Malware Analysis Report

2024-10-23 18:49

Sample ID 240628-ad6gwszele
Target 2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat
SHA256 133733bcdc40011509f82498b38480d38b381133a731d628ae8e2926d2139dcb
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10


Analysis Overview

score
10/10

SHA256

133733bcdc40011509f82498b38480d38b381133a731d628ae8e2926d2139dcb

Threat Level: Known bad

The file 2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobaltstrike family

xmrig

UPX dump on OEP (original entry point)

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

XMRig Miner payload

Xmrig family

Cobaltstrike

Detects Reflective DLL injection artifacts

XMRig Miner payload

UPX dump on OEP (original entry point)

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-28 00:06

Signatures

Cobalt Strike reflective loader

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

XMRig Miner payload

miner

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xmrig family

xmrig

UPX packed file

upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 00:06

Reported

2024-06-28 00:09

Platform

win7-20240611-en

Max time kernel

125s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (row repeated 21 times in the report)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (row repeated 21 times in the report)

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (row repeated 57 times in the report)

XMRig Miner payload

miner

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (row repeated 62 times in the report)

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | N/A (row repeated 21 times in the report)

UPX packed file

upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (row repeated 57 times in the report)

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\System\CGCMggr.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\iZMgzVh.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\ouQToyH.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\ftOheVX.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\wMnznLA.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\aELtPHd.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\qASADpO.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\IiKBgAn.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\aemVKzh.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\SygfcrU.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\lntIsZJ.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\houGYMS.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\zCbJtpo.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\gEZxQwx.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\ENTgooL.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\GVwMGJv.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\brjKfGL.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\voVQOJk.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\UmjMXhQ.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\ilXwGWh.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\dEUvAaT.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
(each row below appears three times in the report, once per write to the same target process)
PID 2580 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\ftOheVX.exe
PID 2580 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\wMnznLA.exe
PID 2580 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\voVQOJk.exe
PID 2580 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\UmjMXhQ.exe
PID 2580 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\aELtPHd.exe
PID 2580 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\ilXwGWh.exe
PID 2580 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\dEUvAaT.exe
PID 2580 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\SygfcrU.exe
PID 2580 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\gEZxQwx.exe
PID 2580 wrote to memory of 2228 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\ENTgooL.exe
PID 2580 wrote to memory of 2480 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\qASADpO.exe
PID 2580 wrote to memory of 800 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\IiKBgAn.exe
PID 2580 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\aemVKzh.exe
PID 2580 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\CGCMggr.exe
PID 2580 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\GVwMGJv.exe
PID 2580 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\brjKfGL.exe
PID 2580 wrote to memory of 2324 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\lntIsZJ.exe
PID 2580 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\iZMgzVh.exe
PID 2580 wrote to memory of 2056 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\ouQToyH.exe
PID 2580 wrote to memory of 948 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\houGYMS.exe
PID 2580 wrote to memory of 804 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\zCbJtpo.exe

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\ftOheVX.exe | C:\Windows\System\ftOheVX.exe
C:\Windows\System\wMnznLA.exe | C:\Windows\System\wMnznLA.exe
C:\Windows\System\voVQOJk.exe | C:\Windows\System\voVQOJk.exe
C:\Windows\System\UmjMXhQ.exe | C:\Windows\System\UmjMXhQ.exe
C:\Windows\System\aELtPHd.exe | C:\Windows\System\aELtPHd.exe
C:\Windows\System\ilXwGWh.exe | C:\Windows\System\ilXwGWh.exe
C:\Windows\System\dEUvAaT.exe | C:\Windows\System\dEUvAaT.exe
C:\Windows\System\SygfcrU.exe | C:\Windows\System\SygfcrU.exe
C:\Windows\System\gEZxQwx.exe | C:\Windows\System\gEZxQwx.exe
C:\Windows\System\ENTgooL.exe | C:\Windows\System\ENTgooL.exe
C:\Windows\System\qASADpO.exe | C:\Windows\System\qASADpO.exe
C:\Windows\System\IiKBgAn.exe | C:\Windows\System\IiKBgAn.exe
C:\Windows\System\aemVKzh.exe | C:\Windows\System\aemVKzh.exe
C:\Windows\System\CGCMggr.exe | C:\Windows\System\CGCMggr.exe
C:\Windows\System\GVwMGJv.exe | C:\Windows\System\GVwMGJv.exe
C:\Windows\System\brjKfGL.exe | C:\Windows\System\brjKfGL.exe
C:\Windows\System\lntIsZJ.exe | C:\Windows\System\lntIsZJ.exe
C:\Windows\System\iZMgzVh.exe | C:\Windows\System\iZMgzVh.exe
C:\Windows\System\ouQToyH.exe | C:\Windows\System\ouQToyH.exe
C:\Windows\System\houGYMS.exe | C:\Windows\System\houGYMS.exe
C:\Windows\System\zCbJtpo.exe | C:\Windows\System\zCbJtpo.exe

