Malware Analysis Report

2025-08-11 08:12

Sample ID 241025-nxsa9szcrk
Target 2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat
SHA256 9bd8e2de1d92fd326b3e8314dd7dd793599cf03f73413998febb72731bf07e2a
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9bd8e2de1d92fd326b3e8314dd7dd793599cf03f73413998febb72731bf07e2a

Threat Level: Known bad

The file 2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobalt Strike reflective loader

xmrig

Cobaltstrike

Xmrig family

XMRig Miner payload

Cobaltstrike family

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-10-25 11:46

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
(2 hits, indicator details not reported)

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 11:46

Reported

2024-10-25 11:49

Platform

win7-20240903-en

Max time kernel

141s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 hits, indicator details not reported)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(40 hits, indicator details not reported)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
(21 hits from the same process, loaded module not reported)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 hits, indicator details not reported)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\aNafrgt.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GQIrzJi.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hHJaMWr.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ceDUBlj.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SUVPotj.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DTwjbuw.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QdudlAd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uhSEQgy.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OxufWsI.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QBgFWac.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sGSvfuQ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rGHKhBf.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RoaCGdL.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KkLfGFM.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jNwpEeP.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MbvTmkn.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mkoLIzy.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YDqQKQx.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jMxAtqj.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ycAfikw.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dsLOwQj.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2120 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QdudlAd.exe
PID 2120 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QdudlAd.exe
PID 2120 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QdudlAd.exe
PID 2120 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KkLfGFM.exe
PID 2120 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KkLfGFM.exe
PID 2120 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KkLfGFM.exe
PID 2120 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aNafrgt.exe
PID 2120 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aNafrgt.exe
PID 2120 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aNafrgt.exe
PID 2120 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OxufWsI.exe
PID 2120 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OxufWsI.exe
PID 2120 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OxufWsI.exe
PID 2120 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QBgFWac.exe
PID 2120 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QBgFWac.exe
PID 2120 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QBgFWac.exe
PID 2120 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dsLOwQj.exe
PID 2120 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dsLOwQj.exe
PID 2120 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dsLOwQj.exe
PID 2120 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jNwpEeP.exe
PID 2120 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jNwpEeP.exe
PID 2120 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jNwpEeP.exe
PID 2120 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MbvTmkn.exe
PID 2120 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MbvTmkn.exe
PID 2120 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MbvTmkn.exe
PID 2120 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sGSvfuQ.exe
PID 2120 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sGSvfuQ.exe
PID 2120 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sGSvfuQ.exe
PID 2120 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GQIrzJi.exe
PID 2120 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GQIrzJi.exe
PID 2120 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GQIrzJi.exe
PID 2120 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hHJaMWr.exe
PID 2120 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hHJaMWr.exe
PID 2120 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hHJaMWr.exe
PID 2120 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mkoLIzy.exe
PID 2120 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mkoLIzy.exe
PID 2120 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mkoLIzy.exe
PID 2120 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rGHKhBf.exe
PID 2120 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rGHKhBf.exe
PID 2120 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rGHKhBf.exe
PID 2120 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RoaCGdL.exe
PID 2120 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RoaCGdL.exe
PID 2120 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RoaCGdL.exe
PID 2120 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YDqQKQx.exe
PID 2120 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YDqQKQx.exe
PID 2120 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YDqQKQx.exe
PID 2120 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ceDUBlj.exe
PID 2120 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ceDUBlj.exe
PID 2120 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ceDUBlj.exe
PID 2120 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uhSEQgy.exe
PID 2120 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uhSEQgy.exe
PID 2120 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uhSEQgy.exe
PID 2120 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SUVPotj.exe
PID 2120 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SUVPotj.exe
PID 2120 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SUVPotj.exe
PID 2120 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jMxAtqj.exe
PID 2120 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jMxAtqj.exe
PID 2120 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jMxAtqj.exe
PID 2120 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DTwjbuw.exe
PID 2120 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DTwjbuw.exe
PID 2120 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DTwjbuw.exe
PID 2120 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ycAfikw.exe
PID 2120 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ycAfikw.exe
PID 2120 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ycAfikw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\QdudlAd.exe

C:\Windows\System\QdudlAd.exe

C:\Windows\System\KkLfGFM.exe

C:\Windows\System\KkLfGFM.exe

C:\Windows\System\aNafrgt.exe

C:\Windows\System\aNafrgt.exe

C:\Windows\System\OxufWsI.exe

C:\Windows\System\OxufWsI.exe

C:\Windows\System\QBgFWac.exe

C:\Windows\System\QBgFWac.exe

C:\Windows\System\dsLOwQj.exe

C:\Windows\System\dsLOwQj.exe

C:\Windows\System\jNwpEeP.exe

C:\Windows\System\jNwpEeP.exe

C:\Windows\System\MbvTmkn.exe

C:\Windows\System\MbvTmkn.exe

C:\Windows\System\sGSvfuQ.exe

C:\Windows\System\sGSvfuQ.exe

C:\Windows\System\GQIrzJi.exe

C:\Windows\System\GQIrzJi.exe

C:\Windows\System\hHJaMWr.exe

C:\Windows\System\hHJaMWr.exe

C:\Windows\System\mkoLIzy.exe

C:\Windows\System\mkoLIzy.exe

C:\Windows\System\rGHKhBf.exe

C:\Windows\System\rGHKhBf.exe

C:\Windows\System\RoaCGdL.exe

C:\Windows\System\RoaCGdL.exe

C:\Windows\System\YDqQKQx.exe

C:\Windows\System\YDqQKQx.exe

C:\Windows\System\ceDUBlj.exe

C:\Windows\System\ceDUBlj.exe

C:\Windows\System\uhSEQgy.exe

C:\Windows\System\uhSEQgy.exe

C:\Windows\System\SUVPotj.exe

C:\Windows\System\SUVPotj.exe

C:\Windows\System\jMxAtqj.exe

C:\Windows\System\jMxAtqj.exe

C:\Windows\System\DTwjbuw.exe

C:\Windows\System\DTwjbuw.exe

C:\Windows\System\ycAfikw.exe

C:\Windows\System\ycAfikw.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2120-0-0x000000013F1E0000-0x000000013F531000-memory.dmp

