Malware Analysis Report

2025-03-15 08:03

Sample ID 240813-n98tsasdpd
Target 2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat
SHA256 27e4768a567a38f5bae2336588a4021de5a7d3e1f5761e5252d14c1ac2bdbf97
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

27e4768a567a38f5bae2336588a4021de5a7d3e1f5761e5252d14c1ac2bdbf97

Threat Level: Known bad

The file 2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike

xmrig

Cobaltstrike family

XMRig Miner payload

Xmrig family

Cobalt Strike reflective loader

XMRig Miner payload

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-13 12:06

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 12:06

Reported

2024-08-13 12:09

Platform

win7-20240708-en

Max time kernel

140s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\DgwMROP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mqVikfR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SzGdlrK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kygzDZq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rZnWTWI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ndsKaEo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\udrGZci.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VfGXmgT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LzXGQMK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tvgFlzu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fRYuURj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gLcbeMl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XsYECbs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mzpYgyu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rntEvRY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GxXxpDT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oCtTmRs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RYEoNaU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WuyODxY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XZCVund.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EWfTFdA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2380 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tvgFlzu.exe
PID 2380 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tvgFlzu.exe
PID 2380 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tvgFlzu.exe
PID 2380 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mzpYgyu.exe
PID 2380 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mzpYgyu.exe
PID 2380 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mzpYgyu.exe
PID 2380 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rntEvRY.exe
PID 2380 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rntEvRY.exe
PID 2380 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rntEvRY.exe
PID 2380 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GxXxpDT.exe
PID 2380 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GxXxpDT.exe
PID 2380 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GxXxpDT.exe
PID 2380 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fRYuURj.exe
PID 2380 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fRYuURj.exe
PID 2380 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fRYuURj.exe
PID 2380 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kygzDZq.exe
PID 2380 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kygzDZq.exe
PID 2380 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kygzDZq.exe
PID 2380 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gLcbeMl.exe
PID 2380 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gLcbeMl.exe
PID 2380 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gLcbeMl.exe
PID 2380 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rZnWTWI.exe
PID 2380 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rZnWTWI.exe
PID 2380 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rZnWTWI.exe
PID 2380 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ndsKaEo.exe
PID 2380 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ndsKaEo.exe
PID 2380 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ndsKaEo.exe
PID 2380 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RYEoNaU.exe
PID 2380 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RYEoNaU.exe
PID 2380 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RYEoNaU.exe
PID 2380 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WuyODxY.exe
PID 2380 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WuyODxY.exe
PID 2380 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WuyODxY.exe
PID 2380 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XsYECbs.exe
PID 2380 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XsYECbs.exe
PID 2380 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XsYECbs.exe
PID 2380 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XZCVund.exe
PID 2380 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XZCVund.exe
PID 2380 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XZCVund.exe
PID 2380 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\udrGZci.exe
PID 2380 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\udrGZci.exe
PID 2380 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\udrGZci.exe
PID 2380 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DgwMROP.exe
PID 2380 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DgwMROP.exe
PID 2380 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DgwMROP.exe
PID 2380 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EWfTFdA.exe
PID 2380 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EWfTFdA.exe
PID 2380 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EWfTFdA.exe
PID 2380 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mqVikfR.exe
PID 2380 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mqVikfR.exe
PID 2380 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mqVikfR.exe
PID 2380 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VfGXmgT.exe
PID 2380 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VfGXmgT.exe
PID 2380 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VfGXmgT.exe
PID 2380 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LzXGQMK.exe
PID 2380 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LzXGQMK.exe
PID 2380 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LzXGQMK.exe
PID 2380 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SzGdlrK.exe
PID 2380 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SzGdlrK.exe
PID 2380 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SzGdlrK.exe
PID 2380 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oCtTmRs.exe
PID 2380 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oCtTmRs.exe
PID 2380 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oCtTmRs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\tvgFlzu.exe

C:\Windows\System\tvgFlzu.exe

C:\Windows\System\mzpYgyu.exe

C:\Windows\System\mzpYgyu.exe

C:\Windows\System\rntEvRY.exe

C:\Windows\System\rntEvRY.exe

C:\Windows\System\GxXxpDT.exe

C:\Windows\System\GxXxpDT.exe

C:\Windows\System\fRYuURj.exe

C:\Windows\System\fRYuURj.exe

C:\Windows\System\kygzDZq.exe

C:\Windows\System\kygzDZq.exe

C:\Windows\System\gLcbeMl.exe

C:\Windows\System\gLcbeMl.exe

C:\Windows\System\rZnWTWI.exe

C:\Windows\System\rZnWTWI.exe

C:\Windows\System\ndsKaEo.exe

C:\Windows\System\ndsKaEo.exe

C:\Windows\System\RYEoNaU.exe

C:\Windows\System\RYEoNaU.exe

C:\Windows\System\WuyODxY.exe

C:\Windows\System\WuyODxY.exe

C:\Windows\System\XsYECbs.exe

C:\Windows\System\XsYECbs.exe

C:\Windows\System\XZCVund.exe

C:\Windows\System\XZCVund.exe

C:\Windows\System\udrGZci.exe

C:\Windows\System\udrGZci.exe

C:\Windows\System\DgwMROP.exe

C:\Windows\System\DgwMROP.exe

C:\Windows\System\EWfTFdA.exe

C:\Windows\System\EWfTFdA.exe

C:\Windows\System\mqVikfR.exe

C:\Windows\System\mqVikfR.exe

C:\Windows\System\VfGXmgT.exe

C:\Windows\System\VfGXmgT.exe

C:\Windows\System\LzXGQMK.exe

C:\Windows\System\LzXGQMK.exe

C:\Windows\System\SzGdlrK.exe

C:\Windows\System\SzGdlrK.exe

C:\Windows\System\oCtTmRs.exe

C:\Windows\System\oCtTmRs.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2380-0-0x000000013FFB0000-0x0000000140301000-memory.dmp

