Malware Analysis Report

2025-08-11 08:12

Sample ID 241025-nwbbcsyemb
Target 2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat
SHA256 a9f13cd1daa00a11d71ce2d1f3fda74900bb4a5be35ebe6d6701df9b1b9308f5
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

a9f13cd1daa00a11d71ce2d1f3fda74900bb4a5be35ebe6d6701df9b1b9308f5

Threat Level: Known bad

The file 2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobalt Strike reflective loader

Cobaltstrike family

XMRig Miner payload

Xmrig family

Cobaltstrike

xmrig

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-10-25 11:44

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 11:44

Reported

2024-10-25 11:46

Platform

win7-20240729-en

Max time kernel

140s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\MTNncLS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DUAWMnY.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eQZKIax.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kkYbEBj.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BwVHBZe.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VJgereS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YEknpJW.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kiDzZgH.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gaXqTmE.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iavwKwo.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ejyMyzZ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EZXJVvS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SYWQBRn.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KXwICSN.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZPKODMY.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HEFGNtZ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eurnuFT.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uUfKaxS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PxVGxYw.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vbVwIAg.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LVtyELN.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2500 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eurnuFT.exe
PID 2500 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SYWQBRn.exe
PID 2500 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VJgereS.exe
PID 2500 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LVtyELN.exe
PID 2500 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YEknpJW.exe
PID 2500 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BwVHBZe.exe
PID 2500 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KXwICSN.exe
PID 2500 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MTNncLS.exe
PID 2500 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kiDzZgH.exe
PID 2500 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZPKODMY.exe
PID 2500 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uUfKaxS.exe
PID 2500 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DUAWMnY.exe
PID 2500 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PxVGxYw.exe
PID 2500 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gaXqTmE.exe
PID 2500 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eQZKIax.exe
PID 2500 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iavwKwo.exe
PID 2500 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vbVwIAg.exe
PID 2500 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ejyMyzZ.exe
PID 2500 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HEFGNtZ.exe
PID 2500 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kkYbEBj.exe
PID 2500 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EZXJVvS.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\eurnuFT.exe

C:\Windows\System\eurnuFT.exe

C:\Windows\System\SYWQBRn.exe

C:\Windows\System\SYWQBRn.exe

C:\Windows\System\VJgereS.exe

C:\Windows\System\VJgereS.exe

C:\Windows\System\LVtyELN.exe

C:\Windows\System\LVtyELN.exe

C:\Windows\System\YEknpJW.exe

C:\Windows\System\YEknpJW.exe

C:\Windows\System\BwVHBZe.exe

C:\Windows\System\BwVHBZe.exe

C:\Windows\System\KXwICSN.exe

C:\Windows\System\KXwICSN.exe

C:\Windows\System\MTNncLS.exe

C:\Windows\System\MTNncLS.exe

C:\Windows\System\kiDzZgH.exe

C:\Windows\System\kiDzZgH.exe

C:\Windows\System\ZPKODMY.exe

C:\Windows\System\ZPKODMY.exe

C:\Windows\System\uUfKaxS.exe

C:\Windows\System\uUfKaxS.exe

C:\Windows\System\DUAWMnY.exe

C:\Windows\System\DUAWMnY.exe

C:\Windows\System\PxVGxYw.exe

C:\Windows\System\PxVGxYw.exe

C:\Windows\System\gaXqTmE.exe

C:\Windows\System\gaXqTmE.exe

C:\Windows\System\eQZKIax.exe

C:\Windows\System\eQZKIax.exe

C:\Windows\System\iavwKwo.exe

C:\Windows\System\iavwKwo.exe

C:\Windows\System\vbVwIAg.exe

C:\Windows\System\vbVwIAg.exe

C:\Windows\System\ejyMyzZ.exe

C:\Windows\System\ejyMyzZ.exe

C:\Windows\System\HEFGNtZ.exe

C:\Windows\System\HEFGNtZ.exe

C:\Windows\System\kkYbEBj.exe

C:\Windows\System\kkYbEBj.exe

C:\Windows\System\EZXJVvS.exe

C:\Windows\System\EZXJVvS.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/2500-0-0x000000013F8E0000-0x000000013FC31000-memory.dmp

