Malware Analysis Report

2025-04-03 17:59

Sample ID 241109-svcv1sxcnk
Target 2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat
SHA256 4d314d0d6ad2e348cb8ee7ccce4c24584d8a66f28edb0c7e0d1d4a1ceb9d89ba
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4d314d0d6ad2e348cb8ee7ccce4c24584d8a66f28edb0c7e0d1d4a1ceb9d89ba

Threat Level: Known bad

The file 2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Xmrig family

Cobaltstrike

xmrig

Cobalt Strike reflective loader

Cobaltstrike family

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-11-09 15:26

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Xmrig family

xmrig

UPX packed file

upx
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 15:26

Reported

2024-11-09 15:28

Platform

win7-20241010-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A

(The same entry is recorded 21 times.)

UPX packed file

upx
Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\LonQnje.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mBpeirY.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CWCYbYg.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iDuUlws.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cPDitjp.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AtpNFyh.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Lxdgula.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XZlMAbs.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gdYTCvo.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QjvttAT.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bDaWWdr.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fsBwxTK.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JUccupJ.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LkouLZi.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fzEXKsg.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YIhPsoM.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wyRjevo.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dmRSYzc.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rPQUHCY.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aRUoyel.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hbdSkJS.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2464 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cPDitjp.exe
PID 2464 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wyRjevo.exe
PID 2464 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hbdSkJS.exe
PID 2464 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QjvttAT.exe
PID 2464 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AtpNFyh.exe
PID 2464 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LonQnje.exe
PID 2464 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bDaWWdr.exe
PID 2464 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mBpeirY.exe
PID 2464 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Lxdgula.exe
PID 2464 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dmRSYzc.exe
PID 2464 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XZlMAbs.exe
PID 2464 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fsBwxTK.exe
PID 2464 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rPQUHCY.exe
PID 2464 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JUccupJ.exe
PID 2464 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CWCYbYg.exe
PID 2464 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aRUoyel.exe
PID 2464 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LkouLZi.exe
PID 2464 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fzEXKsg.exe
PID 2464 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YIhPsoM.exe
PID 2464 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iDuUlws.exe
PID 2464 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gdYTCvo.exe

(Each of the 21 targets has three identical entries in the original table.)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe"

Dropped executables, each listed with its own path as the command line:

C:\Windows\System\cPDitjp.exe
C:\Windows\System\wyRjevo.exe
C:\Windows\System\hbdSkJS.exe
C:\Windows\System\QjvttAT.exe
C:\Windows\System\AtpNFyh.exe
C:\Windows\System\LonQnje.exe
C:\Windows\System\bDaWWdr.exe
C:\Windows\System\mBpeirY.exe
C:\Windows\System\Lxdgula.exe
C:\Windows\System\dmRSYzc.exe
C:\Windows\System\XZlMAbs.exe
C:\Windows\System\fsBwxTK.exe
C:\Windows\System\rPQUHCY.exe
C:\Windows\System\JUccupJ.exe
C:\Windows\System\CWCYbYg.exe
C:\Windows\System\aRUoyel.exe
C:\Windows\System\LkouLZi.exe
C:\Windows\System\fzEXKsg.exe
C:\Windows\System\YIhPsoM.exe
C:\Windows\System\iDuUlws.exe
C:\Windows\System\gdYTCvo.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp

(Six identical connections recorded.)

Files


memory/2464-179-0x000000013F820000-0x000000013FB71000-memory.dmp

memory/2768-224-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

memory/2780-226-0x000000013F930000-0x000000013FC81000-memory.dmp

memory/2360-230-0x000000013F840000-0x000000013FB91000-memory.dmp

memory/2936-232-0x000000013F950000-0x000000013FCA1000-memory.dmp

memory/2904-229-0x000000013FE90000-0x00000001401E1000-memory.dmp

memory/2672-235-0x000000013FDE0000-0x0000000140131000-memory.dmp

memory/2612-238-0x000000013F700000-0x000000013FA51000-memory.dmp

memory/2448-237-0x000000013F0B0000-0x000000013F401000-memory.dmp

memory/2740-242-0x000000013F940000-0x000000013FC91000-memory.dmp

memory/1676-244-0x000000013FCF0000-0x0000000140041000-memory.dmp

memory/2732-241-0x000000013FE80000-0x00000001401D1000-memory.dmp

memory/2380-246-0x000000013FE60000-0x00000001401B1000-memory.dmp

memory/2808-256-0x000000013F440000-0x000000013F791000-memory.dmp

memory/2960-255-0x000000013FC70000-0x000000013FFC1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 15:26

