Malware Analysis Report

2025-03-15 08:02

Sample ID: 240815-ms6sestcmm
Target: 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat
SHA256: d501bdb6f2f87f83525b1fe9fe20c02ad38dbdae6e391a5c8a9dc539ef867781
Tags: upx 0 miner cobaltstrike xmrig backdoor trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: d501bdb6f2f87f83525b1fe9fe20c02ad38dbdae6e391a5c8a9dc539ef867781
Threat Level: Known bad

The file 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Xmrig family

Cobalt Strike reflective loader

Cobaltstrike family

Cobaltstrike

XMRig Miner payload

xmrig

XMRig Miner payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-08-15 10:44

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Xmrig family

xmrig

UPX packed file

upx
Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-15 10:44
Reported: 2024-08-15 10:47
Platform: win7-20240705-en
Max time kernel: 141s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
(the same entry is logged 21 times)

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\pXOasYH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NQEndlz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ruprLVE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GIJGluI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TJOyvlp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vggYLLZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HHfYUai.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RmzSSzf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wVRPawO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ehMKZFv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZyrOSla.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\imCagkN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qtnoiaG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wkVmbhv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FyndwtS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ghQBlsF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IlYUbby.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qjkqSVP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JMtmySY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gcqTvGQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PrxIkPx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1056 wrote to memory of 1256 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FyndwtS.exe
PID 1056 wrote to memory of 2212 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RmzSSzf.exe
PID 1056 wrote to memory of 1988 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ruprLVE.exe
PID 1056 wrote to memory of 2012 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ghQBlsF.exe
PID 1056 wrote to memory of 2160 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IlYUbby.exe
PID 1056 wrote to memory of 2732 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GIJGluI.exe
PID 1056 wrote to memory of 2860 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qjkqSVP.exe
PID 1056 wrote to memory of 2880 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wVRPawO.exe
PID 1056 wrote to memory of 2780 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TJOyvlp.exe
PID 1056 wrote to memory of 2888 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JMtmySY.exe
PID 1056 wrote to memory of 2096 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vggYLLZ.exe
PID 1056 wrote to memory of 2660 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\imCagkN.exe
PID 1056 wrote to memory of 2340 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qtnoiaG.exe
PID 1056 wrote to memory of 2628 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pXOasYH.exe
PID 1056 wrote to memory of 2700 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ehMKZFv.exe
PID 1056 wrote to memory of 2052 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wkVmbhv.exe
PID 1056 wrote to memory of 2528 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NQEndlz.exe
PID 1056 wrote to memory of 1640 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZyrOSla.exe
PID 1056 wrote to memory of 936 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gcqTvGQ.exe
PID 1056 wrote to memory of 2948 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PrxIkPx.exe
PID 1056 wrote to memory of 2940 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HHfYUai.exe

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe "C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\FyndwtS.exe C:\Windows\System\FyndwtS.exe
C:\Windows\System\RmzSSzf.exe C:\Windows\System\RmzSSzf.exe
C:\Windows\System\ruprLVE.exe C:\Windows\System\ruprLVE.exe
C:\Windows\System\ghQBlsF.exe C:\Windows\System\ghQBlsF.exe
C:\Windows\System\IlYUbby.exe C:\Windows\System\IlYUbby.exe
C:\Windows\System\GIJGluI.exe C:\Windows\System\GIJGluI.exe
C:\Windows\System\qjkqSVP.exe C:\Windows\System\qjkqSVP.exe
C:\Windows\System\wVRPawO.exe C:\Windows\System\wVRPawO.exe
C:\Windows\System\TJOyvlp.exe C:\Windows\System\TJOyvlp.exe
C:\Windows\System\JMtmySY.exe C:\Windows\System\JMtmySY.exe
C:\Windows\System\vggYLLZ.exe C:\Windows\System\vggYLLZ.exe
C:\Windows\System\imCagkN.exe C:\Windows\System\imCagkN.exe
C:\Windows\System\qtnoiaG.exe C:\Windows\System\qtnoiaG.exe
C:\Windows\System\pXOasYH.exe C:\Windows\System\pXOasYH.exe
C:\Windows\System\ehMKZFv.exe C:\Windows\System\ehMKZFv.exe
C:\Windows\System\wkVmbhv.exe C:\Windows\System\wkVmbhv.exe
C:\Windows\System\NQEndlz.exe C:\Windows\System\NQEndlz.exe
C:\Windows\System\ZyrOSla.exe C:\Windows\System\ZyrOSla.exe
C:\Windows\System\gcqTvGQ.exe C:\Windows\System\gcqTvGQ.exe
C:\Windows\System\PrxIkPx.exe C:\Windows\System\PrxIkPx.exe
C:\Windows\System\HHfYUai.exe C:\Windows\System\HHfYUai.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp
(the same destination is logged six times)

Files

\Windows\system\FyndwtS.exe
\Windows\system\RmzSSzf.exe
C:\Windows\system\ghQBlsF.exe
C:\Windows\system\IlYUbby.exe
C:\Windows\system\GIJGluI.exe
C:\Windows\system\qjkqSVP.exe
C:\Windows\system\wVRPawO.exe
C:\Windows\system\TJOyvlp.exe
C:\Windows\system\JMtmySY.exe
C:\Windows\system\vggYLLZ.exe
\Windows\system\imCagkN.exe
C:\Windows\system\ehMKZFv.exe
\Windows\system\HHfYUai.exe
\Windows\system\PrxIkPx.exe
C:\Windows\system\ZyrOSla.exe
C:\Windows\system\wkVmbhv.exe
C:\Windows\system\gcqTvGQ.exe
C:\Windows\system\NQEndlz.exe
C:\Windows\system\pXOasYH.exe
C:\Windows\system\qtnoiaG.exe
C:\Windows\system\ruprLVE.exe

memory/2340-234-0x000000013F170000-0x000000013F4C1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 10:44