memory/2500-1-0x00000000001F0000-0x0000000000200000-memory.dmp

C:\Windows\system\eurnuFT.exe

MD5 f643097666526b3d61b7793f8f9da02d
SHA1 d6cb889a7b72b67794080ea45a6a1f443e5c0d89
SHA256 4c27cfe0ca64601d53c7a09091172c9948cafd4c8678411b82506e783b6bcca5
SHA512 f68ed12bf0ee001a5179c8a029bce9e7bb557978e984acfd79ed2841ae3b642cec5be8f6d1b6fae5ae8b523611f90900b8a1cc3d3fe5d128c5f2289b5ff6c4d6

memory/2500-10-0x00000000022F0000-0x0000000002641000-memory.dmp

C:\Windows\system\VJgereS.exe

MD5 20d3dedd0bf747a54657210f6624bf7b
SHA1 2f5c25be08fafebddcef6e68d17848cbdad6adf8
SHA256 d4b6025d4af5bd0db5f4b1d0efe4aaa114c5d07300363156d427b448b000e8d6
SHA512 2d91ae49305ef2515c0a4f4a34201ce754779b9129e95786a56692f507f6a51bc81dd8c593686bb8f637e7e76775a6964d759842fb42537d28e29cee4f8fed13

\Windows\system\SYWQBRn.exe

MD5 105ad6a10d96566a91a2abafe57a8157
SHA1 7986ae3a0fd924a7d4c535b4dd42e9fd5d3589ee
SHA256 c6333edc330e9fdb88e1a1fd51a2c74a67adbf753591c83c0a6f30eaba16a32a
SHA512 c1dee4cf0fbe22848e479e8afe10acf45e32e3ddaaa24972d72621a9fd0a60de2ae268e64a46b6683cc1414098ff35bd55ff3d6e42124d23368f254248f15c77

\Windows\system\LVtyELN.exe

MD5 c784c3cbfcc054ca886873b03673ad5d
SHA1 33dff63ef5b20e85d34c76b14adcd27a28da361c
SHA256 a3ef5a3f5ca28442d7c4b2e56ebc488f13c0e63d69fd44b08cf874b7cb831af5
SHA512 4842fcff23c884c462a92702fd850b6d04593754e0a50b4248c826e0eaaa6c69022f874eaeaa9d2e5cc474b1251c705dcc0f1383bcdcba6c26ca87ad73a4e742

memory/2500-26-0x000000013FDB0000-0x0000000140101000-memory.dmp

memory/2716-28-0x000000013FDB0000-0x0000000140101000-memory.dmp

memory/1884-22-0x000000013F6E0000-0x000000013FA31000-memory.dmp

memory/1612-18-0x000000013FDE0000-0x0000000140131000-memory.dmp

memory/1684-16-0x000000013FA00000-0x000000013FD51000-memory.dmp

memory/2500-15-0x00000000022F0000-0x0000000002641000-memory.dmp

C:\Windows\system\YEknpJW.exe

MD5 862be89aa680d0ced5ed539babff5b4d
SHA1 7a4b7cc368a09ef00351de664aa1ecaf24f166db
SHA256 248d5795fa121ebeccbd224341a3a6f115aa98da8f1178ba99c79cf6fd117df7
SHA512 3ebf6321af38569816d562e8088962b01648e61294b5a1802cc932b602cdeb3effe0e48208c7b06508e35ce41d845245d0bd948197143f6d80e3510efe8f167d

