID 3732 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xaYwFuV.exe
PID 3732 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rAHOZuW.exe
PID 3732 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rAHOZuW.exe
PID 3732 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zLftRCy.exe
PID 3732 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zLftRCy.exe
PID 3732 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LkEmJpz.exe
PID 3732 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LkEmJpz.exe
PID 3732 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xuaspev.exe
PID 3732 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xuaspev.exe
PID 3732 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kCGitLH.exe
PID 3732 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kCGitLH.exe
PID 3732 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AHmeCrg.exe
PID 3732 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AHmeCrg.exe
PID 3732 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RphQpQP.exe
PID 3732 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RphQpQP.exe
PID 3732 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZoMrxAT.exe
PID 3732 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZoMrxAT.exe
PID 3732 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jintMzA.exe
PID 3732 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jintMzA.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\QBgxgzv.exe

C:\Windows\System\QBgxgzv.exe

C:\Windows\System\hTXsLiz.exe

C:\Windows\System\hTXsLiz.exe

C:\Windows\System\qhjtcrc.exe

C:\Windows\System\qhjtcrc.exe

C:\Windows\System\AHjMpGW.exe

C:\Windows\System\AHjMpGW.exe

C:\Windows\System\AgNrxgb.exe

C:\Windows\System\AgNrxgb.exe

C:\Windows\System\BDUJXLJ.exe

C:\Windows\System\BDUJXLJ.exe

C:\Windows\System\jhGcwBm.exe

C:\Windows\System\jhGcwBm.exe

C:\Windows\System\sVIAweI.exe

C:\Windows\System\sVIAweI.exe

C:\Windows\System\JJFyCkg.exe

C:\Windows\System\JJFyCkg.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4112,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4124 /prefetch:8

C:\Windows\System\rypzvGD.exe

C:\Windows\System\rypzvGD.exe

C:\Windows\System\BRskxnO.exe

C:\Windows\System\BRskxnO.exe

C:\Windows\System\xaYwFuV.exe

C:\Windows\System\xaYwFuV.exe

C:\Windows\System\rAHOZuW.exe

C:\Windows\System\rAHOZuW.exe

C:\Windows\System\zLftRCy.exe

C:\Windows\System\zLftRCy.exe

C:\Windows\System\LkEmJpz.exe

C:\Windows\System\LkEmJpz.exe

C:\Windows\System\xuaspev.exe

C:\Windows\System\xuaspev.exe

C:\Windows\System\kCGitLH.exe

C:\Windows\System\kCGitLH.exe

C:\Windows\System\AHmeCrg.exe

C:\Windows\System\AHmeCrg.exe

C:\Windows\System\RphQpQP.exe

C:\Windows\System\RphQpQP.exe

C:\Windows\System\ZoMrxAT.exe

C:\Windows\System\ZoMrxAT.exe

C:\Windows\System\jintMzA.exe

C:\Windows\System\jintMzA.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 34.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 34.56.20.217.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp

Files
