Malware Analysis Report

2025-01-22 19:19

Sample ID: 240806-n54n9syclr
Target: 2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat
SHA256: aaeb92e3ec269fdda5b3500930acf618f19bf5d79489239a5be1abb5efc7ffc7
Tags: miner upx 0 xmrig cobaltstrike backdoor trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: aaeb92e3ec269fdda5b3500930acf618f19bf5d79489239a5be1abb5efc7ffc7
Threat Level: Known bad

The file 2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Tags: miner upx 0 xmrig cobaltstrike backdoor trojan

  Cobaltstrike
  xmrig
  Cobaltstrike family
  XMRig Miner payload
  Xmrig family
  Cobalt Strike reflective loader
  Executes dropped EXE
  Loads dropped DLL
  UPX packed file
  Drops file in Windows directory
  Unsigned PE
  Suspicious use of WriteProcessMemory
  Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-08-06 11:59

Signatures

Cobalt Strike reflective loader
  (no indicator details recorded: Description, Indicator, Process and Target are all N/A)

Cobaltstrike family
  Tags: cobaltstrike

XMRig Miner payload
  Tags: miner
  (no indicator details recorded)

Xmrig family
  Tags: xmrig

UPX packed file
  Tags: upx
  (no indicator details recorded)

Unsigned PE
  (no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-06 11:59
Reported: 2024-08-06 12:02
Platform: win7-20240708-en
Max time kernel: 142s
Max time network: 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader
  21 hits (no indicator details recorded: Description, Indicator, Process and Target are all N/A)

Cobaltstrike
  Tags: trojan backdoor cobaltstrike

xmrig
  Tags: miner xmrig

XMRig Miner payload
  Tags: miner
  54 hits (no indicator details recorded: Description, Indicator, Process and Target are all N/A)

Loads dropped DLL
  Process: C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe
  21 events (Description, Indicator and Target not recorded)

UPX packed file
  Tags: upx
  51 hits (no indicator details recorded: Description, Indicator, Process and Target are all N/A)

Drops file in Windows directory
  Process: C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe
  Description: File created (Target N/A for every row)
  Indicators:
    C:\Windows\System\SExJQGX.exe
    C:\Windows\System\fofhzGr.exe
    C:\Windows\System\YkRVgAK.exe
    C:\Windows\System\BeitdUX.exe
    C:\Windows\System\MIsNPbg.exe
    C:\Windows\System\SFZrIAU.exe
    C:\Windows\System\VKtGsdZ.exe
    C:\Windows\System\FctkfEU.exe
    C:\Windows\System\RMJkBih.exe
    C:\Windows\System\eOMHEWB.exe
    C:\Windows\System\txdRAcD.exe
    C:\Windows\System\obMTmDS.exe
    C:\Windows\System\kwlXzWj.exe
    C:\Windows\System\SnmwhRs.exe
    C:\Windows\System\jsaEjPm.exe
    C:\Windows\System\sRxnPHw.exe
    C:\Windows\System\WcgnomB.exe
    C:\Windows\System\SyoFojA.exe
    C:\Windows\System\IOBxvwE.exe
    C:\Windows\System\txOUaLf.exe
    C:\Windows\System\RukXppH.exe

Suspicious use of WriteProcessMemory
  Source process: C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe (PID 1724)
  Each target below was written to three times (three WriteProcessMemory events per child; Indicator N/A):
    PID 2404  C:\Windows\System\kwlXzWj.exe
    PID 1848  C:\Windows\System\IOBxvwE.exe
    PID 2068  C:\Windows\System\MIsNPbg.exe
    PID 2348  C:\Windows\System\SExJQGX.exe
    PID 1836  C:\Windows\System\SnmwhRs.exe
    PID 2984  C:\Windows\System\SFZrIAU.exe
    PID 2176  C:\Windows\System\VKtGsdZ.exe
    PID 2788  C:\Windows\System\fofhzGr.exe
    PID 1956  C:\Windows\System\jsaEjPm.exe
    PID 2808  C:\Windows\System\txOUaLf.exe
    PID 2684  C:\Windows\System\sRxnPHw.exe
    PID 3056  C:\Windows\System\FctkfEU.exe
    PID 1808  C:\Windows\System\WcgnomB.exe
    PID 1648  C:\Windows\System\SyoFojA.exe
    PID 1256  C:\Windows\System\RukXppH.exe
    PID 2824  C:\Windows\System\RMJkBih.exe
    PID 352   C:\Windows\System\eOMHEWB.exe
    PID 1952  C:\Windows\System\txdRAcD.exe
    PID 2864  C:\Windows\System\obMTmDS.exe
    PID 1600  C:\Windows\System\YkRVgAK.exe
    PID 1996  C:\Windows\System\BeitdUX.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe"