memory/2380-1-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\tvgFlzu.exe

MD5 0bd627f43568e8f1e2640cc417dee621
SHA1 dd54221c8bb32c7b6f76023d253c03df2d989065
SHA256 99e80d4bafcd86443e7d9115382296178b784955842ae8d36b5bd15b5cb99bfc
SHA512 acee98bf94bdd310647137b7232f0ae8bb58952e4a07759c1cbee8c19974e0f565c8ae7a66d4f7995c2fc6f193d0114cb403ee955d210c7224ef2c3431db0e2e

memory/2380-7-0x000000013F210000-0x000000013F561000-memory.dmp

\Windows\system\mzpYgyu.exe

MD5 39798e228d5fb48afd4dfac350fcc50a
SHA1 53f0e1845352779e911bdc7356802d8456a7d140
SHA256 a5ed13a4cf6b26d5b71f5e77b439857ad28953a58015cfe91d9bc43d90610c2a
SHA512 c57f21839d3a2c386481483b17b33ae6fa763a176365373cc60997208e984de52e9bd6ebc09210d95595ca3fb582462367408917e2ab4fc492e5bcb1c9306ec3

C:\Windows\system\rntEvRY.exe

MD5 af93200f6cba4ea8d280ca5108336fa7
SHA1 945f67832ffb4d9d2eb478192fd28ca554347590
SHA256 28c7178408047d3ef5fa569e17d3f79a78d94882c3319c1d9e6979f5e85f2f61
SHA512 8a9b06c2db477f9af487f02923cb2e959d821ee96dea5b08edfd3a0dc79af602a6f9afe44a0a7d56fb54388bc3cb76821f408e1e72650ec4e61d753c1b06b7c4

memory/2040-22-0x000000013F2B0000-0x000000013F601000-memory.dmp

\Windows\system\GxXxpDT.exe

MD5 50b8a9bff2b93592425c1026e6caba90
SHA1 dce99f00009cae382281d8924eed1bcc9059802f
SHA256 3744b5fc3c6caaea5072b6638f799c78165a8f70e2d3ddf5a76bbd14fb5d8b28
SHA512 1e86d17aa4b8b1727f4df0b419a31707b836afd7b278fae06a2a0133b265d3461aba411c33443ce0785a5217fa47674c44b0ee9f40850b38d2331a59a8a10544

memory/2380-16-0x000000013F9E0000-0x000000013FD31000-memory.dmp

memory/2084-15-0x000000013F9E0000-0x000000013FD31000-memory.dmp

memory/2332-13-0x000000013F210000-0x000000013F561000-memory.dmp

memory/2988-28-0x000000013F500000-0x000000013F851000-memory.dmp

C:\Windows\system\fRYuURj.exe

MD5 ecad4c50104bbac9165f120320dd0258
SHA1 8a12cfadd04ba8a9aead5e5aaf81f5a4ef6994f1
SHA256 fb24997cfd9ae081edd9b14cc9d89b834331352cea143ba4372fcabf17ed70cd
SHA512 25d666e14695790e4a76b86e125c7e1e5ba09a36fbf384c4019561498de78e43a0b1c400576c156212116c3104da534b938e7770a3cef03bd80f951fff957ce0

C:\Windows\system\kygzDZq.exe

MD5 af2e59888d6e42ea1e87333437132709
SHA1 a3a7c76e4332daf9c6f9e182629bb682f4e75f6c
SHA256 245b1e001f4aef09a328b8ee78f6c96f1d61587e32d8ab4fbb0645bc4567c5a7
SHA512 5e4258d7d1ef8be054c2ac071b72d7acb8897a097105b39a6d5ea4fdaeb82f2e2fdbe1cf811db43dd238d5ded65f91896d26e20f4b3121b938728556d354dab1

memory/2380-48-0x000000013F210000-0x000000013F561000-memory.dmp

\Windows\system\rZnWTWI.exe

MD5 920bcd61137f6a23bed3e4bc11346ef7
SHA1 2123dca5f23a5e29b60acc66180be7756e8aad40
SHA256 ac6cf97dd6ef432e3110f8996444ace62df7cc61d06d1988b19144edfe5ba07d
SHA512 4fbcd75f1c933be37314b007b2dfca36ef2178125a9cab3cd7daaaa69ef6389d909ac93d89b919d3433f1edd734a15a8d6cda84f3e93f646d422e16e19ef2457

memory/2332-54-0x000000013F210000-0x000000013F561000-memory.dmp

memory/2796-52-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

memory/2380-49-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

memory/2380-47-0x000000013FFB0000-0x0000000140301000-memory.dmp

C:\Windows\system\gLcbeMl.exe

MD5 f81961949a28fe6bc92235cdb788e2bf
SHA1 6d005ac72c1f1890bb8999ff3beda70e4140d522
SHA256 eb28a93b0ff18087133c876ad082b7be8cbdab87549cc453a42b074121e1334e
SHA512 ce88898eb0fcec6c5ed38462ee646665c67da6ec678b9d3007e331879ccfc28afa10fec14f3c462a5eb1b811322a0a96c243aca6805e3b19063e37ec9a43347b

