Malware Analysis Report

2025-08-11 08:11

Sample ID 241025-n15e1azdlm
Target 2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat
SHA256 05066aa15d65559b5c818aae121963f180fcaf7c92b2ae8731c5595b2dedab32
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

05066aa15d65559b5c818aae121963f180fcaf7c92b2ae8731c5595b2dedab32

Threat Level: Known bad

The file 2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobaltstrike

xmrig

Xmrig family

XMRig Miner payload

Cobaltstrike family

Cobalt Strike reflective loader

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-10-25 11:52

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (2 matches, no details reported)

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 11:52

Reported

2024-10-25 11:55

Platform

win7-20240903-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 matches, no details reported)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (42 matches, no details reported)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A (21 identical entries)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 matches, no details reported)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\muHxujU.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SgaMIyb.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IkOxmuX.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rvooWnR.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pUWcUrb.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yYLuOja.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uhDTbXy.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Nrwktlg.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vSWSlpR.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wwuXLfG.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kDvNguq.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xbbTrNC.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NYGhZuw.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EbgwMhx.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bypQvlN.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fNjIMJU.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mFaQImn.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\izCZMsm.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HtaNNkL.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UQiTfuI.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cbuVYEi.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1968 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SgaMIyb.exe (3 writes)
PID 1968 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wwuXLfG.exe (3 writes)
PID 1968 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UQiTfuI.exe (3 writes)
PID 1968 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mFaQImn.exe (3 writes)
PID 1968 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\izCZMsm.exe (3 writes)
PID 1968 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kDvNguq.exe (3 writes)
PID 1968 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rvooWnR.exe (3 writes)
PID 1968 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NYGhZuw.exe (3 writes)
PID 1968 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cbuVYEi.exe (3 writes)
PID 1968 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pUWcUrb.exe (3 writes)
PID 1968 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yYLuOja.exe (3 writes)
PID 1968 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EbgwMhx.exe (3 writes)
PID 1968 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uhDTbXy.exe (3 writes)
PID 1968 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Nrwktlg.exe (3 writes)
PID 1968 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IkOxmuX.exe (3 writes)
PID 1968 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vSWSlpR.exe (3 writes)
PID 1968 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bypQvlN.exe (3 writes)
PID 1968 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\muHxujU.exe (3 writes)
PID 1968 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fNjIMJU.exe (3 writes)
PID 1968 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xbbTrNC.exe (3 writes)
PID 1968 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HtaNNkL.exe (3 writes)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\SgaMIyb.exe

C:\Windows\System\SgaMIyb.exe

C:\Windows\System\wwuXLfG.exe

C:\Windows\System\wwuXLfG.exe

C:\Windows\System\UQiTfuI.exe

C:\Windows\System\UQiTfuI.exe

C:\Windows\System\mFaQImn.exe

C:\Windows\System\mFaQImn.exe

C:\Windows\System\izCZMsm.exe

C:\Windows\System\izCZMsm.exe

C:\Windows\System\kDvNguq.exe

C:\Windows\System\kDvNguq.exe

C:\Windows\System\rvooWnR.exe

C:\Windows\System\rvooWnR.exe

C:\Windows\System\NYGhZuw.exe

C:\Windows\System\NYGhZuw.exe

C:\Windows\System\cbuVYEi.exe

C:\Windows\System\cbuVYEi.exe

C:\Windows\System\pUWcUrb.exe

C:\Windows\System\pUWcUrb.exe

C:\Windows\System\yYLuOja.exe

C:\Windows\System\yYLuOja.exe

C:\Windows\System\EbgwMhx.exe

C:\Windows\System\EbgwMhx.exe

C:\Windows\System\uhDTbXy.exe

C:\Windows\System\uhDTbXy.exe

C:\Windows\System\Nrwktlg.exe

C:\Windows\System\Nrwktlg.exe

C:\Windows\System\IkOxmuX.exe

C:\Windows\System\IkOxmuX.exe

C:\Windows\System\vSWSlpR.exe

C:\Windows\System\vSWSlpR.exe

C:\Windows\System\bypQvlN.exe

C:\Windows\System\bypQvlN.exe

C:\Windows\System\muHxujU.exe

C:\Windows\System\muHxujU.exe

C:\Windows\System\fNjIMJU.exe

C:\Windows\System\fNjIMJU.exe

C:\Windows\System\xbbTrNC.exe

C:\Windows\System\xbbTrNC.exe

C:\Windows\System\HtaNNkL.exe

C:\Windows\System\HtaNNkL.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp (6 identical entries)