memory/2120-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\QdudlAd.exe

MD5 dd025472bba6e592e623479fe42e09b0
SHA1 4d3ba66432eab299a77aca8a5c29a97628f233e5
SHA256 926d84c12512578cf3769f8fa64d101dc6ffe65dd4e2bc205ae9a85ea14dd351
SHA512 b958f5e1a41a0736ae397e4ec059ccdecbcf4535a631ec95ca6c4b0ef20ed6811f3a291c6fe365f64ca7d30b64cd85bf487a70d4ecc5ad2742db18bd8a995360

C:\Windows\system\KkLfGFM.exe

MD5 189ab21b01ed3377a51be3c575939e9b
SHA1 cb364a0880c9ceeeda0188bdf2bb57e191648994
SHA256 94e18a3d7e11b7b0a058db1157314c4d27e492f5500c623a89f6888ec1617850
SHA512 75cac9e295b2ab2c9b86ce1aefbe5ecd2f6eeae64a9cb553f2d14e665999a14f7525edaf7a411579aff7a2cb5930c138a7052f084c1148faee89437fcdcf67e7

\Windows\system\aNafrgt.exe

MD5 8c44a9ffb7fba9db9c20f8f9f55d24c3
SHA1 529f40f25fbc29d37e0b42d46104f60c43d79e54
SHA256 e3a6f8e75918ec3afc1977476f4033aa6d83a931a092a0b5d32dd7fd27f6a492
SHA512 fcdfc6e2d6d49c29e1a613e4a2d6238197879796c177aee2fcc8da1f55fb22fefebf7f7273fb4af3c5c994b8657b7e3a09bae5d98b015cf5e57964a90dea3c87

C:\Windows\system\OxufWsI.exe

MD5 02387e2a734c020dcf0df7904e866a1c
SHA1 2637984f4d92bc0462c0c9f4a31b05a284e071d8
SHA256 aa9c880e114845b4e5d4aafac0dc277b2422d7cb0b67b2da443b9a1f12342663
SHA512 932be74e93ff490ab81890d76301eae7fd14e1190105db0faed4b3bef83aa9223f3525be90078f5ba6e41955b3ffb2e9df886b0996a8106c746dece3d0c7da66

memory/3004-29-0x000000013F340000-0x000000013F691000-memory.dmp

memory/2120-12-0x00000000023C0000-0x0000000002711000-memory.dmp

memory/2976-28-0x000000013F4F0000-0x000000013F841000-memory.dmp

memory/2344-26-0x000000013F3E0000-0x000000013F731000-memory.dmp

memory/2120-23-0x00000000023C0000-0x0000000002711000-memory.dmp

memory/2120-21-0x00000000023C0000-0x0000000002711000-memory.dmp

memory/2120-6-0x00000000023C0000-0x0000000002711000-memory.dmp

\Windows\system\dsLOwQj.exe

MD5 e9187230eb440806057b075004506e44
SHA1 cd6048f6db9cb8a28caf9b902fb92b051042cdb6
SHA256 b994dedf31bca3367d62a4a9e4175f47ae4a05dee05ee292d5123fe2cb933106
SHA512 faa0247fe68636443c88325de2a4e112a5b95e2f4042875839501a6e7fa0c383e71539c30e2b921a024ae30d5489b7adf74e76113a8be4fd156d9c3380aa1dc0

memory/2200-41-0x000000013FE50000-0x00000001401A1000-memory.dmp

memory/2120-31-0x000000013FB20000-0x000000013FE71000-memory.dmp

\Windows\system\QBgFWac.exe

MD5 77d51b4de19fbb38c809e30b894af765
SHA1 657d1313ee61956d9aca2c556dec108cb446edbf
SHA256 d5b3d236e75528a5d7530ea3bf9c67cf8b42ca018250c1f3fca3002724d43bc2
SHA512 450b88f9c3093208d9795526f875e7d1f3e8d9bc26245e9643b77eb865595ce1b74149020ce61ed349ac605bea39ec0aeddbdea902804acc7d4093186a664814

memory/2120-38-0x000000013FE50000-0x00000001401A1000-memory.dmp

memory/2760-35-0x000000013FB20000-0x000000013FE71000-memory.dmp

memory/2712-51-0x000000013F800000-0x000000013FB51000-memory.dmp

memory/2120-50-0x00000000023C0000-0x0000000002711000-memory.dmp

memory/2120-49-0x000000013F1E0000-0x000000013F531000-memory.dmp

C:\Windows\system\jNwpEeP.exe

MD5 1bbd1eb71217a6562ad6300a40e11662
SHA1 9ec3d053b8d209da18cb8dc19cddf3b100ba9bcf
SHA256 84d08dcb72a202d7e16d141f81f00072b17d90408400e6d9433f44e6cd8c1a32
SHA512 ad4cfebda61fd445291e530d439924f2fe80b952fe2c5bfc93fbf4cd6902d27e52854c7299b4713d091a801f62618374a9cdee1d94fabb603bddd864c0816114

