Malware Analysis Report

2025-04-03 18:00

Sample ID 241109-ssea3azlen
Target 2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat
SHA256 9f7d37c5cd3f241ddc35fa03b0adc97461e59a21d38a14e348b84abfc658f8dd
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10


Analysis Overview

score
10/10

SHA256

9f7d37c5cd3f241ddc35fa03b0adc97461e59a21d38a14e348b84abfc658f8dd

Threat Level: Known bad

The file 2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobalt Strike reflective loader

XMRig Miner payload

Cobaltstrike family

Xmrig family

Cobaltstrike

xmrig

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-11-09 15:23

Signatures

Cobalt Strike reflective loader


Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 15:22

Reported

2024-11-09 15:25

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\exWAWRg.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LWplupW.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\InRibHO.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xnadZVo.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EWCvEIm.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mogasaZ.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TdXxNEK.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mFvzqWE.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xOQahEa.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vQSUisE.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tLdYQwK.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IcWKbRA.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GbUOdqU.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mOYDzQA.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RHFrZqt.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UXfgNzG.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZHKYaKQ.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HDphGdg.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FHiymIE.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\caZENHw.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jlAdBeK.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4488 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mogasaZ.exe
PID 4488 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mogasaZ.exe
PID 4488 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TdXxNEK.exe
PID 4488 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TdXxNEK.exe
PID 4488 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FHiymIE.exe
PID 4488 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FHiymIE.exe
PID 4488 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\exWAWRg.exe
PID 4488 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\exWAWRg.exe
PID 4488 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mFvzqWE.exe
PID 4488 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mFvzqWE.exe
PID 4488 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xOQahEa.exe
PID 4488 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xOQahEa.exe
PID 4488 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RHFrZqt.exe
PID 4488 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RHFrZqt.exe
PID 4488 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\caZENHw.exe
PID 4488 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\caZENHw.exe
PID 4488 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jlAdBeK.exe
PID 4488 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jlAdBeK.exe
PID 4488 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LWplupW.exe
PID 4488 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LWplupW.exe
PID 4488 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\InRibHO.exe
PID 4488 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\InRibHO.exe
PID 4488 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UXfgNzG.exe
PID 4488 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UXfgNzG.exe
PID 4488 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZHKYaKQ.exe
PID 4488 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZHKYaKQ.exe
PID 4488 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vQSUisE.exe
PID 4488 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vQSUisE.exe
PID 4488 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tLdYQwK.exe
PID 4488 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tLdYQwK.exe
PID 4488 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IcWKbRA.exe
PID 4488 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IcWKbRA.exe
PID 4488 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HDphGdg.exe
PID 4488 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HDphGdg.exe
PID 4488 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xnadZVo.exe
PID 4488 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xnadZVo.exe
PID 4488 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EWCvEIm.exe
PID 4488 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EWCvEIm.exe
PID 4488 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GbUOdqU.exe
PID 4488 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GbUOdqU.exe
PID 4488 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mOYDzQA.exe
PID 4488 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mOYDzQA.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\mogasaZ.exe

