Malware Analysis Report

2025-03-15 08:00

Sample ID 240814-zw1rssyhnp
Target 2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat
SHA256 15d6830b17a879ee36eb4f14ea6e9597480679b897b0262a7c4b53f232b59fe5
Tags upx 0 miner cobaltstrike xmrig backdoor trojan
Score 10/10


Analysis Overview

Threat Level: Known bad

The file 2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Cobaltstrike family

XMRig Miner payload

Cobalt Strike reflective loader

Cobaltstrike

xmrig

Xmrig family

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-14 21:04

Signatures

Cobalt Strike reflective loader


Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 21:04

Reported

2024-08-14 21:07

Platform

win7-20240704-en

Max time kernel

140s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\HFisDfW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HueECcs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JxTPJYi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LDExCJZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xhatQTk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lGCgJNb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MCUeisu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lbiwyXX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mvGnTaU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PHqWRzH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ngcAVtS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\olVwuWL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ERFWURk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ThtScjb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wVFKsjz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HdMTmEf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\riXNPPo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jAIKwuf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hzUYrSg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QliQpVJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WXJfaJi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1628 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hzUYrSg.exe
PID 1628 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HueECcs.exe
PID 1628 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lbiwyXX.exe
PID 1628 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mvGnTaU.exe
PID 1628 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QliQpVJ.exe
PID 1628 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WXJfaJi.exe
PID 1628 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ngcAVtS.exe
PID 1628 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ThtScjb.exe
PID 1628 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wVFKsjz.exe
PID 1628 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JxTPJYi.exe
PID 1628 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LDExCJZ.exe
PID 1628 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HFisDfW.exe
PID 1628 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HdMTmEf.exe
PID 1628 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\olVwuWL.exe
PID 1628 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\riXNPPo.exe
PID 1628 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PHqWRzH.exe
PID 1628 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xhatQTk.exe
PID 1628 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ERFWURk.exe
PID 1628 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lGCgJNb.exe
PID 1628 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MCUeisu.exe
PID 1628 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jAIKwuf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\hzUYrSg.exe

C:\Windows\System\hzUYrSg.exe

C:\Windows\System\HueECcs.exe

C:\Windows\System\HueECcs.exe

C:\Windows\System\lbiwyXX.exe

C:\Windows\System\lbiwyXX.exe

C:\Windows\System\mvGnTaU.exe

C:\Windows\System\mvGnTaU.exe

C:\Windows\System\QliQpVJ.exe

C:\Windows\System\QliQpVJ.exe

C:\Windows\System\WXJfaJi.exe

C:\Windows\System\WXJfaJi.exe

C:\Windows\System\ngcAVtS.exe

C:\Windows\System\ngcAVtS.exe

C:\Windows\System\ThtScjb.exe

C:\Windows\System\ThtScjb.exe

C:\Windows\System\wVFKsjz.exe

C:\Windows\System\wVFKsjz.exe

C:\Windows\System\JxTPJYi.exe

C:\Windows\System\JxTPJYi.exe

C:\Windows\System\LDExCJZ.exe

C:\Windows\System\LDExCJZ.exe

C:\Windows\System\HFisDfW.exe

C:\Windows\System\HFisDfW.exe

C:\Windows\System\HdMTmEf.exe

C:\Windows\System\HdMTmEf.exe

C:\Windows\System\olVwuWL.exe

C:\Windows\System\olVwuWL.exe

C:\Windows\System\riXNPPo.exe

C:\Windows\System\riXNPPo.exe

C:\Windows\System\PHqWRzH.exe

C:\Windows\System\PHqWRzH.exe

C:\Windows\System\xhatQTk.exe

C:\Windows\System\xhatQTk.exe

C:\Windows\System\ERFWURk.exe

C:\Windows\System\ERFWURk.exe

C:\Windows\System\lGCgJNb.exe

C:\Windows\System\lGCgJNb.exe

C:\Windows\System\MCUeisu.exe

C:\Windows\System\MCUeisu.exe

C:\Windows\System\jAIKwuf.exe

C:\Windows\System\jAIKwuf.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2220-212-0x000000013FE90000-0x00000001401E1000-memory.dmp

memory/2668-214-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

memory/2248-216-0x000000013F2E0000-0x000000013F631000-memory.dmp

memory/2696-218-0x000000013F770000-0x000000013FAC1000-memory.dmp

memory/2588-220-0x000000013F680000-0x000000013F9D1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 21:04