memory/2964-42-0x000000013F200000-0x000000013F551000-memory.dmp

memory/2380-40-0x000000013F200000-0x000000013F551000-memory.dmp

memory/2124-38-0x000000013FB30000-0x000000013FE81000-memory.dmp

memory/2380-33-0x000000013FB30000-0x000000013FE81000-memory.dmp

memory/2380-27-0x000000013F500000-0x000000013F851000-memory.dmp

memory/2084-58-0x000000013F9E0000-0x000000013FD31000-memory.dmp

memory/2756-60-0x000000013F070000-0x000000013F3C1000-memory.dmp

\Windows\system\ndsKaEo.exe

MD5 a2cd55275a319e74c39937e531ad1c5b
SHA1 14898b884201c680c00f5f7c7d85b355f193e143
SHA256 2090e61300920af43a5fdd2d442f125b10c908727e505aad7489b6d36ee5ee9c
SHA512 868a430a15b31b1b576391034a55c478fa767820eb09d7f3aa77cf13d2e37c349dfa8d6b421ff24ec74ef00bb21c8af57faf765eeedf2fddff6bb36d60a445e5

memory/2740-66-0x000000013F450000-0x000000013F7A1000-memory.dmp

memory/2380-64-0x000000013F450000-0x000000013F7A1000-memory.dmp

C:\Windows\system\RYEoNaU.exe

MD5 6e086a3419617075420028b4a749b0af
SHA1 df400656289f54a6ee8b724f43204d0900932a0a
SHA256 d70ae2d406950967ca3180f01c12a740dbdba4b1187bf9055becbbfbc449b91a
SHA512 bd5ffe718a4e97339bf55fd0d06319676e0518ba1da3c887bfa548efeb7597ecb171c599a2ea03219b338356769a4bce81cf2d068625bd49b27c3ec8bf5b0379

memory/2380-71-0x000000013F450000-0x000000013F7A1000-memory.dmp

memory/2380-74-0x000000013F4E0000-0x000000013F831000-memory.dmp

\Windows\system\WuyODxY.exe

MD5 2fa133df7f366fb1d60d05bd1e85d8e3
SHA1 8794a1674c83ffb1dbe80f38bdc9314cb03d6dd6
SHA256 8a9fbed79d4c33fb9e1ad252f787d512b05a31fc9d13ce542bd4ca3bf100a7b6
SHA512 e69f1e82e459286c3cc0954bafb6e41dedb5e6bd18a01f0fab796b2f9e82e44360b3f31b7f92e15d5a98aceaaad18f7d4389651bb55869fbf79a14dd4a81002e

memory/2168-81-0x000000013F4E0000-0x000000013F831000-memory.dmp

memory/2380-83-0x000000013F4B0000-0x000000013F801000-memory.dmp

\Windows\system\XsYECbs.exe

MD5 53146f93631eea9e5a548138f09249a6
SHA1 e1b5d48cd559222cc64f3d300af8f53745f26dbf
SHA256 53b1e1d4172f79600d640d9390cc6bf21efb8d8f3c6d71e876fa2ccdabf01c94
SHA512 69374054274f0a36c27f9e20203f3578a14310c9ca9e354043b663255214d128cb2b920ae047f42b7789a83ae9af98ffbc735dbf3454fbe7e6f1c5531804113b

memory/2988-79-0x000000013F500000-0x000000013F851000-memory.dmp

\Windows\system\XZCVund.exe

MD5 c4d0806b22b708817e732f0f548570ed
SHA1 e96180364984832f33ca8dfd448afcc7b7e7c9d5
SHA256 4b4936b88c8e02777f9f19781161e4398075fbf993347232dbd95a553f6d8207
SHA512 f47dbcea544e2b6ee2f6002087199e927ca48aa8ac99a835e203a58143b463bae306916e347f9bece9556b0c3a61563fdd5206487dd00dede292da13851d32ba

memory/2124-92-0x000000013FB30000-0x000000013FE81000-memory.dmp

\Windows\system\udrGZci.exe

MD5 75c7d34d3d069a2f64ec7d99bba4a2b9
SHA1 a1ab80ce764cc35277ce6ae71052901a8625900e
SHA256 4d27531f1a1b9bf27e4f82a74e13bb38818988ea756f686760a5af7c64973477
SHA512 d91fe1b72a3102b03eed3c2c78a8bd757bb96b6e4a3cd67a722f4f756c4e0fc4d03b0c893334c639d0a009f22051df0ff3dfbd7bcc0b6336173a6fc4713add6b

C:\Windows\system\DgwMROP.exe

MD5 2b86d08f2ac434aba099115edbe3f54c
SHA1 99dad65c3d09f1ff4abc32e72766d1f463f2c550
SHA256 d65e70c0cb8747c452a7796a84efae3628f7013aab363ab214e236412ab41edb
SHA512 2004418e87c1ee497b9cddecd5f7e860044697183ab492edfd2c8be99347654a4732b16df4d218e9f2c5a90b1f7a6dd3b79523fd18dc037697fc3c1e86df1eed

memory/952-128-0x000000013F4B0000-0x000000013F801000-memory.dmp

memory/2964-127-0x000000013F200000-0x000000013F551000-memory.dmp

C:\Windows\system\VfGXmgT.exe

MD5 7752081149451de1521633db2d37b9be
SHA1 5e0e802661831830fa42d7a73dc978e655f7b1ac
SHA256 5ed35c6aa8c685104f113548d4b027dfc68b94e329adff5ae43ca0e109373fe6
SHA512 3721efda13a0bb8c7014de76345f189edcf60c7ab159654436238f5a0e296a6eaf5e545cd1cb8a21002c02a4e6eedeaab70be88bacd5987b3f3ee1c84bdbd859

