Malware Analysis Report

2025-08-06 02:05

Sample ID 241027-e9hsxsteqc
Target 2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat
SHA256 cdb51c813437685db3fbd116ecd6522a14e57ca10dd958f748b4156fe51fbc64
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

cdb51c813437685db3fbd116ecd6522a14e57ca10dd958f748b4156fe51fbc64

Threat Level: Known bad

The file 2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Cobalt Strike reflective loader

Cobaltstrike family

Xmrig family

XMRig Miner payload

Cobaltstrike

xmrig

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-10-27 04:38

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 04:38

Reported

2024-10-27 04:40

Platform

win7-20240903-en

Max time kernel

140s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\smlUjnr.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XCMBDxJ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SzYyHRW.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KYOKlIU.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zZMGLkm.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\weYIamj.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zYRLSqe.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rRVNpIO.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IjfTcZX.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XBEYyIk.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YgdsyZC.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GHKtyld.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VNWUtXU.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DsjwAKj.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UPnUpUX.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rLSXZJl.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yFfJJxH.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ustqoxO.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yOnzGkV.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IFOCDno.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hoEzqbm.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2096 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\smlUjnr.exe
PID 2096 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zYRLSqe.exe
PID 2096 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XCMBDxJ.exe
PID 2096 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ustqoxO.exe
PID 2096 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rRVNpIO.exe
PID 2096 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YgdsyZC.exe
PID 2096 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IjfTcZX.exe
PID 2096 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SzYyHRW.exe
PID 2096 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KYOKlIU.exe
PID 2096 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XBEYyIk.exe
PID 2096 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yOnzGkV.exe
PID 2096 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GHKtyld.exe
PID 2096 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IFOCDno.exe
PID 2096 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zZMGLkm.exe
PID 2096 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VNWUtXU.exe
PID 2096 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hoEzqbm.exe
PID 2096 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DsjwAKj.exe
PID 2096 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UPnUpUX.exe
PID 2096 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\weYIamj.exe
PID 2096 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rLSXZJl.exe
PID 2096 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yFfJJxH.exe

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe "C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\smlUjnr.exe C:\Windows\System\smlUjnr.exe
C:\Windows\System\zYRLSqe.exe C:\Windows\System\zYRLSqe.exe
C:\Windows\System\XCMBDxJ.exe C:\Windows\System\XCMBDxJ.exe
C:\Windows\System\ustqoxO.exe C:\Windows\System\ustqoxO.exe
C:\Windows\System\rRVNpIO.exe C:\Windows\System\rRVNpIO.exe
C:\Windows\System\YgdsyZC.exe C:\Windows\System\YgdsyZC.exe
C:\Windows\System\IjfTcZX.exe C:\Windows\System\IjfTcZX.exe
C:\Windows\System\SzYyHRW.exe C:\Windows\System\SzYyHRW.exe
C:\Windows\System\KYOKlIU.exe C:\Windows\System\KYOKlIU.exe
C:\Windows\System\XBEYyIk.exe C:\Windows\System\XBEYyIk.exe
C:\Windows\System\yOnzGkV.exe C:\Windows\System\yOnzGkV.exe
C:\Windows\System\GHKtyld.exe C:\Windows\System\GHKtyld.exe
C:\Windows\System\IFOCDno.exe C:\Windows\System\IFOCDno.exe
C:\Windows\System\zZMGLkm.exe C:\Windows\System\zZMGLkm.exe
C:\Windows\System\VNWUtXU.exe C:\Windows\System\VNWUtXU.exe
C:\Windows\System\hoEzqbm.exe C:\Windows\System\hoEzqbm.exe
C:\Windows\System\DsjwAKj.exe C:\Windows\System\DsjwAKj.exe
C:\Windows\System\UPnUpUX.exe C:\Windows\System\UPnUpUX.exe
C:\Windows\System\weYIamj.exe C:\Windows\System\weYIamj.exe
C:\Windows\System\rLSXZJl.exe C:\Windows\System\rLSXZJl.exe
C:\Windows\System\yFfJJxH.exe C:\Windows\System\yFfJJxH.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2360-228-0x000000013F3B0000-0x000000013F701000-memory.dmp

memory/1728-252-0x000000013F960000-0x000000013FCB1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 04:38

