Malware Analysis Report

2025-05-28 18:57

Sample ID 241110-s8kssazfkg
Target 2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat
SHA256 c490c4b3257dd8e4ffd0d88f2925c918b5981b48f0b4f9a90078dfac7b190253
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c490c4b3257dd8e4ffd0d88f2925c918b5981b48f0b4f9a90078dfac7b190253

Threat Level: Known bad

The file 2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Xmrig family

Cobalt Strike reflective loader

xmrig

XMRig Miner payload

Cobaltstrike

Cobaltstrike family

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-11-10 15:47

Signatures

Cobalt Strike reflective loader


Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 15:47

Reported

2024-11-10 15:50

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\NVZROtJ.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jwSTRpL.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nILWVJc.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hzgSRNz.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SRQAbSA.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yRQwXgw.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HugMGdK.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eVdmJhq.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\czjKqIi.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zaXJqRO.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vLMuxYo.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zBwcUpW.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DOFgpul.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RfDeGLZ.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HZojLuH.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UgCDztf.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZNBAOaf.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yzDPuuV.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eyvWyCX.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cCuOanw.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KpWEqCb.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1020 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jwSTRpL.exe
PID 1020 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jwSTRpL.exe
PID 1020 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZNBAOaf.exe
PID 1020 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZNBAOaf.exe
PID 1020 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zBwcUpW.exe
PID 1020 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zBwcUpW.exe
PID 1020 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yzDPuuV.exe
PID 1020 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yzDPuuV.exe
PID 1020 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HugMGdK.exe
PID 1020 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HugMGdK.exe
PID 1020 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eyvWyCX.exe
PID 1020 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eyvWyCX.exe
PID 1020 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DOFgpul.exe
PID 1020 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DOFgpul.exe
PID 1020 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cCuOanw.exe
PID 1020 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cCuOanw.exe
PID 1020 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eVdmJhq.exe
PID 1020 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eVdmJhq.exe
PID 1020 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\czjKqIi.exe
PID 1020 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\czjKqIi.exe
PID 1020 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nILWVJc.exe
PID 1020 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nILWVJc.exe
PID 1020 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RfDeGLZ.exe
PID 1020 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RfDeGLZ.exe
PID 1020 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hzgSRNz.exe
PID 1020 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hzgSRNz.exe
PID 1020 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SRQAbSA.exe
PID 1020 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SRQAbSA.exe
PID 1020 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HZojLuH.exe
PID 1020 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HZojLuH.exe
PID 1020 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yRQwXgw.exe
PID 1020 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yRQwXgw.exe
PID 1020 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NVZROtJ.exe
PID 1020 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NVZROtJ.exe
PID 1020 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KpWEqCb.exe
PID 1020 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KpWEqCb.exe
PID 1020 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UgCDztf.exe
PID 1020 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UgCDztf.exe
PID 1020 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zaXJqRO.exe
PID 1020 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zaXJqRO.exe
PID 1020 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vLMuxYo.exe
PID 1020 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vLMuxYo.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\jwSTRpL.exe

C:\Windows\System\jwSTRpL.exe

C:\Windows\System\ZNBAOaf.exe

C:\Windows\System\ZNBAOaf.exe

C:\Windows\System\zBwcUpW.exe

C:\Windows\System\zBwcUpW.exe

C:\Windows\System\yzDPuuV.exe

C:\Windows\System\yzDPuuV.exe

C:\Windows\System\HugMGdK.exe

C:\Windows\System\HugMGdK.exe

C:\Windows\System\eyvWyCX.exe

C:\Windows\System\eyvWyCX.exe

C:\Windows\System\DOFgpul.exe

C:\Windows\System\DOFgpul.exe

C:\Windows\System\cCuOanw.exe

C:\Windows\System\cCuOanw.exe

C:\Windows\System\eVdmJhq.exe

C:\Windows\System\eVdmJhq.exe

C:\Windows\System\czjKqIi.exe

C:\Windows\System\czjKqIi.exe

C:\Windows\System\nILWVJc.exe

C:\Windows\System\nILWVJc.exe

C:\Windows\System\RfDeGLZ.exe

C:\Windows\System\RfDeGLZ.exe

C:\Windows\System\hzgSRNz.exe

C:\Windows\System\hzgSRNz.exe

C:\Windows\System\SRQAbSA.exe

C:\Windows\System\SRQAbSA.exe

C:\Windows\System\HZojLuH.exe

C:\Windows\System\HZojLuH.exe

C:\Windows\System\yRQwXgw.exe

C:\Windows\System\yRQwXgw.exe

C:\Windows\System\NVZROtJ.exe

C:\Windows\System\NVZROtJ.exe

C:\Windows\System\KpWEqCb.exe

C:\Windows\System\KpWEqCb.exe

C:\Windows\System\UgCDztf.exe

C:\Windows\System\UgCDztf.exe

C:\Windows\System\zaXJqRO.exe

C:\Windows\System\zaXJqRO.exe

C:\Windows\System\vLMuxYo.exe

C:\Windows\System\vLMuxYo.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 15:47

