Malware Analysis Report

2025-08-06 02:05

Sample ID 241027-hhlmaavdpb
Target 2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat
SHA256 25476d0e8bc30105d04b4cbebb6f35bfd67aab9a3f3ec39c0d5d5d28ac871d14
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

25476d0e8bc30105d04b4cbebb6f35bfd67aab9a3f3ec39c0d5d5d28ac871d14

Threat Level: Known bad

The file 2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Xmrig family

Cobaltstrike family

xmrig

Cobaltstrike

Cobalt Strike reflective loader

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-10-27 06:44

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
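The two static signatures above ("UPX packed file" and "Unsigned PE") fire without recording an indicator, so it is worth knowing how to reproduce both from the PE headers alone. The following is an added example, not code from the sandbox or from the report: it walks the MZ/PE/COFF/optional headers with the standard library only, flags UPX by the UPX0/UPX1 section names and, as a fallback for builds with renamed sections, by the empty first section plus the "UPX!" pack-header marker that stock UPX leaves behind, and reads data directory entry 4 (the Authenticode certificate table) to decide whether any signature is present at all. The two binaries it inspects are constructed in memory to mimic a 64-bit layout; they are not the report's file.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECURITY_DIR_INDEX = 4   # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table


def parse_pe(data: bytes) -> dict:
    """Walk MZ -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%X" % magic)
    # The data directory array starts at offset 96 (PE32) or 112 (PE32+) of the optional header.
    dd_base = opt + (112 if magic == PE32PLUS_MAGIC else 96)
    cert_rva, cert_size = struct.unpack_from("<II", data, dd_base + 8 * SECURITY_DIR_INDEX)
    sections, table = [], opt + opt_size
    for i in range(nsections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"machine": machine, "magic": magic, "sections": sections,
            "cert_table": (cert_rva, cert_size)}


def is_upx_packed(pe: dict, data: bytes) -> bool:
    """Stock UPX names its sections UPX0/UPX1 and gives the first one no raw data (it is only
    address space reserved for the unpacked image). A build with renamed sections keeps that
    empty-first-section layout and the 'UPX!' marker in the header area, so check both."""
    if any(s["name"].startswith("UPX") for s in pe["sections"]):
        return True
    first = pe["sections"][0] if pe["sections"] else None
    empty_first = bool(first and first["raw_size"] == 0 and first["virtual_size"] > 0)
    return empty_first and b"UPX!" in data[:0x1000]


def is_signed(pe: dict) -> bool:
    """A populated certificate table means Authenticode data is present. Presence is not
    validity: the signature still has to be verified against a trusted chain."""
    rva, size = pe["cert_table"]
    return rva != 0 and size != 0


def static_signatures(data: bytes) -> dict:
    pe = parse_pe(data)
    return {"upx": is_upx_packed(pe, data),
            "unsigned": not is_signed(pe),
            "sections": [s["name"] for s in pe["sections"]]}


def build_sample(section_names, signed: bool) -> bytes:
    """Constructed 64-bit PE with just enough header to drive the checks above (not the report's file)."""
    opt_size = 240                                         # PE32+ optional header with 16 data directories
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew -> PE header at offset 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX, 0x5000, 0x1800)
    table = b""
    for i, name in enumerate(section_names):
        raw_size = 0 if (i == 0 and name.startswith("UPX")) else 0x1000
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             0x351000 if i == 0 else 0x1000, 0x1000 * (i + 1),
                             raw_size, 0x400 * (i + 1), 0, 0, 0, 0, 0xE0000040)
    image = dos + b"PE\0\0" + coff + bytes(opt) + table
    return image + b"UPX!" if section_names[0].startswith("UPX") else image


UPX_SAMPLE = build_sample(["UPX0", "UPX1", ".rsrc"], signed=False)
PLAIN_SAMPLE = build_sample([".text", ".rdata", ".data"], signed=True)

if __name__ == "__main__":
    for label, blob in (("upx, unsigned", UPX_SAMPLE), ("plain, signed", PLAIN_SAMPLE)):
        print(label, "->", static_signatures(blob))
```

Run against a real sample, `static_signatures(open(path, "rb").read())` gives the same two verdicts the static1 pass reports here. The fallback matters in practice: overwriting the UPX0/UPX1 names in the section table is a common one-byte evasion, but it leaves the zero-sized first section and the "UPX!" marker in place, so the heuristic still fires.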

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 06:44

Reported

2024-10-27 06:46

Platform

win7-20241023-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 matches, all fields N/A (no description, indicator, process or target recorded for this rule)

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
43 matches, all fields N/A (no description, indicator, process or target recorded for this rule)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A (21 identical events; only the loading process is recorded)

UPX packed file

upx
Description Indicator Process Target
64 matches, all fields N/A (no description, indicator, process or target recorded for this rule)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\CEwlwrr.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DnoeiQa.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\npviuaS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fQatnDL.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ndcMFbn.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KcsGaGr.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zEJKxbB.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PeuyzFE.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hzgAzzF.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CtlJZgI.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\btLndnr.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qccQXQx.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RXThbFM.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VWtMnGB.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wKwjVrG.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WRccnXE.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\clDqlub.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PCRZOXO.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xPaHSYa.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sowPrZc.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aRmmTRA.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2320 wrote to memory of 2080 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VWtMnGB.exe
PID 2320 wrote to memory of 2572 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aRmmTRA.exe
PID 2320 wrote to memory of 1924 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zEJKxbB.exe
PID 2320 wrote to memory of 2304 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CEwlwrr.exe
PID 2320 wrote to memory of 3048 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PCRZOXO.exe
PID 2320 wrote to memory of 1800 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PeuyzFE.exe
PID 2320 wrote to memory of 2936 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xPaHSYa.exe
PID 2320 wrote to memory of 2728 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sowPrZc.exe
PID 2320 wrote to memory of 2960 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hzgAzzF.exe
PID 2320 wrote to memory of 2760 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DnoeiQa.exe
PID 2320 wrote to memory of 2664 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\npviuaS.exe
PID 2320 wrote to memory of 2616 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wKwjVrG.exe
PID 2320 wrote to memory of 2440 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CtlJZgI.exe
PID 2320 wrote to memory of 848 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fQatnDL.exe
PID 2320 wrote to memory of 2712 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ndcMFbn.exe
PID 2320 wrote to memory of 1908 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\btLndnr.exe
PID 2320 wrote to memory of 2840 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qccQXQx.exe
PID 2320 wrote to memory of 2096 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KcsGaGr.exe
PID 2320 wrote to memory of 2056 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RXThbFM.exe
PID 2320 wrote to memory of 2980 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WRccnXE.exe
PID 2320 wrote to memory of 1964 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\clDqlub.exe
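The three behavioural signatures above (Drops file in Windows directory, Executes dropped EXE, Suspicious use of WriteProcessMemory) describe one pattern: a binary running from the user's Temp folder writes a burst of seven-letter, randomly named executables into C:\Windows\System (the legacy 16-bit directory, not System32, which legitimate software almost never writes to), launches each one, and writes into the child's memory. The following is an added detection example, not part of the sandbox report, that correlates Sysmon-style events by dropper PID: file creates (Event ID 11) into that directory, process creates (Event ID 1) whose image is one of the dropped files, and process-access events (Event ID 10) whose access mask includes PROCESS_VM_WRITE, the closest Sysmon proxy for WriteProcessMemory, which Sysmon does not log directly. The event records, the MIN_DROPS threshold and the benign noise rows are constructed and assumed; the PIDs and paths follow the process tree recorded above.

```python
import re
from collections import defaultdict

DROP_DIR = "c:\\windows\\system\\"             # legacy 16-bit directory, distinct from System32
RANDOM_EXE = re.compile(r"^[A-Za-z]{7}\.exe$")  # seven letters of mixed case, as in VWtMnGB.exe
PROCESS_VM_WRITE = 0x0020                      # access-mask bit WriteProcessMemory needs on the handle
MIN_DROPS = 3                                  # assumed threshold: one drop is an installer, a burst is a dropper


def in_drop_dir(path: str) -> bool:
    """True for a file directly inside C:\\Windows\\System (no deeper subdirectory)."""
    p = path.lower()
    return p.startswith(DROP_DIR) and "\\" not in p[len(DROP_DIR):]


def detect_system_dir_dropper(events):
    """Correlate by dropper PID: EID 11 creates into C:\\Windows\\System, EID 1 children launched
    from there, EID 10 handles opened on those children with VM write access."""
    drops, children, vm_writes = defaultdict(list), defaultdict(list), defaultdict(set)
    for ev in events:
        eid = ev["EventID"]
        if eid == 11:
            target = ev["TargetFilename"]
            if in_drop_dir(target) and RANDOM_EXE.match(target.rsplit("\\", 1)[-1]):
                drops[ev["ProcessId"]].append(target)
        elif eid == 1 and in_drop_dir(ev["Image"]):
            children[ev["ParentProcessId"]].append((ev["ProcessId"], ev["Image"]))
        elif eid == 10 and int(ev["GrantedAccess"], 16) & PROCESS_VM_WRITE:
            vm_writes[ev["SourceProcessId"]].add(ev["TargetProcessId"])

    alerts = []
    for pid, files in drops.items():
        dropped = {f.lower() for f in files}
        executed = [(cpid, img) for cpid, img in children.get(pid, []) if img.lower() in dropped]
        if len(dropped) >= MIN_DROPS and executed:
            child_pids = {cpid for cpid, _ in executed}
            alerts.append({
                "dropper_pid": pid,
                "dropped": sorted(dropped),
                "executed": sorted(img for _, img in executed),
                "vm_write_targets": sorted(child_pids & vm_writes.get(pid, set())),
            })
    return alerts


DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe")


def _create(pid, image, target):
    return {"EventID": 11, "ProcessId": pid, "Image": image, "TargetFilename": target}


def _spawn(pid, ppid, image, parent):
    return {"EventID": 1, "ProcessId": pid, "ParentProcessId": ppid, "Image": image, "ParentImage": parent}


def _access(src, dst, mask):
    return {"EventID": 10, "SourceProcessId": src, "TargetProcessId": dst, "GrantedAccess": mask}


# Constructed Sysmon-like events following the report's process tree, plus benign noise.
SAMPLE_EVENTS = [
    _create(2320, DROPPER, r"C:\Windows\System\VWtMnGB.exe"),
    _create(2320, DROPPER, r"C:\Windows\System\aRmmTRA.exe"),
    _create(2320, DROPPER, r"C:\Windows\System\zEJKxbB.exe"),
    _create(2320, DROPPER, r"C:\Windows\System\CEwlwrr.exe"),
    _spawn(2080, 2320, r"C:\Windows\System\VWtMnGB.exe", DROPPER),
    _spawn(2572, 2320, r"C:\Windows\System\aRmmTRA.exe", DROPPER),
    _access(2320, 2080, "0x1FFFFF"),   # PROCESS_ALL_ACCESS includes VM write
    _access(2320, 2572, "0x1400"),     # query-only handle: must not count as a write
    _create(900, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\Tasks\Update"),
    _create(1500, r"C:\Program Files\Vendor\setup.exe", r"C:\Windows\System\vendor.dll"),
]

if __name__ == "__main__":
    for alert in detect_system_dir_dropper(SAMPLE_EVENTS):
        print(alert)
```

The rule deliberately requires both the burst of file creates and at least one of those files being executed as a child, so a single legitimate installer dropping one file into C:\Windows\System does not alert; the VM-write handles are reported as corroboration rather than required, because most Sysmon configurations filter Event ID 10 heavily.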

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\VWtMnGB.exe

C:\Windows\System\VWtMnGB.exe

C:\Windows\System\aRmmTRA.exe

C:\Windows\System\aRmmTRA.exe

C:\Windows\System\zEJKxbB.exe

C:\Windows\System\zEJKxbB.exe

C:\Windows\System\CEwlwrr.exe

C:\Windows\System\CEwlwrr.exe

C:\Windows\System\PCRZOXO.exe

C:\Windows\System\PCRZOXO.exe

C:\Windows\System\PeuyzFE.exe

C:\Windows\System\PeuyzFE.exe

C:\Windows\System\xPaHSYa.exe

C:\Windows\System\xPaHSYa.exe

C:\Windows\System\sowPrZc.exe

C:\Windows\System\sowPrZc.exe

C:\Windows\System\hzgAzzF.exe

C:\Windows\System\hzgAzzF.exe

C:\Windows\System\DnoeiQa.exe

C:\Windows\System\DnoeiQa.exe

C:\Windows\System\npviuaS.exe

C:\Windows\System\npviuaS.exe

C:\Windows\System\wKwjVrG.exe

C:\Windows\System\wKwjVrG.exe

C:\Windows\System\CtlJZgI.exe

C:\Windows\System\CtlJZgI.exe

C:\Windows\System\fQatnDL.exe

C:\Windows\System\fQatnDL.exe

C:\Windows\System\ndcMFbn.exe

C:\Windows\System\ndcMFbn.exe

C:\Windows\System\btLndnr.exe

C:\Windows\System\btLndnr.exe

C:\Windows\System\qccQXQx.exe

C:\Windows\System\qccQXQx.exe

C:\Windows\System\KcsGaGr.exe

C:\Windows\System\KcsGaGr.exe

C:\Windows\System\RXThbFM.exe

C:\Windows\System\RXThbFM.exe

C:\Windows\System\WRccnXE.exe

C:\Windows\System\WRccnXE.exe

C:\Windows\System\clDqlub.exe

C:\Windows\System\clDqlub.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp (6 connections)

Files

memory/2320-0-0x000000013FE30000-0x0000000140181000-memory.dmp

memory/2320-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\VWtMnGB.exe

MD5 bba9377d72745cd8b306f780adf44315
SHA1 36a5f6f6a99419efae6f0f87e0355a8634ddf43c
SHA256 4e9fdef7f6c88799ecabe27198c6ecbb3473e42e6bb6f6ba938a1490da99be06
SHA512 a970ef5a5ef8f25e44c7de4ae7d6e241e1edd8ad38df452943c44bbb39098833ecf2c8658b7d825bf27738a8f6ac6ba3231e6c0944d1d4a5dde1eabf11c5ce0b

\Windows\system\aRmmTRA.exe

MD5 e85e663f8bde30a61870682577e1f2d3
SHA1 c5be3b44941aae73747137c0766b2d328a38eefa
SHA256 45bab920ba83d986d176ea15a52b87c9ebb048dba74aec664aaef01d81a6b167
SHA512 cbb9490340997e2cdced00187f6ba2de521afd041afee9db05945e6bdfb060138276972735200fa16d1af4296def1b5ebb035a50c6b7c29c6659d3739f0454f0

memory/2320-16-0x000000013FA20000-0x000000013FD71000-memory.dmp

\Windows\system\CEwlwrr.exe

MD5 8497d754fcf5311238c021680dc72b41
SHA1 7b27828a0ff1760311f8acf782cfa985f887cfeb
SHA256 1d4dfd65d7f4edc16298321e2f855f0176c8f9154caf877623c8c5824dd298b8
SHA512 44d2e83d7a601abc755a84cec83c79de8a35eb40cd62e8ec3a67f0db2fe42be0831d49f18f1467fbaef38d24bd1b82b2cc17585bae81793768fddb0c752d8253

memory/2320-28-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

C:\Windows\system\zEJKxbB.exe

MD5 83583e03634beb31b9c5f87a70b0fb44
SHA1 b4d3528258d816f84ab055639b74f3ca3da3ed74
SHA256 f09676004c55d6c11d781298b6a4d212f27feace4b65377296f5e4c880f82cd1
SHA512 94e947d32ecb0916984ce2c16d61cdc27983a2cae2a57532209187c441caa8ce4da20b4e338dce1c210a0aa669c9ce1d5bea791beb4ae43cf0130af3bb4e8626

memory/2304-27-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

memory/1924-24-0x000000013F660000-0x000000013F9B1000-memory.dmp

memory/2572-14-0x000000013FA20000-0x000000013FD71000-memory.dmp

\Windows\system\PeuyzFE.exe

MD5 3bc41bc1d6181af5e821ea3cc24627b7
SHA1 3e5329745b29302d2a50ce58316e9705d1bfdedd
SHA256 54d533c853b67c0361519458771bdc8fb4254187e5a979ff16d5cbe73a1dbb6f
SHA512 3734dfcd0b060c0910dd29b2a2fa07ecc8736704abd1c39c57adad0c927d257a227c906d4f46de70ebc596fcace97df163b8b434e2e4a2bade686bdfdb085181

memory/2320-40-0x000000013FE30000-0x0000000140181000-memory.dmp

memory/3048-34-0x000000013FB90000-0x000000013FEE1000-memory.dmp

C:\Windows\system\PCRZOXO.exe

MD5 8b8bc9d56c117132540d03dfa90e4e19
SHA1 13b607c9a44154ca2cec08f7548cde83dee6bfbf
SHA256 e62f7e0b90de5bde8900912b3354ca938a9b73429bb31a4183ee7201327dc28a
SHA512 0e4372db586eff6201b13c5e17454777637c3426c378abb535362f0cea01c596ce0d4cb5e5c461f49d58e346c7c320b63fff530bf025095110300dfcc48b85c3

memory/2320-30-0x00000000022D0000-0x0000000002621000-memory.dmp

memory/1800-41-0x000000013FF50000-0x00000001402A1000-memory.dmp

memory/2320-37-0x00000000022D0000-0x0000000002621000-memory.dmp

memory/2080-13-0x000000013F930000-0x000000013FC81000-memory.dmp

memory/2320-50-0x000000013F6E0000-0x000000013FA31000-memory.dmp

\Windows\system\xPaHSYa.exe

MD5 05f9dbc43ae2192b4e2982cc178bcd44
SHA1 23916f26dc257548899019ac8be93207457da61a
SHA256 7261026b82fd53600dc0a185b6730d86db17ee7716f430e63b2a7ba5e9b92b3b
SHA512 094a9e394b90254bc4e4ce5d02577fccaad91bb56a0b69ca9a01d443622689fed910d7f7f1d874c7f81f5c9e2fcf74fb9eaca6f058942c4b95b37ccb08b5090d

memory/2936-48-0x000000013F490000-0x000000013F7E1000-memory.dmp

memory/2080-44-0x000000013F930000-0x000000013FC81000-memory.dmp

\Windows\system\sowPrZc.exe

MD5 8e93280a751e79b18e8928ae815eb522
SHA1 cc73c249e17bc32e37eb9bfba185943752666b89
SHA256 15aa174bda50c68ee2e57712f299b4e73d737eb0cd7d109fcc87f30c2b20a009
SHA512 066a6d2aa63d3f9b4eb18bed82a72f0efad004c6d0d49d7029fc297e2630717b0ada46ee2bc9c419af654f5efee07a1a1c4f8abb5f4c64510ec751b7a8edbbf5

memory/1924-55-0x000000013F660000-0x000000013F9B1000-memory.dmp

memory/2728-56-0x000000013F6E0000-0x000000013FA31000-memory.dmp

memory/2304-59-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

memory/3048-68-0x000000013FB90000-0x000000013FEE1000-memory.dmp

memory/2320-72-0x00000000022D0000-0x0000000002621000-memory.dmp

\Windows\system\wKwjVrG.exe

MD5 62e60f26087f6677eb2a5d4a5c62e626
SHA1 06e05340a7ba0b48ee22b62238cb33459656d3e1
SHA256 39125a7ee5dabc16d1d52848fc77739476907c930ba8b3ef87f2e4b664d0d5ec
SHA512 8c26ebea1f93e18536d1908b463941fb7e2005452ddb525b87857ec6891cdc74c6d14fed307ceeb2d629e91062c55aa53aa17e2ebc257d45ab5373e74435c036

C:\Windows\system\hzgAzzF.exe

MD5 3ee0d1cbd13179c61d358709bd6fb716
SHA1 85ab74e07da2f9308fc159f556415ac83129c348
SHA256 4ab5795805562eb41ea4a74f0e4b00269a311872096e8c52fce7a8260133837f
SHA512 3fc38349eb1514244aa857a91c2b8525f37c2b011d57bc407982977129594833b6aee450813541d1a8897334ac06c621104afa427ac9dd01ca5c4d3dfa3e1aa4

\Windows\system\npviuaS.exe

MD5 d1eea845370eed2c614cbfb0ba8d3bd8
SHA1 aeb4b00dbd036c6a1ff91d00e44ff7e66f8afb9b
SHA256 6144b8fca8a46d6e863524561fa0d8fc93260bbd49b2f4558a82c14e93ffe89a
SHA512 3fbdca41b429ec8d014ff920002ef4a9b55e117ba49d5061fd92abb925c4ba56cd6e1e7c4e5ee58a5ce7915ca9b77825c4c53c014ee7c60001d9fd346b08946f

memory/2616-88-0x000000013F290000-0x000000013F5E1000-memory.dmp

memory/1800-86-0x000000013FF50000-0x00000001402A1000-memory.dmp

\Windows\system\CtlJZgI.exe

MD5 188c04d3eef156c9bd6103d77b6d8ef8
SHA1 07e5bb0008415974ef7ab965e2b652cef615b8a4
SHA256 26fd8ef14ef540d5fb576ab70f679702ecf9e683a773dcc3f566fea69c985a2f
SHA512 ae6785143704ee3a55015c16dcce95bdded212717b8b3b4c4cf891c0d0f317d071ee328cc6f81e6f52e7570c682356872da0dfd3aed7d549b0dbe25f19c5f915

memory/2728-103-0x000000013F6E0000-0x000000013FA31000-memory.dmp

\Windows\system\fQatnDL.exe

MD5 1ed23a4c03e18cb87e82b3f4c6f75c8c
SHA1 9856793e633ab5e22d01f60472ec6576f26576ab
SHA256 0cbaa1ef1784e70e3c73456194fc9064e107ec62eb88837d0ab1ead1a6983bbf
SHA512 fd68bf208ff218b9ac40de2fdc3ce23e0da31c2e3511afc61ce8f2afc80b2e18fb0ba4311167df6a60f22a72cb90a285676920be868835a12c0d7bf14fa48c0b

C:\Windows\system\qccQXQx.exe

MD5 e2d71d8d731d2b5a954ccd2f63dccdfe
SHA1 e31f35efbc8f9e4528310c8e73c9df974128725c
SHA256 b05452cb68dcc7a989961d7b12c38cb30f7efd1c74d97baa331602f19d47206b
SHA512 8ed7aab0c77dbed43562f8bc4402249c09286b413d27b4c62d7174cdc5f44414e43405247c97a1aaa6e5e162e817b7e5eab0b3dba7dc6e869788ccf3ede05c9a

C:\Windows\system\KcsGaGr.exe

MD5 4114122921c139f9f0c312954b5c207c
SHA1 641f0adffa4af2600c2574d055ae2b7355f322aa
SHA256 f22945a879580997eded105e3c4bf4e7682326ce518a025cc727ae24d2f2f04c
SHA512 6f558986e3c480479fa69ab0d82f764630ee1eeb08500bda83b02cecf2a775e99d643eec84a29fd96be62a3a4be1c09647c0dbcb06ff869d2342ef6806dfae45

C:\Windows\system\RXThbFM.exe

MD5 73f64cfb42cc8780f30dff90c53956f8
SHA1 1ee6e3f176248cc5d2494872a81af270b4d5cfdc
SHA256 568ed4f7c0e5624056f73087e3436f5c500c4154a50251f08727699261a0ac93
SHA512 b7c23ff1285792d7f022ac58b7a2bc64af42c59242e00fe6770e998f0f8d08ff1c1f0ea801528ca36ac2bb1fdecdf7533d8d14f298d495cb823cb60101079d5f

C:\Windows\system\WRccnXE.exe

MD5 47833f7bf8e79130be5d3b7c2ae611cf
SHA1 bbb55c9b1fea07c6a43f877ef8b252f3ad6a1743
SHA256 1f585dd15914c906bc44e96a9f43892c8080384132f915240fd2053fd642fa79
SHA512 fef48f690f7a12b340741cdbd0122784292485ac76082191ce91e4bc13fb87699bb89e9f48063d37efa31210d97b498a909293d7de9092cd7134c27979ce798d

C:\Windows\system\clDqlub.exe

MD5 bb4410b585a098a413c9c0671eeb3e58
SHA1 622c44d197f0c6d26b2350f8f7c462895474bef7
SHA256 6c570e919ab81f1ad8ca40c4eca1f7930a79d3e6bf1e564db9c741206b09f715
SHA512 a28abb28d0faf38e6f2630e32c656d233a383487966641c832a1be6a090099ca6771f5d4e27f66c415123685d51069da9f70527b918cc1e0ca69d9ad0cc4e018

C:\Windows\system\btLndnr.exe

MD5 89e2989c71080140100d87e98a36c881
SHA1 5484229ef67d614f60893de2ec3e4e72cc8c0a82
SHA256 459ac8425b211cb86e2c4c3d79602c29cb1585fbeaa5561e331a04bbc5e2d206
SHA512 60f597203e8eb3b7109cb1a2fcd8f993d14c1e6206106c529dda1a237d969c5ef9c748af3b70f8c327db34f510393b18bb2253c32f3b45291916050f705af41e

memory/2320-140-0x00000000022D0000-0x0000000002621000-memory.dmp

memory/2320-111-0x00000000022D0000-0x0000000002621000-memory.dmp

memory/2320-109-0x00000000022D0000-0x0000000002621000-memory.dmp

C:\Windows\system\ndcMFbn.exe

MD5 f640cc207e6cfa229aa6aca1a7d30c91
SHA1 573d4067441a2555178bd87e99b8e95e4084e455
SHA256 f336e04cf14c5126bd36ce28611d73c6adb8e83101dd3c3ad296645c3afccb03
SHA512 78b7c4d959e5ccbcf1e00332370b0b9c78e0aed6f4ad6298ce405ce4bbc3fea4a9d3274fa06717fe27a6f78bedb032eb2bb5f3937600c8c11f63a54dc1c30a8d

memory/2320-107-0x00000000022D0000-0x0000000002621000-memory.dmp

memory/2440-95-0x000000013F250000-0x000000013F5A1000-memory.dmp

memory/2320-91-0x000000013F250000-0x000000013F5A1000-memory.dmp

memory/2936-90-0x000000013F490000-0x000000013F7E1000-memory.dmp

memory/2760-85-0x000000013FD90000-0x00000001400E1000-memory.dmp

memory/2320-141-0x00000000022D0000-0x0000000002621000-memory.dmp

memory/2664-83-0x000000013F2C0000-0x000000013F611000-memory.dmp

memory/2320-82-0x000000013F290000-0x000000013F5E1000-memory.dmp

memory/2320-79-0x000000013F2C0000-0x000000013F611000-memory.dmp

C:\Windows\system\DnoeiQa.exe

MD5 d72187433cbbe4389623c096738eec96
SHA1 5e2014733bd71926a57b2bde1a69642e2784d077
SHA256 99589e6ab6115eecfb8d0968c90383665756c66736ac484767a59f7bd66e86f0
SHA512 fa0700cdc72ff6b893d627580ea9042846c578ab94a48949ad06d27a827b7bf2fcee3ebb774f732276af9a650191767d53ced078abbb41d536126caf0ccfae0a

memory/2960-76-0x000000013FC90000-0x000000013FFE1000-memory.dmp

memory/2320-142-0x000000013F290000-0x000000013F5E1000-memory.dmp

memory/2320-143-0x000000013FE30000-0x0000000140181000-memory.dmp

memory/2616-150-0x000000013F290000-0x000000013F5E1000-memory.dmp

memory/2320-153-0x000000013F250000-0x000000013F5A1000-memory.dmp

memory/2440-154-0x000000013F250000-0x000000013F5A1000-memory.dmp

memory/2320-155-0x00000000022D0000-0x0000000002621000-memory.dmp

memory/2712-162-0x000000013FC00000-0x000000013FF51000-memory.dmp

memory/1908-163-0x000000013FFD0000-0x0000000140321000-memory.dmp

memory/2980-167-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/1964-168-0x000000013F860000-0x000000013FBB1000-memory.dmp

memory/2096-165-0x000000013F1D0000-0x000000013F521000-memory.dmp

memory/2840-164-0x000000013F760000-0x000000013FAB1000-memory.dmp

memory/848-161-0x000000013FB50000-0x000000013FEA1000-memory.dmp

memory/2056-166-0x000000013FD70000-0x00000001400C1000-memory.dmp

memory/2320-169-0x000000013FE30000-0x0000000140181000-memory.dmp

memory/2572-220-0x000000013FA20000-0x000000013FD71000-memory.dmp

memory/2080-222-0x000000013F930000-0x000000013FC81000-memory.dmp

memory/2304-225-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

memory/1924-226-0x000000013F660000-0x000000013F9B1000-memory.dmp

memory/3048-228-0x000000013FB90000-0x000000013FEE1000-memory.dmp

memory/1800-233-0x000000013FF50000-0x00000001402A1000-memory.dmp

memory/2728-235-0x000000013F6E0000-0x000000013FA31000-memory.dmp

memory/2936-237-0x000000013F490000-0x000000013F7E1000-memory.dmp

memory/2960-247-0x000000013FC90000-0x000000013FFE1000-memory.dmp

memory/2664-251-0x000000013F2C0000-0x000000013F611000-memory.dmp

memory/2760-250-0x000000013FD90000-0x00000001400E1000-memory.dmp

memory/2440-253-0x000000013F250000-0x000000013F5A1000-memory.dmp

memory/2616-255-0x000000013F290000-0x000000013F5E1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 06:44

Reported

2024-10-27 06:46

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows in the original report; no description, indicator, process or target is given for any of them)

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (49 identical rows in the original report; no description, indicator, process or target is given for any of them)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows in the original report; no description, indicator, process or target is given for any of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\wRLLqvx.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EorhFsS.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hMMTHJU.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\caSuaKT.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rfCzoOT.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uXfDJcJ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nljyViO.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\omCaskv.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LSTzAbh.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lMqZzWH.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TOSEumu.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WOiOpCo.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fwHusQD.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KgowPDD.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NSpspFa.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cFixHKi.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LUUIHhr.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eTJKjae.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LnIKSLG.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JRZOHUQ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HeZGVNK.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4232 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eTJKjae.exe
PID 4232 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eTJKjae.exe
PID 4232 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\caSuaKT.exe
PID 4232 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\caSuaKT.exe
PID 4232 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rfCzoOT.exe
PID 4232 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rfCzoOT.exe
PID 4232 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lMqZzWH.exe
PID 4232 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lMqZzWH.exe
PID 4232 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LnIKSLG.exe
PID 4232 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LnIKSLG.exe
PID 4232 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WOiOpCo.exe
PID 4232 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WOiOpCo.exe
PID 4232 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TOSEumu.exe
PID 4232 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TOSEumu.exe
PID 4232 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wRLLqvx.exe
PID 4232 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wRLLqvx.exe
PID 4232 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fwHusQD.exe
PID 4232 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fwHusQD.exe
PID 4232 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uXfDJcJ.exe
PID 4232 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uXfDJcJ.exe
PID 4232 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KgowPDD.exe
PID 4232 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KgowPDD.exe
PID 4232 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nljyViO.exe
PID 4232 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nljyViO.exe
PID 4232 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NSpspFa.exe
PID 4232 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NSpspFa.exe
PID 4232 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EorhFsS.exe
PID 4232 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EorhFsS.exe
PID 4232 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cFixHKi.exe
PID 4232 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cFixHKi.exe
PID 4232 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LUUIHhr.exe
PID 4232 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LUUIHhr.exe
PID 4232 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\omCaskv.exe
PID 4232 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\omCaskv.exe
PID 4232 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JRZOHUQ.exe
PID 4232 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JRZOHUQ.exe
PID 4232 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hMMTHJU.exe
PID 4232 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hMMTHJU.exe
PID 4232 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HeZGVNK.exe
PID 4232 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HeZGVNK.exe
PID 4232 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LSTzAbh.exe
PID 4232 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LSTzAbh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\eTJKjae.exe

C:\Windows\System\eTJKjae.exe

C:\Windows\System\caSuaKT.exe

C:\Windows\System\caSuaKT.exe

C:\Windows\System\rfCzoOT.exe

C:\Windows\System\rfCzoOT.exe

C:\Windows\System\lMqZzWH.exe

C:\Windows\System\lMqZzWH.exe

C:\Windows\System\LnIKSLG.exe

C:\Windows\System\LnIKSLG.exe

C:\Windows\System\WOiOpCo.exe

C:\Windows\System\WOiOpCo.exe

C:\Windows\System\TOSEumu.exe

C:\Windows\System\TOSEumu.exe

C:\Windows\System\wRLLqvx.exe

C:\Windows\System\wRLLqvx.exe

C:\Windows\System\fwHusQD.exe

C:\Windows\System\fwHusQD.exe

C:\Windows\System\uXfDJcJ.exe

C:\Windows\System\uXfDJcJ.exe

C:\Windows\System\KgowPDD.exe

C:\Windows\System\KgowPDD.exe

C:\Windows\System\nljyViO.exe

C:\Windows\System\nljyViO.exe

C:\Windows\System\NSpspFa.exe

C:\Windows\System\NSpspFa.exe

C:\Windows\System\EorhFsS.exe

C:\Windows\System\EorhFsS.exe

C:\Windows\System\cFixHKi.exe

C:\Windows\System\cFixHKi.exe

C:\Windows\System\LUUIHhr.exe

C:\Windows\System\LUUIHhr.exe

C:\Windows\System\omCaskv.exe

C:\Windows\System\omCaskv.exe

C:\Windows\System\JRZOHUQ.exe

C:\Windows\System\JRZOHUQ.exe

C:\Windows\System\hMMTHJU.exe

C:\Windows\System\hMMTHJU.exe

C:\Windows\System\HeZGVNK.exe

C:\Windows\System\HeZGVNK.exe

C:\Windows\System\LSTzAbh.exe

C:\Windows\System\LSTzAbh.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/4232-0-0x00007FF7E9580000-0x00007FF7E98D1000-memory.dmp

memory/4232-1-0x000001A703060000-0x000001A703070000-memory.dmp

C:\Windows\System\eTJKjae.exe

MD5 af6ade01546970237fb6412937110730
SHA1 a6244651a78c862d452294e1ef69ed9920a85ee1
SHA256 75204497a3f48159ce480e7edd98b88447606e64b558b21e5dae8589d8239ec9
SHA512 6f85ee2c86639b60c22319b91c4cb81fef3b1eb56d1edc5a53ebf6be15d1191e94ae70c0fc86c3f652afef41b313eb5ad20fb0b3000813d73054e8476cd397c0

memory/2660-8-0x00007FF71A530000-0x00007FF71A881000-memory.dmp

C:\Windows\System\caSuaKT.exe

MD5 188a80ecf98ace53cdbbc0700992e33d
SHA1 d6ab1327faf60f57b18b25545e33d02b0afe21c8
SHA256 b5e8bcb41a7d70aa30c39e3032bfa2f5baf2f5cba0461be299e647b60e056c0a
SHA512 3ce261ed9d09396cf7b2153db0e3684d874e5272a110b4b06d73baabd5e4164ad3d2c2ff75618b407a3ab88fd8f0c74e2b206426dc4aa384300e0d235d737fc5

memory/4116-17-0x00007FF69BE50000-0x00007FF69C1A1000-memory.dmp

C:\Windows\System\rfCzoOT.exe

MD5 8f4fcc97a3d28f623f2255d32fd36665
SHA1 4acddd906f5bd94b314d7e6105397f49425a3c9f
SHA256 d50358feed4d6902fe3036450f8233759a3ec879f55b2dc0f6eb26be8feebd28
SHA512 5f0c77e6bef0080d222902a9ea2733831cd4bdce171736232b29dcd4e4c4a3442641e727a35fda67df1c52b0f0cc1e9b618e6c0f4313c145ada39eb10a0b32d9

C:\Windows\System\lMqZzWH.exe

MD5 c5b8ea1f4c44e11b5a9b230e7d141dcd
SHA1 2e84a37d9df036d0c38a44867b37990f29ffe532
SHA256 bafadf1b2955106832f4fa84143390a7fb937b547f8c6297cea02c2d303ad5f5
SHA512 69f06fa801f8914aadb2f8e90aa1a8f4c1a69f98dc7b9a7b2513f5de2e9715324b9546dfb6d4d3b6774f76092da076a309508ee005c3984dbe7689b8a7abe794

memory/3016-27-0x00007FF7ABC20000-0x00007FF7ABF71000-memory.dmp

memory/4064-29-0x00007FF62EB30000-0x00007FF62EE81000-memory.dmp

C:\Windows\System\WOiOpCo.exe

MD5 61706d96cdc7ecac81a0b6ead9f2cf83
SHA1 daa3ee5b5e2a46fa5ad9c9eaf7f13b1fd757105c
SHA256 2bebc59fd9dd16a5cf539bb5d717ed95603d27bec59abc19211582451b6e346a
SHA512 30855b477bf77bb48d46f42109feaf94726f278aabd76cbd06fb8810f9a6975726fe0081219bf8ad2735aa5e5cb7845963c3462bda946207f47c7851d6da28c0

C:\Windows\System\TOSEumu.exe

MD5 6978241ab22a6163026f28138f7ab81a
SHA1 6c2e15b7b1b068d4a6221d6991a1e7e062f7707f
SHA256 5776031cda5eded2eff4a0c83a1fa47ebd1fafe5d120e2fc24c7c1b4db3d889b
SHA512 a67dbe202ed7466e0e4ef8b9cf1d88ded57acf47be77baf2096e4e7233a0b60f65eaaba1288faf78ddf42dc978528bb2bfcd9ba7a66f2be8f66cd0967e9620b8

memory/1272-55-0x00007FF683060000-0x00007FF6833B1000-memory.dmp

memory/4232-71-0x00007FF7E9580000-0x00007FF7E98D1000-memory.dmp

C:\Windows\System\NSpspFa.exe

MD5 56b61729e58617b403f15a051b3a569f
SHA1 02b807440ad41a387db057f43edbd4931f2ac62c
SHA256 2d1a04532a31039d63f0a9d4cd2b8437614a822a401997dd56fcf7733b5717f2
SHA512 601a3fd4eff16e893da265676973c0194d4527459c8bc93347d50904be8b17a301dda53486286d34e1fcef6c73d3e2880bcdf13c730088f5fbd9ceee18572adf

C:\Windows\System\JRZOHUQ.exe

MD5 8850f5d5d50b724ac02eaa1cf898460f
SHA1 6e555dd8a79b895479752a83db7fd7ed7dd2da5c
SHA256 b9471ad9ce6379e01967c6fb7fc019d67f51c2ac52944aa1016f8d8d38098efb
SHA512 e8382fe0347442cf423948e07dc30e3c6adf6da69851146337b733550bbe6ecc87fa7b017f267c8d8b25909b72a54f05da8500fd4d8f198e43f0f7377066746b

C:\Windows\System\LUUIHhr.exe

MD5 925602a9d3ead9e366a404336f3185cf
SHA1 bdbae2e2ccf6dfa65c9f6b5f50f5c8c63036a9e7
SHA256 362b6d2d60742ac9c91efad72e12574f69b6823aac099af1e9101f1b71f9d262
SHA512 32495e25d3a0977254da9888a4160e777f6b0c3182199eae93ee2d4dba707eada006384c902dbcf13581214f73aa48c1ecb1e948d79ab6020e6a7de7c6e5db32

memory/468-109-0x00007FF6E1880000-0x00007FF6E1BD1000-memory.dmp

C:\Windows\System\omCaskv.exe

MD5 886b926a87ec9e9f23b921798a21babc
SHA1 6e4dfd1f0e4a07f21a86704667f5cdd121d32815
SHA256 bdf8037f6adc59c73daa00a8154f90d51f82536c9476def86ed2dd8e7db0260c
SHA512 ba8ccafb0176723f359d7f62b917c2718b0b92b83fe4e24db88a19a35115dacc45116506f9d790212b1c6f275b9de472399f8bde5dd49cd78a932b88c8cf406d

memory/5040-105-0x00007FF771760000-0x00007FF771AB1000-memory.dmp

memory/4116-104-0x00007FF69BE50000-0x00007FF69C1A1000-memory.dmp

memory/2660-103-0x00007FF71A530000-0x00007FF71A881000-memory.dmp

memory/4448-102-0x00007FF6A4E00000-0x00007FF6A5151000-memory.dmp

memory/1316-101-0x00007FF61F5C0000-0x00007FF61F911000-memory.dmp

memory/2860-99-0x00007FF6861E0000-0x00007FF686531000-memory.dmp

memory/2980-98-0x00007FF67EA30000-0x00007FF67ED81000-memory.dmp

C:\Windows\System\EorhFsS.exe

MD5 d635b33c67eaf598e4ff9b27281e5cdf
SHA1 15132dd008e21cff75eb273461f9bb1aa684e1da
SHA256 d5731cf0ed4273ed7b5f2468f37ac60fb2b12cbb844bb274f5234d1cbf4bbcc9
SHA512 394a3ea82714d6553e972c748c3053eb200697342adb431c504d1114aadea605772d26a5c1036746e36a7f0ec29d91b6bb03ccf15054238fca447d1d36d892c7

memory/4124-87-0x00007FF631D00000-0x00007FF632051000-memory.dmp

C:\Windows\System\cFixHKi.exe

MD5 9205cc1f4be3d5eeebfc497852bed321
SHA1 ec513fad660440e1cd970be14058b84735164ea9
SHA256 8268910baaea6d069683975da0f566c3b8061f305db23cfa3711ba882078da72
SHA512 bf8d680d4ece284e7b7b94bbf659ec36b2c4743aad1f4484e481e47da284de7920523962062c54f8d60beb46db108c6ea624f03edb997203d34c0d85c0d7dbb8

C:\Windows\System\nljyViO.exe

MD5 cf527c2a434065cf984df8e93027857b
SHA1 cae80891491f40c458b224b4cb827581bcc984be
SHA256 57106d90214c028d751969b7355cca45a4010eae9ab99338d27a365b459f951a
SHA512 c499aa20ab5d5463e7223d23b06f6e93adec1315c443cdea0fec86435c96ad4c36256e2cdcf493558d1c5404b6afbd69b344681e9990dc7208a3e5be05c4427f

memory/3592-80-0x00007FF689890000-0x00007FF689BE1000-memory.dmp

C:\Windows\System\KgowPDD.exe

MD5 3229ba6c46608ed83f496fa329f7bec6
SHA1 ffe9b3b34a90aa1102933f3a392bcd7c2476e2a6
SHA256 00f31e8fe142258dce08614601e4f24aed57e50209cbcba2c5d7b9ae1601377f
SHA512 ed711da86039a94329336087ab906f1b062522fb6c8c34282e38e55de6e36a7f1be4f1a8812af39de62e76a193715c7dd2fabea21fb317b4e06bada33d09dc06

C:\Windows\System\uXfDJcJ.exe

MD5 2220adb418f76484378d42aabb9f3e9a
SHA1 257b802efe1a332bc082cdf996a1ea53a079cd3f
SHA256 1f6c8b389e84e1ae0c855ee0207924346625e2c6c32fe3b751c735f81ffa06b4
SHA512 e8ff13f457aaebcfabdd5ede33dedd0209043a0e50f59f9c4f045702a5203a9b2a64e62394ac11d37dd3fa56ef2f4f969d184110f221ac3923e7c3b9904ec92f

C:\Windows\System\fwHusQD.exe

MD5 e0dfa4ad43ed0aeafbb444f74d4618da
SHA1 769f15fef0c6452ea35b6eea0721f2386741778b
SHA256 af509f84790740402ef491b83e30ca3121dbdd76fd400ff8a38006b984aeda45
SHA512 c0de574a78e20e9efd752ea16254f45e23af7e1b2c16cc2599277e9a226e37a3cd6b9892f3c4538019c19916454941f505e6c658707577e2cc99e13bd6218cf4

C:\Windows\System\wRLLqvx.exe

MD5 a75f5bbde698aeb4a98dba83c490b0bf
SHA1 6f0288bb1edadf9a75953a291bcc840e29b386b8
SHA256 bdd8870abd6550e1cb88da9c0debc97ad15fde689fa636c017892180d48fe3fd
SHA512 0590e0c51b935e0d16058aa971a7e30e60afd6853ed75d9b289941131b99ecb1c13808e0fc7a0beb563f1e96593475609d7f1b74b8d8d670dab34f8d6f23b4e2

memory/2948-56-0x00007FF62DF20000-0x00007FF62E271000-memory.dmp

memory/2192-53-0x00007FF6A6BB0000-0x00007FF6A6F01000-memory.dmp

memory/1848-41-0x00007FF7D36D0000-0x00007FF7D3A21000-memory.dmp

memory/2640-37-0x00007FF6B9DC0000-0x00007FF6BA111000-memory.dmp

C:\Windows\System\LnIKSLG.exe

MD5 c6e95377072358030e1c9ec11ae3b4ff
SHA1 040a012a25fc978c9fbc5ab6870ca8ea1d63fb4f
SHA256 842dfb0bcdc0f03f1bd7709778fdc5268eff3026bfd51e8f041984bb38ccb289
SHA512 311bd9b95bb878723a4cf3d853d4fd55f686b59729e0b9552206191262611f3faf0e70fa7f1b77a951ddcfaf2f88159e171ab1f37fcdabb24622a8b553c70435

memory/2008-19-0x00007FF7A5EF0000-0x00007FF7A6241000-memory.dmp

C:\Windows\System\hMMTHJU.exe

MD5 f3020f3fa78d1a28d9de72da3c4bc563
SHA1 affecacaa25493e1c18a2d97009c099569f04003
SHA256 f09b8a2e7367fb2fd2e7cb6ce6658f84e8993f3b8cf941437fd9adc1013082cc
SHA512 ee46a106f584b138fcd9cee6227eefedff34f042e2d79a1189953f57b747f2214142f5f7aa341b422f28f72d3d53e9f6ebddc79ceabdcb1cbb00b5b40b48bdc1

memory/2008-119-0x00007FF7A5EF0000-0x00007FF7A6241000-memory.dmp

C:\Windows\System\HeZGVNK.exe

MD5 5ae99ebac97340823a9790e5fef8c38b
SHA1 47aad008c47850d6006e64cf8b0a68640ff2b616
SHA256 df111c848b3e1d38f128ee51f12452b0317ff8f6c1a1cefc9d1fd79c052a616a
SHA512 6cce6e420970b3152d6c795d78819a311fa1311ab02838b6c784c7714444425584474cf25665986690653fd41cbadceb6e77c1a99702e9776aa7a5f7a36b33df

C:\Windows\System\LSTzAbh.exe

MD5 ceaeb28848711d83ca3b8b4414839e40
SHA1 93a0d970f23918d444cf722c560c10dd3cfce232
SHA256 1cf3b4539dcbff47aaf39000d12e133e279e45d871f2ea6a76f282291121c735
SHA512 aad28cd5c7014f7e0a444257355e90e4c150c708257301cb99af3001b1f35ae9510d06074853e79c0d1386abbc9976db9b4bc45ef7dc2f93522c231e13dde3c9

memory/1760-133-0x00007FF680D00000-0x00007FF681051000-memory.dmp

memory/4064-130-0x00007FF62EB30000-0x00007FF62EE81000-memory.dmp

memory/4092-129-0x00007FF6B6920000-0x00007FF6B6C71000-memory.dmp

memory/2824-125-0x00007FF632490000-0x00007FF6327E1000-memory.dmp

memory/3016-122-0x00007FF7ABC20000-0x00007FF7ABF71000-memory.dmp

memory/2192-142-0x00007FF6A6BB0000-0x00007FF6A6F01000-memory.dmp

memory/2640-145-0x00007FF6B9DC0000-0x00007FF6BA111000-memory.dmp

memory/2948-144-0x00007FF62DF20000-0x00007FF62E271000-memory.dmp

memory/1848-141-0x00007FF7D36D0000-0x00007FF7D3A21000-memory.dmp

memory/4232-134-0x00007FF7E9580000-0x00007FF7E98D1000-memory.dmp

memory/1272-143-0x00007FF683060000-0x00007FF6833B1000-memory.dmp

memory/4124-147-0x00007FF631D00000-0x00007FF632051000-memory.dmp

memory/468-153-0x00007FF6E1880000-0x00007FF6E1BD1000-memory.dmp

memory/4448-152-0x00007FF6A4E00000-0x00007FF6A5151000-memory.dmp

memory/1316-151-0x00007FF61F5C0000-0x00007FF61F911000-memory.dmp

memory/3592-146-0x00007FF689890000-0x00007FF689BE1000-memory.dmp

memory/4092-154-0x00007FF6B6920000-0x00007FF6B6C71000-memory.dmp

memory/1760-159-0x00007FF680D00000-0x00007FF681051000-memory.dmp

memory/4232-155-0x00007FF7E9580000-0x00007FF7E98D1000-memory.dmp

memory/4232-178-0x00007FF7E9580000-0x00007FF7E98D1000-memory.dmp

memory/2660-221-0x00007FF71A530000-0x00007FF71A881000-memory.dmp

memory/4116-223-0x00007FF69BE50000-0x00007FF69C1A1000-memory.dmp

memory/2008-225-0x00007FF7A5EF0000-0x00007FF7A6241000-memory.dmp

memory/4064-228-0x00007FF62EB30000-0x00007FF62EE81000-memory.dmp

memory/3016-229-0x00007FF7ABC20000-0x00007FF7ABF71000-memory.dmp

memory/2640-232-0x00007FF6B9DC0000-0x00007FF6BA111000-memory.dmp

memory/1848-233-0x00007FF7D36D0000-0x00007FF7D3A21000-memory.dmp

memory/1272-237-0x00007FF683060000-0x00007FF6833B1000-memory.dmp

memory/2192-236-0x00007FF6A6BB0000-0x00007FF6A6F01000-memory.dmp

memory/2948-239-0x00007FF62DF20000-0x00007FF62E271000-memory.dmp

memory/3592-243-0x00007FF689890000-0x00007FF689BE1000-memory.dmp

memory/2860-245-0x00007FF6861E0000-0x00007FF686531000-memory.dmp

memory/2980-247-0x00007FF67EA30000-0x00007FF67ED81000-memory.dmp

memory/4124-250-0x00007FF631D00000-0x00007FF632051000-memory.dmp

memory/5040-251-0x00007FF771760000-0x00007FF771AB1000-memory.dmp

memory/1316-253-0x00007FF61F5C0000-0x00007FF61F911000-memory.dmp

memory/4448-255-0x00007FF6A4E00000-0x00007FF6A5151000-memory.dmp

memory/468-257-0x00007FF6E1880000-0x00007FF6E1BD1000-memory.dmp

memory/2824-263-0x00007FF632490000-0x00007FF6327E1000-memory.dmp

memory/4092-265-0x00007FF6B6920000-0x00007FF6B6C71000-memory.dmp

memory/1760-267-0x00007FF680D00000-0x00007FF681051000-memory.dmp