Child processes (each launched with its own path as the command line, no arguments):
  C:\Windows\System\kwlXzWj.exe
  C:\Windows\System\IOBxvwE.exe
  C:\Windows\System\MIsNPbg.exe
  C:\Windows\System\SExJQGX.exe
  C:\Windows\System\SnmwhRs.exe
  C:\Windows\System\SFZrIAU.exe
  C:\Windows\System\VKtGsdZ.exe
  C:\Windows\System\fofhzGr.exe
  C:\Windows\System\jsaEjPm.exe
  C:\Windows\System\txOUaLf.exe
  C:\Windows\System\sRxnPHw.exe
  C:\Windows\System\FctkfEU.exe
  C:\Windows\System\WcgnomB.exe
  C:\Windows\System\SyoFojA.exe
  C:\Windows\System\RukXppH.exe
  C:\Windows\System\RMJkBih.exe
  C:\Windows\System\eOMHEWB.exe
  C:\Windows\System\txdRAcD.exe
  C:\Windows\System\obMTmDS.exe
  C:\Windows\System\YkRVgAK.exe
  C:\Windows\System\BeitdUX.exe

Network

Country  Destination         Domain          Proto
DE       3.120.209.58:8080   (none recorded) tcp

The same destination appears in six identical connection records.

Files

memory/1724-0-0x000000013F310000-0x000000013F664000-memory.dmp

memory/1724-1-0x0000000001B20000-0x0000000001B30000-memory.dmp

\Windows\system\kwlXzWj.exe

MD5 b077c63916047bbf834397c4bee18690
SHA1 39179b8fbf0fef65ebee8c1bbd32e3ff8bbfe47d
SHA256 c7fb2409546aac0cae678debd97d33b2e6a7db228622e103ec33036d0ea92133
SHA512 85b628c96f7b49d238a4a054d33a549fbf0460c36213734cfab8649b3044c60f7084762d92c0e157b2283dba43a6720371186095cd19def3142f9eba2f413b74

\Windows\system\SnmwhRs.exe

MD5 6d2842244c407ddd62da1519406a72a3
SHA1 fb5ac52419866b7ee6ff6c98be7aea1b7c691c84
SHA256 785714788992af2946a497b9112fc3237bbb8f26ed7889fa210ba329996a788e
SHA512 10c7846c920d5b7e3e4d1602cf1affb9ceacfc9575e3d8369a58c71000cb6d34aade63a22c2b24067a8bef61b2405a00cdd4eab55d3095de2de1d7872a0595a1

memory/1724-8-0x00000000022A0000-0x00000000025F4000-memory.dmp

\Windows\system\SExJQGX.exe

MD5 bcdb0399f3df1a5e54876b55571a1b1e
SHA1 b9a0f838afc0e84cb3b6cad55f26b9f5067e8d2f
SHA256 8c45f2f4582f8decab5cce37528d590ceaf2f129674830c4b22af8f5bd7327a3
SHA512 39eae82aee544888ad8300a48039cb52be2f8e0bc8de0dbba0d4338e84ccf267dd0e13babb347ebc5e57b7da9191b489f699ce2c056d1e3d81fb3671cd7d7090

memory/2404-12-0x000000013F0D0000-0x000000013F424000-memory.dmp

C:\Windows\system\MIsNPbg.exe

MD5 61374f17c62690acad555dafba6853d1
SHA1 8d811092b0416e1ee6822a4ad444ddeccea1691c
SHA256 65b8e681b14fc870c326643c7c3b5a233d12b56bef228fc5fcb8c9d07526c5ee
SHA512 40cbd6b0a2e991f333f7e0aaedd15c202eacd933bd8d163e9080fd3c8392baae850996e63dc12cb151c878ea40e8d6251d1fb847b9d9cf3cfefdd8f09ace83c3

\Windows\system\IOBxvwE.exe

MD5 c9b4c10a7b1395ab884928d05e84d794
SHA1 839f1f4100a4b79eb1ea67ce5a034e78f2b41dc0
SHA256 72f6d33057ddbc8b40fcc2606f222c06f7270cd3053f983912ff8b030f9facb8
SHA512 dea7196aef058343aaa7dbc57dbd5935ff269cb0f1f25990e4b93adf1ca3450a4c113fde1e97dda181001d41a4ff6d45bf3f650f749f0eb09935b10f904eba9f

memory/2068-33-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/1848-36-0x000000013F6F0000-0x000000013FA44000-memory.dmp