Reported

2024-11-10 15:50

Platform

win7-20241010-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ItMmIff.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EeHBMrq.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YzaFZSc.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tlIwFEc.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JnJTdcS.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bteXdHw.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZNHwacj.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jrIGpIF.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gUygyPS.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QofFaWh.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ptjsQwt.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kSFXpNX.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jLjRlwP.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\coQikUL.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IYSBgEF.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qLKVVnd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YRUxDXT.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wVMitYd.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NsrFhdV.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\izByBbG.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kqpfBVJ.exe C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2932 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gUygyPS.exe
PID 2932 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gUygyPS.exe
PID 2932 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gUygyPS.exe
PID 2932 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EeHBMrq.exe
PID 2932 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EeHBMrq.exe
PID 2932 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EeHBMrq.exe
PID 2932 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YRUxDXT.exe
PID 2932 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YRUxDXT.exe
PID 2932 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YRUxDXT.exe
PID 2932 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YzaFZSc.exe
PID 2932 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YzaFZSc.exe
PID 2932 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YzaFZSc.exe
PID 2932 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jLjRlwP.exe
PID 2932 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jLjRlwP.exe
PID 2932 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jLjRlwP.exe
PID 2932 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\coQikUL.exe
PID 2932 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\coQikUL.exe
PID 2932 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\coQikUL.exe
PID 2932 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tlIwFEc.exe
PID 2932 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tlIwFEc.exe
PID 2932 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tlIwFEc.exe
PID 2932 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JnJTdcS.exe
PID 2932 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JnJTdcS.exe
PID 2932 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JnJTdcS.exe
PID 2932 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bteXdHw.exe
PID 2932 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bteXdHw.exe
PID 2932 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bteXdHw.exe
PID 2932 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IYSBgEF.exe
PID 2932 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IYSBgEF.exe
PID 2932 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IYSBgEF.exe
PID 2932 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QofFaWh.exe
PID 2932 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QofFaWh.exe
PID 2932 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QofFaWh.exe
PID 2932 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZNHwacj.exe
PID 2932 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZNHwacj.exe
PID 2932 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZNHwacj.exe
PID 2932 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jrIGpIF.exe
PID 2932 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jrIGpIF.exe
PID 2932 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jrIGpIF.exe
PID 2932 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qLKVVnd.exe
PID 2932 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qLKVVnd.exe
PID 2932 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qLKVVnd.exe
PID 2932 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ItMmIff.exe
PID 2932 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ItMmIff.exe
PID 2932 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ItMmIff.exe
PID 2932 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ptjsQwt.exe
PID 2932 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ptjsQwt.exe
PID 2932 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ptjsQwt.exe
PID 2932 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wVMitYd.exe
PID 2932 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wVMitYd.exe
PID 2932 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wVMitYd.exe
PID 2932 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NsrFhdV.exe
PID 2932 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NsrFhdV.exe
PID 2932 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NsrFhdV.exe
PID 2932 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\izByBbG.exe
PID 2932 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\izByBbG.exe
PID 2932 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\izByBbG.exe
PID 2932 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kqpfBVJ.exe
PID 2932 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kqpfBVJ.exe
PID 2932 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kqpfBVJ.exe
PID 2932 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kSFXpNX.exe
PID 2932 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kSFXpNX.exe
PID 2932 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kSFXpNX.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\gUygyPS.exe

C:\Windows\System\gUygyPS.exe

C:\Windows\System\EeHBMrq.exe

C:\Windows\System\EeHBMrq.exe

C:\Windows\System\YRUxDXT.exe

C:\Windows\System\YRUxDXT.exe

C:\Windows\System\YzaFZSc.exe

C:\Windows\System\YzaFZSc.exe

C:\Windows\System\jLjRlwP.exe

C:\Windows\System\jLjRlwP.exe

C:\Windows\System\coQikUL.exe

C:\Windows\System\coQikUL.exe

C:\Windows\System\tlIwFEc.exe

C:\Windows\System\tlIwFEc.exe

C:\Windows\System\JnJTdcS.exe

C:\Windows\System\JnJTdcS.exe

C:\Windows\System\bteXdHw.exe

C:\Windows\System\bteXdHw.exe

C:\Windows\System\IYSBgEF.exe

C:\Windows\System\IYSBgEF.exe

C:\Windows\System\QofFaWh.exe

C:\Windows\System\QofFaWh.exe

C:\Windows\System\ZNHwacj.exe

C:\Windows\System\ZNHwacj.exe

C:\Windows\System\jrIGpIF.exe

C:\Windows\System\jrIGpIF.exe

C:\Windows\System\qLKVVnd.exe

C:\Windows\System\qLKVVnd.exe

C:\Windows\System\ItMmIff.exe

C:\Windows\System\ItMmIff.exe

C:\Windows\System\ptjsQwt.exe

C:\Windows\System\ptjsQwt.exe

C:\Windows\System\wVMitYd.exe

C:\Windows\System\wVMitYd.exe

C:\Windows\System\NsrFhdV.exe

C:\Windows\System\NsrFhdV.exe

C:\Windows\System\izByBbG.exe

C:\Windows\System\izByBbG.exe

C:\Windows\System\kqpfBVJ.exe

C:\Windows\System\kqpfBVJ.exe

C:\Windows\System\kSFXpNX.exe

C:\Windows\System\kSFXpNX.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