memory/2120-45-0x000000013F800000-0x000000013FB51000-memory.dmp

\Windows\system\MbvTmkn.exe

MD5 e394f7fcd6046ddf136e019334d5b63f
SHA1 94ec2abade8542ab2c8125cd63b23c355652c2bf
SHA256 e48b7b440c354ca579255bf6f09fede2aad57c0635362bffae5c7649da6bcefa
SHA512 19eb7897f2e87b1f4512ae1b28082243e7b3ba3924ba9fa70347fe1cda706ab994657dcee150d33c39a00001ef340edd0833db7684ca8c2d1bc09b88e00c5615

memory/2960-56-0x000000013F3E0000-0x000000013F731000-memory.dmp

\Windows\system\sGSvfuQ.exe

MD5 258b5740001aae64eccccede232aa45b
SHA1 84dffcc3c64bc6e86c7366141d6b1fc6aa296931
SHA256 430447edb4ef9b6f41807dbe663be8e210733ab2abe3bac76afec28d77f685f7
SHA512 459e1e1b91bca435f628359d6213d0451938bbb796167f8c3858774125b8f982ee0c0507480f39a72fec5c593933df85c324f6587ab69edfda8311b1f2f1f672

memory/2888-59-0x000000013F0C0000-0x000000013F411000-memory.dmp

memory/2348-66-0x000000013F100000-0x000000013F451000-memory.dmp

memory/2120-64-0x00000000023C0000-0x0000000002711000-memory.dmp

\Windows\system\GQIrzJi.exe

MD5 1a5076b3f5eeea334266e49f52effa0a
SHA1 87d15eb14fd585509d66bfe9f4af0c5c9cd8686d
SHA256 34c357011e099f0096ac8855e6d848ce56fceb7222286a38b190b460c4071434
SHA512 2d9660138954b8384490231d6baf2df590221843ab659c091f3538c301d8c5a681241e94b2d0667fd5a1bdc92d2b6b39dd3bda5daba27c82c3a806fc042b8f69

memory/2760-72-0x000000013FB20000-0x000000013FE71000-memory.dmp

memory/2548-73-0x000000013F340000-0x000000013F691000-memory.dmp

memory/2120-70-0x00000000023C0000-0x0000000002711000-memory.dmp

\Windows\system\hHJaMWr.exe

MD5 b20f3111483101de215aa90aa8c9f566
SHA1 5f7ae6756ad7bee6849d328168cc09a85e38ac83
SHA256 12a176c60c36278d27164c0c80d06d8f55a0bf79ce318b98c7d8b47a1c517912
SHA512 03825584ff516d73782a714ff784a24db2ce93ad52940a7f8e43d2ef104011dca6d7bbfcf4530968d8f885e0709a7c1f62a0c5d2deec31ff489f3c6e7a09507d

memory/2980-81-0x000000013F460000-0x000000013F7B1000-memory.dmp

memory/2200-80-0x000000013FE50000-0x00000001401A1000-memory.dmp

memory/2120-77-0x00000000023C0000-0x0000000002711000-memory.dmp

\Windows\system\mkoLIzy.exe

MD5 8af275f30d752f3455c448f0231c5d60
SHA1 0e534c87a61066be055f449d08f3dda004c41046
SHA256 c7dca2ac16c60ff580e92913c594c3ec4eaa99dc4a710dbee1418966e51ceed2
SHA512 8b7fa8a3ba43f2bfae94f9ea7246820eea326e691b80579aa5b25037de67d95ed783c96a078fc2e7a34a59c68794869224215f0ddd15788b93bbf80b72d85a2f

memory/2712-86-0x000000013F800000-0x000000013FB51000-memory.dmp

memory/2996-89-0x000000013FE30000-0x0000000140181000-memory.dmp

memory/2888-94-0x000000013F0C0000-0x000000013F411000-memory.dmp

memory/1700-97-0x000000013F6F0000-0x000000013FA41000-memory.dmp

C:\Windows\system\rGHKhBf.exe

MD5 60831d30c07d4befef05fee997b8c473
SHA1 3faa8dae04edb268b0f5eacdacc11eed3b180c0f
SHA256 2a1c53d42b2aa4a93735aee7bb45f24957da7fc6e61eec0e1e33057f4132b980
SHA512 eaef674c41538e488724891fa1b92ad82e3499708db4436266192f7de86f246db8f5ccb2e2d87541ad223b99620c62869b5e72397986ac20f7720db4b03ec15d

memory/2120-91-0x00000000023C0000-0x0000000002711000-memory.dmp

memory/2120-83-0x000000013FE30000-0x0000000140181000-memory.dmp

C:\Windows\system\RoaCGdL.exe

MD5 e9b65c50f0cc30482b5fd4b368f1a251
SHA1 2cd8d6db9fcc32ee5573623657f6f3246eefcc0e
SHA256 c7c5162be65e39a6b79e8d3ab608e216a139386c2907f2f1c9fe92cf76b7b9d6
SHA512 6fb32127701c8410d2f951569d3cb43b4dd17ef9d8294103cffcad231494b5da669c833bd9cdd183db2b0eabd192a3f073edb87f6051de77895c5644fa609961

C:\Windows\system\SUVPotj.exe

MD5 bf61f45a45a828f994c1f768985177cd
SHA1 394f3bd759995a2b6b9ce8f0e684c571fc2e618e
SHA256 755d86c56191575cb3dba4b95eb9d81a09b4ec2de44bba0d5512a77b5a2db801
SHA512 ca379440e2ce73d879c26c078a18de3f0d248aab1aaed7707c240b6e8dd312f22be3df4b835f1ba6db78c65e64db3d1007794bf3a2eca56ade0da8c9f57225ba