Reported

2024-08-15 10:47

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\nRrFaSX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NsxVjjA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Ticnvij.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AyhLRTq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YoXWrzz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LSewzxp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AEuuSMM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qoCgjzh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SvfaYty.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aGpzwvv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WvfOKNO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TRTvSpj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kWjgCJO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aEppgbU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CKsYyqY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KYYmgoK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gLfzEbv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PvDbrOv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OpJooXW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EWHEnIq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JwtUZeH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3452 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PvDbrOv.exe
PID 3452 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PvDbrOv.exe
PID 3452 wrote to memory of 6084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SvfaYty.exe
PID 3452 wrote to memory of 6084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SvfaYty.exe
PID 3452 wrote to memory of 5356 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kWjgCJO.exe
PID 3452 wrote to memory of 5356 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kWjgCJO.exe
PID 3452 wrote to memory of 5168 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OpJooXW.exe
PID 3452 wrote to memory of 5168 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OpJooXW.exe
PID 3452 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EWHEnIq.exe
PID 3452 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EWHEnIq.exe
PID 3452 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NsxVjjA.exe
PID 3452 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NsxVjjA.exe
PID 3452 wrote to memory of 5656 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Ticnvij.exe
PID 3452 wrote to memory of 5656 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Ticnvij.exe
PID 3452 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AyhLRTq.exe
PID 3452 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AyhLRTq.exe
PID 3452 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aGpzwvv.exe
PID 3452 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aGpzwvv.exe
PID 3452 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JwtUZeH.exe
PID 3452 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JwtUZeH.exe
PID 3452 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KYYmgoK.exe
PID 3452 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KYYmgoK.exe
PID 3452 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aEppgbU.exe
PID 3452 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aEppgbU.exe
PID 3452 wrote to memory of 5888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CKsYyqY.exe
PID 3452 wrote to memory of 5888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CKsYyqY.exe
PID 3452 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WvfOKNO.exe
PID 3452 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WvfOKNO.exe
PID 3452 wrote to memory of 5624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TRTvSpj.exe
PID 3452 wrote to memory of 5624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TRTvSpj.exe
PID 3452 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gLfzEbv.exe
PID 3452 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gLfzEbv.exe
PID 3452 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LSewzxp.exe
PID 3452 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LSewzxp.exe
PID 3452 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YoXWrzz.exe
PID 3452 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YoXWrzz.exe
PID 3452 wrote to memory of 5772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nRrFaSX.exe
PID 3452 wrote to memory of 5772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nRrFaSX.exe
PID 3452 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AEuuSMM.exe
PID 3452 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AEuuSMM.exe
PID 3452 wrote to memory of 5660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qoCgjzh.exe
PID 3452 wrote to memory of 5660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qoCgjzh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\PvDbrOv.exe

C:\Windows\System\PvDbrOv.exe

C:\Windows\System\SvfaYty.exe

C:\Windows\System\SvfaYty.exe

C:\Windows\System\kWjgCJO.exe

C:\Windows\System\kWjgCJO.exe

C:\Windows\System\OpJooXW.exe

C:\Windows\System\OpJooXW.exe

C:\Windows\System\EWHEnIq.exe

C:\Windows\System\EWHEnIq.exe

C:\Windows\System\NsxVjjA.exe

C:\Windows\System\NsxVjjA.exe

C:\Windows\System\Ticnvij.exe

C:\Windows\System\Ticnvij.exe

C:\Windows\System\AyhLRTq.exe

C:\Windows\System\AyhLRTq.exe

C:\Windows\System\aGpzwvv.exe

C:\Windows\System\aGpzwvv.exe

C:\Windows\System\JwtUZeH.exe

C:\Windows\System\JwtUZeH.exe

C:\Windows\System\KYYmgoK.exe

C:\Windows\System\KYYmgoK.exe

C:\Windows\System\aEppgbU.exe

C:\Windows\System\aEppgbU.exe

C:\Windows\System\CKsYyqY.exe

C:\Windows\System\CKsYyqY.exe

C:\Windows\System\WvfOKNO.exe

C:\Windows\System\WvfOKNO.exe

C:\Windows\System\TRTvSpj.exe

C:\Windows\System\TRTvSpj.exe

C:\Windows\System\gLfzEbv.exe

C:\Windows\System\gLfzEbv.exe

C:\Windows\System\LSewzxp.exe

C:\Windows\System\LSewzxp.exe

C:\Windows\System\YoXWrzz.exe

C:\Windows\System\YoXWrzz.exe

C:\Windows\System\nRrFaSX.exe

C:\Windows\System\nRrFaSX.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3820,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=4768 /prefetch:8

C:\Windows\System\AEuuSMM.exe

C:\Windows\System\AEuuSMM.exe

C:\Windows\System\qoCgjzh.exe

C:\Windows\System\qoCgjzh.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
