cobaltstrike | 0c390f368e24903e56c06e4c40e10428b3ff3d0ec2f97ccf74d7d6726c2b883f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.7MB
MD5

cbd2fe6212d7fee2fc20964cbe4ccc23
SHA1

dd634b2b7e30c1fc742f87aa66dbf67c2744b7cb
SHA256

0c390f368e24903e56c06e4c40e10428b3ff3d0ec2f97ccf74d7d6726c2b883f
SHA512

dd2fbd4c456c477c91fa14147c703d1e9a402fe1087484841fc05ef9af8097fcd14a11f0b039cc0b0f3178c099dfe067e3e080a23327ae2fe2ab3e93b1d375ed
SSDEEP

98304:4emTLkNdfE0pZaJ56utgpPFotBER/mQ32lUn:j+R56utgpPF8u/7n

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0018000000023c3b-6.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023cb5-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb9-18.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cba-24.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cb6-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbd-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbe-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbf-46.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc0-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc1-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc2-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc4-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc5-76.dat	cobalt_reflective_dll
behavioral2/files/0x000200000001e748-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc7-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc9-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cca-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccb-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccc-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ccd-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cce-124.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 43 IoCs

miner

resource	yara_rule
behavioral2/memory/3096-0-0x00007FF700540000-0x00007FF70088D000-memory.dmp	xmrig
behavioral2/files/0x0018000000023c3b-6.dat	xmrig
behavioral2/memory/3888-7-0x00007FF70D380000-0x00007FF70D6CD000-memory.dmp	xmrig
behavioral2/files/0x0009000000023cb5-12.dat	xmrig
behavioral2/files/0x0007000000023cb9-18.dat	xmrig
behavioral2/memory/2504-19-0x00007FF64D230000-0x00007FF64D57D000-memory.dmp	xmrig
behavioral2/memory/3648-13-0x00007FF727680000-0x00007FF7279CD000-memory.dmp	xmrig
behavioral2/memory/4884-25-0x00007FF6FDC40000-0x00007FF6FDF8D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cba-24.dat	xmrig
behavioral2/files/0x0008000000023cb6-30.dat	xmrig
behavioral2/files/0x0007000000023cbd-35.dat	xmrig
behavioral2/memory/3892-31-0x00007FF681E40000-0x00007FF68218D000-memory.dmp	xmrig
behavioral2/memory/368-37-0x00007FF7F5750000-0x00007FF7F5A9D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cbe-41.dat	xmrig
behavioral2/memory/2808-43-0x00007FF686650000-0x00007FF68699D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cbf-46.dat	xmrig
behavioral2/memory/544-49-0x00007FF6A70E0000-0x00007FF6A742D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cc0-52.dat	xmrig
behavioral2/memory/2240-55-0x00007FF6E8980000-0x00007FF6E8CCD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cc1-59.dat	xmrig
behavioral2/memory/3852-61-0x00007FF625360000-0x00007FF6256AD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cc2-64.dat	xmrig
behavioral2/memory/3812-67-0x00007FF7E9990000-0x00007FF7E9CDD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cc4-71.dat	xmrig
behavioral2/memory/2212-73-0x00007FF66F760000-0x00007FF66FAAD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cc5-76.dat	xmrig
behavioral2/files/0x000200000001e748-82.dat	xmrig
behavioral2/memory/3404-85-0x00007FF638190000-0x00007FF6384DD000-memory.dmp	xmrig
behavioral2/memory/4392-81-0x00007FF694CE0000-0x00007FF69502D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cc7-89.dat	xmrig
behavioral2/memory/4412-91-0x00007FF630A10000-0x00007FF630D5D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cc9-95.dat	xmrig
behavioral2/files/0x0007000000023cca-102.dat	xmrig
behavioral2/memory/4740-103-0x00007FF784E00000-0x00007FF78514D000-memory.dmp	xmrig
behavioral2/memory/4664-97-0x00007FF6E63B0000-0x00007FF6E66FD000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ccb-108.dat	xmrig
behavioral2/memory/3396-109-0x00007FF7AA340000-0x00007FF7AA68D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ccc-113.dat	xmrig
behavioral2/memory/2592-115-0x00007FF6A0740000-0x00007FF6A0A8D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023ccd-119.dat	xmrig
behavioral2/memory/3876-121-0x00007FF61FED0000-0x00007FF62021D000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cce-124.dat	xmrig
behavioral2/memory/3868-126-0x00007FF71A3C0000-0x00007FF71A70D000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3888	MznQYpf.exe
3648	KMuQbgi.exe
2504	cLUXmPl.exe
4884	KbAxWmQ.exe
3892	HdosREd.exe
368	VJGPiIK.exe
2808	RUMOFpr.exe
544	NNoEoWc.exe
2240	aOlFlUr.exe
3852	kFRfAUf.exe
3812	NaWroYx.exe
2212	LbEOWLG.exe
4392	owtReZW.exe
3404	wUOxOEi.exe
4412	lgmsUOm.exe
