Malware Analysis Report

2025-08-11 08:13

Sample ID 241025-nx89sayepa
Target 2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat
SHA256 1d39195dc8ea0a8a7b208bef28611f846c5567c30f3cc5c3d07f3cb8c831d8c7
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1d39195dc8ea0a8a7b208bef28611f846c5567c30f3cc5c3d07f3cb8c831d8c7

Threat Level: Known bad

The file 2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobalt Strike reflective loader

Cobaltstrike

Xmrig family

XMRig Miner payload

Cobaltstrike family

xmrig

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-10-25 11:47

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 11:47

Reported

2024-10-25 11:50

Platform

win7-20240903-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\VucMpvt.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WoemvHc.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mbqKTCS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GIVBNwq.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\biliBRz.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GoXZYaF.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xHRrbtI.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HWAxHEq.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\remvhOe.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gNaudIF.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NvVNjWS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MMyhMyH.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\msesElz.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MUSwzFL.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MugCTnQ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CGrozRo.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\APtaoRi.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UVODvOj.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wBIBRIR.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xlbGofo.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tWhygbR.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2232 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UVODvOj.exe
PID 2232 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wBIBRIR.exe
PID 2232 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xlbGofo.exe
PID 2232 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xHRrbtI.exe
PID 2232 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\msesElz.exe
PID 2232 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HWAxHEq.exe
PID 2232 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MUSwzFL.exe
PID 2232 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VucMpvt.exe
PID 2232 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MugCTnQ.exe
PID 2232 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\remvhOe.exe
PID 2232 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CGrozRo.exe
PID 2232 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WoemvHc.exe
PID 2232 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gNaudIF.exe
PID 2232 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tWhygbR.exe
PID 2232 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mbqKTCS.exe
PID 2232 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\APtaoRi.exe
PID 2232 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GIVBNwq.exe
PID 2232 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NvVNjWS.exe
PID 2232 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\biliBRz.exe
PID 2232 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MMyhMyH.exe
PID 2232 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GoXZYaF.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\UVODvOj.exe

C:\Windows\System\UVODvOj.exe

C:\Windows\System\wBIBRIR.exe

C:\Windows\System\wBIBRIR.exe

C:\Windows\System\xlbGofo.exe

C:\Windows\System\xlbGofo.exe

C:\Windows\System\xHRrbtI.exe

C:\Windows\System\xHRrbtI.exe

C:\Windows\System\msesElz.exe

C:\Windows\System\msesElz.exe

C:\Windows\System\HWAxHEq.exe

C:\Windows\System\HWAxHEq.exe

C:\Windows\System\MUSwzFL.exe

C:\Windows\System\MUSwzFL.exe

C:\Windows\System\VucMpvt.exe

C:\Windows\System\VucMpvt.exe

C:\Windows\System\MugCTnQ.exe

C:\Windows\System\MugCTnQ.exe

C:\Windows\System\remvhOe.exe

C:\Windows\System\remvhOe.exe

C:\Windows\System\CGrozRo.exe

C:\Windows\System\CGrozRo.exe

C:\Windows\System\WoemvHc.exe

C:\Windows\System\WoemvHc.exe

C:\Windows\System\gNaudIF.exe

C:\Windows\System\gNaudIF.exe

C:\Windows\System\tWhygbR.exe

C:\Windows\System\tWhygbR.exe

C:\Windows\System\mbqKTCS.exe

C:\Windows\System\mbqKTCS.exe

C:\Windows\System\APtaoRi.exe

C:\Windows\System\APtaoRi.exe

C:\Windows\System\GIVBNwq.exe

C:\Windows\System\GIVBNwq.exe

C:\Windows\System\NvVNjWS.exe

C:\Windows\System\NvVNjWS.exe

C:\Windows\System\biliBRz.exe

C:\Windows\System\biliBRz.exe

C:\Windows\System\MMyhMyH.exe

C:\Windows\System\MMyhMyH.exe

C:\Windows\System\GoXZYaF.exe

C:\Windows\System\GoXZYaF.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2232-172-0x000000013FC70000-0x000000013FFC1000-memory.dmp

memory/1936-171-0x000000013F230000-0x000000013F581000-memory.dmp

memory/592-170-0x000000013FCF0000-0x0000000140041000-memory.dmp

memory/1760-169-0x000000013F1F0000-0x000000013F541000-memory.dmp

memory/2640-167-0x000000013FC70000-0x000000013FFC1000-memory.dmp

memory/2848-168-0x000000013F470000-0x000000013F7C1000-memory.dmp

memory/2032-173-0x000000013F6E0000-0x000000013FA31000-memory.dmp

memory/2188-174-0x000000013F560000-0x000000013F8B1000-memory.dmp

memory/2232-175-0x000000013F160000-0x000000013F4B1000-memory.dmp

memory/2796-226-0x000000013FCB0000-0x0000000140001000-memory.dmp

memory/2656-228-0x000000013F990000-0x000000013FCE1000-memory.dmp

memory/2744-236-0x000000013FEA0000-0x00000001401F1000-memory.dmp

memory/2824-240-0x000000013F320000-0x000000013F671000-memory.dmp

memory/2664-242-0x000000013FA90000-0x000000013FDE1000-memory.dmp

memory/2684-244-0x000000013F9D0000-0x000000013FD21000-memory.dmp

memory/1856-246-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

memory/2872-248-0x000000013F710000-0x000000013FA61000-memory.dmp

memory/2892-250-0x000000013F5F0000-0x000000013F941000-memory.dmp

memory/3004-252-0x000000013FE50000-0x00000001401A1000-memory.dmp

memory/2216-254-0x000000013F0D0000-0x000000013F421000-memory.dmp

memory/2356-256-0x000000013F550000-0x000000013F8A1000-memory.dmp

memory/620-258-0x000000013F4E0000-0x000000013F831000-memory.dmp

memory/1744-265-0x000000013F030000-0x000000013F381000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 11:47

Reported

2024-10-25 11:50

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows: the rule fired 21 times, but the report records no description, indicator, process or target for any of them)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (45 identical rows: the rule fired 45 times, but the report records no description, indicator, process or target for any of them)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows: the rule fired 64 times, but the report records no description, indicator, process or target for any of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\wBIBRIR.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VucMpvt.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CGrozRo.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WoemvHc.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GIVBNwq.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\biliBRz.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UVODvOj.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xlbGofo.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\msesElz.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mbqKTCS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MMyhMyH.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GoXZYaF.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xHRrbtI.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HWAxHEq.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MUSwzFL.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MugCTnQ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gNaudIF.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NvVNjWS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\remvhOe.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tWhygbR.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\APtaoRi.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4364 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UVODvOj.exe
PID 4364 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UVODvOj.exe
PID 4364 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wBIBRIR.exe
PID 4364 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wBIBRIR.exe
PID 4364 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xlbGofo.exe
PID 4364 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xlbGofo.exe
PID 4364 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xHRrbtI.exe
PID 4364 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xHRrbtI.exe
PID 4364 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\msesElz.exe
PID 4364 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\msesElz.exe
PID 4364 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HWAxHEq.exe
PID 4364 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HWAxHEq.exe
PID 4364 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MUSwzFL.exe
PID 4364 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MUSwzFL.exe
PID 4364 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VucMpvt.exe
PID 4364 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VucMpvt.exe
PID 4364 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MugCTnQ.exe
PID 4364 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MugCTnQ.exe
PID 4364 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\remvhOe.exe
PID 4364 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\remvhOe.exe
PID 4364 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CGrozRo.exe
PID 4364 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CGrozRo.exe
PID 4364 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WoemvHc.exe
PID 4364 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WoemvHc.exe
PID 4364 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gNaudIF.exe
PID 4364 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gNaudIF.exe
PID 4364 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tWhygbR.exe
PID 4364 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tWhygbR.exe
PID 4364 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mbqKTCS.exe
PID 4364 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mbqKTCS.exe
PID 4364 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\APtaoRi.exe
PID 4364 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\APtaoRi.exe
PID 4364 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GIVBNwq.exe
PID 4364 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GIVBNwq.exe
PID 4364 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NvVNjWS.exe
PID 4364 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NvVNjWS.exe
PID 4364 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\biliBRz.exe
PID 4364 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\biliBRz.exe
PID 4364 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MMyhMyH.exe
PID 4364 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MMyhMyH.exe
PID 4364 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GoXZYaF.exe
PID 4364 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GoXZYaF.exe
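
The two tables above describe one chain: the sample (PID 4364, running from the user's Temp directory) writes twenty seven-letter executables into C:\Windows\System, launches each one as its own child, and is logged writing into each child exactly twice. Two writes into a freshly created child is what ordinary process creation looks like when WriteProcessMemory is hooked, so that signature on its own is weak evidence of injection; the stronger signal is the drop location (C:\Windows\System, the legacy directory, not System32) combined with drop-then-execute by the same parent. The detection logic below is an added example written for this page, not code from the sandbox or the report; EVENTS is a hand-built subset of the table rows in report order, and the event schema (kind, pid, ppid, image, path, target_pid) is this example's own, not a real EDR format.

```python
"""Hunting logic for the drop-then-execute chain shown in the two tables above.

Added example, not part of the sandbox report. EVENTS is built by hand from
the report's "Drops file in Windows directory" and "Suspicious use of
WriteProcessMemory" rows (a subset, in report order); the event schema
(kind, pid, ppid, image, path, target_pid) is this example's own.
"""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27"
          r"_cobalt-strike_cobaltstrike_poet-rat.exe")

# Dropped name -> PID the report assigns to its process (from the tables above).
DROPPED = {"UVODvOj.exe": 5000, "wBIBRIR.exe": 4360, "xlbGofo.exe": 3420,
           "xHRrbtI.exe": 768, "msesElz.exe": 3924}

EVENTS = []
for name, child_pid in DROPPED.items():
    path = r"C:\Windows\System" + "\\" + name
    EVENTS.append({"kind": "file_create", "pid": 4364, "image": SAMPLE, "path": path})
    EVENTS.append({"kind": "process_create", "pid": child_pid, "ppid": 4364, "image": path})
    for _ in range(2):  # the report logs exactly two writes per child
        EVENTS.append({"kind": "process_write", "pid": 4364, "target_pid": child_pid})
# Constructed control event: a write into a process the sample did not spawn.
EVENTS.append({"kind": "process_write", "pid": 4364, "target_pid": 9999})

# The legacy C:\Windows\System directory plus the seven-letter names the sample uses.
DROP_DIR = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$", re.I)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)


def find_drop_and_execute(events):
    """Return (path, dropper_pid, child_pid) for every file that was written
    by one process and later executed as that same process's child."""
    created_by = {}  # lower-cased path -> pid of the process that wrote it
    hits = []
    for ev in events:
        if ev["kind"] == "file_create":
            created_by[ev["path"].lower()] = ev["pid"]
        elif ev["kind"] == "process_create":
            creator = created_by.get(ev["image"].lower())
            if creator is not None and creator == ev["ppid"]:
                hits.append((ev["image"], creator, ev["pid"]))
    return hits


def find_suspicious_drop_locations(events):
    """Executables written into the legacy Windows System directory by a
    process whose own image lives in the user's Temp directory."""
    return [ev["path"] for ev in events
            if ev["kind"] == "file_create"
            and DROP_DIR.match(ev["path"])
            and TEMP_DIR.search(ev["image"])]


def writes_to_foreign_processes(events):
    """Cross-process writes whose target is NOT a child the writer created.
    Writes into one's own freshly spawned child are what process creation
    produces when WriteProcessMemory is hooked, so they are discounted;
    anything left is worth a closer look."""
    children = defaultdict(set)
    for ev in events:
        if ev["kind"] == "process_create":
            children[ev["ppid"]].add(ev["pid"])
    return [(ev["pid"], ev["target_pid"]) for ev in events
            if ev["kind"] == "process_write"
            and ev["target_pid"] not in children[ev["pid"]]]


if __name__ == "__main__":
    for path, parent, child in find_drop_and_execute(EVENTS):
        print(f"drop-then-execute: {parent} wrote {path} and spawned it as PID {child}")
    print("suspicious drop locations:", len(find_suspicious_drop_locations(EVENTS)))
    print("writes into processes the writer did not create:", writes_to_foreign_processes(EVENTS))
```

Run against the constructed stream, all five dropped files are reported as drop-then-execute hits and all five land in the suspicious location; the ten parent-to-child writes are discounted and only the constructed control write (to PID 9999) remains. On real telemetry the same three checks map onto file-create, process-create and cross-process-access events from whatever sensor is in use.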

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\UVODvOj.exe

C:\Windows\System\UVODvOj.exe

C:\Windows\System\wBIBRIR.exe

C:\Windows\System\wBIBRIR.exe

C:\Windows\System\xlbGofo.exe

C:\Windows\System\xlbGofo.exe

C:\Windows\System\xHRrbtI.exe

C:\Windows\System\xHRrbtI.exe

C:\Windows\System\msesElz.exe

C:\Windows\System\msesElz.exe

C:\Windows\System\HWAxHEq.exe

C:\Windows\System\HWAxHEq.exe

C:\Windows\System\MUSwzFL.exe

C:\Windows\System\MUSwzFL.exe

C:\Windows\System\VucMpvt.exe

C:\Windows\System\VucMpvt.exe

C:\Windows\System\MugCTnQ.exe

C:\Windows\System\MugCTnQ.exe

C:\Windows\System\remvhOe.exe

C:\Windows\System\remvhOe.exe

C:\Windows\System\CGrozRo.exe

C:\Windows\System\CGrozRo.exe

C:\Windows\System\WoemvHc.exe

C:\Windows\System\WoemvHc.exe

C:\Windows\System\gNaudIF.exe

C:\Windows\System\gNaudIF.exe

C:\Windows\System\tWhygbR.exe

C:\Windows\System\tWhygbR.exe

C:\Windows\System\mbqKTCS.exe

C:\Windows\System\mbqKTCS.exe

C:\Windows\System\APtaoRi.exe

C:\Windows\System\APtaoRi.exe

C:\Windows\System\GIVBNwq.exe

C:\Windows\System\GIVBNwq.exe

C:\Windows\System\NvVNjWS.exe

C:\Windows\System\NvVNjWS.exe

C:\Windows\System\biliBRz.exe

C:\Windows\System\biliBRz.exe

C:\Windows\System\MMyhMyH.exe

C:\Windows\System\MMyhMyH.exe

C:\Windows\System\GoXZYaF.exe

C:\Windows\System\GoXZYaF.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
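
Reading the table above: the Domain column is blank for the six TCP connections to 3.120.209.58:8080, and no DNS query for that host appears in the capture, so it is the one destination the report does not explain; the report also does not say which process opened those connections. The in-addr.arpa reverse lookups and the tse1.mm.bing.net traffic are, in the editor's judgement, the kind of background traffic a Windows 10 VM generates on its own. The triage code below is an added example, not part of the report; ROWS is a constructed copy of the 25 table rows and the class labels are this example's own.

```python
"""Triage of the Network table above: split DNS noise from direct
connections that carry no domain.

Added example, not part of the sandbox report. ROWS is a constructed copy
of the table's rows; the class labels are this example's own.
"""
from collections import Counter

ROWS = """
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""


def parse_rows(text):
    """Return (country, host, port, domain, proto) tuples; domain is "" when
    the report's Domain column is blank."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 3:  # Country Destination Proto, no Domain
            country, dest, proto = parts
            domain = ""
        else:
            country, dest, domain, proto = parts
        host, port = dest.rsplit(":", 1)
        rows.append((country, host, int(port), domain, proto))
    return rows


def classify(row):
    """reverse_lookup / dns_query for port 53, otherwise named or unnamed."""
    _country, _host, port, domain, _proto = row
    if port == 53:
        return "reverse_lookup" if domain.endswith(".in-addr.arpa") else "dns_query"
    return "named_connection" if domain else "unnamed_connection"


def summarize(rows):
    """Row count per class."""
    return Counter(classify(r) for r in rows)


def unnamed_connections(rows):
    """(host, port, proto) -> hit count for connections with no domain at all;
    these are the destinations to pivot on first."""
    return Counter((r[1], r[2], r[4]) for r in rows
                   if classify(r) == "unnamed_connection")


if __name__ == "__main__":
    rows = parse_rows(ROWS)
    print(dict(summarize(rows)))
    for (host, port, proto), n in unnamed_connections(rows).items():
        print(f"unnamed: {host}:{port}/{proto} x{n}")
```

The summary for this table is 13 reverse lookups, 1 forward query, 5 named connections and 6 unnamed ones, and the unnamed set collapses to a single destination, 3.120.209.58:8080/tcp. Whether that host is the beacon's C2 or the miner's pool cannot be decided from this table; it needs the payload configuration or the packet capture.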

Files

memory/4364-0-0x00007FF75A280000-0x00007FF75A5D1000-memory.dmp

memory/4364-1-0x0000014E454B0000-0x0000014E454C0000-memory.dmp

C:\Windows\System\UVODvOj.exe

MD5 1068ac6f349c89725d9cac9191966ecb
SHA1 a760ca0a9f17329e4762308ba078dfe2a65bb024
SHA256 50d5991a5f8f329815a1ae26d4a80ff0c91be7aabd147125d5cbbe353ddc484f
SHA512 4fa60087e26bb9e5c3061c12e1812be05bed3a421d13c10efe0c2ebba69c291af8fe689805d505ceed76330261956a142b47a291e2bc04c21d97551a2040ea4a

memory/5000-6-0x00007FF6D0820000-0x00007FF6D0B71000-memory.dmp

C:\Windows\System\xlbGofo.exe

MD5 ad9649c76d080a576134ade9feef6822
SHA1 cf4968c6fc89ec7bffa30c4db53d43fabcfa2c64
SHA256 de94ad74f623801d5a7dd11b245885edeb2e7f76073402d43760f32c3266d63b
SHA512 93946e8b643b9251a9aaed3ebb25ab1ce2ed06517991faa2af4c06104794ff0f731157c5d315071ae00336d52b9a07e4d0ad7851db54799ae141b2974d7afde9

memory/4360-12-0x00007FF7BF4D0000-0x00007FF7BF821000-memory.dmp

C:\Windows\System\wBIBRIR.exe

MD5 4c1e9a2236a5af650b21649c6ad8becf
SHA1 3fc80cde0d77ce733f6e8df0e6d2079d639abc72
SHA256 7ebb8c057b3058750293e29c009a4756fdc18f55edb85c11c43a060d3dc9f174
SHA512 36ab3e99d745879daa5d654ee7c1d4bf523a08b9651f8e6eca4afb4a0849e4f5c339e0a934f9f5f1e795c14dba61c495c788036795c84f6b77812c9794b3e9f0

C:\Windows\System\msesElz.exe

MD5 2bae1da1ed3745ac0311f22ffa128cbb
SHA1 c2db1f615bd253fc4a5c9fe62a0fd38a968cb4ce
SHA256 de32e68111d625d409a82851175821aa1dcff2eb4061154489fb8acca7675d79
SHA512 e3366870d0cc371b8b1bdf7effd8d832d398ebd4e9bfba2361f803761656b42684b844d0afe6a07e099d8eb6d509f1d31e1592f602e306ec3f682a2751ed8d6c

C:\Windows\System\VucMpvt.exe

MD5 582cfb94956ee8cfc6de6339b06f4447
SHA1 f10c24ff2c0c4678592e7b9b2ff16c7d8f5a3a09
SHA256 a1f3bb5c6a16bad0e3f2d4caa24a0286f047b0a66abd456f24e993da4ea5a95a
SHA512 9e52eea21acf0e99fef54a069fc96b954f0291c14daa6bd5deecc6333ed26216cbd82d6e0bbcee12029fde17de0306e7b4e0f3c5b5c49ce595b7eee0aae7fe80

C:\Windows\System\MugCTnQ.exe

MD5 af02cbaef61d08b1b6eea6fe1f83b2ae
SHA1 071f78c9213f88c9e28d33afb2d947db2f9afa35
SHA256 16c4a89eaaf2331351c4853aebda6e3c8343dceab58571cdd10e53b919419dd1
SHA512 ef44d8cb23cf04ab9a27d52b92739d9fec9b22a88c7dca303ec36b0c6707841efa2e2fd640f502d2f79054105098967692ea7ca27517427990634070864bb5a2

C:\Windows\System\CGrozRo.exe

MD5 887498d539056a496ebab188f5138ef8
SHA1 0e201c20a98a552f88a80af5167b650ae31554a5
SHA256 ae2411d5de74b12a64ead0ba00739b3f9be02587ef312e2a1386b774c6f9d9a8
SHA512 c07bde08f0a6916ffc35950812a51103dcb052017106f4d46f33836d035198cfa708f5198cad8caec5c46f333f173fce1b45bd14ef6ed7fc0427e701a865b009

C:\Windows\System\remvhOe.exe

MD5 dd12975eae881464253af4e31f868905
SHA1 d857c59b60846cb761173d36812192225e2df4a0
SHA256 7d8389e383b327f4cae54dd9067144a0144f2e48b47876c54bfb00aa61b9b444
SHA512 0d97b374d5732601cc00af72dc49c0331ec245055860d276b92a1a4df032ed1676d9e661b044cb825106040fdeb0e3ebffcd7ac22bbc913b9733ef09499aa3d0

C:\Windows\System\WoemvHc.exe

MD5 0f239a47768b2157d10c0da4b1e5398e
SHA1 739ad2bc729e5e0cb4a922080afe254bf9e27e59
SHA256 a13e8fba8784d21fa5be4e6e7f1059e3e110686c44905a9bd77efdeff7261969
SHA512 ff44d9734de3c430d2f29880ffcf115aabee8db297f4becff7a42d9e03334f5b83ced28c624482ba4fe299820ff6464dc9de6870fc087210162ac1667f757888

memory/1772-89-0x00007FF77F650000-0x00007FF77F9A1000-memory.dmp

memory/1812-101-0x00007FF7320D0000-0x00007FF732421000-memory.dmp

C:\Windows\System\GIVBNwq.exe

MD5 4c2627985bc9d161e5539cf6ec9426e9
SHA1 97192b4411cf9d09eba3c8612ed11b7420b7563f
SHA256 7b405f3df79f2e4b9876706146f0dbbb17d9f457d2afbcb24f20d463b40df228
SHA512 7342af3204aa3f61fadc8e0e5ab276dc4818eaaa08dbf19ebaa71d2666ec2b66ac9221c55a819757d9ded7a12262b3cdb0b8f9b675f4264daf5f5876c9cc9b8d

memory/3924-116-0x00007FF732090000-0x00007FF7323E1000-memory.dmp

C:\Windows\System\NvVNjWS.exe

MD5 d5d8d408f28e05269b70747da70e73fa
SHA1 4d599d74170b0a21dff567be1eb2ee62b4124de2
SHA256 4a92b8ff02fd4a5222f78f75e6007e82f44d3d1a11dba7c7864ef6f17ad10e42
SHA512 b631424878d9592192f87aff18b7dfd8200bf0b3a90f644ad74e0312300e945e38acb24db8b9ed8771eb30738eda3e2d0a8be1bfab6528388592808574985c21

memory/3996-131-0x00007FF6050C0000-0x00007FF605411000-memory.dmp

C:\Windows\System\GoXZYaF.exe

MD5 796fc14ce45eff131d65e6f0b79599b4
SHA1 108a22166bc3158bc20bcfbce4d37bc4084f8157
SHA256 cb30abf259426c84d84ddd559c30dc2fb54599f4d048d9377460f5cfee4a3f84
SHA512 c45fd219ad1fa0023e74556107749ea5770dd86e6203aed2f7eb58126d73ddb34c1afd95ad08593d265a30519661e16561ec7590527f2e81042409e14146bd7c

C:\Windows\System\MMyhMyH.exe

MD5 b563766f414133cf524bfdb27be28f8d
SHA1 ab54986c1955e038f6bc0cf323d5af9354686953
SHA256 bbd0f7450f94159eb1156a85323d55e5715769aff2a7e37e364b2702665969d3
SHA512 d4b2cf6e87d855a022ac206ee1acdb75394d33a7d5de36a97f43692dd042d945df5985ceebc3bd13bbe3737498804704e7e52290cecc5268788c22cb60afe937

memory/3960-136-0x00007FF6559C0000-0x00007FF655D11000-memory.dmp

memory/2324-135-0x00007FF78F3A0000-0x00007FF78F6F1000-memory.dmp

memory/2668-134-0x00007FF658B10000-0x00007FF658E61000-memory.dmp

memory/5060-133-0x00007FF7BCBD0000-0x00007FF7BCF21000-memory.dmp

memory/5104-130-0x00007FF7492A0000-0x00007FF7495F1000-memory.dmp

C:\Windows\System\biliBRz.exe

MD5 2282581c45738e3359a8e9f738b552c9
SHA1 f102b190efdbec1258c03d4a55d29378ee95b088
SHA256 0765af7b03ef7debb80feb690dbcd13dee62c81aae61bbff3a8178bc906b5f74
SHA512 1a7e5602399f0e9d58728528186e2c524dce73fba3b7d2cf3bc8b9eaacc3f5863866d7e8ecde54375e44def97fb2e2d091af0a984e66b13459e2c8b255ba28fa

memory/3532-125-0x00007FF718020000-0x00007FF718371000-memory.dmp

memory/4416-120-0x00007FF6DCC30000-0x00007FF6DCF81000-memory.dmp

memory/1300-119-0x00007FF656310000-0x00007FF656661000-memory.dmp

memory/3932-117-0x00007FF704440000-0x00007FF704791000-memory.dmp

memory/3584-110-0x00007FF7A02F0000-0x00007FF7A0641000-memory.dmp

memory/3952-109-0x00007FF730F00000-0x00007FF731251000-memory.dmp

C:\Windows\System\APtaoRi.exe

MD5 878b014b824b60ddeb4324a7cc7fa450
SHA1 52115c4a424097175fd47f3355df93d2938f5a59
SHA256 4e27bc4cb80a9a28576d7ae7b981dbadcaacdad9fd2db24ef586d42514f0b588
SHA512 95bae29a24c241ebe711bb29bf0bf15287af7d68770a92546072ffa21952f94351fda523337eb074c700ff06b6fd09980e6603a45a7cf66b9a19c79865e7ce2b

memory/768-100-0x00007FF72FC40000-0x00007FF72FF91000-memory.dmp

C:\Windows\System\mbqKTCS.exe

MD5 982d30082ff9fde2795fde691619aaf5
SHA1 5e354f05ebd05118951774ac67564d07ce9e61a6
SHA256 dec76b742dd5f32c3c15d5bfa9f3410f5fb8716dbf127bf3adbfb73debde20d9
SHA512 4b2c5d2e75ee9b441254c2c8b6ef0026c9e7026eba9d8fd9c1dedf7627546e8c3a893e948c277bf8d4541528294ad5cc8c1f6e465db728cfd6c04a036368aa67

memory/2336-94-0x00007FF777040000-0x00007FF777391000-memory.dmp

memory/3420-93-0x00007FF6216F0000-0x00007FF621A41000-memory.dmp

C:\Windows\System\tWhygbR.exe

MD5 0b9ddf121bc98e70e56280961075fa7d
SHA1 25bab8152299b38d10b01be5f7384bc50e6f9ef1
SHA256 c4e10886b599e885e1a0dc788d69d58fdc2da8123a35ab8e0ecf3c10c01ea8dd
SHA512 cede29bcf66fbb7b8a743b4d647e7dd8008ed5ccad4b7eb873df99d249787a2f31c035178f56cd26ee29a6af3635ca582034f6941257a68b5627348844c75944

memory/4360-90-0x00007FF7BF4D0000-0x00007FF7BF821000-memory.dmp

C:\Windows\System\gNaudIF.exe

MD5 1984fec2f8ca74e863c6865cc8fea283
SHA1 badfa53fdcbc48df4e685597b3d196ab5a1a47f5
SHA256 9688b12b5cb72c1f6dcafc1e9deb38775e410597a31ffe59b114e6ea23f2c40d
SHA512 e2a63c54b97c13642992236f4702145b769c3b1c6347f9178f291f87c6d3374d6761884476c54eefbe2eafac2d8cad68ccf623db55c2a9e0164c5f8c4df77c0a

memory/5000-85-0x00007FF6D0820000-0x00007FF6D0B71000-memory.dmp

memory/5040-84-0x00007FF6AEC30000-0x00007FF6AEF81000-memory.dmp

memory/4364-77-0x00007FF75A280000-0x00007FF75A5D1000-memory.dmp

memory/2324-76-0x00007FF78F3A0000-0x00007FF78F6F1000-memory.dmp

memory/2668-69-0x00007FF658B10000-0x00007FF658E61000-memory.dmp

memory/3996-65-0x00007FF6050C0000-0x00007FF605411000-memory.dmp

memory/5104-56-0x00007FF7492A0000-0x00007FF7495F1000-memory.dmp

memory/3932-55-0x00007FF704440000-0x00007FF704791000-memory.dmp

memory/4416-49-0x00007FF6DCC30000-0x00007FF6DCF81000-memory.dmp

C:\Windows\System\MUSwzFL.exe

MD5 63fd3e7ec12bacee686a6991c33bb8dc
SHA1 b4652bd73932b79dc87058924f9f2bc892a6d24b
SHA256 bba4d8de7eead872a81cbc823f4f53d506d342f3853b9e504ab60b1cd61efd7b
SHA512 ff1b4bc20d62a55dac91134b4548443383c98d620579ffea872c6284c0d3b0f136c645e5377d1d3f3d75d2150335eff3a16e9d5fbaf1963f25d9d718f514ca29

C:\Windows\System\HWAxHEq.exe

MD5 413693583d20bb1a1337899999aba1de
SHA1 61587c2a1d2d50ef95402db45ed4e0df6a34d6ff
SHA256 23c5469da711472196bfe723eccc7df425c9ba4a263264bcb470d63591b2dd78
SHA512 e0585e273f6802626f54b136d7456b5c6be3eb74ee8ab463da8b6435419d08029d53b821d83574800ff6a663956ddf9dd420830172313c374bea26d50d7d040e

memory/3924-37-0x00007FF732090000-0x00007FF7323E1000-memory.dmp

memory/3952-35-0x00007FF730F00000-0x00007FF731251000-memory.dmp

memory/768-34-0x00007FF72FC40000-0x00007FF72FF91000-memory.dmp

C:\Windows\System\xHRrbtI.exe

MD5 b1c5abff5df0b3d7d4f48a4df1086af9
SHA1 7f78b2696f80ddfd4aa4541cd1eb9e76c4e3fcfc
SHA256 4624cdb775d64c23562b7191296d5ab74b6dc40eee7b1c48102ee034a2b09962
SHA512 a779cfbeb7f2bb37b320f63631c15d9ea26c7fe1a63e272d83f2adadc93a330699083a47cd3d6db29698d8cf7436909f395ae51351495e453266b142d1052673

memory/3420-24-0x00007FF6216F0000-0x00007FF621A41000-memory.dmp

memory/1812-157-0x00007FF7320D0000-0x00007FF732421000-memory.dmp

memory/1772-155-0x00007FF77F650000-0x00007FF77F9A1000-memory.dmp

memory/3584-158-0x00007FF7A02F0000-0x00007FF7A0641000-memory.dmp

memory/3960-162-0x00007FF6559C0000-0x00007FF655D11000-memory.dmp

memory/3532-160-0x00007FF718020000-0x00007FF718371000-memory.dmp

memory/5060-161-0x00007FF7BCBD0000-0x00007FF7BCF21000-memory.dmp

memory/1300-159-0x00007FF656310000-0x00007FF656661000-memory.dmp

memory/2336-156-0x00007FF777040000-0x00007FF777391000-memory.dmp

memory/5040-154-0x00007FF6AEC30000-0x00007FF6AEF81000-memory.dmp

memory/4364-141-0x00007FF75A280000-0x00007FF75A5D1000-memory.dmp

memory/4364-163-0x00007FF75A280000-0x00007FF75A5D1000-memory.dmp

memory/5000-215-0x00007FF6D0820000-0x00007FF6D0B71000-memory.dmp

memory/4360-217-0x00007FF7BF4D0000-0x00007FF7BF821000-memory.dmp

memory/3420-228-0x00007FF6216F0000-0x00007FF621A41000-memory.dmp

memory/768-230-0x00007FF72FC40000-0x00007FF72FF91000-memory.dmp

memory/3924-232-0x00007FF732090000-0x00007FF7323E1000-memory.dmp

memory/3952-238-0x00007FF730F00000-0x00007FF731251000-memory.dmp

memory/4416-240-0x00007FF6DCC30000-0x00007FF6DCF81000-memory.dmp

memory/5104-235-0x00007FF7492A0000-0x00007FF7495F1000-memory.dmp

memory/3932-237-0x00007FF704440000-0x00007FF704791000-memory.dmp

memory/3996-242-0x00007FF6050C0000-0x00007FF605411000-memory.dmp

memory/2668-246-0x00007FF658B10000-0x00007FF658E61000-memory.dmp

memory/2324-245-0x00007FF78F3A0000-0x00007FF78F6F1000-memory.dmp

memory/1772-249-0x00007FF77F650000-0x00007FF77F9A1000-memory.dmp

memory/5040-250-0x00007FF6AEC30000-0x00007FF6AEF81000-memory.dmp

memory/2336-258-0x00007FF777040000-0x00007FF777391000-memory.dmp

memory/1812-260-0x00007FF7320D0000-0x00007FF732421000-memory.dmp

memory/3584-262-0x00007FF7A02F0000-0x00007FF7A0641000-memory.dmp

memory/1300-264-0x00007FF656310000-0x00007FF656661000-memory.dmp

memory/3532-270-0x00007FF718020000-0x00007FF718371000-memory.dmp

memory/3960-269-0x00007FF6559C0000-0x00007FF655D11000-memory.dmp

memory/5060-268-0x00007FF7BCBD0000-0x00007FF7BCF21000-memory.dmp
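
Two things in the Files listings are worth extracting rather than reading by eye. First, the seven dropped files that appear in both the behavioral1 tail and the behavioral2 listing (WoemvHc, remvhOe, CGrozRo, MugCTnQ, xHRrbtI, MUSwzFL and msesElz) carry identical MD5/SHA1/SHA256/SHA512 values in both runs, so both the file names and their contents are stable across detonations and are usable as indicators. Second, every dumped region for the sample and its children spans exactly 0x351000 bytes (for instance 0x7FF75A5D1000 - 0x7FF75A280000), the sole exception being the 0x10000 region memory/4364-1 in the parent, which is consistent with the parent dropping copies of one image rather than twenty distinct tools. The parser below is an added example, not part of the report; RUN1 and RUN2 are constructed excerpts copied from the two Files sections (MD5 and SHA256 only, to keep the block short), and the function names are this example's own.

```python
"""Parse the plain-text Files listing of this report into IOCs and
memory-region facts.

Added example, not part of the sandbox report. RUN1 and RUN2 are constructed
excerpts copied from the behavioral1 and behavioral2 Files sections (MD5 and
SHA256 only); the function names are this example's own.
"""
import re

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")

RUN1 = r"""
memory/620-149-0x000000013F4E0000-0x000000013F831000-memory.dmp
memory/2232-148-0x000000013F4E0000-0x000000013F831000-memory.dmp
C:\Windows\system\WoemvHc.exe
MD5 0f239a47768b2157d10c0da4b1e5398e
SHA256 a13e8fba8784d21fa5be4e6e7f1059e3e110686c44905a9bd77efdeff7261969
C:\Windows\system\remvhOe.exe
MD5 dd12975eae881464253af4e31f868905
SHA256 7d8389e383b327f4cae54dd9067144a0144f2e48b47876c54bfb00aa61b9b444
"""

RUN2 = r"""
memory/4364-0-0x00007FF75A280000-0x00007FF75A5D1000-memory.dmp
memory/4364-1-0x0000014E454B0000-0x0000014E454C0000-memory.dmp
C:\Windows\System\UVODvOj.exe
MD5 1068ac6f349c89725d9cac9191966ecb
SHA256 50d5991a5f8f329815a1ae26d4a80ff0c91be7aabd147125d5cbbe353ddc484f
memory/5000-6-0x00007FF6D0820000-0x00007FF6D0B71000-memory.dmp
C:\Windows\System\WoemvHc.exe
MD5 0f239a47768b2157d10c0da4b1e5398e
SHA256 a13e8fba8784d21fa5be4e6e7f1059e3e110686c44905a9bd77efdeff7261969
C:\Windows\System\remvhOe.exe
MD5 dd12975eae881464253af4e31f868905
SHA256 7d8389e383b327f4cae54dd9067144a0144f2e48b47876c54bfb00aa61b9b444
"""


def parse_files_section(text):
    """Return ({path: {algorithm: hexdigest}}, [(pid, seq, start, end)]).
    A hash line belongs to the most recent path line; a memory/ line ends
    the current file entry."""
    files, regions, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            regions.append((int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None
        elif PATH_RE.match(line):
            current = line
            files[current] = {}
        else:
            m = HASH_RE.match(line)
            if m and current is not None:
                files[current][m.group(1)] = m.group(2)
    return files, regions


def basename(path):
    """Case-folded file name; the two runs differ only in 'system' vs 'System'."""
    return path.rsplit("\\", 1)[-1].lower()


def files_identical_across_runs(run_a, run_b):
    """Dropped names whose SHA256 is the same in both detonations."""
    sha_a = {basename(p): h.get("SHA256") for p, h in run_a.items()}
    same = []
    for p, h in run_b.items():
        name = basename(p)
        if name in sha_a and sha_a[name] is not None and sha_a[name] == h.get("SHA256"):
            same.append(name)
    return sorted(same)


def region_sizes(regions):
    """PID -> set of dumped region sizes in bytes."""
    sizes = {}
    for pid, _seq, start, end in regions:
        sizes.setdefault(pid, set()).add(end - start)
    return sizes


def unique_hashes(*runs, alg="SHA256"):
    """Deduplicated digest list across any number of parsed runs."""
    return sorted({h[alg] for run in runs for h in run.values() if alg in h})


if __name__ == "__main__":
    files1, regions1 = parse_files_section(RUN1)
    files2, regions2 = parse_files_section(RUN2)
    print("identical in both runs:", files_identical_across_runs(files1, files2))
    print("region sizes:", {pid: [hex(s) for s in v] for pid, v in region_sizes(regions2).items()})
    print("unique SHA256:", unique_hashes(files1, files2))
```

On the excerpts, WoemvHc.exe and remvhOe.exe come back as identical across runs, UVODvOj.exe contributes the only additional digest, and the parent's regions split into the 0x351000 image mapping plus the single 0x10000 region. Feeding the full listings above through the same parser is how the seven-name claim in the lead-in was checked.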