Malware Analysis Report

2024-10-23 18:48

Sample ID 240628-acrx4ssdqr
Target 2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat
SHA256 7e0ad8c2d8110217e8130a8d6cba6fcd287672fb11fda49a0508d5cddde68777
Tags: miner upx 0 xmrig cobaltstrike backdoor trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 7e0ad8c2d8110217e8130a8d6cba6fcd287672fb11fda49a0508d5cddde68777

Threat Level: Known bad

The file 2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Cobalt Strike reflective loader
Cobaltstrike family (cobaltstrike)
Detects Reflective DLL injection artifacts
XMRig Miner payload
Xmrig family (xmrig)
UPX dump on OEP (original entry point)
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-28 00:04

Signatures

The Description, Indicator, Process and Target columns were empty (N/A) for every static match, so only the signature names and family tags are listed.

Cobalt Strike reflective loader
Cobaltstrike family: cobaltstrike
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload (tag: miner)
Xmrig family: xmrig
UPX packed file (tag: upx)
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-28 00:04
Reported: 2024-06-28 00:06
Platform: win7-20240611-en
Max time kernel: 140s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader: 21 matches; Description, Indicator, Process and Target were N/A for each.

Cobaltstrike family: tags trojan, backdoor, cobaltstrike

xmrig family: tags miner, xmrig

Detects Reflective DLL injection artifacts: 21 matches; Description, Indicator, Process and Target were N/A for each.
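The two reflective-loader signatures above (and their static1 counterparts) report match counts only. The following is an added example, written for this page and not the sandbox's own signature logic, of the check such a signature performs on a dumped memory region: it looks for an MZ header whose DOS stub is executable code, using the widely published bootstrap bytes of Metasploit-style and Cobalt Strike reflective DLLs (x86: call $+5 / pop ebx; x64: the "MZARUH" sequence), and records whether a PE signature follows at e_lfanew. The region is constructed inline; the names STUBS, scan_region and verdict are mine.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Widely published reflective-loader bootstrap bytes. The "MZ" header doubles as the first
# instructions, so the injector can jump to offset 0 of the raw DLL without a PE loader:
#   x86: 4D 5A = dec ebp / pop edx; E8 00 00 00 00 = call $+5; 5B = pop ebx (get EIP) ...
#   x64: 4D 5A = pop r10; 41 52 = push r10; 55 = push rbp; 48 89 E5 = mov rbp, rsp ("MZARUH")
STUBS = {
    "reflective_loader_x86": bytes.fromhex("4d5ae8000000005b52455589e5"),
    "reflective_loader_x64": bytes.fromhex("4d5a4152554889e5"),
}


@dataclass
class Hit:
    offset: int                 # position of the MZ inside the dumped region
    stub: Optional[str]         # matching bootstrap pattern, if any
    e_lfanew: int
    pe_header_present: bool     # "PE\0\0" found at MZ + e_lfanew


def scan_region(region: bytes) -> List[Hit]:
    """Report every MZ in a dumped region that is either a loader stub or a full PE image."""
    hits: List[Hit] = []
    off = region.find(b"MZ")
    while off != -1:
        stub = next((n for n, s in STUBS.items() if region.startswith(s, off)), None)
        e_lfanew = struct.unpack_from("<I", region, off + 0x3C)[0] if off + 0x40 <= len(region) else 0
        pe_at = off + e_lfanew
        pe_present = e_lfanew > 0 and region[pe_at:pe_at + 4] == b"PE\0\0"
        if stub or pe_present:
            hits.append(Hit(off, stub, e_lfanew, pe_present))
        off = region.find(b"MZ", off + 1)
    return hits


def verdict(region: bytes) -> str:
    """Strongest classification for one region. OS-loaded modules live in image-mapped
    sections, so a complete PE image in a private (heap/VirtualAlloc) region is itself
    worth reporting even when no known stub matches."""
    hits = scan_region(region)
    if any(h.stub for h in hits):
        return "reflective_loader"
    if any(h.pe_header_present for h in hits):
        return "pe_image_in_region"
    return "clean"


def build_sample_region() -> bytes:
    """Constructed 0x200-byte region (not a real beacon): x64 stub at 0x40, e_lfanew = 0x80,
    a PE signature at 0xC0, zero padding elsewhere."""
    region = bytearray(0x200)
    base = 0x40
    stub = STUBS["reflective_loader_x64"]
    region[base:base + len(stub)] = stub
    struct.pack_into("<I", region, base + 0x3C, 0x80)
    region[base + 0x80:base + 0x84] = b"PE\0\0"
    return bytes(region)


SAMPLE_REGION = build_sample_region()
CLEAN_REGION = b"\0" * 0x40 + b"MZ" + b"\0" * 0x100   # "MZ" as plain data: no stub, no PE header

if __name__ == "__main__":
    for name, region in (("sample", SAMPLE_REGION), ("clean", CLEAN_REGION)):
        print(name, verdict(region), scan_region(region))
```

Run it over each memory/<pid>-… dump in turn; a stub hit in a region that is not a mapped module is the artifact these signatures name, while a bare PE image in private memory deserves a manual look rather than an automatic verdict.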

UPX dump on OEP (original entry point): 58 matches; Description, Indicator, Process and Target were N/A for each.

XMRig Miner payload (tag: miner): 63 matches; Description, Indicator, Process and Target were N/A for each.

Loads dropped DLL: 21 matches, each with Process = C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe; Description, Indicator and Target were N/A.

UPX packed file (tag: upx): 58 matches; Description, Indicator, Process and Target were N/A for each.
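The "UPX packed file" matches above (and the single static1 match) name the packer but not what was checked. The following is an added example of mine, not the sandbox's own logic, showing the three checks a UPX signature typically combines: the section names UPX0/UPX1, the "UPX!" pack-header magic UPX leaves in the header area, and the structural tell that survives a simple section rename, a first section with zero raw size but a large virtual size, where the unpacked image is written at run time. The PE images are constructed inside the block (a stripped-down layout with an empty optional header, not real binaries), and build_pe, parse_sections and upx_indicators are names I chose.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_ptr: int


def parse_sections(pe: bytes) -> List[Section]:
    """Walk DOS header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(n_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append(Section(name, vsize, vaddr, rsize, rptr))
    return sections


def upx_indicators(pe: bytes) -> Dict[str, bool]:
    secs = parse_sections(pe)
    # UPX writes its pack header (magic "UPX!") into the slack between the section table
    # and the first section's raw data, so only the header area is searched for it.
    first_raw = min((s.raw_ptr for s in secs if s.raw_ptr), default=len(pe))
    return {
        "upx_section_names": any(s.name.startswith("UPX") for s in secs),
        "upx_magic_in_header": b"UPX!" in pe[:first_raw],
        # Structural tell: UPX0 holds no file data but reserves room for the whole unpacked image.
        "empty_first_section": len(secs) >= 2 and secs[0].raw_size == 0
                               and secs[0].virtual_size > secs[1].virtual_size,
    }


def looks_upx_packed(pe: bytes) -> bool:
    return any(upx_indicators(pe).values())


def build_pe(sections: List[Tuple[bytes, int, int, bytes]], header_tail: bytes = b"") -> bytes:
    """Constructed minimal PE for the example: DOS header, PE signature, COFF header with an
    empty optional header, section table, optional trailing header bytes, raw data from 0x400."""
    e_lfanew, raw_start = 0x40, 0x400
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x22)
    table, data = b"", b""
    for name, vsize, vaddr, raw in sections:
        rptr = raw_start + len(data) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(raw), rptr, 0, 0, 0, 0, 0x60000020)
        data += raw
    header = dos + b"PE\0\0" + coff + table + header_tail
    return header.ljust(raw_start, b"\0") + data


# Constructed samples: a UPX-style layout, a plain two-section image, and a UPX layout
# with the section names and magic scrubbed, which only the structural check catches.
UPX_LIKE = build_pe(
    [(b"UPX0", 0x3F000, 0x1000, b""),               # empty on disk; unpacked code lands here
     (b"UPX1", 0x1000, 0x40000, b"\xeb\xfe" * 8),   # compressed payload plus unpacking stub
     (b".rsrc", 0x200, 0x41000, b"\0" * 16)],
    header_tail=b"UPX!",
)
PLAIN = build_pe([(b".text", 0x200, 0x1000, b"\xc3" * 16), (b".data", 0x100, 0x2000, b"\0" * 8)])
RENAMED = build_pe([(b".text", 0x3F000, 0x1000, b""), (b".data", 0x1000, 0x40000, b"\xeb\xfe" * 8)])

if __name__ == "__main__":
    for name, pe in (("upx_like", UPX_LIKE), ("plain", PLAIN), ("renamed", RENAMED)):
        print(name, looks_upx_packed(pe), upx_indicators(pe))
```

The first two checks are what most static signatures key on and are trivially defeated by renaming sections and zeroing the magic; the third is why a packer signature should be paired with the sandbox's "dump on OEP" step, which recovers the unpacked image regardless of what the on-disk headers say.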

Drops file in Windows directory

Process (all 21 rows): C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe
Description: File created; Indicator and Target: N/A

Files created:
C:\Windows\System\ORJJRxU.exe
C:\Windows\System\vltasxn.exe
C:\Windows\System\UqQajjJ.exe
C:\Windows\System\LdnpXhe.exe
C:\Windows\System\bmGZnOz.exe
C:\Windows\System\AfIKQkq.exe
C:\Windows\System\lSkkmgx.exe
C:\Windows\System\SYqRnmI.exe
C:\Windows\System\YkPibec.exe
C:\Windows\System\DVUzMfy.exe
C:\Windows\System\UtJfWal.exe
C:\Windows\System\DVwUCzH.exe
C:\Windows\System\ZTVtEEm.exe
C:\Windows\System\HiwCTjN.exe
C:\Windows\System\qtQyqvo.exe
C:\Windows\System\kauFuMH.exe
C:\Windows\System\rTlZodY.exe
C:\Windows\System\RJpBvDA.exe
C:\Windows\System\NDCJOrc.exe
C:\Windows\System\BmsBCoH.exe
C:\Windows\System\xhskZQj.exe

Suspicious use of WriteProcessMemory

Process: PID 1380, C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe
Indicator: N/A. The sandbox logged three writes per child; the three identical rows per child are collapsed to one here.

Target PID  Target
2812  C:\Windows\System\AfIKQkq.exe
2588  C:\Windows\System\lSkkmgx.exe
2596  C:\Windows\System\rTlZodY.exe
2700  C:\Windows\System\RJpBvDA.exe
2648  C:\Windows\System\ORJJRxU.exe
2504  C:\Windows\System\SYqRnmI.exe
2532  C:\Windows\System\YkPibec.exe
2200  C:\Windows\System\DVUzMfy.exe
2568  C:\Windows\System\UtJfWal.exe
2964  C:\Windows\System\DVwUCzH.exe
1916  C:\Windows\System\vltasxn.exe
1956  C:\Windows\System\ZTVtEEm.exe
2804  C:\Windows\System\LdnpXhe.exe
2992  C:\Windows\System\NDCJOrc.exe
3024  C:\Windows\System\BmsBCoH.exe
1584  C:\Windows\System\HiwCTjN.exe
1908  C:\Windows\System\UqQajjJ.exe
2240  C:\Windows\System\xhskZQj.exe
276   C:\Windows\System\qtQyqvo.exe
2780  C:\Windows\System\kauFuMH.exe
2796  C:\Windows\System\bmGZnOz.exe
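Read together, "Drops file in Windows directory", "Suspicious use of WriteProcessMemory" and the process list describe one behaviour: a process running from the user's Temp folder writes 21 randomly named executables into C:\Windows\System\ and starts each one. The following added example (mine, not part of the sandbox report) is detection logic for that drop-and-execute chain, run over rows copied from the two tables above (five of the children, one WriteProcessMemory row each) plus one constructed benign row. The row format, the Temp and Windows path tests and the min_children threshold are assumptions of this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Row shapes as they appear in the two signature tables above.
FILE_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

PARENT = r"C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe"
WINSYS = "C:\\Windows\\System\\"
# Five of the 21 children, with the PIDs logged in the WriteProcessMemory table.
CHILDREN = {"AfIKQkq": 2812, "lSkkmgx": 2588, "rTlZodY": 2596, "RJpBvDA": 2700, "ORJJRxU": 2648}

SAMPLE_ROWS = (
    [f"File created {WINSYS}{n}.exe {PARENT} N/A" for n in CHILDREN]
    # constructed control row: a file dropped outside the Windows directory must not count
    + [f"File created C:\\Users\\Admin\\AppData\\Local\\Temp\\notes.txt {PARENT} N/A"]
    + [f"PID 1380 wrote to memory of {pid} N/A {PARENT} {WINSYS}{n}.exe" for n, pid in CHILDREN.items()]
)


def _under(path: str, prefix: str) -> bool:
    return path.lower().startswith(prefix.lower())


def _from_user_temp(path: str) -> bool:
    return _under(path, "C:\\Users\\") and "\\appdata\\local\\temp\\" in path.lower()


@dataclass
class Finding:
    parent: str
    dropped_in_windows: List[str]
    dropped_then_spawned: Dict[str, int]   # dropped path -> PID it was started as


def analyze(rows: List[str], min_children: int = 2) -> List[Finding]:
    """Flag a Temp-resident process that creates files under C:\\Windows and then writes
    into processes whose image is one of those files (drop, then execute)."""
    drops: Dict[str, List[str]] = defaultdict(list)        # creating process -> created paths
    writes: Dict[str, Dict[str, int]] = defaultdict(dict)  # writing process -> {target image: pid}
    for row in rows:
        if m := FILE_RE.match(row):
            target, proc = m.groups()
            drops[proc].append(target)
        elif m := WPM_RE.match(row):
            _ppid, cpid, proc, target = m.groups()
            writes[proc][target] = int(cpid)
    findings: List[Finding] = []
    for parent, paths in drops.items():
        if not _from_user_temp(parent):
            continue
        in_windows = [p for p in paths if _under(p, "C:\\Windows\\")]
        spawned = {p: writes[parent][p] for p in in_windows if p in writes.get(parent, {})}
        if len(spawned) >= min_children:
            findings.append(Finding(parent, in_windows, spawned))
    return findings


def iocs(findings: List[Finding]) -> List[str]:
    """Dropped-and-executed paths: the file IOCs a responder would block or hunt for."""
    return sorted({p for f in findings for p in f.dropped_then_spawned})


if __name__ == "__main__":
    for f in analyze(SAMPLE_ROWS):
        print(f.parent)
        for path, pid in f.dropped_then_spawned.items():
            print(f"  {pid}\t{path}")
    print(iocs(analyze(SAMPLE_ROWS)))
```

The same logic maps onto EDR telemetry by feeding file-create events and process-create (or cross-process write) events in place of the sandbox rows; the point of requiring both halves of the chain is that a single file write into C:\Windows by an installer is common, while writing there from Temp and then executing the result is not.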

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe"

The 21 dropped executables, each started with its bare path as its command line:

C:\Windows\System\AfIKQkq.exe
C:\Windows\System\lSkkmgx.exe
C:\Windows\System\rTlZodY.exe
C:\Windows\System\RJpBvDA.exe
C:\Windows\System\ORJJRxU.exe
C:\Windows\System\SYqRnmI.exe
C:\Windows\System\YkPibec.exe
C:\Windows\System\DVUzMfy.exe
C:\Windows\System\UtJfWal.exe
C:\Windows\System\DVwUCzH.exe
C:\Windows\System\vltasxn.exe
C:\Windows\System\ZTVtEEm.exe
C:\Windows\System\LdnpXhe.exe
C:\Windows\System\NDCJOrc.exe
C:\Windows\System\BmsBCoH.exe
C:\Windows\System\HiwCTjN.exe
C:\Windows\System\UqQajjJ.exe
C:\Windows\System\xhskZQj.exe
C:\Windows\System\qtQyqvo.exe
C:\Windows\System\kauFuMH.exe
C:\Windows\System\bmGZnOz.exe

Network

Country  Destination        Domain  Proto
DE       3.120.209.58:8080  (none)  tcp    (logged 6 times; same endpoint each time, no domain resolved)

Files

memory/1380-0-0x000000013FE80000-0x00000001401D4000-memory.dmp

memory/1380-1-0x00000000003F0000-0x0000000000400000-memory.dmp

\Windows\system\AfIKQkq.exe

MD5 a6db5eb50ed8d24cb71292a6f2732398
SHA1 f65db97485c59d03277a229b957c99a84b6a8f93
SHA256 7ff7cdaa1f7ec5836328ad155558aac47e9821d4736e7b93aed71c6650913608
SHA512 af160d40a059c10f64dba978b1f4953dd7b001dff88377bda7224741ad874dd0d1a25301eff5299abb7e2d52151d4121f457dd4d1adae41c31adddcd7a148bc0

memory/1380-6-0x0000000002230000-0x0000000002584000-memory.dmp

\Windows\system\lSkkmgx.exe

MD5 4b15ab14a5e348a227fd941223980dc1
SHA1 60613033e4848839ca4df24431c3eaac4dd43e89
SHA256 c970cc52e895ff624f42326938bb1ed3cd7d69a54bee0f351fcd8288fdbaa153
SHA512 da162a12d7375c6af6137a5c75ba4019c122bd121dda6fe2056a861bc952ff80ce452ca5c05b49a99ddc6502168a33c2e4b3ea3687a348f5ea3386f45de1a0b8

memory/1380-15-0x000000013F220000-0x000000013F574000-memory.dmp

memory/2812-14-0x000000013FD10000-0x0000000140064000-memory.dmp

\Windows\system\rTlZodY.exe

MD5 868ad2d6810b1ec16d62f3634b75d341
SHA1 469e5e3384b3a49cca4b63050009f08fc079bfb4
SHA256 914dfa62c57c36d4a64446df01fc20c75cec9a8b52534520031040c1b8868512
SHA512 b512bda4a5c4921a8544add35c22110a50402da7220fc211037307cf5b68af652ca6c7521cda3547ca852fae833b0c694acadb7437b1c68ba69ee380159cb7f8

memory/2588-17-0x000000013F220000-0x000000013F574000-memory.dmp

C:\Windows\system\SYqRnmI.exe

MD5 50680a4a5bf72d57aee49761c563b2ce
SHA1 fe43416f4e36903105a2e0746332599fd40e008a
SHA256 3ee0e56deb91617402a06510b706745e676355f34abba9eb772ef2d9aa3633d5
SHA512 1e0ee0943a34a1c8181e3ccb66dc8b8ff90d4a71f73ef372c7559e79205cf3e0957d892a31b56a5a93556651def0a55e44eb49516edbee8e1435270562198cac

memory/2504-39-0x000000013FD20000-0x0000000140074000-memory.dmp

C:\Windows\system\ORJJRxU.exe

MD5 6ef5865916026df5ad8820ae718756d0
SHA1 322ee2e91ce2d41ee3df592b47656229eafe73e2
SHA256 1b62b9ca0d42d00988bb117918af8b7e6820cd16d4fb7b493932e61a7c98731b
SHA512 0afc94453bf8ac16e914aae856564cbbad4ff6c055830daddc9c8118e70b343989cc64606802ea6a6806303d40cec53d73f0e495246aeae1af07e06287057109

memory/1380-31-0x000000013F9F0000-0x000000013FD44000-memory.dmp

C:\Windows\system\YkPibec.exe

MD5 03b27faaeeaec5e5f82efb616b9a6687
SHA1 00aebd9848719008e22416e3601040d1aba1fbca
SHA256 51434632f3b376b555ecfda8488dde7cb73a4dadd67092478306e93ba0323e17
SHA512 6223c3b699da528b07937d49cfc0732d109516a0604922a3667e41c32273472b6bc85e19b291510c8676885ec2c6067549c84ee928400a8d695362d41f37e19c

C:\Windows\system\DVUzMfy.exe

MD5 2f31bfef7e3f4565e11e5298f68121fd
SHA1 c0680c23e6491d318afa44a8732b68c1e8b94e0e
SHA256 9a16d0ba26431c001d9e5a8fde1690359819e841e1c24a5551df956864b6e94b
SHA512 f39796bbe5b971cea200310d0192b63618232e5bb85a8b1abe87088acb3eb017f6fb760b112fce918ec0c15674aee9afaf80c7f440705f1587b5b85000e2a0d8

memory/2200-56-0x000000013FE20000-0x0000000140174000-memory.dmp

memory/1380-55-0x0000000002230000-0x0000000002584000-memory.dmp

memory/2532-50-0x000000013F3C0000-0x000000013F714000-memory.dmp

memory/1380-49-0x000000013F3C0000-0x000000013F714000-memory.dmp

memory/2648-42-0x000000013FD60000-0x00000001400B4000-memory.dmp

memory/1380-38-0x0000000002230000-0x0000000002584000-memory.dmp

memory/1380-20-0x000000013FA50000-0x000000013FDA4000-memory.dmp

memory/2700-35-0x000000013F9F0000-0x000000013FD44000-memory.dmp

memory/2596-27-0x000000013FA50000-0x000000013FDA4000-memory.dmp

C:\Windows\system\RJpBvDA.exe

MD5 d002aaba2bbec53adc84f44de2a67901
SHA1 3ce90c916f3aa2c69450d9b3915ef4a32278854a
SHA256 5d47ecd2b40e5f91b5c5edfcbdcf4019028fa5cdca31cfa4dd91fa22d28b9b01
SHA512 cd5e8d419e9a7d77057a247450fb56d560dd05516a6b31ae0fbdb49ef6d83f9e7f3af16f4645eface6d0b0feb0a51fd43ebf38fb89703154752961fb653fe767

\Windows\system\LdnpXhe.exe

MD5 be15b94b14e1fc6937d84ee4c9fc6fae
SHA1 29186b16ec020cfb18b3304247e3f1ddc4b2baf5
SHA256 07b350e44b12ee5e59b398426aa0bbf4547690710058d18af6ec0093a876772f
SHA512 e62295c5395c9d42ec7d7a7e3755f201b5b692ec01a6f2d6350f88add9c7b3031d37bd01a1bac6319c02075a476ac24ad818e4840de364ea095aedf229004918

\Windows\system\vltasxn.exe

MD5 a4c23c7837c24f386b64c7a9338c76cc
SHA1 bcf132a27fe049d8de37575fd4a9b8397c6aa873
SHA256 e6dc0b948d32ee1c72b2d38696da178106c7385132e540204425c382463a0a4e
SHA512 ef9bdf093c2f264ee111ca3ebe9e5a783206ef8c58f4941d8520f847623fcefe15e192d6c8b9e7385a87be8485c6c4062c2371bb930d9c45f0fab5b3f986a510

C:\Windows\system\DVwUCzH.exe

MD5 aae1c3ad9ac20a1d1175a9ac586bc132
SHA1 6e53449e618869c75fbcd8e4cc34665c4442e680
SHA256 68083322c961fc026e0f23807dfff6aec5999c94cd7e0a7b261225c732d63b41
SHA512 8a8f95380cf083003aa1c1ed66a3f3c53901626aa0201420d248f83607bf78de74bbd81b8378bdb74f34a182f43957936f989f7fc4938e2469705b3d85c7e51a

memory/1380-73-0x000000013FE80000-0x00000001401D4000-memory.dmp

\Windows\system\ZTVtEEm.exe

MD5 c70332dd94b180e57b9ed632bc99f399
SHA1 218dba45d147e03cfbd3116c265d67edb778e6c6
SHA256 9b9fe60b4340d83ac622c7d3b4c057029e050159ee59446c4f1aaad11f717d3b
SHA512 816908c25fc848dca5056fe382b3ecacc6471e8bfe29ae1ba7aaab0583dca064986dd6131648c9e6cace076c0baa02168d2f3776ea060fe597c955cdfde54816

memory/2964-90-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/1380-89-0x000000013F930000-0x000000013FC84000-memory.dmp

memory/1956-88-0x000000013F930000-0x000000013FC84000-memory.dmp

memory/2804-87-0x000000013FF00000-0x0000000140254000-memory.dmp

memory/1916-86-0x000000013F6B0000-0x000000013FA04000-memory.dmp

memory/1380-85-0x000000013F6B0000-0x000000013FA04000-memory.dmp

memory/1380-84-0x0000000002230000-0x0000000002584000-memory.dmp

memory/2568-82-0x000000013F260000-0x000000013F5B4000-memory.dmp

memory/2812-97-0x000000013FD10000-0x0000000140064000-memory.dmp

memory/2992-99-0x000000013F780000-0x000000013FAD4000-memory.dmp

C:\Windows\system\kauFuMH.exe

\Windows\system\bmGZnOz.exe

C:\Windows\system\qtQyqvo.exe

C:\Windows\system\UqQajjJ.exe

C:\Windows\system\BmsBCoH.exe

C:\Windows\system\xhskZQj.exe

C:\Windows\system\HiwCTjN.exe

C:\Windows\system\NDCJOrc.exe

C:\Windows\system\UtJfWal.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 00:04

Reported

2024-06-28 00:06

Platform

win10v2004-20240611-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\DVUzMfy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xhskZQj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AfIKQkq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SYqRnmI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RJpBvDA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ORJJRxU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YkPibec.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZTVtEEm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LdnpXhe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HiwCTjN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lSkkmgx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rTlZodY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BmsBCoH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UqQajjJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qtQyqvo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kauFuMH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vltasxn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NDCJOrc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bmGZnOz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UtJfWal.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DVwUCzH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4976 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AfIKQkq.exe
PID 4976 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AfIKQkq.exe
PID 4976 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lSkkmgx.exe
PID 4976 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lSkkmgx.exe
PID 4976 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rTlZodY.exe
PID 4976 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rTlZodY.exe
PID 4976 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RJpBvDA.exe
PID 4976 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RJpBvDA.exe
PID 4976 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ORJJRxU.exe
PID 4976 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ORJJRxU.exe
PID 4976 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SYqRnmI.exe
PID 4976 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SYqRnmI.exe
PID 4976 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YkPibec.exe
PID 4976 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YkPibec.exe
PID 4976 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DVUzMfy.exe
PID 4976 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DVUzMfy.exe
PID 4976 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UtJfWal.exe
PID 4976 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UtJfWal.exe
PID 4976 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DVwUCzH.exe
PID 4976 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DVwUCzH.exe
PID 4976 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vltasxn.exe
PID 4976 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vltasxn.exe
PID 4976 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZTVtEEm.exe
PID 4976 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZTVtEEm.exe
PID 4976 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LdnpXhe.exe
PID 4976 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LdnpXhe.exe
PID 4976 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NDCJOrc.exe
PID 4976 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NDCJOrc.exe
PID 4976 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BmsBCoH.exe
PID 4976 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BmsBCoH.exe
PID 4976 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HiwCTjN.exe
PID 4976 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HiwCTjN.exe
PID 4976 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UqQajjJ.exe
PID 4976 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UqQajjJ.exe
PID 4976 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xhskZQj.exe
PID 4976 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xhskZQj.exe
PID 4976 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qtQyqvo.exe
PID 4976 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qtQyqvo.exe
PID 4976 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kauFuMH.exe
PID 4976 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kauFuMH.exe
PID 4976 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bmGZnOz.exe
PID 4976 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bmGZnOz.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\AfIKQkq.exe

C:\Windows\System\AfIKQkq.exe

C:\Windows\System\lSkkmgx.exe

C:\Windows\System\lSkkmgx.exe

C:\Windows\System\rTlZodY.exe

C:\Windows\System\rTlZodY.exe

C:\Windows\System\RJpBvDA.exe

C:\Windows\System\RJpBvDA.exe

C:\Windows\System\ORJJRxU.exe

C:\Windows\System\ORJJRxU.exe

C:\Windows\System\SYqRnmI.exe

C:\Windows\System\SYqRnmI.exe

C:\Windows\System\YkPibec.exe

C:\Windows\System\YkPibec.exe

C:\Windows\System\DVUzMfy.exe

C:\Windows\System\DVUzMfy.exe

C:\Windows\System\UtJfWal.exe

C:\Windows\System\UtJfWal.exe

C:\Windows\System\DVwUCzH.exe

C:\Windows\System\DVwUCzH.exe

C:\Windows\System\vltasxn.exe

C:\Windows\System\vltasxn.exe

C:\Windows\System\ZTVtEEm.exe

C:\Windows\System\ZTVtEEm.exe

C:\Windows\System\LdnpXhe.exe

C:\Windows\System\LdnpXhe.exe

C:\Windows\System\NDCJOrc.exe

C:\Windows\System\NDCJOrc.exe

C:\Windows\System\BmsBCoH.exe

C:\Windows\System\BmsBCoH.exe

C:\Windows\System\HiwCTjN.exe

C:\Windows\System\HiwCTjN.exe

C:\Windows\System\UqQajjJ.exe

C:\Windows\System\UqQajjJ.exe

C:\Windows\System\xhskZQj.exe

C:\Windows\System\xhskZQj.exe

C:\Windows\System\qtQyqvo.exe

C:\Windows\System\qtQyqvo.exe

C:\Windows\System\kauFuMH.exe

C:\Windows\System\kauFuMH.exe

C:\Windows\System\bmGZnOz.exe

C:\Windows\System\bmGZnOz.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\AfIKQkq.exe

C:\Windows\System\lSkkmgx.exe

C:\Windows\System\rTlZodY.exe

C:\Windows\System\RJpBvDA.exe

C:\Windows\System\ORJJRxU.exe

C:\Windows\System\SYqRnmI.exe

C:\Windows\System\YkPibec.exe

C:\Windows\System\DVUzMfy.exe

C:\Windows\System\UtJfWal.exe

C:\Windows\System\DVwUCzH.exe

C:\Windows\System\vltasxn.exe

C:\Windows\System\ZTVtEEm.exe

C:\Windows\System\LdnpXhe.exe

C:\Windows\System\NDCJOrc.exe

C:\Windows\System\BmsBCoH.exe

C:\Windows\System\HiwCTjN.exe

C:\Windows\System\UqQajjJ.exe

C:\Windows\System\xhskZQj.exe

C:\Windows\System\qtQyqvo.exe

C:\Windows\System\kauFuMH.exe

C:\Windows\System\bmGZnOz.exe