Files

memory/1968-0-0x000000013F390000-0x000000013F6E1000-memory.dmp

memory/1968-1-0x00000000000F0000-0x0000000000100000-memory.dmp

C:\Windows\system\SgaMIyb.exe

MD5 cbc42684cf664355a9eb2b178ab550fa
SHA1 545c35e80b58dc75a4d0497794832b974861ac38
SHA256 1d1490d6096532cb190b3fdd7c465c2d0ead4811dbdf8bc7aecf1ea946e5ea10
SHA512 377d4403fef1c216b2cbd8a897b61b2c46c098dd8404ebdd75308639371b1667cd27c4657f4f0e26c4775293fecc6fbf1e378efca3f1a183b3985c064c696e04

C:\Windows\system\wwuXLfG.exe

MD5 cb46fd4cdc102047a4dc26aaedb3df29
SHA1 03c3d1cb16030eae134af993e74e2c944e178055
SHA256 238b3677df86a5fbae905f17e06f03613b994de21550933b0efcda3fb538bd83
SHA512 2133b6dcbcb3d08cd11638a25079aba76544a05f950e9a245a9008c80f4ccfe60dda9380a589422be545921c0078f82270090a926e212f2c2b2da469082204bb

\Windows\system\UQiTfuI.exe

MD5 8a886087d8c96cd1d91a86328a86903c
SHA1 5c442d9ff7f1a1923a600c6cc0b371886509509c
SHA256 5efd46203f7b543475d4c0ea5853de66f77300157c91eb7da29bd4fe26f19b7f
SHA512 8d5adbe450c9943fd30a963f0080bc40dd2939636ec635ad9899e768f5e3901223686abe7e81480cd6362fd9dfd32b6030d1b4702d2dec7329b5582ecfdf68c1

memory/2052-18-0x000000013F180000-0x000000013F4D1000-memory.dmp

memory/1968-22-0x0000000002250000-0x00000000025A1000-memory.dmp

memory/2312-21-0x000000013F450000-0x000000013F7A1000-memory.dmp

memory/1968-20-0x0000000002250000-0x00000000025A1000-memory.dmp

memory/2520-19-0x000000013F500000-0x000000013F851000-memory.dmp

C:\Windows\system\mFaQImn.exe

MD5 8eb05d222c60a2969dd1830044954526
SHA1 de10bd1c7668bdc6a8784a7f24c0450466c1f4e6
SHA256 b4c80f55c2873a097a224477096974e8bc247cf5fe217db97e0cd2eed76a8961
SHA512 eba8b214184bbd15c106dfd91f0aecd9d06251e9d3b5d68e0ee7afc7f51282c9f4aaa96309baa8a6e8f2cdc6b40885f1aa54d4c97d0b894f8f1aaa923ff31ae2

C:\Windows\system\rvooWnR.exe

MD5 d5323b0fc88ff2f3be69f157c6a525ba
SHA1 cd75e9a77e830c605451fb3b2798ffd50b0be3a0
SHA256 0fc64f71de31de81c1e4384fde9593447a51e294e7891306443a63f3a02a8621
SHA512 ae49d2556d5d00ee3cece43fea13e0f8fece5ccd72d0df2dcbdc05679d16aec9d1d8dc3630f968ae1be51b38906da5ba00bcaac518a63b2e4017c5090a6d169e

\Windows\system\kDvNguq.exe

MD5 85a8cedba5afe3f08639cf6ea4452807
SHA1 d52f70c4fad78a20fd68a626db8f41982f6b2dc8
SHA256 0bd1c6d05e7dc3bec43325a7794b2c8e985e6c3cad1720584ec65338b620dfb7
SHA512 353b7aa3128ff32f860d22bff6e0da8cd347c31d945a892c2438401ec8f62ae066b127b8c4d2e0d80e5fa7bade5f0bdb53f7e00c7b2680b9dc01d3ec64dafd0b