\Windows\system\SFZrIAU.exe

MD5 d1e62d16277aa8ebb6134f03b1d0d548
SHA1 166ee3823c9811f528d26ac899a1732958193ef3
SHA256 ee53ec5838feb69984875b64796097c6273810c8551155e4bbbf83a665b802c0
SHA512 9812767719f0af91df1f483df8128809b846d1ea22cdaaa1eedbed2e7fdaee94775c45d0bcf915a53af178857abca8a64aa077beb8e705f82c437eaa234ea484

memory/1724-38-0x000000013FCE0000-0x0000000140034000-memory.dmp

memory/1724-35-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/1836-34-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2348-32-0x000000013F7B0000-0x000000013FB04000-memory.dmp

memory/1724-31-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2788-57-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

\Windows\system\txOUaLf.exe

MD5 0757507c12de75255842e15cf94fdbe6
SHA1 f030d6a0676a4702b718771ac5031d5eeff2ba48
SHA256 4f88934c870198928e78b46eeab057e0027ed4c85e1441c5e3093409031854dc
SHA512 31f36e81a1223be0e6a23cd2dd15935bf57812e0053bebe97f2f07218765f6cb617bc1646d17eed6161c8a3f274b62878e99067b898033306b8b990deaa20a6e

memory/2808-72-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

\Windows\system\FctkfEU.exe

MD5 a58bb251e72e1c9b3a05a35cf8a61c9c
SHA1 4fc6001e64e691f5a9461aa107447b578c0c2f4e
SHA256 9d088691d4fd5a1e38167d0246a88d38b6435aad23e05be0cf2e4ad70dcd752e
SHA512 b86df42bf520be8c186565603e7cccd93a9021029fa6c411fb63d05dcd0308a3afbb8471e4b1a47f94b2635f54ca01da17f89026c50df7f15570644cf722a5db

memory/3056-85-0x000000013F430000-0x000000013F784000-memory.dmp

C:\Windows\system\SyoFojA.exe

MD5 2753e10624764e4d381bc296f95a56e3
SHA1 7f8a2e5e550992d1d4a975e503e6e62336b753c8
SHA256 2a49217223a756c37477cea9ecbb21de9c195ba47ec3ccc8b12122fd0121bf48
SHA512 2de97f42f4d76b76facc2fde32ff07cbc97cd2a8ba1f386fb6af23475688c38c9b17726a8807ae444a548a957054ec8b980f88ece804a502fd928bed29703acf

\Windows\system\eOMHEWB.exe

MD5 dfc90b15e325138fa3b3f3059b18d4d0
SHA1 ccaf193ae3e3a6a5bb169919e65f4e0ca2baf395
SHA256 3171804cb4c4da1cc6c11b4bf893fea9b0e9fa0c1bb7707c38f9da974266ea6c
SHA512 9471b6c8f878e070d3252bf43f8a74343aca41aa3736de31da0311a992c6149f90f4046356f7c9e0b625208f14d1e172c241a70b701560c7109d6fcd506c0889

C:\Windows\system\RMJkBih.exe

MD5 a5f26c48053509f7492d4198cb9ac4b2
SHA1 6fde3a3ebfe76648579f6d29c3256fdbdd0d2b46
SHA256 566615b6fb26a467c0d82360692c8441612b6de12a16860f206387d2e881561f
SHA512 459c2cc9bfa850d58ca097092dba1df6a867ef43ee6f524d034a8772981262f81c5ac5f339f38fd74f0c17b9227df3d87115d676b64994fa039d28f2bc2899dc

\Windows\system\BeitdUX.exe

MD5 b611e2ba11240492148efa8d867b1a1f
SHA1 19d6eed3f58d093c3deff512f1a9e3b9d1437b82
SHA256 5bea161cf97ec0b8a3d122c503e203b7f5c751239566a61b061af88e250e00bb
SHA512 891e76c068e9d7f20768699b0701844703cdba8914c5cbdf305883a41530d4b1fee3a2758ce9ed7bba467edd7c30e4f7625a993f305fbce03d333fbf555c79b4

C:\Windows\system\YkRVgAK.exe

MD5 8a979be17ae1336fad4e8f1e9e33d8e6
SHA1 312c79f9bf393e126486ff443ef53034d45fffef
SHA256 573eb71dfdaaa27a7bdd6775a49383e778639fae3ccc15d5001f66b87690f53d
SHA512 32d05f54da7243ab95e56ffcf0f3eb2d7757a6045e404d1223dfec2d55ba985f41fe31380ba5cf1e020a82add7ce9571c439a55db00a0608ace1963d32cbe75e

C:\Windows\system\obMTmDS.exe

MD5 68b03f92ddeeb199522aee9a911c9559
SHA1 3c0960231ef993d1f8e3da6b64b42502bc2a102d
SHA256 335d1b151caba25f5edcd457c72ccaf5a70b7cc73e4d2e98e902e475be8eed84
SHA512 fe24d46bba2edb254c4ead8fed6b1f2f1c36619f642b9f41eab3905e2b953700a9e326e2b703929227e4d92d445130a49a6857f97ce19d6734c652cd23d20f7b