\Windows\system\SzGdlrK.exe

MD5 d85532cf001b4a16567c6c599085156c
SHA1 51242d1225a30bf8043b6af3e2096026ef6f026d
SHA256 abc9eca68f47af789bb658af7b1c97141bbafcc5a600ceed1f38cdafcf7d06ff
SHA512 363025e6793988e59a4e8b7c8e43bda8296a8d9cfdf071b677b1ea887a1bc44f6e0bcff708c0aeebd1d76529edf899970d6dbebe7e5abc26b3e2b7510095bb4d

C:\Windows\system\mqVikfR.exe

MD5 50fb721466ba732d86cbb05fe715e1a3
SHA1 780d86c4b978b6ade17db09ea9523877c3aa064e
SHA256 bf4e769f06887dfd38185d3e872a177cded293d56bba1dd9253c0a5b342fd88a
SHA512 8e1cd01386562b6f043750748376f6e2e3ea34504462497e998099d444ee40d4df41dfe5c7e72bb17483818a6c86737c61a960b43ed5eaad22fa8c1e4419c91f

memory/2796-138-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

memory/2380-137-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

memory/2380-135-0x000000013F4D0000-0x000000013F821000-memory.dmp

memory/2380-134-0x0000000002390000-0x00000000026E1000-memory.dmp

memory/2380-133-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

memory/2420-131-0x000000013F4D0000-0x000000013F821000-memory.dmp

memory/3048-130-0x000000013FE00000-0x0000000140151000-memory.dmp

C:\Windows\system\oCtTmRs.exe

MD5 a5234dee213901a665dd61a269d1c091
SHA1 660721a3737d583df0418a3182c7ba62ce2ffb78
SHA256 ce70acf5581745fade183dee2fd48bca5c0740b8e1f763a6ebe4b1f1fb3c6b8e
SHA512 feb733cd33b325edbbf4af9dd0ce1f5139427a1366ef7acd8d1b5bcec2ceb649df3c02e767e6c7e67c082f04a362de7b112e92de487d3166739d2c3c54b47c2b

C:\Windows\system\EWfTFdA.exe

MD5 14a3ab15149971d90e41302300a34831
SHA1 af060473015e7b6a8860bc6b325ed22afff9f8f0
SHA256 f431c4ceff858aed18f6964bf82818b5f418123777d06e44743d9a6be13bb46e
SHA512 c58660272a9b21f4a21b541723bc0391d90a4c6eaa620b9a15bcf6e461792a34962b820c3dc744a5575912986f975f055fbd957c3ee25a6be0a362a0a83aacd6

C:\Windows\system\LzXGQMK.exe

MD5 631bc2d74318062576ef79d1dadca639
SHA1 d3af2fa37e2b0f8d0d17e508cb2c726a8a5063a6
SHA256 d138e2d6056a5ec1acb143d5478cadaa119faf78fd2900779d826b6aa5e0cff2
SHA512 7ea5ee5c005a6b8408eadb9812ce0895d7a3261f555e9be2a0c05c5443f6f71708eb6e9242da0b9b70a02aec2e7f5dbd6c8291a5285a78a2657b717fe277d764

memory/2756-142-0x000000013F070000-0x000000013F3C1000-memory.dmp

memory/2380-143-0x000000013FFB0000-0x0000000140301000-memory.dmp

memory/2380-152-0x000000013F450000-0x000000013F7A1000-memory.dmp

memory/2740-153-0x000000013F450000-0x000000013F7A1000-memory.dmp

memory/2280-154-0x000000013F450000-0x000000013F7A1000-memory.dmp

memory/2380-166-0x000000013F450000-0x000000013F7A1000-memory.dmp

memory/2928-165-0x000000013F200000-0x000000013F551000-memory.dmp

memory/1788-164-0x000000013F6D0000-0x000000013FA21000-memory.dmp

memory/1988-162-0x000000013F350000-0x000000013F6A1000-memory.dmp

memory/2288-161-0x000000013FFB0000-0x0000000140301000-memory.dmp

memory/1192-160-0x000000013F650000-0x000000013F9A1000-memory.dmp

memory/1048-159-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

memory/1612-163-0x000000013FCD0000-0x0000000140021000-memory.dmp

memory/2380-167-0x000000013FFB0000-0x0000000140301000-memory.dmp

memory/2380-180-0x000000013F4B0000-0x000000013F801000-memory.dmp

memory/2332-213-0x000000013F210000-0x000000013F561000-memory.dmp

memory/2084-215-0x000000013F9E0000-0x000000013FD31000-memory.dmp

memory/2040-217-0x000000013F2B0000-0x000000013F601000-memory.dmp

memory/2988-219-0x000000013F500000-0x000000013F851000-memory.dmp

memory/2124-229-0x000000013FB30000-0x000000013FE81000-memory.dmp

memory/2964-232-0x000000013F200000-0x000000013F551000-memory.dmp

memory/2796-233-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

memory/2756-235-0x000000013F070000-0x000000013F3C1000-memory.dmp

memory/2740-237-0x000000013F450000-0x000000013F7A1000-memory.dmp

memory/2168-239-0x000000013F4E0000-0x000000013F831000-memory.dmp

memory/2280-241-0x000000013F450000-0x000000013F7A1000-memory.dmp

memory/952-253-0x000000013F4B0000-0x000000013F801000-memory.dmp

memory/3048-255-0x000000013FE00000-0x0000000140151000-memory.dmp

memory/2420-257-0x000000013F4D0000-0x000000013F821000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 12:06