Reported

2024-10-27 04:40

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\YgdsyZC.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SzYyHRW.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XBEYyIk.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zZMGLkm.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UPnUpUX.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rRVNpIO.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IjfTcZX.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yOnzGkV.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hoEzqbm.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DsjwAKj.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rLSXZJl.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zYRLSqe.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XCMBDxJ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ustqoxO.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KYOKlIU.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\weYIamj.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yFfJJxH.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\smlUjnr.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GHKtyld.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IFOCDno.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VNWUtXU.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4960 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\smlUjnr.exe
PID 4960 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\smlUjnr.exe
PID 4960 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zYRLSqe.exe
PID 4960 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zYRLSqe.exe
PID 4960 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XCMBDxJ.exe
PID 4960 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XCMBDxJ.exe
PID 4960 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ustqoxO.exe
PID 4960 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ustqoxO.exe
PID 4960 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rRVNpIO.exe
PID 4960 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rRVNpIO.exe
PID 4960 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YgdsyZC.exe
PID 4960 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YgdsyZC.exe
PID 4960 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IjfTcZX.exe
PID 4960 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IjfTcZX.exe
PID 4960 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SzYyHRW.exe
PID 4960 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SzYyHRW.exe
PID 4960 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KYOKlIU.exe
PID 4960 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KYOKlIU.exe
PID 4960 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XBEYyIk.exe
PID 4960 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XBEYyIk.exe
PID 4960 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yOnzGkV.exe
PID 4960 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yOnzGkV.exe
PID 4960 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GHKtyld.exe
PID 4960 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GHKtyld.exe
PID 4960 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IFOCDno.exe
PID 4960 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IFOCDno.exe
PID 4960 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zZMGLkm.exe
PID 4960 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zZMGLkm.exe
PID 4960 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VNWUtXU.exe
PID 4960 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VNWUtXU.exe
PID 4960 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hoEzqbm.exe
PID 4960 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hoEzqbm.exe
PID 4960 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DsjwAKj.exe
PID 4960 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DsjwAKj.exe
PID 4960 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UPnUpUX.exe
PID 4960 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UPnUpUX.exe
PID 4960 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\weYIamj.exe
PID 4960 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\weYIamj.exe
PID 4960 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rLSXZJl.exe
PID 4960 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rLSXZJl.exe
PID 4960 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yFfJJxH.exe
PID 4960 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yFfJJxH.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\smlUjnr.exe