C:\Windows\system\BwVHBZe.exe

MD5 7c108317990d2a6ad777941a4e8fd056
SHA1 8715d3d2b419d187bb8d644e6a546bcdc26d9289
SHA256 f973a98eef79bbde49045c4151e418b3bd27c77a0cebb24ad7b6561956460e77
SHA512 58c950c22076020c843465133e9388029afe71f5b1b3ef4e2bc5d78648da39f9da15457e5c9dc8cbb2599d2375cb261fc3a0735b4a6d01a99b94ce3bfdc9511c

memory/2500-38-0x000000013FCE0000-0x0000000140031000-memory.dmp

\Windows\system\KXwICSN.exe

MD5 c4e75792d200018f81114cb0fdb2808f
SHA1 7d2006e73a5f9202458f69865ece4476c55b9e6c
SHA256 ee3619010819031f41e4b185d3a743c23119489f28bcbabc4c26de2d0d4f977c
SHA512 2522a120b411f9ecb8d9c91a3108a15bd69394404f9689cabc064f880339875ced98315dd296f646e53167c271c7db8e32e100bdf3063924524713af7f70e4fb

C:\Windows\system\MTNncLS.exe

MD5 352ab7a7c63cba482381dd8ceb0efc8e
SHA1 932d8277bc7a8a1937c9de4c45cc2db98cbad8aa
SHA256 c4f5c29fbc9bcc1e32aa318012e7cbaff51e963bd8d69211fbec84aad2ff5d79
SHA512 29de69fdf7e7ef9c4330b5c612d382d8d846524c10cb19feba50da906a9eb461b3e0943f9387cf6b51aad9eb1abb6de1bb28c472771aed1b6c31b669a4c363d4

C:\Windows\system\kiDzZgH.exe

MD5 4145f3c2d89991be684aa790d627ec3c
SHA1 14f1911850a03ef3e23536bc5b0df6c3222efa1f
SHA256 61c2896ce5c4efaa5608255d049bc0032396385003164cf8b45ddd3531b814b9
SHA512 4df6a6ebad4ed4b960a89672fef4c307e77f2dc1821a6104dfa8390f642763b718afd82bb25ac76ae57248a7d62868cedbac4719b3601116fe61b4ac40133449

C:\Windows\system\ZPKODMY.exe

MD5 63ba3bf55885790b3b3d94eee70a80c6
SHA1 8dd53a4fc20de32f406f227595764ccd0088e7f8
SHA256 9a9925dea58f95c693d7acc97ac70dd3e79fdd386518ccf1446bc023e24e0bc6
SHA512 0cdbba2784e279a226e814ffb078446112b268c3bc02c63b4f5f1be7d3f7e990342491e3cea207318c8700e94eeec39861e0d71ad1e3fca23eabaf34d0504ea2

C:\Windows\system\vbVwIAg.exe

MD5 06fab3b5755a755a293663b36428f5ae
SHA1 4bc37af8ff502533e6bb09ed1f0be7f29787cd39
SHA256 be02c671b0e12c5b407da04375806e64ef4409891106b0f1cd62e2b64e00a252
SHA512 38f5edc294bc5088906e3e4605af509e8aa3cbed6036508f654d117e77abfe9d38054116a6e9dfb568e55e6a5992ea2c04446a68c8103f5c7ed6ef705e0c642a

C:\Windows\system\HEFGNtZ.exe

MD5 5b5fbdce4e49a7e2b4d2068abe6b914d
SHA1 846b4370e791973980ea9ecb4ea2ddf23dda77a4
SHA256 d4cf82cf5635163df3904672c18a85956b023e8d328f295cf6be1a0c1a14e4d0
SHA512 72dd87956996510574fe53e5391630b95a8f18d20017b964c3da34c6c68ca2365dad7957c80269aa7d54fdf5f45f5352f0c3fc5a3ca2c7ff401a217064b0d6e0

\Windows\system\EZXJVvS.exe

MD5 a40a020ad368dbe3193de0300557f83f
SHA1 079fde7041e048504f134b68f84a4a95c0f5f611
SHA256 b4540c79b07cb9573c1b78d6882b964633dc39a69101d451140a5c58f4e7910a
SHA512 4dc44bb0ad4814342eda3eba8f97cb14a30958b8522e485e18d77fc969a5bd350f8fe6741d19e928926ddacffab95105b5e85b8e32834fa40bdc1a8d294ab609