C:\Windows\system\NYGhZuw.exe

MD5 136c2ba8617edf0c6533f7d203ed9c66
SHA1 7807b09353a9af93e8c0c7903946c0c96f21df4d
SHA256 1c5173e186150bda15461dc39519662d938b86473d365a962e48d1b365edae32
SHA512 4e270ab7c0c76c01427d40a716724c4bb02b0dc7ccc588c4e1884af9933047719cbf96577212b7ad5d582273a9cc38cc65a7685870772fc9d47703bd93d4c647

memory/2608-64-0x000000013FD30000-0x0000000140081000-memory.dmp

C:\Windows\system\pUWcUrb.exe

MD5 66f502175b4423f24a6f5f28fa91bb28
SHA1 020f9b4c5a4c16ce41fb17ed6a730e15114c630b
SHA256 23e204cee1a3bb47fddf22b54e54fecb7cb8329c1933721b77ce5f306ada6c23
SHA512 aa60a203d32a4d414c720a74181d721bcdedac7d61db12ddbed833dda32d3223ca232bdeaf22aa1e0c794f3f8238e94023360bdb4822d8096f26e055402c8226

memory/2848-79-0x000000013F9C0000-0x000000013FD11000-memory.dmp

memory/1968-85-0x000000013F7B0000-0x000000013FB01000-memory.dmp

memory/1444-96-0x000000013F320000-0x000000013F671000-memory.dmp

memory/620-103-0x000000013F930000-0x000000013FC81000-memory.dmp

memory/1960-114-0x000000013FAB0000-0x000000013FE01000-memory.dmp

C:\Windows\system\xbbTrNC.exe

MD5 e41fd6f2cac962ef694117f017fd6392
SHA1 485e01704d3bc5309b87941ee1853b00926647a5
SHA256 c866081489af3d012d1853e60aab0b6ac6ccbd68cf8b34dddb7ff44bcad27c91
SHA512 bb5cd7a841965f148e253979fe2c3a5762d10652613cc2ddaf14a407303dc321da000e2a51ea89df78db5d4c45f5ed093a284a0309e1786e93f5ed66c7c8404e

C:\Windows\system\HtaNNkL.exe

MD5 9dfccee05509e85c6991de8fbb4f1479
SHA1 312c9b49cb075ae3dee531f002768b76ffc2ee8b
SHA256 d87495ac6823b62442dc0783df97f5ab303d2870500d935a55282820b1f6329e
SHA512 f74db84c76047a590da05a832ff7f1b20eeabd9f5482a39229882e8e6304ce10f00a11cc2b1fdc5d928216ad104f2b9cee1ade356e1355fcdc0dafe089467609

C:\Windows\system\muHxujU.exe

MD5 588a6b77af6955a59d7a27ec87c44b23
SHA1 bead06a1f95df5ed4f2f0928a425f15271ba6886
SHA256 3cfb9d079bc5fc54fc44227dc90cd88227f0f7bab7de9e405395f886daaae38a
SHA512 7b066d594a631e48b67e1f1346133530c8bb4f7ec1bfe41617d22d8857daa0e63347a666fcf6851f93ed06035a36307e79f8d0482c044d7d5f21f19c5bc52b30

C:\Windows\system\vSWSlpR.exe

MD5 450d578f1f6d9fb578ce5b707a3c77b3
SHA1 2e39149ce46adba90a730ea36ab37066a810d5f8
SHA256 ffd169d67da5991b1778f105201004ff4348fa01d07a237c8251085f2853b5cb
SHA512 2d745272087a9140b6d9f13c078e4bf35f5d6a3eff8c3d772134f2735e2e9c5548de3643134412f7ac3426bed901489985cb428d60ef0144cfdfb0933317f6c1

C:\Windows\system\fNjIMJU.exe

MD5 ad1484d9b4eca25978da34e84bfb13bc
SHA1 599788ec0842752b412b8bab67b396ca820797e8
SHA256 0d92082e26b3c56c6894a83b0171d86b5f2a001f8cd9cf2f8c45ef623b9f3181
SHA512 7d726f76efe9d7ff06b4e080ac07f81622990cbf397c0cee32e97e3587dced4cc103c74bdd9c45a42a7ae7cf3d3ab8267e88a0a7bf889a2099c468180ed39ea0