Reported

2024-11-09 15:28

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\NiVDbLU.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\joIsNNo.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cwbXTRm.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RihbiHd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xncyisx.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QTNxBTd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yjYDGbE.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\loXGOTA.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rWgiKGF.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xMaiiDF.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lahHBUY.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BvfOWnI.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NxSEJRq.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ulRcvWn.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fSwfdtt.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\btCdhuW.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fzYNEKh.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JhLjgWd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QUmHaXc.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EQiafCt.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yYggjHK.exe C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3928 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fzYNEKh.exe
PID 3928 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fzYNEKh.exe
PID 3928 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JhLjgWd.exe
PID 3928 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JhLjgWd.exe
PID 3928 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QTNxBTd.exe
PID 3928 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QTNxBTd.exe
PID 3928 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yjYDGbE.exe
PID 3928 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yjYDGbE.exe
PID 3928 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QUmHaXc.exe
PID 3928 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QUmHaXc.exe
PID 3928 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NxSEJRq.exe
PID 3928 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NxSEJRq.exe
PID 3928 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\loXGOTA.exe
PID 3928 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\loXGOTA.exe
PID 3928 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EQiafCt.exe
PID 3928 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EQiafCt.exe
PID 3928 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NiVDbLU.exe
PID 3928 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NiVDbLU.exe
PID 3928 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xMaiiDF.exe
PID 3928 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xMaiiDF.exe
PID 3928 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ulRcvWn.exe
PID 3928 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ulRcvWn.exe
PID 3928 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fSwfdtt.exe
PID 3928 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fSwfdtt.exe
PID 3928 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yYggjHK.exe
PID 3928 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yYggjHK.exe
PID 3928 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lahHBUY.exe
PID 3928 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lahHBUY.exe
PID 3928 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BvfOWnI.exe
PID 3928 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BvfOWnI.exe
PID 3928 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\joIsNNo.exe
PID 3928 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\joIsNNo.exe
PID 3928 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\btCdhuW.exe
PID 3928 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\btCdhuW.exe
PID 3928 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cwbXTRm.exe
PID 3928 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cwbXTRm.exe
PID 3928 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RihbiHd.exe
PID 3928 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RihbiHd.exe
PID 3928 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xncyisx.exe
PID 3928 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xncyisx.exe
PID 3928 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rWgiKGF.exe
PID 3928 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rWgiKGF.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\fzYNEKh.exe

C:\Windows\System\fzYNEKh.exe

C:\Windows\System\JhLjgWd.exe

C:\Windows\System\JhLjgWd.exe

C:\Windows\System\QTNxBTd.exe

C:\Windows\System\QTNxBTd.exe

C:\Windows\System\yjYDGbE.exe

C:\Windows\System\yjYDGbE.exe

C:\Windows\System\QUmHaXc.exe

C:\Windows\System\QUmHaXc.exe

C:\Windows\System\NxSEJRq.exe

C:\Windows\System\NxSEJRq.exe

C:\Windows\System\loXGOTA.exe

C:\Windows\System\loXGOTA.exe

C:\Windows\System\EQiafCt.exe

C:\Windows\System\EQiafCt.exe

C:\Windows\System\NiVDbLU.exe

C:\Windows\System\NiVDbLU.exe

C:\Windows\System\xMaiiDF.exe

C:\Windows\System\xMaiiDF.exe

C:\Windows\System\ulRcvWn.exe

C:\Windows\System\ulRcvWn.exe

C:\Windows\System\fSwfdtt.exe

C:\Windows\System\fSwfdtt.exe

C:\Windows\System\yYggjHK.exe

C:\Windows\System\yYggjHK.exe

C:\Windows\System\lahHBUY.exe

C:\Windows\System\lahHBUY.exe

C:\Windows\System\BvfOWnI.exe

C:\Windows\System\BvfOWnI.exe

C:\Windows\System\joIsNNo.exe

C:\Windows\System\joIsNNo.exe

C:\Windows\System\btCdhuW.exe

C:\Windows\System\btCdhuW.exe

C:\Windows\System\cwbXTRm.exe

C:\Windows\System\cwbXTRm.exe

C:\Windows\System\RihbiHd.exe

C:\Windows\System\RihbiHd.exe

C:\Windows\System\xncyisx.exe

C:\Windows\System\xncyisx.exe

C:\Windows\System\rWgiKGF.exe

C:\Windows\System\rWgiKGF.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