Reported

2024-08-13 12:09

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\uPKnRHC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XSUuiBb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uMhJNcr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SbkfuFZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zwBqucR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wgAkEam.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yijgihj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dhSgOsX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hjoHinH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qoRLWCu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KhhaQYd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DqiZGIw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vsVpqre.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dyWwWex.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hFkiHWi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sGenysT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WjxlfHw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NuUYVNv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wYXTOfb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aXcjMcb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gxAIKfF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3240 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wgAkEam.exe
PID 3240 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wgAkEam.exe
PID 3240 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yijgihj.exe
PID 3240 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yijgihj.exe
PID 3240 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aXcjMcb.exe
PID 3240 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aXcjMcb.exe
PID 3240 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gxAIKfF.exe
PID 3240 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gxAIKfF.exe
PID 3240 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vsVpqre.exe
PID 3240 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vsVpqre.exe
PID 3240 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uPKnRHC.exe
PID 3240 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uPKnRHC.exe
PID 3240 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qoRLWCu.exe
PID 3240 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qoRLWCu.exe
PID 3240 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KhhaQYd.exe
PID 3240 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KhhaQYd.exe
PID 3240 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hFkiHWi.exe
PID 3240 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hFkiHWi.exe
PID 3240 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dyWwWex.exe
PID 3240 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dyWwWex.exe
PID 3240 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sGenysT.exe
PID 3240 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sGenysT.exe
PID 3240 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XSUuiBb.exe
PID 3240 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XSUuiBb.exe
PID 3240 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dhSgOsX.exe
PID 3240 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dhSgOsX.exe
PID 3240 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WjxlfHw.exe
PID 3240 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WjxlfHw.exe
PID 3240 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uMhJNcr.exe
PID 3240 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uMhJNcr.exe
PID 3240 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NuUYVNv.exe
PID 3240 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NuUYVNv.exe
PID 3240 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DqiZGIw.exe
PID 3240 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DqiZGIw.exe
PID 3240 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SbkfuFZ.exe
PID 3240 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SbkfuFZ.exe
PID 3240 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wYXTOfb.exe
PID 3240 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wYXTOfb.exe
PID 3240 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hjoHinH.exe
PID 3240 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hjoHinH.exe
PID 3240 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zwBqucR.exe
PID 3240 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zwBqucR.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\wgAkEam.exe

C:\Windows\System\wgAkEam.exe

C:\Windows\System\yijgihj.exe

C:\Windows\System\yijgihj.exe

C:\Windows\System\aXcjMcb.exe

C:\Windows\System\aXcjMcb.exe

C:\Windows\System\gxAIKfF.exe

C:\Windows\System\gxAIKfF.exe

C:\Windows\System\vsVpqre.exe

C:\Windows\System\vsVpqre.exe

C:\Windows\System\uPKnRHC.exe

C:\Windows\System\uPKnRHC.exe

C:\Windows\System\qoRLWCu.exe

C:\Windows\System\qoRLWCu.exe

C:\Windows\System\KhhaQYd.exe

C:\Windows\System\KhhaQYd.exe

C:\Windows\System\hFkiHWi.exe

C:\Windows\System\hFkiHWi.exe

C:\Windows\System\dyWwWex.exe

C:\Windows\System\dyWwWex.exe

C:\Windows\System\sGenysT.exe

C:\Windows\System\sGenysT.exe

C:\Windows\System\XSUuiBb.exe

C:\Windows\System\XSUuiBb.exe

C:\Windows\System\dhSgOsX.exe

C:\Windows\System\dhSgOsX.exe

C:\Windows\System\WjxlfHw.exe

C:\Windows\System\WjxlfHw.exe

C:\Windows\System\uMhJNcr.exe

C:\Windows\System\uMhJNcr.exe

C:\Windows\System\NuUYVNv.exe

C:\Windows\System\NuUYVNv.exe

C:\Windows\System\DqiZGIw.exe

C:\Windows\System\DqiZGIw.exe

C:\Windows\System\SbkfuFZ.exe

C:\Windows\System\SbkfuFZ.exe

C:\Windows\System\wYXTOfb.exe

C:\Windows\System\wYXTOfb.exe

C:\Windows\System\hjoHinH.exe

C:\Windows\System\hjoHinH.exe

C:\Windows\System\zwBqucR.exe

C:\Windows\System\zwBqucR.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 23.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp

Files

memory/3240-0-0x00007FF676F90000-0x00007FF6772E1000-memory.dmp

memory/3240-1-0x000001DF72340000-0x000001DF72350000-memory.dmp

C:\Windows\System\wgAkEam.exe

MD5 241ed7f461b9bfed03d59453b963fd3c
SHA1 fe04f5cabfb1d152769519475f7aefe7cf2bf0d9
SHA256 de0be3b5c7fca76283bdea06ea294c3f9b5c7a8f5773129f47fe25b7fbb4ed8c
SHA512 628e8251d91fd6c713a67dec659c63cf0ea26ab19c308f9caad8dad8121780d7ad80d9e226af441c9d71350799e22494d7152654f5c013e65c20ddf6d212fe8b