4664	TEgmLXC.exe
4740	CGYzajr.exe
3396	fhuynJa.exe
2592	qpflgpP.exe
3876	KsdpYkG.exe
3868	rVCCHBB.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\NNoEoWc.exe	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aOlFlUr.exe	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NaWroYx.exe	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KsdpYkG.exe	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KMuQbgi.exe	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VJGPiIK.exe	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kFRfAUf.exe	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LbEOWLG.exe	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wUOxOEi.exe	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lgmsUOm.exe	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rVCCHBB.exe	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MznQYpf.exe	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HdosREd.exe	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fhuynJa.exe	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cLUXmPl.exe	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CGYzajr.exe	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\owtReZW.exe	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TEgmLXC.exe	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qpflgpP.exe	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KbAxWmQ.exe	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RUMOFpr.exe	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 3888	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3096 wrote to memory of 3888	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3096 wrote to memory of 3648	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3096 wrote to memory of 3648	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3096 wrote to memory of 2504	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3096 wrote to memory of 2504	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3096 wrote to memory of 4884	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3096 wrote to memory of 4884	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3096 wrote to memory of 3892	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3096 wrote to memory of 3892	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3096 wrote to memory of 368	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3096 wrote to memory of 368	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3096 wrote to memory of 2808	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3096 wrote to memory of 2808	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3096 wrote to memory of 544	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3096 wrote to memory of 544	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3096 wrote to memory of 2240	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3096 wrote to memory of 2240	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3096 wrote to memory of 3852	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3096 wrote to memory of 3852	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3096 wrote to memory of 3812	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3096 wrote to memory of 3812	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3096 wrote to memory of 2212	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3096 wrote to memory of 2212	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3096 wrote to memory of 4392	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3096 wrote to memory of 4392	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3096 wrote to memory of 3404	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3096 wrote to memory of 3404	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3096 wrote to memory of 4412	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3096 wrote to memory of 4412	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3096 wrote to memory of 4664	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3096 wrote to memory of 4664	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3096 wrote to memory of 4740	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3096 wrote to memory of 4740	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3096 wrote to memory of 3396	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3096 wrote to memory of 3396	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3096 wrote to memory of 2592	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3096 wrote to memory of 2592	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3096 wrote to memory of 3876	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3096 wrote to memory of 3876	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3096 wrote to memory of 3868	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3096 wrote to memory of 3868	3096	2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe	106