memory/1968-119-0x000000013FB00000-0x000000013FE51000-memory.dmp

memory/2468-144-0x000000013F750000-0x000000013FAA1000-memory.dmp

memory/1968-143-0x000000013F750000-0x000000013FAA1000-memory.dmp

C:\Windows\system\bypQvlN.exe

MD5 bb9ea8b3d0f8555ded8c97a84db6c744
SHA1 3b15ae12a23f0ec20511d7777cbaead66497ea4e
SHA256 978bf47cd74973eeb4254fb7b5d11d47623a8cefd1f58252f6a95e2fd4db80aa
SHA512 b40f588e1f69ec45974c6dd1289820d119b80baa6561b1cf8eb4fd5a31becf22330f3d4a2a520a68c59828dabcbf236ac0972f6c86e1aac2a5c58d7aff47011f

memory/1968-110-0x000000013FAB0000-0x000000013FE01000-memory.dmp

memory/1968-102-0x000000013F930000-0x000000013FC81000-memory.dmp

memory/2608-101-0x000000013FD30000-0x0000000140081000-memory.dmp

C:\Windows\system\Nrwktlg.exe

MD5 f7ffc246f246462b25768cc6acb30d6d
SHA1 646648a085d15a2dace928e3a3026ec69b3f6ceb
SHA256 2c82350af3cd30bf457e0e993be9e257d73190a83addf036f7ba6450d2c61f6f
SHA512 eda5ad683a4111507599164c068033e868ac1e7592ee64fa19a4d170047cfd3c5e6f347edf5bdf1fe5f3e951ab9b84a1f45e63fad67ba18752724e837440a98f

C:\Windows\system\IkOxmuX.exe

MD5 badb60d76f13bc8fa1084486fba315bd
SHA1 a08eb8112d2a7ef7408faf5aa4a19f89b113c8c7
SHA256 a5b929fa61b9319702d78a947a663824d430a37fafeef627c190ccd4b1a77a0e
SHA512 affa579ef281b30493db35b1454dbd97bf38f4a3e02a27706fdd8351f65f5285ca98a00410a3792c690c59a6541ae1356ceda91e744d60985d74f2fe734ca7bd

memory/1968-95-0x0000000002250000-0x00000000025A1000-memory.dmp

memory/2096-94-0x000000013FA60000-0x000000013FDB1000-memory.dmp

memory/1632-146-0x000000013F7B0000-0x000000013FB01000-memory.dmp

memory/1968-145-0x000000013F7B0000-0x000000013FB01000-memory.dmp

C:\Windows\system\uhDTbXy.exe

MD5 ec86b75bd3c93ceee97b392dea4a032a
SHA1 24cc0ea7ec49e6a9174273767fd478d61b07f638
SHA256 ef7c2bc20f5b01f7ff4cd9a9b5029938c677120f8470eedc5b008a9552dd4aea
SHA512 aa89d459c56898b7f6b25f18072b6ffc40eb9c3d676e8289d2e17cb77956a9067224fc9e56f4a968ee804f19387d9cae39a64cb1856b90026a8635d22ee44ec7

memory/2840-87-0x000000013F780000-0x000000013FAD1000-memory.dmp

memory/1632-86-0x000000013F7B0000-0x000000013FB01000-memory.dmp

memory/2816-84-0x000000013F750000-0x000000013FAA1000-memory.dmp

C:\Windows\system\EbgwMhx.exe

MD5 864801ef498e802017e001cf0259ca43
SHA1 53a58c1a55d877afb228e9513707efc3b0c0a668
SHA256 7c32fe53132304a35e7dac7f7697696c018d2f9ebc049a55245d4b202a49c8c0
SHA512 da641845eb21ce8a35eff5f262710ebe734a305c769ce08922a8285fba2251dc3b3e9230d2e07e0da5ee90089be7b1f11374b8adbb883e6c53b8e810db96e2f4

memory/2468-78-0x000000013F750000-0x000000013FAA1000-memory.dmp

memory/1968-77-0x000000013F750000-0x000000013FAA1000-memory.dmp

memory/2188-69-0x000000013F8F0000-0x000000013FC41000-memory.dmp

memory/1960-68-0x000000013FAB0000-0x000000013FE01000-memory.dmp

C:\Windows\system\yYLuOja.exe

MD5 5cb04d47d2f6e6b3cd4f9fefab80e30a
SHA1 0b8a8fd2b9dd3809e1b763b4c7d6fa3d6a91a3a4
SHA256 dda3e036ce6d478f9a3ee46668e40a551c80e184d9a185753a11ea7be9b2822e
SHA512 097a257fe54edf6594bac0d8b4ae2331624005839feae6a45c0fba12cc6ddbda77a961852af188b48f9981ba5a9cd6c62021ba705f2f68aaf9fcaf0709a9e4e2

