Malware Analysis Report

2025-03-15 08:01

Sample ID 240813-n9td4asdmf
Target 2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat
SHA256 ff60204746603020701de89c59b2e5fe645cd74d9e384f5b911ceef620c0fa48
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ff60204746603020701de89c59b2e5fe645cd74d9e384f5b911ceef620c0fa48

Threat Level: Known bad

The file 2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

xmrig

Cobaltstrike

Xmrig family

Cobalt Strike reflective loader

Cobaltstrike family

XMRig Miner payload

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-13 12:06

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Xmrig family

xmrig

UPX packed file

upx
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 12:06

Reported

2024-08-13 12:08

Platform

win7-20240705-en

Max time kernel

140s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
(21 identical entries, all from the same process)

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\bVBvEDl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ogzKPRM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wvJzbhw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DuZOvLc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qFmMGwi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ERrDWNv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jvIuiuC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PeSzhup.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dgIHHBW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eraujBj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IGtTain.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vAGaira.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vDnMyUB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PioGgfk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nnAVGAq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VbRDnvM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RqSnwoi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qydxbtB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NKXQgdE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KEBUKbw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cxZvpfN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2988 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IGtTain.exe
PID 2988 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vAGaira.exe
PID 2988 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NKXQgdE.exe
PID 2988 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vDnMyUB.exe
PID 2988 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KEBUKbw.exe
PID 2988 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cxZvpfN.exe
PID 2988 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DuZOvLc.exe
PID 2988 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qFmMGwi.exe
PID 2988 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PioGgfk.exe
PID 2988 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PeSzhup.exe
PID 2988 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nnAVGAq.exe
PID 2988 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dgIHHBW.exe
PID 2988 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ERrDWNv.exe
PID 2988 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eraujBj.exe
PID 2988 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bVBvEDl.exe
PID 2988 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jvIuiuC.exe
PID 2988 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VbRDnvM.exe
PID 2988 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RqSnwoi.exe
PID 2988 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qydxbtB.exe
PID 2988 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ogzKPRM.exe
PID 2988 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wvJzbhw.exe
(each of the 21 writes above was recorded three times; the parent PID 2988 wrote into every dropped executable it launched)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\IGtTain.exe

C:\Windows\System\vAGaira.exe

C:\Windows\System\NKXQgdE.exe

C:\Windows\System\vDnMyUB.exe

C:\Windows\System\KEBUKbw.exe

C:\Windows\System\cxZvpfN.exe

C:\Windows\System\DuZOvLc.exe

C:\Windows\System\qFmMGwi.exe

C:\Windows\System\PioGgfk.exe

C:\Windows\System\PeSzhup.exe

C:\Windows\System\nnAVGAq.exe

C:\Windows\System\dgIHHBW.exe

C:\Windows\System\ERrDWNv.exe

C:\Windows\System\eraujBj.exe

C:\Windows\System\bVBvEDl.exe

C:\Windows\System\jvIuiuC.exe

C:\Windows\System\VbRDnvM.exe

C:\Windows\System\RqSnwoi.exe

C:\Windows\System\qydxbtB.exe

C:\Windows\System\ogzKPRM.exe

C:\Windows\System\wvJzbhw.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
(6 identical entries; no domain was resolved for this destination)

Files


memory/1236-244-0x000000013FA00000-0x000000013FD51000-memory.dmp

memory/2276-242-0x000000013FF20000-0x0000000140271000-memory.dmp

memory/2868-241-0x000000013F900000-0x000000013FC51000-memory.dmp

memory/2828-235-0x000000013FF70000-0x00000001402C1000-memory.dmp

memory/2812-254-0x000000013FFF0000-0x0000000140341000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 12:06

Reported

2024-08-13 12:08

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 matches, all with no description, indicator, process or target recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(45 matches, all with no description, indicator, process or target recorded)

UPX packed file

upx
Description Indicator Process Target
(64 matches, all with no description, indicator, process or target recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\cxZvpfN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dgIHHBW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RqSnwoi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qydxbtB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VbRDnvM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ogzKPRM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NKXQgdE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DuZOvLc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qFmMGwi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ERrDWNv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bVBvEDl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vAGaira.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vDnMyUB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KEBUKbw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PioGgfk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eraujBj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IGtTain.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PeSzhup.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nnAVGAq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jvIuiuC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wvJzbhw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4124 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IGtTain.exe
PID 4124 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IGtTain.exe
PID 4124 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vAGaira.exe
PID 4124 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vAGaira.exe
PID 4124 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NKXQgdE.exe
PID 4124 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NKXQgdE.exe
PID 4124 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vDnMyUB.exe
PID 4124 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vDnMyUB.exe
PID 4124 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KEBUKbw.exe
PID 4124 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KEBUKbw.exe
PID 4124 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cxZvpfN.exe
PID 4124 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cxZvpfN.exe
PID 4124 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DuZOvLc.exe
PID 4124 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DuZOvLc.exe
PID 4124 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qFmMGwi.exe
PID 4124 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qFmMGwi.exe
PID 4124 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PioGgfk.exe
PID 4124 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PioGgfk.exe
PID 4124 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PeSzhup.exe
PID 4124 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PeSzhup.exe
PID 4124 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nnAVGAq.exe
PID 4124 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nnAVGAq.exe
PID 4124 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dgIHHBW.exe
PID 4124 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dgIHHBW.exe
PID 4124 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ERrDWNv.exe
PID 4124 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ERrDWNv.exe
PID 4124 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eraujBj.exe
PID 4124 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eraujBj.exe
PID 4124 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bVBvEDl.exe
PID 4124 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bVBvEDl.exe
PID 4124 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jvIuiuC.exe
PID 4124 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jvIuiuC.exe
PID 4124 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VbRDnvM.exe
PID 4124 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VbRDnvM.exe
PID 4124 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RqSnwoi.exe
PID 4124 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RqSnwoi.exe
PID 4124 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qydxbtB.exe
PID 4124 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qydxbtB.exe
PID 4124 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ogzKPRM.exe
PID 4124 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ogzKPRM.exe
PID 4124 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wvJzbhw.exe
PID 4124 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wvJzbhw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\IGtTain.exe

C:\Windows\System\IGtTain.exe

C:\Windows\System\vAGaira.exe

C:\Windows\System\vAGaira.exe

C:\Windows\System\NKXQgdE.exe

C:\Windows\System\NKXQgdE.exe

C:\Windows\System\vDnMyUB.exe

C:\Windows\System\vDnMyUB.exe

C:\Windows\System\KEBUKbw.exe

C:\Windows\System\KEBUKbw.exe

C:\Windows\System\cxZvpfN.exe

C:\Windows\System\cxZvpfN.exe

C:\Windows\System\DuZOvLc.exe

C:\Windows\System\DuZOvLc.exe

C:\Windows\System\qFmMGwi.exe

C:\Windows\System\qFmMGwi.exe

C:\Windows\System\PioGgfk.exe

C:\Windows\System\PioGgfk.exe

C:\Windows\System\PeSzhup.exe

C:\Windows\System\PeSzhup.exe

C:\Windows\System\nnAVGAq.exe

C:\Windows\System\nnAVGAq.exe

C:\Windows\System\dgIHHBW.exe

C:\Windows\System\dgIHHBW.exe

C:\Windows\System\ERrDWNv.exe

C:\Windows\System\ERrDWNv.exe

C:\Windows\System\eraujBj.exe

C:\Windows\System\eraujBj.exe

C:\Windows\System\bVBvEDl.exe

C:\Windows\System\bVBvEDl.exe

C:\Windows\System\jvIuiuC.exe

C:\Windows\System\jvIuiuC.exe

C:\Windows\System\VbRDnvM.exe

C:\Windows\System\VbRDnvM.exe

C:\Windows\System\RqSnwoi.exe

C:\Windows\System\RqSnwoi.exe

C:\Windows\System\qydxbtB.exe

C:\Windows\System\qydxbtB.exe

C:\Windows\System\ogzKPRM.exe

C:\Windows\System\ogzKPRM.exe

C:\Windows\System\wvJzbhw.exe

C:\Windows\System\wvJzbhw.exe
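The three tables above describe one behaviour: the sample, running from AppData\Local\Temp, writes 21 seven-letter executables into C:\Windows\System and starts each of them within the detonation window. A parent writing into a child it has just started is also what a plain CreateProcess looks like to this sandbox, so the rule below keys on the launch pattern (Temp-resident parent, burst of randomly named children under C:\Windows\System) rather than on WriteProcessMemory alone. This is an added detection example, not part of the sandbox report; the image names and parent path are the report's, while the Sysmon-style event records, the child PIDs other than 4124 and the timestamps are constructed, since the report gives no per-process times.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in Sysmon Event ID 1 style, modelled on the
# report's process tree.  Image names and the parent path are the report's;
# PIDs other than 4124 and the timestamps are assumed (the report gives no
# per-process times).
PARENT = (r"C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782"
          r"_cobalt-strike_cobaltstrike_poet-rat.exe")
CHILDREN = ["IGtTain", "vAGaira", "NKXQgdE", "vDnMyUB", "KEBUKbw", "cxZvpfN",
            "DuZOvLc", "qFmMGwi", "PioGgfk", "PeSzhup", "nnAVGAq", "dgIHHBW",
            "ERrDWNv", "eraujBj", "bVBvEDl", "jvIuiuC", "VbRDnvM", "RqSnwoi",
            "qydxbtB", "ogzKPRM", "wvJzbhw"]
T0 = datetime(2024, 8, 13, 12, 6, 30)
EVENTS = [
    {"UtcTime": T0 + timedelta(seconds=2 * i), "ProcessId": 5000 + i,
     "ParentProcessId": 4124, "ParentImage": PARENT,
     "Image": "C:\\Windows\\System\\" + name + ".exe"}
    for i, name in enumerate(CHILDREN)
]
# One benign-looking child from the same parent: System32, not C:\Windows\System.
EVENTS.append({"UtcTime": T0, "ProcessId": 999, "ParentProcessId": 4124,
               "ParentImage": PARENT, "Image": r"C:\Windows\System32\conhost.exe"})

TEMP_PARENT = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# C:\Windows\System (not System32) and a bare seven-letter name, the
# naming used by every dropped file in this report.
RANDOM_CHILD = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")


def find_dropper_bursts(events, min_children=5, window_s=120):
    """Return {parent_pid: [child images]} for each parent whose image lives
    under AppData\\Local\\Temp and that starts at least `min_children`
    RANDOM_CHILD images within `window_s` seconds of one another."""
    by_parent = defaultdict(list)
    for ev in events:
        if TEMP_PARENT.search(ev["ParentImage"]) and RANDOM_CHILD.match(ev["Image"]):
            by_parent[ev["ParentProcessId"]].append((ev["UtcTime"], ev["Image"]))
    hits = {}
    for ppid, starts in by_parent.items():
        starts.sort()
        # Slide a window over the sorted start times; report the first burst.
        for i, (t0, _) in enumerate(starts):
            burst = [img for t, img in starts[i:] if (t - t0).total_seconds() <= window_s]
            if len(burst) >= min_children:
                hits[ppid] = burst
                break
    return hits


if __name__ == "__main__":
    for ppid, imgs in find_dropper_bursts(EVENTS).items():
        print(f"parent PID {ppid} started {len(imgs)} random-named EXEs from C:\\Windows\\System")
```

The threshold of five children in two minutes is an assumption chosen to stay well below the 21 seen here while not firing on an installer that drops one or two helpers; tune it against your own telemetry before deploying.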

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
("-" marks a session for which the sandbox recorded no domain.)
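The only destination in this table that the sample reaches repeatedly without any name attached is 3.120.209.58:8080, six TCP sessions to a bare IP on a non-standard port; the Bing traffic and the in-addr.arpa lookups are the Windows 10 image's own background noise. The report carries no timestamps, so beacon-interval analysis is not possible here, but "repeated TCP sessions to an IP that was never reached by name" is a check that can be run over this table as it stands. The following is an added example, not part of the report: the rows are a subset copied from the table above, the parser and the rule are ours.

```python
from collections import Counter

# Rows copied from the Network table above (a subset, in report order):
# Country Destination Domain Proto, with "-" where the sandbox attached no
# domain to the session.
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
"""


def parse_rows(text):
    """Yield (country, ip, port, domain, proto); domain is None when the
    row carries "-" or, as in the raw report, omits the column entirely."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
            domain = None if domain == "-" else domain
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        yield country, ip, int(port), domain, proto


def unresolved_tcp_peers(text, min_sessions=3):
    """{(ip, port): sessions} for TCP peers reached `min_sessions` or more
    times with no domain attached and never seen with one.  The domain on a
    udp row to :53 is the *query*, not a name for the resolver, so only TCP
    rows count as evidence that a peer was reached by name."""
    named = set()
    direct = Counter()
    for _, ip, port, domain, proto in parse_rows(text):
        if proto != "tcp":
            continue
        if domain is None:
            direct[(ip, port)] += 1
        else:
            named.add(ip)
    return {peer: n for peer, n in direct.items()
            if n >= min_sessions and peer[0] not in named}


if __name__ == "__main__":
    for (ip, port), n in unresolved_tcp_peers(NETWORK_ROWS).items():
        print(f"{ip}:{port} reached {n} times by bare IP, no name ever attached")
```

Hard-coded IP:port pairs in a beacon config are exactly what this check catches; it says nothing about destinations reached by name, and a peer reached once is below the threshold by design, so pair it with the dropped-file rule rather than using it alone.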

Files

memory/4124-0-0x00007FF76B950000-0x00007FF76BCA1000-memory.dmp

memory/4124-1-0x0000021681870000-0x0000021681880000-memory.dmp

C:\Windows\System\IGtTain.exe

MD5 edd5a92da720d2fedeaf2b5bc7c01951
SHA1 bf8cec8933236e16c868d6b9538bfd1f6e6f6167
SHA256 c0ad55af1e740ee7e75c8f6e8f9953e734ccf2832883a45f05bd8d7c9b8381a2
SHA512 61aedcd17a617e0085667440f883b073b4cdd4797d73f7848f06f100ddb3fb5144bf70a71813726311294edb1aea658d8fe3d2ac45d1e221a6215af1b3322ff3

C:\Windows\System\vAGaira.exe

MD5 5792afdac2c72de69d402b54f02bdba5
SHA1 d6ac4bcf1505e12793b82575f126f2050e204560
SHA256 068eb8d39221c89d7bfac80e2acac8607bc356e48d3da9a1aac8fec9a6e4cdca
SHA512 bdc81b56d0efbc21c8c849beb1c4bb7335c60af715e29420e1c96baeed61044513ba75de9853c2c43c0a226e2d53d93e2953cbbee0b538527d52367199fe7d27

C:\Windows\System\NKXQgdE.exe

MD5 9bbc61bc83471e0bad79ec1607d78033
SHA1 75e7cd3101ae13f0ed0cefcafe558d1afcf8c441
SHA256 3b94eeb0c4a93f0fedf8ab794ab7078089cfba4db9b5612662ada3b75293d9c5
SHA512 c5fd62404e5b6d20c166cfb99d56c8f12206a57e387ba7878eb940c9473684ef23a7fd61f391908f317801721752647811dd1dd306d115823fc4a429cce2f739

C:\Windows\System\KEBUKbw.exe

MD5 a42259fe93f4aa01761bc38c9929845e
SHA1 cb7cffaa3dd8f532af1ad3b7b6271066d08cfe66
SHA256 3c6f719590e66619b3f3ceccbe1ea266f23117f1c5fbe4d06fc7f5de0d5496cf
SHA512 ed6f51f3b7e25be410fd25e5cca733bdd7c36f1e4cdd3d253e6f523b3267d7a807a7573b999a9e92fb1b97117839706ffe44ae14527136813e9fb12bbe8b1033

C:\Windows\System\cxZvpfN.exe

MD5 6c18142366d53bf83b94fc9a945365e5
SHA1 18b406350438e378d4d388166b8c9f46f866193d
SHA256 1564bf3c0062edfb6a5f3518336555b461db8f001f60bf4630fb59a6455ebd3e
SHA512 7e8dd7e95d6ccec072487dd13c27cdebc117f59bd2e54c030b736a10d8b6c19b3fd58a9dfe9a2d9a3da6504cee5d7607e29166a7de7b971f78fd826db54ffdf4

C:\Windows\System\vDnMyUB.exe

MD5 ff46a37572e620536d9e6332e9bac1f5
SHA1 8bf944cd917bc35a81cacbf513553f1bf5ca1604
SHA256 c605e740b0fb9e84c6c4d30bf103e8d2ecc55aba427911b78c994db8358d8750
SHA512 dfa8f5710941947c166ee8ecad58d8290da4c4d6d5ac2ab31206a38b8ec535b753c1a0f768207daa2b565b8e78285c4697bcdacc313c942f5fe273b8c3a3f675

memory/676-37-0x00007FF79DD40000-0x00007FF79E091000-memory.dmp

C:\Windows\System\DuZOvLc.exe

MD5 d8cd8b51ce5b9dc8ae3ee4803b3c02e5
SHA1 609561f390297deeafceac958d37745013433028
SHA256 669a21b1a0b07aeb94380d7e0ec64f8de717dac1a87ca455a6cdff9e64cdb371
SHA512 26a78ea726c93a41ddad7511c452898f6cdd2f137d109bbc6bc6665340472318f4ce39dfed3c9c9d8a26b37824b6d81e966e06f76659d59cdfda19145d8ddd98

memory/1720-46-0x00007FF6E6360000-0x00007FF6E66B1000-memory.dmp

C:\Windows\System\qFmMGwi.exe

MD5 cbe09f0d9c3ac0bb426fb56e5ed97cb0
SHA1 553797f3578926524af4a7b9c6aa25281072cffd
SHA256 d14845380022a7036db765e93a1bc0ded789c03d05e1e2f5b59f03d5c4dc0bbf
SHA512 063c2f89f892abeb9e899e7e111e418d43607984c260971e11999142492bfe4fa87c7414fd963f398aa62a0f6a1cbdb8768ade5e9b10269c68bb149a40c94237

C:\Windows\System\PioGgfk.exe

MD5 88b83c87c03a59129dd6fea9cc37e122
SHA1 737a6980a34e7b3c4f734b4e05313ba76bec561d
SHA256 2b76a28f15b9438054429bee1468d2cd1e99cc67127b38d66dc5d278151c8dda
SHA512 f29920fc7d856c16e4f4202a55d9d2974989f0ca98ace0fa7fb20b86546777ea57091d1695157964a782d2cae5b0accfd75d983f345712efcc4a7eb61a03ce90

memory/4724-53-0x00007FF74AB90000-0x00007FF74AEE1000-memory.dmp

memory/3432-47-0x00007FF761E40000-0x00007FF762191000-memory.dmp

memory/1532-40-0x00007FF6A2DC0000-0x00007FF6A3111000-memory.dmp

memory/2412-27-0x00007FF6EEE60000-0x00007FF6EF1B1000-memory.dmp

memory/4964-22-0x00007FF6A9BC0000-0x00007FF6A9F11000-memory.dmp

memory/2524-16-0x00007FF65F640000-0x00007FF65F991000-memory.dmp

memory/4420-7-0x00007FF6C9FF0000-0x00007FF6CA341000-memory.dmp

C:\Windows\System\PeSzhup.exe

MD5 1748191102891a33fedbaacb47280833
SHA1 0085a25cc480a54c438b89667537abf6b72e0b3e
SHA256 0b49293d77395cfee6034cbce75f1e914c60dc0277bfb48c04d0121c57efb575
SHA512 c612c205b9e0b370a285b1ec68b286f1ee2a5c81eac200f6d998159a74c7c594f0b1b74e2a024e4a341da726aa1f494b690b02afe077899c1b4859f31f89e116

memory/5008-60-0x00007FF75FB80000-0x00007FF75FED1000-memory.dmp

memory/116-69-0x00007FF72E5C0000-0x00007FF72E911000-memory.dmp

C:\Windows\System\bVBvEDl.exe

MD5 00ef40fff59921117f517a6ee4b82394
SHA1 fcb2d521cdbf7cc515219efdaa399abfdccdfa0b
SHA256 3e882acdad555c023c2d2f85d16345696c53d6eb093b182918fd01781a1eb43c
SHA512 941eca7c510d7f04dd6d2890e48479d356fe60d44f126f0d77bd21f703e4a19fbcc0b8278e6150ff34c1be1eab76debeb5648148994863496eb7659606e90ae5

C:\Windows\System\jvIuiuC.exe

MD5 2ef8b2eed2d354ce6c3f7ffb1314bc2f
SHA1 68ea8491b39a355381308655de0c077cae8966a2
SHA256 ea96e5a2bf18cb9ca49715eb3e0b4e1d33c4c569fd3fcb7e439731149bda252f
SHA512 09b4fc85f86f39a91d2b654c0a993b9a96f7ecb918d6105f2d09f3326f7ac5bf3d9bf2cc41415db8d6ae76476c3818c217bcda324bbf0cfdb70cc28e2bb7bba7

C:\Windows\System\RqSnwoi.exe

MD5 5432c4ecca284b6fb0d00c0e8a59b409
SHA1 dc8e64f852ab3d4a25a9236dd297ee6d973d20b4
SHA256 c8fe2f559fa32de5ba1868b8e9e22dba16177f4da77863b6e868846ce30b01a4
SHA512 66debb9a0076898191e330dbf12d21e5d1731f8df3e430024d6e2fa53ae39d7b9bf31fc4c856c5f231f497e5dc245f17883b1dd6ad453f0e8077d875d6e22c9f

memory/5060-114-0x00007FF717DC0000-0x00007FF718111000-memory.dmp

memory/1544-118-0x00007FF61BCC0000-0x00007FF61C011000-memory.dmp

memory/3352-128-0x00007FF75CB40000-0x00007FF75CE91000-memory.dmp

memory/3232-129-0x00007FF6DD490000-0x00007FF6DD7E1000-memory.dmp

memory/3704-127-0x00007FF78B030000-0x00007FF78B381000-memory.dmp

memory/2524-126-0x00007FF65F640000-0x00007FF65F991000-memory.dmp

C:\Windows\System\wvJzbhw.exe

MD5 393943b069ed7fccaea948dd5946523c
SHA1 2b0926b73c923c380c8beb54ac24464fef93a577
SHA256 405c7b9794f13d49e9a288b7e64051526593776ef8da31be5897b272377eb173
SHA512 5872b671db436d44d8e5bb8d9cea42b190ac74b261f504bc063f5bc3ee34a38a3a7998e297e290849b3b9b81388216eb3f01692bf543fb9be31808eb75de4672

C:\Windows\System\ogzKPRM.exe

MD5 d5c76ea2aa6eafc8df041619882d2270
SHA1 3730c457478ca5882cc23fa96436b8ffe50e1bc7
SHA256 a91bb7d6d85d6840f1e66a221488a2230b2ec233e48ecc6b4e7dfc5fa998354d
SHA512 8a67d99ba5b20d430d98f3d2cc11d803c808ed31cbe1db554793978b922a8615600a40263dadd00f9a7d3c08ccff405f078062375fb77fc19499a6ae3534d77c

memory/4320-120-0x00007FF60CD40000-0x00007FF60D091000-memory.dmp

C:\Windows\System\qydxbtB.exe

MD5 3d1bf965d380e1658f1ce8aa757fc252
SHA1 c326a80e6f296ecc6b76897241a4889f3721820a
SHA256 27188ed5d558e49f381d236f278f4bac2b7f781bcc376faebde17b0974c28cd0
SHA512 f710b47e2d1b7b84b02c993531079f6f822800090792b8b909ada512d31eb8891d49f099846cb40ce598279108034083f5d69a02508845cb4d802c6d22aa3637

memory/232-109-0x00007FF74DBA0000-0x00007FF74DEF1000-memory.dmp

C:\Windows\System\VbRDnvM.exe

MD5 303e2976d3fcb24cf149a784f86fcecf
SHA1 8d3d60a87e190eeee06170b03078b8f55c6988ed
SHA256 5de951b7b8191bd6f6cdf92fb908362bd8899b044011dedbfd403e01ceb2be1f
SHA512 aef0710ec3e1b757a8434f5fbc9da09edca587f2ca8ff461560624dd45e0e806ca4a6705affc2d275cd87a0e883682251f2cc42ad3e913ba689bda9d09d4467e

memory/2124-99-0x00007FF7228C0000-0x00007FF722C11000-memory.dmp

C:\Windows\System\ERrDWNv.exe

MD5 695a5a092f766e0f08f8c2c04713252a
SHA1 dfa6564f91fb409a0ebaa3e28ce7b01cb9230ed5
SHA256 272dcefb45a461f3f446edb963538eebaae24ab84c11b9beea150fce7c0cfb05
SHA512 fd6b6dee748990d7b82dec9f66a035407bd88b2870b7f14ddeb7ed9bce76fca439a119cdc0f6963651de2ffd258cfe67e2ac7aa5db8b9137c5a901d4ea0aafaa

memory/4176-94-0x00007FF65C430000-0x00007FF65C781000-memory.dmp

C:\Windows\System\eraujBj.exe

MD5 da1ed6ec943426e6a3b9a5fb8c1f3b7d
SHA1 3cb69be5dd2c4aa31b982787d15bda49f0ba10e8
SHA256 9211f4e37018356115d8ab5a0eecad391ee088fa854f1df559eeaf15fdc78c49
SHA512 983bce040277b566bafa14dd3735a92c9a1021dc0d1e765b0664b1fb54ff03830b788eb28c59e586fb4211f76f40cd349a900be4f00c76886942cfde851c88dc

memory/4420-87-0x00007FF6C9FF0000-0x00007FF6CA341000-memory.dmp

C:\Windows\System\dgIHHBW.exe

MD5 030508abefb63b213d61438e5bd098e5
SHA1 49ac5535b8da05a83f825271c0c102c17e925412
SHA256 143ec251ff7dfab91303ad99067d59d4a10dbe8fb5da248da90391329f50e5ed
SHA512 4ad9cda070f1734fcb59330c72d5fe88d09c65368b7a143f8f4e3bc8219801be9a7f46dd57d46e0923d9515f52e68ce5e04ab37047de7a01c95e0ee3fd5bdf1e

memory/4044-77-0x00007FF603AA0000-0x00007FF603DF1000-memory.dmp

memory/4124-70-0x00007FF76B950000-0x00007FF76BCA1000-memory.dmp

C:\Windows\System\nnAVGAq.exe

MD5 c440ab0fd8586b63b80dbd1f1d4d15d2
SHA1 6bb0e26c8a3b01b62d2aafe7eb047379f2398236
SHA256 db40624ec63d15e95f0c543ecde35c7bb3591301035425a2873463308e1a29bc
SHA512 4b45736f534ad25524d4f6403cf84a2dcaa88a3fe926799fea282c0810cb587695552f92d551fc428ee916d6999e04d39b0a11cfc8a5aee916b7dbbbd93f4cfd

memory/4124-131-0x00007FF76B950000-0x00007FF76BCA1000-memory.dmp

memory/116-142-0x00007FF72E5C0000-0x00007FF72E911000-memory.dmp

memory/4044-143-0x00007FF603AA0000-0x00007FF603DF1000-memory.dmp

memory/4176-144-0x00007FF65C430000-0x00007FF65C781000-memory.dmp

memory/5008-141-0x00007FF75FB80000-0x00007FF75FED1000-memory.dmp

memory/3432-139-0x00007FF761E40000-0x00007FF762191000-memory.dmp

memory/4724-140-0x00007FF74AB90000-0x00007FF74AEE1000-memory.dmp

memory/2412-135-0x00007FF6EEE60000-0x00007FF6EF1B1000-memory.dmp

memory/232-146-0x00007FF74DBA0000-0x00007FF74DEF1000-memory.dmp

memory/4320-152-0x00007FF60CD40000-0x00007FF60D091000-memory.dmp

memory/1544-150-0x00007FF61BCC0000-0x00007FF61C011000-memory.dmp

memory/2124-145-0x00007FF7228C0000-0x00007FF722C11000-memory.dmp

memory/5060-149-0x00007FF717DC0000-0x00007FF718111000-memory.dmp

memory/4124-153-0x00007FF76B950000-0x00007FF76BCA1000-memory.dmp

memory/4420-209-0x00007FF6C9FF0000-0x00007FF6CA341000-memory.dmp

memory/2524-211-0x00007FF65F640000-0x00007FF65F991000-memory.dmp

memory/4964-213-0x00007FF6A9BC0000-0x00007FF6A9F11000-memory.dmp

memory/2412-215-0x00007FF6EEE60000-0x00007FF6EF1B1000-memory.dmp

memory/676-218-0x00007FF79DD40000-0x00007FF79E091000-memory.dmp

memory/1532-219-0x00007FF6A2DC0000-0x00007FF6A3111000-memory.dmp

memory/1720-221-0x00007FF6E6360000-0x00007FF6E66B1000-memory.dmp

memory/3432-223-0x00007FF761E40000-0x00007FF762191000-memory.dmp

memory/4724-225-0x00007FF74AB90000-0x00007FF74AEE1000-memory.dmp

memory/5008-227-0x00007FF75FB80000-0x00007FF75FED1000-memory.dmp

memory/116-240-0x00007FF72E5C0000-0x00007FF72E911000-memory.dmp

memory/4044-242-0x00007FF603AA0000-0x00007FF603DF1000-memory.dmp

memory/4176-244-0x00007FF65C430000-0x00007FF65C781000-memory.dmp

memory/2124-246-0x00007FF7228C0000-0x00007FF722C11000-memory.dmp

memory/3352-248-0x00007FF75CB40000-0x00007FF75CE91000-memory.dmp

memory/5060-250-0x00007FF717DC0000-0x00007FF718111000-memory.dmp

memory/3704-252-0x00007FF78B030000-0x00007FF78B381000-memory.dmp

memory/3232-258-0x00007FF6DD490000-0x00007FF6DD7E1000-memory.dmp

memory/232-256-0x00007FF74DBA0000-0x00007FF74DEF1000-memory.dmp

memory/1544-255-0x00007FF61BCC0000-0x00007FF61C011000-memory.dmp

memory/4320-260-0x00007FF60CD40000-0x00007FF60D091000-memory.dmp
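One thing the two Files sections (behavioral1 above, and this one) show when the memory/PID-N-START-END entries are parsed rather than read: every dumped process image, on Windows 7 at 0x13Fxxxxxx bases and on Windows 10 at 0x7FF6/0x7FF7 bases, spans exactly 0x351000 bytes (about 3.3 MiB), as does the second region inside PID 2988 at 0x2290000; only the 0x10000 region in PID 4124 differs. The 21 dropped files therefore carry one image of the same size under different names, and while their hashes differ from one another, the hash for a given name (NKXQgdE.exe, KEBUKbw.exe, vDnMyUB.exe) is the same in both detonations. The parser below is an added example, not part of the report; the entries in it are copied from both Files sections.

```python
import re
from collections import defaultdict

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, the entry form used in
# both Files sections of this report.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Entries copied from the report: behavioral1 (Windows 7) first, then
# behavioral2 (Windows 10).  PID 4420 was dumped twice at the same range.
DUMPS = """\
memory/2276-33-0x000000013FF20000-0x0000000140271000-memory.dmp
memory/2988-96-0x000000013FC30000-0x000000013FF81000-memory.dmp
memory/2988-118-0x0000000002290000-0x00000000025E1000-memory.dmp
memory/4124-0-0x00007FF76B950000-0x00007FF76BCA1000-memory.dmp
memory/4124-1-0x0000021681870000-0x0000021681880000-memory.dmp
memory/676-37-0x00007FF79DD40000-0x00007FF79E091000-memory.dmp
memory/4420-7-0x00007FF6C9FF0000-0x00007FF6CA341000-memory.dmp
memory/4420-87-0x00007FF6C9FF0000-0x00007FF6CA341000-memory.dmp
"""


def parse_dumps(text):
    """Return one dict per well-formed entry with pid, seq, start, end, size."""
    out = []
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if not m:
            continue
        start, end = int(m["start"], 16), int(m["end"], 16)
        out.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                    "start": start, "end": end, "size": end - start})
    return out


def regions_by_pid(text):
    """{pid: {(start, size), ...}}; repeated dumps of one range collapse to one."""
    by_pid = defaultdict(set)
    for d in parse_dumps(text):
        by_pid[d["pid"]].add((d["start"], d["size"]))
    return dict(by_pid)


def size_histogram(text):
    """{size: number of distinct (pid, start) regions of that size}."""
    hist = defaultdict(int)
    for regs in regions_by_pid(text).values():
        for _, size in regs:
            hist[size] += 1
    return dict(hist)


if __name__ == "__main__":
    for size, n in sorted(size_histogram(DUMPS).items(), reverse=True):
        print(f"0x{size:X} bytes ({size / 2**20:.1f} MiB): {n} region(s)")
```

The practical consequence is the usual one for a dropper that rewrites its payload per file: block on the dropped-file path pattern and the C2 peer, and use the per-file hashes only as confirmation, since a fresh detonation can produce a fresh set.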