C:\Windows\System\mogasaZ.exe

C:\Windows\System\TdXxNEK.exe

C:\Windows\System\TdXxNEK.exe

C:\Windows\System\FHiymIE.exe

C:\Windows\System\FHiymIE.exe

C:\Windows\System\exWAWRg.exe

C:\Windows\System\exWAWRg.exe

C:\Windows\System\mFvzqWE.exe

C:\Windows\System\mFvzqWE.exe

C:\Windows\System\xOQahEa.exe

C:\Windows\System\xOQahEa.exe

C:\Windows\System\RHFrZqt.exe

C:\Windows\System\RHFrZqt.exe

C:\Windows\System\caZENHw.exe

C:\Windows\System\caZENHw.exe

C:\Windows\System\jlAdBeK.exe

C:\Windows\System\jlAdBeK.exe

C:\Windows\System\LWplupW.exe

C:\Windows\System\LWplupW.exe

C:\Windows\System\InRibHO.exe

C:\Windows\System\InRibHO.exe

C:\Windows\System\UXfgNzG.exe

C:\Windows\System\UXfgNzG.exe

C:\Windows\System\ZHKYaKQ.exe

C:\Windows\System\ZHKYaKQ.exe

C:\Windows\System\vQSUisE.exe

C:\Windows\System\vQSUisE.exe

C:\Windows\System\tLdYQwK.exe

C:\Windows\System\tLdYQwK.exe

C:\Windows\System\IcWKbRA.exe

C:\Windows\System\IcWKbRA.exe

C:\Windows\System\HDphGdg.exe

C:\Windows\System\HDphGdg.exe

C:\Windows\System\xnadZVo.exe

C:\Windows\System\xnadZVo.exe

C:\Windows\System\EWCvEIm.exe

C:\Windows\System\EWCvEIm.exe

C:\Windows\System\GbUOdqU.exe

C:\Windows\System\GbUOdqU.exe

C:\Windows\System\mOYDzQA.exe

C:\Windows\System\mOYDzQA.exe

Network


Files


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 15:22

Reported

2024-11-09 15:25

Platform

win7-20240729-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\mOYDzQA.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mogasaZ.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\exWAWRg.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mFvzqWE.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EWCvEIm.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TdXxNEK.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vQSUisE.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tLdYQwK.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UXfgNzG.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZHKYaKQ.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HDphGdg.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GbUOdqU.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xOQahEa.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RHFrZqt.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LWplupW.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\InRibHO.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xnadZVo.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FHiymIE.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\caZENHw.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jlAdBeK.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IcWKbRA.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2604 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mogasaZ.exe
PID 2604 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TdXxNEK.exe
PID 2604 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FHiymIE.exe
PID 2604 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\exWAWRg.exe
PID 2604 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mFvzqWE.exe
PID 2604 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xOQahEa.exe
PID 2604 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RHFrZqt.exe
PID 2604 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\caZENHw.exe
PID 2604 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jlAdBeK.exe
PID 2604 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LWplupW.exe
PID 2604 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\InRibHO.exe
PID 2604 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UXfgNzG.exe
PID 2604 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZHKYaKQ.exe
PID 2604 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vQSUisE.exe
PID 2604 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tLdYQwK.exe
PID 2604 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IcWKbRA.exe
PID 2604 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HDphGdg.exe
PID 2604 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xnadZVo.exe
PID 2604 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EWCvEIm.exe
PID 2604 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GbUOdqU.exe
PID 2604 wrote to memory of 288 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mOYDzQA.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-09_49f6ae0c40468086b91733c2d977d391_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\mogasaZ.exe

C:\Windows\System\TdXxNEK.exe

C:\Windows\System\FHiymIE.exe

C:\Windows\System\exWAWRg.exe

C:\Windows\System\mFvzqWE.exe

C:\Windows\System\xOQahEa.exe

C:\Windows\System\RHFrZqt.exe

C:\Windows\System\caZENHw.exe

C:\Windows\System\jlAdBeK.exe

C:\Windows\System\LWplupW.exe

C:\Windows\System\InRibHO.exe

C:\Windows\System\UXfgNzG.exe

C:\Windows\System\ZHKYaKQ.exe

C:\Windows\System\vQSUisE.exe

C:\Windows\System\tLdYQwK.exe

C:\Windows\System\IcWKbRA.exe

C:\Windows\System\HDphGdg.exe

C:\Windows\System\xnadZVo.exe

C:\Windows\System\EWCvEIm.exe

C:\Windows\System\GbUOdqU.exe

C:\Windows\System\mOYDzQA.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/2604-0-0x000000013FD10000-0x0000000140061000-memory.dmp

memory/2604-1-0x0000000000580000-0x0000000000590000-memory.dmp

\Windows\system\mogasaZ.exe

MD5 33a8be3fa4a5e6361bd7e508e35419f2
SHA1 9c73c3352a56c92fe1fea213b70bbd12b745b578
SHA256 20ca1195bb6f501619885b4d2e92218fcd22d088809278269dfd3affa7d29a41
SHA512 d5f6c2e5dab4c0c44e693290aa349bfc09fec1cf5442faf499fc8b54094db1a1d1a3a36f6fc5106394651cb42b4b981c42458f9f84f4208d589683e14c1244b2

C:\Windows\system\TdXxNEK.exe

MD5 186c687bbaaafdc159c69c0b9528118e
SHA1 67fd63ec836f567e58a4dd9251e901be0d5e16e5
SHA256 3adb400e212e2a845544b7d29a9619fbeb468dc3b817d5feefe2c60696ce153a
SHA512 706d02800615bd0483d03ae93a76dee91ee676f4d7565b9694db829164faf16ee76337fbcda88228d324c1ac3e5dcb24531e2d97f7ade8a34de53973443f9684

C:\Windows\system\FHiymIE.exe

MD5 9f041ba5fd5418ac0e1ffd67e030d740
SHA1 1364297ae29695c7d116c62590872d89daa07c33
SHA256 b7d8917939067fbbb2112f4dd6b03c9522b49546d655b90fc5efb17bd3c861cf
SHA512 591ca7b0ca6bd43f59390236332bd1964d4153a3aec13ca292379ee8e3b42a4960cec392a8d9a2844fc91088b942a09c3933bd63e24d28686e2b4fad0c267763

