Malware Analysis Report

2025-08-06 02:05

Sample ID 241027-fs9qratgrd
Target 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat
SHA256 86256cba6711c887e414aaa9acdaac0e92f65adc08fee3717d39253c5859d6b8
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

86256cba6711c887e414aaa9acdaac0e92f65adc08fee3717d39253c5859d6b8

Threat Level: Known bad

The file 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike

xmrig

Cobaltstrike family

Cobalt Strike reflective loader

XMRig Miner payload

Xmrig family

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-10-27 05:09

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 05:09

Reported

2024-10-27 05:11

Platform

win7-20241010-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\NsFEQIL.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MSUPJlJ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vOqFEka.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZPAUpvi.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aGUXElm.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JXrsZUZ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qOvEfkM.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TPCffOD.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bwgwOXR.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QEcUMtd.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yObhmul.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VKvJykh.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jsfmpib.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZSMURvy.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lOzMiAb.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rxObeFB.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iDLBvqQ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BKfLtvL.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bIzeGzG.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sivpkWn.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SCKgnmR.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aGUXElm.exe
PID 2032 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aGUXElm.exe
PID 2032 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aGUXElm.exe
PID 2032 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JXrsZUZ.exe
PID 2032 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JXrsZUZ.exe
PID 2032 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JXrsZUZ.exe
PID 2032 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sivpkWn.exe
PID 2032 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sivpkWn.exe
PID 2032 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sivpkWn.exe
PID 2032 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NsFEQIL.exe
PID 2032 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NsFEQIL.exe
PID 2032 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NsFEQIL.exe
PID 2032 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lOzMiAb.exe
PID 2032 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lOzMiAb.exe
PID 2032 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lOzMiAb.exe
PID 2032 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yObhmul.exe
PID 2032 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yObhmul.exe
PID 2032 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yObhmul.exe
PID 2032 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rxObeFB.exe
PID 2032 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rxObeFB.exe
PID 2032 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rxObeFB.exe
PID 2032 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MSUPJlJ.exe
PID 2032 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MSUPJlJ.exe
PID 2032 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MSUPJlJ.exe
PID 2032 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jsfmpib.exe
PID 2032 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jsfmpib.exe
PID 2032 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jsfmpib.exe
PID 2032 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VKvJykh.exe
PID 2032 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VKvJykh.exe
PID 2032 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VKvJykh.exe
PID 2032 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qOvEfkM.exe
PID 2032 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qOvEfkM.exe
PID 2032 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qOvEfkM.exe
PID 2032 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SCKgnmR.exe
PID 2032 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SCKgnmR.exe
PID 2032 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SCKgnmR.exe
PID 2032 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TPCffOD.exe
PID 2032 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TPCffOD.exe
PID 2032 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TPCffOD.exe
PID 2032 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vOqFEka.exe
PID 2032 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vOqFEka.exe
PID 2032 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vOqFEka.exe
PID 2032 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iDLBvqQ.exe
PID 2032 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iDLBvqQ.exe
PID 2032 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iDLBvqQ.exe
PID 2032 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BKfLtvL.exe
PID 2032 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BKfLtvL.exe
PID 2032 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BKfLtvL.exe
PID 2032 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bwgwOXR.exe
PID 2032 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bwgwOXR.exe
PID 2032 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bwgwOXR.exe
PID 2032 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bIzeGzG.exe
PID 2032 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bIzeGzG.exe
PID 2032 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bIzeGzG.exe
PID 2032 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZPAUpvi.exe
PID 2032 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZPAUpvi.exe
PID 2032 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZPAUpvi.exe
PID 2032 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QEcUMtd.exe
PID 2032 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QEcUMtd.exe
PID 2032 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QEcUMtd.exe
PID 2032 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZSMURvy.exe
PID 2032 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZSMURvy.exe
PID 2032 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZSMURvy.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\aGUXElm.exe

C:\Windows\System\aGUXElm.exe

C:\Windows\System\JXrsZUZ.exe

C:\Windows\System\JXrsZUZ.exe

C:\Windows\System\sivpkWn.exe

C:\Windows\System\sivpkWn.exe

C:\Windows\System\NsFEQIL.exe

C:\Windows\System\NsFEQIL.exe

C:\Windows\System\lOzMiAb.exe

C:\Windows\System\lOzMiAb.exe

C:\Windows\System\yObhmul.exe

C:\Windows\System\yObhmul.exe

C:\Windows\System\rxObeFB.exe

C:\Windows\System\rxObeFB.exe

C:\Windows\System\MSUPJlJ.exe

C:\Windows\System\MSUPJlJ.exe

C:\Windows\System\jsfmpib.exe

C:\Windows\System\jsfmpib.exe

C:\Windows\System\VKvJykh.exe

C:\Windows\System\VKvJykh.exe

C:\Windows\System\qOvEfkM.exe

C:\Windows\System\qOvEfkM.exe

C:\Windows\System\SCKgnmR.exe

C:\Windows\System\SCKgnmR.exe

C:\Windows\System\TPCffOD.exe

C:\Windows\System\TPCffOD.exe

C:\Windows\System\vOqFEka.exe

C:\Windows\System\vOqFEka.exe

C:\Windows\System\iDLBvqQ.exe

C:\Windows\System\iDLBvqQ.exe

C:\Windows\System\BKfLtvL.exe

C:\Windows\System\BKfLtvL.exe

C:\Windows\System\bwgwOXR.exe

C:\Windows\System\bwgwOXR.exe

C:\Windows\System\bIzeGzG.exe

C:\Windows\System\bIzeGzG.exe

C:\Windows\System\ZPAUpvi.exe

C:\Windows\System\ZPAUpvi.exe

C:\Windows\System\QEcUMtd.exe

C:\Windows\System\QEcUMtd.exe

C:\Windows\System\ZSMURvy.exe

C:\Windows\System\ZSMURvy.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2032-0-0x000000013FC40000-0x000000013FF91000-memory.dmp

memory/2032-1-0x00000000000F0000-0x0000000000100000-memory.dmp

memory/2032-7-0x000000013F640000-0x000000013F991000-memory.dmp

C:\Windows\system\aGUXElm.exe

MD5 46bfffe508af3e4919845b6290a5091c
SHA1 b31e7e7a939754d5981fd4b9a44e3d6f4b7835a3
SHA256 1fbe40949d26b4617cf6a429da010e6eb11748c92576474c18c19c4db5e20f1b
SHA512 6439144a251b202233961562ce117df814a5be8c29b70a164f5981610b31f8fb79dcc7f54ff7b8d77445da0f711e6ea42a4878cb5c067cf3b9399711d1d96bd1

C:\Windows\system\JXrsZUZ.exe

MD5 5c9b8f29f518ecf21e4e6477bd63decc
SHA1 17ffb003f319d17753c19a3ebf4fd952e06bfdb4
SHA256 f397adf5fe2e523f7384a4f358dd31fc0954a8365a0e78377bfd7feeafe9adfe
SHA512 db0ebdf2671581e82f468e56c6ca66dabed3e055f5f2ec6c9d11f068479e31602242edfe357c32320619e70f041d84be92b63da696b314dbfe479daa1cf71e7a

C:\Windows\system\sivpkWn.exe

MD5 2486a27c5c17fb3619cc46be78e9dac4
SHA1 1a45684e85d83898b7f73a3e64d8fd00f0b67973
SHA256 a7bd8b35bce7e313e086c3bda29d4cb597380fa16f9e68437f93d349eb9ee6a4
SHA512 b76ddd2b500284dd53e6cb109b75c1a68485cba36f35d6bcb122cc54dcbb3f33906ad0348407c5c8a1cb4eec7577b14aa4416c9fea3869d4991771cd86280944

\Windows\system\lOzMiAb.exe

MD5 20cf1043df2a59fdf15ea0ea9e3bbb41
SHA1 ea46279535d07ae4e0dd295f7cb79e58ef77bae5
SHA256 f95b7e7f02918155c78dbbbf9f6b17c67edbf660e2440b60bd878c111c65fcbe
SHA512 b8530beee0adf654994788b7276c3704558a6a0fb3f4c07f5ca522ac152485516f8ddae8f3a1f73f5fd8b42b728e9d83361e7b4686c273d1c493d721c21aa752

memory/2032-35-0x000000013F560000-0x000000013F8B1000-memory.dmp

memory/2152-31-0x000000013F640000-0x000000013F991000-memory.dmp

C:\Windows\system\MSUPJlJ.exe

MD5 e3ccfccf600350ca682857ced14a09ff
SHA1 59e8c6e828ac3c98c38839584b72826c8740e4ab
SHA256 aafd73e0d1e1181a457b51ba5ce222ec174964cd791aac4630ddefd197178689
SHA512 4d0d321dc0d1e70859e737beda51e6f85d296a0572caa8b3e2f7235c1968b364c538b59d442561d78fbe1d5c50d12059c4a0517956b4120deac84a8b7d491ca3

memory/2852-90-0x000000013FAD0000-0x000000013FE21000-memory.dmp

memory/2032-95-0x000000013FC40000-0x000000013FF91000-memory.dmp

C:\Windows\system\bIzeGzG.exe

MD5 0133a545c70ca1166ab0778aa60a27c4
SHA1 4b8b8a338b18e5756115537c7b2e70e83116d8ad
SHA256 253a57c875442f4a21a3ac9f0651038a6c6cc8b595d2e38c11db37b1d6c671f1
SHA512 2319171f147dd76e48d20131a7c8f0e958ddccf5c7c0836a11923b4cca66b0919bfdb05dc6faa2d64c81364897a0d8cfdc9689bf5f1f0ad7d11a96422178f4e9

\Windows\system\ZSMURvy.exe

MD5 93a5a7a30000ae9a545e63f31ad5b3d6
SHA1 5b4497ac2431c5e22831640edd1dedfc4d2da97f
SHA256 b9a80eec9d0ac3996850a84004b58e5f456ece75b409b91c8d884746f4aec83c
SHA512 d8ba6a374bc4639ec1c3728bba4d3b6a6913a24aecf9d4c6407b53a885b4b664f87cf2f570983e257dec4a84846491687197a61c46084b657800de258176f2fd

C:\Windows\system\QEcUMtd.exe

MD5 b12666d6e2fecb2a09c561bdef3bab1f
SHA1 ace60538ff789b84c652e3f292e7409007736cfa
SHA256 c420b78c39aeb231864bf2eb83436cea18e3b51ee257583df99d7a8e0407bff8
SHA512 ac672be1da05dfb0c7773d34cabb9d6fb6f56cd2fd320cef821141228b3e081ffb7266e3594dd613d0abbf2ad281dc775425eaa40a9457cc6ab154dea477f8bf

C:\Windows\system\ZPAUpvi.exe

MD5 6675e1ac6295e97b56c329dc93f3aec8
SHA1 f7e9db12546be9f39b450dce3f42ef22444d36ef
SHA256 05a42cdbfe9f17493bfc6bfc39178fdd1e52b2cf2ae9262167e2ae4376a99b1c
SHA512 6bf146e3cbb9fca71ac49dd6be040dead8d3271b9a2098ca1675b5b73b2070c9b9f8925fe67043e43697e55c4cdf5e9fe0f4a6c26772fc92e0bb35d1777c8494

C:\Windows\system\bwgwOXR.exe

MD5 4c1cdcb3c99528507283678665750e27
SHA1 d787cbcbc4d19a1f6459a4ef2c578d50a779eb5b
SHA256 b42ba8545b6a7bac6a77048088ec115fd7ab9b4fb17c2439252ec4e2b36a8b13
SHA512 6cccec56081ff979d8a35c499dc7f716ad5486c6bbda5f5eac07e33f452c7736a9f33042ef5b7f24796798e9897e8c37752f819df153c41e338bb566bacfd5bc

C:\Windows\system\BKfLtvL.exe

MD5 c08db4d13178f98f24d7b41718eba25f
SHA1 dc2cd4c08512494d362e32d00406bbd518c8f91b
SHA256 61a91bf5696fe0941984e561190f2614e6cf99656f0a4431fd04ed18669a35d8
SHA512 9b2469da1bfe9ac5307c5204505158ccd8c212b8e421c040f95c0a07f408056c9580c6f035fbc0a867ced6df317a5676a410e515884a4ab517e935f5f1851ad8

memory/2152-101-0x000000013F640000-0x000000013F991000-memory.dmp

C:\Windows\system\iDLBvqQ.exe

MD5 dce23e86801fe30c26449bb088589acb
SHA1 fe54c4806c9673092209587efebaa66d5eab771d
SHA256 528eb957e3cf0c2a8b84d9467d0a6ed49f5ea63cebf69d5aea4cdd3101d24085
SHA512 f54cc0e3e12c8df271e08d7ebf4de963ceb2eba4383d38db3818eb51ae28648bb643160e9836b2e04c49d7f61bc3957a827cf429e510da07a4a97cf29c2315ff

memory/2520-96-0x000000013F720000-0x000000013FA71000-memory.dmp

C:\Windows\system\vOqFEka.exe

MD5 8e3d888aca13cc428fca43db13933a14
SHA1 5e315cd287437d66bcd04fe098815a3121193d34
SHA256 e728a818a56fff80c6f9e2359d9692a8c4aef04877d374d83686c6d0a66716e8
SHA512 ba557527d63b010e35b2ee87a95f7424f55aa27c144e0610cbdc8448505f4da4fd93325d761c3c8753ddb3e58d823ed720e2d71ebbe6b33ac09bf873d18413c9

memory/2704-89-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

C:\Windows\system\qOvEfkM.exe

MD5 fa414d322767d28987a96263889a5b1d
SHA1 42581312d326137c4ca4eb09e1d3b493e5ff82e4
SHA256 58f0e33a922a05b055630e18b914fe2acb1520190ca1a14eb8c94796a9fd4ee2
SHA512 8e9153c7655a4ea4b152c9d40f46741ba4f49294b938f7518b0f0a72076831c7dc037874223a6a58ef3d1cf9f91b169a7dcea5fe17e03a33c2f4603c34bd9849

\Windows\system\SCKgnmR.exe

MD5 0041c76ca6985e45db84ec07701a3881
SHA1 9487b4c36f550f5b3acec2dfc6ec6dcfde9e48ef
SHA256 c08b8ae8fdfa1913033d458da300e13ea5f0e5e464982c2a004d3e7b8d9db978
SHA512 99189195875c1af5ffb038b50a582f4fc0eca9ab3ffbceb6e709215d028246ca8cdce35cd2fcb18330feb2d3cbdbfbb743a219ec2660a8f2c8a7ba86c02a6a40

\Windows\system\VKvJykh.exe

MD5 9178257b8e07c5114fe6870f695c94d4
SHA1 813f3ec5f2ccf016c1493ccfd10c54f53295d228
SHA256 76645e533c09eb5e8d7f46876b10c394b05023fa5ccf328eaf0f27f9b7caa49a
SHA512 3530bb449a7cb3d7935f0bdfa373c3c9eb87d06fcfbc0506fa82a0da45fc9f4c2f607a9427536483af62bcb5198e0dbe4cacadf685e66aec0714a0c1f15895f1

memory/2680-86-0x000000013FD00000-0x0000000140051000-memory.dmp

memory/2032-85-0x00000000021A0000-0x00000000024F1000-memory.dmp

C:\Windows\system\rxObeFB.exe

MD5 22268eddca172f64beb6b5166b62ee8d
SHA1 9a0eebbef2d3f8de4cf26a876582deea427ca364
SHA256 0bd7a241a5cf2030aa5155313a43617ce59f9e26142fcf8775ccf7eac5afafe5
SHA512 76161f391b6a0eecfc2a81ca775d649d5ed35efa61b93f5933caadb2ab44235f7f0a20b9c282540002fdbee5b8e42cd17e410406f8f3a0463039de58b7246ba1

memory/2032-49-0x00000000021A0000-0x00000000024F1000-memory.dmp

memory/2032-48-0x000000013F840000-0x000000013FB91000-memory.dmp

memory/2608-47-0x000000013FD60000-0x00000001400B1000-memory.dmp

memory/2032-46-0x00000000021A0000-0x00000000024F1000-memory.dmp

memory/2032-45-0x000000013FFF0000-0x0000000140341000-memory.dmp

memory/2144-44-0x000000013FED0000-0x0000000140221000-memory.dmp

memory/2032-43-0x00000000021A0000-0x00000000024F1000-memory.dmp

memory/2952-42-0x000000013F950000-0x000000013FCA1000-memory.dmp

memory/2032-41-0x00000000021A0000-0x00000000024F1000-memory.dmp

memory/1328-40-0x000000013F560000-0x000000013F8B1000-memory.dmp

C:\Windows\system\TPCffOD.exe

MD5 68c36b2274298b76c2273813338ba3d9
SHA1 c44c157dfc3f6eae2a3b2b6dba69d1ca00473c3d
SHA256 623256c562224f177f1c1c2f5a27c185dce06966ff0965d867fd754bdf0c658c
SHA512 5b7fcc96ae5d7cd4d206c2ab5bb5a83001164ce78c94e8af4387db45b521b77ed50beb209103fb2f7ff505e4bcd8c80c4d89b9a9816a6cbfb43bba6fba9653ca

memory/2032-125-0x000000013FC40000-0x000000013FF91000-memory.dmp

memory/2820-83-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/2032-82-0x00000000021A0000-0x00000000024F1000-memory.dmp

memory/2032-81-0x00000000021A0000-0x00000000024F1000-memory.dmp

memory/2032-80-0x00000000021A0000-0x00000000024F1000-memory.dmp

memory/2904-79-0x000000013F720000-0x000000013FA71000-memory.dmp

memory/2032-78-0x000000013F720000-0x000000013FA71000-memory.dmp

memory/2896-76-0x000000013FF40000-0x0000000140291000-memory.dmp

memory/2812-75-0x000000013FFF0000-0x0000000140341000-memory.dmp

\Windows\system\yObhmul.exe

MD5 39ea365966a13bf3adff43a7d4814589
SHA1 0a26421afedc495070aafd82382a75d8115a28dd
SHA256 3b003cc951ca2af7a2236e104f776ced7fce3091be8e188caf9e8e837ad95abb
SHA512 d084b9c0717c20a4e9e6dcb687c882c33c554d0abd19e6340edf1524a14da1f4d81af5cbecc716b702e3c2edc528b2386c0e403c6d1c6ff7af1760e269ac29fe

memory/2916-74-0x000000013F840000-0x000000013FB91000-memory.dmp

C:\Windows\system\jsfmpib.exe

MD5 1f1ca02c2151fc024ae3b6d46741bd1a
SHA1 ba89004f757508d9ff93136046825a009b4cad2d
SHA256 5cad2a08aa47adbf7358016f4b4a86ca1f82083dee265847254b10fa6bbb3db5
SHA512 ae46362c0cac1d8b66f6511145ac1f7c1f0facfbd54360e9da8584e2351fabeebde00f3566c6bd76d28ef363ac248d9a3668b3596122076082b0e899070257de

C:\Windows\system\NsFEQIL.exe

MD5 655c296f773dd484a8aa23dd347a27ef
SHA1 befc10a58f048baace5a6563c7122f88f48626eb
SHA256 98aeaf181007a6d4cb1fddbb02f5e5b5c488ffff4160b5aae4ed8d2ba870d327
SHA512 91cece5eb644aa7434c54cdafdd25072288dc3296b3d8ca1f265707545d76fb8b4731a9b742373b4f9a308bceeaa5305bddba47465b0d89e9b1babc37e52f940

memory/2032-147-0x000000013FC40000-0x000000013FF91000-memory.dmp

memory/2680-160-0x000000013FD00000-0x0000000140051000-memory.dmp

memory/2852-159-0x000000013FAD0000-0x000000013FE21000-memory.dmp

memory/2704-157-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

memory/2520-161-0x000000013F720000-0x000000013FA71000-memory.dmp

memory/2960-167-0x000000013F510000-0x000000013F861000-memory.dmp

memory/1980-168-0x000000013F6C0000-0x000000013FA11000-memory.dmp

memory/1220-166-0x000000013FDD0000-0x0000000140121000-memory.dmp

memory/1820-165-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

memory/2668-164-0x000000013F9F0000-0x000000013FD41000-memory.dmp

memory/1244-163-0x000000013FA60000-0x000000013FDB1000-memory.dmp

memory/624-162-0x000000013F900000-0x000000013FC51000-memory.dmp

memory/2032-169-0x000000013FC40000-0x000000013FF91000-memory.dmp

memory/2152-207-0x000000013F640000-0x000000013F991000-memory.dmp

memory/1328-209-0x000000013F560000-0x000000013F8B1000-memory.dmp

memory/2144-213-0x000000013FED0000-0x0000000140221000-memory.dmp

memory/2608-212-0x000000013FD60000-0x00000001400B1000-memory.dmp

memory/2812-216-0x000000013FFF0000-0x0000000140341000-memory.dmp

memory/2896-219-0x000000013FF40000-0x0000000140291000-memory.dmp

memory/2904-221-0x000000013F720000-0x000000013FA71000-memory.dmp

memory/2916-223-0x000000013F840000-0x000000013FB91000-memory.dmp

memory/2820-225-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/2952-217-0x000000013F950000-0x000000013FCA1000-memory.dmp

memory/2680-247-0x000000013FD00000-0x0000000140051000-memory.dmp

memory/2704-249-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

memory/2852-254-0x000000013FAD0000-0x000000013FE21000-memory.dmp

memory/2520-257-0x000000013F720000-0x000000013FA71000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 05:09

Reported

2024-10-27 05:11

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 matches; every field reported as N/A)

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(45 matches; every field reported as N/A)

UPX packed file

upx
Description Indicator Process Target
(64 matches; every field reported as N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\bZWUChq.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nZFLGnf.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eVWJdId.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hbwyyFA.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lLUrZGP.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dioKWDf.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AYFVATx.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BaLMWvK.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RcFOTMH.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SiUPAeO.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XpKyJpi.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nAiXdkx.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gkMSHoC.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XTwkKQo.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KpAggWA.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dGkAbDO.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BxwHviW.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NabdSfH.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZXarzTp.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rFufkAx.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YFVmWYL.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1936 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dioKWDf.exe
PID 1936 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dioKWDf.exe
PID 1936 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dGkAbDO.exe
PID 1936 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dGkAbDO.exe
PID 1936 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bZWUChq.exe
PID 1936 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bZWUChq.exe
PID 1936 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nAiXdkx.exe
PID 1936 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nAiXdkx.exe
PID 1936 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BxwHviW.exe
PID 1936 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BxwHviW.exe
PID 1936 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AYFVATx.exe
PID 1936 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AYFVATx.exe
PID 1936 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BaLMWvK.exe
PID 1936 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BaLMWvK.exe
PID 1936 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nZFLGnf.exe
PID 1936 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nZFLGnf.exe
PID 1936 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eVWJdId.exe
PID 1936 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eVWJdId.exe
PID 1936 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gkMSHoC.exe
PID 1936 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gkMSHoC.exe
PID 1936 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NabdSfH.exe
PID 1936 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NabdSfH.exe
PID 1936 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RcFOTMH.exe
PID 1936 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RcFOTMH.exe
PID 1936 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZXarzTp.exe
PID 1936 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZXarzTp.exe
PID 1936 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XTwkKQo.exe
PID 1936 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XTwkKQo.exe
PID 1936 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hbwyyFA.exe
PID 1936 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hbwyyFA.exe
PID 1936 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SiUPAeO.exe
PID 1936 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SiUPAeO.exe
PID 1936 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rFufkAx.exe
PID 1936 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rFufkAx.exe
PID 1936 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YFVmWYL.exe
PID 1936 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YFVmWYL.exe
PID 1936 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KpAggWA.exe
PID 1936 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KpAggWA.exe
PID 1936 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XpKyJpi.exe
PID 1936 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XpKyJpi.exe
PID 1936 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lLUrZGP.exe
PID 1936 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lLUrZGP.exe
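
The two tables above record the same sequence 21 times: the sample creates a seven-letter, mixed-case executable under C:\Windows\System and then writes into a new process whose image is that file. The script below is an added example (not part of the report or its sandbox) that correlates the two event types so a reviewer does not have to pair 21 file rows with 42 write rows by eye. It works on a subset of the rows above copied verbatim, plus one constructed benign file-create row; the naming heuristic and the treatment of C:\Windows\System as a legacy directory are the editor's assumptions about what makes a drop stand out, not conclusions the sandbox drew.

```python
import re
from typing import Dict, List

# Parent sample path exactly as the report prints it.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe")

# Subset of the "Drops file in Windows directory" rows above, plus one constructed
# benign row (a log file under ProgramData) that must not be flagged.
FILE_CREATED = [
    f"File created C:\\Windows\\System\\dioKWDf.exe {SAMPLE} N/A",
    f"File created C:\\Windows\\System\\dGkAbDO.exe {SAMPLE} N/A",
    f"File created C:\\Windows\\System\\bZWUChq.exe {SAMPLE} N/A",
    f"File created C:\\Windows\\System\\nAiXdkx.exe {SAMPLE} N/A",
    f"File created C:\\Windows\\System\\YFVmWYL.exe {SAMPLE} N/A",
    r"File created C:\ProgramData\app\debug.log C:\Windows\System32\notepad.exe N/A",  # constructed
]

# Subset of the "Suspicious use of WriteProcessMemory" rows above. The sandbox logs two
# writes per child (kept for dioKWDf and dGkAbDO); YFVmWYL.exe is deliberately omitted
# so the example has one dropped file that is never launched.
WRITES = [
    f"PID 1936 wrote to memory of 4972 N/A {SAMPLE} C:\\Windows\\System\\dioKWDf.exe",
    f"PID 1936 wrote to memory of 4972 N/A {SAMPLE} C:\\Windows\\System\\dioKWDf.exe",
    f"PID 1936 wrote to memory of 3400 N/A {SAMPLE} C:\\Windows\\System\\dGkAbDO.exe",
    f"PID 1936 wrote to memory of 3400 N/A {SAMPLE} C:\\Windows\\System\\dGkAbDO.exe",
    f"PID 1936 wrote to memory of 4824 N/A {SAMPLE} C:\\Windows\\System\\bZWUChq.exe",
    f"PID 1936 wrote to memory of 3144 N/A {SAMPLE} C:\\Windows\\System\\nAiXdkx.exe",
]

FILE_RE = re.compile(r"^File created (\S+) (\S+) \S+$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def drop_path_reasons(path: str) -> List[str]:
    """Reasons a created-file path looks like a malware drop (empty list means none)."""
    reasons: List[str] = []
    directory, _, name = path.rpartition("\\")
    lowered = directory.lower()
    # C:\Windows\System (not System32) is the legacy 16-bit directory; nothing in a
    # current Windows install places new executables there.
    if lowered == r"c:\windows\system":
        reasons.append("legacy_windows_system_dir")
    elif lowered.startswith(r"c:\windows"):
        reasons.append("windows_dir")
    stem, _, ext = name.rpartition(".")
    # Every drop in the report is seven letters with capitals scattered through the
    # name (dioKWDf, hbwyyFA, ...); a normally capitalised name such as Notepad.exe
    # does not match because it has no upper-case letter after the first position.
    if (ext.lower() == "exe" and re.fullmatch(r"[A-Za-z]{7}", stem)
            and any(c.isupper() for c in stem[1:]) and any(c.islower() for c in stem)):
        reasons.append("mixed_case_7_letter_name")
    return reasons


def find_drop_and_execute(file_lines: List[str], write_lines: List[str]) -> Dict[str, int]:
    """Map each dropped path to the PID of the process it was launched as.

    A file counts only if the process that created it is also the one writing into
    the new process whose image is that file, which is the drop-then-launch sequence
    the two tables above record. Duplicate write rows collapse to one entry.
    """
    created_by: Dict[str, str] = {}
    for line in file_lines:
        m = FILE_RE.match(line)
        if m:
            path, creator = m.groups()
            created_by[path.lower()] = creator.lower()
    executed: Dict[str, int] = {}
    for line in write_lines:
        m = WRITE_RE.match(line)
        if not m:
            continue
        _parent_pid, child_pid, parent, target = m.groups()
        if created_by.get(target.lower()) == parent.lower():
            executed.setdefault(target, int(child_pid))
    return executed


def summarize(file_lines: List[str], write_lines: List[str]) -> Dict[str, object]:
    """Executed drops, flagged-but-unlaunched drops (collect those from disk), parent PIDs."""
    executed = find_drop_and_execute(file_lines, write_lines)
    flagged = [m.group(1) for m in map(FILE_RE.match, file_lines)
               if m and drop_path_reasons(m.group(1))]
    parents = {int(m.group(1)) for m in map(WRITE_RE.match, write_lines) if m}
    return {
        "executed": executed,
        "flagged_not_executed": sorted(p for p in flagged if p not in executed),
        "parent_pids": sorted(parents),
    }


if __name__ == "__main__":
    for key, value in summarize(FILE_CREATED, WRITES).items():
        print(key, value)
```

Run it on the full tables and the "flagged_not_executed" list should be empty, since every one of the 21 drops has a matching write row; on the subset it names YFVmWYL.exe, which is the case a reviewer would otherwise miss: a dropped executable that is still on disk but never ran, so it never produced a memory dump.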

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\dioKWDf.exe

C:\Windows\System\dioKWDf.exe

C:\Windows\System\dGkAbDO.exe

C:\Windows\System\dGkAbDO.exe

C:\Windows\System\bZWUChq.exe

C:\Windows\System\bZWUChq.exe

C:\Windows\System\nAiXdkx.exe

C:\Windows\System\nAiXdkx.exe

C:\Windows\System\BxwHviW.exe

C:\Windows\System\BxwHviW.exe

C:\Windows\System\AYFVATx.exe

C:\Windows\System\AYFVATx.exe

C:\Windows\System\BaLMWvK.exe

C:\Windows\System\BaLMWvK.exe

C:\Windows\System\nZFLGnf.exe

C:\Windows\System\nZFLGnf.exe

C:\Windows\System\eVWJdId.exe

C:\Windows\System\eVWJdId.exe

C:\Windows\System\gkMSHoC.exe

C:\Windows\System\gkMSHoC.exe

C:\Windows\System\NabdSfH.exe

C:\Windows\System\NabdSfH.exe

C:\Windows\System\RcFOTMH.exe

C:\Windows\System\RcFOTMH.exe

C:\Windows\System\ZXarzTp.exe

C:\Windows\System\ZXarzTp.exe

C:\Windows\System\XTwkKQo.exe

C:\Windows\System\XTwkKQo.exe

C:\Windows\System\hbwyyFA.exe

C:\Windows\System\hbwyyFA.exe

C:\Windows\System\SiUPAeO.exe

C:\Windows\System\SiUPAeO.exe

C:\Windows\System\rFufkAx.exe

C:\Windows\System\rFufkAx.exe

C:\Windows\System\YFVmWYL.exe

C:\Windows\System\YFVmWYL.exe

C:\Windows\System\KpAggWA.exe

C:\Windows\System\KpAggWA.exe

C:\Windows\System\XpKyJpi.exe

C:\Windows\System\XpKyJpi.exe

C:\Windows\System\lLUrZGP.exe

C:\Windows\System\lLUrZGP.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
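
Most of the rows in the network table are the Windows 10 image talking to itself: reverse (PTR) lookups through the sandbox resolver and the Bing endpoints the shell contacts. The one destination the table never names, 3.120.209.58:8080, is reached six times over TCP without a preceding DNS query. The script below is an added example (not part of the report or its sandbox) that parses the table, including the rows that have no domain column, drops the background traffic and groups what is left by destination. The noise suffix list is the editor's assumption about this sandbox image and should be tuned per image; the report itself does not classify any of these connections.

```python
from typing import Dict, List, NamedTuple

# The behavioral2 network table above, verbatim. Rows with no resolved name have only
# three columns, which the parser has to handle.
NETWORK_TABLE = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
"""

# Background traffic assumed for this Windows 10 sandbox image (an assumption, not part
# of the report): PTR lookups the OS issues and the Bing endpoints the shell contacts.
# Filtering is by name, not by resolver, so an interesting DNS query still surfaces.
NOISE_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")
COMMON_PORTS = {53, 80, 443}


class Conn(NamedTuple):
    country: str
    dest: str
    domain: str   # empty when the sandbox recorded no name for the destination
    proto: str


def parse_table(text: str) -> List[Conn]:
    conns: List[Conn] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            conns.append(Conn(*parts))
        elif len(parts) == 3:   # country, destination, proto: direct-to-IP connection
            conns.append(Conn(parts[0], parts[1], "", parts[2]))
    return conns


def is_noise(conn: Conn) -> bool:
    return conn.domain.endswith(NOISE_SUFFIXES)


def suspicious_destinations(conns: List[Conn]) -> Dict[str, dict]:
    """Group the non-noise rows by destination and tag what makes each one stand out."""
    out: Dict[str, dict] = {}
    for c in conns:
        if is_noise(c):
            continue
        port = int(c.dest.rsplit(":", 1)[1])
        entry = out.setdefault(c.dest, {
            "count": 0, "country": c.country, "proto": c.proto,
            "direct_ip": c.domain == "",            # no DNS resolution preceded it
            "nonstandard_port": port not in COMMON_PORTS,
        })
        entry["count"] += 1
    return out


if __name__ == "__main__":
    for dest, info in suspicious_destinations(parse_table(NETWORK_TABLE)).items():
        print(dest, info)
```

The output is one entry, 3.120.209.58:8080 with count 6, direct_ip and nonstandard_port both set. That is a triage ranking, not an attribution: the report gives no payload for those sessions, so whether the port carries a beacon or a mining-pool connection has to come from the pcap, not from this table.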

Files

memory/1936-0-0x00007FF63B1F0000-0x00007FF63B541000-memory.dmp

memory/1936-1-0x000001E343020000-0x000001E343030000-memory.dmp

C:\Windows\System\dioKWDf.exe

MD5 39482f6df253b06f26e7df52b88f62cb
SHA1 844c011c8fe099a36ab0ff4bc2551d25e74fbe2f
SHA256 c74deb546ffb90e41fad9fac7cc03331b4e255623e687d7c58674f1493325b31
SHA512 81256c58df67a3eefd5386b02cf6a056f8c771f5d60fecfc4eaa1b0c57f53b55d656e5ffcb5f803ad397fb8d9e3ad994a316f9215c6346e2bd13c75df0ced48f

memory/4972-9-0x00007FF69E330000-0x00007FF69E681000-memory.dmp

C:\Windows\System\dGkAbDO.exe

MD5 5773764c26ed9d5368519c905ca756fa
SHA1 f118f48fbe73f3feec8c450590068ded5075f0d8
SHA256 d3d71e53d38c07d04278616853415b97dd24177803c7a9aee2071dcf1d27d0b1
SHA512 2506aa18df9c0d54058b9dc0575639cdf80fda76954e282c22ce07fb2f8f22591725690a1e1e05b53734d072aa39ff2a10fc80b587003f9ac516fdceb66e3583

memory/3144-34-0x00007FF712B60000-0x00007FF712EB1000-memory.dmp

C:\Windows\System\nZFLGnf.exe

MD5 2c1441bc0909cc8a0007c9468d4fe6a6
SHA1 47475b7decc703ad2248bfff39b8625b882bc9c2
SHA256 bbdfc2ba69408928a703b99571c92707f17b77c871c0f67688cdfeda70fe93ee
SHA512 c8ef2407a34d083bba08fde84a8fb826183b88ae6ad0c2bfdbf1e7bd2bafddd99e3ac089de056cf8942e3033e228d96fac4c250a9980edffd43573ad2f8a5eb6

C:\Windows\System\gkMSHoC.exe

MD5 9f3cac22287d5a7ca07391fe7eb5c48f
SHA1 589dca361830a0539bdb5eb411cc63a566e7d1d6
SHA256 cd7b723e1c256512923f36db40b97cc4a3ad3ef05713e7d87fd4625af3ee9a14
SHA512 d12fefe605a7415ebe739905ed4b897a267100ff044c6f1690e6a9c047359692ff51398959816a3e1a9501d84954634c27df311fea36011ce1adf9fc991aae76

C:\Windows\System\ZXarzTp.exe

MD5 1b190420d3e8e719fd17588b7dec41bb
SHA1 a575d19c2095919b3c81241cff683303b357d112
SHA256 027cb3972c5d368a50e2e1e32256de0d62ef73ecfae46bd0fef435e11092ef17
SHA512 8d5a2dbb42034721268e22a32c11970f50ed0f7683982d9d445b2e0f0d3ee43934d813efe9bb21d049400ba84c53cc111f0ca5d498edaab699c19a433039538a

C:\Windows\System\XTwkKQo.exe

MD5 4c94fe49795e0d6be48022ad8b5902db
SHA1 fa1143dcca5089d2f0d3818521bb7e18d33585fa
SHA256 acdb3d95cf30e1372c05adc7b4d2c957a74d1eb47145c9aeaeef91a173454e8e
SHA512 6f9d582bfa7112414a2c0c5727e077321ffcc296e214e76ceb5bdea49586a40846f896d0d652daab2efaa2e8f281a823248c330065760ab69959455e5dd8bd02

C:\Windows\System\XpKyJpi.exe

MD5 399e029107c74168559b21ac0d83efb5
SHA1 a6fcf4782af02f147a23d0850dfd8dc690f92970
SHA256 8077d2956bc4bb6905b71bc4b962c352c0eaf1ecd845042b6605d62573056a04
SHA512 f63c70b4226284fa5869fd34e8814770533721e0abab003e2e6f8013924e9de53d341633ec155fc8dbadda1878f8c69570ae978a92900b1d0a393789ea9e6bc6

C:\Windows\System\lLUrZGP.exe

MD5 c9f671b8a638c78c3bbb4d51ed34ec59
SHA1 c7e2ea688c6a6521c548d0a224240aa3c64ce024
SHA256 781f2605c85e391b04319f5cfebc3befca548084cd0488bbc29088d3ad4e81ad
SHA512 06240ed7eb9e8ce830998396d3bd7ea15f606b0f49014ec2a771a32795c2e00ba9a2df9810a9bae7fb3da79abf3e2306b2a374d1768011fdd6f7346b1a4eb940

C:\Windows\System\KpAggWA.exe

MD5 bf0c8bfd7f22e6ff8e552a28e862fe48
SHA1 c460ab22a49c17daeb088a99bb52e40d28b4368b
SHA256 34edd75c920861f68d0f7fdb6e67a6039859431bc673fcc8ef897447e77d3473
SHA512 8e64027e0fff581c3af3328f7e4bd0c57d66d0414486f2e4b9d3cca2444701ffca730f897afcff820e7d0d5da59669af70b87ae2e139e2a221d8d219ccbb2186

C:\Windows\System\YFVmWYL.exe

MD5 0dddfd823e31748767b1d701941e577a
SHA1 b64b12354b912d5aef54702e485970a63dffd64b
SHA256 afa9ecb554496dcbf700fe5c51b4e97013d0c0d262d40c81e6b917a21ae5c885
SHA512 f1c6213acace074511452636323e2be4207785140081670da2bbdf6dc04573626bbedf6bae42f9a3ed21ae88e1dee8c7ebfdfc294046b017222b8efc10f127a9

C:\Windows\System\rFufkAx.exe

MD5 ace24cf805a15e0d7b56efa9e90d2fc9
SHA1 02e838588072b89202c2617b031ead98bcae891f
SHA256 dc661e1cad58b100e8cbb1fdd4118ceab5606ba2efc15163c621f8a806f18bd1
SHA512 5a71b619d4c223cbbf61f1ddcf010d53173c34ce550f533ab5b9f530d6af00a1b04815abf6b438b1f891e5f956d47e253e57c71b5789d93b9f3b29149324bf96

memory/4820-100-0x00007FF6C1FA0000-0x00007FF6C22F1000-memory.dmp

C:\Windows\System\SiUPAeO.exe

MD5 2cfc7fc8fcd083ede56767e5de3838d2
SHA1 b406cf747831e78351df07ab4b655cd797f87ca7
SHA256 97b4c4f8d3c3a3896fc4a1f36f4c0b42823255a3c3e56d489783cf0cb335119e
SHA512 0981252e2a132711ab04c128bce674b96b3bcb43d16561a0c0ad947752b0939fa11ec48933d9bf070c21222cb2be7c6fb6d80d72e74336cf61c7f903d90a5455

C:\Windows\System\NabdSfH.exe

MD5 8bd0e9b54931884bb46b2d740a6514ef
SHA1 2ff2c8c63dd839afe3e7ae8990e370487e5fe1a7
SHA256 a510297fe96b37f880bef41578aff3c27ba0bc2e685d100999c2aef33c299f58
SHA512 1a1ec044228e933f7ab1f5a9854e56abbeba25f542af593b4f249473d7e7232fb137d1076e7ec0d5cb87f1fab481ff53933ce3b343915d52e139817825263f19

C:\Windows\System\RcFOTMH.exe

MD5 f48157a9adff1091b37d4c7e4db4d78d
SHA1 929f0598320fe66b20db7c4df6b3e6590ac1ff2f
SHA256 63d109f1f03ce774eeff23e3c9a43d23ebe939b5b949a55d5d247495e5419c92
SHA512 f1a5dd1826992362ac753aaa9aba83c3e88e90f9817227b2a52be51c7f89f6a1228d759347b0f42314d393c944075b554d5154842709a9886d1debb4287c0d72

memory/4928-82-0x00007FF730CE0000-0x00007FF731031000-memory.dmp

C:\Windows\System\hbwyyFA.exe

MD5 61cc04584aac211a6f70fa0b019b6536
SHA1 8ca7013c06a3a952c309a325242a0ab302a36b3b
SHA256 d52c9eed94e35ffb1ed46f5cdebefa0a94e64f0a0dcff49103cec498857c020c
SHA512 92752a680649b4acee36632c62788fff8296eac8fa7ca41e9be045348e66d6a97e2f910b768404aa49a6db8584a77a089e1d59e6e8710efc362fbce759a6bb4a

memory/2404-64-0x00007FF76E830000-0x00007FF76EB81000-memory.dmp

C:\Windows\System\eVWJdId.exe

MD5 0ef7f836c40f6a9ee72f186658caf266
SHA1 9e4fc784ad7e2ddd052c9052e6fab3cf72bf6364
SHA256 8c4a71c71b6287a6409ff7a6974d1f10afac0b0463c95163364361867fca8051
SHA512 e05956865482d3fcad12972da495192a93419239eb02f750e4270c1bb12b948e2c66aac8dbba17d1281a3bfe57d342cbc09adf0b4285275072e4b0486242119c

memory/2280-54-0x00007FF7D6940000-0x00007FF7D6C91000-memory.dmp

C:\Windows\System\BaLMWvK.exe

MD5 5c7a9eb27baf41bd10c0c59857ffc101
SHA1 6ce4e94ae9ee220c4a34188df0c3ce9a7706979a
SHA256 8f4eacc0cf2f7b41803b4dd9958535af711595b4011ef9692e4debfe1f0432f7
SHA512 351788bfa6be17ea411ac7558b8ff13854e223fb60542bc13e0422982adef715d6f5e5172b3d5e2ebe7440b82677a556d3b742e91ac211e03cdcef2a7ba502a1

C:\Windows\System\BxwHviW.exe

MD5 1fe3f4c70b409662980e63cc0528d7c4
SHA1 21dd63392fb55f454ee1ff5a257e887c30f0fb2d
SHA256 8e1032b3f9db429c87eb610c31c9625f84459dc93c50232b4d3fb1de896c73a1
SHA512 8b8cda9b0a427e7d3d666c3f7d5e6cc15c57a6c06e05362a7bfca30d1e067619ef7ce33fc21c93dbf61901c87a5ab7a8a5cadc5637f4145c916c63714d904b30

memory/1776-44-0x00007FF73F7C0000-0x00007FF73FB11000-memory.dmp

C:\Windows\System\nAiXdkx.exe

MD5 798776519caf580bc16b615ee42396a9
SHA1 b9701e5de037ba91c42b9de96c25047a1fcd9452
SHA256 92ff3dadcf213576eaa7242632b014853c985f0c268707894538a01543011480
SHA512 a80c597e217db1ee02cb9cf6e398a000709353119b28ace61995d04acbb8d6423e888012b6be5f7de0acd8f4342e7f7d98e31b2279394028bc3d9dc79e1f5e59

C:\Windows\System\AYFVATx.exe

MD5 b22a605671e71f6fec34da692835cf9b
SHA1 1aa09dbb8c804db873a5670e50b8cd8f0a3c243a
SHA256 481f85bbc6e57169403d8faf16ae5eb912442ce3d73296cae3102ef153a68d74
SHA512 3012b27527706ae376886db708dc603134437f63ec081787c1711c41ef47fb23c07df56d41e39dced3a688baba18d0249d4b51c55da70dff6f18b9fbc6637bf7

C:\Windows\System\bZWUChq.exe

MD5 7df7c44b2a73500f44936264e179d93e
SHA1 6b376badba3082a1e6290172d86031e4573ff1d1
SHA256 3a43c2916988b2563faf4fbfa69d9f0ba22cc1986e5b9c5e4d28e27b9fc1c3a0
SHA512 368b07f4cd468ac6a8299cf067c9f524d898c7d30b0acf3f552ddff6d6ad5d8c05214aa730eddc355bd3ea2f38d7b1a84ce0c5fd61100d80d730275bd8f9ee84

memory/4824-22-0x00007FF7A9AF0000-0x00007FF7A9E41000-memory.dmp

memory/3400-18-0x00007FF7AB900000-0x00007FF7ABC51000-memory.dmp

memory/1936-116-0x00007FF63B1F0000-0x00007FF63B541000-memory.dmp

memory/3400-118-0x00007FF7AB900000-0x00007FF7ABC51000-memory.dmp

memory/4824-119-0x00007FF7A9AF0000-0x00007FF7A9E41000-memory.dmp

memory/2280-124-0x00007FF7D6940000-0x00007FF7D6C91000-memory.dmp

memory/4276-131-0x00007FF67B6F0000-0x00007FF67BA41000-memory.dmp

memory/1828-133-0x00007FF778A50000-0x00007FF778DA1000-memory.dmp

memory/3856-132-0x00007FF68E310000-0x00007FF68E661000-memory.dmp

memory/1136-130-0x00007FF75E450000-0x00007FF75E7A1000-memory.dmp

memory/4928-129-0x00007FF730CE0000-0x00007FF731031000-memory.dmp

memory/876-128-0x00007FF611E40000-0x00007FF612191000-memory.dmp

memory/4820-127-0x00007FF6C1FA0000-0x00007FF6C22F1000-memory.dmp

memory/1076-126-0x00007FF7644A0000-0x00007FF7647F1000-memory.dmp

memory/2404-125-0x00007FF76E830000-0x00007FF76EB81000-memory.dmp

memory/4700-123-0x00007FF6DD5B0000-0x00007FF6DD901000-memory.dmp

memory/1476-121-0x00007FF6B6A80000-0x00007FF6B6DD1000-memory.dmp

memory/3144-120-0x00007FF712B60000-0x00007FF712EB1000-memory.dmp

memory/4972-117-0x00007FF69E330000-0x00007FF69E681000-memory.dmp

memory/2320-134-0x00007FF778510000-0x00007FF778861000-memory.dmp

memory/3048-137-0x00007FF68B4B0000-0x00007FF68B801000-memory.dmp

memory/4832-136-0x00007FF6472C0000-0x00007FF647611000-memory.dmp

memory/3444-135-0x00007FF691AE0000-0x00007FF691E31000-memory.dmp

memory/1936-138-0x00007FF63B1F0000-0x00007FF63B541000-memory.dmp

memory/1936-139-0x00007FF63B1F0000-0x00007FF63B541000-memory.dmp

memory/4972-191-0x00007FF69E330000-0x00007FF69E681000-memory.dmp

memory/3400-193-0x00007FF7AB900000-0x00007FF7ABC51000-memory.dmp

memory/4824-206-0x00007FF7A9AF0000-0x00007FF7A9E41000-memory.dmp

memory/1776-214-0x00007FF73F7C0000-0x00007FF73FB11000-memory.dmp

memory/3144-213-0x00007FF712B60000-0x00007FF712EB1000-memory.dmp

memory/4700-216-0x00007FF6DD5B0000-0x00007FF6DD901000-memory.dmp

memory/1136-228-0x00007FF75E450000-0x00007FF75E7A1000-memory.dmp

memory/2404-230-0x00007FF76E830000-0x00007FF76EB81000-memory.dmp

memory/876-232-0x00007FF611E40000-0x00007FF612191000-memory.dmp

memory/4820-234-0x00007FF6C1FA0000-0x00007FF6C22F1000-memory.dmp

memory/4928-224-0x00007FF730CE0000-0x00007FF731031000-memory.dmp

memory/1476-226-0x00007FF6B6A80000-0x00007FF6B6DD1000-memory.dmp

memory/1076-219-0x00007FF7644A0000-0x00007FF7647F1000-memory.dmp

memory/2280-223-0x00007FF7D6940000-0x00007FF7D6C91000-memory.dmp

memory/4276-221-0x00007FF67B6F0000-0x00007FF67BA41000-memory.dmp

memory/4832-243-0x00007FF6472C0000-0x00007FF647611000-memory.dmp

memory/1828-245-0x00007FF778A50000-0x00007FF778DA1000-memory.dmp

memory/3856-246-0x00007FF68E310000-0x00007FF68E661000-memory.dmp

memory/2320-241-0x00007FF778510000-0x00007FF778861000-memory.dmp

memory/3048-238-0x00007FF68B4B0000-0x00007FF68B801000-memory.dmp

memory/3444-236-0x00007FF691AE0000-0x00007FF691E31000-memory.dmp
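
The memory dump names in both Files sections encode PID, dump index and the start and end address of the region, and the same region is dumped several times. Parsing them shows something the listing hides: every image-sized region in both detonations is exactly 0x351000 bytes, the parent and all 21 children alike, and in behavioral1 PID 2032 holds several distinct ranges of that size, one of them (0x21A0000) well outside the image load range. The script below is an added example (not part of the report or its sandbox) that parses a subset of the dump names copied from the listings above, de-duplicates them, builds a size histogram and lists PIDs holding more than one range of the same size. Which dump to open first is the editor's triage heuristic; what those regions actually contain has to come from the dumps themselves.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Subset of the memory/ dump names from behavioral2 (PIDs 1936, 4972, 3400) and from
# behavioral1 (PIDs 2032, 2680) above, including the repeated dumps of one region.
DUMP_NAMES = """\
memory/1936-0-0x00007FF63B1F0000-0x00007FF63B541000-memory.dmp
memory/1936-1-0x000001E343020000-0x000001E343030000-memory.dmp
memory/4972-9-0x00007FF69E330000-0x00007FF69E681000-memory.dmp
memory/3400-18-0x00007FF7AB900000-0x00007FF7ABC51000-memory.dmp
memory/1936-116-0x00007FF63B1F0000-0x00007FF63B541000-memory.dmp
memory/4972-117-0x00007FF69E330000-0x00007FF69E681000-memory.dmp
memory/1936-138-0x00007FF63B1F0000-0x00007FF63B541000-memory.dmp
memory/2032-48-0x000000013F840000-0x000000013FB91000-memory.dmp
memory/2032-49-0x00000000021A0000-0x00000000024F1000-memory.dmp
memory/2032-85-0x00000000021A0000-0x00000000024F1000-memory.dmp
memory/2032-125-0x000000013FC40000-0x000000013FF91000-memory.dmp
memory/2680-86-0x000000013FD00000-0x0000000140051000-memory.dmp
"""

# Name layout: memory/<pid>-<dump index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


class Region(NamedTuple):
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dumps(text: str) -> List[Region]:
    regions: List[Region] = []
    for line in text.splitlines():
        m = DUMP_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            regions.append(Region(int(pid), int(idx), int(start, 16), int(end, 16)))
    return regions


def unique_regions(regions: List[Region]) -> List[Region]:
    """One entry per (pid, start, end); the sandbox dumps the same range repeatedly."""
    seen: Dict[tuple, Region] = {}
    for r in regions:
        seen.setdefault((r.pid, r.start, r.end), r)
    return sorted(seen.values())


def size_histogram(regions: List[Region]) -> Counter:
    return Counter(r.size for r in regions)


def same_size_multiples(regions: List[Region]) -> Dict[int, List[Region]]:
    """PIDs holding two or more distinct ranges of identical size.

    A range the size of the executable image at an address other than the image
    base is the first dump to open: it is where an in-memory copy or an unpacked
    payload would sit. This only ranks the dumps; confirming what a region holds
    needs the dump itself.
    """
    by_pid_size: Dict[tuple, List[Region]] = {}
    for r in regions:
        by_pid_size.setdefault((r.pid, r.size), []).append(r)
    out: Dict[int, List[Region]] = {}
    for (pid, _size), group in by_pid_size.items():
        if len(group) > 1:
            out.setdefault(pid, []).extend(group)
    return out


if __name__ == "__main__":
    uniq = unique_regions(parse_dumps(DUMP_NAMES))
    for size, n in size_histogram(uniq).most_common():
        print(f"size 0x{size:X}: {n} distinct region(s)")
    for pid, group in same_size_multiples(uniq).items():
        print(pid, [f"0x{r.start:X}" for r in group])
```

On the subset the histogram is seven regions of 0x351000 and one of 0x10000, and PID 2032 is the only process with several same-sized ranges. The addresses also tell the two platforms apart without reading the platform field: behavioral2 image regions sit in the 0x00007FF6xxxxxxxx to 0x00007FF7xxxxxxxx range where Windows 10 maps 64-bit executables, behavioral1 regions sit at 0x000000013Fxxxxxx, the Windows 7 range, and 0x21A0000 is in neither, which is why it ranks first.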