C:\Windows\system\uhSEQgy.exe

MD5 bb0c5dc94c5ed591d468516640ce70f5
SHA1 59525d9444acdbd5b4d0a89286d9b23779d8d9d4
SHA256 b4114d62aad4e47fe6f62c83748f0af258fb0e6645af030f8d91a384f9521f51
SHA512 0b9244fa99982e252bea21d8d608782434609366aa2561d85d6a03fe007463e966d057569f14fbabc659866733afbe4a15da4e01e76ba0ae893b0e7ed1e25fd9

C:\Windows\system\YDqQKQx.exe

MD5 5ddcae08ed93dbb60b6f2e7d3c2ab63f
SHA1 f0e4f85de3949738b77d45f96ffc19960c256409
SHA256 cac0238ffeba1da452ec82ff63ea571e1778107aeaf24dd7afb98a5699d4cb5a
SHA512 a9b38ffc22e13c10234b7704ab870cff53eb223cb6473802d7ed9d72fe3d5372170d98ad9c953bf20d88a8d794a5e001bd51810a25fffe9256e4fa1e42bd63d9

memory/2120-107-0x000000013FC30000-0x000000013FF81000-memory.dmp

memory/2120-106-0x00000000023C0000-0x0000000002711000-memory.dmp

C:\Windows\system\ceDUBlj.exe

MD5 7b2b71adeb52507a36fcc31403c8dd31
SHA1 32171ca8af05823f968bc22f3f647e8127223ec0
SHA256 49c2c84e170a800779a6966efab2fdefa679d5a3dfdce81b5a04af761aa28d83
SHA512 2816fc170191c1990eb9f02f1d810794b6041bd1f8f465713e728873a0cddf6ae67b8884c592b2c70e1bdfca4663025f3e293f23486ab21ef098b046aa4c5e2c

memory/1644-102-0x000000013F670000-0x000000013F9C1000-memory.dmp

memory/2120-99-0x000000013F670000-0x000000013F9C1000-memory.dmp

memory/2548-127-0x000000013F340000-0x000000013F691000-memory.dmp

memory/2120-128-0x00000000023C0000-0x0000000002711000-memory.dmp

C:\Windows\system\jMxAtqj.exe

MD5 f8d90a28471b0fc29d83bc68d64cc448
SHA1 578282f0848fc878edae008fb92a526f2a835628
SHA256 39252b734cf67e5127c6239ab3a68f4953510b483b1e0eaaac3901749fe234b3
SHA512 2f40a4f1de72146ba9a699ffe8a17ceba28426f202d5d800556c25144241ee08fd705bc0fd3707ee7ba3b49ad4cc708cb70cf5971e89f9039066222547acd717

C:\Windows\system\DTwjbuw.exe

MD5 d04ffed4e2c95ac963902983535a4934
SHA1 3d80ddb6db3b92203802219c435db034def7249e
SHA256 d70d0441c0e964001bc56ccaa3dbea2b395b21907f0737e3fbbb675b8ffb6c0e
SHA512 2e1491932dfbd63c412368252613d3fa3f64832c9b785dedb636f3aa79dd340dbf1d8bc7ace1d1d004ee6c8903563d344decdce77766d68ca088131cb75d4947

memory/2980-140-0x000000013F460000-0x000000013F7B1000-memory.dmp

C:\Windows\system\ycAfikw.exe

MD5 faefe76c74cf04f80cd5825b01c4be82
SHA1 f189fcb06e791edcc108995641d94efb87151f85
SHA256 dce9ee0a64b0e124cc689c88e1b81433f91adb65ebe5db209f2d2db63e0a6526
SHA512 2a7e303731446c61065b6bf79b067231f3a49d3633c967ed524688399d6d962701850348a22d8dd21afd9eee53ac47cc59e26702c844ed08e89c510bdde1e8c6

memory/2120-145-0x000000013FE30000-0x0000000140181000-memory.dmp

memory/2996-146-0x000000013FE30000-0x0000000140181000-memory.dmp

memory/2120-147-0x000000013F1E0000-0x000000013F531000-memory.dmp

memory/2120-148-0x000000013F6F0000-0x000000013FA41000-memory.dmp

memory/1700-156-0x000000013F6F0000-0x000000013FA41000-memory.dmp

memory/1644-163-0x000000013F670000-0x000000013F9C1000-memory.dmp

memory/2332-166-0x000000013F960000-0x000000013FCB1000-memory.dmp

memory/2120-169-0x000000013FC30000-0x000000013FF81000-memory.dmp

memory/1688-168-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

memory/1676-167-0x000000013FA20000-0x000000013FD71000-memory.dmp

memory/1956-165-0x000000013FC30000-0x000000013FF81000-memory.dmp

memory/1144-170-0x000000013FAD0000-0x000000013FE21000-memory.dmp

memory/2820-172-0x000000013F420000-0x000000013F771000-memory.dmp

memory/1516-171-0x000000013F420000-0x000000013F771000-memory.dmp

memory/2120-173-0x000000013F1E0000-0x000000013F531000-memory.dmp

memory/2960-223-0x000000013F3E0000-0x000000013F731000-memory.dmp

memory/2344-225-0x000000013F3E0000-0x000000013F731000-memory.dmp

memory/3004-228-0x000000013F340000-0x000000013F691000-memory.dmp

memory/2976-229-0x000000013F4F0000-0x000000013F841000-memory.dmp

memory/2760-234-0x000000013FB20000-0x000000013FE71000-memory.dmp

memory/2200-236-0x000000013FE50000-0x00000001401A1000-memory.dmp

memory/2712-242-0x000000013F800000-0x000000013FB51000-memory.dmp

memory/2888-244-0x000000013F0C0000-0x000000013F411000-memory.dmp

memory/2348-246-0x000000013F100000-0x000000013F451000-memory.dmp

memory/2548-248-0x000000013F340000-0x000000013F691000-memory.dmp

memory/2980-252-0x000000013F460000-0x000000013F7B1000-memory.dmp

memory/2996-254-0x000000013FE30000-0x0000000140181000-memory.dmp

memory/1644-261-0x000000013F670000-0x000000013F9C1000-memory.dmp

memory/1700-265-0x000000013F6F0000-0x000000013FA41000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 11:46