C:\Windows\system\cbuVYEi.exe

MD5 586d8690616d8d9411dfb3e50c701159
SHA1 4a56ec116d0d194a8154057379630e5251d5d081
SHA256 9c4262d33206a47fcebfc2bc6477a7ae38d0bf3414cdc88f55adcf3f38dfee5b
SHA512 0211bf29552541a73050fbcc53d286dcbca3c3242a1714ba8147ce30c1e2ef2c257712863d03d753a9fa7a6924d9380051334ab8ff5993d2b7d795747db36f53

C:\Windows\system\izCZMsm.exe

MD5 d54f80a23e9bc31c5e58a8f57328cbdc
SHA1 aa08fd7efc06e7c1101eb4d3ef0f6c68f19e7a84
SHA256 c9a884ec294695845a89c36d847e484fa2d8c49a47cc108be6c4784e57d9b7aa
SHA512 2d871492c6fda64b34758c48de19a9b523cb16937cec45f7cae62f16378ced65a160e3ee589a8c87e437159d47546fda86ac9841548ab79b26123dfbc82b2450

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 11:52

Reported

2024-10-25 11:55

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\BvgkdvE.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WRCrTZM.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IfoXNPv.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DAJywEL.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\onrdWxS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eMukEVk.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rqewCzZ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QvjVCbl.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Aibevck.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HIzvhJz.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EqKWsQU.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MTJxnJH.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SmicNvk.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UFEadOY.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zazUhRg.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nUaBubK.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BYlYOda.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ckrSBeV.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vBUmsPf.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pwBOzQv.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\szvHRHA.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4756 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WRCrTZM.exe
PID 4756 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WRCrTZM.exe
PID 4756 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IfoXNPv.exe
PID 4756 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IfoXNPv.exe
PID 4756 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DAJywEL.exe
PID 4756 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DAJywEL.exe
PID 4756 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UFEadOY.exe
PID 4756 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UFEadOY.exe
PID 4756 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zazUhRg.exe
PID 4756 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zazUhRg.exe
PID 4756 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nUaBubK.exe
PID 4756 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nUaBubK.exe
PID 4756 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BYlYOda.exe
PID 4756 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BYlYOda.exe
PID 4756 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\onrdWxS.exe
PID 4756 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\onrdWxS.exe
PID 4756 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eMukEVk.exe
PID 4756 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eMukEVk.exe
PID 4756 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BvgkdvE.exe
PID 4756 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BvgkdvE.exe
PID 4756 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ckrSBeV.exe
PID 4756 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ckrSBeV.exe
PID 4756 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vBUmsPf.exe
PID 4756 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vBUmsPf.exe
PID 4756 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Aibevck.exe
PID 4756 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Aibevck.exe
PID 4756 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pwBOzQv.exe
PID 4756 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pwBOzQv.exe
PID 4756 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HIzvhJz.exe
PID 4756 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HIzvhJz.exe
PID 4756 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EqKWsQU.exe
PID 4756 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EqKWsQU.exe
PID 4756 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\szvHRHA.exe
PID 4756 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\szvHRHA.exe
PID 4756 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rqewCzZ.exe
PID 4756 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rqewCzZ.exe
PID 4756 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QvjVCbl.exe
PID 4756 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QvjVCbl.exe
PID 4756 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MTJxnJH.exe
PID 4756 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MTJxnJH.exe
PID 4756 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SmicNvk.exe
PID 4756 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SmicNvk.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\WRCrTZM.exe