C:\Users\Admin\AppData\Local\Temp\2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-20_cbd2fe6212d7fee2fc20964cbe4ccc23_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Windows\System\MznQYpf.exe
  C:\Windows\System\MznQYpf.exe
  2⤵
  - Executes dropped EXE
  PID:3888
- C:\Windows\System\KMuQbgi.exe
  C:\Windows\System\KMuQbgi.exe
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Windows\System\cLUXmPl.exe
  C:\Windows\System\cLUXmPl.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System\KbAxWmQ.exe
  C:\Windows\System\KbAxWmQ.exe
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Windows\System\HdosREd.exe
  C:\Windows\System\HdosREd.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System\VJGPiIK.exe
  C:\Windows\System\VJGPiIK.exe
  2⤵
  - Executes dropped EXE
  PID:368
- C:\Windows\System\RUMOFpr.exe
  C:\Windows\System\RUMOFpr.exe
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\System\NNoEoWc.exe
  C:\Windows\System\NNoEoWc.exe
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\System\aOlFlUr.exe
  C:\Windows\System\aOlFlUr.exe
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\System\kFRfAUf.exe
  C:\Windows\System\kFRfAUf.exe
  2⤵
  - Executes dropped EXE
  PID:3852
- C:\Windows\System\NaWroYx.exe
  C:\Windows\System\NaWroYx.exe
  2⤵
  - Executes dropped EXE
  PID:3812
- C:\Windows\System\LbEOWLG.exe
  C:\Windows\System\LbEOWLG.exe
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\System\owtReZW.exe
  C:\Windows\System\owtReZW.exe
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\System\wUOxOEi.exe
  C:\Windows\System\wUOxOEi.exe
  2⤵
  - Executes dropped EXE
  PID:3404
- C:\Windows\System\lgmsUOm.exe
  C:\Windows\System\lgmsUOm.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System\TEgmLXC.exe
  C:\Windows\System\TEgmLXC.exe
  2⤵
  - Executes dropped EXE
  PID:4664
- C:\Windows\System\CGYzajr.exe
  C:\Windows\System\CGYzajr.exe
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\System\fhuynJa.exe
  C:\Windows\System\fhuynJa.exe
  2⤵
  - Executes dropped EXE
  PID:3396
- C:\Windows\System\qpflgpP.exe
  C:\Windows\System\qpflgpP.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System\KsdpYkG.exe
  C:\Windows\System\KsdpYkG.exe
  2⤵
  - Executes dropped EXE
  PID:3876
- C:\Windows\System\rVCCHBB.exe
  C:\Windows\System\rVCCHBB.exe
  2⤵
  - Executes dropped EXE
  PID:3868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CGYzajr.exe

Filesize
5.7MB

MD5
41129ba3cfeebbf7eb54f9fbefa8398f

SHA1
7ba6af2bd5d3adca0ec12b9a95a65548124d96d2

SHA256
f8cd000c264bff796ac600fd81759b4722ee764b8394836031d06fed00f02aed

SHA512
524d5f7946040badb6020847e750b11231ec60fd300ccf41ca4ec1dfb2c13b3bf74c23fcf6fc4f5b1136fefa708af5a014f5516773028d2fe4fc9a59acfa1e26

Download Submit
C:\Windows\System\HdosREd.exe

Filesize
5.7MB

MD5
e6706a21ce3efafaa2422e7b2ce5ea82

SHA1
81ba7a9efe8188430d149fe535c290171c7d0db2

SHA256
b2a031e35f3f80b11f67f4270bd9dbba80578a3876d039252389567578a3317a

SHA512
052cb4292d0c71f80a9d78e9871c550e4996d4c2c2ae27b0482629509e84ec96edaa3603daa46e89e58536afd63cbdea2f36dae8335c5bebf5cbfde7e7aefdd2

Download Submit
C:\Windows\System\KMuQbgi.exe

Filesize
5.7MB

MD5
17fb536a37f4df26ca20f17510e95b50

SHA1
da98b3bba61afc32c3c62ad3e8cc247845e5808b

SHA256
0ffd3108ee4491e27ab2e911dec192ec2179f2e5edafb06cc9cac409690b61be

SHA512
6272080357c336dae917584b7d7f6c265c3d4d04da971c4373b2b5d22c695fa9c5146bf5b4949a88804dfdad22fb0bda2313148c576bc7dab79501f174b7def6

Download Submit
C:\Windows\System\KbAxWmQ.exe

Filesize
5.7MB

MD5
652c8bd2cb654092eb4169e40e8c844f

SHA1
8a88909dc682a69184514bdf44ca74558f0f73b0

SHA256
5da20029b32c7c9c79e514196d32d97bd75730dd1e61d18363b1d01ec61c1971

SHA512
ec49e13f789cf85cfa05b3745be020454591ba7475e01257bebc336473903a43c4a385933fbae5f6ae2f339dca06669096c6540d977beddb624783cdde7cd241

Download Submit
C:\Windows\System\KsdpYkG.exe

Filesize
5.7MB

MD5
a211d76d53c6af72d1e47cf66ec4b05d

SHA1
70c5241adf0b6e6963e7184d4b1175c81b7b3ff2

SHA256
0eb7cee1d1dc20b0c56f95efe5f6c3b888f33d40f07d41f3fa118dc4110c6de3

SHA512
ec1c5515c00737db851f1c0337eb761e8a0870ad39a162f3d4657172183b70ce279062f719e54396a9a9de1cdc47667ed1187db4d096e0991ea47072ca7d7250