Reported

2024-10-25 11:49

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\uhSEQgy.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QBgFWac.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GQIrzJi.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hHJaMWr.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YDqQKQx.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SUVPotj.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jMxAtqj.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KkLfGFM.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OxufWsI.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jNwpEeP.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mkoLIzy.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ceDUBlj.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ycAfikw.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QdudlAd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MbvTmkn.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sGSvfuQ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rGHKhBf.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aNafrgt.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dsLOwQj.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RoaCGdL.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DTwjbuw.exe C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4416 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QdudlAd.exe
PID 4416 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QdudlAd.exe
PID 4416 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KkLfGFM.exe
PID 4416 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KkLfGFM.exe
PID 4416 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aNafrgt.exe
PID 4416 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aNafrgt.exe
PID 4416 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OxufWsI.exe
PID 4416 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OxufWsI.exe
PID 4416 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QBgFWac.exe
PID 4416 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QBgFWac.exe
PID 4416 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dsLOwQj.exe
PID 4416 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dsLOwQj.exe
PID 4416 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jNwpEeP.exe
PID 4416 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jNwpEeP.exe
PID 4416 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MbvTmkn.exe
PID 4416 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MbvTmkn.exe
PID 4416 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sGSvfuQ.exe
PID 4416 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sGSvfuQ.exe
PID 4416 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GQIrzJi.exe
PID 4416 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GQIrzJi.exe
PID 4416 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hHJaMWr.exe
PID 4416 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hHJaMWr.exe
PID 4416 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mkoLIzy.exe
PID 4416 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mkoLIzy.exe
PID 4416 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rGHKhBf.exe
PID 4416 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rGHKhBf.exe
PID 4416 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RoaCGdL.exe
PID 4416 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RoaCGdL.exe
PID 4416 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YDqQKQx.exe
PID 4416 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YDqQKQx.exe
PID 4416 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ceDUBlj.exe
PID 4416 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ceDUBlj.exe
PID 4416 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uhSEQgy.exe
PID 4416 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uhSEQgy.exe
PID 4416 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SUVPotj.exe
PID 4416 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SUVPotj.exe
PID 4416 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jMxAtqj.exe
PID 4416 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jMxAtqj.exe
PID 4416 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DTwjbuw.exe
PID 4416 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DTwjbuw.exe
PID 4416 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ycAfikw.exe
PID 4416 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ycAfikw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\QdudlAd.exe

C:\Windows\System\QdudlAd.exe

C:\Windows\System\KkLfGFM.exe

C:\Windows\System\KkLfGFM.exe

C:\Windows\System\aNafrgt.exe

C:\Windows\System\aNafrgt.exe

C:\Windows\System\OxufWsI.exe

C:\Windows\System\OxufWsI.exe

C:\Windows\System\QBgFWac.exe

C:\Windows\System\QBgFWac.exe

C:\Windows\System\dsLOwQj.exe

C:\Windows\System\dsLOwQj.exe

C:\Windows\System\jNwpEeP.exe

C:\Windows\System\jNwpEeP.exe

C:\Windows\System\MbvTmkn.exe

C:\Windows\System\MbvTmkn.exe

C:\Windows\System\sGSvfuQ.exe

C:\Windows\System\sGSvfuQ.exe

C:\Windows\System\GQIrzJi.exe

C:\Windows\System\GQIrzJi.exe

C:\Windows\System\hHJaMWr.exe

C:\Windows\System\hHJaMWr.exe

C:\Windows\System\mkoLIzy.exe

C:\Windows\System\mkoLIzy.exe

C:\Windows\System\rGHKhBf.exe

C:\Windows\System\rGHKhBf.exe

C:\Windows\System\RoaCGdL.exe

C:\Windows\System\RoaCGdL.exe

C:\Windows\System\YDqQKQx.exe

C:\Windows\System\YDqQKQx.exe

C:\Windows\System\ceDUBlj.exe

C:\Windows\System\ceDUBlj.exe

C:\Windows\System\uhSEQgy.exe

C:\Windows\System\uhSEQgy.exe

C:\Windows\System\SUVPotj.exe

C:\Windows\System\SUVPotj.exe

C:\Windows\System\jMxAtqj.exe

C:\Windows\System\jMxAtqj.exe

C:\Windows\System\DTwjbuw.exe

C:\Windows\System\DTwjbuw.exe

C:\Windows\System\ycAfikw.exe

C:\Windows\System\ycAfikw.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 udp

Files

memory/4416-0-0x00007FF7E78D0000-0x00007FF7E7C21000-memory.dmp

memory/4416-1-0x00000201EF090000-0x00000201EF0A0000-memory.dmp

C:\Windows\System\QdudlAd.exe

MD5 dd025472bba6e592e623479fe42e09b0
SHA1 4d3ba66432eab299a77aca8a5c29a97628f233e5
SHA256 926d84c12512578cf3769f8fa64d101dc6ffe65dd4e2bc205ae9a85ea14dd351
SHA512 b958f5e1a41a0736ae397e4ec059ccdecbcf4535a631ec95ca6c4b0ef20ed6811f3a291c6fe365f64ca7d30b64cd85bf487a70d4ecc5ad2742db18bd8a995360