C:\Windows\System\WRCrTZM.exe

C:\Windows\System\IfoXNPv.exe

C:\Windows\System\IfoXNPv.exe

C:\Windows\System\DAJywEL.exe

C:\Windows\System\DAJywEL.exe

C:\Windows\System\UFEadOY.exe

C:\Windows\System\UFEadOY.exe

C:\Windows\System\zazUhRg.exe

C:\Windows\System\zazUhRg.exe

C:\Windows\System\nUaBubK.exe

C:\Windows\System\nUaBubK.exe

C:\Windows\System\BYlYOda.exe

C:\Windows\System\BYlYOda.exe

C:\Windows\System\onrdWxS.exe

C:\Windows\System\onrdWxS.exe

C:\Windows\System\eMukEVk.exe

C:\Windows\System\eMukEVk.exe

C:\Windows\System\BvgkdvE.exe

C:\Windows\System\BvgkdvE.exe

C:\Windows\System\ckrSBeV.exe

C:\Windows\System\ckrSBeV.exe

C:\Windows\System\vBUmsPf.exe

C:\Windows\System\vBUmsPf.exe

C:\Windows\System\Aibevck.exe

C:\Windows\System\Aibevck.exe

C:\Windows\System\pwBOzQv.exe

C:\Windows\System\pwBOzQv.exe

C:\Windows\System\HIzvhJz.exe

C:\Windows\System\HIzvhJz.exe

C:\Windows\System\EqKWsQU.exe

C:\Windows\System\EqKWsQU.exe

C:\Windows\System\szvHRHA.exe

C:\Windows\System\szvHRHA.exe

C:\Windows\System\rqewCzZ.exe

C:\Windows\System\rqewCzZ.exe

C:\Windows\System\QvjVCbl.exe

C:\Windows\System\QvjVCbl.exe

C:\Windows\System\MTJxnJH.exe

C:\Windows\System\MTJxnJH.exe

C:\Windows\System\SmicNvk.exe

C:\Windows\System\SmicNvk.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\WRCrTZM.exe

MD5 2a9d3c25d58f53e71529a30712a7da5c
SHA1 4dba39333b183840a78af07e5f6b39e2815066cf
SHA256 91ba557101cbb8e8944524609658fef9c37a65c6273dc235a713b7721939289f
SHA512 465a4904e58e576e05bbe07d141514b42d748e68089cda10f897e676f9d311a8a151adfbfe4d34eee889749ffd8b8f73678caae37c6c9aee0b434db1b61d9959

C:\Windows\System\IfoXNPv.exe

MD5 d7e7603ecc1017ca6159ccc2e5062079
SHA1 e327647005b9f9f9b8efd7b5da5134cc3b99b9b3
SHA256 c87fa5562d24cc2608a75befaabe0b9fc88ffce9643a1c13f55b0e26c6acafb6
SHA512 4cfcd014b32bc6bbe54c92e4a72d93fbff319aa40182d5a4ac88aa1c3c61c58fb2c12436d3c32e0cde722de31ffd3d70736e67493228bc124d0223bc2fc5c528

C:\Windows\System\DAJywEL.exe

MD5 496b17b255960d2c0154780c52244585
SHA1 5abc43f03c3a5cc73b92eaf78baa1ff484ece05d
SHA256 0ff5a8161357bc1adb1038dd37c00d02fa054c6e899be05728f9d278d1de4646
SHA512 b495b6254f50ae6c0a54fbf5f06ab3d0358b6d7e3a05bc2c0e680dfef649f8aab234fe0f089b7dd0cf31170b6de3fb004b354ddce411cfd827c54701a73304cd

C:\Windows\System\UFEadOY.exe

MD5 2293bb4b6a3971b4f4c458899c2b194b
SHA1 878b8888aaa637e2ad2e96fc723892c12395a039
SHA256 b99589a1126c52149f9eb546d8797a280eb9d71a888d6fc4a2393210864ebd01
SHA512 8156c70edc6b6f2ae81875edfc1fd0f3af502e7e0c56068621d987694ddd932c90d0f41c0bb1af6d71c25f9759efc04fd9565c0bb722c6e38739912373a43598

C:\Windows\System\zazUhRg.exe

MD5 3dc7b841075983cf7b28651dfa946bf8
SHA1 266195a29b025cb34ddbce60d90ece7ea7ea3849
SHA256 9a26e46568676c2126895689940d16bceb38a80c61752e25423c074627922635
SHA512 b682f249f9ff5742bf4a9e98f8aec2bc5b1af784a56195ccc47927e00607b026ce8d8708726bc25b0893d600941489181cb11729ff49652896d8a292211e006e