Network

Country | Destination | Domain | Proto
DE | 3.120.209.58:8080 | N/A | tcp (row repeated 5 times in the report)

Files

SHA512 48daecdd08b1c16c1df6f0186d5c56a4f549b4f4a319811e45eb7c0327f57f45af8c8f6dca5043f6ffed7fbd7945142576dc46f4f4aa0c44eef4f30c0af3a39a

memory/2580-105-0x000000013F3F0000-0x000000013F744000-memory.dmp

memory/2844-102-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

memory/2580-101-0x000000013F480000-0x000000013F7D4000-memory.dmp

C:\Windows\system\CGCMggr.exe

MD5 345dd3be472ca8cb765d53c2a495aa3b
SHA1 d3a16315d9f32f9b2add6703c17a6497cbe240c6
SHA256 46ab59a52edd7039e4ee355ed1eb5b2b668d6bbf5628c7643d6e455d1efba6d3
SHA512 9c9482032473fab963759338eae3792c7fd454b26c77037635fced2c966f38ffdc0b25e9459a3ba78703e9e208ae2f27ea7cea94c93888dfc280f0751601344b

memory/2580-96-0x00000000023C0000-0x0000000002714000-memory.dmp

memory/1668-91-0x000000013FDE0000-0x0000000140134000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 00:06

Reported

2024-06-28 00:09

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\cCPCWUu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cIrqTqM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xbvhJtW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CGzjJix.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iggrPjb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MIvRKlL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eOlCwAg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DrIvdFf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QpjXYSg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MyZlmZR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JuqmgqJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wWxlKPj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EQiYNrs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RQXvVqs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rvsRukj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tCZkaXG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ailXrmt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NBbRtPC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wglDeKx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wKNjwJk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZhRdYKK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3044 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MyZlmZR.exe
PID 3044 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MyZlmZR.exe
PID 3044 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tCZkaXG.exe
PID 3044 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tCZkaXG.exe
PID 3044 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JuqmgqJ.exe
PID 3044 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JuqmgqJ.exe
PID 3044 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wWxlKPj.exe
PID 3044 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wWxlKPj.exe
PID 3044 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ailXrmt.exe
PID 3044 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ailXrmt.exe
PID 3044 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MIvRKlL.exe
PID 3044 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MIvRKlL.exe
PID 3044 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eOlCwAg.exe
PID 3044 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eOlCwAg.exe
PID 3044 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DrIvdFf.exe
PID 3044 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DrIvdFf.exe
PID 3044 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cCPCWUu.exe
PID 3044 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cCPCWUu.exe
PID 3044 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NBbRtPC.exe
PID 3044 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NBbRtPC.exe
PID 3044 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EQiYNrs.exe
PID 3044 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EQiYNrs.exe
PID 3044 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QpjXYSg.exe
PID 3044 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QpjXYSg.exe
PID 3044 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wglDeKx.exe
PID 3044 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wglDeKx.exe
PID 3044 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wKNjwJk.exe
PID 3044 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wKNjwJk.exe
PID 3044 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cIrqTqM.exe
PID 3044 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cIrqTqM.exe
PID 3044 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZhRdYKK.exe
PID 3044 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZhRdYKK.exe
PID 3044 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xbvhJtW.exe
PID 3044 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xbvhJtW.exe
PID 3044 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rvsRukj.exe
PID 3044 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rvsRukj.exe
PID 3044 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RQXvVqs.exe
PID 3044 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RQXvVqs.exe
PID 3044 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CGzjJix.exe
PID 3044 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CGzjJix.exe
PID 3044 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iggrPjb.exe
PID 3044 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iggrPjb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\MyZlmZR.exe