C:\Windows\system\txdRAcD.exe

MD5 d5bc41d227d93a5fd4be107ceb9bda65
SHA1 0b0712b6b3e5b27f4304528565208a8978d05ca1
SHA256 38b3191e57ca2d4fcecd3637acd3f0f4ae062a6dacc3bd8de748b7183f7db227
SHA512 c920f5e226a632f0a0c510ac362e078e5300c9399f6d28d886e4f70b53a344fab86d60fe63ab90e1fb9aca26cf68d2725a58d0249eb264829577d5c2a418cb74

C:\Windows\system\RukXppH.exe

MD5 8d0a30237663b29002c29aabe3a73af1
SHA1 42a79da21426aef4b0161fbaf683e0ff406d00fd
SHA256 81bd9744563a71a287cfc9be16091cc167b4446972de07ff485bec4b943ffdae
SHA512 d91ff480eba000a942a671200b16601462f6e8072ff8909a998d9b27472890cdea391bb281d32752e5c81f4fee66548e61f490e3acf4049f5716d4b1cc2bdb6d

memory/1724-101-0x00000000022A0000-0x00000000025F4000-memory.dmp

memory/1648-100-0x000000013F020000-0x000000013F374000-memory.dmp

memory/1724-99-0x00000000022A0000-0x00000000025F4000-memory.dmp

memory/1808-92-0x000000013FFF0000-0x0000000140344000-memory.dmp

memory/1724-91-0x000000013FFF0000-0x0000000140344000-memory.dmp

C:\Windows\system\WcgnomB.exe

MD5 82f6c343180dbea581bfd185c59eebd5
SHA1 e2d08b7971932111a8564c6ad9e50c992e4d5a28
SHA256 77acc30979e07ca6e2f6d049ecd9fe9351c49195b432e5ce231aa088ad493f77
SHA512 871f4fe3e3aa7e6639e52cad0adb02b861ca9de3462db5214fa0b229314e4ba798644d2bcb828372e0befc5659d6c688e18fac81c9d41363b95c1d4abae7a6af

memory/1724-80-0x00000000022A0000-0x00000000025F4000-memory.dmp

memory/2684-79-0x000000013F330000-0x000000013F684000-memory.dmp

memory/1724-71-0x000000013F310000-0x000000013F664000-memory.dmp

memory/1724-66-0x00000000022A0000-0x00000000025F4000-memory.dmp

C:\Windows\system\sRxnPHw.exe

MD5 7b7df619ce4dd6019233698960e47682
SHA1 6ffb67ed7fa6b168b5c47beee3081b167155ef9b
SHA256 8b3167f583e2ed3cc8a69dd98a4079f3170c8b12e82e7e2dbaf2411e17eb2e4c
SHA512 3b42d4d3fa855d06d757fb8deaa19aff84ba5cba9367bd7293f7fc3dce51384bfad2e1e3c0d0fcc1d926a89a547e4d730a847aaa301206e1aed6a1fd6013bb03

memory/1956-64-0x000000013F2B0000-0x000000013F604000-memory.dmp

memory/1724-63-0x00000000022A0000-0x00000000025F4000-memory.dmp

memory/1724-56-0x00000000022A0000-0x00000000025F4000-memory.dmp

C:\Windows\system\jsaEjPm.exe

MD5 4c3ce5c051f6a7cf9353a50fd74f4b1e
SHA1 b5044c4b830481e9f5932eff1dc7b47497a4ca80
SHA256 9985d7b50a5e76421c12a8ca85fc7d78cde70ec60ae0ba3007bb697846021ec7
SHA512 85696273fc4fc52306cf9aac63c8964eb8d787d8d61ec3dcd7a145673e7368b620938acd7dc3becf7f7f80e5a2e99f2df7e2a8fa2b440c418e6d2d8a197a72ec

C:\Windows\system\fofhzGr.exe

MD5 e0c7f9e02073c1d0928daaa71dde9f72
SHA1 d98fbcad3b36bd0a49f87dc69b9a6491f3220986
SHA256 db652b160ba3e24c1eda60a9ccd6631e78019f9dd59ff8a302828c5b4d199024
SHA512 1f2e0ec5365e0e28a53f8ad5baed7c1bdbd57f65e4f4df5465848bb4a87177fa9a6a79c4de18ae41a3a6254010e7410f09918b5a25dc9d383c6ddb356453e666

memory/2984-43-0x000000013FCE0000-0x0000000140034000-memory.dmp

memory/2176-50-0x000000013F020000-0x000000013F374000-memory.dmp

memory/1724-49-0x00000000022A0000-0x00000000025F4000-memory.dmp

C:\Windows\system\VKtGsdZ.exe

MD5 5aa3f82d0219a87fc831c877499a92b0
SHA1 cbe831acd878b2cc8e8b84206719e41cfd3d8875
SHA256 f7d2fd505a09869dfa85e14d673ea199754d55fab20fd9171e9531d0f19b01df
SHA512 5768501840121e8e5c5ec0bd5c1b6290126b8c56cb90ed86430c2407c4fd1f5324893db2fc0a7db4355f8f217eed1a3a5131430c46623de67cbc92fb32bd2ea6