C:\Windows\system\kkYbEBj.exe

MD5 af9de6cebf3020f315db5d7572f0ef0e
SHA1 a0f8438912683a047ef92b959350adba9a84de35
SHA256 dde80c1d8b0a14f383093155315a63b9d83eed2296fb2100b5926ce574e0f030
SHA512 6e7cb2d98d480136957aa8907b2d274a5d89b07b3089c9127d0b2470affc4b5dab46371322de215bcb2b3dc18c43ede500868b6de04386dd55711ffe9369916a

C:\Windows\system\ejyMyzZ.exe

MD5 a0e005e436d56420898a36de73e24966
SHA1 87f73522540a3fa8baed8defc2eacd65e6efe7bc
SHA256 50c12f91fd5f1c7158d2c446d3bac40abac86ebff5897d2d6c0cad9d8bf1d6ef
SHA512 cbaefaae7aed3a825d8517c94a6404a2c0dd8484313423292214b00d7bb41aaa286318be9dcce9725e1d0e7b096e57c5fdb0b5144ce831d288ab444b5db585d0

memory/2760-117-0x000000013FC30000-0x000000013FF81000-memory.dmp

memory/2764-123-0x000000013F340000-0x000000013F691000-memory.dmp

memory/2500-126-0x000000013F080000-0x000000013F3D1000-memory.dmp

memory/2500-128-0x000000013FCA0000-0x000000013FFF1000-memory.dmp

memory/888-130-0x000000013F9F0000-0x000000013FD41000-memory.dmp

memory/2732-129-0x000000013FCA0000-0x000000013FFF1000-memory.dmp

memory/1716-127-0x000000013F080000-0x000000013F3D1000-memory.dmp

memory/2836-125-0x000000013FF30000-0x0000000140281000-memory.dmp

memory/2500-124-0x000000013FF30000-0x0000000140281000-memory.dmp

memory/2500-122-0x000000013F340000-0x000000013F691000-memory.dmp

memory/2784-121-0x000000013FC20000-0x000000013FF71000-memory.dmp

memory/2500-120-0x00000000022F0000-0x0000000002641000-memory.dmp

memory/2864-119-0x000000013FD90000-0x00000001400E1000-memory.dmp

memory/2500-118-0x000000013FD90000-0x00000001400E1000-memory.dmp

memory/2216-116-0x000000013FCE0000-0x0000000140031000-memory.dmp

memory/2904-115-0x000000013F290000-0x000000013F5E1000-memory.dmp

memory/2500-131-0x000000013F8E0000-0x000000013FC31000-memory.dmp

C:\Windows\system\iavwKwo.exe

MD5 f125520a980f1700b6978cf8b809a305
SHA1 228c5e21307e36656cb3010d3e543eef55e60936
SHA256 f30295607308280f2c7b07fd4a57cfea728b23cee6c05389f3ce3b215277c356
SHA512 4ae4dcbf931fe3f5892f4ff09244d4b40aee136bf922e78b36cb6f345c815933efe7bd5c9ffe33bc294702c9e43a3353e8fe73d60cb01b6fdf69ee35ec77d0d1

C:\Windows\system\eQZKIax.exe

MD5 a633c7c1056b81af6f1952063867d3ad
SHA1 4faa9210b48c2f1e56375c7904492f56457f392d
SHA256 0c1ba497e19b3ceb52899348d703f11dc1845273e14f9afa25c0a16833cbb7fc
SHA512 56736bc02482a7c390ae9863b21306b00b6f85360eb7e368b04f307d6f508d26e1f787b8daea68c248ea30a37f4f1844c6a3f04791300eef5d8cc232296609db

C:\Windows\system\gaXqTmE.exe

MD5 e4384778f97cee6be2e62609d9d8ae05
SHA1 69d851a86fa3f649833ca1673b8837d1362ff8e6
SHA256 ee2c4ee7d8da75280014168b0c2448ccb5341bf25cb9278d037900ee8ab3da37
SHA512 679bd56d6c8e9ba908c6fe389de7508ef96f212187b9ac5195a7565b355f7b83c1910318e4aaeeb8621d3f06d1e154ed043972e2750a3113867a0cd8ee41b091