C:\Windows\system\exWAWRg.exe

MD5 fb1929ba8f8474ddd6359a521e26e26c
SHA1 b83cb4f0c1d09ae5feb0348fe8c712c9580e1fe3
SHA256 399fe12eda2d7c98f6c9a9a3793c33c6f57b1138b4e54a5e50267f9a5dc583b4
SHA512 4e6d353458cf21aee56bc50177f33666dad80a6d56d190ae9a5b5a444f0fe9dba8e98d83803785ec2dc0eec5ead685a8e650dc5abc1aae01950862ae2917ea42

C:\Windows\system\mFvzqWE.exe

MD5 f6633d9366aae5640914706b12f4da70
SHA1 d6023cf1f05029285e3231d88ecda0a22f43af93
SHA256 a276718d55bf7631bffe29c5b87073289539c0c2c364a2fdefa8d6c7c766b736
SHA512 3949f30ada09da50de9caf7adca88e3915d711d66bb827224379b7062ce38a91b46dbc0048d60d978c60ff3abe536c9757ce6009d71a7e0636f704d48b20dded

C:\Windows\system\xOQahEa.exe

MD5 0075e5e2db879d8417b169046c2114e8
SHA1 16d0b18443518c3beea5098a017d77173cf866b1
SHA256 7877e8c51e2b4a3752c35e37372d09747256a02e84492d28af93d92cd1bb0a9d
SHA512 abddec63ed600c00d0ff6533b996a7302b897675280a6cff96692d665bb27ab75fe7750ee7e970b9b18625d83444e61ba011e92bab459ad77bda23f244b34b91

C:\Windows\system\InRibHO.exe

MD5 75fc73d86e170af589ad77852d7f516e
SHA1 8598e53fb89044657b9ff072b5892a9caf5e1de9
SHA256 7320fd50d202405109e40271524461ec97a049b382b957e13bbd21f7137cb01d
SHA512 ce0132ee747f7e4f87da58f31f7f7ad0864a3c8ec4ca6bc0bb9cc763d27cfbf1cb83a75b6640aaf6a82c366d9e7fb1e9699a8ba8e247cf0073471884b6b70dcf

C:\Windows\system\UXfgNzG.exe

MD5 4d665fdfde4540b6cc6c2fca806ea1d3
SHA1 6fed35c251c505502e338b1ecf2e2949d9e02599
SHA256 3622cb0487323334db58ebb9608d299003277d9addcf7c49a767c2179338c9c9
SHA512 01153232e0acdb6873f6c3e95a54c4a408d4ae54a30e8af57424b0985f749e11b4c73e9a916e1ca75ba858ee94e97c619ec87c06c55164db3e73db816c7b10fd

C:\Windows\system\tLdYQwK.exe

MD5 1153f27d8f4da4d25312226c05551974
SHA1 7940dd65cc3664aa0dd7934af4f90722a542fba6
SHA256 0a66b20750ae73e3082caffbbd52f05b0effe913ed7f5b8feba57de5829ca089
SHA512 7af55b0adc4d12b71b1fea5eb13d1e19414017d6429f5c7d5007277b458f013891f6614e6be2da99d0cb30e979fb3a7cf89bc8ef995f9c80a9ef616bcbcc5b45

C:\Windows\system\mOYDzQA.exe

MD5 6f335b2cb89d515b5c432d68137264cf
SHA1 9bf993a137dbd0ef63432efe4ac5c2097f0e765e
SHA256 93026031869924d4e29a60e225e691da4ca5737f61c99b02e1419bca136e9388
SHA512 5a87272f806d78c03176c022a33feeee8b5978aebc1beb3fb8d3ace8c1f43a308dc40dd49ce3096d24d19e7a66e36399558037c59ca6d151e3abfe9ecf88ecff

C:\Windows\system\GbUOdqU.exe

MD5 9e8b18de36645f4fb277c564241bce3c
SHA1 afe3f61b2945dd94bb98563320a8cdb0e4c3183f
SHA256 88acc009a2eaa06d4d0fa32616d7b72364e353885d3501ab9b070c01d7f5e110
SHA512 9cc13426c36ae115df56a24e0b971fb33e0efff8a54625a62f3a8bf5ebee9ee4e56d6a317ac95613b38491ba10d86129ec25bbb6d3b979710707aee675c23ff9

C:\Windows\system\EWCvEIm.exe

MD5 288d5a09e6b21c24f923187079a64fc0
SHA1 1fc425ddd1e0b1f4d02768c3ef853ba53af2070e
SHA256 bf6c8d883623a1db96ad40f26936a1ee382d400f4e6961cc4a0c4e42aa0b7028
SHA512 1d669e54e41571e8edda51870e1887a7cfe96afae00ed5b30804bed46e62d14b5e085fc8eb1ff5d7ca118092a4bbd75137dac15cdaa5a99967edd31245bbd551