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 11:59

Reported

2024-08-06 12:02

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\OcdMCCr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vEBkuOX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nUzycwP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fnqrkLa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qCIRIBJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sEjTlhQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iOjrDrn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UODfWio.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xvRlwIV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ddZTXpo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FYXdjQI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FDpaTmC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dkwzQrn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Vxvxxft.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\asxoIRj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QSVNsEj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nzTsgls.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uPSyarg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZAEfcWj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NXqQkfo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ohFCRwU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4560 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ohFCRwU.exe
PID 4560 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ohFCRwU.exe
PID 4560 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Vxvxxft.exe
PID 4560 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Vxvxxft.exe
PID 4560 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nzTsgls.exe
PID 4560 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nzTsgls.exe
PID 4560 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sEjTlhQ.exe
PID 4560 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sEjTlhQ.exe
PID 4560 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iOjrDrn.exe
PID 4560 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iOjrDrn.exe
PID 4560 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UODfWio.exe
PID 4560 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UODfWio.exe
PID 4560 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fnqrkLa.exe
PID 4560 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fnqrkLa.exe
PID 4560 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xvRlwIV.exe
PID 4560 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xvRlwIV.exe
PID 4560 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ddZTXpo.exe
PID 4560 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ddZTXpo.exe
PID 4560 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FYXdjQI.exe
PID 4560 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FYXdjQI.exe
PID 4560 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OcdMCCr.exe
PID 4560 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OcdMCCr.exe
PID 4560 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FDpaTmC.exe
PID 4560 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FDpaTmC.exe
PID 4560 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dkwzQrn.exe
PID 4560 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dkwzQrn.exe
PID 4560 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vEBkuOX.exe
PID 4560 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vEBkuOX.exe
PID 4560 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QSVNsEj.exe
PID 4560 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QSVNsEj.exe
PID 4560 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\asxoIRj.exe
PID 4560 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\asxoIRj.exe
PID 4560 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uPSyarg.exe
PID 4560 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uPSyarg.exe
PID 4560 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qCIRIBJ.exe
PID 4560 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qCIRIBJ.exe
PID 4560 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZAEfcWj.exe
PID 4560 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZAEfcWj.exe
PID 4560 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nUzycwP.exe
PID 4560 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nUzycwP.exe
PID 4560 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NXqQkfo.exe
PID 4560 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NXqQkfo.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\ohFCRwU.exe

C:\Windows\System\ohFCRwU.exe

C:\Windows\System\Vxvxxft.exe

C:\Windows\System\Vxvxxft.exe

C:\Windows\System\nzTsgls.exe

C:\Windows\System\nzTsgls.exe

C:\Windows\System\sEjTlhQ.exe

C:\Windows\System\sEjTlhQ.exe

C:\Windows\System\iOjrDrn.exe

C:\Windows\System\iOjrDrn.exe

C:\Windows\System\UODfWio.exe

C:\Windows\System\UODfWio.exe

C:\Windows\System\fnqrkLa.exe

C:\Windows\System\fnqrkLa.exe

C:\Windows\System\xvRlwIV.exe

C:\Windows\System\xvRlwIV.exe

C:\Windows\System\ddZTXpo.exe

C:\Windows\System\ddZTXpo.exe

C:\Windows\System\FYXdjQI.exe

C:\Windows\System\FYXdjQI.exe

C:\Windows\System\OcdMCCr.exe

C:\Windows\System\OcdMCCr.exe

C:\Windows\System\FDpaTmC.exe

C:\Windows\System\FDpaTmC.exe

C:\Windows\System\dkwzQrn.exe

C:\Windows\System\dkwzQrn.exe

C:\Windows\System\vEBkuOX.exe

C:\Windows\System\vEBkuOX.exe

C:\Windows\System\QSVNsEj.exe

C:\Windows\System\QSVNsEj.exe

C:\Windows\System\asxoIRj.exe

C:\Windows\System\asxoIRj.exe

C:\Windows\System\uPSyarg.exe

C:\Windows\System\uPSyarg.exe

C:\Windows\System\qCIRIBJ.exe

C:\Windows\System\qCIRIBJ.exe

C:\Windows\System\ZAEfcWj.exe

C:\Windows\System\ZAEfcWj.exe

C:\Windows\System\nUzycwP.exe

C:\Windows\System\nUzycwP.exe

C:\Windows\System\NXqQkfo.exe

C:\Windows\System\NXqQkfo.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/4560-0-0x00007FF6A1E30000-0x00007FF6A2184000-memory.dmp