Download Submit
C:\Windows\System\LbEOWLG.exe

Filesize
5.7MB

MD5
25bf3628344e9970f944b3a476977e78

SHA1
4632cdcd3637433e54a3181a4338a5d8ff3f038a

SHA256
eefe92459de0676fc1b3148ccddf6c8109bcf9ad251da06ef05dfbd6c4fc08b3

SHA512
acfbb43783516b7457aca970e86137584feb19274381906571326dbcab1b8a5de57ee20c066ffe4a7b93630c3e1a4468581ef18e4c34c74e31d7add5220772ad

Download Submit
C:\Windows\System\MznQYpf.exe

Filesize
5.7MB

MD5
eebc8ae5853e701da055952c7f877648

SHA1
bc9e32169d1ccca0d030909789c2d96342041bb4

SHA256
60238e8ca78406951a04dd575c3bf9a483fb121fb79bd157ce0e38148a577691

SHA512
f9782830f5418c0f24f927d32b862852ea0dd1e2d6e0c5652c7ecf86c41c7c4aea8a84ec0d4e68d4354d3f5e7185aa93d5b0da7af28797665613f8dbd25dd316

Download Submit
C:\Windows\System\NNoEoWc.exe

Filesize
5.7MB

MD5
4a583a09818cc3f397a65b638bfa2a8e

SHA1
9c1a251bba855ea63f50455cb2624ace4363f44b

SHA256
1d571bc86d81a85bde91d19c584418a5e5c7def65d0b41eb78d4a29290ef25cc

SHA512
4375da677e05d55f879e3ba7995be4688af3a2ab6cdce781c173f7700eb574f6e36d4da018fc4ed8650c5aa0d65f9415192c204d6e8b59906e8a78070f3fb4f3

Download Submit
C:\Windows\System\NaWroYx.exe

Filesize
5.7MB

MD5
e15d8c0cfc45b23bda5fe71fe1510b18

SHA1
c74e4ecc6c98e866eb86b323d4c0ae953303b2d4

SHA256
8d09a9fed4543db1453a44c94b4adfdb3869c49cfb39d1216253ba2876e0eef9

SHA512
11d863124306ed8a5f9ea843552acb1e4f8ba697f571a5178ac897d1f48d72a1bbaa72e8272a6db729c677e6f71c54ee5198ca9036d5dbb275fca316b8bf10b8

Download Submit
C:\Windows\System\RUMOFpr.exe

Filesize
5.7MB

MD5
4cf99900246b20bcc6b4eda988b7f5e4

SHA1
24c67f8b7f228f2d567661b1986226fde2a6b4e4

SHA256
d022ea60a8824af0a29a59359018b59cedcc1f9e16b83776cc690711595c8fcf

SHA512
3848bcec121077b07b933977132089afc397f18f1ef7ea440fa47dbc65225b661ee0d2f43bf13214ba1be1ae6355e9fd495a5103ad219f5bc909fe66600e42fe

Download Submit
C:\Windows\System\TEgmLXC.exe

Filesize
5.7MB

MD5
58798b8cd3c6c382d86746c46125f6b4

SHA1
f51324080b6659c20ecbd8629dc63347ed395a6e

SHA256
35ae186051e775a48ec57ea934b2340b495df9ca017721ff73baeffa661061bb

SHA512
0cd356debf9c11ae24224c03e9f8b7ebea120727218852694650cd776054e8d3da48a6838db3ea37d3d8086f21728ec33c8044f8c7b9273e9823ef7c58b61737

Download Submit
C:\Windows\System\VJGPiIK.exe

Filesize
5.7MB

MD5
5b8b91af2b8a9a390cb689809721f999

SHA1
dd4ac72c264571b8203946bea4a15b854e8277c8

SHA256
4195447b58b634a4a69f6596941e8bf6d2130cc953bc3bc55e25b2197edd78e2

SHA512
2e3acb483324ddcd4b248a6475858044a22336290c75f221a0a1c2dc52ab11c55b3acdd8df08e136c6a3ddaa4b63b9e274189a781d5fec4e1edde6036b457e3a