C:\Windows\System\KkLfGFM.exe

MD5 189ab21b01ed3377a51be3c575939e9b
SHA1 cb364a0880c9ceeeda0188bdf2bb57e191648994
SHA256 94e18a3d7e11b7b0a058db1157314c4d27e492f5500c623a89f6888ec1617850
SHA512 75cac9e295b2ab2c9b86ce1aefbe5ecd2f6eeae64a9cb553f2d14e665999a14f7525edaf7a411579aff7a2cb5930c138a7052f084c1148faee89437fcdcf67e7

memory/452-15-0x00007FF7716C0000-0x00007FF771A11000-memory.dmp

memory/2960-18-0x00007FF61FDF0000-0x00007FF620141000-memory.dmp

C:\Windows\System\dsLOwQj.exe

MD5 e9187230eb440806057b075004506e44
SHA1 cd6048f6db9cb8a28caf9b902fb92b051042cdb6
SHA256 b994dedf31bca3367d62a4a9e4175f47ae4a05dee05ee292d5123fe2cb933106
SHA512 faa0247fe68636443c88325de2a4e112a5b95e2f4042875839501a6e7fa0c383e71539c30e2b921a024ae30d5489b7adf74e76113a8be4fd156d9c3380aa1dc0

memory/4448-35-0x00007FF79A280000-0x00007FF79A5D1000-memory.dmp

memory/4660-37-0x00007FF7758C0000-0x00007FF775C11000-memory.dmp

C:\Windows\System\jNwpEeP.exe

MD5 1bbd1eb71217a6562ad6300a40e11662
SHA1 9ec3d053b8d209da18cb8dc19cddf3b100ba9bcf
SHA256 84d08dcb72a202d7e16d141f81f00072b17d90408400e6d9433f44e6cd8c1a32
SHA512 ad4cfebda61fd445291e530d439924f2fe80b952fe2c5bfc93fbf4cd6902d27e52854c7299b4713d091a801f62618374a9cdee1d94fabb603bddd864c0816114

C:\Windows\System\QBgFWac.exe

MD5 77d51b4de19fbb38c809e30b894af765
SHA1 657d1313ee61956d9aca2c556dec108cb446edbf
SHA256 d5b3d236e75528a5d7530ea3bf9c67cf8b42ca018250c1f3fca3002724d43bc2
SHA512 450b88f9c3093208d9795526f875e7d1f3e8d9bc26245e9643b77eb865595ce1b74149020ce61ed349ac605bea39ec0aeddbdea902804acc7d4093186a664814

memory/4220-33-0x00007FF627890000-0x00007FF627BE1000-memory.dmp

C:\Windows\System\OxufWsI.exe

MD5 02387e2a734c020dcf0df7904e866a1c
SHA1 2637984f4d92bc0462c0c9f4a31b05a284e071d8
SHA256 aa9c880e114845b4e5d4aafac0dc277b2422d7cb0b67b2da443b9a1f12342663
SHA512 932be74e93ff490ab81890d76301eae7fd14e1190105db0faed4b3bef83aa9223f3525be90078f5ba6e41955b3ffb2e9df886b0996a8106c746dece3d0c7da66

memory/4428-25-0x00007FF72C6E0000-0x00007FF72CA31000-memory.dmp

C:\Windows\System\aNafrgt.exe

MD5 8c44a9ffb7fba9db9c20f8f9f55d24c3
SHA1 529f40f25fbc29d37e0b42d46104f60c43d79e54
SHA256 e3a6f8e75918ec3afc1977476f4033aa6d83a931a092a0b5d32dd7fd27f6a492
SHA512 fcdfc6e2d6d49c29e1a613e4a2d6238197879796c177aee2fcc8da1f55fb22fefebf7f7273fb4af3c5c994b8657b7e3a09bae5d98b015cf5e57964a90dea3c87

memory/4884-10-0x00007FF7AB0A0000-0x00007FF7AB3F1000-memory.dmp

C:\Windows\System\MbvTmkn.exe

MD5 e394f7fcd6046ddf136e019334d5b63f
SHA1 94ec2abade8542ab2c8125cd63b23c355652c2bf
SHA256 e48b7b440c354ca579255bf6f09fede2aad57c0635362bffae5c7649da6bcefa
SHA512 19eb7897f2e87b1f4512ae1b28082243e7b3ba3924ba9fa70347fe1cda706ab994657dcee150d33c39a00001ef340edd0833db7684ca8c2d1bc09b88e00c5615

memory/2992-49-0x00007FF752390000-0x00007FF7526E1000-memory.dmp

C:\Windows\System\sGSvfuQ.exe

MD5 258b5740001aae64eccccede232aa45b
SHA1 84dffcc3c64bc6e86c7366141d6b1fc6aa296931
SHA256 430447edb4ef9b6f41807dbe663be8e210733ab2abe3bac76afec28d77f685f7
SHA512 459e1e1b91bca435f628359d6213d0451938bbb796167f8c3858774125b8f982ee0c0507480f39a72fec5c593933df85c324f6587ab69edfda8311b1f2f1f672