Reported

2024-08-14 21:07

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\VXlYSdL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BNkecqp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WgCtzfs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bnBIfwz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UDsFoBF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YfeaYiC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hPkWxET.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NmcfGJR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QrabAth.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kjoDJsY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cdXEELh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hhoTorv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xJZkNib.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yFxZYJB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qGILSdQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NigcuoQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\utQZDxE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MTJbPia.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gMfLKvE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\loeOZmw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zfeijFF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3920 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kjoDJsY.exe
PID 3920 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kjoDJsY.exe
PID 3920 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cdXEELh.exe
PID 3920 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cdXEELh.exe
PID 3920 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MTJbPia.exe
PID 3920 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MTJbPia.exe
PID 3920 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UDsFoBF.exe
PID 3920 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UDsFoBF.exe
PID 3920 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gMfLKvE.exe
PID 3920 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gMfLKvE.exe
PID 3920 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hhoTorv.exe
PID 3920 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hhoTorv.exe
PID 3920 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xJZkNib.exe
PID 3920 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xJZkNib.exe
PID 3920 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\loeOZmw.exe
PID 3920 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\loeOZmw.exe
PID 3920 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yFxZYJB.exe
PID 3920 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yFxZYJB.exe
PID 3920 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VXlYSdL.exe
PID 3920 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VXlYSdL.exe
PID 3920 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hPkWxET.exe
PID 3920 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hPkWxET.exe
PID 3920 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zfeijFF.exe
PID 3920 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zfeijFF.exe
PID 3920 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NmcfGJR.exe
PID 3920 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NmcfGJR.exe
PID 3920 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QrabAth.exe
PID 3920 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QrabAth.exe
PID 3920 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qGILSdQ.exe
PID 3920 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qGILSdQ.exe
PID 3920 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YfeaYiC.exe
PID 3920 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YfeaYiC.exe
PID 3920 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NigcuoQ.exe
PID 3920 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NigcuoQ.exe
PID 3920 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BNkecqp.exe
PID 3920 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BNkecqp.exe
PID 3920 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WgCtzfs.exe
PID 3920 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WgCtzfs.exe
PID 3920 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bnBIfwz.exe
PID 3920 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bnBIfwz.exe
PID 3920 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\utQZDxE.exe
PID 3920 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\utQZDxE.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\kjoDJsY.exe

C:\Windows\System\kjoDJsY.exe

C:\Windows\System\cdXEELh.exe

C:\Windows\System\cdXEELh.exe

C:\Windows\System\MTJbPia.exe

C:\Windows\System\MTJbPia.exe

C:\Windows\System\UDsFoBF.exe

C:\Windows\System\UDsFoBF.exe

C:\Windows\System\gMfLKvE.exe

C:\Windows\System\gMfLKvE.exe

C:\Windows\System\hhoTorv.exe

C:\Windows\System\hhoTorv.exe

C:\Windows\System\xJZkNib.exe

C:\Windows\System\xJZkNib.exe

C:\Windows\System\loeOZmw.exe

C:\Windows\System\loeOZmw.exe

C:\Windows\System\yFxZYJB.exe

C:\Windows\System\yFxZYJB.exe

C:\Windows\System\VXlYSdL.exe

C:\Windows\System\VXlYSdL.exe

C:\Windows\System\hPkWxET.exe

C:\Windows\System\hPkWxET.exe

C:\Windows\System\zfeijFF.exe

C:\Windows\System\zfeijFF.exe

C:\Windows\System\NmcfGJR.exe

C:\Windows\System\NmcfGJR.exe

C:\Windows\System\QrabAth.exe

C:\Windows\System\QrabAth.exe

C:\Windows\System\qGILSdQ.exe

C:\Windows\System\qGILSdQ.exe

C:\Windows\System\YfeaYiC.exe

C:\Windows\System\YfeaYiC.exe

C:\Windows\System\NigcuoQ.exe

C:\Windows\System\NigcuoQ.exe

C:\Windows\System\BNkecqp.exe

C:\Windows\System\BNkecqp.exe

C:\Windows\System\WgCtzfs.exe

C:\Windows\System\WgCtzfs.exe

C:\Windows\System\bnBIfwz.exe

C:\Windows\System\bnBIfwz.exe

C:\Windows\System\utQZDxE.exe

C:\Windows\System\utQZDxE.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/3920-0-0x00007FF7E1700000-0x00007FF7E1A51000-memory.dmp