memory/4560-1-0x000001DF9D340000-0x000001DF9D350000-memory.dmp

C:\Windows\System\ohFCRwU.exe

MD5 9242d7334153eeacfa5ddf0165e41e83
SHA1 ed3dc1f0f7f68ccb00a8c672c15fd3e00c942ebd
SHA256 2d18930236b0df202c6e01586c37869bac9d6f278dd3dcbad4e309b95beb67c4
SHA512 8910d021811bc890ac127fd2a7d79f0cc1c301e7879e5cb99528bedfd0c7f1aa350edfa051861084a111eadc0b9f7c851c491a5776c38de8b24f23c655052a79

memory/1508-6-0x00007FF6BDD30000-0x00007FF6BE084000-memory.dmp

C:\Windows\System\nzTsgls.exe

MD5 236be2cef6cc50f6a9d011c981399f6c
SHA1 e69150fdfd004c55d848bc5453b329b9736c0314
SHA256 47ba7c8918fd4f0b54a60bdf00e54629141fb73734b0e1adfd54c8e998bca042
SHA512 19072c0a36144f2f6236776461a25906ac5322ee0ee7bbc82eee2c9c3b746d3fd048be47b61bb3c5efd8b426f392d9435afbb3ad21937120218dd73612047864

C:\Windows\System\Vxvxxft.exe

MD5 47e6bf1ff77518216c264bd016aa0075
SHA1 6f7d852ec0a640be905cf5685554c8e1635895cd
SHA256 5a56269e2bd48ae5062f5d8f5d247631dd9d83f01826e970da927855bc9c3421
SHA512 e51574914e1d30217067c25acaf5b8161de45f41f99fc98f16bd191ce773e1ce579798c89ef8f653b352845f3db5782b86aae15a85ee88f83c99e69987cc6863

memory/1308-14-0x00007FF7B20E0000-0x00007FF7B2434000-memory.dmp

memory/3016-20-0x00007FF77EED0000-0x00007FF77F224000-memory.dmp

C:\Windows\System\sEjTlhQ.exe

MD5 6b2de3396f11b61a3c00521dcffe3807
SHA1 89d0cab4ffac08fec82e488608c0b14c72556f36
SHA256 c3cf61653a843ab3add70710fe77d6f11c01e4a43409bf08c8f22186238b6740
SHA512 720c7054eaf06563d488f0ab10ec34275d05e8291073824c874ab3188da95c4ae5cef20e6b669d1596c35e46a9dc7aba32f9b3a3a11d6fa7a7005595ac87f4d0

C:\Windows\System\iOjrDrn.exe

MD5 443eaf10338d31ac8c9638404604533b
SHA1 c7a4942da504f346b6544647b3a6b438aa980d07
SHA256 1c88b98d0c0df0c70e5f46968c4793333cd1f2cf2e32e247945dae15c8dc6e6e
SHA512 0db37dadf07ced148c9566d96e465278313524721039702b24ff0783df9b51f1d47a62e55ffaadc251347cb91df63056a1aedfc202dfa4a25a591b1460260eec

memory/2220-26-0x00007FF6E30E0000-0x00007FF6E3434000-memory.dmp

C:\Windows\System\UODfWio.exe

MD5 5bd8a8563df95bda5c9b3ec1716ef2c6
SHA1 61afc98fa711d0be9e1be07ed38bc22da7a914ef
SHA256 1c4649974366696642cc5a587baea2a794d0b5196b7e570a4a17754ab3583b2f
SHA512 f31ebf0a8a74cfc99754359daf7da577d05aaf68319f67daa8cc757925c6fe85b433c8378622af81788db7b21c5a01734b8f6f4f436d92fdd1f023197e18b709

C:\Windows\System\fnqrkLa.exe

MD5 535129b9d3cc4b502ff4a04fbb360b7c
SHA1 7e264ccd091b160bae6a30c05ae6170997510f3b
SHA256 838fb954a5d0093bbe37f39ab215526b738bfa0957eb279b734e781fbb0645fe
SHA512 c18a0484a3a96390e95b99bec1c235633eaed4b022999fad5ae5447f21f30cbaf8c89e2b5167a6b99c87f05f5c0244c785ca4cc43b4a687c9a087aad7fb3b374

