Malware Analysis Report

2025-01-22 19:21

Sample ID 240805-nhgafsvcnn
Target 2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat
SHA256 b6330aa6ad5b8d4b82f5d67e6c438a659a291023205432918b2857b4f1ebcaa1
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b6330aa6ad5b8d4b82f5d67e6c438a659a291023205432918b2857b4f1ebcaa1

Threat Level: Known bad

The file 2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

XMRig Miner payload

Xmrig family

Cobaltstrike

Cobaltstrike family

xmrig

Cobalt Strike reflective loader

XMRig Miner payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-05 11:23

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-05 11:23

Reported

2024-08-05 11:26

Platform

win7-20240704-en

Max time kernel

140s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\aEfeUjL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ANnnJLw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xhbaLTm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qfQuQpS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AIIUfuS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iMinXDB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aeknmhS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TUjQFZR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IPmFYBL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VkYBQVm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bbblEDC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OKYtesG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hFaHaDQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VJIJGtt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gCOejuO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ImWLZWF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DcVhoMX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xugdbpH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iUQHGOf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rBfcncX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ezGajaz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1940 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aeknmhS.exe
PID 1940 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bbblEDC.exe
PID 1940 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aEfeUjL.exe
PID 1940 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OKYtesG.exe
PID 1940 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ANnnJLw.exe
PID 1940 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hFaHaDQ.exe
PID 1940 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VJIJGtt.exe
PID 1940 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xugdbpH.exe
PID 1940 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gCOejuO.exe
PID 1940 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xhbaLTm.exe
PID 1940 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qfQuQpS.exe
PID 1940 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iUQHGOf.exe
PID 1940 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rBfcncX.exe
PID 1940 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TUjQFZR.exe
PID 1940 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AIIUfuS.exe
PID 1940 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IPmFYBL.exe
PID 1940 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ImWLZWF.exe
PID 1940 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DcVhoMX.exe
PID 1940 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ezGajaz.exe
PID 1940 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iMinXDB.exe
PID 1940 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VkYBQVm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\aeknmhS.exe

C:\Windows\System\aeknmhS.exe

C:\Windows\System\bbblEDC.exe

C:\Windows\System\bbblEDC.exe

C:\Windows\System\aEfeUjL.exe

C:\Windows\System\aEfeUjL.exe

C:\Windows\System\OKYtesG.exe

C:\Windows\System\OKYtesG.exe

C:\Windows\System\ANnnJLw.exe

C:\Windows\System\ANnnJLw.exe

C:\Windows\System\hFaHaDQ.exe

C:\Windows\System\hFaHaDQ.exe

C:\Windows\System\VJIJGtt.exe

C:\Windows\System\VJIJGtt.exe

C:\Windows\System\xugdbpH.exe

C:\Windows\System\xugdbpH.exe

C:\Windows\System\gCOejuO.exe

C:\Windows\System\gCOejuO.exe

C:\Windows\System\xhbaLTm.exe

C:\Windows\System\xhbaLTm.exe

C:\Windows\System\qfQuQpS.exe

C:\Windows\System\qfQuQpS.exe

C:\Windows\System\iUQHGOf.exe

C:\Windows\System\iUQHGOf.exe

C:\Windows\System\rBfcncX.exe

C:\Windows\System\rBfcncX.exe

C:\Windows\System\TUjQFZR.exe

C:\Windows\System\TUjQFZR.exe

C:\Windows\System\AIIUfuS.exe

C:\Windows\System\AIIUfuS.exe

C:\Windows\System\IPmFYBL.exe

C:\Windows\System\IPmFYBL.exe

C:\Windows\System\ImWLZWF.exe

C:\Windows\System\ImWLZWF.exe

C:\Windows\System\DcVhoMX.exe

C:\Windows\System\DcVhoMX.exe

C:\Windows\System\ezGajaz.exe

C:\Windows\System\ezGajaz.exe

C:\Windows\System\iMinXDB.exe

C:\Windows\System\iMinXDB.exe

C:\Windows\System\VkYBQVm.exe

C:\Windows\System\VkYBQVm.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2776-234-0x000000013FB10000-0x000000013FE61000-memory.dmp

memory/2600-235-0x000000013F840000-0x000000013FB91000-memory.dmp

memory/2716-237-0x000000013FBB0000-0x000000013FF01000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-05 11:23

Reported

2024-08-05 11:26

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 identical rows; the sandbox recorded no per-hit detail)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(46 identical rows; the sandbox recorded no per-hit detail)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows; the sandbox recorded no per-hit detail)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\TDtxaEz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VeZgqws.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KvWxVVi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KDuhgRH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EjSfmKr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uJolzlY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NCRQppb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ekrFrJA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iLJpBqO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AsOBupJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MXKehdQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cqfsXCK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZYBJtDg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PBYGtPg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ypQPJHw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TJwUBgp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QVUUuOF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xHEEiHc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qTZimxG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\blKlifm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JjTZXWE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2028 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TJwUBgp.exe
PID 2028 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TJwUBgp.exe
PID 2028 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uJolzlY.exe
PID 2028 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uJolzlY.exe
PID 2028 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QVUUuOF.exe
PID 2028 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QVUUuOF.exe
PID 2028 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NCRQppb.exe
PID 2028 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NCRQppb.exe
PID 2028 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TDtxaEz.exe
PID 2028 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TDtxaEz.exe
PID 2028 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VeZgqws.exe
PID 2028 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VeZgqws.exe
PID 2028 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KvWxVVi.exe
PID 2028 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KvWxVVi.exe
PID 2028 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MXKehdQ.exe
PID 2028 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MXKehdQ.exe
PID 2028 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cqfsXCK.exe
PID 2028 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cqfsXCK.exe
PID 2028 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZYBJtDg.exe
PID 2028 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZYBJtDg.exe
PID 2028 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xHEEiHc.exe
PID 2028 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xHEEiHc.exe
PID 2028 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qTZimxG.exe
PID 2028 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qTZimxG.exe
PID 2028 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ekrFrJA.exe
PID 2028 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ekrFrJA.exe
PID 2028 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PBYGtPg.exe
PID 2028 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PBYGtPg.exe
PID 2028 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KDuhgRH.exe
PID 2028 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KDuhgRH.exe
PID 2028 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iLJpBqO.exe
PID 2028 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iLJpBqO.exe
PID 2028 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\blKlifm.exe
PID 2028 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\blKlifm.exe
PID 2028 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JjTZXWE.exe
PID 2028 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JjTZXWE.exe
PID 2028 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AsOBupJ.exe
PID 2028 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AsOBupJ.exe
PID 2028 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EjSfmKr.exe
PID 2028 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EjSfmKr.exe
PID 2028 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ypQPJHw.exe
PID 2028 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ypQPJHw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_4c651e70262f4aad02792a7447307c10_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\TJwUBgp.exe

C:\Windows\System\TJwUBgp.exe

C:\Windows\System\uJolzlY.exe

C:\Windows\System\uJolzlY.exe

C:\Windows\System\QVUUuOF.exe

C:\Windows\System\QVUUuOF.exe

C:\Windows\System\NCRQppb.exe

C:\Windows\System\NCRQppb.exe

C:\Windows\System\TDtxaEz.exe

C:\Windows\System\TDtxaEz.exe

C:\Windows\System\VeZgqws.exe

C:\Windows\System\VeZgqws.exe

C:\Windows\System\KvWxVVi.exe

C:\Windows\System\KvWxVVi.exe

C:\Windows\System\MXKehdQ.exe

C:\Windows\System\MXKehdQ.exe

C:\Windows\System\cqfsXCK.exe

C:\Windows\System\cqfsXCK.exe

C:\Windows\System\ZYBJtDg.exe

C:\Windows\System\ZYBJtDg.exe

C:\Windows\System\xHEEiHc.exe

C:\Windows\System\xHEEiHc.exe

C:\Windows\System\qTZimxG.exe

C:\Windows\System\qTZimxG.exe

C:\Windows\System\ekrFrJA.exe

C:\Windows\System\ekrFrJA.exe

C:\Windows\System\PBYGtPg.exe

C:\Windows\System\PBYGtPg.exe

C:\Windows\System\KDuhgRH.exe

C:\Windows\System\KDuhgRH.exe

C:\Windows\System\iLJpBqO.exe

C:\Windows\System\iLJpBqO.exe

C:\Windows\System\blKlifm.exe

C:\Windows\System\blKlifm.exe

C:\Windows\System\JjTZXWE.exe

C:\Windows\System\JjTZXWE.exe

C:\Windows\System\AsOBupJ.exe

C:\Windows\System\AsOBupJ.exe

C:\Windows\System\EjSfmKr.exe

C:\Windows\System\EjSfmKr.exe

C:\Windows\System\ypQPJHw.exe

C:\Windows\System\ypQPJHw.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 6.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
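The Network table holds two kinds of rows: repeated TCP connections to 3.120.209.58:8080, and PTR queries sent to 8.8.8.8, i.e. the guest asking for the hostname of an address written back to front under in-addr.arpa. The report does not say what 3.120.209.58:8080 is; it is simply the only non-DNS destination in this run. The following added example (not sandbox output) parses the rows as copied from the table, decodes the PTR names back into addresses so they can be compared with the direct connections, and counts the direct connections per destination. The ip6.arpa branch is included for completeness; the report has no such rows.

```python
"""Added example, not part of the sandbox report: summarise the Network table.

Rows are copied from the table (Country Destination [Domain] Proto); the parsing
and the PTR-name decoding are this example's own.
"""
import ipaddress
from collections import Counter

NETWORK_ROWS = [
    "DE 3.120.209.58:8080 tcp",
    "US 8.8.8.8:53 6.181.190.20.in-addr.arpa udp",
    "US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp",
    "US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp",
    "US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp",
    "US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp",
    "US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp",
    "DE 3.120.209.58:8080 tcp",
    "DE 3.120.209.58:8080 tcp",
    "DE 3.120.209.58:8080 tcp",
    "US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp",
    "US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp",
    "DE 3.120.209.58:8080 tcp",
    "DE 3.120.209.58:8080 tcp",
]


def parse_row(row):
    """Split one row; the Domain column is absent on plain connection rows."""
    parts = row.split()
    if len(parts) == 3:
        country, dest, proto = parts
        domain = None
    elif len(parts) == 4:
        country, dest, domain, proto = parts
    else:
        raise ValueError(f"unexpected row layout: {row!r}")
    host, _, port = dest.rpartition(":")
    return {"country": country, "host": host, "port": int(port),
            "domain": domain, "proto": proto}


def ptr_to_ip(name):
    """Decode a reverse-lookup name back to the address it asks about.

    in-addr.arpa names carry the IPv4 octets back to front; ip6.arpa names carry
    the 32 hex nibbles of an IPv6 address back to front, one label each.
    """
    name = name.rstrip(".").lower()
    if name.endswith(".in-addr.arpa"):
        octets = name[:-len(".in-addr.arpa")].split(".")
        if len(octets) != 4:
            raise ValueError(f"not a full IPv4 PTR name: {name}")
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    if name.endswith(".ip6.arpa"):
        nibbles = name[:-len(".ip6.arpa")].split(".")
        if len(nibbles) != 32:
            raise ValueError(f"not a full IPv6 PTR name: {name}")
        digits = "".join(reversed(nibbles))
        groups = [digits[i:i + 4] for i in range(0, 32, 4)]
        return str(ipaddress.IPv6Address(":".join(groups)))
    raise ValueError(f"not a PTR name: {name}")


def summarize(rows):
    """Count direct connections per (host, port, proto) and collect the addresses
    and hostnames the guest asked the resolver about."""
    direct = Counter()
    reverse, forward = set(), set()
    for r in map(parse_row, rows):
        if r["domain"] is None:
            direct[(r["host"], r["port"], r["proto"])] += 1
        elif r["domain"].endswith((".in-addr.arpa", ".ip6.arpa")):
            reverse.add(ptr_to_ip(r["domain"]))
        else:
            forward.add(r["domain"])
    return {"direct": direct, "reverse_lookups": sorted(reverse),
            "forward_lookups": sorted(forward)}


if __name__ == "__main__":
    s = summarize(NETWORK_ROWS)
    for (host, port, proto), n in s["direct"].most_common():
        print(f"{n:2d}x {proto} {host}:{port}")
    print("addresses reverse-resolved via 8.8.8.8:", ", ".join(s["reverse_lookups"]))
```

None of the reverse-resolved addresses appears as a direct destination in the table, so the PTR traffic and the 3.120.209.58:8080 connections are separate threads of activity; which of them belongs to the sample and which to the guest's own background traffic is not something the table alone settles.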

Files

memory/2028-0-0x00007FF62CAC0000-0x00007FF62CE11000-memory.dmp

memory/2028-1-0x0000021535000000-0x0000021535010000-memory.dmp

C:\Windows\System\TJwUBgp.exe

MD5 99081566ff0b8e31ea1f702437a9360e
SHA1 de10623132f3dac16f4c6b7d35e4db4905b1a5e6
SHA256 e069275d9e36938bbd0f322bfd9288d7e74244274f000934e7917bc87b61cd4c
SHA512 59a7e989a7625300b8b59dc3179768725607e09e6b1a57a72c4bda281a16c7e94757af2a955311a6e04fdd76cba70d340437df39592a461f87f30109b67e377f

memory/2120-6-0x00007FF7F9FC0000-0x00007FF7FA311000-memory.dmp

memory/2748-12-0x00007FF778B60000-0x00007FF778EB1000-memory.dmp

C:\Windows\System\uJolzlY.exe

MD5 588cabc79193e5d2dda9c814c778b5ec
SHA1 7631a05ed48c24b67a230b3ada34c548dfe28f8f
SHA256 966de14d03ecc6db10658833abebfd04c366cdebd4d88da03883638c22955d7c
SHA512 f632b0960d132f542bc8449a5982950dd69fcc2e685aae7fd2da27af722197049afe80dd6e5b495e88c8f0934df34f15b9ffbb831cf7484176809286b4ea12f2

C:\Windows\System\QVUUuOF.exe

MD5 bc10305abedecebdd342ecec86003fc0
SHA1 2de3bf97caba8073ceff6b59426c4d125114dc28
SHA256 67593e80d75e7f75b28bb16cbce22e833e63894979fe7687f761af94cb32bd10
SHA512 ecd8dee76af4e557bcd9ad5535b69d62cedc03fa1b28ed58cd171f51009a74b257efd68fbf570017dc92bf55ae369b0262f7dd971bd8c4119b4477112df173e3

C:\Windows\System\NCRQppb.exe

MD5 4b3cca69d4ee454590a0ecdda2f58513
SHA1 41d7aab6299a5766f1f21d65fee21770423f321f
SHA256 19585e04fe11cb0574801c0c17582dd96cee961c5b58bb313c2efefa91d4b463
SHA512 39c8a1c9aac779d0e813a8fd5145939912ad18e74990fe215e50ba22f890655ac375699ca595e91af90aec2164342d2a1fb1248589ae025543f7e0dc17c269a6

C:\Windows\System\TDtxaEz.exe

MD5 bae66519fbddb6bf24b35c84c562dfce
SHA1 22a6e83d36608c0fd8b7745190578a1a2ca21a34
SHA256 4f2ddbb97a0a8f8665bc609db2cf7df5761642ca107400887fb276f122c7ff14
SHA512 d1ff3d68574e743a849d4bad2164aa5e5762f16c3a4c9fedb1b74d143cd057b903083d363626d5f76887a4e2889fd7b143d62c1ff12ede739487b2629b6715a6

C:\Windows\System\VeZgqws.exe

MD5 8aff5769580635dadea083bc4abf8e8a
SHA1 88f20f891a014b5ef8fec137e1628a292a715d68
SHA256 e85d4fcdd871d35f8ddc1ce2bc50e0f127509558c6719b85ee6ddb46ed3f5b08
SHA512 65c036f31f55f7d3ea1486c6f7783945eb7ed4df68a55f77eca88a154f1de147f00fff70a8e0f8fc77f8ceccd95a18ee4b8d0f965297e30c29e139f20ad55a6b

memory/4508-37-0x00007FF69A2C0000-0x00007FF69A611000-memory.dmp

C:\Windows\System\MXKehdQ.exe

MD5 e8c45b2843795bb3fe9c0dab58f9684a
SHA1 1b60d5e5a52339589cf13a06dbcc7a8e672601a5
SHA256 55d68921e9eebe7369df8634fbf8c0e83f935a5980e0050a1841d1b4b37a9a54
SHA512 9097797a6ee43f05a4e760584b1d4bf9490eb9becfb27fe404272d671f0e761f7b43d4d84863d7c00b88685fa42b1c378aa319802dad241ea744130bbdc65317

C:\Windows\System\ZYBJtDg.exe

MD5 ad03569993e240bc85c84bef0f9d4d91
SHA1 0eba77a10f3121f6f74d839cf7f4a06a8cb93d16
SHA256 f1946f94cc7e965bf120342f5a01b9c8feb408b89e639dc62518c9a62c9b1e12
SHA512 e8e744a8468f81b13d27eb3123b7d5f13c91b6ab7547c18d0b43b6fe9d092301eec870db9462aadb02b6d0cec83fc7062c30ee570e91a4d8e82508d0411235a3

C:\Windows\System\ekrFrJA.exe

MD5 8c693235125736ebac96fb56dbf55dcb
SHA1 a8cd3ed46acc8047f6d289aeb74bf58bc9ca6237
SHA256 efd289945de86e5fa8e9215481338aaa56c1af3efbe60aab83afe386363cfcb3
SHA512 497729ed4d174b756460bc32050e7eb2aae2d1f8bb67dae2cd6117aae3db89ef52244853a26e8342809d6da36be3ffaf48f49921aab752677250a1124b372174

C:\Windows\System\PBYGtPg.exe

MD5 0de64edbdb394547d613250f90c793bf
SHA1 d3d2a5c3f1992be8b2713feeee94bdceb59ebb84
SHA256 3c616d33d84b1f2559231467fd257fe8f7a7c65c139bee7c4fd2c876e5bdd0da
SHA512 5f95a441888e3d54fef5384b9a70b8eda0b7056998ae27de1c97152f04cbc827bf2a727ad35ba13cb1be66123d21fc0cf75bd02ea2bac46255e385d0628145c3

memory/2888-95-0x00007FF6D2EB0000-0x00007FF6D3201000-memory.dmp

memory/4992-99-0x00007FF7E3E20000-0x00007FF7E4171000-memory.dmp

C:\Windows\System\iLJpBqO.exe

MD5 097fec3a77c348796131110131335c35
SHA1 04d24e460c3e912d7f9386e8a56c5bb7dd745579
SHA256 a24c1a7b52dac98279aedbefa9a2b6b156ce8e2123742a84ea0697f158fbfe11
SHA512 19784e1c843c27773cd2e4b280d1ee6516d5d4f2ee17d847c66d3797344b0757cb1371214d14d0d06f622bdac82324b74b263532c6886e493a6e6b1ac1a3ed72

memory/2028-96-0x00007FF62CAC0000-0x00007FF62CE11000-memory.dmp

C:\Windows\System\KDuhgRH.exe

MD5 e3d36813ed312dd5d5d98c0e96c71986
SHA1 17f4415901a1e4ae05f9ff6ea686f0d9d0467d7a
SHA256 e8cf52cb284852c1985baca0c39973435c1fbd4f2d93b502dcbd9ab35cca7423
SHA512 cf967dbaec63a9334b86104e38b9e8d173239baa75e38a1bdfe583af1001919fa8ffafacceb460e6f47c5b46c608fb309e2e8a862e144bbcc1dbb5abc8b8f3a8

memory/4776-90-0x00007FF62CB00000-0x00007FF62CE51000-memory.dmp

memory/2452-86-0x00007FF768E70000-0x00007FF7691C1000-memory.dmp

memory/1800-85-0x00007FF7F3770000-0x00007FF7F3AC1000-memory.dmp

C:\Windows\System\qTZimxG.exe

MD5 b3afcb72c6d9844851f1ed50d51c57a1
SHA1 0319b64c13200169646be0ec584f888199d4527b
SHA256 d08d8a1e475dff08890fd5dd4332477c1190d976c8737f30b92accfa561008ba
SHA512 dd58f4a3230082461b11bacc4cc2dd5986e6b2c2482cb026efa781bc904fbb2c39d9384b61d21b3fcf8c0d9c15e75f1f7d2abe525c98702e5d9cd22fff1a715a

memory/880-78-0x00007FF617080000-0x00007FF6173D1000-memory.dmp

C:\Windows\System\xHEEiHc.exe

MD5 a1a0c6d4a816774c9a4712a0c824493e
SHA1 e2ae0d6b80bc5bff43c01f08a2323e7c4a21a19b
SHA256 f792f0451774f15bb7c9e72fe632d9fa7a4d6a3ec89b720b0fdbb693a81194f8
SHA512 072c819737eb4495d2841d44b60a23e3f2f70a5ce8349d42dfca1ba478d0084ab803046c1ecc70de086b3cc4cbdd7ba8bed6fbe5f7a6aecbfa3b848208f80972

memory/2032-69-0x00007FF62A210000-0x00007FF62A561000-memory.dmp

memory/3844-68-0x00007FF6B3F40000-0x00007FF6B4291000-memory.dmp

memory/4016-61-0x00007FF6899A0000-0x00007FF689CF1000-memory.dmp

C:\Windows\System\cqfsXCK.exe

MD5 cc29fa5cb94a0160b7a0dac5c2cda1f1
SHA1 505d7cd1a3050d007ac1ca9f29851e9938483777
SHA256 dd93d49d357e0cd3a69ec893570b6d8bead1dd603949a2a7eeba57734a288dc8
SHA512 193a0caf26405df1edace3b02227a218d6250b8ef0fc02b6b58f8e3597c1e9486bfb44c39b5cb36ed73405fed444e5516337b6753960cebce69d7b403d5e804e

C:\Windows\System\KvWxVVi.exe

MD5 3abc36ff98617802eac1f38c7f5ad277
SHA1 c413eb7136156818a8371e9709cafdc336c2dd0b
SHA256 ae0fbbb37d722a582b5b5753509e258abfae91a1a2ecdba24904918c7136ed92
SHA512 a7696227306d987f09e370d4290da5faf22a5ff4979560cdc1504a7784032baa9fd97b9df60390e4fe7c9b3630b64af693787f603c6ff54e544b3ee60ec10ceb

memory/2636-43-0x00007FF70FBC0000-0x00007FF70FF11000-memory.dmp

memory/3512-40-0x00007FF763080000-0x00007FF7633D1000-memory.dmp

memory/2092-28-0x00007FF699D60000-0x00007FF69A0B1000-memory.dmp

memory/2940-18-0x00007FF787180000-0x00007FF7874D1000-memory.dmp

C:\Windows\System\blKlifm.exe

MD5 1661aca162b6216dc1b34ff1f23c3cc0
SHA1 f9e7f4744e38812a158ec26fee3be678fb6412c7
SHA256 66e29798fbab8e09ab4601cad75348c62c5a1229265f27439f39ded76cb62ab5
SHA512 b934f4692ec1230a1fec1da6bfb3abdc37fa2a0da6d4d4f40fc208d15fe74c5b1e269ee950330f64444fd15c14d3964929c28ace6da51f161b47e30759e94c60

C:\Windows\System\JjTZXWE.exe

MD5 2845eb077d94280ac9d4a663873d34c2
SHA1 886d6813bd0a7b90fb44ca2443729a65c7b7e208
SHA256 c8c51366ad215b27d1752ec487505b4609d6035e2debb40f3f339aa6e771f465
SHA512 99e21f498b41cb81a0db2b3d0c6a2b641812b2242c23068cbc0913e02c587563d6e4f3a357cad877afb57ae111d761d583626e0a3f159755f747f27cd1d87077

memory/5032-108-0x00007FF6A11E0000-0x00007FF6A1531000-memory.dmp

C:\Windows\System\EjSfmKr.exe

MD5 cad8f98d54188d32b9bcd2c77e357717
SHA1 374632b1394f4b8b210c3fdcf93fc9850f6f989a
SHA256 0307cc93c7185a17d85c9a73f26e0d067f3ba2b112e81d17063f8787c36b133a
SHA512 3c1c28abd888c98c3fb5d121d15579706604134f1c6327a7b2d3dbb49481f386b097e5cbf752f5051a51d48c6a57b4bc5d1636130b601a92438cf4683134a68b

C:\Windows\System\AsOBupJ.exe

MD5 ba25260e54b9eb85d4bf4c95804fb222
SHA1 e426cd21ab45dfbf7eb38be1cf1a6a7059e15bef
SHA256 c0c61115270de1374d621976bb9ae6a1d4f7f5056d7d708a840586093c5c73db
SHA512 c20397b4924277903ba845e72216ba6ae33695790fb1db6197d3991443ccdf85fbd6ed51996fcc5f37c2265d05d296f245f38797259c2e2b8235a63b4506f4dd

C:\Windows\System\ypQPJHw.exe

MD5 e1eda213dde9e076ae8bb700c5a8da7d
SHA1 f95712596b2a06a317aeab14430407bffb450c82
SHA256 b7307bafb003cfdf0b5eda31978373498a6d7112486c3a46fd086e4e530e4be8
SHA512 a288b0a8ca149cce9f9c3e949d23725736116c812b9a6e73dcf0c494e454d2e2a002ababc8cafbb43d41109ed43e85edb66cb4bff83b886eaab2150846ba617b

memory/212-122-0x00007FF6D4B10000-0x00007FF6D4E61000-memory.dmp

memory/2940-120-0x00007FF787180000-0x00007FF7874D1000-memory.dmp

memory/2268-118-0x00007FF701BE0000-0x00007FF701F31000-memory.dmp

memory/2748-114-0x00007FF778B60000-0x00007FF778EB1000-memory.dmp

memory/2120-107-0x00007FF7F9FC0000-0x00007FF7FA311000-memory.dmp

memory/4500-130-0x00007FF6C3DC0000-0x00007FF6C4111000-memory.dmp

memory/2028-131-0x00007FF62CAC0000-0x00007FF62CE11000-memory.dmp

memory/2032-142-0x00007FF62A210000-0x00007FF62A561000-memory.dmp

memory/2888-145-0x00007FF6D2EB0000-0x00007FF6D3201000-memory.dmp

memory/4388-147-0x00007FF73DCF0000-0x00007FF73E041000-memory.dmp

memory/4776-144-0x00007FF62CB00000-0x00007FF62CE51000-memory.dmp

memory/1800-143-0x00007FF7F3770000-0x00007FF7F3AC1000-memory.dmp

memory/3844-140-0x00007FF6B3F40000-0x00007FF6B4291000-memory.dmp

memory/4016-139-0x00007FF6899A0000-0x00007FF689CF1000-memory.dmp

memory/2636-138-0x00007FF70FBC0000-0x00007FF70FF11000-memory.dmp

memory/2452-146-0x00007FF768E70000-0x00007FF7691C1000-memory.dmp

memory/4992-148-0x00007FF7E3E20000-0x00007FF7E4171000-memory.dmp

memory/4500-152-0x00007FF6C3DC0000-0x00007FF6C4111000-memory.dmp

memory/212-151-0x00007FF6D4B10000-0x00007FF6D4E61000-memory.dmp

memory/2028-154-0x00007FF62CAC0000-0x00007FF62CE11000-memory.dmp

memory/2120-213-0x00007FF7F9FC0000-0x00007FF7FA311000-memory.dmp

memory/2748-215-0x00007FF778B60000-0x00007FF778EB1000-memory.dmp

memory/2940-217-0x00007FF787180000-0x00007FF7874D1000-memory.dmp

memory/2092-219-0x00007FF699D60000-0x00007FF69A0B1000-memory.dmp

memory/3512-222-0x00007FF763080000-0x00007FF7633D1000-memory.dmp

memory/4508-223-0x00007FF69A2C0000-0x00007FF69A611000-memory.dmp

memory/2636-225-0x00007FF70FBC0000-0x00007FF70FF11000-memory.dmp

memory/4016-227-0x00007FF6899A0000-0x00007FF689CF1000-memory.dmp

memory/3844-229-0x00007FF6B3F40000-0x00007FF6B4291000-memory.dmp

memory/880-231-0x00007FF617080000-0x00007FF6173D1000-memory.dmp

memory/1800-235-0x00007FF7F3770000-0x00007FF7F3AC1000-memory.dmp

memory/2032-234-0x00007FF62A210000-0x00007FF62A561000-memory.dmp

memory/4776-239-0x00007FF62CB00000-0x00007FF62CE51000-memory.dmp

memory/2888-241-0x00007FF6D2EB0000-0x00007FF6D3201000-memory.dmp

memory/4992-243-0x00007FF7E3E20000-0x00007FF7E4171000-memory.dmp

memory/2452-238-0x00007FF768E70000-0x00007FF7691C1000-memory.dmp

memory/5032-250-0x00007FF6A11E0000-0x00007FF6A1531000-memory.dmp

memory/2268-252-0x00007FF701BE0000-0x00007FF701F31000-memory.dmp

memory/4388-255-0x00007FF73DCF0000-0x00007FF73E041000-memory.dmp

memory/212-256-0x00007FF6D4B10000-0x00007FF6D4E61000-memory.dmp

memory/4500-258-0x00007FF6C3DC0000-0x00007FF6C4111000-memory.dmp
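The Files section is a flat list of two record types: dumped memory regions named memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, and dropped executables each followed by MD5, SHA1, SHA256 and SHA512 lines. The added example below (not sandbox output) parses an excerpt copied from the section, checks that every digest has the number of hex digits its algorithm requires (a transcription check worth running before hashes go into a blocklist), and computes each region's size from its address range. On the excerpt, as on every image region listed above, the region is 0x351000 bytes for the sample (PID 2028) and for each dropped child alike; only the 2028-1 region, at 0x10000 bytes, differs. Twenty-one distinct hashes over images of identical size is consistent with the sample writing out variants of one payload, though the report does not state that directly.

```python
"""Added example, not part of the sandbox report: parse the Files section into
a per-file hash table and a table of dumped memory regions.

The excerpt is copied from the section; the parsing and checks are this
example's own.
"""
import re
from collections import defaultdict

FILES_EXCERPT = r"""
memory/2028-0-0x00007FF62CAC0000-0x00007FF62CE11000-memory.dmp

memory/2028-1-0x0000021535000000-0x0000021535010000-memory.dmp

C:\Windows\System\TJwUBgp.exe

MD5 99081566ff0b8e31ea1f702437a9360e
SHA1 de10623132f3dac16f4c6b7d35e4db4905b1a5e6
SHA256 e069275d9e36938bbd0f322bfd9288d7e74244274f000934e7917bc87b61cd4c
SHA512 59a7e989a7625300b8b59dc3179768725607e09e6b1a57a72c4bda281a16c7e94757af2a955311a6e04fdd76cba70d340437df39592a461f87f30109b67e377f

memory/2120-6-0x00007FF7F9FC0000-0x00007FF7FA311000-memory.dmp

memory/2748-12-0x00007FF778B60000-0x00007FF778EB1000-memory.dmp

C:\Windows\System\uJolzlY.exe

MD5 588cabc79193e5d2dda9c814c778b5ec
SHA1 7631a05ed48c24b67a230b3ada34c548dfe28f8f
SHA256 966de14d03ecc6db10658833abebfd04c366cdebd4d88da03883638c22955d7c
SHA512 f632b0960d132f542bc8449a5982950dd69fcc2e685aae7fd2da27af722197049afe80dd6e5b495e88c8f0934df34f15b9ffbb831cf7484176809286b4ea12f2
"""

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
MEM_RE = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
                    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(?P<algo>MD5|SHA1|SHA256|SHA512) (?P<hex>[0-9A-Fa-f]+)$")


def parse_files(text):
    """Return ({path: {algo: digest}}, [(pid, seq, start, end)]).

    A hash line belongs to the most recent path header; a memory line ends the
    current file record. Any other non-blank line is taken as a path header.
    """
    files, regions, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            regions.append((int(m["pid"]), int(m["seq"]),
                            int(m["start"], 16), int(m["end"], 16)))
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line!r}")
            files[current][m["algo"]] = m["hex"].lower()
            continue
        current = line
        files.setdefault(current, {})
    return files, regions


def digest_problems(files):
    """List files whose digests are missing or have the wrong number of hex digits."""
    problems = []
    for path, hashes in files.items():
        for algo, want in DIGEST_LEN.items():
            got = hashes.get(algo)
            if got is None:
                problems.append(f"{path}: missing {algo}")
            elif len(got) != want:
                problems.append(f"{path}: {algo} has {len(got)} hex digits, expected {want}")
    return problems


def region_sizes(regions):
    """(pid, seq, size in bytes) for every dumped region."""
    return [(pid, seq, end - start) for pid, seq, start, end in regions]


def pids_by_image_size(regions):
    """Group the PIDs whose dumped regions share a size; a size shared by the
    sample and all its children points at one image mapped many times."""
    by_size = defaultdict(set)
    for pid, _, start, end in regions:
        by_size[end - start].add(pid)
    return dict(by_size)


if __name__ == "__main__":
    files, regions = parse_files(FILES_EXCERPT)
    for problem in digest_problems(files) or ["all digests well-formed"]:
        print(problem)
    for pid, seq, size in region_sizes(regions):
        print(f"PID {pid:5d} region {seq:3d}: 0x{size:x} bytes")
    for size, pids in sorted(pids_by_image_size(regions).items()):
        print(f"0x{size:x}: {sorted(pids)}")
```

The same parser runs unchanged over the whole Files section of either detonation; the only difference between behavioral1 and behavioral2 is the address range (the 0x13Fxxxxxx images of the Windows 7 run versus the 0x7FFxxxxxxxxx images here), not the region size.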