memory/3920-1-0x000001A601A50000-0x000001A601A60000-memory.dmp

memory/528-8-0x00007FF6EE920000-0x00007FF6EEC71000-memory.dmp

C:\Windows\System\MTJbPia.exe

MD5 8e437ca2982b704f439eb6066a2f6256
SHA1 bd8dd67d231ad3d24ddb5e705b9fb32a2ca19b50
SHA256 5f3f3d62c8a6ad819611d92192897c7c8c23927c672a16aecb833570a477b332
SHA512 db7cdbf66f9059a136b0fc259760e08cff417bd347a1b6027761d389f0829afdea01d15e2f0e4cbe5871b9f91e11f0e7c3a5d244fc07d1d07a062e02fd663a49

C:\Windows\System\cdXEELh.exe

MD5 bd869351799d1cef85888dbc8c8187ce
SHA1 07347084e96351d191be0cea0d0ab4bc183963e2
SHA256 c12433ab949eb8ff62ed3c230d0a9f13d2d81cffb3d9dcbed1588169d71e337e
SHA512 4bc0eb581a26ee4f2845a78098615c080cd0863f2150ca6b0a56d225395af889287b5aa3f16c251ac43848441392800879441e064c3ade55b5d12ae9a842df0e

C:\Windows\System\hhoTorv.exe

MD5 09e27e351afd51464124b1ad9735f0d1
SHA1 cca2425a7a31fdcf18345b002d1fe4b0eec8b240
SHA256 c0892aad7af0bcfac82e106b2929e7f49f1c3c5452953f3780b84e1bde227022
SHA512 f419a9c1d5ac7e4a7a2d3caccae6791c2fe00673cbca54c8a78d669a8ba945395c6f1c667adc62780dc776a6579bf8d5914f98a1d93acf02af67230ac0a38088

C:\Windows\System\yFxZYJB.exe

MD5 52bbc5f741f3d86284f36f03b317c435
SHA1 a04787aca5e710b8f017c8c8d46a17758dc7a324
SHA256 2335d0beceacd22df07cac3a6b0ff009fb382fad14909ab338ba8693938aad3b
SHA512 98c96ef0af80a09640f322ad5b544808e695c74b0b7e978c562d860ced82434a9e2dd5e16ce4f84c72b67f9173a1643f2af3d8d51b0105bb4dfe9b09c42ba3b1

C:\Windows\System\NmcfGJR.exe

MD5 bc1a85e3d87d79c47dc945d61bc9e72c
SHA1 51946991883c05bd9060324106989d36c1765bb3
SHA256 81c1f86ffc17e6065cbac2c045c88060583300beee541490a4075c7646ab6970
SHA512 836f97bc7bbc7d891169d8c80c41307cb1a21b66b02c0f3a9625a2ec694ec5d212cf9cb018758b5f3feb6e63933f80e99d6deee79a7437f0c774778a5c225cdc

C:\Windows\System\hPkWxET.exe

MD5 e54acdea613c89dd33f91f46e1022ed9
SHA1 d21e4d3bc5590304fecaed426f5afc692d9ac71b
SHA256 c821561057e49dc0245558e33d0dac5477cc92820e46c025925650de9976ef7d
SHA512 f34ca1dcf67a6ef98b05d235929bf284008fcffdacdff11a9c3af6034f0bdd5cbe9eefdcf61bc2e909b5e7b921e127b87788de233cfda8f21037cd74a8422da4

memory/1576-91-0x00007FF7E8150000-0x00007FF7E84A1000-memory.dmp

memory/4540-96-0x00007FF7B83F0000-0x00007FF7B8741000-memory.dmp

C:\Windows\System\NigcuoQ.exe

MD5 f83d4ab429cc3a7ed02dfeeeb9d0770f
SHA1 e724482cf16fde1f9350e1c8f7ab474858a30770
SHA256 30afc026e6a1f4f5085beefb313871beea2f66270590db3791c12ae9505bc94a
SHA512 7aacbce5ef25dfa0c6a3a1f3a4625c38831e1eefb927e81b2881c8158f23153f864d2c8a03204b05b0ab1dc606dff619981e2b95e74aad690c18db0316a8797e

