Malware Analysis Report

2025-01-22 19:22

Sample ID 240806-nn244sxhjp
Target 2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat
SHA256 25eaf9a351b758af2055556819802cebb4f4c8b3936d6e53b68c89c6414c86a4
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

25eaf9a351b758af2055556819802cebb4f4c8b3936d6e53b68c89c6414c86a4

Threat Level: Known bad

The file 2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobaltstrike

Cobalt Strike reflective loader

Cobaltstrike family

Xmrig family

xmrig

XMRig Miner payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 11:33

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 11:33

Reported

2024-08-06 11:35

Platform

win7-20240705-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\LKCPouu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XifonPN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mSeyPxD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aMMjElo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\APpLIqy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lxOJTIJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TlLUBzA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zJWCOGA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lmMOQXp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dlfeCPN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YpvIXvl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sKwfMnR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mvxBmMx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cHeyWzz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ggtifjM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cvoEuVF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SixYAxL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wqGCkgl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EgoLbgk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aCDOwzU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XjDsMQv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2088 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cHeyWzz.exe
PID 2088 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ggtifjM.exe
PID 2088 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EgoLbgk.exe
PID 2088 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zJWCOGA.exe
PID 2088 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XifonPN.exe
PID 2088 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lmMOQXp.exe
PID 2088 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aCDOwzU.exe
PID 2088 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dlfeCPN.exe
PID 2088 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XjDsMQv.exe
PID 2088 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cvoEuVF.exe
PID 2088 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YpvIXvl.exe
PID 2088 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\APpLIqy.exe
PID 2088 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SixYAxL.exe
PID 2088 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sKwfMnR.exe
PID 2088 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lxOJTIJ.exe
PID 2088 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mvxBmMx.exe
PID 2088 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wqGCkgl.exe
PID 2088 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mSeyPxD.exe
PID 2088 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aMMjElo.exe
PID 2088 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LKCPouu.exe
PID 2088 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TlLUBzA.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\cHeyWzz.exe

C:\Windows\System\cHeyWzz.exe

C:\Windows\System\ggtifjM.exe

C:\Windows\System\ggtifjM.exe

C:\Windows\System\EgoLbgk.exe

C:\Windows\System\EgoLbgk.exe

C:\Windows\System\zJWCOGA.exe

C:\Windows\System\zJWCOGA.exe

C:\Windows\System\XifonPN.exe

C:\Windows\System\XifonPN.exe

C:\Windows\System\lmMOQXp.exe

C:\Windows\System\lmMOQXp.exe

C:\Windows\System\aCDOwzU.exe

C:\Windows\System\aCDOwzU.exe

C:\Windows\System\dlfeCPN.exe

C:\Windows\System\dlfeCPN.exe

C:\Windows\System\XjDsMQv.exe

C:\Windows\System\XjDsMQv.exe

C:\Windows\System\cvoEuVF.exe

C:\Windows\System\cvoEuVF.exe

C:\Windows\System\YpvIXvl.exe

C:\Windows\System\YpvIXvl.exe

C:\Windows\System\APpLIqy.exe

C:\Windows\System\APpLIqy.exe

C:\Windows\System\SixYAxL.exe

C:\Windows\System\SixYAxL.exe

C:\Windows\System\sKwfMnR.exe

C:\Windows\System\sKwfMnR.exe

C:\Windows\System\lxOJTIJ.exe

C:\Windows\System\lxOJTIJ.exe

C:\Windows\System\mvxBmMx.exe

C:\Windows\System\mvxBmMx.exe

C:\Windows\System\wqGCkgl.exe

C:\Windows\System\wqGCkgl.exe

C:\Windows\System\mSeyPxD.exe

C:\Windows\System\mSeyPxD.exe

C:\Windows\System\aMMjElo.exe

C:\Windows\System\aMMjElo.exe

C:\Windows\System\LKCPouu.exe

C:\Windows\System\LKCPouu.exe

C:\Windows\System\TlLUBzA.exe

C:\Windows\System\TlLUBzA.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2740-153-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/2756-154-0x000000013F540000-0x000000013F894000-memory.dmp

memory/2672-155-0x000000013F1C0000-0x000000013F514000-memory.dmp

memory/2596-157-0x000000013F7B0000-0x000000013FB04000-memory.dmp

memory/2156-156-0x000000013F350000-0x000000013F6A4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 11:33

Reported

2024-08-06 11:35

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 rows, no per-hit details recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 rows, no per-hit details recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 rows, no per-hit details recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\mSeyPxD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LKCPouu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TlLUBzA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YpvIXvl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\APpLIqy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SixYAxL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sKwfMnR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lmMOQXp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aCDOwzU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lxOJTIJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mvxBmMx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cHeyWzz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ggtifjM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zJWCOGA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XifonPN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EgoLbgk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dlfeCPN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cvoEuVF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XjDsMQv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wqGCkgl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aMMjElo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4948 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cHeyWzz.exe
PID 4948 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cHeyWzz.exe
PID 4948 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ggtifjM.exe
PID 4948 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ggtifjM.exe
PID 4948 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EgoLbgk.exe
PID 4948 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EgoLbgk.exe
PID 4948 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zJWCOGA.exe
PID 4948 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zJWCOGA.exe
PID 4948 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XifonPN.exe
PID 4948 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XifonPN.exe
PID 4948 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lmMOQXp.exe
PID 4948 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lmMOQXp.exe
PID 4948 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aCDOwzU.exe
PID 4948 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aCDOwzU.exe
PID 4948 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dlfeCPN.exe
PID 4948 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dlfeCPN.exe
PID 4948 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XjDsMQv.exe
PID 4948 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XjDsMQv.exe
PID 4948 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cvoEuVF.exe
PID 4948 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cvoEuVF.exe
PID 4948 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YpvIXvl.exe
PID 4948 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YpvIXvl.exe
PID 4948 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\APpLIqy.exe
PID 4948 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\APpLIqy.exe
PID 4948 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SixYAxL.exe
PID 4948 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SixYAxL.exe
PID 4948 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sKwfMnR.exe
PID 4948 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sKwfMnR.exe
PID 4948 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lxOJTIJ.exe
PID 4948 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lxOJTIJ.exe
PID 4948 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mvxBmMx.exe
PID 4948 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mvxBmMx.exe
PID 4948 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wqGCkgl.exe
PID 4948 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wqGCkgl.exe
PID 4948 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mSeyPxD.exe
PID 4948 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mSeyPxD.exe
PID 4948 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aMMjElo.exe
PID 4948 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aMMjElo.exe
PID 4948 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LKCPouu.exe
PID 4948 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LKCPouu.exe
PID 4948 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TlLUBzA.exe
PID 4948 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TlLUBzA.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\cHeyWzz.exe

C:\Windows\System\cHeyWzz.exe

C:\Windows\System\ggtifjM.exe

C:\Windows\System\ggtifjM.exe

C:\Windows\System\EgoLbgk.exe

C:\Windows\System\EgoLbgk.exe

C:\Windows\System\zJWCOGA.exe

C:\Windows\System\zJWCOGA.exe

C:\Windows\System\XifonPN.exe

C:\Windows\System\XifonPN.exe

C:\Windows\System\lmMOQXp.exe

C:\Windows\System\lmMOQXp.exe

C:\Windows\System\aCDOwzU.exe

C:\Windows\System\aCDOwzU.exe

C:\Windows\System\dlfeCPN.exe

C:\Windows\System\dlfeCPN.exe

C:\Windows\System\XjDsMQv.exe

C:\Windows\System\XjDsMQv.exe

C:\Windows\System\cvoEuVF.exe

C:\Windows\System\cvoEuVF.exe

C:\Windows\System\YpvIXvl.exe

C:\Windows\System\YpvIXvl.exe

C:\Windows\System\APpLIqy.exe

C:\Windows\System\APpLIqy.exe

C:\Windows\System\SixYAxL.exe

C:\Windows\System\SixYAxL.exe

C:\Windows\System\sKwfMnR.exe

C:\Windows\System\sKwfMnR.exe

C:\Windows\System\lxOJTIJ.exe

C:\Windows\System\lxOJTIJ.exe

C:\Windows\System\mvxBmMx.exe

C:\Windows\System\mvxBmMx.exe

C:\Windows\System\wqGCkgl.exe

C:\Windows\System\wqGCkgl.exe

C:\Windows\System\mSeyPxD.exe

C:\Windows\System\mSeyPxD.exe

C:\Windows\System\aMMjElo.exe

C:\Windows\System\aMMjElo.exe

C:\Windows\System\LKCPouu.exe

C:\Windows\System\LKCPouu.exe

C:\Windows\System\TlLUBzA.exe

C:\Windows\System\TlLUBzA.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/4948-0-0x00007FF740410000-0x00007FF740764000-memory.dmp

memory/4948-1-0x000001C7C38D0000-0x000001C7C38E0000-memory.dmp

C:\Windows\System\cHeyWzz.exe

MD5 eb8a70fb699d85e8cbe3769c63f6e1f6
SHA1 18c44a325794292c71539ee0da2f59068b1c4ea0
SHA256 fc4a7919b51dcfe20d742fba1e644b86825db80d2697cd1f1b126945e56328df
SHA512 ac50ac49bea1e9e715428351297be0770bcc3df8d717a5027b1998deb5de3e6d7fa398af576a235428b557b297a7c75d877118dd7b0f411f5b2bbb51d34eb63e

C:\Windows\System\ggtifjM.exe

MD5 7580f94b49a61f91cccc27960f7a587b
SHA1 dc77376aa6522ec8e27498b2282db5e3464a2d93
SHA256 192bf856ede3968df19cfef653355f5655cb7259a86259717723bd0c3db63a64
SHA512 5855ed2aeb10214be0eb4302ad7009af35110b8a43fbacfd6cebec2049ae930d9a987ea46f0640eb754feaafde8a1ff12285a605c74f196c9eb294eb8d3e6dfd

C:\Windows\System\EgoLbgk.exe

MD5 64813827cd7d3d8c4f197683469b3091
SHA1 7f6811520b5a3f5dcfe7d092a939dd6b723c388b
SHA256 a2d514a7e0797592e0bac493a6333077838813af7d3dea3792f264688b431257
SHA512 b1a947701e6266aa9af22a63c880ab748459384e567082f537d741e7e54efa265d70c52b2430b9dc8c792d2bab8334841d16ee05a433d285f1dce5da9e22f1d3

C:\Windows\System\zJWCOGA.exe

MD5 c1040430d5d0a6c6cd770168bdad3ac2
SHA1 bf99c1fdaa375a4959aa0d42bf67bcbc05d51ec8
SHA256 12267479459a49223e63987876cc39a4f1e88f4e1c439ae1a342e91d53a7860f
SHA512 3f33593bf8854d7d3067c292d7ca69847b1dbe7576f0229403ce5750738989d0b7057d92985b9973d1b851119a1728587cffe8f1cedd5619cc8126e3e310bd28

C:\Windows\System\XifonPN.exe

MD5 5cb6d507b01f74229b11ae7a4af0c11f
SHA1 4b6f4ab4d84fae14b3e423f8fe71008d4fcdff9a
SHA256 e93fc9cdcb426011cfb8b236f742054ac71253def9b47d261b4c9d681adb578e
SHA512 098e5cb34d5388ee4705dc0c3673b747e93b2d8598debc926e65f00a0d5c841fdfe2eba831f97082def6d0b6795b42695a79fe86f793e3f48a74cb6a78160b84

C:\Windows\System\aCDOwzU.exe

MD5 a54456fc9076dc3243c77c7641a54852
SHA1 295add3ffd643e63723761cf6d8d109396e22d57
SHA256 40e1a10d75c85651511af0b17c9708bb3bc17d360b14a2b419706e453116d15d
SHA512 3b220a9e6176f32a527b1cb2ed267425f060eef7da8a4c29ca5cf19ac503f7f8b5fe97c7c2ad0ff3fe54775f41288527482d9de4a8386457eb6af101638a8308

C:\Windows\System\XjDsMQv.exe

MD5 5133fb8c34e8ae71893401b02c73bee4
SHA1 02e9ce13fc5cdea61d3885fc361e4303d2608777
SHA256 4961e606756a39bb4b0ebd1ea2a08b116880258a1ceba7d01e404f723d9d60b5
SHA512 8eb15d00eddce6a9262fb3c2e637207f2670ccac1b07ed85b7a9e09f4810053ffdf77dbe47f4eed52d6a9a96b653f07fa8d20c6004b314bdfb9252df3654c611

C:\Windows\System\lmMOQXp.exe

MD5 012c8393ad1d4c23ede73a70b6106989
SHA1 3a056f76b76835ca413348861037af3670e583c1
SHA256 895667709e1905fd0293614140502fef2404281eff09f96ba624f36d385a58e2
SHA512 b803fa4d8d7502c9b7aecbd8231caf0f64e1304a52a7245fa77b68e24f330ac3a7247249d436d243768d8ff0c25c3fccd2be25a0974e95f006b4c73a8dfd9f9d

C:\Windows\System\YpvIXvl.exe

MD5 a45a788b4aad1b7d0d2b87c2dadfcb37
SHA1 795292f99e7f94c975ca3bd1e01cb4f2143c36c3
SHA256 a463439c1e8be7d8d3a25663c1ce640ebedf70fc2efb95649e8a6f68a7cf3497
SHA512 651c5a453bdefc75e102e84108fc9bbf71a8bcf8c31db2f56762354f57bd4543af0e3411e938e544f963f6c0d086c1f3fac1e024fd1aadad85e588e34295e993

C:\Windows\System\APpLIqy.exe

MD5 446e40ec33dfb73078d5d7d2ab13c454
SHA1 2af2e1fff0cdc80e026c238db8623e82edb10d6e
SHA256 2ad1105d4731e11a34723141675436076a2f5fdc1cda3dc3f4e903f30d219f4f
SHA512 da93fdbfa19c679173d0f7c7cd1a3d7d01705eda6462a053a43563d09826f0df81e3f30090418edb130db220cc0d00bfdd2e1802eb811b64924d1199bab57543

C:\Windows\System\lxOJTIJ.exe

MD5 e60b3279a564a2e200e7b32b9ae5fc14
SHA1 a583dfb21c55bcf4bb09e46e4dcff5ab7928c29e
SHA256 12dd63e7647c0ac755d027c43b23514e06008ce0207144013087efa53b2cc739
SHA512 7f314023f729e6ab457653540ae2d25367bc5a7ea3912b2f5bd4013eef06c400bdbc86713d6d5a7a5119cfb880b042c0578ffdbb2e78f85f204fc13931c65c33

memory/2168-86-0x00007FF791970000-0x00007FF791CC4000-memory.dmp

memory/3064-98-0x00007FF7057E0000-0x00007FF705B34000-memory.dmp

memory/3280-101-0x00007FF6854F0000-0x00007FF685844000-memory.dmp

memory/3880-104-0x00007FF7347D0000-0x00007FF734B24000-memory.dmp

memory/208-103-0x00007FF66ECB0000-0x00007FF66F004000-memory.dmp

memory/3472-102-0x00007FF664B90000-0x00007FF664EE4000-memory.dmp

memory/1528-100-0x00007FF7409E0000-0x00007FF740D34000-memory.dmp

memory/1664-99-0x00007FF741D80000-0x00007FF7420D4000-memory.dmp

C:\Windows\System\wqGCkgl.exe

MD5 1f95e8542f37e951ceff381548678878
SHA1 39ddf94f97f4cb0ba9cecd71248699475f566d2e
SHA256 2bac7be8c8a344b396b6aace55dbd5d34d9fa013ba0d269f7ca9a7e7f3a990df
SHA512 26eaad2b5a7a4eb7d7e74b81fabe04b9c736079464fd1909828297cca778457682ff3272ceede14bc6edd965da67466044879c6064ef715de0ed81bb4ff01993

C:\Windows\System\mvxBmMx.exe

MD5 053bbb24a84c5999219cc922ac16377d
SHA1 8301a205de36599d08632a0e4d3eb2f9df55c50e
SHA256 1dea3713273e76d833b5968a63ceec454d124941087b9b39ae043c2d8b5e6b38
SHA512 63b79d717b87453682b5b5469e24d2638d0150125b9e59d9b5e56940d5789b0c65448c8bcee5dc431148fe10be08fa5b97e4d8304626a15c1632da2cf54ec53e

memory/3728-93-0x00007FF7E4F50000-0x00007FF7E52A4000-memory.dmp

C:\Windows\System\sKwfMnR.exe

MD5 7332f4b1089c24dc4b740d58d5a81cd0
SHA1 f90f3b2bddc3fc30eb247e4f2635bd8294a3bb04
SHA256 4f3b7d125d9a3277f1de589aafd695b13caacd70b7f254da5d3b77c577df81ce
SHA512 2c1bb9525b60217a5c5b8b57a083c74835ac09b0e5778f13a430ec984318c4a974f24c56412a09f5f1f238b2e7791753f98fb07f10b34c4781e8ea671b67359a

memory/3764-83-0x00007FF690920000-0x00007FF690C74000-memory.dmp

C:\Windows\System\SixYAxL.exe

MD5 fbef7d3462d9a83caa9ec5aa146c6aa0
SHA1 4b0fc8f30be0f47e42f9b1eb91ce0860d8f56fc9
SHA256 f6a37a7b06caf40263b0c8f996957c82fac3335185dbc1d0b4c8b80444eb363b
SHA512 51e48f5210552ad25deb9bb7fa6c148faf94f71a31f9860ad8c1c5dbdefbac371b26374f0ecff67ea5f181e4d800a97b8f00be2cec7f11bb36bb128ff4015e71

memory/3580-76-0x00007FF638710000-0x00007FF638A64000-memory.dmp

memory/2336-72-0x00007FF7B92E0000-0x00007FF7B9634000-memory.dmp

C:\Windows\System\cvoEuVF.exe

MD5 b6f8fffd07d8bb3aede94367b79b6e90
SHA1 37d2ec92a09e918309c7ff6ab4dd50f904e971f4
SHA256 21667025d5593bd673b4b7ca6f244ddc8609753310d002ddcbbbbf39cfef0d90
SHA512 ba5b784fe2407d30a6ccb7ba5a49a8ae261999906a760d1892ad23da2fa8435c5a65cb209d29f9d2979f875e73f2fa4b5a79592acc8ddd6df62173c44d386360

C:\Windows\System\dlfeCPN.exe

MD5 86d25cd84d97fb1f4462f006d0f20bd3
SHA1 6747ecd26fbe2f266e1d2589e6030e041c98e7bc
SHA256 523a0705b3f00e2c1bc49303b96f4731e10cb4ca4f267e2bdd2a53e482e91793
SHA512 d21e51ae8e94ded0f7aaf22c228e24122ed3598839d51f3f9ddc951611ae2f2a9c2c29b90bf6449f805cb6f42bb3dd87de82f1ebed4e47c584da494714c3e42a

memory/4788-42-0x00007FF78BAC0000-0x00007FF78BE14000-memory.dmp

memory/4600-32-0x00007FF60EFE0000-0x00007FF60F334000-memory.dmp

memory/4664-24-0x00007FF6656E0000-0x00007FF665A34000-memory.dmp

memory/4796-12-0x00007FF7D6150000-0x00007FF7D64A4000-memory.dmp

memory/3760-7-0x00007FF7D2A80000-0x00007FF7D2DD4000-memory.dmp

C:\Windows\System\mSeyPxD.exe

MD5 233706f260a580713a1838a124b66666
SHA1 4053a34db31f3e3a07638e46486c95cfaed13614
SHA256 801519c1ba1fd9a92ae6d9b4b7ab58ba6f4526e25e274aba9c39bde88a362886
SHA512 3aaa465ac9fdaa094789a7fdbc6ba2b957a9838944af20ca063c718ed36c7bc1b29ecf9236ae31a39e2ccd1ad6fc37cb45e63d49325cbaae3d324039d8f47832

memory/3640-108-0x00007FF711A80000-0x00007FF711DD4000-memory.dmp

C:\Windows\System\aMMjElo.exe

MD5 7268b36f572ccc72d7e94975edb02441
SHA1 97c90709e8d6f99b7c1e3bef4f98641de8bdc35b
SHA256 ac5498529541a512f1372f0799d445730ed7df0bcfea9a59e789328b52ddf2bf
SHA512 c5a741bdfe21053ac031c66939cbeca7fba9d7d4dc2b28aa0654e02a83759784e71e4a779fd883410137fd16d10dfbe2908942c2e2993218c8ed9d4ee23a8409

memory/1692-114-0x00007FF612E00000-0x00007FF613154000-memory.dmp

C:\Windows\System\LKCPouu.exe

MD5 f17a627699a351f14b4b160fcd85e207
SHA1 5636d46444aa5e09457e6481df840de966f0e13c
SHA256 5369dc8bd93bcef0d2a7cf521db8a3c75f7fbc2226fbe5dfc02d0065e87830b6
SHA512 a23f154253f8a9e182ab572857430203becc7c8331b5579ed5c452b538c8c1225cbb12f4f033689ad7c6ff4b4e66badbbdbaa0145c0066baaa88cbc1f79d08f0

memory/1772-122-0x00007FF7746F0000-0x00007FF774A44000-memory.dmp

C:\Windows\System\TlLUBzA.exe

MD5 4a5f4324f0f7b7ab788668148aa64601
SHA1 a66fc69067ab623a333c72286877b14778cff5da
SHA256 b18b261a247196b70ff4b12e82096c66451fdcfba5bf9e02f81b7dfa9640be33
SHA512 21aab0ccbf5a55a68f3f0a8baf485fc3919f4a30c8536b7f628143b4afddc5a77e298fb8e18d55106dcfb7206561277af45a28d32cd83e5336a2ea4a7bfe1448

memory/4948-127-0x00007FF740410000-0x00007FF740764000-memory.dmp

memory/3760-128-0x00007FF7D2A80000-0x00007FF7D2DD4000-memory.dmp

memory/4084-129-0x00007FF7A2220000-0x00007FF7A2574000-memory.dmp

memory/4796-130-0x00007FF7D6150000-0x00007FF7D64A4000-memory.dmp

memory/4664-131-0x00007FF6656E0000-0x00007FF665A34000-memory.dmp

memory/4600-132-0x00007FF60EFE0000-0x00007FF60F334000-memory.dmp

memory/3640-133-0x00007FF711A80000-0x00007FF711DD4000-memory.dmp

memory/1692-134-0x00007FF612E00000-0x00007FF613154000-memory.dmp

memory/1772-135-0x00007FF7746F0000-0x00007FF774A44000-memory.dmp

memory/3760-136-0x00007FF7D2A80000-0x00007FF7D2DD4000-memory.dmp

memory/4796-137-0x00007FF7D6150000-0x00007FF7D64A4000-memory.dmp

memory/4788-139-0x00007FF78BAC0000-0x00007FF78BE14000-memory.dmp

memory/4664-138-0x00007FF6656E0000-0x00007FF665A34000-memory.dmp

memory/3728-144-0x00007FF7E4F50000-0x00007FF7E52A4000-memory.dmp

memory/3064-146-0x00007FF7057E0000-0x00007FF705B34000-memory.dmp

memory/2336-145-0x00007FF7B92E0000-0x00007FF7B9634000-memory.dmp

memory/1664-143-0x00007FF741D80000-0x00007FF7420D4000-memory.dmp

memory/1528-142-0x00007FF7409E0000-0x00007FF740D34000-memory.dmp

memory/3580-141-0x00007FF638710000-0x00007FF638A64000-memory.dmp

memory/4600-140-0x00007FF60EFE0000-0x00007FF60F334000-memory.dmp

memory/3880-147-0x00007FF7347D0000-0x00007FF734B24000-memory.dmp

memory/3764-151-0x00007FF690920000-0x00007FF690C74000-memory.dmp

memory/208-152-0x00007FF66ECB0000-0x00007FF66F004000-memory.dmp

memory/3472-150-0x00007FF664B90000-0x00007FF664EE4000-memory.dmp

memory/3280-148-0x00007FF6854F0000-0x00007FF685844000-memory.dmp

memory/2168-149-0x00007FF791970000-0x00007FF791CC4000-memory.dmp

memory/3640-153-0x00007FF711A80000-0x00007FF711DD4000-memory.dmp

memory/1772-155-0x00007FF7746F0000-0x00007FF774A44000-memory.dmp

memory/1692-154-0x00007FF612E00000-0x00007FF613154000-memory.dmp

memory/4084-156-0x00007FF7A2220000-0x00007FF7A2574000-memory.dmp
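The report above is a flat list of memory-dump names, per-file hash blocks, "File created" rows and one repeated network destination. As an added example (not part of the sandbox report and not the sandbox vendor's tooling), the Python below parses that layout from a constructed excerpt of the behavioral2 Files and Network sections, then runs three report-derived checks over constructed Sysmon-style log records. The `event=...|key=value` record format, the rule names and the module-level names (`parse_report`, `match_log`, `run_detections`, `region_size_histogram`) are assumptions made for the example; the paths, hashes, memory ranges and the 3.120.209.58:8080 destination are taken from the page.

```python
"""Turn this sandbox report into detection logic.

Added example, not part of the original report or of any vendor's tooling.
REPORT_EXCERPT is a constructed cut-down copy of the behavioral2 Files and
Network sections, in the report's own flattened layout; LOG_LINES are
constructed Sysmon-style "event=...|key=value" records (assumed format).
"""
import re
from collections import defaultdict

MEM_RE = re.compile(r"^memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
NET_RE = re.compile(r"^[A-Z]{2}\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+(?P<proto>tcp|udp)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$")
HASH_RE = re.compile(r"^(?P<algo>MD5|SHA1|SHA256|SHA512)\s+(?P<digest>[0-9A-Fa-f]+)$")

REPORT_EXCERPT = r"""
memory/4948-0-0x00007FF740410000-0x00007FF740764000-memory.dmp

memory/4948-1-0x000001C7C38D0000-0x000001C7C38E0000-memory.dmp

C:\Windows\System\cHeyWzz.exe

MD5 eb8a70fb699d85e8cbe3769c63f6e1f6
SHA1 18c44a325794292c71539ee0da2f59068b1c4ea0
SHA256 fc4a7919b51dcfe20d742fba1e644b86825db80d2697cd1f1b126945e56328df

memory/3760-7-0x00007FF7D2A80000-0x00007FF7D2DD4000-memory.dmp

C:\Windows\System\aCDOwzU.exe

MD5 a54456fc9076dc3243c77c7641a54852
SHA1 295add3ffd643e63723761cf6d8d109396e22d57
SHA256 40e1a10d75c85651511af0b17c9708bb3bc17d360b14a2b419706e453116d15d

DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""


def parse_report(text):
    """Walk the flattened report line by line.

    Returns (files, regions, network): path -> {algo: digest},
    pid -> [(base, size)], and a set of (ip, port, proto).
    Hash lines attach to the most recently seen path.
    """
    files, regions, network, current = {}, defaultdict(list), set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MEM_RE.match(line):
            start, end = int(m["start"], 16), int(m["end"], 16)
            regions[int(m["pid"])].append((start, end - start))
            current = None
        elif m := NET_RE.match(line):
            network.add((m["ip"], int(m["port"]), m["proto"]))
            current = None
        elif PATH_RE.match(line):
            current = line
            files.setdefault(current, {})
        elif (m := HASH_RE.match(line)) and current:
            files[current][m["algo"]] = m["digest"].lower()
    return files, dict(regions), network


def region_size_histogram(regions):
    """Count dumped regions by size. Every PE image region on this page is
    0x354000 bytes regardless of PID: the renamed drops share one image."""
    counts = defaultdict(int)
    for spans in regions.values():
        for _, size in spans:
            counts[size] += 1
    return dict(counts)


# The drop directory on this page is C:\Windows\System, not System32; the
# trailing backslash in the prefix keeps System32 writes from matching.
DROP_DIR = "c:\\windows\\system\\"
STAGER_DIR = "\\appdata\\local\\temp\\"


def match_log(line, files, network):
    """Return the names of the report-derived rules one log record trips."""
    f = dict(kv.split("=", 1) for kv in line.split("|"))
    hits = []
    if f.get("event") == "FileCreate":
        target = f["target"].lower()
        if target.startswith(DROP_DIR) and target.endswith(".exe") and STAGER_DIR in f["image"].lower():
            hits.append("drops-exe-in-windows-system-from-temp")
    elif f.get("event") == "ProcessCreate":
        if any(f.get("sha256", "").lower() == h.get("SHA256") for h in files.values()):
            hits.append("known-dropped-payload-hash")
    elif f.get("event") == "NetworkConnect":
        if (f["dst"], int(f["port"]), f["proto"]) in network:
            hits.append("known-c2-destination")
    return hits


def run_detections(log_lines, files, network):
    """Map the index of each matching log record to the rules it tripped."""
    return {i: h for i, line in enumerate(log_lines) if (h := match_log(line, files, network))}


LOG_LINES = [  # constructed records; only the paths, hash and destination come from the page
    r"event=FileCreate|image=C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe|target=C:\Windows\System\cHeyWzz.exe",
    r"event=FileCreate|image=C:\Windows\System32\svchost.exe|target=C:\Windows\System32\config\x.dat",
    r"event=ProcessCreate|image=C:\Windows\System\aCDOwzU.exe|sha256=40E1A10D75C85651511AF0B17C9708BB3BC17D360B14A2B419706E453116D15D",
    r"event=NetworkConnect|image=C:\Windows\System\cHeyWzz.exe|dst=3.120.209.58|port=8080|proto=tcp",
    r"event=NetworkConnect|image=C:\Windows\System\cHeyWzz.exe|dst=3.120.209.59|port=8080|proto=tcp",
]

FILES, REGIONS, NETWORK = parse_report(REPORT_EXCERPT)

if __name__ == "__main__":
    print({hex(k): v for k, v in region_size_histogram(REGIONS).items()})
    for i, rules in run_detections(LOG_LINES, FILES, NETWORK).items():
        print(i, rules)
```

Run it directly to print the region-size histogram and the matching records. Two caveats are encoded deliberately: the drop path is C:\Windows\System, so a check that only watches System32 misses every file in the "Drops file in Windows directory" table, and the network indicator is a bare IP:port pair with no domain, which operators rotate, so the hash and path rules are the durable ones and the destination is a short-lived indicator.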