C:\Windows\system\PxVGxYw.exe

MD5 dc5112913e77adceae7b8610181306d4
SHA1 eeeec035c996f8b161afeddf0f1dee484b6036f8
SHA256 e6862a43534836efcaab449052a43de5192fbe6a3495694e9e46ad6b6a12ca4e
SHA512 38cf56a6091076b3de912ee0d3f2292013c56129bfa6c7a22a7c21d3c1f6388d6a86072201c1d7d711a0adfaad1013d6910d0b1110dbcec2996fcba076782f76

C:\Windows\system\DUAWMnY.exe

MD5 5fba68a0372033232d3a5dd67bac6fde
SHA1 717964c50edc434510beb8e30ca7eb36846a4b80
SHA256 0f6ff7d5754688ef83cc6b744f56fccd74de0544d5e7f8c56d424cbd7510d686
SHA512 4e67f37432bc3b9fa152c8b2059a1410f84b48ff39715044fb0c58d7db5058702744330cad49226878c229c6d73d80f7847c76cd729c220095d58805a63454de

C:\Windows\system\uUfKaxS.exe

MD5 03903582d9cf404d0e3911a89915091f
SHA1 f6a8e583a6d8b1aa64e352327b0fcb0fc29b7847
SHA256 ebbdd1f95bbce464f5c0c5e451fcbf1d1cb6727469d980a0b7591773d9b63b88
SHA512 e2bc635fcd420d6cfbad57b65a50cac54eb6f92c6103546254c77ea92c3d18e843bd286ed57d2766bfd16607426c9fca25121ecc07d0bc469a4726193703b8d1

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 11:44

Reported

2024-10-25 11:46

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\FXeidgD.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DUsvgvx.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kliznop.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\clpXIry.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hcAUOws.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xqjmWYR.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FYtfVUd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bFJetjc.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lLGfCfI.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zyJQFjR.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fsqoRzg.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\guudmYD.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TUuFGvR.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aNnvcJH.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IdQMgPl.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GNojxul.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kHnGXGw.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LUITuWs.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MOecgQT.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WlrdmpY.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nArzAfI.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4944 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kHnGXGw.exe
PID 4944 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zyJQFjR.exe
PID 4944 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fsqoRzg.exe
PID 4944 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LUITuWs.exe
PID 4944 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MOecgQT.exe
PID 4944 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FXeidgD.exe
PID 4944 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WlrdmpY.exe
PID 4944 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xqjmWYR.exe
PID 4944 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\guudmYD.exe
PID 4944 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FYtfVUd.exe
PID 4944 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nArzAfI.exe
PID 4944 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DUsvgvx.exe
PID 4944 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bFJetjc.exe
PID 4944 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kliznop.exe
PID 4944 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TUuFGvR.exe
PID 4944 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IdQMgPl.exe
PID 4944 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\clpXIry.exe
PID 4944 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hcAUOws.exe
PID 4944 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lLGfCfI.exe
PID 4944 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GNojxul.exe
PID 4944 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aNnvcJH.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\kHnGXGw.exe