Download Submit
C:\Windows\System\aOlFlUr.exe

Filesize
5.7MB

MD5
5069db56026b98e40649624100f714a0

SHA1
269df2243b247be7604f24c5047052c0657a5bc3

SHA256
c6c36cfdc1ae5e96c012cfb69b957d66b7e2f416d55f25bd0b6e131e25e4227a

SHA512
5095ad90adb3bffab15d1f5140a6ca68eab537ac14eb4674e7f60504ecd908f28d3e84a8d961904f5fc37191802f23d706931c31673349fd9da1591e5f3c857b

Download Submit
C:\Windows\System\cLUXmPl.exe

Filesize
5.7MB

MD5
9f9008247fdcb96db042d2fe9e9ae801

SHA1
b1870700e52fc617ecbe869b7585babaabf341d0

SHA256
4068e36536ca799871490db6fd037c867387cfc13a844950f32b4dcea5d78b4f

SHA512
ddea6a0454f359e9e210a24e49c856ed56062a85b4a53c901b1bb87c78933d5b14043be34ea08255dd2a7def5a161414859adb3fa3461c041c52edc50ada66fd

Download Submit
C:\Windows\System\fhuynJa.exe

Filesize
5.7MB

MD5
afd54f411871f4816de485bcc8fef4ed

SHA1
ff8ef28e995cc01f1b5516d586c220cc5188a7a5

SHA256
76e74b4e6bb4ab42b159cba2b90cf714aa37fc6f791ac9fdb6ae7a35098904c2

SHA512
48b6a80f1909c96ea89c3a123a3924eb54821266f2960ac13afdf5e3f1b2a35e061c213b7df9a2423a33d0f8354a4f33ca69e0d21b97b7af264eb20fe392e15b

Download Submit
C:\Windows\System\kFRfAUf.exe

Filesize
5.7MB

MD5
0bba0a30d986da3fa56f7d063dcc9d89

SHA1
ffe5c303d29fec2ff28af28e10b2a69df01a4112

SHA256
6dec05a05c07bb2612d5e72569553f477b83e169babcb4148bf4951e240fcf4d

SHA512
2e9fbdac1aeb2e0126f1df22f0d5b12193b6e73697245aa0340d799307931133a201b729745d28a57fa52717d2e477989b1703e448e2ee127d02523edf96ff6b

Download Submit
C:\Windows\System\lgmsUOm.exe

Filesize
5.7MB

MD5
8b89c4d5a027859ea127d408d8ae15eb

SHA1
dadba0e2366b354a464442cc28c6ccde99616f7c

SHA256
6e8e498957910c78c6db7a02d9de47294b3b270a360c5128b523c2e7e1acb765

SHA512
0beaf82b7812d388ba98424560e928192c9f2e7ff2621d7a3ded626fe5bc8bf30d49ddb08cf13d83f66c675719c7bc7f115dcacd9e079df49060961eab147209

Download Submit
C:\Windows\System\owtReZW.exe

Filesize
5.7MB

MD5
2307cd26a9223665db6c67689a12e41d

SHA1
ceae8fc2bc3127a6073d6dbf864131d2d403b0c1

SHA256
257e8a62d1772d1e6fc244cb28a68f8e5bbc095bee9cdeae292eceb8634a955c

SHA512
dc36ca07531d592cee5426ed6c00ae7be0ff789ab22709fc8e73d4be9d98f2b2c9f581f483895547d1a974e8884443c815eb56e6f6932e18a6e0c43860202dc8

Download Submit
C:\Windows\System\qpflgpP.exe

Filesize
5.7MB

MD5
5505e3234c0a79e77ae7eb420db9e3e2

SHA1
56ed0a27483610a166acfd637e2caeda6cf07474

SHA256
aed4f9c02f3b8118a56c98e6b6db992f8a7ff58e4ee48358560937facc8c6cd6

SHA512
4583e3264e48b881d4145299d2c0b61c0bc4999de8c94235305d6514350b7002bd2474e9a0acb7395db453940aa5be50fda6aca7526f1a4693a203d64c3006bb