C:\Windows\System\xvRlwIV.exe

MD5 88310f6835f2c59f2f6b3510d6ee8275
SHA1 480a59090443b7d98bf40568dc2d36236dbc42f4
SHA256 f386996513c5494866ccc52a0104dad0f5f46e973dddc71b7b4a6c7d19ccbba0
SHA512 8ea3971bb983b645c9c08f85f318b27717c537dcaeeede1c65b0e6e5588fae90c0d7f857c697d766ceda57e291e0043e7b4bc0c6e9204a47e6b832b2058aeb27

C:\Windows\System\FYXdjQI.exe

MD5 cbbe942b444b3875b00c44cec614370f
SHA1 94dfb76ef75294bdbfd7de946823d150c8a96d74
SHA256 a745e3204d66cf57bd6c294a06dac6c79e92d266da0e595368aa3ba6a0790533
SHA512 0de0d630fd13ff016f910a9effb6ec88d040e7386d2b24223252acbdf2bb26395071f2c4a680aa59f4ecd3ea24046f5c38ccdcf7d842f5d36262ead92d8c8c95

memory/4796-58-0x00007FF791F90000-0x00007FF7922E4000-memory.dmp

C:\Windows\System\FDpaTmC.exe

MD5 1c9cd85fdca8f64533d451429acb4111
SHA1 23db6830c86fa7c934bc836e907afc6211e9cd95
SHA256 859dd468d177628e3c47a40984d209807e69830c99084ef17b61e0145979a974
SHA512 facc28bdf078a88008bed6a490a975413055891d581558ac5796c34bf28435ea40276ccb8cc5edef5c1a5e520240527a707e35cad0461f0332d34bde17c8c0cd

memory/1508-77-0x00007FF6BDD30000-0x00007FF6BE084000-memory.dmp

C:\Windows\System\dkwzQrn.exe

MD5 c8df9717d0f17ef43c7bb77e853f006f
SHA1 1ca9e8a599fa5936f62e605e9708da015b2680ab
SHA256 b04409ee3e1ac0497b158070b997ae78d841734c25f0af9f376280dcb1b84590
SHA512 42705394dff6a05eb09e38610e3e1fd404e53a5d4a7c5ee09d5629e9c5bb121268f7df5f0a71d5ad263906bf530728033e5bd641ed19012a1635b6eaadebb886

memory/764-80-0x00007FF62B870000-0x00007FF62BBC4000-memory.dmp

memory/4964-76-0x00007FF756880000-0x00007FF756BD4000-memory.dmp

memory/812-74-0x00007FF6826D0000-0x00007FF682A24000-memory.dmp

memory/4560-73-0x00007FF6A1E30000-0x00007FF6A2184000-memory.dmp

C:\Windows\System\ddZTXpo.exe

MD5 719da2687fb2bf419f5d0e84d76bd1b3
SHA1 549597dc88c79d490da98944e167e927836a0ecd
SHA256 50562fb5bb40db192e819edbc624858844d1b86d88938479307c4818372b5225
SHA512 a52582bfcd105a02683b40b075b1d54509d74b0dc48f0a2ca659ed8310cf4034ce3e828e31361b4c4e489919ebfbdc8c3ca7b8577184b811ac06b1e4326bb8e0

C:\Windows\System\OcdMCCr.exe

MD5 487be1f6aa69aa625e158d2532a8df98
SHA1 70a0e7e20ace4133e4c8967bdcdf8875de78ba09
SHA256 66c4fdcf4c09e07867c30ebe4a92b6dd48fe020a29b1fc63071b8f72454f3eee
SHA512 77e069401f1af78f6e79f42d499480e86019e4ec9c0d04282781c4137b2677bd12be803f089bc275c974a69b21c6b9c9a757b1cd727ecbfb204115eecabb3c66

memory/1928-55-0x00007FF66C480000-0x00007FF66C7D4000-memory.dmp

memory/1064-54-0x00007FF7F22E0000-0x00007FF7F2634000-memory.dmp

memory/2256-46-0x00007FF6F4570000-0x00007FF6F48C4000-memory.dmp

memory/5064-41-0x00007FF6B2260000-0x00007FF6B25B4000-memory.dmp

memory/4812-32-0x00007FF62E660000-0x00007FF62E9B4000-memory.dmp

C:\Windows\System\vEBkuOX.exe

MD5 56007edcbb761e90858f733004640e06
SHA1 bac4479596a5279baca6e33643cc32cee772022f
SHA256 21dc82de43bd5003780e080dcd346efe5c3b87e49e4c963e223eaeadbf1c0044
SHA512 3484388b5e1c7fb6d9a0ec8c970b14899d1e98edf27413a409199156e2c11b6362ca94c4182624ba1fe40724e3d504a5c55a736a34a471f0a5713727a7a5ab3c