C:\Windows\System\aXcjMcb.exe

MD5 f2b91ede8487059cbd69423567fb3199
SHA1 264939e9517c348d4b815aaa60484afabbc0f69c
SHA256 8abcb28ad05db1e056fef53d7ab358b7bf96b632a0d388eaa525f5d8530a06c2
SHA512 f9fc715623c3a5d2968c838ca58659b27dd496d0dde1c84efef92a3388880e6568a1a8a22821ba7e6d3a59adfb7befaf378b6eaa94bcd377c8bea570aabb5a1b

C:\Windows\System\vsVpqre.exe

MD5 e047fd53e3283d150be12e8bc63e478f
SHA1 ddc046dd4cb03853fca42f4ce5ed5e64d8938a3a
SHA256 3dda5f39718ad9bd6ee4f5d3413c73c9326b014aa0f1a87080c69167bce1a87e
SHA512 cae790613a47e311324536604872b01ab05712d2247597c660416f7d379cd294dbada847403a137890660db9dee5e7ede680abfb4a3908aabc64602e3d974cb4

memory/4812-41-0x00007FF6AD380000-0x00007FF6AD6D1000-memory.dmp

C:\Windows\System\hFkiHWi.exe

MD5 626df3f140bfb81ddd6c4f568e0dd5ac
SHA1 ee35d76f3d9b56cc6a891f133ecea9af89cf8d51
SHA256 1007508939c9482dcb5e7d2526eb5282b489b7298dc33bcccd8647c1d9d5730d
SHA512 f1763eb44134ea849f752c991b36d8f65b2466a74114b293200c013ee7f24a23bfd90c0646058199281a210af6f6b3163c5066f6ce296b028814c25674457b93

C:\Windows\System\KhhaQYd.exe

MD5 abcbd2ec613ab308b753b5d38dc48003
SHA1 024d350f874d2db552c9d70451dab7f37013f1c4
SHA256 9d91b0ac6beb3406559ee15d8d8c6fa706430a93325fa4c8324fb7c1888e38ce
SHA512 6c60884f21bbf890da7f6645f67494aebc1e1063b46628e5d421c42b1d3266c4aaabb6f3d8672e12371582c030cab672658ff852b622b9e3131a0397b77325b2

C:\Windows\System\qoRLWCu.exe

MD5 fd66cfbfc1336324246dc0d7c3eb5910
SHA1 f22bde4f5f884ddfde62980d26a9154373111cbf
SHA256 2be00b5f177b10104099bb4501b77c6897844c05ea2edfb3af550188143d56b8
SHA512 51296924085fa6c9e4203e4ec66da7dffee39e3328e9ac40f64d3ad4f7b6e0d8abb8c736d635ac7ec11bee5ee59c7e3297f1444494c488f5bd75dd5a2d42cd29

memory/4300-38-0x00007FF65C150000-0x00007FF65C4A1000-memory.dmp

C:\Windows\System\uPKnRHC.exe

MD5 5ab3bb9eedbe560e5a5de3900f3a6312
SHA1 c439cb81a976219b50c3b813991d53b8d39f2ca0
SHA256 a6cc13b31ec499251db099edf8f0ce9a5a3d5798913808a18522cc5d9cebced8
SHA512 c22b12d9270834e8a0d0a7862642b7a2ee1811716958351435df5267fdace14cae2ffda66327b1e731c40f149b8aae8110327a7c5c056f03c75e254f5abe850e

memory/4308-32-0x00007FF7D8BB0000-0x00007FF7D8F01000-memory.dmp

memory/3908-25-0x00007FF743090000-0x00007FF7433E1000-memory.dmp

memory/396-20-0x00007FF651E30000-0x00007FF652181000-memory.dmp

C:\Windows\System\gxAIKfF.exe

MD5 76f65ff8d6af68a62dbf39e146707887
SHA1 a0b89574470fd276c82ec7084a94dd851b578cd0
SHA256 3c4bbc1d7a4e37fbad1e8abd2de9bb9d4d1555d4cb7e2e15bcf862e6e98f43c0
SHA512 55b8c8ce2aed4d30f3546e86e1690b8e5ab0d2f0de3608c786afb8671243eaa3ebcb70700c48505a59177a74b2d233796c7d84a2dda426e65e1e6320dcb8030b

C:\Windows\System\yijgihj.exe

MD5 634ca7303131e4a74b2334f3b892d5f3
SHA1 b92bfaafffe382a423c474375bd1ee159cd0b15e
SHA256 8cce443f349c3858837ee7358439a4763a21be4df1c15b6350eb17b15aeb0674
SHA512 20680f0ea1f40fd0b66af9f061a7eb9c728cef738184712e6cd5677e5d26e6eae5f8a6233d81801dab802a8d835ba4269c4b05e2e41c5cd079f9f7f5ee866221

memory/4628-6-0x00007FF701370000-0x00007FF7016C1000-memory.dmp

C:\Windows\System\sGenysT.exe

MD5 32f1b9f67374cf108570bb9771653585
SHA1 42b8a0973d92a8f5c72f4e03be1fcc30b0623a39
SHA256 36e61b9c8a59c11cdfd9d50df7bfce19e58049ae0068d4f3f3ea3dc10d5760cc
SHA512 65299f5b022a4b94dbf84da4f37abbcf607aa274c8203400ab46fe76c5c393fae3fadcdaaea1892ffae8972246927e13de201e383dca294689078a26c239be44