Download Submit
C:\Windows\System\rVCCHBB.exe

Filesize
5.7MB

MD5
cfce349188b20e45a760004c9c5ff8fa

SHA1
a2c7599a662a57031f886cd8e6adf97f2bed4a03

SHA256
225989c3269c73661d7f1f56d5f53025dd8861245b8e59d26a8b81efdd8758a7

SHA512
04d0970ee8588cbd24ba94b6f59767be748e673cbe3adc2945fade8ba60b9bf0d58417144ea5974a906fdccf32960d68007a080968eb781cc8af452858944b67

Download Submit
C:\Windows\System\wUOxOEi.exe

Filesize
5.7MB

MD5
1c20157da214fbbc3f8944589aa47023

SHA1
fe8da8f23fbd86031a47c86c8f0fecee9d4c4d92

SHA256
5b6f08e4369e610fdb78a7f4b3300800751282f4adb88183745b80555c467d85

SHA512
ccc6f9da70ce3939a2f5510ebca79e3a3b8e28b81be1b18ea50490978da386bb42152ca2794f00853895f11597c7ce496eb68cd7da2b256f1aeceed6c1cbd733

Download Submit
memory/368-37-0x00007FF7F5750000-0x00007FF7F5A9D000-memory.dmp

Filesize
3.3MB

Download
memory/544-49-0x00007FF6A70E0000-0x00007FF6A742D000-memory.dmp

Filesize
3.3MB

Download
memory/2212-73-0x00007FF66F760000-0x00007FF66FAAD000-memory.dmp

Filesize
3.3MB

Download
memory/2240-55-0x00007FF6E8980000-0x00007FF6E8CCD000-memory.dmp

Filesize
3.3MB

Download
memory/2504-19-0x00007FF64D230000-0x00007FF64D57D000-memory.dmp

Filesize
3.3MB

Download
memory/2592-115-0x00007FF6A0740000-0x00007FF6A0A8D000-memory.dmp

Filesize
3.3MB

Download
memory/2808-43-0x00007FF686650000-0x00007FF68699D000-memory.dmp

Filesize
3.3MB

Download
memory/3096-0-0x00007FF700540000-0x00007FF70088D000-memory.dmp

Filesize
3.3MB

Download
memory/3096-1-0x0000020F73F40000-0x0000020F73F50000-memory.dmp

Filesize
64KB

Download
memory/3396-109-0x00007FF7AA340000-0x00007FF7AA68D000-memory.dmp

Filesize
3.3MB

Download
memory/3404-85-0x00007FF638190000-0x00007FF6384DD000-memory.dmp

Filesize
3.3MB

Download
memory/3648-13-0x00007FF727680000-0x00007FF7279CD000-memory.dmp

Filesize
3.3MB

Download
memory/3812-67-0x00007FF7E9990000-0x00007FF7E9CDD000-memory.dmp

Filesize
3.3MB

Download
memory/3852-61-0x00007FF625360000-0x00007FF6256AD000-memory.dmp

Filesize
3.3MB

Download
memory/3868-126-0x00007FF71A3C0000-0x00007FF71A70D000-memory.dmp

Filesize
3.3MB

Download
memory/3876-121-0x00007FF61FED0000-0x00007FF62021D000-memory.dmp

Filesize
3.3MB

Download
memory/3888-7-0x00007FF70D380000-0x00007FF70D6CD000-memory.dmp

Filesize
3.3MB

Download
memory/3892-31-0x00007FF681E40000-0x00007FF68218D000-memory.dmp

Filesize
3.3MB

Download
memory/4392-81-0x00007FF694CE0000-0x00007FF69502D000-memory.dmp

Filesize
3.3MB

Download
memory/4412-91-0x00007FF630A10000-0x00007FF630D5D000-memory.dmp

Filesize
3.3MB

Download
memory/4664-97-0x00007FF6E63B0000-0x00007FF6E66FD000-memory.dmp

Filesize
3.3MB

Download
memory/4740-103-0x00007FF784E00000-0x00007FF78514D000-memory.dmp

Filesize
3.3MB

Download
memory/4884-25-0x00007FF6FDC40000-0x00007FF6FDF8D000-memory.dmp

Filesize
3.3MB

Download