C:\Windows\System\smlUjnr.exe

C:\Windows\System\zYRLSqe.exe

C:\Windows\System\zYRLSqe.exe

C:\Windows\System\XCMBDxJ.exe

C:\Windows\System\XCMBDxJ.exe

C:\Windows\System\ustqoxO.exe

C:\Windows\System\ustqoxO.exe

C:\Windows\System\rRVNpIO.exe

C:\Windows\System\rRVNpIO.exe

C:\Windows\System\YgdsyZC.exe

C:\Windows\System\YgdsyZC.exe

C:\Windows\System\IjfTcZX.exe

C:\Windows\System\IjfTcZX.exe

C:\Windows\System\SzYyHRW.exe

C:\Windows\System\SzYyHRW.exe

C:\Windows\System\KYOKlIU.exe

C:\Windows\System\KYOKlIU.exe

C:\Windows\System\XBEYyIk.exe

C:\Windows\System\XBEYyIk.exe

C:\Windows\System\yOnzGkV.exe

C:\Windows\System\yOnzGkV.exe

C:\Windows\System\GHKtyld.exe

C:\Windows\System\GHKtyld.exe

C:\Windows\System\IFOCDno.exe

C:\Windows\System\IFOCDno.exe

C:\Windows\System\zZMGLkm.exe

C:\Windows\System\zZMGLkm.exe

C:\Windows\System\VNWUtXU.exe

C:\Windows\System\VNWUtXU.exe

C:\Windows\System\hoEzqbm.exe

C:\Windows\System\hoEzqbm.exe

C:\Windows\System\DsjwAKj.exe

C:\Windows\System\DsjwAKj.exe

C:\Windows\System\UPnUpUX.exe

C:\Windows\System\UPnUpUX.exe

C:\Windows\System\weYIamj.exe

C:\Windows\System\weYIamj.exe

C:\Windows\System\rLSXZJl.exe

C:\Windows\System\rLSXZJl.exe

C:\Windows\System\yFfJJxH.exe

C:\Windows\System\yFfJJxH.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp

Files

memory/4960-0-0x00007FF7E6D30000-0x00007FF7E7081000-memory.dmp

memory/4960-1-0x000001E27CB20000-0x000001E27CB30000-memory.dmp

C:\Windows\System\smlUjnr.exe

MD5 5756d6991c9d3f091efdc8812809b7aa
SHA1 563a747acfcb76f559a046cdcd15e2d28c751cde
SHA256 a3dba698730c7de87a2dfca1dcd2e39e99b452c0ef890ca636bc6e6136f69dca
SHA512 e2a59ded82631fa577f6197a79334dc54dbdf955d82fca68e1dc736d44bfeca5373f6b360323909bd147e175ab397efc6fb866e536c243ea3b9ced7cc6b5b3ad

memory/4936-8-0x00007FF6C0210000-0x00007FF6C0561000-memory.dmp

C:\Windows\System\XCMBDxJ.exe

MD5 93ebb467f9b66f60b49ea98fc3d38d7a
SHA1 5a210f6093cc51feee4dabda1ad6165f24a20327
SHA256 30e975ded8edaa634cdb8e72f7626496e3cc4c753f795b0f4416469cdc5e4b0e
SHA512 d606cbcd0930a858e3dd5814ed49ab8059ca59927b8618900cf41b42575dbf452cd12a3cacd17295b81a574a375631747d45b37f7168aa518972fc7a6a1e31e2

C:\Windows\System\zYRLSqe.exe

MD5 2eea7f32bd3b237ab80c20968761b76b
SHA1 1d207d4091f9401cf23698c1933d9507553fd493
SHA256 a6c07ded74083ad009f52a5a4dc02d7aa42fc39eb1c105a9e4b8b0635174ed24
SHA512 50564b81b9ebf894e6c93a2eaedd63993769f548ba9f94fe7264c59d28e14d69274a94037045b19c8892ef04c2eb134b39d23cae17cb06cf1779fa4f5a5736e5

C:\Windows\System\ustqoxO.exe

MD5 7c94b56fed2e1c6458d245cbd8b0e217
SHA1 5ca0080eb9de0971b1d25e4737d1753d6b649474
SHA256 b357737c567813098f659c10cdbe95c796726a4dd1ceef4128def600006bbcf6
SHA512 a3d5123a65d477ffd7cdd20e85b8d7914a050e87dc9b2fd040f676920949dbf0bcab7f193083d9b4988166c280eea3deac27af395d24ce7b19146e448950fb75

memory/384-24-0x00007FF7E8EE0000-0x00007FF7E9231000-memory.dmp

memory/4664-15-0x00007FF7CF580000-0x00007FF7CF8D1000-memory.dmp

memory/2552-13-0x00007FF665010000-0x00007FF665361000-memory.dmp

C:\Windows\System\YgdsyZC.exe

MD5 140b6f8f138e2e51411a2c2ec199c907
SHA1 61a986a89a06b1bc0f67608dc1aedff179ea28a7
SHA256 5ba64213d862b2bc578538cf6b5b95ab1c0661372c6416114372c3261a52fedb
SHA512 61a1b41c4fa7cde386255f31b2315f12c1efb153a88af3e419c2a7feda2b27867c9ef6f8a2eef8e382c1e050c8826512d132aaae2b6acc5bfc174f5bdf2f223b

memory/1936-33-0x00007FF66B1B0000-0x00007FF66B501000-memory.dmp

memory/2832-34-0x00007FF7E65C0000-0x00007FF7E6911000-memory.dmp

C:\Windows\System\IjfTcZX.exe

MD5 2c2640ac9eed8ed79bbad9c6a605f472
SHA1 ec939cd2358849e2676752486c5fe26f0c0cc98f
SHA256 e178c6ccf1237718cee1807e4572379e0130348dea5d20f8de2b598258522a63
SHA512 e03c33fb411317205cbc504d0a294459907c912f8e4d50392477c943de937393dbe63b679fa1a9420de88660c85da40e84efdd5e768584b33f3282538c35839a

memory/1796-49-0x00007FF6642C0000-0x00007FF664611000-memory.dmp

C:\Windows\System\KYOKlIU.exe

MD5 e9c5bb137f7d493cafe84140f52fd15f
SHA1 d8c567ca4b2f89d2e42d4213e286831668c79619
SHA256 f466c486a32a67fe8e214e2b5a33b91f36b1912475f4c09fa96f4c057e38b3b3
SHA512 54551ac2e0b421fe1e17e154f16822931d34e769b6d26e0a12f26fc6ea1122054361bdfbc3988cb177fcd54a6373e98196136cc798a3edd6448b163122aee5ae