C:\Windows\System\kHnGXGw.exe

C:\Windows\System\zyJQFjR.exe

C:\Windows\System\zyJQFjR.exe

C:\Windows\System\fsqoRzg.exe

C:\Windows\System\fsqoRzg.exe

C:\Windows\System\LUITuWs.exe

C:\Windows\System\LUITuWs.exe

C:\Windows\System\MOecgQT.exe

C:\Windows\System\MOecgQT.exe

C:\Windows\System\FXeidgD.exe

C:\Windows\System\FXeidgD.exe

C:\Windows\System\WlrdmpY.exe

C:\Windows\System\WlrdmpY.exe

C:\Windows\System\xqjmWYR.exe

C:\Windows\System\xqjmWYR.exe

C:\Windows\System\guudmYD.exe

C:\Windows\System\guudmYD.exe

C:\Windows\System\FYtfVUd.exe

C:\Windows\System\FYtfVUd.exe

C:\Windows\System\nArzAfI.exe

C:\Windows\System\nArzAfI.exe

C:\Windows\System\DUsvgvx.exe

C:\Windows\System\DUsvgvx.exe

C:\Windows\System\bFJetjc.exe

C:\Windows\System\bFJetjc.exe

C:\Windows\System\kliznop.exe

C:\Windows\System\kliznop.exe

C:\Windows\System\TUuFGvR.exe

C:\Windows\System\TUuFGvR.exe

C:\Windows\System\IdQMgPl.exe

C:\Windows\System\IdQMgPl.exe

C:\Windows\System\clpXIry.exe

C:\Windows\System\clpXIry.exe

C:\Windows\System\hcAUOws.exe

C:\Windows\System\hcAUOws.exe

C:\Windows\System\lLGfCfI.exe

C:\Windows\System\lLGfCfI.exe

C:\Windows\System\GNojxul.exe

C:\Windows\System\GNojxul.exe

C:\Windows\System\aNnvcJH.exe

C:\Windows\System\aNnvcJH.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\kHnGXGw.exe

MD5 e7d16f9a8a05bf96ef6eb43d779975a9
SHA1 7176efa9a9506da232d1b1854ee1facf12b154e1
SHA256 d6d8c6c75a3bed7e1bb5df2774d131b53a6feff1afc469d4c60641984069cc74
SHA512 98cdf57e822ddd917623ae82e2dcf53a9bb883ae6c526ff38c3a8905e05e12b7f7eef77ed6b39a4d8e479ec1fbb799d96f994f0e9b922eee2c5f66859ad9b008

C:\Windows\System\zyJQFjR.exe

MD5 d33a46878c6deaa4255661190d831125
SHA1 a6f0d4db0f4ba889c4a337844dfcb8736abe227d
SHA256 a3f00c4c5a7e3300384c705639d25b8bd4abdd136b9fb7c88d3b9b2b3c1413ee
SHA512 fd2924b7d66912a972d17ff341f6740abfdc8943346a6f8762539ec5781f120f3be9b94e9d83b4cf51d114149638fe9613fbd41c39ec03ab904e3504b5ce8948

C:\Windows\System\fsqoRzg.exe

MD5 88d4f75a5d506c5600036073c7705b4a
SHA1 47e86ab7f424bf219b35496f68cd4e4a8ad5aa61
SHA256 0507ee181a373f11b913abfbcaff06e7856869f9a839d09e1bd38f679762a1f4
SHA512 8939f6ff1bc3aea98825b7b267bf1eff81113e0ec1e3a1b5700c30c1cce4fc6323d41c90c8caec21ff0168e9ca9e0dacd79b62e36b851e0c33745c8dccf4d017

C:\Windows\System\MOecgQT.exe

MD5 e0593249f634e3955f2155286488077a
SHA1 f9751469dbb2a5593be958acd97bbebd995bd0be
SHA256 27e3181c0c5d67db2b19edddd0c707560b51ff4fbcedf7249d9767c00f94e636
SHA512 0213b7c6bc217edc7274206cb99d74feb00f302cd462910135276a75c58d2e41a4c3a00394b8cd840fec17da4e03ae22432e3eba9882d54d8b7a6a8bb1bc89af

C:\Windows\System\LUITuWs.exe

MD5 c2fc36a9db23ea0978ac726b62f8192e
SHA1 8ba77b3114d17115068a023b28d7b35763ddc3b1
SHA256 944f90b089578a8106158e1de707a9e91ea8d2d981702e9f524323c494daa502
SHA512 7f30b56d575811a01a7607a049256d0d600b359df8c5778b220564ed91e527ce1b335c864a642cd01124d4817d45787632b3bf6963762a3653b9f882fd25ceb8

C:\Windows\System\WlrdmpY.exe

MD5 f961c87fecdb9152a73891daca92e28f
SHA1 74d050cf5f3fe422afd3b0d4d1af835733a448f8
SHA256 6c92def8ed7e4a5821a5a6d9932692aa30d36571081582692829cfe4a9490dc2
SHA512 d4960034ea16e1998e6ec233934eb93c20c85dc763aff49d431dfa635452276d236439cae0d2499b52344222f7e5e6473d06029ed5c829c90087f6f77f7e69cc