C:\Windows\System\onrdWxS.exe

MD5 5bf3ecb47da7af8b90bfa63b59ceac67
SHA1 c0a98e367d9c9e17a95c1337e57bdd20574a8a25
SHA256 1c74ba63945e604077fe225976d638c14e34870c07853ce4abb724cac56fbb88
SHA512 c6a67914543f714c7f8d526a5ce3fabe4857a69b6fca96b58988cbd708327fd82ad5609c9510656ba721ac6a6159f6ce10de4d58810b5002b0312c2f127a3615

C:\Windows\System\BvgkdvE.exe

MD5 c0e53197663531b8a997711b327dcb11
SHA1 83a601b0cc8de324f48777c9221fecb79bb48a91
SHA256 f3369068f4a9d15333c1f389ede8520cdeb94de02d91852437116e1805c9ab0e
SHA512 b6dbf0becfe2c31b6f1e030b9aecd7a805a646b8c54deaece1703418345d29cb77e21145ec77dbc64009d6a31d747234333e2f725c5ef72c7099f5c4d13295a4

C:\Windows\System\eMukEVk.exe

MD5 434d351eea9a1397dda6157c8b37b2b6
SHA1 bef27e60423fdcf1e3fca5ba8ed6e70377f32663
SHA256 be52405ba8362e2e5f41f5192ba8ee81c68fa5071902e767bfd199b7886f8052
SHA512 5d5c6018efa9b12c356759c8988b25e068cd9307d7a00dc067b46f19fcaee4251902decadb42436913603a196fea9551a78377e486550147aa9821b28d26b943

C:\Windows\System\ckrSBeV.exe

MD5 43cbee0d0fafd641511ca5588fb06080
SHA1 7d5634537373ae9a33f7659bd16f63519466a726
SHA256 5f87a6f28ac3f62092891f391f8ce56bc28a2c4cfd9108a35fb0e0d0dfddd8ca
SHA512 1a3d97181e1b59149de6c135bdd1546ff9b7687c164683ef50fd9bd61395f990c9f8a98cd959f5aa98582662109a1fbf03b2d052a4f3d46e69554eb9f95dc03a

C:\Windows\System\vBUmsPf.exe

MD5 43642a3f965c7043c0d267783141c507
SHA1 15706fd02738dec99d7232b2b3bed7b431dc3a89
SHA256 2b390360fec2ae653c3b6e54ed82fa0c988333eeceb0707cfc8d977e8e047aca
SHA512 ef9f62c8b8fda9cfe69f662a65d6c4a0784b7b28ea63a95b6c7171b375e8567a19557153429000465cbf7498a8d00fdfd52751866890f8ad6f42626c77aecb82

C:\Windows\System\BYlYOda.exe

MD5 1b15a58e83fc1c148b03de638712b0fa
SHA1 f44812e37fb4b5c9887039f2d855aae3b1fa54f9
SHA256 2d608cbb4d928089d6f8a41121a457d1dd84686b07bae0f2376a6409580cee1f
SHA512 52bfd8b1bf6ad1f77317206713ceca5022ff72f5a648852f9513a7b75243563173e379208727c815d235608cba7e28b89ee9771193c75b63a5473f10d5bf310e

C:\Windows\System\nUaBubK.exe

MD5 9124d618f93ab8ef7b2556b3644bcc23
SHA1 569da2255fc2ed8aba6d2af8e9c586bdc6755bbb
SHA256 334a292b7c2ed2f325b05f553dd9867ba8711a800f01d16cecceab7652bf3e01
SHA512 1207d6219e698e02a887bcdde1c7f20c90b54a2c0fe58ce0e7699332c099e32b6b5169988559cb1bf84a2bec16182da5f01407476548e37f0497ed83ab9fd681

C:\Windows\System\Aibevck.exe

MD5 d103042c8f0210620305b9797c055cfd
SHA1 de9ac4cbcea0fff593c56fdc914b641b23476490
SHA256 adec7bab2d1b37fc5ff8d3b3dc6680aa5e3408e60a9647b1478b4686398cd4a2
SHA512 d029fab067b5c7fcd73046eeef304a435408097d5282acabe420dfd7d8bbe95a7cb4bbc1fa4201f0d6ba75837184fa06e28ec8d84a7c74ebf1fc7974ff172fcf