C:\Windows\System\XBEYyIk.exe

MD5 78594d1b93326a67781d1bb490cb50a2
SHA1 338d49f13222146cdda7f62bd201752be06f423e
SHA256 86788bb1d369f0683bac2ef54ba61e7e71faed4fa4239c6eeb6bee96c575d580
SHA512 da1ee6d4413a91d7631734971489d4144dd136cb7a29fe53bdbfd86d422df656287be81a1a63438dfdb826a259dea97aedb7958d2b53d48a57906f42bfa99d3e

C:\Windows\System\GHKtyld.exe

MD5 c8c2b8a67f81a7519331476a0e26ba00
SHA1 f42d00836fc843cd3e9f5a5707709403728acd5f
SHA256 c725e46fe08ecb396356181830003f2bd65d83041faffd9613c8db5ef2f09388
SHA512 c119fafcfd2a04112f13af23761704b8045408c87134237b18daa4661f94674cc5aa9482c4c5d2a3d5db8bcb25d5e9087db399bf5cdde19ea1084cdf60853336

C:\Windows\System\VNWUtXU.exe

MD5 8ed47bd4484fac484f6c9ffe960e1b9c
SHA1 9736cec0c9582cecc473bc4eb0137ac7718b8aef
SHA256 73e3e14099460293a139109eef08bb541a18e11d83c4ddc6b4eabba275ca3772
SHA512 2868e057f9f569d960d5ef2e74d932c52bac47ae11b69b0066dc7192544ea4f92e22e770bb7ff14ef375be720d6294709e33377a39f1a77b53bf4db8bb945196

C:\Windows\System\DsjwAKj.exe

MD5 772435871c1ae1dafb756d130d46339a
SHA1 c82e7cf5578cda9877b7249cff04aa328526c2c9
SHA256 91bb1ca6e2d63025610ffb57856ca805e1f3f9399a4d44b50a7e0b3e7ee6da64
SHA512 2c595f4ada0b27cded5296a16bf04cc1a125e55d5dffbe6f299704b978fca420f64e7101d94f12420851a10d2f5928f4e937b56e3efc047917953eb5644b9584

memory/1916-124-0x00007FF701F10000-0x00007FF702261000-memory.dmp

memory/4664-130-0x00007FF7CF580000-0x00007FF7CF8D1000-memory.dmp

memory/4616-129-0x00007FF73CF90000-0x00007FF73D2E1000-memory.dmp

memory/4928-128-0x00007FF7D3BF0000-0x00007FF7D3F41000-memory.dmp

C:\Windows\System\rLSXZJl.exe

MD5 1f7dd2c68833ca454faba85da3652cfe
SHA1 bf2c7f45302279c10f332eb07dae49a9a5d38f1d
SHA256 71a8ea5f29fcc6836bd10867840f6b426785399554a6f486c500978224938a2f
SHA512 6d3592b99d3c67f64f329ad6f6ad86a9fad083ea45bef450d347243e7af953d1cb69656e998f2a0f02ca8dca87431bc3743176d50926140b0d1393e76cc59200

memory/2824-125-0x00007FF747660000-0x00007FF7479B1000-memory.dmp

C:\Windows\System\yFfJJxH.exe

MD5 4e4e71a1b0e55eebf40722b576d61c22
SHA1 af62eb20e2d8d2ac5f6aaf08552ab9894c0d2b51
SHA256 a86424af3dc60f5b3a0a2f66dfe1b95ac7017f058f6b38f62445d8410ef532ed
SHA512 8a02fc17734d43cbdc17a5337f70b7352e93f876ec83a2cef981cc566c8d9a113ea1d3749dc77b52090961455ac7a44ac02b5de8f717831d9946c5dd5e50d869

C:\Windows\System\UPnUpUX.exe

MD5 cbc737f339a9d7bd6e77d34b89368eaf
SHA1 d0a74499f28c665f7723b16b66f97027b708a67a
SHA256 c1b9a5a8a2bd575c9195fab67bdcaf88ebe30b95f447982fb716b32f40b86976
SHA512 568111174ab5645fe0852eb5d970a5097e007923434bc537647133ff497adf5e9b49e3794c0090610efe23aec06aab4d535b84c55fa44733d5c75b96313d10b8