C:\Windows\System\BNkecqp.exe

MD5 b879d73df74303fa0429d8fd872dc68c
SHA1 0050e111d67f8f04a2ad0cf8c928db5f3800544a
SHA256 eed07830050032b8d518aae5312e085638cc96dbbd8985069c96b4f900bceb1f
SHA512 2070466077841c2d4b5a4186956f48aafe3c9ab1660496ebaf40fd882985d00f6a3881475bc85ead5a7cd7872d5d3f9cb7c3a1d36721dc7e2f0059d70c46d9db

C:\Windows\System\bnBIfwz.exe

MD5 984ec1c7d7831beba4ccfb0ad1cf72b8
SHA1 9154cc40e8a0fa9a916988b00f8b99abb2f3652d
SHA256 40d35216de7cac7f97cca60ddd6b448b285fb5bfdb2ce5cb2bdd080a1b509933
SHA512 876ffd325d9876cf719987acfa058fe0c1d30d437fc6c9863dadd4ce80f94ca6b864af3858e239b3779ac4fe4328d407526ce960127c39f94b7874e71a759281

C:\Windows\System\utQZDxE.exe

MD5 f292b33bac174da1ae30a66a4f1d89a5
SHA1 54809d7b0b9661a209312e966b67fb02f4615d0e
SHA256 f1bdfb62164f790b964df5f64bebc897dd753707b438dc30895fc75f72f33e30
SHA512 90ba7b1719f874f5f2ae942cf75196f861286a169a775efbd746eb5d88d3b4725706c8a14799b867fb21d09831f896c4198d33f0181b18a4930254f1816dbee1

C:\Windows\System\WgCtzfs.exe

MD5 e50d353df4ada4880a619f7d1f87217d
SHA1 559d97533c43ac42da7d4863f8719e4e8f50e7f2
SHA256 36cefa0fcfa63700a3b2d3886ec40d64f52046cee45446f280c14cd960cdbeb5
SHA512 48691b5975481a8d9430dd3c16f218f794c72a2d7cd6c4d2639cc82aa09c78d2c2ed8656b3719a5dac7a5c50e4a69e3856d72b0e47d5b015383c9a4429088c44

memory/100-104-0x00007FF781440000-0x00007FF781791000-memory.dmp

memory/2208-103-0x00007FF765810000-0x00007FF765B61000-memory.dmp

memory/4384-102-0x00007FF697820000-0x00007FF697B71000-memory.dmp

memory/1620-99-0x00007FF6EC8D0000-0x00007FF6ECC21000-memory.dmp

C:\Windows\System\YfeaYiC.exe

MD5 6fc8a76c4606f4e0c199162161ab6854
SHA1 42ff5e6e1f1178a29c3fe720c248170256f83d9a
SHA256 ccbc6a74626567264f1bc84237621a994a248191018940efe1c82043a8a95c2a
SHA512 5b35200c0391ab13626d1aecb801fddd00ea21cebfb2bb367c0d3c50cd4b5ca4cae1aebe317e729ffdf6866b78bd12c3dc406f1b46a0cac80660719dc51437e4

C:\Windows\System\qGILSdQ.exe

MD5 372b056158c2b35c571a2ffb8f660b65
SHA1 17c21a7c077eaa980212775011a6d1c801319560
SHA256 edecfbb018b0035a50ebaba9c6262ac433561994979a99b639f37209f80c5642
SHA512 68efa700b90b0a311833597e5829fd3bb5b6369fb4f852c3e4bdd864fde8a00cd29129971498d7268fc5650aa6fcd0128e5d495d35069219791a256174baf3a5

C:\Windows\System\QrabAth.exe

MD5 7e43a3296d65461aa258f65529831b58
SHA1 288c834bc4c5aa956a9ccd932c246a3f2d625108
SHA256 fe97853e98c09de2719d6f1f0210d7f6775c071ed732d9bc7751faa178153512
SHA512 d08559d41bd204ac38ca8488e0bd0404b3e43efeb80689624e12fe197f9154da1dd33247c40613cbfb8e73ca817ebddcf2bfa6386bf3b9cdf91bcb6db5d0a633

