Malware Analysis Report

2025-08-06 02:05

Sample ID: 241027-hdan8awbqm
Target: 2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat
SHA256: 0cf3ef2b5d3a03e167031cf19840724f03214ba8cb1e9a59754fcfe2e5492e03
Tags: cobaltstrike xmrig 0 backdoor miner trojan upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 0cf3ef2b5d3a03e167031cf19840724f03214ba8cb1e9a59754fcfe2e5492e03

Threat Level: Known bad

The file 2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobalt Strike reflective loader
Cobaltstrike family
Cobaltstrike
xmrig
XMRig Miner payload
Xmrig family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-10-27 06:36

Signatures

Cobalt Strike reflective loader


Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-27 06:36
Reported: 2024-10-27 06:39
Platform: win7-20240903-en
Max time kernel: 142s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 hits recorded; every field N/A)

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(41 hits recorded; every field N/A)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
(21 identical rows; the loaded DLL paths are not recorded)

UPX packed file

upx
Description Indicator Process Target
(64 hits recorded; every field N/A)

Drops file in Windows directory

Description Indicator Process Target
(Process for every row: C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe; Indicator and Target: N/A)
File created C:\Windows\System\giCHNao.exe
File created C:\Windows\System\KZGpPCH.exe
File created C:\Windows\System\WlPwiDI.exe
File created C:\Windows\System\lyWLPoO.exe
File created C:\Windows\System\aNvEFfO.exe
File created C:\Windows\System\mScyrVQ.exe
File created C:\Windows\System\auceimw.exe
File created C:\Windows\System\BTeuGMf.exe
File created C:\Windows\System\kGPCbHm.exe
File created C:\Windows\System\YIwiDVC.exe
File created C:\Windows\System\xKXzxeU.exe
File created C:\Windows\System\eoqcsTs.exe
File created C:\Windows\System\dLeOTWK.exe
File created C:\Windows\System\lzGuYrd.exe
File created C:\Windows\System\vqdBgrO.exe
File created C:\Windows\System\vWvbGmR.exe
File created C:\Windows\System\ECkJcZu.exe
File created C:\Windows\System\qvkQGJj.exe
File created C:\Windows\System\LdJmUfT.exe
File created C:\Windows\System\evlPuaC.exe
File created C:\Windows\System\pfWrJyu.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(Process for every row: C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe; Indicator: N/A; each write is logged three times in the original report)
PID 2528 wrote to memory of 2256 -> C:\Windows\System\xKXzxeU.exe
PID 2528 wrote to memory of 1480 -> C:\Windows\System\ECkJcZu.exe
PID 2528 wrote to memory of 2200 -> C:\Windows\System\qvkQGJj.exe
PID 2528 wrote to memory of 2400 -> C:\Windows\System\LdJmUfT.exe
PID 2528 wrote to memory of 860 -> C:\Windows\System\mScyrVQ.exe
PID 2528 wrote to memory of 2776 -> C:\Windows\System\auceimw.exe
PID 2528 wrote to memory of 2712 -> C:\Windows\System\giCHNao.exe
PID 2528 wrote to memory of 2432 -> C:\Windows\System\evlPuaC.exe
PID 2528 wrote to memory of 2596 -> C:\Windows\System\BTeuGMf.exe
PID 2528 wrote to memory of 2584 -> C:\Windows\System\kGPCbHm.exe
PID 2528 wrote to memory of 2732 -> C:\Windows\System\pfWrJyu.exe
PID 2528 wrote to memory of 1248 -> C:\Windows\System\YIwiDVC.exe
PID 2528 wrote to memory of 1948 -> C:\Windows\System\eoqcsTs.exe
PID 2528 wrote to memory of 2856 -> C:\Windows\System\dLeOTWK.exe
PID 2528 wrote to memory of 1692 -> C:\Windows\System\vqdBgrO.exe
PID 2528 wrote to memory of 1976 -> C:\Windows\System\WlPwiDI.exe
PID 2528 wrote to memory of 304 -> C:\Windows\System\lzGuYrd.exe
PID 2528 wrote to memory of 1920 -> C:\Windows\System\vWvbGmR.exe
PID 2528 wrote to memory of 2876 -> C:\Windows\System\lyWLPoO.exe
PID 2528 wrote to memory of 2868 -> C:\Windows\System\KZGpPCH.exe
PID 2528 wrote to memory of 1628 -> C:\Windows\System\aNvEFfO.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe"

Each of the following was launched with a command line identical to its image path:
C:\Windows\System\xKXzxeU.exe
C:\Windows\System\ECkJcZu.exe
C:\Windows\System\qvkQGJj.exe
C:\Windows\System\LdJmUfT.exe
C:\Windows\System\mScyrVQ.exe
C:\Windows\System\auceimw.exe
C:\Windows\System\giCHNao.exe
C:\Windows\System\evlPuaC.exe
C:\Windows\System\BTeuGMf.exe
C:\Windows\System\kGPCbHm.exe
C:\Windows\System\pfWrJyu.exe
C:\Windows\System\YIwiDVC.exe
C:\Windows\System\eoqcsTs.exe
C:\Windows\System\dLeOTWK.exe
C:\Windows\System\vqdBgrO.exe
C:\Windows\System\WlPwiDI.exe
C:\Windows\System\lzGuYrd.exe
C:\Windows\System\vWvbGmR.exe
C:\Windows\System\lyWLPoO.exe
C:\Windows\System\KZGpPCH.exe
C:\Windows\System\aNvEFfO.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (no domain recorded) tcp
(6 identical connection entries)

Files


memory/1920-168-0x000000013F790000-0x000000013FAE1000-memory.dmp

memory/304-167-0x000000013F5A0000-0x000000013F8F1000-memory.dmp

memory/1976-166-0x000000013FB60000-0x000000013FEB1000-memory.dmp

memory/1692-165-0x000000013F700000-0x000000013FA51000-memory.dmp

memory/2868-171-0x000000013F950000-0x000000013FCA1000-memory.dmp

memory/1628-172-0x000000013F570000-0x000000013F8C1000-memory.dmp

memory/2528-173-0x000000013F8F0000-0x000000013FC41000-memory.dmp

memory/1480-227-0x000000013F0C0000-0x000000013F411000-memory.dmp

memory/2256-228-0x000000013F060000-0x000000013F3B1000-memory.dmp

memory/2400-231-0x000000013FB40000-0x000000013FE91000-memory.dmp

memory/2200-232-0x000000013F6D0000-0x000000013FA21000-memory.dmp

memory/860-234-0x000000013F300000-0x000000013F651000-memory.dmp

memory/2776-236-0x000000013FE80000-0x00000001401D1000-memory.dmp

memory/2432-244-0x000000013F5F0000-0x000000013F941000-memory.dmp

memory/2584-247-0x000000013FB50000-0x000000013FEA1000-memory.dmp

memory/2712-246-0x000000013FC20000-0x000000013FF71000-memory.dmp

memory/2732-249-0x000000013F540000-0x000000013F891000-memory.dmp

memory/1248-251-0x000000013FC80000-0x000000013FFD1000-memory.dmp

memory/2596-253-0x000000013FDF0000-0x0000000140141000-memory.dmp

memory/2856-264-0x000000013FE40000-0x0000000140191000-memory.dmp

memory/1948-266-0x000000013F790000-0x000000013FAE1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 06:36

Reported

2024-10-27 06:39

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 matches reported; description, indicator, process and target were not captured in this export: all N/A)

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(45 matches reported; description, indicator, process and target were not captured in this export: all N/A)

UPX packed file

upx
Description Indicator Process Target
(64 matches reported; description, indicator, process and target were not captured in this export: all N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\gDafbKx.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ozBMmoc.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jaiWjkb.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\moCTHqA.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wXDJfYR.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fYdIJAb.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QBXVDDS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JmrCQAc.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cpQuocK.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uKIysLq.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mIPqLPP.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\REEvpab.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HLxZxNg.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aPGTrEQ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gvidqzI.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hLFMPXQ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bsnFqyA.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GNvyzoj.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TZHSWgD.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qHLrMtQ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QcPciEV.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4492 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\REEvpab.exe
PID 4492 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\REEvpab.exe
PID 4492 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HLxZxNg.exe
PID 4492 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HLxZxNg.exe
PID 4492 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cpQuocK.exe
PID 4492 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cpQuocK.exe
PID 4492 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bsnFqyA.exe
PID 4492 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bsnFqyA.exe
PID 4492 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\moCTHqA.exe
PID 4492 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\moCTHqA.exe
PID 4492 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wXDJfYR.exe
PID 4492 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wXDJfYR.exe
PID 4492 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fYdIJAb.exe
PID 4492 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fYdIJAb.exe
PID 4492 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uKIysLq.exe
PID 4492 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uKIysLq.exe
PID 4492 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GNvyzoj.exe
PID 4492 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GNvyzoj.exe
PID 4492 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TZHSWgD.exe
PID 4492 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TZHSWgD.exe
PID 4492 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aPGTrEQ.exe
PID 4492 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aPGTrEQ.exe
PID 4492 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QBXVDDS.exe
PID 4492 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QBXVDDS.exe
PID 4492 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JmrCQAc.exe
PID 4492 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JmrCQAc.exe
PID 4492 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qHLrMtQ.exe
PID 4492 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qHLrMtQ.exe
PID 4492 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gDafbKx.exe
PID 4492 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gDafbKx.exe
PID 4492 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gvidqzI.exe
PID 4492 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gvidqzI.exe
PID 4492 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hLFMPXQ.exe
PID 4492 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hLFMPXQ.exe
PID 4492 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mIPqLPP.exe
PID 4492 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mIPqLPP.exe
PID 4492 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QcPciEV.exe
PID 4492 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QcPciEV.exe
PID 4492 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ozBMmoc.exe
PID 4492 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ozBMmoc.exe
PID 4492 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jaiWjkb.exe
PID 4492 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jaiWjkb.exe
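
The "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" tables above describe one chain: a single parent (PID 4492) creates 21 executables with seven-letter random names under C:\Windows\System and then writes into the memory of a freshly started process for each of them (each write is listed twice). The script below is an added example, not part of the sandbox report; it rebuilds that chain from rows in the report's own column format and flags the drop-then-spawn pattern. DROP_ROWS and WPM_ROWS are constructed subsets of the rows above, and the min_drops threshold is this example's assumption.

```python
"""Rebuild the drop-and-spawn chain from a sandbox run's signature rows.

Added example, not part of the sandbox report. DROP_ROWS and WPM_ROWS are
constructed subsets of the "Drops file in Windows directory" and "Suspicious
use of WriteProcessMemory" rows, in the report's own column order; the
min_drops threshold is this example's assumption.
"""
import re
from collections import defaultdict

PARENT = (r"C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c"
          r"_cobalt-strike_cobaltstrike_poet-rat.exe")
SYSTEM_DIR = r"C:\Windows\System" + "\\"

DROP_ROWS = [
    f"File created {SYSTEM_DIR}{name}.exe {PARENT} N/A"
    for name in ("gDafbKx", "ozBMmoc", "jaiWjkb", "REEvpab", "HLxZxNg", "cpQuocK")
]
# The report lists every write twice; the duplicates are kept here on purpose
# so the parser has to deduplicate them.
WPM_ROWS = [
    f"PID 4492 wrote to memory of {pid} N/A {PARENT} {SYSTEM_DIR}{name}.exe"
    for pid, name in ((4520, "REEvpab"), (4520, "REEvpab"), (1140, "HLxZxNg"),
                      (1140, "HLxZxNg"), (1728, "cpQuocK"), (1728, "cpQuocK"),
                      (3440, "gDafbKx"), (3440, "gDafbKx"))
]

DROP_RE = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+) \S+$")
WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ "
                    r"(?P<proc>\S+) (?P<target>\S+)$")
# Seven letters plus .exe: the naming scheme every dropped file in the report follows.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{7}\.exe$")
WINDOWS_PREFIX = "c:\\windows\\"


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_drops(rows):
    """Map each creating process image to the set of files it wrote."""
    drops = defaultdict(set)
    for row in rows:
        if m := DROP_RE.match(row):
            drops[m["proc"]].add(m["path"])
    return drops


def parse_wpm(rows):
    """Map (source pid, source image) to {target pid: target image}, deduplicated."""
    writes = defaultdict(dict)
    for row in rows:
        if m := WPM_RE.match(row):
            writes[(int(m["src"]), m["proc"])][int(m["dst"])] = m["target"]
    return writes


def triage(drop_rows, wpm_rows, min_drops=5):
    """Flag a process that drops random-named EXEs under the Windows directory
    and then writes into processes running those very files."""
    drops, writes = parse_drops(drop_rows), parse_wpm(wpm_rows)
    findings = []
    for (pid, proc), children in writes.items():
        dropped = drops.get(proc, set())
        random_named = {p for p in dropped
                        if p.lower().startswith(WINDOWS_PREFIX)
                        and RANDOM_NAME_RE.match(basename(p))}
        # Children whose image is one of the files this parent just wrote.
        spawned = {cpid for cpid, img in children.items() if img in dropped}
        findings.append({
            "parent_pid": pid,
            "parent": basename(proc),
            "dropped": len(dropped),
            "random_named_in_windows": len(random_named),
            "spawned_dropped": sorted(spawned),
            "suspicious": len(random_named) >= min_drops and bool(spawned),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(DROP_ROWS, WPM_ROWS):
        print(finding)
```

The same parser runs unchanged over the full row set above; the only thing to tune is min_drops, which is set low here because the constructed subset holds six of the 21 drops.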

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\REEvpab.exe

C:\Windows\System\REEvpab.exe

C:\Windows\System\HLxZxNg.exe

C:\Windows\System\HLxZxNg.exe

C:\Windows\System\cpQuocK.exe

C:\Windows\System\cpQuocK.exe

C:\Windows\System\bsnFqyA.exe

C:\Windows\System\bsnFqyA.exe

C:\Windows\System\moCTHqA.exe

C:\Windows\System\moCTHqA.exe

C:\Windows\System\wXDJfYR.exe

C:\Windows\System\wXDJfYR.exe

C:\Windows\System\fYdIJAb.exe

C:\Windows\System\fYdIJAb.exe

C:\Windows\System\uKIysLq.exe

C:\Windows\System\uKIysLq.exe

C:\Windows\System\GNvyzoj.exe

C:\Windows\System\GNvyzoj.exe

C:\Windows\System\TZHSWgD.exe

C:\Windows\System\TZHSWgD.exe

C:\Windows\System\aPGTrEQ.exe

C:\Windows\System\aPGTrEQ.exe

C:\Windows\System\QBXVDDS.exe

C:\Windows\System\QBXVDDS.exe

C:\Windows\System\JmrCQAc.exe

C:\Windows\System\JmrCQAc.exe

C:\Windows\System\qHLrMtQ.exe

C:\Windows\System\qHLrMtQ.exe

C:\Windows\System\gDafbKx.exe

C:\Windows\System\gDafbKx.exe

C:\Windows\System\gvidqzI.exe

C:\Windows\System\gvidqzI.exe

C:\Windows\System\hLFMPXQ.exe

C:\Windows\System\hLFMPXQ.exe

C:\Windows\System\mIPqLPP.exe

C:\Windows\System\mIPqLPP.exe

C:\Windows\System\QcPciEV.exe

C:\Windows\System\QcPciEV.exe

C:\Windows\System\ozBMmoc.exe

C:\Windows\System\ozBMmoc.exe

C:\Windows\System\jaiWjkb.exe

C:\Windows\System\jaiWjkb.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp
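
Most rows in the Network table are resolver traffic (PTR lookups of in-addr.arpa names and Bing hostnames), and the one destination with no domain, 3.120.209.58:8080 over TCP, recurs seven times. The script below is an added example, not part of the sandbox report: it parses rows in the table's column format, separates reverse-DNS and DNS noise from named and bare-IP endpoints, turns each in-addr.arpa name back into the address that was looked up, and counts repeats per bare-IP endpoint. NETWORK_ROWS is a constructed subset of the rows above, and the classification rules are this example's own assumptions, not the sandbox's.

```python
"""Triage a sandbox Network table: separate resolver noise from direct endpoints.

Added example, not part of the sandbox report. NETWORK_ROWS is a constructed
subset of the report's rows in its column order (Country, Destination, Domain,
Proto; Domain is absent for bare-IP rows). The classification rules are this
example's assumptions.
"""
import re
from collections import Counter

NETWORK_ROWS = """\
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """Yield one dict per well-formed row; the Domain column may be missing."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield {"cc": m["cc"], "ip": m["ip"], "port": int(m["port"]),
                   "domain": m["domain"], "proto": m["proto"]}


def ptr_target(domain):
    """'228.249.119.40.in-addr.arpa' -> '40.119.249.228' (the address looked up)."""
    labels = domain[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(labels))


def classify(row):
    if row["domain"] and row["domain"].endswith(".in-addr.arpa"):
        return "reverse-dns"
    if row["port"] == 53:
        return "dns"
    if row["domain"] is None:
        return "bare-ip"          # a connection with no name behind it
    return "named"


def triage(text):
    """Count each traffic class, list bare-IP endpoints with their repeat count
    and collect the addresses that were reverse-resolved."""
    kinds, bare, looked_up = Counter(), Counter(), set()
    for r in parse_rows(text):
        k = classify(r)
        kinds[k] += 1
        if k == "bare-ip":
            bare[(r["ip"], r["port"], r["proto"], r["cc"])] += 1
        elif k == "reverse-dns":
            looked_up.add(ptr_target(r["domain"]))
    return {"kinds": dict(kinds),
            "bare_ip_endpoints": dict(bare),
            "ptr_lookups": sorted(looked_up)}


if __name__ == "__main__":
    print(triage(NETWORK_ROWS))
```

Running it over the full table gives the same picture with larger counts: the bare-IP endpoint is the candidate to pivot on, while the PTR targets are what the host itself resolved and can be matched against the named destinations.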

Files

memory/4492-0-0x00007FF6CF400000-0x00007FF6CF751000-memory.dmp

memory/4492-1-0x00000239FAE70000-0x00000239FAE80000-memory.dmp

C:\Windows\System\REEvpab.exe

MD5 f72cbbbf686f81ebabc23252ac7aeb7b
SHA1 87098c09a2f829563841e118ec1efb288398f718
SHA256 0e4c733ad4d8c0bd6392065baeba831fa40198a0216e6e35938bbadeb690f852
SHA512 fe6df8794bde67896d38b563ffc84d0f18892f492e7120d7874e31d534f5d8a4e2a8a3e487e8d271ee80f9fc6ac8bbd36c6421820706e588cbe62e5dbcf7512b

memory/4520-7-0x00007FF734400000-0x00007FF734751000-memory.dmp

C:\Windows\System\cpQuocK.exe

MD5 905edd8c977a24a4a54272327e33d76d
SHA1 36387748787931d9b83d686ddf43dd697a96afe1
SHA256 a457e9d615583800831490ec65216a208ada7671f3f3383e1c0ab354d02e4700
SHA512 33bad3aded3495005c53461159d3bff9452585e0fa14dba5c368f78d3055f3f5203179e6492630633207e2cf7888c56b2ecb93b9faa8a465a8cebf50b316305a

C:\Windows\System\HLxZxNg.exe

MD5 c226c4a793e532cdddbcb6eab02e65ff
SHA1 48d06c9d3d6c09efacf2941ce94c7a10219684b5
SHA256 3a170fb3ea26aec8ef6992bf35bba6169413e8573b8e28828c42e92fbdb733d7
SHA512 252bc14c6e634dd9030a8e87249b2c42eb3d1c3af15a2bc68c1900367b501d62492335897d46a7ba51b19086058c9b7842d15b6a3789d2ae3537021afef9ffcc

memory/1140-12-0x00007FF737ED0000-0x00007FF738221000-memory.dmp

memory/1728-18-0x00007FF74A310000-0x00007FF74A661000-memory.dmp

memory/5020-24-0x00007FF7BDF90000-0x00007FF7BE2E1000-memory.dmp

C:\Windows\System\bsnFqyA.exe

MD5 14bf91da3603fd349bbba121711563d6
SHA1 4858e142b233c8931b95a3a427b2fdf94b83765f
SHA256 a4eb03c8520a239adb4eb50031ddc4465dd1f72c43fa5ac723239991d22b47ef
SHA512 e8d7d75f583c37e16177250f69843b6d14d9dda92610a7c7573547cc903947997dffa7226b087651800ae2daea52bb1b91405cafbe1d549d65073d77366bffe4

C:\Windows\System\moCTHqA.exe

MD5 7c426409871a0240fca054e04bdeefd7
SHA1 2c4964a4ff6d4ee2f867c30bd0a312fde8010c47
SHA256 87153fedc1ae604f1e8f91bdc43648eacceed42d072c3b12722a98e5dc986836
SHA512 e209b3f876d90dee7ef1f772df7d5f60530326f64a622f480aa92e733d266c1cb6858d3f0ca585d963d06590fb59f4734bdf75c078ff3d52527f5abc18daf950

memory/5028-29-0x00007FF7F73F0000-0x00007FF7F7741000-memory.dmp

C:\Windows\System\wXDJfYR.exe

MD5 5c15806a07c61df9d50ff0550d289a3c
SHA1 c38a4049cabc1d9b82542015e1f59ee88ec64a15
SHA256 ad19fee7173c6b17fb1d5b7224a68fb1ef9a651db67a8e496f8f3b504991f091
SHA512 26636242647ff7002623712ae2a25fb1d89478471b8510f201888d5c7ac7936046eba6d3b4fd070dc6232770f07da1b0bfd68bc6a5acbdd12add9e41e3253380

memory/4480-36-0x00007FF73A6E0000-0x00007FF73AA31000-memory.dmp

C:\Windows\System\uKIysLq.exe

MD5 80e8b9e21d517d54922ccd579c0be708
SHA1 6aee4de544e97e36134c1dc6c38ce681b15db545
SHA256 ceaa3dfb352966fc5d146eaa8654a5fe37e57cc8d109c7b4d15e46b807e65002
SHA512 7b745636846987e2c46e215dafac67edc92bf972c568cf334897611d736998d8ae57b6fad561d3cd2d422bec921f3b7dccc9f8b4688f149239b905d2f0d7f7d3

C:\Windows\System\GNvyzoj.exe

MD5 d1919ecff259ac1a2229e3eaec8782de
SHA1 2e5a06074b25cb410fc962ab71edce4068176cb6
SHA256 844cd34f68b5195a0ab4ac7391fe986946d5e3c0e9cff05108f417da837973e3
SHA512 2cafb29ca50fb91bff52bda82fc1d9b21fd0be64ca8ef0d9b2ea45885cd7c6cf84cebce3c28934532ce8a645808b6c51949ab4756160ed883242645baa7c01f3

memory/4520-54-0x00007FF734400000-0x00007FF734751000-memory.dmp

C:\Windows\System\TZHSWgD.exe

MD5 c5b64e1c51e0f8243f0028ba24a592ec
SHA1 55640b9098fd8c70a0c06f3639a22d35392a19a4
SHA256 8561678b78ab3e32b2820b2883fe9eb69b1d6390baebf131f24fbd2cada15b87
SHA512 a00b00c8d11ca190372b8fefa006b3a4d986c4fa71401ccbfd1de7e52bd5de0591e2917ec6e124237ae7dfcd970a0a933d7c1734a98d60f09905bc3204795718

memory/2672-64-0x00007FF7A5850000-0x00007FF7A5BA1000-memory.dmp

memory/1728-63-0x00007FF74A310000-0x00007FF74A661000-memory.dmp

memory/1140-62-0x00007FF737ED0000-0x00007FF738221000-memory.dmp

memory/4456-55-0x00007FF768F60000-0x00007FF7692B1000-memory.dmp

memory/4980-52-0x00007FF79F3F0000-0x00007FF79F741000-memory.dmp

memory/4492-48-0x00007FF6CF400000-0x00007FF6CF751000-memory.dmp

memory/3608-45-0x00007FF7F84A0000-0x00007FF7F87F1000-memory.dmp

C:\Windows\System\fYdIJAb.exe

MD5 87fab2e9d189500aff27ae2950946e42
SHA1 1e1ab35d64ef66c9b40b6d9c7c64aa2dee4a9e5e
SHA256 7e2b97e76f54ed393a37cbd9238693ec596c4db2db6d6941c6ef93d0dbeb8b08
SHA512 16a7f0749c15ddbbf8db0d2fa2c5bbb1c453b69cf2cae3f82d57badf407b5d294e9eb72383d1aa2df0daf6a44b098f9b77bcab49ea364ea8ce3e60470955ce43

C:\Windows\System\aPGTrEQ.exe

MD5 52675f4ab5ec8513ecf507c4655ddf78
SHA1 88d9bc40a590c61629d1f99e3976b6c5ca2666d8
SHA256 97652f2ea3c8997cdfd6651bb6792de47cf3793f9a5d3436572ff12d480246b8
SHA512 a4d462dc312fd877b21f0f009f8ec8995c11c8ef0158da0c185ca82739922e747ed279a0be005a8548ba3d302375a7ca22c8c1137c11c49c436198d3edb118f0

C:\Windows\System\QBXVDDS.exe

MD5 b3eed2f9b9ea32596f62d0d423013b16
SHA1 b5c01f9f5f4002c0dc1215a80b9ab88df9578050
SHA256 5f044e86bd5dc982d9c8420999581da80be04e22bf6014bb5ffd2051b4283671
SHA512 f755349df980420421e232b2795b1bbdddc81db068f2de19dcfd3a98b1f0ebd88f1b58d770d2abb2fef55ebefd2cf34d5ba693d8a805f1dd6df34cd1341e526b

memory/2780-77-0x00007FF767870000-0x00007FF767BC1000-memory.dmp

C:\Windows\System\JmrCQAc.exe

MD5 0e811e25105f06fd703efa76094a0172
SHA1 dc191ce7141d0fbac06b45fb56e56a51baedd8d1
SHA256 d5e68ae252262decf21e93f9225a7bf0d28e2931f76f7337082b0373dc2fd755
SHA512 e66de1ec15525152d9839136d36cbb275be84e879200d8f284029c30764bde31cdc5013f6e419008053afa6fa8f9e75cf718cf10335bd893ababd7fba38e0e9e

memory/3616-85-0x00007FF642050000-0x00007FF6423A1000-memory.dmp

C:\Windows\System\qHLrMtQ.exe

MD5 bdad01dd6d071e03cc2455a246989d10
SHA1 83729ffdab11661c3008387d16ec3ea016150193
SHA256 faf9df1e168f7916ef4920cea772288bc349227a51ab29eae0dbebfa0b0da30b
SHA512 ad216c516a3e82343e3f60aa87b3b7fe9d975ca70e9526c3e5a6ee5a8c53203f750be3294d74fe2578b10b3d1904dc0c2ff9023ba433e02a32e958f42f61617f

memory/4868-90-0x00007FF7CFC10000-0x00007FF7CFF61000-memory.dmp

memory/5028-83-0x00007FF7F73F0000-0x00007FF7F7741000-memory.dmp

memory/3648-75-0x00007FF75DD10000-0x00007FF75E061000-memory.dmp

memory/5020-71-0x00007FF7BDF90000-0x00007FF7BE2E1000-memory.dmp

C:\Windows\System\gDafbKx.exe

MD5 ef6109cccfca1d7c1191ca99413f1ee7
SHA1 10fca5f9b551c0220f63fb4368a0dcb15893acfd
SHA256 c54fc13d73d517517dbc77c6a31d815892bebd34785a89e6334f04ee98c00e40
SHA512 b05ad0be48c86fed176ea687f1a287467744b25ca69486dcf189720413c3928692180184af38308bb7d0791f685cd412df762ea996b3f022a62246a5dfedf06c

C:\Windows\System\gvidqzI.exe

MD5 5545fd5d54df4b4e9920dcf7b9402e18
SHA1 081113b1ccc72803bf213229241f02ae66533247
SHA256 4c8bbea5e8e3bc6912c4e317b90f555cab16c765a77f03c76d73169c0b0528d9
SHA512 3f8da1a573570300959f478ffdac77376da57882e141289394fcf522770f852771e35411029eae60cfffc049d77f129ad48795c98f9f5d745e0feb62e79f32ab

memory/4980-111-0x00007FF79F3F0000-0x00007FF79F741000-memory.dmp

memory/1112-113-0x00007FF796EE0000-0x00007FF797231000-memory.dmp

memory/3608-108-0x00007FF7F84A0000-0x00007FF7F87F1000-memory.dmp

memory/3440-107-0x00007FF77D890000-0x00007FF77DBE1000-memory.dmp

memory/4480-104-0x00007FF73A6E0000-0x00007FF73AA31000-memory.dmp

memory/3288-123-0x00007FF625010000-0x00007FF625361000-memory.dmp

C:\Windows\System\mIPqLPP.exe

MD5 36b8c4f1c36996fb3c1a722975fb3cc6
SHA1 e35f73f534b3b7581b37c0d3d84b80570361c033
SHA256 e5f2e79ec221efe355dddf4c0d7db9dd8555f1d9511e4fb69e224683fbdb90e1
SHA512 1888a905fbde245a96206e4ff61b0b6b8bab9634ecb54b035643f9bcf1a2b80b8470ff4e7190a6c1aa3861c98074526f9a44f3bc02e509fc9a3beb745d4d7fad

C:\Windows\System\QcPciEV.exe

MD5 789a05f9b6e8e7345afe1642e8d37d32
SHA1 c97e923274732b6ce834aeede176c5bb5b31f17d
SHA256 aa9985456e9723b411ee231494b3626c40e741aca0bceb6b105fbe09c6dda859
SHA512 54fb9b1a1043283dfe93bde18ff81088fd9b0faa2c399a9803bf7e2941d3b24654f67ffc385e28cd4d4542e4402b24c2778c08a647b99534bbe8e3caddd7b8ba

memory/2780-138-0x00007FF767870000-0x00007FF767BC1000-memory.dmp

C:\Windows\System\ozBMmoc.exe

MD5 edd7c433e42ee7473657fa3e6a9db27a
SHA1 63a7bad2107b5706474440b31ce480d41cecd7d9
SHA256 96ceb81fcc33d049947a10be5a002622a8c6e6ae1dc9cc58726393cc8f2ed4a1
SHA512 a23eb6a87fb0f7a6eff484599a3d90a02d0160febacd8db23dc8c0f4b2d57c013eeae8fb00d1dcd70af61ceb6b0ff48fb77338d9b309f12f9bf7b79fffdc49ab

memory/1640-139-0x00007FF725AF0000-0x00007FF725E41000-memory.dmp

memory/4924-132-0x00007FF6A72B0000-0x00007FF6A7601000-memory.dmp

memory/1388-126-0x00007FF6D4D90000-0x00007FF6D50E1000-memory.dmp

memory/2672-125-0x00007FF7A5850000-0x00007FF7A5BA1000-memory.dmp

memory/4456-120-0x00007FF768F60000-0x00007FF7692B1000-memory.dmp

C:\Windows\System\hLFMPXQ.exe

MD5 c4d1afaeacdfbb0bae4c3ce5f59f61a9
SHA1 4f2268e3993d127269307f29b64bbca21c8ee3c1
SHA256 0e8ba8f3352e52c6c808187866ed1157308c81423b26d769f15437bd8052f45a
SHA512 3176f6f63a8ddb3b9c5120717f7b4bb5ea82fa3d0e07620ddffc85de189b35f4698aca220f883eef04e59175ee6f055b86182495652d1b58fdb4478fcd99314a

memory/3160-152-0x00007FF6CFD80000-0x00007FF6D00D1000-memory.dmp

memory/4868-153-0x00007FF7CFC10000-0x00007FF7CFF61000-memory.dmp

memory/3616-150-0x00007FF642050000-0x00007FF6423A1000-memory.dmp

C:\Windows\System\jaiWjkb.exe

MD5 9b80ca68c41d236bee400b74bce759f6
SHA1 745e6d218103a5dde73da619c1ac7f5c3f05680f
SHA256 62a1cb7134826e3824d12f67b7df53b058778642c355c0b7d2d97409b70b8ff9
SHA512 902fdf43dde008fb753a59a9a53093cdbe7c4ef101713c811368c4c8bbd5c040bd92eeb937e81917cb0989bfe4ecddfa117a3c9e9f88a6afc96d070a996edf06

memory/4492-157-0x00007FF6CF400000-0x00007FF6CF751000-memory.dmp

memory/1112-159-0x00007FF796EE0000-0x00007FF797231000-memory.dmp

memory/1388-168-0x00007FF6D4D90000-0x00007FF6D50E1000-memory.dmp

memory/1640-171-0x00007FF725AF0000-0x00007FF725E41000-memory.dmp

memory/4924-173-0x00007FF6A72B0000-0x00007FF6A7601000-memory.dmp

memory/4492-183-0x00007FF6CF400000-0x00007FF6CF751000-memory.dmp

memory/4520-212-0x00007FF734400000-0x00007FF734751000-memory.dmp

memory/1140-214-0x00007FF737ED0000-0x00007FF738221000-memory.dmp

memory/1728-216-0x00007FF74A310000-0x00007FF74A661000-memory.dmp

memory/5020-218-0x00007FF7BDF90000-0x00007FF7BE2E1000-memory.dmp

memory/5028-223-0x00007FF7F73F0000-0x00007FF7F7741000-memory.dmp

memory/4480-234-0x00007FF73A6E0000-0x00007FF73AA31000-memory.dmp

memory/3608-236-0x00007FF7F84A0000-0x00007FF7F87F1000-memory.dmp

memory/2672-239-0x00007FF7A5850000-0x00007FF7A5BA1000-memory.dmp

memory/4456-242-0x00007FF768F60000-0x00007FF7692B1000-memory.dmp

memory/4980-241-0x00007FF79F3F0000-0x00007FF79F741000-memory.dmp

memory/3648-248-0x00007FF75DD10000-0x00007FF75E061000-memory.dmp

memory/2780-250-0x00007FF767870000-0x00007FF767BC1000-memory.dmp

memory/3616-252-0x00007FF642050000-0x00007FF6423A1000-memory.dmp

memory/4868-254-0x00007FF7CFC10000-0x00007FF7CFF61000-memory.dmp

memory/3440-259-0x00007FF77D890000-0x00007FF77DBE1000-memory.dmp

memory/1112-261-0x00007FF796EE0000-0x00007FF797231000-memory.dmp

memory/3288-267-0x00007FF625010000-0x00007FF625361000-memory.dmp

memory/1388-269-0x00007FF6D4D90000-0x00007FF6D50E1000-memory.dmp

memory/4924-271-0x00007FF6A72B0000-0x00007FF6A7601000-memory.dmp

memory/1640-273-0x00007FF725AF0000-0x00007FF725E41000-memory.dmp

memory/3160-275-0x00007FF6CFD80000-0x00007FF6D00D1000-memory.dmp
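
Two things stand out in the Files sections of both runs. Every dumped image region of the parent and of the spawned children spans 0x351000 bytes (for example 0x00007FF6CF400000-0x00007FF6CF751000 for PID 4492 here, and 0x000000013FB50000-0x000000013FEA1000 or 0x0000000002280000-0x00000000025D1000 in the behavioral1 list above), while every dropped file carries a different MD5/SHA-1/SHA-256. The script below is an added example, not part of the sandbox report; it parses entries written in the report's own notation, groups PIDs by region size and checks whether the dropped files are all distinct. FILE_ENTRIES is a constructed subset of the behavioral2 list above.

```python
"""Summarise a sandbox run's Files section: memory regions and dropped-file hashes.

Added example, not part of the sandbox report. FILE_ENTRIES is a constructed
subset of the behavioral2 "Files" list, copied in the report's notation
(memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp lines, and a path followed by
its hash lines).
"""
import re
from collections import defaultdict

FILE_ENTRIES = r"""
memory/4492-0-0x00007FF6CF400000-0x00007FF6CF751000-memory.dmp
memory/4492-1-0x00000239FAE70000-0x00000239FAE80000-memory.dmp
C:\Windows\System\REEvpab.exe
MD5 f72cbbbf686f81ebabc23252ac7aeb7b
SHA1 87098c09a2f829563841e118ec1efb288398f718
SHA256 0e4c733ad4d8c0bd6392065baeba831fa40198a0216e6e35938bbadeb690f852
memory/4520-7-0x00007FF734400000-0x00007FF734751000-memory.dmp
C:\Windows\System\cpQuocK.exe
MD5 905edd8c977a24a4a54272327e33d76d
SHA256 a457e9d615583800831490ec65216a208ada7671f3f3383e1c0ab354d02e4700
memory/1728-18-0x00007FF74A310000-0x00007FF74A661000-memory.dmp
memory/4520-54-0x00007FF734400000-0x00007FF734751000-memory.dmp
"""

REGION_RE = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
                       r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(?P<algo>MD5|SHA1|SHA256|SHA512) (?P<hex>[0-9a-f]+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_entries(text):
    """Return (regions, hashes): regions as dicts with pid/seq/start/end/size,
    hashes as {path: {algo: hexdigest}}."""
    regions, hashes, current = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := REGION_RE.match(line):
            start, end = int(m["start"], 16), int(m["end"], 16)
            regions.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                            "start": start, "end": end, "size": end - start})
            current = None  # hash lines only ever follow a path line directly
        elif m := HASH_RE.match(line):
            if current is not None:
                hashes[current][m["algo"]] = m["hex"]
        elif PATH_RE.match(line):
            current = line
            hashes.setdefault(current, {})
    return regions, hashes


def regions_by_size(regions):
    """Group pids by the size of the dumped region; the same size across the
    parent and every child means the same PE image layout was mapped."""
    by_size = defaultdict(set)
    for r in regions:
        by_size[r["size"]].add(r["pid"])
    return dict(by_size)


def summarize(text):
    regions, hashes = parse_entries(text)
    by_size = regions_by_size(regions)
    image_size = max(by_size, key=lambda s: len(by_size[s]))
    sha256s = {h["SHA256"] for h in hashes.values() if "SHA256" in h}
    return {
        "image_size": image_size,
        "pids_sharing_image_size": sorted(by_size[image_size]),
        "dropped_files": len(hashes),
        "unique_sha256": len(sha256s),
        "all_files_distinct": len(sha256s) == len(hashes),
    }


if __name__ == "__main__":
    s = summarize(FILE_ENTRIES)
    print(f"image size 0x{s['image_size']:X} shared by pids {s['pids_sharing_image_size']}")
    print(f"{s['dropped_files']} dropped files, {s['unique_sha256']} distinct SHA-256")
```

Identical region sizes with distinct file hashes is the combination to look for when deciding whether the dropped files are one payload re-emitted with per-copy variation rather than several different tools; the hash set this script collects is also the per-file IOC list to export.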