C:\Windows\System\weYIamj.exe

MD5 d4e01206b136492ba1873f82eef288f3
SHA1 823e537fc4879c1a5633af6a74e33df84f9e866f
SHA256 9ca099e315ddb10e22201195e66420b024ad59973e3fede6035437d9fa3ff0e1
SHA512 eb8a44eb1ff713c86b25d925abb5b309e3747a2b85796cb34269e43877632a846e7bb8eb896aa4f141b8d5e9638d61da3b398685d4dcade8490804b42e7dc9a0

memory/4568-118-0x00007FF638FD0000-0x00007FF639321000-memory.dmp

memory/4116-113-0x00007FF705F00000-0x00007FF706251000-memory.dmp

memory/2584-112-0x00007FF709D20000-0x00007FF70A071000-memory.dmp

C:\Windows\System\zZMGLkm.exe

MD5 ce92e3b12e4e21c205e2d8d03120a7a9
SHA1 5f750aa332f998586f908cc0ec3048ee9c345d95
SHA256 f4ce984df512c92fc3935061d40478ef7908ebfc79ab6bb69df37ae25a7de409
SHA512 0036c70c883cf675942ee0e56dd0a843dde96c562fcb010d84fb142bb8f2623c768500abfa9026f88155fb80bc22d34e8abd13cd37a9729c2369c971fa48b625

memory/3224-102-0x00007FF744000000-0x00007FF744351000-memory.dmp

memory/3404-101-0x00007FF762790000-0x00007FF762AE1000-memory.dmp

C:\Windows\System\hoEzqbm.exe

MD5 0260c5d41cce7411666ec923d9e21531
SHA1 14a0ae976b74eeff372998bc5e274f98a4327698
SHA256 33ff2accfd8dea886f77655c3cbe3015a9d29abb14fb81c609ab555ee6043c5a
SHA512 145e27a3bb5ea69d4de4248d388b1c584f9f4a1b64449ce0a64a7c994cac3f6ca8fde7641c77b6e9e4251abf8c66b718fdcd827c4e21c6f08bb9cbcae03b0cc6

C:\Windows\System\IFOCDno.exe

MD5 f518981dfbd9eaabfb1169c1cbbe8589
SHA1 a2e7a07d06f339041d8d100bb58717cf1db6911d
SHA256 e1b901ef9f1685b2b0cf5b05681f97e32d333e784a6c2d2af57a9be2696f6d04
SHA512 f26a6ae8c1ae07bdde48021b96acc12f723305946363b6e54edb548c1131aa488e3493db2a816c222d4cf259eca3fcf16c112c79ac44a6c9569508e63597edd4

memory/1132-92-0x00007FF65D6E0000-0x00007FF65DA31000-memory.dmp

C:\Windows\System\yOnzGkV.exe

MD5 d70c4650764d59b421e4b848dc2448fc
SHA1 7e5977afcc39621fe32ce024abccfb883a37be25
SHA256 0dbace26a16580e700cc140d10991ef67dc36f5240a39b432cb1e9b77b3134e2
SHA512 749a5b2c3e5f358ccb309e55091620367769a15f02759086afd01426f5b64873fb9b4685162b4568cf6973801fd275027302028caba82a428981fa50fc56f051

memory/2552-78-0x00007FF665010000-0x00007FF665361000-memory.dmp

memory/4936-77-0x00007FF6C0210000-0x00007FF6C0561000-memory.dmp

memory/1172-70-0x00007FF65EB50000-0x00007FF65EEA1000-memory.dmp

memory/2064-69-0x00007FF771C00000-0x00007FF771F51000-memory.dmp

memory/4960-62-0x00007FF7E6D30000-0x00007FF7E7081000-memory.dmp

memory/2004-61-0x00007FF6E2F60000-0x00007FF6E32B1000-memory.dmp

C:\Windows\System\SzYyHRW.exe

MD5 217f6b22ca587af978bd39e75080ae57
SHA1 07c35c5a1ae7ac2b723fa1e30f9b2895f6313d0e
SHA256 b8eb1346a991058f139b44edf4b58f235c9d1fe4e272ef4457009985bf1d9e1c
SHA512 a97bcf80fe2edd3ae7bd1b90560a82d42380714debb7517984c24fb8ddaf091fccb9e6ad7b8d7f0ad0233bbac233d79ce5607ca649caab9e48e0ef6ce1d242a8