C:\Windows\System\zfeijFF.exe

MD5 da05abc8a2c2a0dd39d7c25c4a754f0d
SHA1 d02c7241816b624c2264791c2be7f22afd32f09e
SHA256 5b8e3f0cbc0b0b7ad3dbbc6b32efc45012c8bdb61ea44f0e52dc52bf4ba13524
SHA512 2a638af7fb06ce837752391fff753a1dab4c75b203b4be257c91775df5cde4225d7b1be8b2a529b2dc4f9ad967f16935f0980f92c8636542cfb8ddee4c6e066a

memory/228-79-0x00007FF7FD410000-0x00007FF7FD761000-memory.dmp

C:\Windows\System\VXlYSdL.exe

MD5 19777df9b6c6ad0be0b81b84f18a8e6d
SHA1 e6beea9077b4e5f2c993af602108d61f3e83ada1
SHA256 5bca855bdf8101528e62ff0c15ea84ed48f3fb33e8cabf4b8363efa9fa119418
SHA512 f7494c6c39196b93f70bc4f2164691dd47b3b3339b13955bc03f8174b7076a7cc0104e4e582d9cd374262d61bf6d3068408f954e52d9616eff094d5650084c2f

memory/848-78-0x00007FF75EF90000-0x00007FF75F2E1000-memory.dmp

memory/1148-64-0x00007FF6AECB0000-0x00007FF6AF001000-memory.dmp

C:\Windows\System\loeOZmw.exe

MD5 529f4a038cdb4a12b53ddc6eeba61c85
SHA1 529af4aecb5bd9b78d46b2afc9575ac30ff841d0
SHA256 5cd820fa8ed9a5cfa3d7c9374a20e9d6d325dd5e1faa77315b8f135884c44e1c
SHA512 ee8ddbe80e7544f2620ea564e789558fff23f73383e27f3ebbf9ed264a35af0f702ffac965c364b96d853ebf4be54ec9de67b9fc10843e8e44981a031975d74c

memory/4116-51-0x00007FF719100000-0x00007FF719451000-memory.dmp

memory/3948-48-0x00007FF686450000-0x00007FF6867A1000-memory.dmp

memory/4604-43-0x00007FF6FA2A0000-0x00007FF6FA5F1000-memory.dmp

C:\Windows\System\xJZkNib.exe

MD5 0fcd6d5054f75ca8bb83e31006edfb0e
SHA1 d12d61a078f64f4b228754847e37e63197205cb6
SHA256 ed598494c1d15f9240606172faab3f817c87e1a527af8fef9fe0ab5351f020d5
SHA512 3725b73bd33003f6a0155cc0d059529010f7e9e0b71277cf072a70107c6ba01c6a24a9f1e97e7e871e951ec5a06fab16cbc34fd082ba98c327323ebb4ba51ddb

memory/3972-35-0x00007FF62BAE0000-0x00007FF62BE31000-memory.dmp

C:\Windows\System\gMfLKvE.exe

MD5 b02bd766152ac90996b419cf56322d0e
SHA1 2fcd538f57973ff279ed1b8b0bc89d3f82b4d356
SHA256 310cfc7bde44f3da8f0dd10653d68749a26f7c3be9e7c9fbfc90bd0507200cb5
SHA512 16520285639b1c8c020ca3fa777bdd1de0cdaa4d55d79eeb7a6844ba560a1a5fd8584b56bea47146667a741da510a1744d437d7bacfd3849884abbcefbc224e4

memory/1556-27-0x00007FF64B7D0000-0x00007FF64BB21000-memory.dmp

memory/2388-24-0x00007FF7A4BF0000-0x00007FF7A4F41000-memory.dmp

C:\Windows\System\UDsFoBF.exe

MD5 7291ac4a140590c82eeb9404a2078a82
SHA1 604e3dcc561152fffb94c451decc42119b500189
SHA256 d70eefbe972348229d8cc89493be04a2dfd41b105589d0319c04864255b44e58
SHA512 b9f6be1a6d993ff02ff87cf7c8e6b33938acb8b016f51aab328b3524489f2b3a7e679cbe0aae204e18ccb57ce3e04f7cd017375fb970b3c19b1a5bb5ef902698