C:\Windows\System\GQIrzJi.exe

MD5 1a5076b3f5eeea334266e49f52effa0a
SHA1 87d15eb14fd585509d66bfe9f4af0c5c9cd8686d
SHA256 34c357011e099f0096ac8855e6d848ce56fceb7222286a38b190b460c4071434
SHA512 2d9660138954b8384490231d6baf2df590221843ab659c091f3538c301d8c5a681241e94b2d0667fd5a1bdc92d2b6b39dd3bda5daba27c82c3a806fc042b8f69

memory/4140-63-0x00007FF7100E0000-0x00007FF710431000-memory.dmp

memory/452-62-0x00007FF7716C0000-0x00007FF771A11000-memory.dmp

C:\Windows\System\hHJaMWr.exe

MD5 b20f3111483101de215aa90aa8c9f566
SHA1 5f7ae6756ad7bee6849d328168cc09a85e38ac83
SHA256 12a176c60c36278d27164c0c80d06d8f55a0bf79ce318b98c7d8b47a1c517912
SHA512 03825584ff516d73782a714ff784a24db2ce93ad52940a7f8e43d2ef104011dca6d7bbfcf4530968d8f885e0709a7c1f62a0c5d2deec31ff489f3c6e7a09507d

C:\Windows\System\mkoLIzy.exe

MD5 8af275f30d752f3455c448f0231c5d60
SHA1 0e534c87a61066be055f449d08f3dda004c41046
SHA256 c7dca2ac16c60ff580e92913c594c3ec4eaa99dc4a710dbee1418966e51ceed2
SHA512 8b7fa8a3ba43f2bfae94f9ea7246820eea326e691b80579aa5b25037de67d95ed783c96a078fc2e7a34a59c68794869224215f0ddd15788b93bbf80b72d85a2f

memory/3220-83-0x00007FF66DB60000-0x00007FF66DEB1000-memory.dmp

C:\Windows\System\rGHKhBf.exe

MD5 60831d30c07d4befef05fee997b8c473
SHA1 3faa8dae04edb268b0f5eacdacc11eed3b180c0f
SHA256 2a1c53d42b2aa4a93735aee7bb45f24957da7fc6e61eec0e1e33057f4132b980
SHA512 eaef674c41538e488724891fa1b92ad82e3499708db4436266192f7de86f246db8f5ccb2e2d87541ad223b99620c62869b5e72397986ac20f7720db4b03ec15d

memory/4428-82-0x00007FF72C6E0000-0x00007FF72CA31000-memory.dmp

memory/4636-78-0x00007FF63C5A0000-0x00007FF63C8F1000-memory.dmp

memory/2960-77-0x00007FF61FDF0000-0x00007FF620141000-memory.dmp

memory/3688-69-0x00007FF740FA0000-0x00007FF7412F1000-memory.dmp

memory/4884-60-0x00007FF7AB0A0000-0x00007FF7AB3F1000-memory.dmp

memory/2236-55-0x00007FF7E8930000-0x00007FF7E8C81000-memory.dmp

memory/4416-54-0x00007FF7E78D0000-0x00007FF7E7C21000-memory.dmp

C:\Windows\System\RoaCGdL.exe

MD5 e9b65c50f0cc30482b5fd4b368f1a251
SHA1 2cd8d6db9fcc32ee5573623657f6f3246eefcc0e
SHA256 c7c5162be65e39a6b79e8d3ab608e216a139386c2907f2f1c9fe92cf76b7b9d6
SHA512 6fb32127701c8410d2f951569d3cb43b4dd17ef9d8294103cffcad231494b5da669c833bd9cdd183db2b0eabd192a3f073edb87f6051de77895c5644fa609961

memory/1816-96-0x00007FF704B30000-0x00007FF704E81000-memory.dmp

C:\Windows\System\YDqQKQx.exe

MD5 5ddcae08ed93dbb60b6f2e7d3c2ab63f
SHA1 f0e4f85de3949738b77d45f96ffc19960c256409
SHA256 cac0238ffeba1da452ec82ff63ea571e1778107aeaf24dd7afb98a5699d4cb5a
SHA512 a9b38ffc22e13c10234b7704ab870cff53eb223cb6473802d7ed9d72fe3d5372170d98ad9c953bf20d88a8d794a5e001bd51810a25fffe9256e4fa1e42bd63d9

memory/4660-98-0x00007FF7758C0000-0x00007FF775C11000-memory.dmp

memory/3248-95-0x00007FF6A4A80000-0x00007FF6A4DD1000-memory.dmp

memory/4448-90-0x00007FF79A280000-0x00007FF79A5D1000-memory.dmp

memory/4220-88-0x00007FF627890000-0x00007FF627BE1000-memory.dmp

C:\Windows\System\ceDUBlj.exe

MD5 7b2b71adeb52507a36fcc31403c8dd31
SHA1 32171ca8af05823f968bc22f3f647e8127223ec0
SHA256 49c2c84e170a800779a6966efab2fdefa679d5a3dfdce81b5a04af761aa28d83
SHA512 2816fc170191c1990eb9f02f1d810794b6041bd1f8f465713e728873a0cddf6ae67b8884c592b2c70e1bdfca4663025f3e293f23486ab21ef098b046aa4c5e2c

C:\Windows\System\uhSEQgy.exe

MD5 bb0c5dc94c5ed591d468516640ce70f5
SHA1 59525d9444acdbd5b4d0a89286d9b23779d8d9d4
SHA256 b4114d62aad4e47fe6f62c83748f0af258fb0e6645af030f8d91a384f9521f51
SHA512 0b9244fa99982e252bea21d8d608782434609366aa2561d85d6a03fe007463e966d057569f14fbabc659866733afbe4a15da4e01e76ba0ae893b0e7ed1e25fd9

C:\Windows\System\SUVPotj.exe

MD5 bf61f45a45a828f994c1f768985177cd
SHA1 394f3bd759995a2b6b9ce8f0e684c571fc2e618e
SHA256 755d86c56191575cb3dba4b95eb9d81a09b4ec2de44bba0d5512a77b5a2db801
SHA512 ca379440e2ce73d879c26c078a18de3f0d248aab1aaed7707c240b6e8dd312f22be3df4b835f1ba6db78c65e64db3d1007794bf3a2eca56ade0da8c9f57225ba