memory/4620-42-0x00007FF7DFD40000-0x00007FF7E0091000-memory.dmp

C:\Windows\System\rRVNpIO.exe

MD5 022ff5d37de9c88d75d37e90c48077f2
SHA1 5bcc19ad9d17a3590a32777db12c5f5988c774c6
SHA256 57acb7a0feec1858e60ee432d356800c35c5a987c80c7d5043778e035aa95ef8
SHA512 711a040da47c9110f2ba14be4346bb1effe266e62104e7923b9e7ffe7c1bff40e4e305c55b12a9c6e991bd1f5407e2de73b23d0ed43d2a4579bc734ca3048e04

memory/384-132-0x00007FF7E8EE0000-0x00007FF7E9231000-memory.dmp

memory/4960-133-0x00007FF7E6D30000-0x00007FF7E7081000-memory.dmp

memory/1936-138-0x00007FF66B1B0000-0x00007FF66B501000-memory.dmp

memory/2832-139-0x00007FF7E65C0000-0x00007FF7E6911000-memory.dmp

memory/1796-140-0x00007FF6642C0000-0x00007FF664611000-memory.dmp

memory/2004-142-0x00007FF6E2F60000-0x00007FF6E32B1000-memory.dmp

memory/4620-141-0x00007FF7DFD40000-0x00007FF7E0091000-memory.dmp

memory/3404-148-0x00007FF762790000-0x00007FF762AE1000-memory.dmp

memory/3224-150-0x00007FF744000000-0x00007FF744351000-memory.dmp

memory/4616-152-0x00007FF73CF90000-0x00007FF73D2E1000-memory.dmp

memory/1172-145-0x00007FF65EB50000-0x00007FF65EEA1000-memory.dmp

memory/1132-144-0x00007FF65D6E0000-0x00007FF65DA31000-memory.dmp

memory/1916-153-0x00007FF701F10000-0x00007FF702261000-memory.dmp

memory/2064-143-0x00007FF771C00000-0x00007FF771F51000-memory.dmp

memory/4960-155-0x00007FF7E6D30000-0x00007FF7E7081000-memory.dmp

memory/4936-204-0x00007FF6C0210000-0x00007FF6C0561000-memory.dmp

memory/2552-208-0x00007FF665010000-0x00007FF665361000-memory.dmp

memory/4664-210-0x00007FF7CF580000-0x00007FF7CF8D1000-memory.dmp

memory/384-212-0x00007FF7E8EE0000-0x00007FF7E9231000-memory.dmp

memory/1936-226-0x00007FF66B1B0000-0x00007FF66B501000-memory.dmp

memory/2832-228-0x00007FF7E65C0000-0x00007FF7E6911000-memory.dmp

memory/4620-232-0x00007FF7DFD40000-0x00007FF7E0091000-memory.dmp

memory/1796-231-0x00007FF6642C0000-0x00007FF664611000-memory.dmp

memory/2004-234-0x00007FF6E2F60000-0x00007FF6E32B1000-memory.dmp

memory/1132-236-0x00007FF65D6E0000-0x00007FF65DA31000-memory.dmp

memory/2064-242-0x00007FF771C00000-0x00007FF771F51000-memory.dmp

memory/1172-244-0x00007FF65EB50000-0x00007FF65EEA1000-memory.dmp

memory/2584-246-0x00007FF709D20000-0x00007FF70A071000-memory.dmp

memory/4116-248-0x00007FF705F00000-0x00007FF706251000-memory.dmp

memory/3404-252-0x00007FF762790000-0x00007FF762AE1000-memory.dmp

memory/3224-254-0x00007FF744000000-0x00007FF744351000-memory.dmp

memory/4568-251-0x00007FF638FD0000-0x00007FF639321000-memory.dmp

memory/4928-260-0x00007FF7D3BF0000-0x00007FF7D3F41000-memory.dmp

memory/4616-259-0x00007FF73CF90000-0x00007FF73D2E1000-memory.dmp

memory/2824-262-0x00007FF747660000-0x00007FF7479B1000-memory.dmp

memory/1916-257-0x00007FF701F10000-0x00007FF702261000-memory.dmp