memory/1016-13-0x00007FF745C80000-0x00007FF745FD1000-memory.dmp

C:\Windows\System\kjoDJsY.exe

MD5 1dcf143d8abd965ed74c66c6879b881e
SHA1 9dc553fb0d0989084dc7843ede39360b3ffad0d3
SHA256 e7becec63235324355e4eed45936b2b5bb9f989444b6ca5a0a48023a59b350f7
SHA512 2e1ffb75779bdafa91b7c97da7ad34c27c44d4798f2a79df6759d2d3331d8c19df05749eb2ff4a38b492c688380e739dfd327da5a57c418d8c7d03a29c37a87d

memory/4148-126-0x00007FF68BEC0000-0x00007FF68C211000-memory.dmp

memory/1004-127-0x00007FF7AB880000-0x00007FF7ABBD1000-memory.dmp

memory/1500-125-0x00007FF6E11B0000-0x00007FF6E1501000-memory.dmp

memory/4048-124-0x00007FF7620D0000-0x00007FF762421000-memory.dmp

memory/1016-130-0x00007FF745C80000-0x00007FF745FD1000-memory.dmp

memory/2388-131-0x00007FF7A4BF0000-0x00007FF7A4F41000-memory.dmp

memory/1148-137-0x00007FF6AECB0000-0x00007FF6AF001000-memory.dmp

memory/848-139-0x00007FF75EF90000-0x00007FF75F2E1000-memory.dmp

memory/4540-144-0x00007FF7B83F0000-0x00007FF7B8741000-memory.dmp

memory/3920-150-0x00007FF7E1700000-0x00007FF7E1A51000-memory.dmp

memory/1576-142-0x00007FF7E8150000-0x00007FF7E84A1000-memory.dmp

memory/228-140-0x00007FF7FD410000-0x00007FF7FD761000-memory.dmp

memory/4116-136-0x00007FF719100000-0x00007FF719451000-memory.dmp

memory/3972-134-0x00007FF62BAE0000-0x00007FF62BE31000-memory.dmp

memory/528-129-0x00007FF6EE920000-0x00007FF6EEC71000-memory.dmp

memory/3920-128-0x00007FF7E1700000-0x00007FF7E1A51000-memory.dmp

memory/3920-151-0x00007FF7E1700000-0x00007FF7E1A51000-memory.dmp

memory/528-196-0x00007FF6EE920000-0x00007FF6EEC71000-memory.dmp

memory/1016-198-0x00007FF745C80000-0x00007FF745FD1000-memory.dmp

memory/1556-200-0x00007FF64B7D0000-0x00007FF64BB21000-memory.dmp

memory/4604-202-0x00007FF6FA2A0000-0x00007FF6FA5F1000-memory.dmp

memory/2388-204-0x00007FF7A4BF0000-0x00007FF7A4F41000-memory.dmp

memory/3948-206-0x00007FF686450000-0x00007FF6867A1000-memory.dmp

memory/3972-208-0x00007FF62BAE0000-0x00007FF62BE31000-memory.dmp

memory/4116-210-0x00007FF719100000-0x00007FF719451000-memory.dmp

memory/1148-213-0x00007FF6AECB0000-0x00007FF6AF001000-memory.dmp

memory/1620-218-0x00007FF6EC8D0000-0x00007FF6ECC21000-memory.dmp

memory/848-217-0x00007FF75EF90000-0x00007FF75F2E1000-memory.dmp

memory/1576-220-0x00007FF7E8150000-0x00007FF7E84A1000-memory.dmp

memory/228-215-0x00007FF7FD410000-0x00007FF7FD761000-memory.dmp

memory/4540-226-0x00007FF7B83F0000-0x00007FF7B8741000-memory.dmp

memory/100-225-0x00007FF781440000-0x00007FF781791000-memory.dmp

memory/2208-223-0x00007FF765810000-0x00007FF765B61000-memory.dmp

memory/4384-228-0x00007FF697820000-0x00007FF697B71000-memory.dmp

memory/4048-235-0x00007FF7620D0000-0x00007FF762421000-memory.dmp

memory/4148-240-0x00007FF68BEC0000-0x00007FF68C211000-memory.dmp

memory/1004-238-0x00007FF7AB880000-0x00007FF7ABBD1000-memory.dmp

memory/1500-241-0x00007FF6E11B0000-0x00007FF6E1501000-memory.dmp