C:\Windows\System\FXeidgD.exe

MD5 4bf793afc3e04b654cc428e016644963
SHA1 97b75fa97a8cc76d0e04adff890bf546e7e18896
SHA256 b2c141096f0141960a98e7af6bfe2d7d5d8b72e4a0f4fe18e76f217b4874ccb5
SHA512 6fbe452064bd424d4488a7e50e48e7524aa986d3ab768e2c96ce8dedbac30c2f398b5771cc67d81a518ef8ec0752fe17c173285e19677fe1edbe05319d19b64d

C:\Windows\System\FYtfVUd.exe

MD5 1b43a9b88ae8b364ed7a1234ebebb3ee
SHA1 86bb8b5e38fa2ca333f5da80b5a511e493a5fc85
SHA256 bcf39f4a1095e09a623a819b75d5dc331e99e9be0a02bec6860944e0fb296fd8
SHA512 38975aa61a336ada2e32471951c946a8c7888abd1810b2450ded089b58ef8edbbf7e0111cd29907454d9b2763d237e5b874de3f5266ba73abd57a50e84463929

C:\Windows\System\guudmYD.exe

MD5 1b1ea34a4aa8c6a28258b49cc28cda49
SHA1 8c61d60cbc56153a6cd90af199d4ddf7862ea8a7
SHA256 3b79f2c26613614e5d330ef1377aad673772e93c952a89380cdc2dd646551449
SHA512 8dcf884f564b86356b7497e0c77dfa3a31c8f9acfebad3ac2fde5b643a2971db9dca28fc86798ec43664f500c3710ef7657da7d10393e2b4124f4ffdc4447a62

C:\Windows\System\clpXIry.exe

MD5 703aa7e5c87549cbd5ffb47fda3045d4
SHA1 e49c720e11cf2d2e54da87c98cafd92daf4a3435
SHA256 de16d21357872e867139266a8c400b11e5a62711a77980b2c213919439bad0ce
SHA512 f2d6b43e90278530b5e9b194e54aebb86b77850e1bcf7a5c0baf31b96d128074b2169dbdc44a89e186b779e4e00f78e57d43425f03d53ee2ebc32a10ddb9a3b4

C:\Windows\System\aNnvcJH.exe

MD5 e9478fa5e44b8e44bd3900030b878c30
SHA1 dfcaf787d34ddda5c6fd9e4b15038f04c58fd8d6
SHA256 331dc2f04544c5330c7813c720890901b34ee223900593ab96468f3f23418b73
SHA512 a1bba36409cf18efe875f703df21d80a7d1610d553c526e4beb528accb8b04a408efb9db266b177214a3bd238df646cfc1b6afd5d5788a1e06e1b875fa7d3ae4

C:\Windows\System\GNojxul.exe

MD5 d565fcb8821455db31e8b78c8bc22d14
SHA1 4e9f50ca6d79eee16efb04312f778a8f096ce032
SHA256 5a400feaae7fed720609b1e8cbf75a845c7a8559f443f8cd14d8a2150ec38ff6
SHA512 1d86d5af6c462b835b965395bc9f57a2db03f46d98790070c3176da47bf72d8292889f503e00adc6040fe39b0faef078ed90d4683600d779a42cc82464c190bf

C:\Windows\System\lLGfCfI.exe

MD5 d915d8327df222365fb0f4323eca1932
SHA1 467537fed5980ddbb16645c4397a983c88ed3d58
SHA256 d27a2ea3abc708ea2c0a8e33ba24129b8aa7c4f8bf6638ea3f1213117e46eb98
SHA512 b770eecdb48065a21f0e847ffafb667c9a33e0e35f6dfaf353f0980f78f4a8cdb210adc3a83c5f70b15a196e3d802fb1fbd9f1c109210de15d85f61939935333