C:\Windows\System\dhSgOsX.exe

MD5 17dc9b750b2e08fad1f5ce747fd0bd39
SHA1 40dc4e89f8b16c747a92b47c1ad2c89d74f46cb4
SHA256 73baa9f65ee30575f1bab01737056b3ccc5c65dfd917b97427c79e0c48b0048f
SHA512 1b7c36b046b0d0b79a446b60bc87242506ffd43ae6af5bce5894bbd209f258322e532705d0f2f35e10c450f92ac02235eee804c94abdce9c3588163a3ef738a3

C:\Windows\System\WjxlfHw.exe

MD5 00d4679133107d98cf10737b58092240
SHA1 b00b50e96d1940217686c44bc99bc0b04d8ecf90
SHA256 9ed9a7e208d8f1db7049c2c75d75dbf26647abfff412fb0a94817ca3c2499289
SHA512 0bbc3f6738f2d8d23e9eff8671a27898fd4ff2d087201f764d1c9277a01d2840e06cf17b8c91a0dc2af06a1d1adf812ff6cba90f223c1a80c510042989131b6e

memory/1568-89-0x00007FF681410000-0x00007FF681761000-memory.dmp

memory/2440-92-0x00007FF64E070000-0x00007FF64E3C1000-memory.dmp

C:\Windows\System\NuUYVNv.exe

MD5 3cbfc9d6a15e0027e36cdc0d25c507d2
SHA1 a48bc1094b32cd09cdb6e2fd4b13457ebdde03e8
SHA256 8c415c6de28be74a4ee6ad7dc9cb01e97d8f46cd802b54bb83fd45546c74b3a5
SHA512 17a400a67ac9892286acf07847829f05f16b54772ba2c1b3a10e81417b78983ab53b1d2fce4a53705823dbd087099a3ee10729b8e5604d65cecb266d29be47ed

C:\Windows\System\uMhJNcr.exe

MD5 4995fe14bd36f550e6f5cc4d11e8f104
SHA1 4c2e87adcc9b6dd938108a19def1d85685cacdeb
SHA256 c440af61d06ece8090a1c336ce57e2cb1967b8a9295988033e9c5da2bb45ddbc
SHA512 1ce76475966ff166090d50b1b3300d6198dcbae79682631aa13e6276d7f85c151549083a027991006704b8d5a770add6c7f319f18fb71465fcabbbaec285472b

memory/4776-94-0x00007FF611570000-0x00007FF6118C1000-memory.dmp

memory/3924-93-0x00007FF7BD890000-0x00007FF7BDBE1000-memory.dmp

memory/3956-91-0x00007FF7D87F0000-0x00007FF7D8B41000-memory.dmp

memory/5080-90-0x00007FF741710000-0x00007FF741A61000-memory.dmp

memory/3560-88-0x00007FF75F110000-0x00007FF75F461000-memory.dmp

C:\Windows\System\dyWwWex.exe

MD5 2fe723fe4d864cb97418a4f16050f2d4
SHA1 8cf4647f8812d6948df9bfc4924a8cd5fdb23bab
SHA256 0fa5c2bcdfcefc83c0581ff380a330123466478ec7228747b61ad1d844587c88
SHA512 7593c894cc9879d6b79df4b5e6f02fa8ca3aeb68a3dfc8415c88da0d441b3c928f5db347c4b27b83eaa0d511e1b5d9a06ce475e2adfe561d2029ae9725c46ae2

C:\Windows\System\XSUuiBb.exe

MD5 61b0c0de3d9024fe30d6e6694a14df6c
SHA1 b190b86c0e502136b17412cb89b6a08542c5b6f5
SHA256 e086a634fadc3053a4f27caaba1039eba29513f0aba6da2e80f67797e6742ff6
SHA512 d88102668650ec13a4fbd9146fb5530c97bac49c6a4a16d07510b02815dec3af8a77d870c694e60bd02a865fb1e3c5d06a3eca22ddc7d0cc70e3c90e41cd4b14

memory/3608-67-0x00007FF7818F0000-0x00007FF781C41000-memory.dmp

memory/3412-60-0x00007FF7D20D0000-0x00007FF7D2421000-memory.dmp

memory/5104-50-0x00007FF682B20000-0x00007FF682E71000-memory.dmp

C:\Windows\System\DqiZGIw.exe

MD5 a25ec57e554fece67f65821b2fb76a20
SHA1 523b9dd548d328e8eff8e8c4616fa38cb25b0004
SHA256 4de55082c86144a91bad373bf4f58069105c0ce8fe1f4e5994a98d837519b1fa
SHA512 1ae184d92126b17e94e17cfba91425cb540d7bc45b026a699c9d012b3dd50636266524194f05e0a2b2c62ba79d600b008118c2ef03ca4b30324505e66634d86b

memory/3780-102-0x00007FF7BBDE0000-0x00007FF7BC131000-memory.dmp

C:\Windows\System\wYXTOfb.exe

MD5 60d5bc78cd31e553d5f9aa9cb7c3856a
SHA1 8e58708550e37b9f07976f3e9c6cda9b17786c95
SHA256 4fd176a1883ddc243d2509f43383d80e9d169f1b791c2b13ace57ae66d32fd03
SHA512 5b075a24d996ea5cf2436cccc7ad991f6341c909df5a9dd43bbd7647807bcafc3758d1f42a564678549b7538073c42b9f8a7ed19143bfb773fdf477b435e3985