C:\Windows\System\HIzvhJz.exe

MD5 e79023d6c905ec09cb9b70941a36ae36
SHA1 96e36e5c848ac48af1e5c30d322c9f5a8afb799e
SHA256 3eae3e8cebc52c0c6cbb82bb68cd13b1e43c9c1c72a1c4e76741416a17e45e11
SHA512 2448d83be3d2c3a47469580f58aea6d7f9fe7d8fc2d9150cee1dd066e251bf43cdf04641529a3208c5315a661b293ccf6e3da8aa2317a028d227f6c399813903

C:\Windows\System\EqKWsQU.exe

MD5 6cdb8f380c0a0163e9967b6a8478e04a
SHA1 f7d34ef43a7273680cb31645d634839d815ee54f
SHA256 064fcaf1e8af7da83f70788f3e9ffffdcbe23eda486788908b58f862e3c0e804
SHA512 1b607d21c9b7a3b84d07c7fa3cee8fc2cb8d82148b351f1817ac6436dd0e1a2f87d2ab8cdcaa5bd51f41cfff69c308c30402d39a1544ccb7bc45f9904a1a7cdd

C:\Windows\System\szvHRHA.exe

MD5 065ff471c444ffe026bcdc2134c88d16
SHA1 aa6ffacb0db804f25dc1537a0a10bd5107bc1e32
SHA256 ae8f62e1fadb0c5c43756ad2c41d6ebdebc0bdb14f4e947b2142583d2ee544fe
SHA512 09bf4fd95c757b8586f351684cafc1a39914e3d8377d38b92e18802ab4422b4da2020aadbca0ec49e5c2aa0aed103142362b7e68dcf421c5f707e3b1e00f348b

C:\Windows\System\MTJxnJH.exe

MD5 1830477be1ffd84727037558535ea630
SHA1 4faadb4e222e062ba1ed1e121ae0d8d008977801
SHA256 72bd094ad9cfa69e45b6aee2a3e12d723688b47ab681d4369c659cbaab75f74b
SHA512 8d43193b355d05efdc6a63897c5e965d4093d9a05ebec0bd2b0c4026e59a695ceab658ea1478544792405c8e8c546003b57fa5bcfd92e55ff9ed92501a2180e2

C:\Windows\System\SmicNvk.exe

MD5 2fc40aed2432a24d5d0cf2e967cb740d
SHA1 9c195c05bf50569fd7f792096b8ae25abb8ce9b7
SHA256 d5a249d4063262f852db3b168c551db9efecadb328e3ee8509d422fb6fc2dbf8
SHA512 0be5f65b8f3dccb0747ed78a92c0cb7d6eceda0a2c1d5d1f4498606df6fec9bb160b44ceb1e981925ce4b8a4d1e535fa3c31d52487ca74a26f2d27837babbc87

C:\Windows\System\QvjVCbl.exe

MD5 13cba1e97417690f79ea0f7ac74a582c
SHA1 41ac0f876647fac78e20ac88501dafc860a734a6
SHA256 410f3ec0e9d04ee699d4cd6336b3097f8721ffdb4a0c34bc2bbc9a15ce7008a3
SHA512 15c5dff7f689f68ed8283d741baed4dc43f87c1fbc3cb1589334652cc23fed3866f1436ec1230354a7cef8543569ab2c66d2d996115542d7ed5d9f35679fb1b9

C:\Windows\System\rqewCzZ.exe

MD5 6c3e621ec6e4228e7f1994e2743a3c85
SHA1 7a97532bbc76cc25844bec695d4415d455728716
SHA256 3e93393d9cbf89f919a576632a8d43512679877f5e7a7dee883e16d9b86d6089
SHA512 3710213e69216af4e3c2903e354d38982d67b45ee69ad0be81535b0acf82b87cd50d730429de50e87cb0676540ab24e6d54090e9b57a3f784d1cad6d33f85281

C:\Windows\System\pwBOzQv.exe

MD5 04c371aca299b2c8dc64bee20cc050f9
SHA1 4957578b11fd55eb6ed5472267c9931303206b11
SHA256 c25d26e41792ae0b08b35d60c2e425169e4f409c53d4cc2f5220a6cac92c9a67
SHA512 778c09a309008d1a1845ad0a3a611384557d67c9764ecbcc6494b5d9be4c2f01c44fa4fbfc9faca4a5e68cd466a61e7a64c4c65e93d82ea155059277e3e80a97