C:\Windows\system\xnadZVo.exe

MD5 4d0d389f49fc67600f9bf3a046d032a6
SHA1 0854c2ae85cc7c90cabf79ee143262e64476ef0c
SHA256 0365bb725f2972d638a1c500cdbbfa73febec02c63c6d039045fc8c6d17d5b34
SHA512 5ba747d869ae6fcd556699012a0376569abac662ef48f389d03855a39616568b0470dbe35246698f18f235716565e9129af71213206cdf8fb1fde163ba370dab

C:\Windows\system\HDphGdg.exe

MD5 1837b6b98bd80a32a6735e306cc8ce12
SHA1 684d7107d8d2c05da9f80ab85f778fda42fed72c
SHA256 f476446d04d2083bbecccafcbad0cd47387adaffe76a397776c3238fc028ede4
SHA512 bcacb871b8fca587e2ec0722240c3a31dec2a0076385064e77dca17f5bda53fbb192d744148b97cffce6d3331609512f00989667f104f0d83230e34709b05c6e

C:\Windows\system\IcWKbRA.exe

MD5 6176bc7f71bb305fd4da4959e8e03eaf
SHA1 b6c205f25fc30807eec4e1e7da27663a194cfc77
SHA256 d252a3457585311b036387debc9e3c8bf07d63e1d66767d57a143d3c886b6218
SHA512 d649718afd465b95460e715cfd10564ac0a1df6b067ae073540b12f504d0cb2c38a7b5794ae660ccb7fc150392f0c6194d18d2d750a7dbd1de97c674ac5ed3d3

C:\Windows\system\vQSUisE.exe

MD5 fa566b678ab09eb30723f2bd58525a09
SHA1 28c86e3815be7f182b462a7e261f8115dc69cece
SHA256 15de6a917d85e1dbfad9fbbeebfed6a779f2d5229c2f8a64ce89d7861ee98afb
SHA512 a6e60e6c836e4408f809157d2064c8846dcd47cec53922df997472129767a5a03584d324ec1cc304aa5ca0bf2ed33d9c0c5e17630fe6426cfa5bb6317b77e288

C:\Windows\system\ZHKYaKQ.exe

MD5 63f4c91855e68e23f8f715ca91eef132
SHA1 95315047b0efde2cf6a1888be1739ceece4470ff
SHA256 19dd8cf5e8c3dd33d5843c8a61c290f05344f8b8cfd1076beca93e64f955fa71
SHA512 d56bf53dfec321d34205909ab9170d81159ab659739b8cc2711dc4228c21e67c38d31cc144c47c6dcb4df0a81854514faaf4416e6c5688297730276b687f83ca

C:\Windows\system\LWplupW.exe

MD5 c1ac1e07ed171dddca9578a35ac9a16f
SHA1 403c77915b1a82a8f58b4cad9edd2ae6d419ecd6
SHA256 d181b7f8f587d6ea0fb6a98bf88b2e8165b9a2df4f922cd08fda8db71f8be009
SHA512 84a7e3c75030cddc75b2880f0398cfe16c77a9e3c6e380328441fb601ec9f15f1d8d9b6f2b7d98501fdbac778c752b0ab0ca981417d5fc78a9c6fe554d9158a8

C:\Windows\system\jlAdBeK.exe

MD5 6e816221ce53703e4de4ee55c0ffc2ed
SHA1 441c609fee5b3e6ddd267c8cb46d0348a0d7d3e4
SHA256 cb4fe3a731bb041021f9b6bcee322ed350c25371d9e6237456e963990770fdeb
SHA512 ff737e0ff73677f70da3ff57733d0e939ca7dc653ec370da0eaf44dac53beaac211a8dc9681ddd9cdda3136e8676a399b65184b3a2918f14f4dea1fe51bdc4e1

C:\Windows\system\caZENHw.exe

MD5 1093b300ef8ae5bbe9df70a1f39068ec
SHA1 862b378e824e432783814c8d8052b82c1ee95933
SHA256 ce1fe2a8c321d6a83d73767d3f3ab30343f1309a3d315292bb85f114b987e2aa
SHA512 b6f00e24ca2cdb4c4b8f6079666f8a13831ae6b422060133f226445529eeb10a548b40841759bf77ac01040d0ad0e4d6cec27347c9eeb0656b5fe39ae6375135

C:\Windows\system\RHFrZqt.exe

MD5 3cd6025c7c4c8912f65d6d4fe16a3c81
SHA1 01823a3e96c535f1bdefc39f8313f13aade24b18
SHA256 cd8424f336b5be897e8caf0dcfac066420130ff0ead2e472a333ce31a564d408
SHA512 d247058505c1134de186b0d8ce3417425c38efa230b84c156ef9943d4aea34ad4ef0b4b54a83f3e1a697614a5fdf2ba505a66415f6e142b34e605a60ace4298b
