Malware Analysis Report

2025-04-03 17:59

Sample ID 241109-ss1t3axckn
Target 2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat
SHA256 777d44c6731dc80ad0a28d9f8f68b33cfd30b0d575614a1d873bc8dd306c4db2
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

777d44c6731dc80ad0a28d9f8f68b33cfd30b0d575614a1d873bc8dd306c4db2

Threat Level: Known bad

The file 2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobaltstrike

xmrig

Cobalt Strike reflective loader

XMRig Miner payload

Xmrig family

Cobaltstrike family

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-11-09 15:24

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
1 match recorded; no description, indicator, process or target details were extracted for this signature.

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
1 match recorded; no description, indicator, process or target details were extracted for this signature.

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
1 match recorded; no description, indicator, process or target details were extracted for this signature.

Unsigned PE

Description Indicator Process Target
2 matches recorded; no description, indicator, process or target details were extracted for this signature.

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 15:24

Reported

2024-11-09 15:26

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 matches recorded; no description, indicator, process or target details were extracted for this signature.

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
46 matches recorded; no description, indicator, process or target details were extracted for this signature.

UPX packed file

upx
Description Indicator Process Target
64 matches recorded; no description, indicator, process or target details were extracted for this signature.

Drops file in Windows directory

Description Indicator Process Target
Process for every row below: C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe (indicator and target: N/A). 21 executables are written to C:\Windows\System, each with a seven-letter mixed-case name.
File created C:\Windows\System\YOwWovx.exe
File created C:\Windows\System\yUIxVRV.exe
File created C:\Windows\System\CSWADbW.exe
File created C:\Windows\System\yOUQVvF.exe
File created C:\Windows\System\qCYNAky.exe
File created C:\Windows\System\LkZNiKo.exe
File created C:\Windows\System\raECuRM.exe
File created C:\Windows\System\tIAgvWq.exe
File created C:\Windows\System\fRSFLAy.exe
File created C:\Windows\System\EjBEUBH.exe
File created C:\Windows\System\TnHBJsO.exe
File created C:\Windows\System\nIDRJWl.exe
File created C:\Windows\System\kcRgREk.exe
File created C:\Windows\System\KdjXVtU.exe
File created C:\Windows\System\wdSQhFs.exe
File created C:\Windows\System\kguCWCv.exe
File created C:\Windows\System\ZasNeGp.exe
File created C:\Windows\System\YyVzPKv.exe
File created C:\Windows\System\dQZBltq.exe
File created C:\Windows\System\sySWomU.exe
File created C:\Windows\System\MvYzBCR.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3084 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qCYNAky.exe
PID 3084 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qCYNAky.exe
PID 3084 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YyVzPKv.exe
PID 3084 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YyVzPKv.exe
PID 3084 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TnHBJsO.exe
PID 3084 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TnHBJsO.exe
PID 3084 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LkZNiKo.exe
PID 3084 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LkZNiKo.exe
PID 3084 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dQZBltq.exe
PID 3084 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dQZBltq.exe
PID 3084 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sySWomU.exe
PID 3084 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sySWomU.exe
PID 3084 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wdSQhFs.exe
PID 3084 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wdSQhFs.exe
PID 3084 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nIDRJWl.exe
PID 3084 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nIDRJWl.exe
PID 3084 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MvYzBCR.exe
PID 3084 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MvYzBCR.exe
PID 3084 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\raECuRM.exe
PID 3084 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\raECuRM.exe
PID 3084 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tIAgvWq.exe
PID 3084 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tIAgvWq.exe
PID 3084 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YOwWovx.exe
PID 3084 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YOwWovx.exe
PID 3084 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yUIxVRV.exe
PID 3084 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yUIxVRV.exe
PID 3084 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kcRgREk.exe
PID 3084 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kcRgREk.exe
PID 3084 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CSWADbW.exe
PID 3084 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CSWADbW.exe
PID 3084 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kguCWCv.exe
PID 3084 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kguCWCv.exe
PID 3084 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KdjXVtU.exe
PID 3084 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KdjXVtU.exe
PID 3084 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fRSFLAy.exe
PID 3084 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fRSFLAy.exe
PID 3084 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yOUQVvF.exe
PID 3084 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yOUQVvF.exe
PID 3084 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZasNeGp.exe
PID 3084 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZasNeGp.exe
PID 3084 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EjBEUBH.exe
PID 3084 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EjBEUBH.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\qCYNAky.exe

C:\Windows\System\qCYNAky.exe

C:\Windows\System\YyVzPKv.exe

C:\Windows\System\YyVzPKv.exe

C:\Windows\System\TnHBJsO.exe

C:\Windows\System\TnHBJsO.exe

C:\Windows\System\LkZNiKo.exe

C:\Windows\System\LkZNiKo.exe

C:\Windows\System\dQZBltq.exe

C:\Windows\System\dQZBltq.exe

C:\Windows\System\sySWomU.exe

C:\Windows\System\sySWomU.exe

C:\Windows\System\wdSQhFs.exe

C:\Windows\System\wdSQhFs.exe

C:\Windows\System\nIDRJWl.exe

C:\Windows\System\nIDRJWl.exe

C:\Windows\System\MvYzBCR.exe

C:\Windows\System\MvYzBCR.exe

C:\Windows\System\raECuRM.exe

C:\Windows\System\raECuRM.exe

C:\Windows\System\tIAgvWq.exe

C:\Windows\System\tIAgvWq.exe

C:\Windows\System\YOwWovx.exe

C:\Windows\System\YOwWovx.exe

C:\Windows\System\yUIxVRV.exe

C:\Windows\System\yUIxVRV.exe

C:\Windows\System\kcRgREk.exe

C:\Windows\System\kcRgREk.exe

C:\Windows\System\CSWADbW.exe

C:\Windows\System\CSWADbW.exe

C:\Windows\System\kguCWCv.exe

C:\Windows\System\kguCWCv.exe

C:\Windows\System\KdjXVtU.exe

C:\Windows\System\KdjXVtU.exe

C:\Windows\System\fRSFLAy.exe

C:\Windows\System\fRSFLAy.exe

C:\Windows\System\yOUQVvF.exe

C:\Windows\System\yOUQVvF.exe

C:\Windows\System\ZasNeGp.exe

C:\Windows\System\ZasNeGp.exe

C:\Windows\System\EjBEUBH.exe

C:\Windows\System\EjBEUBH.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
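The UDP rows above are all reverse-DNS (PTR) queries sent to 8.8.8.8, so the "Domain" column is not a hostname the sample contacted but a reversed IP address; the only non-DNS traffic is the repeated TCP connection to 3.120.209.58:8080. The script below is an added example (not part of the original sandbox report or of any sandbox vendor's tooling) that parses the rows as printed on this page, decodes each in-addr.arpa name back to the IP it describes, and counts the direct connections. The row layout it assumes (country, destination, optional domain with "-" for empty, protocol) is an assumption about this page, not a documented export format, and the embedded rows are a constructed copy of the table above.

```python
"""Triage of the behavioral2 "Network" table.

Added example, not part of the original sandbox report. The parsing rules
reflect how the rows happen to be laid out on this page and are an
assumption, not a documented export format.
"""
import re
from collections import Counter

# Constructed input: the behavioral2 Network rows as printed in the report
# ("-" marks an empty Domain column).
NETWORK_ROWS = """\
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>udp|tcp)$"
)
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")


def ptr_to_ip(name):
    """Turn a reverse-DNS name (d.c.b.a.in-addr.arpa) back into a.b.c.d."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def parse_rows(text):
    """Parse the table rows; lines that do not match the layout are skipped."""
    matches = (ROW_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def triage(rows):
    """Split DNS chatter from direct connections.

    Returns the resolvers used, the IPs the PTR queries were about (decoded),
    and a count of every non-DNS (cc, ip, port, proto) tuple.
    """
    resolvers, looked_up, direct = set(), [], Counter()
    for r in rows:
        domain = r["domain"] if r["domain"] not in (None, "-") else None
        if r["proto"] == "udp" and r["port"] == "53" and domain:
            resolvers.add(r["ip"])
            looked_up.append(ptr_to_ip(domain) or domain)
        else:
            direct[(r["cc"], r["ip"], r["port"], r["proto"])] += 1
    return {"resolvers": sorted(resolvers), "looked_up": looked_up, "direct": dict(direct)}


if __name__ == "__main__":
    result = triage(parse_rows(NETWORK_ROWS))
    print("resolvers:", result["resolvers"])
    print("PTR lookups decoded:", result["looked_up"])
    for (cc, ip, port, proto), n in result["direct"].items():
        print(f"direct {proto} to {ip}:{port} ({cc}) x{n}")
```

The decoded list is what to pivot on: the "US" country tag on every DNS row belongs to the resolver, not to the hosts the sample was interested in, and the single direct destination (five connections to 3.120.209.58:8080) is the candidate C2 to block and hunt for.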

Files

memory/3084-0-0x00007FF7F93A0000-0x00007FF7F96F1000-memory.dmp

memory/3084-1-0x0000025D315C0000-0x0000025D315D0000-memory.dmp

C:\Windows\System\qCYNAky.exe

MD5 a5435a4af7e523aa02ffb15c774c0bf3
SHA1 7f5255a3c65fc60a302a363d7bb7521cde2eea28
SHA256 c9fa4ec95b3f39e41e57f7344a6ac1e78c4971f9143193cb4b704aebe5326dfd
SHA512 8dc32339c76816373a524108d38325b63122eb421bac69d9be5804d5c888a6a8bd072f05af329982d86180f80ee104bb7183796819033e086db94052bdbd0beb

memory/976-9-0x00007FF73F3A0000-0x00007FF73F6F1000-memory.dmp

C:\Windows\System\TnHBJsO.exe

MD5 c80f237c04aac3eb5949252cbbc97b9f
SHA1 d22805cc69008720c4d7bc5436ad3739e66bcce8
SHA256 5458e4a5e814edfbf3c2ddd72d4bd4a6e8751ff7aed62144c94efd27c4d35f83
SHA512 623f7ebefff823718d3110c5713d8762ea3268bdc0d59bb690b328f36e22b9076f1fcd4015bda0e64f30eefa2c72077fc06bd7f7bc2c07e6e2019ba87e79630a

C:\Windows\System\YyVzPKv.exe

MD5 4c577a516b61feec48fe838c7a75eea5
SHA1 613dc08fa9cfe4247f6f10c6b2437f159cf396b7
SHA256 3ee1cd0cf3a7805b45246ba7d6b3e6af016a85f42ad3a984e2bee76ad2ffb4f4
SHA512 46f2d32d464b9cb4a053dbda83246e7c360eb7b61e4ac993f80c4abe27993cc1a3241e249eb5c7e37cd54d7cee352c1a4a96507d6e9a29793a5d368a67394aac

memory/3016-18-0x00007FF7D98F0000-0x00007FF7D9C41000-memory.dmp

C:\Windows\System\LkZNiKo.exe

MD5 5eef210b8795684a7c52c80ec9da6ecc
SHA1 05b314f3d2236d0dc3fdf72d3b2f234fe1eb96eb
SHA256 cc6adf77cee877ce76d72691474e9f048a5baf158253a4204f42d37c660c5d02
SHA512 dc889d939e9bded9278d32e83ef1057722b7856262f99e0ac7eabbd8271843dd67b1ab28c20436818ae2734485c063ee50039dc7ae0180cbb42a2f564a44b700

C:\Windows\System\dQZBltq.exe

MD5 17709c4f5e9bcdabeb309773a9002753
SHA1 8ffb33ed9035fc4e1e910f9ff4b169e8722028ee
SHA256 c624d800959e796ad9e7e59e089622dae27130985657eaa452555d1f33b68216
SHA512 0a3adf929ca898e0d9e4e4a7f2423e67ca44279a0b5776b3ea3d1753538a3336f84f165fec059f015cef7ea37ddb8ff0ce8edd36f9673c33f148948270646b7a

memory/752-30-0x00007FF74D540000-0x00007FF74D891000-memory.dmp

memory/2536-24-0x00007FF71D390000-0x00007FF71D6E1000-memory.dmp

memory/1844-14-0x00007FF670630000-0x00007FF670981000-memory.dmp

C:\Windows\System\sySWomU.exe

MD5 498c87ffa12483517f740eb401b2ad35
SHA1 00cb3ae1fb80f69d4bce00d1edbbb634cb2bd51c
SHA256 0a3d819eb160b680da0776204f4e7a2041132c64f6a188f2d9644ccfcd2fddef
SHA512 7786948dac6b6d8c54e12d9e915fce5887006b66a5bd19dd83cd247b70e7f9a125941e60a3d18f7e58540efa298e64ec44b4a8deb5290437d2317398d5d17799

memory/2424-40-0x00007FF6D0400000-0x00007FF6D0751000-memory.dmp

C:\Windows\System\nIDRJWl.exe

MD5 b51d4791237705022a68a907bda4d14e
SHA1 0cbd87d251562eef1d2527c3b412c8d42c37e831
SHA256 9087a5acc14da017336715b9ef6e0fb9bd9aace249bf9e44734568f8df001989
SHA512 194f631dd6ac9271074fe1e7bc8d75f398112332c91a5dac6bcac8d59df00c44dabb1aa9d5814163aa4c16240e651991e71bc1adc59802ea698d3a9629dc9b4c

C:\Windows\System\raECuRM.exe

MD5 5c948a8981011a500e5f4c15de3b7722
SHA1 f1ab8082b1cf1d739302e576d5e04753896cbbb3
SHA256 e8797eda33b89d0d977905f0c44af8c438d86d50fe3b6bf3580291f5eb500b0b
SHA512 74f0d2aaa0234bcfd2ace5ae53c6710585e44c91c7ccb58e1b4509f76b46ded80b080cbe3829d823082b19f338ce8f37ebdc706cc44c68fd974a07a5a00fb7b5

memory/4960-60-0x00007FF762480000-0x00007FF7627D1000-memory.dmp

C:\Windows\System\tIAgvWq.exe

MD5 808464319ec81dc11501d30caf0b008e
SHA1 0c1d300fb527d2471e289bd73407dfc589c9dce1
SHA256 57e4a492fd8a42d0baaf51547653733a355e9ce70b65d6d0dc88c7e992c1a3ff
SHA512 7eb10ab79d03626bcdf1e765d245b80f4187b8b099c6ca74743dd5dae0a908ec1f8fbf370ca770d2845aafd091e1c296348c13d5f0e59d3835796be2c94bb75f

memory/32-74-0x00007FF76ACE0000-0x00007FF76B031000-memory.dmp

memory/976-77-0x00007FF73F3A0000-0x00007FF73F6F1000-memory.dmp

memory/3060-83-0x00007FF794630000-0x00007FF794981000-memory.dmp

C:\Windows\System\yUIxVRV.exe

MD5 64b341a9fb40d7d921fb567f77568ff9
SHA1 e9aadd91d68f01f32eec724a0d62697e6097e020
SHA256 57eead5eac9860c084b37ad4137c1d7a17081dd02c8d0adf3a24d995568a4a12
SHA512 5ca1061d77b040b316933b8d9def5eff7253aa3f6797b3273e16755509671f7efdbfee605e1d1b2b43e5e9075434eb01c84fadc6c0dc3a18a2fda01c739a163f

memory/3016-93-0x00007FF7D98F0000-0x00007FF7D9C41000-memory.dmp

C:\Windows\System\kguCWCv.exe

MD5 f2fd5e6c1f663d7e65f3013922b807f8
SHA1 fc56b09f265295c931b8b699eb19d63cb6a11208
SHA256 98f18e5a8d33337b73cb89c25290b4f2f33db0ce4885454d6cb05459602cd016
SHA512 7585c670a2c8ed1ef59883d1196f4b0ec8e659f4db802e14dae09a9ea95518116c4a0afb5a3326ecd20a5c83ec90f4dcc7f7d2cfda7061d99510bc593f5467ad

C:\Windows\System\KdjXVtU.exe

MD5 7330adc77c291701db4450b42a276046
SHA1 7351f955f74e201d35a9d4be6f49c8e95f233fe5
SHA256 b3038074f677124c3448296952888c440053a90550b9f1656c596a8e5f7ed1d1
SHA512 b8706ceefd8ebeef033989d758dcc5eccae42457d403d42b2ecc9be6aebd99c91fbe2f10f31d0109ceaa9a29fe703975dd32a46c0bf8dc62cd5680b14252351c

C:\Windows\System\fRSFLAy.exe

MD5 adb0516d191abb689db40ba7c04f4856
SHA1 706a2fb4092780794ca385d40744703670b3b0b0
SHA256 86ee5913c3b522c38d6204912816d6a4b762b30fab3a266e8cf9076e4095ef0a
SHA512 f33b1e3b9735e85cbc41a7b2ca04dc008c4e86f4b1d58922577954393aefb66e7490415ae8569ae5de73856a945f1d5e5e772706f3af7b9674a193e7ef8abff4

C:\Windows\System\ZasNeGp.exe

MD5 4494d5afb8b1b4b651a562ae7083960a
SHA1 22c831f4184b88fd705b69c51730a2e6724c8890
SHA256 5d77e30b1c2077be1762624921d27d7facec28a53b2f82784ae87a97bab945f8
SHA512 5e9c1f0d09d58bbb4c4cdab6be6caea32af10a40eae251ae802358184a1da5e1d3c8c1d506861b62dc352a4d6e9cb6d0e3ee1e057b51ab8aac5a95991d77f31d

C:\Windows\System\EjBEUBH.exe

MD5 4cf96cb4d528f7b5ecb9997f7d203325
SHA1 bdafc296244acda0f3d788794a06478b0b5503d0
SHA256 c516a48f2c7db70e933795600cad7ab98edacd8ca6d0e5db18c07d739f242ae2
SHA512 3854337135c953985925d0f33227033ec354fc57ab81e1fbbbe8b28d5c243eba970f7a8c4e10908435cbe0e4279a3e12381ec2a6ac3a1c852348ab9392fbd4fe

memory/4088-134-0x00007FF756EC0000-0x00007FF757211000-memory.dmp

memory/32-133-0x00007FF76ACE0000-0x00007FF76B031000-memory.dmp

memory/4596-129-0x00007FF741400000-0x00007FF741751000-memory.dmp

memory/2412-128-0x00007FF7DFC50000-0x00007FF7DFFA1000-memory.dmp

C:\Windows\System\yOUQVvF.exe

MD5 0e15b32a3b642c94f8f0ae8f9e7f39ab
SHA1 49077cc6372ee8fcdeab4b7641a7a934d8ceef03
SHA256 25c27d394c70ad99d05787959d74d3cae7f2d4f3b5c81d6b18e9cc6ec8d3802d
SHA512 49d1aef8abf5885dfa5ce7c85a3b621794b0eb9bc5ed6359115b18d3dab3433acb25ef51c20c11765449c3fc72c9439360e23f172be7c96a613aa23aa864ea7e

memory/4984-123-0x00007FF603F30000-0x00007FF604281000-memory.dmp

memory/4916-122-0x00007FF797510000-0x00007FF797861000-memory.dmp

memory/3568-115-0x00007FF700C60000-0x00007FF700FB1000-memory.dmp

memory/3116-114-0x00007FF78D910000-0x00007FF78DC61000-memory.dmp

memory/752-110-0x00007FF74D540000-0x00007FF74D891000-memory.dmp

memory/4624-103-0x00007FF78FCD0000-0x00007FF790021000-memory.dmp

memory/2536-100-0x00007FF71D390000-0x00007FF71D6E1000-memory.dmp

C:\Windows\System\CSWADbW.exe

MD5 36ee7c37918de24ec39b4c46d6acee9b
SHA1 a5250d9ae2d190bf63831db90d4f9618b71b7799
SHA256 067ad2e7fd65c4d200684dab68ca0b37c5bd602092874db1609fd3d58af2f354
SHA512 d22eae05dd0f0fc026055b806816ca8be7c4559a3040dcebe7d288f6aafaab193efa6a7f594c4b00ed2fcce6cf3998e33acd6b1af3894a46269aacfac546a877

memory/1728-94-0x00007FF7D4E10000-0x00007FF7D5161000-memory.dmp

C:\Windows\System\kcRgREk.exe

MD5 152393789d05cd98e6224c84d2bb2616
SHA1 e96872e0ff03d008317bf31d485f60f967d6738e
SHA256 adb9332a4ecefd2fca65967d1fb8c675aa2136f1dc76df01bac4ce44024b340e
SHA512 28abf84b9e401dbe0c8ce3dd17b95b062aa5da4c1389b7cd1a41fde75d5f2450d072a3cad336d01532c31af40e96042adc88f1756d838cff1366a1e842ad2a87

memory/644-85-0x00007FF6875F0000-0x00007FF687941000-memory.dmp

memory/1844-84-0x00007FF670630000-0x00007FF670981000-memory.dmp

memory/3188-80-0x00007FF7DEE30000-0x00007FF7DF181000-memory.dmp

memory/3976-76-0x00007FF718820000-0x00007FF718B71000-memory.dmp

C:\Windows\System\YOwWovx.exe

MD5 45ae0640e800c5d09cc35e1d21240f27
SHA1 e6652fd165cf32e5c84953f6754d9f521ec5e82b
SHA256 4beff2c068feac7498d5a29374aa83250b3103202d50cd2390e9f3682f66d292
SHA512 1c6a4f0ed86c2714ee8309fa6212aafb0b54c1bb25e5c0a5f8f9f55869879ee6887abd0ca8e16c22cda74ddcb2863dac37f4dc8771a757cb68c304813bd71828

memory/3084-61-0x00007FF7F93A0000-0x00007FF7F96F1000-memory.dmp

C:\Windows\System\MvYzBCR.exe

MD5 9fcb88b35aa520aabee5e6ee9f5b297a
SHA1 4a6bab462413ab5a2e6058b0015ac42cb6eb9cc2
SHA256 dee4d2b2e1fc1aeb8613fbf5910e7e1ce283ff382523e94c3bb031cd6f195be8
SHA512 e1e7561e81dba390db5f6ee2e13132fda941b83751c2c434a03b851d8194b3480e31671fd0da02c38f844925284fd2915464bfb334dfe18b36ba3f4794617f3c

C:\Windows\System\wdSQhFs.exe

MD5 c29fb264942a93efa869d7b6fdedc65b
SHA1 384fdeee1edeb286e909e204e12d5ffe6d7de7c5
SHA256 1cb447c7ea498abd9f72709485638b602cf849f11f4149e073ce6e471a8cdac7
SHA512 dc531cdf8769b8d3edb0836c7d3bff62e00ac23ba5bcead57de9d2cd221a1ec2441bc56ea37df2ce1d5f89be37db1927ea4bff12c48b59f7e053be5c3b92b920

memory/4984-47-0x00007FF603F30000-0x00007FF604281000-memory.dmp

memory/2412-45-0x00007FF7DFC50000-0x00007FF7DFFA1000-memory.dmp

memory/3084-137-0x00007FF7F93A0000-0x00007FF7F96F1000-memory.dmp

memory/3060-150-0x00007FF794630000-0x00007FF794981000-memory.dmp

memory/4624-153-0x00007FF78FCD0000-0x00007FF790021000-memory.dmp

memory/3568-155-0x00007FF700C60000-0x00007FF700FB1000-memory.dmp

memory/3084-159-0x00007FF7F93A0000-0x00007FF7F96F1000-memory.dmp

memory/4916-156-0x00007FF797510000-0x00007FF797861000-memory.dmp

memory/4088-158-0x00007FF756EC0000-0x00007FF757211000-memory.dmp

memory/4596-157-0x00007FF741400000-0x00007FF741751000-memory.dmp

memory/3116-154-0x00007FF78D910000-0x00007FF78DC61000-memory.dmp

memory/1728-152-0x00007FF7D4E10000-0x00007FF7D5161000-memory.dmp

memory/644-151-0x00007FF6875F0000-0x00007FF687941000-memory.dmp

memory/976-211-0x00007FF73F3A0000-0x00007FF73F6F1000-memory.dmp

memory/1844-213-0x00007FF670630000-0x00007FF670981000-memory.dmp

memory/3016-216-0x00007FF7D98F0000-0x00007FF7D9C41000-memory.dmp

memory/2536-217-0x00007FF71D390000-0x00007FF71D6E1000-memory.dmp

memory/752-219-0x00007FF74D540000-0x00007FF74D891000-memory.dmp

memory/2424-223-0x00007FF6D0400000-0x00007FF6D0751000-memory.dmp

memory/2412-234-0x00007FF7DFC50000-0x00007FF7DFFA1000-memory.dmp

memory/4960-236-0x00007FF762480000-0x00007FF7627D1000-memory.dmp

memory/4984-238-0x00007FF603F30000-0x00007FF604281000-memory.dmp

memory/3188-241-0x00007FF7DEE30000-0x00007FF7DF181000-memory.dmp

memory/3976-242-0x00007FF718820000-0x00007FF718B71000-memory.dmp

memory/3060-251-0x00007FF794630000-0x00007FF794981000-memory.dmp

memory/4624-252-0x00007FF78FCD0000-0x00007FF790021000-memory.dmp

memory/3116-258-0x00007FF78D910000-0x00007FF78DC61000-memory.dmp

memory/644-256-0x00007FF6875F0000-0x00007FF687941000-memory.dmp

memory/3568-260-0x00007FF700C60000-0x00007FF700FB1000-memory.dmp

memory/1728-254-0x00007FF7D4E10000-0x00007FF7D5161000-memory.dmp

memory/32-246-0x00007FF76ACE0000-0x00007FF76B031000-memory.dmp

memory/4088-266-0x00007FF756EC0000-0x00007FF757211000-memory.dmp

memory/4916-264-0x00007FF797510000-0x00007FF797861000-memory.dmp

memory/4596-263-0x00007FF741400000-0x00007FF741751000-memory.dmp
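Two facts in this run are worth pulling out of the raw listing: every child launched through WriteProcessMemory is a seven-letter executable under C:\Windows\System, and every memory dump of a child's main image spans exactly the same 0x351000 bytes as the parent's image at PID 3084 (for example 0x00007FF7F93A0000 to 0x00007FF7F96F1000), even though the dropped files all carry different hashes. The script below is an added example, not part of the original sandbox report or of any sandbox vendor's tooling. It rebuilds the parent/child tree from the "PID X wrote to memory of Y" rows, takes the largest dumped region per PID as that process's main image, and flags each child that matches this clone shape. The parsing rules are assumptions about how this page lays out the rows and dump names, and the embedded rows are a constructed subset of the behavioral2 data above.

```python
"""Process tree and image-size fingerprint from the behavioral2 run.

Added example, not part of the original sandbox report. It parses two kinds
of lines copied from the report: the "PID X wrote to memory of Y" rows and
the memory/<pid>-<n>-<start>-<end>-memory.dmp names. Both parsing rules are
assumptions about this page's layout, not a documented export format.
"""
import re
from collections import defaultdict

PARENT = (r"C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76"
          r"_cobalt-strike_cobaltstrike_poet-rat.exe")

# Constructed input: a subset of the WriteProcessMemory rows. The report lists
# each pair twice; one duplicate is kept on purpose to show it collapses.
WPM_ROWS = "\n".join([
    f"PID 3084 wrote to memory of 976 N/A {PARENT} C:\\Windows\\System\\qCYNAky.exe",
    f"PID 3084 wrote to memory of 976 N/A {PARENT} C:\\Windows\\System\\qCYNAky.exe",
    f"PID 3084 wrote to memory of 1844 N/A {PARENT} C:\\Windows\\System\\YyVzPKv.exe",
    f"PID 3084 wrote to memory of 3016 N/A {PARENT} C:\\Windows\\System\\TnHBJsO.exe",
    f"PID 3084 wrote to memory of 2536 N/A {PARENT} C:\\Windows\\System\\LkZNiKo.exe",
    f"PID 3084 wrote to memory of 752 N/A {PARENT} C:\\Windows\\System\\dQZBltq.exe",
])

# Constructed input: memory dump names from the behavioral2 "Files" list.
# PID 3084 has a second, small region (a heap) that must not be mistaken
# for its image; PID 976 was dumped twice from the same range.
DUMP_NAMES = """\
memory/3084-0-0x00007FF7F93A0000-0x00007FF7F96F1000-memory.dmp
memory/3084-1-0x0000025D315C0000-0x0000025D315D0000-memory.dmp
memory/976-9-0x00007FF73F3A0000-0x00007FF73F6F1000-memory.dmp
memory/1844-14-0x00007FF670630000-0x00007FF670981000-memory.dmp
memory/3016-18-0x00007FF7D98F0000-0x00007FF7D9C41000-memory.dmp
memory/2536-24-0x00007FF71D390000-0x00007FF71D6E1000-memory.dmp
memory/752-30-0x00007FF74D540000-0x00007FF74D891000-memory.dmp
memory/976-77-0x00007FF73F3A0000-0x00007FF73F6F1000-memory.dmp
"""

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
DROPPED_NAME_RE = re.compile(r"^[A-Za-z]{7}\.exe$")


def parse_process_tree(rows):
    """Return {parent_pid: {child_pid: child_image}}; duplicate rows collapse."""
    tree = defaultdict(dict)
    for line in rows.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            src, dst, _src_image, dst_image = m.groups()
            tree[int(src)][int(dst)] = dst_image
    return dict(tree)


def image_regions(dumps):
    """Largest dumped region per PID as (start, size); that is the main image."""
    best = {}
    for line in dumps.splitlines():
        m = DUMP_RE.match(line.strip())
        if not m:
            continue
        pid, _idx, start, end = m.groups()
        pid, start, size = int(pid), int(start, 16), int(end, 16) - int(start, 16)
        if pid not in best or size > best[pid][1]:
            best[pid] = (start, size)
    return best


def clone_report(tree, regions, parent_pid):
    """Flag each child of parent_pid that looks like a renamed copy of it."""
    parent_size = regions[parent_pid][1]
    report = []
    for pid, image in sorted(tree.get(parent_pid, {}).items()):
        directory, _, name = image.rpartition("\\")
        report.append({
            "pid": pid,
            "image": image,
            "in_windows_system": directory.lower() == r"c:\windows\system",
            "random_7_letter_name": bool(DROPPED_NAME_RE.match(name)),
            "same_image_size_as_parent": regions.get(pid, (0, 0))[1] == parent_size,
        })
    return report


if __name__ == "__main__":
    tree = parse_process_tree(WPM_ROWS)
    regions = image_regions(DUMP_NAMES)
    print(f"parent 3084 image size: {regions[3084][1]:#x}")
    for f in clone_report(tree, regions, 3084):
        flags = [k for k, v in f.items() if v is True]
        print(f"PID {f['pid']}: {f['image']} -> {', '.join(flags)}")
```

The three flags together are the hunting shape for this sample on a live host: a process image under C:\Windows\System whose name is seven letters, spawned by a process of the same image size, with the parent doing the WriteProcessMemory. Matching on the dropped files' hashes alone would miss the next run, since every copy in this report already hashes differently.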

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 15:24

Reported

2024-11-09 15:26

Platform

win7-20240903-en

Max time kernel

141s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 matches recorded; no description, indicator, process or target details were extracted for this signature.

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
43 matches recorded; no description, indicator, process or target details were extracted for this signature.

Loads dropped DLL

Description Indicator Process Target
21 matches recorded, all with Process C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe; no description, indicator or target details were extracted.

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\IXLBLZO.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bAGyPas.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uVWozYp.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\msdopXj.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JKhkUkP.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XzmtlNj.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EHbzNbG.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\llvuNiD.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FhcGQMn.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LmlCINu.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nSvihJO.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\svfWshL.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rLrlBMb.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YoAgIMO.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iUnFCbk.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NgUDWco.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KiKjiJk.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tqthMqi.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ipoiaEI.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VtRVMMI.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WoUHIbv.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2716 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nSvihJO.exe
PID 2716 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EHbzNbG.exe
PID 2716 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\svfWshL.exe
PID 2716 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\llvuNiD.exe
PID 2716 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FhcGQMn.exe
PID 2716 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ipoiaEI.exe
PID 2716 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\msdopXj.exe
PID 2716 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VtRVMMI.exe
PID 2716 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JKhkUkP.exe
PID 2716 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XzmtlNj.exe
PID 2716 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WoUHIbv.exe
PID 2716 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YoAgIMO.exe
PID 2716 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rLrlBMb.exe
PID 2716 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IXLBLZO.exe
PID 2716 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LmlCINu.exe
PID 2716 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bAGyPas.exe
PID 2716 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uVWozYp.exe
PID 2716 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iUnFCbk.exe
PID 2716 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NgUDWco.exe
PID 2716 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KiKjiJk.exe
PID 2716 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tqthMqi.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\nSvihJO.exe

C:\Windows\System\EHbzNbG.exe

C:\Windows\System\svfWshL.exe

C:\Windows\System\llvuNiD.exe

C:\Windows\System\FhcGQMn.exe

C:\Windows\System\ipoiaEI.exe

C:\Windows\System\msdopXj.exe

C:\Windows\System\VtRVMMI.exe

C:\Windows\System\JKhkUkP.exe

C:\Windows\System\XzmtlNj.exe

C:\Windows\System\WoUHIbv.exe

C:\Windows\System\YoAgIMO.exe

C:\Windows\System\rLrlBMb.exe

C:\Windows\System\IXLBLZO.exe

C:\Windows\System\LmlCINu.exe

C:\Windows\System\bAGyPas.exe

C:\Windows\System\uVWozYp.exe

C:\Windows\System\iUnFCbk.exe

C:\Windows\System\NgUDWco.exe

C:\Windows\System\KiKjiJk.exe

C:\Windows\System\tqthMqi.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files