C:\Windows\System\hcAUOws.exe

MD5 54d1e4c391c4310ef5877f53c2ed4147
SHA1 c41ca2e2e1db09e29cd555041c8c6fb63d88dad6
SHA256 5145ac0230ac5ef70e069c960d356462743c7d645638872c18c1731532977b9d
SHA512 818a209c8cb670377a40da03ebc38fa08d82d9f966a41501833da41deaff9aeeef951cb2c8a496cd3b84eb813edce33e530ebb33da1ac6809b3385d2b779c594

C:\Windows\System\IdQMgPl.exe

MD5 d7fd38ac14bd146288e517b62c2af468
SHA1 1dff7b858f9a60b680be37f37293c185f4f7713c
SHA256 0aa38476efd525ed435e6dc20d20f827edb5a7314d754383d23e50a0debd2bfc
SHA512 f0f05e6164c517483cbe103b44a6358da94195fa6094dddac019406348ae255da1974029dba324ba42c90c3e99be7cddcb7d4cd11c4299cc62b16b1ee8042285

C:\Windows\System\DUsvgvx.exe

MD5 db1dcabcc46b096b7c0bf41c0b11621b
SHA1 9fe838ee8590fbb7b050d4da8d43756b0498046d
SHA256 6ef909208da4df854aea4dba292b24f427f92dc607133a094698f35bb114c005
SHA512 aa56162f1c0e318876aa0559a44a7f0554da4b56f01f7106dd50482e71448dd27eaf191a1fdc315fea0643162e5b061986daa391cd3b7ccfcfd2b2edc1b7089e

C:\Windows\System\bFJetjc.exe

MD5 e4810fd7256dfbf89fea97b94ad548ad
SHA1 f3badfe9d8629d60833007e6eca3bc2a1d6eef19
SHA256 b8953d567e91177ac50ca92d308cf88a46eb59fd629ac37470e412b2b40686f1
SHA512 4a38d229a8de4338baf3ea6521b7b319d07cd624ba1901f2326fc522af6dbd08428fc4f9600cd7ba68331d808c6f07afdfb16918f2f757da9436c2c8642c06ce

C:\Windows\System\kliznop.exe

MD5 367e21b07be9a369c2939a9fef7ffbc3
SHA1 32adb0f2fae1d63a9b625b7538e595696226e9ae
SHA256 027a2884461c15803178b01d290c975d91f876cd576dfd66f0ef6baa7c2362ac
SHA512 e67487137b69e36cc2eb1f72c0ae0416276ad8b2ec481db9632dbe9a90bbc943d3d1c43e96869717e89d0650c00101bb310346755badda998bddcb584f63bafe

C:\Windows\System\TUuFGvR.exe

MD5 b9c819155e5ebcb8bd2dd69ed0a077c0
SHA1 ddcf8cf7687c9e5ecfe5b7598f70906b82f9c84b
SHA256 fcb6843770b9572de55a8e433e6d1fa13540fea2d4d81fb5dd912a314385fe53
SHA512 2312cc73f8534f8e8012bb40b88e7998b6dd8482dec5e61a2a8bb78ccd6af481eee972d60302927358c575ffc403a2897fead1c56ad81fd7f3d015a7cdd0eac1

C:\Windows\System\nArzAfI.exe

MD5 f5b556fe4c61a164211e5598e4bf789d
SHA1 7269f1f6e44048ccae2c1702512a549d03638c5a
SHA256 0ace602c353d36e5e06af206f6d314c911171c2770a3d21b1531eaf64690b97f
SHA512 ef4cdf6e2b3fcd347f73ef99ba54e049182fdd12c81beb4592187c9b6e5657510727bd24e094b85174cfdbc6bb0babc258b2a485c14d04c8d2f031b8b9900184

C:\Windows\System\xqjmWYR.exe

MD5 f18ec446fed7b1fdbb997d7d08a6817a
SHA1 f0be1d74808ecb30be7bc42786bb320309ce447b
SHA256 0997bb93d743401af54e4a8826aa00550b830aebfb046939ec5951e5e5c7677d
SHA512 9d0bd9443f70c9e48356c2383f2980570fa4fdb1ccba6359ac4a633427bf7f7c870a4fafede9174691b850e1cd2298c8ce4b9e23f1abd1ff01fe26536532967d
