Malware Analysis Report

2025-01-22 19:21

Sample ID 240805-mngmqstdpr
Target 2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat
SHA256 f24f07ff3da33479ced4a01582a36d4967f6592ee1dca94068be3b74fcdc347b
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f24f07ff3da33479ced4a01582a36d4967f6592ee1dca94068be3b74fcdc347b

Threat Level: Known bad

The file 2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike

Cobaltstrike family

xmrig

Cobalt Strike reflective loader

Xmrig family

XMRig Miner payload

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-05 10:36

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-05 10:36

Reported

2024-08-05 10:39

Platform

win7-20240708-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\rmrnTBN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IKynVKG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pAAmuGR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YDwCVzB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DOssgMV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hfyiLCt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lwnAzcJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vvxCTEy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sTkMQhc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MUFtipL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XhTxnLp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ytYucKO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\paKusyu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pttMcoy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VXPbhul.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NMZBSyf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IEIJkNg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jAGGdtW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vxGeorS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KzbaoeM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MjcDrhx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2876 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hfyiLCt.exe
PID 2876 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rmrnTBN.exe
PID 2876 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sTkMQhc.exe
PID 2876 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MUFtipL.exe
PID 2876 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IKynVKG.exe
PID 2876 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\paKusyu.exe
PID 2876 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XhTxnLp.exe
PID 2876 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pAAmuGR.exe
PID 2876 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pttMcoy.exe
PID 2876 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VXPbhul.exe
PID 2876 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lwnAzcJ.exe
PID 2876 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YDwCVzB.exe
PID 2876 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NMZBSyf.exe
PID 2876 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IEIJkNg.exe
PID 2876 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DOssgMV.exe
PID 2876 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jAGGdtW.exe
PID 2876 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ytYucKO.exe
PID 2876 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vxGeorS.exe
PID 2876 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KzbaoeM.exe
PID 2876 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MjcDrhx.exe
PID 2876 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vvxCTEy.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\hfyiLCt.exe

C:\Windows\System\rmrnTBN.exe

C:\Windows\System\sTkMQhc.exe

C:\Windows\System\MUFtipL.exe

C:\Windows\System\IKynVKG.exe

C:\Windows\System\paKusyu.exe

C:\Windows\System\XhTxnLp.exe

C:\Windows\System\pAAmuGR.exe

C:\Windows\System\pttMcoy.exe

C:\Windows\System\VXPbhul.exe

C:\Windows\System\lwnAzcJ.exe

C:\Windows\System\YDwCVzB.exe

C:\Windows\System\NMZBSyf.exe

C:\Windows\System\IEIJkNg.exe

C:\Windows\System\DOssgMV.exe

C:\Windows\System\jAGGdtW.exe

C:\Windows\System\ytYucKO.exe

C:\Windows\System\vxGeorS.exe

C:\Windows\System\KzbaoeM.exe

C:\Windows\System\MjcDrhx.exe

C:\Windows\System\vvxCTEy.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

\Windows\system\hfyiLCt.exe

C:\Windows\system\rmrnTBN.exe

C:\Windows\system\sTkMQhc.exe

C:\Windows\system\MUFtipL.exe

C:\Windows\system\IKynVKG.exe

C:\Windows\system\paKusyu.exe

C:\Windows\system\XhTxnLp.exe

C:\Windows\system\pAAmuGR.exe

C:\Windows\system\pttMcoy.exe

C:\Windows\system\VXPbhul.exe

\Windows\system\vxGeorS.exe

C:\Windows\system\NMZBSyf.exe

\Windows\system\ytYucKO.exe

C:\Windows\system\KzbaoeM.exe

\Windows\system\vvxCTEy.exe

C:\Windows\system\MjcDrhx.exe

\Windows\system\DOssgMV.exe

C:\Windows\system\jAGGdtW.exe

C:\Windows\system\IEIJkNg.exe

C:\Windows\system\YDwCVzB.exe

C:\Windows\system\lwnAzcJ.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-05 10:36

Reported

2024-08-05 10:39

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (x21)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (x64)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (x64)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\PtPqxvn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JwGLYqI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\acaBVSb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JbJhzWQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mMcjNOa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YdALpRS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HEIpqst.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fzufeqK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\isLDGhb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pAcegaF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZZbVpLn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fJfGWQi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nItxwWw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EqHukyt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Fzvhuks.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kCpfLta.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WDxfRaY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NwWNvVg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PcHbEhO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eDevBkI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kjBszdL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4116 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eDevBkI.exe
PID 4116 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eDevBkI.exe
PID 4116 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WDxfRaY.exe
PID 4116 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WDxfRaY.exe
PID 4116 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JbJhzWQ.exe
PID 4116 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JbJhzWQ.exe
PID 4116 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mMcjNOa.exe
PID 4116 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mMcjNOa.exe
PID 4116 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kjBszdL.exe
PID 4116 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kjBszdL.exe
PID 4116 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fJfGWQi.exe
PID 4116 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fJfGWQi.exe
PID 4116 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NwWNvVg.exe
PID 4116 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NwWNvVg.exe
PID 4116 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PtPqxvn.exe
PID 4116 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PtPqxvn.exe
PID 4116 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nItxwWw.exe
PID 4116 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nItxwWw.exe
PID 4116 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JwGLYqI.exe
PID 4116 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JwGLYqI.exe
PID 4116 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PcHbEhO.exe
PID 4116 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PcHbEhO.exe
PID 4116 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YdALpRS.exe
PID 4116 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YdALpRS.exe
PID 4116 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HEIpqst.exe
PID 4116 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HEIpqst.exe
PID 4116 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fzufeqK.exe
PID 4116 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fzufeqK.exe
PID 4116 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EqHukyt.exe
PID 4116 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EqHukyt.exe
PID 4116 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\acaBVSb.exe
PID 4116 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\acaBVSb.exe
PID 4116 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\isLDGhb.exe
PID 4116 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\isLDGhb.exe
PID 4116 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pAcegaF.exe
PID 4116 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pAcegaF.exe
PID 4116 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZZbVpLn.exe
PID 4116 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZZbVpLn.exe
PID 4116 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Fzvhuks.exe
PID 4116 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Fzvhuks.exe
PID 4116 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kCpfLta.exe
PID 4116 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kCpfLta.exe
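
The two tables above describe one chain: the parent (PID 4116) creates a randomly named executable under C:\Windows\System, starts it, and is then logged writing into that child's memory. The script below is an added example, not part of the sandbox report, that correlates the two tables so a reviewer can confirm every dropped file was also a write target and turn the pattern into a detection rule. It embeds a subset of the rows copied from the tables (the write pairs for JwGLYqI.exe and kjBszdL.exe are deliberately omitted so the unmatched branch runs; on the full tables all 21 dropped paths match). Function names, the 7-letter path pattern and the alert threshold are the example's own choices.

```python
import re
from collections import defaultdict

# Parent image path exactly as it appears in the tables above.
PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe")

# Rows copied from the "Drops file in Windows directory" table (a subset).
DROP_ROWS = "\n".join(f"File created {p} {PARENT} N/A" for p in [
    r"C:\Windows\System\PtPqxvn.exe",
    r"C:\Windows\System\JwGLYqI.exe",
    r"C:\Windows\System\eDevBkI.exe",
    r"C:\Windows\System\WDxfRaY.exe",
    r"C:\Windows\System\kjBszdL.exe",
])

# Rows copied from the "Suspicious use of WriteProcessMemory" table (a subset; the pairs
# for JwGLYqI.exe and kjBszdL.exe are left out on purpose to exercise the unmatched path).
WRITE_ROWS = "\n".join(f"PID 4116 wrote to memory of {pid} N/A {PARENT} {p}" for pid, p in [
    (4144, r"C:\Windows\System\eDevBkI.exe"),
    (4144, r"C:\Windows\System\eDevBkI.exe"),
    (928, r"C:\Windows\System\WDxfRaY.exe"),
    (928, r"C:\Windows\System\WDxfRaY.exe"),
    (5116, r"C:\Windows\System\PtPqxvn.exe"),
    (5116, r"C:\Windows\System\PtPqxvn.exe"),
])

DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
# Example's own pattern: seven mixed-case letters, .exe, directly under C:\Windows\System.
SYSTEM_DROP_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")


def parse_drops(text):
    """-> list of (dropped_path, creator_path)."""
    return [m.groups() for m in map(DROP_RE.match, text.strip().splitlines()) if m]


def parse_writes(text):
    """-> list of dicts: writer_pid, target_pid, writer_path, target_path."""
    out = []
    for m in map(WRITE_RE.match, text.strip().splitlines()):
        if m:
            w, t, wp, tp = m.groups()
            out.append({"writer_pid": int(w), "target_pid": int(t),
                        "writer_path": wp, "target_path": tp})
    return out


def correlate(drops, writes):
    """For each dropped file: who created it, which PID it ran as, how many writes hit it."""
    table = {path: {"creator": creator, "target_pid": None, "write_events": 0}
             for path, creator in drops}
    for w in writes:
        entry = table.get(w["target_path"])
        if entry is not None:
            entry["write_events"] += 1
            entry["target_pid"] = w["target_pid"]
    return table


def summarize(drops, writes):
    """Counts a reviewer wants at a glance, plus the drops that never became a write target."""
    table = correlate(drops, writes)
    by_creator = defaultdict(list)
    for path, e in table.items():
        by_creator[e["creator"]].append(path)
    return {
        "dropped": len(table),
        "dropped_then_written": sum(1 for e in table.values() if e["write_events"]),
        "never_written": sorted(p for p, e in table.items() if not e["write_events"]),
        "writer_pids": {w["writer_pid"] for w in writes},
        "creators": dict(by_creator),
    }


def chain_alert(drops, writes, min_drops=3):
    """Fire when one creator drops at least min_drops randomly named EXEs under the Windows
    System directory and then writes into the process of each one it dropped."""
    table = correlate(drops, writes)
    hits = defaultdict(int)
    for path, e in table.items():
        if SYSTEM_DROP_RE.match(path) and any(
                w["writer_path"] == e["creator"] and w["target_path"] == path for w in writes):
            hits[e["creator"]] += 1
    return any(n >= min_drops for n in hits.values())


if __name__ == "__main__":
    d, w = parse_drops(DROP_ROWS), parse_writes(WRITE_ROWS)
    for path, e in correlate(d, w).items():
        print(f"{path}: pid={e['target_pid']} writes={e['write_events']}")
    print("never written:", summarize(d, w)["never_written"])
    print("chain alert:", chain_alert(d, w))
```

The rule keys on the combination (drop location, random name, creator-to-child write) rather than on the write events alone: in this sandbox's reports a pair of "PID X wrote to memory of Y" rows right after the parent spawns Y also appears for ordinary process creation, so the signature by itself is weak evidence of injection. What is distinctive here is 21 such drops from one parent in a system directory.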

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\eDevBkI.exe

C:\Windows\System\eDevBkI.exe

C:\Windows\System\WDxfRaY.exe

C:\Windows\System\WDxfRaY.exe

C:\Windows\System\JbJhzWQ.exe

C:\Windows\System\JbJhzWQ.exe

C:\Windows\System\mMcjNOa.exe

C:\Windows\System\mMcjNOa.exe

C:\Windows\System\kjBszdL.exe

C:\Windows\System\kjBszdL.exe

C:\Windows\System\fJfGWQi.exe

C:\Windows\System\fJfGWQi.exe

C:\Windows\System\NwWNvVg.exe

C:\Windows\System\NwWNvVg.exe

C:\Windows\System\PtPqxvn.exe

C:\Windows\System\PtPqxvn.exe

C:\Windows\System\nItxwWw.exe

C:\Windows\System\nItxwWw.exe

C:\Windows\System\JwGLYqI.exe

C:\Windows\System\JwGLYqI.exe

C:\Windows\System\PcHbEhO.exe

C:\Windows\System\PcHbEhO.exe

C:\Windows\System\YdALpRS.exe

C:\Windows\System\YdALpRS.exe

C:\Windows\System\HEIpqst.exe

C:\Windows\System\HEIpqst.exe

C:\Windows\System\fzufeqK.exe

C:\Windows\System\fzufeqK.exe

C:\Windows\System\EqHukyt.exe

C:\Windows\System\EqHukyt.exe

C:\Windows\System\acaBVSb.exe

C:\Windows\System\acaBVSb.exe

C:\Windows\System\isLDGhb.exe

C:\Windows\System\isLDGhb.exe

C:\Windows\System\pAcegaF.exe

C:\Windows\System\pAcegaF.exe

C:\Windows\System\ZZbVpLn.exe

C:\Windows\System\ZZbVpLn.exe

C:\Windows\System\Fzvhuks.exe

C:\Windows\System\Fzvhuks.exe

C:\Windows\System\kCpfLta.exe

C:\Windows\System\kCpfLta.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
(- : no domain; the connection went directly to the IP address)

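Most of the Network table is sandbox background: resolver traffic to 8.8.8.8, the g.bing.com contact the Windows image makes on its own, and the reverse (PTR) lookups the sandbox issues for addresses it saw. The one thing left after that is six TCP attempts to 3.120.209.58:8080 with no preceding name resolution. The script below is an added example, not part of the report, that parses the rows above (copied verbatim; a missing or "-" Domain column is handled) and separates the buckets. Treating g.bing.com and 8.8.8.8:53 as background is this example's assumption, and the function names are its own.

```python
from collections import Counter

# Rows copied from the Network table of behavioral2 above. Rows with no Domain
# column (or a "-" placeholder) are connections made straight to an IP address.
NETWORK_ROWS = """
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""

# Assumption: produced by the sandbox image itself (OS telemetry and the sandbox's
# resolver), not by the sample, so they are filtered out before triage.
BACKGROUND_DOMAINS = {"g.bing.com"}
RESOLVER = "8.8.8.8:53"


def parse_rows(text):
    """Parse 'CC ip:port [domain] proto' lines; the domain column may be absent or '-'."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            cc, dest, domain, proto = parts
        elif len(parts) == 3:
            cc, dest, proto = parts
            domain = "-"
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, _, port = dest.rpartition(":")
        rows.append({"cc": cc, "ip": ip, "port": int(port),
                     "domain": None if domain == "-" else domain, "proto": proto})
    return rows


def classify(row):
    """Bucket a row so the reviewer can drop noise and keep what needs a decision."""
    if row["domain"] and row["domain"].endswith(".in-addr.arpa"):
        return "reverse-dns"   # PTR lookups the sandbox issues for addresses it observed
    if f"{row['ip']}:{row['port']}" == RESOLVER:
        return "dns"
    if row["domain"] in BACKGROUND_DOMAINS:
        return "background"
    if row["domain"] is None and row["proto"] == "tcp":
        return "direct-ip"     # no name resolution preceded it: a hardcoded address
    return "other"


def ptr_targets(rows):
    """Turn the in-addr.arpa names back into the IPs that were looked up."""
    ips = []
    for r in rows:
        if classify(r) == "reverse-dns":
            octets = r["domain"][: -len(".in-addr.arpa")].split(".")
            ips.append(".".join(reversed(octets)))
    return ips


def candidate_iocs(text):
    """Map 'ip:port/proto' -> number of connection attempts for direct-to-IP rows."""
    rows = parse_rows(text)
    return dict(Counter(f"{r['ip']}:{r['port']}/{r['proto']}"
                        for r in rows if classify(r) == "direct-ip"))


if __name__ == "__main__":
    for r in parse_rows(NETWORK_ROWS):
        print(f"{classify(r):12} {r['ip']}:{r['port']:<5} {r['domain'] or '-'}")
    print("candidate IOCs:", candidate_iocs(NETWORK_ROWS))
    print("PTR lookups were for:", ptr_targets(NETWORK_ROWS))
```

Reversing the PTR names shows they cover 13.107.21.237 (the g.bing.com address) and a handful of other addresses, none of them 3.120.209.58, so that destination is the only one in the table with neither a forward nor a reverse name attached. The report itself does not label it; the script only isolates it as the row to hunt for on the network.
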
Files

memory/4116-0-0x00007FF7DA940000-0x00007FF7DAC94000-memory.dmp

memory/4116-1-0x000001E7F7C70000-0x000001E7F7C80000-memory.dmp

C:\Windows\System\eDevBkI.exe

MD5 27cbc8a03db7ae9a28cfe16399beaf76
SHA1 fe70df2be18ae57f0444c8ab9ab86f5b04203860
SHA256 b25ea7c4c1b38858cf40bcc2f0be4f2f135b373127ff4f88cb8fa260c98b30a6
SHA512 925d8bb8a1da09f14787a45a9a87c480e191fa452d65ee46e2818a3c73d6e00e51d5d902928e63ac99544e231e1e1a3b79594851f7d8937b3e25c85b742a5138

memory/4144-8-0x00007FF763DA0000-0x00007FF7640F4000-memory.dmp

C:\Windows\System\WDxfRaY.exe

MD5 a3a163f5ee9474e31ec724951b7299d4
SHA1 c42f25d7eeee306eeaa3215df1f508bf01fa9bbc
SHA256 05a1cc4688a055c748ab5084341991ec8cc9120541ce05c05ba25751dc46dbdf
SHA512 8c172eb77481a60d7936cf709261ba87e5e7359f5fb291e8b64005c373c4fa48122bf0bb7e7aadd696978bcd687a3e800c70680ddc343d0a90cd2b640799ddfd

C:\Windows\System\JbJhzWQ.exe

MD5 4e513726e21683dad85088742b7164b8
SHA1 9a11db260dbaca14cde1ce0aa8d18a26dbecccb4
SHA256 ec56ff910cf726d8f714a82db7c9319a0cf699a92c236e483ad08e789789ef75
SHA512 22df05a9d5e6651f3140ade8d617c242a58c81d164e625bd37b583e5f625f8711f86f92f30e8a611e56c3e42a748c285b987b94bb77389234966a6f3c0ec46ed

memory/928-14-0x00007FF648690000-0x00007FF6489E4000-memory.dmp

C:\Windows\System\mMcjNOa.exe

MD5 79fee50f2ea0952d4e2937d221bd850b
SHA1 7ecc340006d562b21e17643a9af72cff7b2be455
SHA256 a5d249232aed4673137b0ee91eaf861ef793950a6bb3a2fb5e7a151d140f3af8
SHA512 e8a77b3fafe37d25c740f00399757d985088262d018fe411e7544c1c9d9d5b59c5bfafdc4f2e3d8624cf19fd629732c8bf9d4564c9578cb36bd7c3e01b051aef

C:\Windows\System\kjBszdL.exe

MD5 679f416b752fa33db5ea06cce2cb4278
SHA1 b89b7b194da1d66910c1fe2cc4481a93e3dfcfd6
SHA256 b10e77d91a28b714aea355eeaad7bd16bcbf007f44de0538f2073f7774ad5418
SHA512 5e645cfef6d46859c901b031bdb4cea91ca7c9f0f70d5a0bdfdc8776e92acd642016abe361d5ca4dbca844ab2e2e52e56d4551a02b22fea24e8e55e185210892

memory/2688-35-0x00007FF6CCD70000-0x00007FF6CD0C4000-memory.dmp

memory/4576-40-0x00007FF789A80000-0x00007FF789DD4000-memory.dmp

C:\Windows\System\NwWNvVg.exe

MD5 ac5a3684f204873002a93cc9449bd03a
SHA1 332c256a3c04dc9695a7dca7dc584b15aa023825
SHA256 e26209cd5307b0b95de066f892608024fe57cd10b13965152096d7e6b72506f9
SHA512 140b5dcfd8cdbb4b4e240bd83719ee4ec4df020d538d9cffff13b329611156c9cf5c00d87aaca3ff6ffce9752a3597f4b1449e671b469d481681c8a2ddf6ed7d

memory/2940-42-0x00007FF73A310000-0x00007FF73A664000-memory.dmp

C:\Windows\System\fJfGWQi.exe

MD5 d340aafea1ef0720acfa72b892441941
SHA1 0d37c4a8505be53f36dbe6918ae0696ba1f153b2
SHA256 345defe4c0dd08dfecbcb0002fafcfb090aa81ca7b9b2a8f911d4f4c4afbcf45
SHA512 d36b338e1dd72a66d909a11cacdbc47e27e4d0c69b50c9ce21fc92ecef4500120e89564216e9d9a3690e7670d51070ab43c801f15f54fce45a0680fdec9e0f2e

memory/1856-28-0x00007FF759230000-0x00007FF759584000-memory.dmp

memory/3732-21-0x00007FF66DDA0000-0x00007FF66E0F4000-memory.dmp

C:\Windows\System\PtPqxvn.exe

MD5 447384fc31a0d23bfe969e417fba27af
SHA1 19bbd48069f717fbeea272781289d880c5014582
SHA256 3bab9f64ec6129e515e9488bd4ed84a546bb6560e79468d75a62484b5de1c389
SHA512 6737f769daade005586ad0ee8f36ba2b7deebdfcfaee53c463c2b059d108eed4152302eb5b1bba853ba64f332c815b4fb524601669b5602baa299775c685426d

memory/5116-50-0x00007FF61C490000-0x00007FF61C7E4000-memory.dmp

C:\Windows\System\nItxwWw.exe

MD5 b086f28b2fcf82db32d96c48a9b29358
SHA1 6a5fcbd9e3040dd38c0c44664fe0e83f3bbfc0e7
SHA256 ce3bcc45f2b9393eda7095fa212051a21db5cb45485ec624cba41bcdc83eb698
SHA512 68d80eaca7a2429786d7f456621d0eabae28c2227b1f81dd2eebabd33eb30c6194a22666c320ca8ac23d6662751614421c780126f4023d2c9f3f582b263a9eb7

memory/2012-56-0x00007FF66F520000-0x00007FF66F874000-memory.dmp

C:\Windows\System\JwGLYqI.exe

MD5 30ba34e5c8e92daf076a7d5f97dacca8
SHA1 0b4aedbd8017669425bbd71e4b1a26d274477ae1
SHA256 520cf3e448bc542c2a8465f7dbd0ad7b0028a588f9e71763bbf3c59a76c178c8
SHA512 1b8e23e20d96a6e87698c19a11ab9eb485371843609f3a9d8e40aed7e865acf5b3577ff1d6dd33ee67d9db0765b394623281e30ef5c8310c073b1a48dcf2229e

memory/4116-60-0x00007FF7DA940000-0x00007FF7DAC94000-memory.dmp

memory/1724-63-0x00007FF7053E0000-0x00007FF705734000-memory.dmp

C:\Windows\System\PcHbEhO.exe

MD5 0863d1ef6929c14eae4c645d76ac6676
SHA1 06d4ae1447319c1c29ec101d8c24dfec674ffeed
SHA256 c092ad0df978e716d82833d83885298bcc0b562fb0d6b3e2cbce1ab6e8a601e2
SHA512 2c7317c2d1f36dd3b0b985f35fb1bf8fa0a6c3f674f0ddacb9013719395df167e343cdbe6ae9d789f3ed60fdf0ef0c709494c67b0063a80d9cae3c254985e1e1

memory/2044-69-0x00007FF722DA0000-0x00007FF7230F4000-memory.dmp

memory/4144-68-0x00007FF763DA0000-0x00007FF7640F4000-memory.dmp

C:\Windows\System\YdALpRS.exe

MD5 fade728dc1afdd25f4a911baa4692330
SHA1 4e9f66dde138efd6af15d97750dbb055c753ba66
SHA256 cb2a4fbbf7afc61f4faed00b580050d55e4cb904384c833dfacd0b56f574d233
SHA512 e4f771c929f79316f6234fb98b65a6ef94c16c9389cc2c38ebb38f0aeaf295b4b38d772c5d3486314df5cc420115d64bc04091f7a75bfcc7ba0c1c54f1bf384f

memory/4204-75-0x00007FF68FA70000-0x00007FF68FDC4000-memory.dmp

memory/928-74-0x00007FF648690000-0x00007FF6489E4000-memory.dmp

C:\Windows\System\HEIpqst.exe

MD5 790ba18bd0c146ed19f71d7202918c7c
SHA1 cfd24c1c8b3bddb272654187de0cea85a3905cd8
SHA256 99692a0fec64f8c7cb4b99ce587faac4bd1a27a9123c4b73e1b4c75c4e0f3900
SHA512 67500f55ed943a19c6453151f40032e39087ee54ca7b8c4a25ad924b809b6dfcca3c57dd1c5007ece21a10327dba0bfdd989010ba25580cc48f1aae5605969b2

C:\Windows\System\fzufeqK.exe

MD5 1bc243a71f9ca159c35ca5e1ed850de0
SHA1 9035a61027ec5669f5dee415f22bb10fc239dbb7
SHA256 012cc6c5793258bd05a8f644097979b363f8296cc6eba9e9adea1b316ea540d4
SHA512 e86b7e9fe7cd2aabee342425455c1095751e8583a0c9434bdcc0ec81ed47ae85aaf3344d664a4ed60a06589c458d73d37e4c06d6985e7ea1693c1376e97b437c

C:\Windows\System\EqHukyt.exe

MD5 39b2fab8cc08e315c61919ee1f61cd64
SHA1 391eccda7809d3dc39fc26493e35b65b8d766134
SHA256 87784feef616c5de49a54354755b54dfad4af8273659d2e0a1f9b0d852c7c3b0
SHA512 e2a8cf6b07309e8efbd4aa07a962ba74fdd020043ebddfa0d206f1b4b5a27a66f839b1f9ebb03020c058ec8c84565a530f0c957469f15b0f8e92c756106ddce9

memory/5100-89-0x00007FF6CC0D0000-0x00007FF6CC424000-memory.dmp

memory/2688-88-0x00007FF6CCD70000-0x00007FF6CD0C4000-memory.dmp

C:\Windows\System\acaBVSb.exe

MD5 b91a5ba06e0e0cdd83e24a21995467ea
SHA1 b269c0ed122155d34c0962a89286c85a38016b07
SHA256 3a5a451aeba2a8d3ff59ffa5069be709357aedae517e35826cd697a0c04242dc
SHA512 5c3fd5800625c4a2fb77f7a217d629c0b6e76f2b6dcb975ebde9f3114c2fced44f0921b2e5971b80dfe4063e7ee9d26745f8b572d3cb624d7b67d5f86cb2f195

C:\Windows\System\isLDGhb.exe

MD5 ad9960552b8caec28910d6625ab1303f
SHA1 6d3413133c01308931756f22976a8bb9107002a9
SHA256 3ed7e7241a63d0c34f2f46ece45f6c30809526fe4e72129c9ccaf124963b9a40
SHA512 483fcfd6b9e9e4f30696bfe4521d1d6f3f152b90180e4dd7746045098e4c3121fc68a715d3f0b3d14e7e3732b5a4bf1fa0ac95c9c76ed9f5e64df1b0e011ced9

memory/2940-106-0x00007FF73A310000-0x00007FF73A664000-memory.dmp

memory/1184-108-0x00007FF6F52D0000-0x00007FF6F5624000-memory.dmp

memory/3608-105-0x00007FF7C6000000-0x00007FF7C6354000-memory.dmp

memory/4576-100-0x00007FF789A80000-0x00007FF789DD4000-memory.dmp

memory/3872-94-0x00007FF7CF880000-0x00007FF7CFBD4000-memory.dmp

memory/1300-83-0x00007FF7162A0000-0x00007FF7165F4000-memory.dmp

C:\Windows\System\pAcegaF.exe

MD5 8886377602fd38eb7e690b4cea61d7d3
SHA1 0920864dbfa5e3eaac20ea8fb18bfa5d534e96c0
SHA256 d56a80a403f579145b08d4399675a40c089e63620d5c5d8fa0dac836215c6010
SHA512 33b9ca37c139ce70a0afaf134c2bad48fc85aca53b97b59cdc7ac86c34f6d2957942192bd1408d49299d8e3fbc676a4ef2c94fde18a1713957d8c62449143b67

memory/4416-119-0x00007FF7493E0000-0x00007FF749734000-memory.dmp

C:\Windows\System\ZZbVpLn.exe

MD5 13486a5ae0ef3c280ee7c64fad0ad8d5
SHA1 f01fdb106e35719a829a2ae07e57253e97b6313e
SHA256 6926da48a692bffc840a8e2c5d86ef3b0615926a1d4279ef0dd32ce71da917f9
SHA512 53eef38a33550c0caf5a503a843e2c77bfa63511f049b5cea6e1d7f965500df972f612a57abe5a38389847c2b1faed1d263c0ada6da10c4723c5cbf93e01677d

C:\Windows\System\Fzvhuks.exe

MD5 94da278c45b57b5fcf50b95cf154b442
SHA1 5a94c5ce468a0311a9c6fa5569bccbb24dd054dd
SHA256 d14e0481d63050066bb6a0c4c70031e983adbd036e593490bfa1cc6ec29e2a2c
SHA512 e599c4e4c3d392d61ad1f6c8590f4d9b6b288974fcd3f59f2ebdc4dae0005be30bd38337b74edadc661d571531aac6d5b484b6a842eac2c7b981dd2e47d66671

memory/3156-126-0x00007FF6014E0000-0x00007FF601834000-memory.dmp

memory/3948-130-0x00007FF64E710000-0x00007FF64EA64000-memory.dmp

memory/4744-132-0x00007FF74A520000-0x00007FF74A874000-memory.dmp

C:\Windows\System\kCpfLta.exe

MD5 0278932217198932283875e9c38cc92f
SHA1 43f4ee9ea335dec4b91692a86fe7727128e38e44
SHA256 134a97df01c3503de06cbfdbc9a5407052c9d8b962f7cf303c5731b0c3df33ca
SHA512 c30b4008ba669b3dadb07f46c99395609028b3ec39e3c82c36b139fe699a67435c54582bf31b4009e7021de6332350e8ca0c3287083f00c6e3ca95358f672315

memory/2044-131-0x00007FF722DA0000-0x00007FF7230F4000-memory.dmp

memory/4204-135-0x00007FF68FA70000-0x00007FF68FDC4000-memory.dmp

memory/1300-136-0x00007FF7162A0000-0x00007FF7165F4000-memory.dmp

memory/3872-137-0x00007FF7CF880000-0x00007FF7CFBD4000-memory.dmp

memory/3608-138-0x00007FF7C6000000-0x00007FF7C6354000-memory.dmp

memory/1184-139-0x00007FF6F52D0000-0x00007FF6F5624000-memory.dmp

memory/3156-140-0x00007FF6014E0000-0x00007FF601834000-memory.dmp

memory/4744-141-0x00007FF74A520000-0x00007FF74A874000-memory.dmp

memory/4144-142-0x00007FF763DA0000-0x00007FF7640F4000-memory.dmp

memory/928-143-0x00007FF648690000-0x00007FF6489E4000-memory.dmp

memory/3732-144-0x00007FF66DDA0000-0x00007FF66E0F4000-memory.dmp

memory/1856-145-0x00007FF759230000-0x00007FF759584000-memory.dmp

memory/2688-146-0x00007FF6CCD70000-0x00007FF6CD0C4000-memory.dmp

memory/4576-147-0x00007FF789A80000-0x00007FF789DD4000-memory.dmp

memory/2940-148-0x00007FF73A310000-0x00007FF73A664000-memory.dmp

memory/5116-149-0x00007FF61C490000-0x00007FF61C7E4000-memory.dmp

memory/2012-150-0x00007FF66F520000-0x00007FF66F874000-memory.dmp

memory/1724-151-0x00007FF7053E0000-0x00007FF705734000-memory.dmp

memory/2044-152-0x00007FF722DA0000-0x00007FF7230F4000-memory.dmp

memory/4204-153-0x00007FF68FA70000-0x00007FF68FDC4000-memory.dmp

memory/5100-154-0x00007FF6CC0D0000-0x00007FF6CC424000-memory.dmp

memory/1300-155-0x00007FF7162A0000-0x00007FF7165F4000-memory.dmp

memory/3872-156-0x00007FF7CF880000-0x00007FF7CFBD4000-memory.dmp

memory/3608-157-0x00007FF7C6000000-0x00007FF7C6354000-memory.dmp

memory/1184-158-0x00007FF6F52D0000-0x00007FF6F5624000-memory.dmp

memory/4416-159-0x00007FF7493E0000-0x00007FF749734000-memory.dmp

memory/3948-160-0x00007FF64E710000-0x00007FF64EA64000-memory.dmp

memory/3156-161-0x00007FF6014E0000-0x00007FF601834000-memory.dmp

memory/4744-162-0x00007FF74A520000-0x00007FF74A874000-memory.dmp
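
Two facts sit in the Files sections of both detonations that are easy to miss in the raw listing: every memory region the sandbox dumped for the sample and its children spans exactly 0x354000 bytes, whether at a 0x13F... image base on Windows 7, a 0x7FF7... base on Windows 10, or (for PID 2876 in behavioral1) at 0x22E0000 in non-image memory; and the 21 dropped executables carry 21 different hashes. The script below is an added example, not part of the report, that parses the memory.dmp names and hash blocks (a subset of the entries copied from above is embedded) to surface both. Function names are the example's own.

```python
import re
from collections import Counter, defaultdict

# Entries copied from the Files sections of this report (a subset of both detonations).
# Memory entries are named memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp; dropped files
# are a path line followed by one "ALGO hexdigest" line per hash.
FILES_SECTION = r"""
memory/2876-111-0x00000000022E0000-0x0000000002634000-memory.dmp
memory/1808-110-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/2876-135-0x000000013F460000-0x000000013F7B4000-memory.dmp
memory/4116-0-0x00007FF7DA940000-0x00007FF7DAC94000-memory.dmp
memory/4116-1-0x000001E7F7C70000-0x000001E7F7C80000-memory.dmp
memory/4144-8-0x00007FF763DA0000-0x00007FF7640F4000-memory.dmp
memory/928-14-0x00007FF648690000-0x00007FF6489E4000-memory.dmp
C:\Windows\System\eDevBkI.exe
MD5 27cbc8a03db7ae9a28cfe16399beaf76
SHA1 fe70df2be18ae57f0444c8ab9ab86f5b04203860
SHA256 b25ea7c4c1b38858cf40bcc2f0be4f2f135b373127ff4f88cb8fa260c98b30a6
C:\Windows\System\WDxfRaY.exe
MD5 a3a163f5ee9474e31ec724951b7299d4
SHA1 c42f25d7eeee306eeaa3215df1f508bf01fa9bbc
SHA256 05a1cc4688a055c748ab5084341991ec8cc9120541ce05c05ba25751dc46dbdf
C:\Windows\System\JbJhzWQ.exe
MD5 4e513726e21683dad85088742b7164b8
SHA1 9a11db260dbaca14cde1ce0aa8d18a26dbecccb4
SHA256 ec56ff910cf726d8f714a82db7c9319a0cf699a92c236e483ad08e789789ef75
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")


def parse_files(text):
    """-> (regions, dropped). regions: list of dicts with pid/seq/start/end/size;
    dropped: {path: {"md5": ..., "sha1": ..., "sha256": ..., ...}}."""
    regions, dropped, current = [], {}, None
    for line in text.strip().splitlines():
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            start, end = int(start, 16), int(end, 16)
            regions.append({"pid": int(pid), "seq": int(seq), "start": start,
                            "end": end, "size": end - start})
            current = None
            continue
        h = HASH_RE.match(line)
        if h and current is not None:
            dropped[current][h.group(1).lower()] = h.group(2)
        elif line:
            current = line                 # a path line opens a new dropped-file block
            dropped.setdefault(current, {})
    return regions, dropped


def region_size_histogram(regions):
    """size -> how many dumped regions have it; one dominant size means one payload."""
    return dict(Counter(r["size"] for r in regions))


def regions_by_pid(regions):
    """pid -> [(start, size), ...] in dump order; shows where each PID's copy lives."""
    out = defaultdict(list)
    for r in sorted(regions, key=lambda r: r["seq"]):
        out[r["pid"]].append((r["start"], r["size"]))
    return dict(out)


def copies_of_payload(regions, size):
    """Start addresses of regions of the given size per PID. A PID with more than one
    holds the payload at its own image base and again elsewhere (an in-memory copy)."""
    return {pid: [s for s, sz in lst if sz == size]
            for pid, lst in regions_by_pid(regions).items() if any(sz == size for _, sz in lst)}


def unique_hashes(dropped, algo="sha256"):
    """Distinct digests across the dropped files; equal to the file count here."""
    return {v[algo] for v in dropped.values() if algo in v}


if __name__ == "__main__":
    regions, dropped = parse_files(FILES_SECTION)
    print({hex(k): v for k, v in region_size_histogram(regions).items()})
    for pid, starts in copies_of_payload(regions, 0x354000).items():
        print(pid, [hex(s) for s in starts])
    print(len(dropped), "dropped files,", len(unique_hashes(dropped)), "distinct SHA-256s")
```

The practical consequence: a hash blocklist built from this report catches only the specific files seen in this run, because each copy the sample writes has its own digest. Detection and hunting should key on the path pattern (seven random letters, .exe, under C:\Windows\System, written by a process running from the user's Temp directory) and, for memory forensics, on a 0x354000-byte region appearing in a process at an address that is not its image base.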