memory/3264-114-0x00007FF7D2080000-0x00007FF7D23D1000-memory.dmp

C:\Windows\System\hjoHinH.exe

MD5 dbd3d2e8157875bc050e0f598ba2b4d0
SHA1 c5bb4b69d98f6613f3329c271010fdf0c057d656
SHA256 d02d1403eac7aaaee032c93099dd929db6ae9b0143a7f2b864725c8aff96423f
SHA512 5971ee43a46f4895ee20a2d80f2de1fcc40227da88bfb0a9fdc067adabc72555e6988efaa90a384ec6730a97341d440fd8017f67c6d6884d314a4f4a22292e44

memory/928-118-0x00007FF7214F0000-0x00007FF721841000-memory.dmp

C:\Windows\System\zwBqucR.exe

MD5 90e8422f08af7617ef559c8ca6752c17
SHA1 e9d1c6e11631e4f7399f5c3e4199ce50accd9fa3
SHA256 7bfa97b5d986fd00db06fa701cb789347e0e8859adca234209a0592b3b141c8c
SHA512 2160051f2b099b2b4aecffd22d3d7077e61a62e1f1c2b8aae8410a747323c7bf24f364e39a2854b078f22b643f5a208d1ba164e0b8a66e90c6d5d534d12c7d46

memory/4028-126-0x00007FF728550000-0x00007FF7288A1000-memory.dmp

C:\Windows\System\SbkfuFZ.exe

MD5 ba3c23b6f6b877824aa4a8942790f3cc
SHA1 ed887073791b06db28e2bbadff4efc1bea2ac578
SHA256 deab2d6f7f3264aedf6b7d1c4a12250bf6bc4780689fe5028ee5b90a5b980b85
SHA512 ae1bfe29df15ae06161fc65581e6711b5141aef052961891106e6bdd20b14242ba05a5093a21bed85cb159143694a93804ad6a71ba8b3ebb66347296a4e9d2bb

memory/3240-115-0x00007FF676F90000-0x00007FF6772E1000-memory.dmp

memory/1656-111-0x00007FF79F4E0000-0x00007FF79F831000-memory.dmp

memory/4300-134-0x00007FF65C150000-0x00007FF65C4A1000-memory.dmp

memory/4628-130-0x00007FF701370000-0x00007FF7016C1000-memory.dmp

memory/5104-137-0x00007FF682B20000-0x00007FF682E71000-memory.dmp

memory/3608-139-0x00007FF7818F0000-0x00007FF781C41000-memory.dmp

memory/3412-136-0x00007FF7D20D0000-0x00007FF7D2421000-memory.dmp

memory/3240-129-0x00007FF676F90000-0x00007FF6772E1000-memory.dmp

memory/3908-133-0x00007FF743090000-0x00007FF7433E1000-memory.dmp

memory/3956-145-0x00007FF7D87F0000-0x00007FF7D8B41000-memory.dmp

memory/3780-146-0x00007FF7BBDE0000-0x00007FF7BC131000-memory.dmp

memory/5080-144-0x00007FF741710000-0x00007FF741A61000-memory.dmp

memory/3560-141-0x00007FF75F110000-0x00007FF75F461000-memory.dmp

memory/3264-148-0x00007FF7D2080000-0x00007FF7D23D1000-memory.dmp

memory/4028-150-0x00007FF728550000-0x00007FF7288A1000-memory.dmp

memory/928-149-0x00007FF7214F0000-0x00007FF721841000-memory.dmp

memory/1656-147-0x00007FF79F4E0000-0x00007FF79F831000-memory.dmp

memory/3240-151-0x00007FF676F90000-0x00007FF6772E1000-memory.dmp

memory/4628-206-0x00007FF701370000-0x00007FF7016C1000-memory.dmp

memory/396-208-0x00007FF651E30000-0x00007FF652181000-memory.dmp

memory/4308-210-0x00007FF7D8BB0000-0x00007FF7D8F01000-memory.dmp

memory/3908-212-0x00007FF743090000-0x00007FF7433E1000-memory.dmp

memory/4812-218-0x00007FF6AD380000-0x00007FF6AD6D1000-memory.dmp

memory/4300-216-0x00007FF65C150000-0x00007FF65C4A1000-memory.dmp

memory/5104-215-0x00007FF682B20000-0x00007FF682E71000-memory.dmp

memory/3412-222-0x00007FF7D20D0000-0x00007FF7D2421000-memory.dmp

memory/2440-221-0x00007FF64E070000-0x00007FF64E3C1000-memory.dmp

memory/1568-225-0x00007FF681410000-0x00007FF681761000-memory.dmp

memory/3608-230-0x00007FF7818F0000-0x00007FF781C41000-memory.dmp

memory/3560-229-0x00007FF75F110000-0x00007FF75F461000-memory.dmp

memory/4776-226-0x00007FF611570000-0x00007FF6118C1000-memory.dmp

memory/3924-232-0x00007FF7BD890000-0x00007FF7BDBE1000-memory.dmp

memory/3956-236-0x00007FF7D87F0000-0x00007FF7D8B41000-memory.dmp

memory/5080-234-0x00007FF741710000-0x00007FF741A61000-memory.dmp

memory/3780-239-0x00007FF7BBDE0000-0x00007FF7BC131000-memory.dmp

memory/1656-241-0x00007FF79F4E0000-0x00007FF79F831000-memory.dmp

memory/3264-243-0x00007FF7D2080000-0x00007FF7D23D1000-memory.dmp

memory/928-245-0x00007FF7214F0000-0x00007FF721841000-memory.dmp

memory/4028-247-0x00007FF728550000-0x00007FF7288A1000-memory.dmp