memory/3016-91-0x00007FF77EED0000-0x00007FF77F224000-memory.dmp

memory/3028-98-0x00007FF7339C0000-0x00007FF733D14000-memory.dmp

memory/1112-107-0x00007FF69D2B0000-0x00007FF69D604000-memory.dmp

C:\Windows\System\qCIRIBJ.exe

MD5 8c0949e797d4733488df1e1df3ad9e9a
SHA1 0d594cda7be66225747ba4457e9ea567e34316c4
SHA256 01715c3fd9a9022d7a47dc650eb5e2e5f0112fabd35a82d89a885b897710646a
SHA512 66844bbaa59d958ee1939624040054e931873c6f73c32baac74aac84235c6857ca245d254ba38bb7ba77c4f3f1d204a9ea0160687598ad82ee0baeb5b01b930e

C:\Windows\System\ZAEfcWj.exe

MD5 f4c45f579cf33e137ae9a881836d79e1
SHA1 37fd374f98f69be505511d3017a469a491dd6ef8
SHA256 246da814c0c89077b0568d5316ba4a9f1de899179f878eac8b25f738fb5795ad
SHA512 0d777b1c2dadaad124dc639e167be2985c33744474158453aef02b7996ad5df298b2623b05b565f5976008f8516815cc9fc0d1628cf7a8dae65f4388d7a4b7a5

memory/4076-118-0x00007FF69BFB0000-0x00007FF69C304000-memory.dmp

memory/1928-117-0x00007FF66C480000-0x00007FF66C7D4000-memory.dmp

memory/1064-111-0x00007FF7F22E0000-0x00007FF7F2634000-memory.dmp

C:\Windows\System\uPSyarg.exe

MD5 3196b09d7b0b404564e151ff3e27586e
SHA1 77eba251f10dd2fd125890fb340026e690f08e0a
SHA256 6341ed6a4257fa5885894a8c842cd08b82370fbda47c7751dc006261485a45bb
SHA512 c2e765ec4d68940113fca371ac393f62f8c64967775b9f3345b0b675c356ecfdefc306999e6e17ff17cf8bdce0f2af39b9c1e53e66bcab31e14bc2751158fc68

memory/2256-106-0x00007FF6F4570000-0x00007FF6F48C4000-memory.dmp

memory/4812-104-0x00007FF62E660000-0x00007FF62E9B4000-memory.dmp

C:\Windows\System\asxoIRj.exe

MD5 a4bcac3f0c44ba25cfb3c83e172a3e3b
SHA1 b66dc31a92d82da505c96ecf4a9a48701a3eca8e
SHA256 6f08d42ce93b26e1bd0850d8b3e8570eebf93f7649a2fe64cf9fc18efa664d78
SHA512 94fdea3cfc646bf951547414f77aa283d5443649c73ad0fd29c38cc2e27de41c0d1b612efbc40e7b22f1a8ec0214d32dd94b65ca628f7ad8ca61f430a9464ee6

memory/4676-101-0x00007FF624F40000-0x00007FF625294000-memory.dmp

memory/228-93-0x00007FF7F9B90000-0x00007FF7F9EE4000-memory.dmp

C:\Windows\System\QSVNsEj.exe

MD5 bd03df8c383ab49bbff63b91d511d5f5
SHA1 bf16405176a425458a6dd5adb3385e2495dc70e9
SHA256 ea01c63d32a7b8867d3e3da8fc79aedd4b0febaa0a200142806f7894a7cb64a6
SHA512 f6b6af1fbc510064f95030512f68c9f370f3ce2963e8c014341a0e9993a06938f096693db596085aa6712e9d71b8166931c6e1300e7bfc3e38a1d285dce8f2f9

C:\Windows\System\nUzycwP.exe

MD5 4f4dfc5282b60f2da299b3f666cf36c5
SHA1 2039beb7927bc15c287cdc883ab02070237a893e
SHA256 a6e15def425552829ad5a35b909f7dc199bc7fa8326e8c8cfe9f0a681552f39a
SHA512 993268ba0b3a798958f77a0ed13f32927ea9863c8c961da9821e915ce633a755c76ce2c67a6547cd631e61af425688810cb7e5f1dc078dae1f3f0ae20752d98b

C:\Windows\System\NXqQkfo.exe

MD5 f39f3deb14b2bbc01bc24877ba5efc0f
SHA1 3ce3f1413952ae2bc52bae75874b68b81c3cc264
SHA256 f915b01c8bdbba43a63fd7dea5d3550faec220a4209802006f4cd2bb5be1e4a4
SHA512 7ed7541544b2382c0c2d4f90f5e8992afd0b4a5ab11c8ced5722a9315c3da76a9c05628b6ebdc4814c50de913ae9cdd7ba2e538bb3b8f7fcc5ec8d12b93f1a67