C:\Windows\System\DTwjbuw.exe

MD5 d04ffed4e2c95ac963902983535a4934
SHA1 3d80ddb6db3b92203802219c435db034def7249e
SHA256 d70d0441c0e964001bc56ccaa3dbea2b395b21907f0737e3fbbb675b8ffb6c0e
SHA512 2e1491932dfbd63c412368252613d3fa3f64832c9b785dedb636f3aa79dd340dbf1d8bc7ace1d1d004ee6c8903563d344decdce77766d68ca088131cb75d4947

memory/3476-135-0x00007FF7CD0D0000-0x00007FF7CD421000-memory.dmp

memory/1764-140-0x00007FF7FEE40000-0x00007FF7FF191000-memory.dmp

C:\Windows\System\ycAfikw.exe

MD5 faefe76c74cf04f80cd5825b01c4be82
SHA1 f189fcb06e791edcc108995641d94efb87151f85
SHA256 dce9ee0a64b0e124cc689c88e1b81433f91adb65ebe5db209f2d2db63e0a6526
SHA512 2a7e303731446c61065b6bf79b067231f3a49d3633c967ed524688399d6d962701850348a22d8dd21afd9eee53ac47cc59e26702c844ed08e89c510bdde1e8c6

C:\Windows\System\jMxAtqj.exe

MD5 f8d90a28471b0fc29d83bc68d64cc448
SHA1 578282f0848fc878edae008fb92a526f2a835628
SHA256 39252b734cf67e5127c6239ab3a68f4953510b483b1e0eaaac3901749fe234b3
SHA512 2f40a4f1de72146ba9a699ffe8a17ceba28426f202d5d800556c25144241ee08fd705bc0fd3707ee7ba3b49ad4cc708cb70cf5971e89f9039066222547acd717

memory/3828-130-0x00007FF6EAF80000-0x00007FF6EB2D1000-memory.dmp

memory/2992-129-0x00007FF752390000-0x00007FF7526E1000-memory.dmp

memory/5000-121-0x00007FF73DB10000-0x00007FF73DE61000-memory.dmp

memory/4952-143-0x00007FF798E30000-0x00007FF799181000-memory.dmp

memory/2236-145-0x00007FF7E8930000-0x00007FF7E8C81000-memory.dmp

memory/1692-146-0x00007FF7159C0000-0x00007FF715D11000-memory.dmp

memory/4636-149-0x00007FF63C5A0000-0x00007FF63C8F1000-memory.dmp

memory/3248-151-0x00007FF6A4A80000-0x00007FF6A4DD1000-memory.dmp

memory/3220-150-0x00007FF66DB60000-0x00007FF66DEB1000-memory.dmp

memory/3688-148-0x00007FF740FA0000-0x00007FF7412F1000-memory.dmp

memory/4140-147-0x00007FF7100E0000-0x00007FF710431000-memory.dmp

memory/1816-152-0x00007FF704B30000-0x00007FF704E81000-memory.dmp

memory/5000-153-0x00007FF73DB10000-0x00007FF73DE61000-memory.dmp

memory/4416-154-0x00007FF7E78D0000-0x00007FF7E7C21000-memory.dmp

memory/3476-164-0x00007FF7CD0D0000-0x00007FF7CD421000-memory.dmp

memory/1764-166-0x00007FF7FEE40000-0x00007FF7FF191000-memory.dmp

memory/4416-176-0x00007FF7E78D0000-0x00007FF7E7C21000-memory.dmp

memory/4884-207-0x00007FF7AB0A0000-0x00007FF7AB3F1000-memory.dmp

memory/452-209-0x00007FF7716C0000-0x00007FF771A11000-memory.dmp

memory/2960-211-0x00007FF61FDF0000-0x00007FF620141000-memory.dmp

memory/4428-213-0x00007FF72C6E0000-0x00007FF72CA31000-memory.dmp

memory/4220-215-0x00007FF627890000-0x00007FF627BE1000-memory.dmp

memory/4448-217-0x00007FF79A280000-0x00007FF79A5D1000-memory.dmp

memory/4660-219-0x00007FF7758C0000-0x00007FF775C11000-memory.dmp

memory/2992-228-0x00007FF752390000-0x00007FF7526E1000-memory.dmp

memory/2236-235-0x00007FF7E8930000-0x00007FF7E8C81000-memory.dmp

memory/4140-237-0x00007FF7100E0000-0x00007FF710431000-memory.dmp

memory/3688-239-0x00007FF740FA0000-0x00007FF7412F1000-memory.dmp

memory/4636-241-0x00007FF63C5A0000-0x00007FF63C8F1000-memory.dmp

memory/3220-243-0x00007FF66DB60000-0x00007FF66DEB1000-memory.dmp

memory/3248-247-0x00007FF6A4A80000-0x00007FF6A4DD1000-memory.dmp

memory/1816-249-0x00007FF704B30000-0x00007FF704E81000-memory.dmp

memory/3828-259-0x00007FF6EAF80000-0x00007FF6EB2D1000-memory.dmp

memory/5000-258-0x00007FF73DB10000-0x00007FF73DE61000-memory.dmp

memory/4952-262-0x00007FF798E30000-0x00007FF799181000-memory.dmp

memory/3476-264-0x00007FF7CD0D0000-0x00007FF7CD421000-memory.dmp

memory/1692-265-0x00007FF7159C0000-0x00007FF715D11000-memory.dmp

memory/1764-267-0x00007FF7FEE40000-0x00007FF7FF191000-memory.dmp