C:\Windows\System\MyZlmZR.exe

C:\Windows\System\tCZkaXG.exe

C:\Windows\System\tCZkaXG.exe

C:\Windows\System\JuqmgqJ.exe

C:\Windows\System\JuqmgqJ.exe

C:\Windows\System\wWxlKPj.exe

C:\Windows\System\wWxlKPj.exe

C:\Windows\System\ailXrmt.exe

C:\Windows\System\ailXrmt.exe

C:\Windows\System\MIvRKlL.exe

C:\Windows\System\MIvRKlL.exe

C:\Windows\System\eOlCwAg.exe

C:\Windows\System\eOlCwAg.exe

C:\Windows\System\DrIvdFf.exe

C:\Windows\System\DrIvdFf.exe

C:\Windows\System\cCPCWUu.exe

C:\Windows\System\cCPCWUu.exe

C:\Windows\System\NBbRtPC.exe

C:\Windows\System\NBbRtPC.exe

C:\Windows\System\EQiYNrs.exe

C:\Windows\System\EQiYNrs.exe

C:\Windows\System\QpjXYSg.exe

C:\Windows\System\QpjXYSg.exe

C:\Windows\System\wglDeKx.exe

C:\Windows\System\wglDeKx.exe

C:\Windows\System\wKNjwJk.exe

C:\Windows\System\wKNjwJk.exe

C:\Windows\System\cIrqTqM.exe

C:\Windows\System\cIrqTqM.exe

C:\Windows\System\ZhRdYKK.exe

C:\Windows\System\ZhRdYKK.exe

C:\Windows\System\xbvhJtW.exe

C:\Windows\System\xbvhJtW.exe

C:\Windows\System\rvsRukj.exe

C:\Windows\System\rvsRukj.exe

C:\Windows\System\RQXvVqs.exe

C:\Windows\System\RQXvVqs.exe

C:\Windows\System\CGzjJix.exe

C:\Windows\System\CGzjJix.exe

C:\Windows\System\iggrPjb.exe

C:\Windows\System\iggrPjb.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/3044-0-0x00007FF6D8D20000-0x00007FF6D9074000-memory.dmp

memory/3044-1-0x00000223F66B0000-0x00000223F66C0000-memory.dmp

C:\Windows\System\MyZlmZR.exe

MD5 ef1db4519b689b0aaa8f4d9c4acaacb8
SHA1 1cba9e23b4f879f9359a66575e89f2c0a4ea9300
SHA256 5bbae32cebb9d4b515b92c27a0c86cc98645e42563070c55cabdc1db0aba54e3
SHA512 d973269516316a96e628156b051a8fcfe023094770f1387cfb8165985af3c406bd228dbb68dcb44bd9abab861a42a2ad8c94ed40105e9dbb22e52cc413e352e7

C:\Windows\System\tCZkaXG.exe

MD5 76eb5edd19648d326bb486f191f3619b
SHA1 9c253b3b3329e079de0adf64f6d6be1088abb116
SHA256 090a92548f32dfc6b825458d31c71abf9b13fb30792bd16a56b0cfc1d9b8b1dc
SHA512 99c2acd0fd4f5aebb383313ca5981529033aab8ae576b905097a451c670032cc13e95e549ce7b138a29f5fd068ede2dbbea21c2879c8ef3254e4935aad13652a

C:\Windows\System\JuqmgqJ.exe

MD5 656871cbb4b77e82f28940499d8f943e
SHA1 c5b39057e21cd45f3122c9d7e79e0d21846b52c3
SHA256 975c727217e17d6a0ee3a55931616687cf7c7733969c383d875686d15ba42e52
SHA512 e41b2e9d17f9049cc20b2c6a123add83e4c1e60fd679e5dab7116670d773d61433d7ccb84fd126730214aacfbbcf71ef79b9a68c8bd2a107acc7d0bcf7bf6d32

memory/32-11-0x00007FF6DC970000-0x00007FF6DCCC4000-memory.dmp

memory/116-14-0x00007FF7A8010000-0x00007FF7A8364000-memory.dmp

memory/2916-20-0x00007FF7D64B0000-0x00007FF7D6804000-memory.dmp

C:\Windows\System\wWxlKPj.exe

MD5 dfd4938c9dd94d1e2cf744bd224ffa38
SHA1 fef2bfcd4477e32bb8c93d14600849fff5a6a6b4
SHA256 084a0e7e0b5d47b9a37fda581d22dfa645c827b7e9e715a134b0421bc606c561
SHA512 40c22cafbac809b22692691bad2d69a5d6f364cf9d6cbbf3f396eac52c25305fcee6d592059e9fac1bda087ccb39d25e2a9321301c8054b6ea36a8f13cd601ac

memory/3036-26-0x00007FF6C0CA0000-0x00007FF6C0FF4000-memory.dmp

C:\Windows\System\ailXrmt.exe

MD5 fbd24f96248df4e8416ab7fb3b353c7a
SHA1 686f2b98213856b394717da01bf15fd2fb0079d9
SHA256 db7a667248f17955b014b007163280efa357d6dc74b89f259e547bd13ff23922
SHA512 af9f4a2b05b3ba7036f943c7f9325a669821d7b3d3108c1602e761e07d5b24d0929e41a7a2102e449b18d53bb2057e232a0b1bb87d7cb1815bd81c4f9a130660

memory/3576-31-0x00007FF60F260000-0x00007FF60F5B4000-memory.dmp

C:\Windows\System\MIvRKlL.exe

MD5 eb9957c8e25d9cbdcc96597c57d4009a
SHA1 1986cf0fb004232351a5ce94b2c529ce6ea7a880
SHA256 6ec4fdb662f2dc979c226ad322db1d612a36f559b7a249d4cd90abc9ed5fbb2e
SHA512 7e3db253d99c0cbc4d9de49e9deece23cdb74c5a54543cc7b4cb7dfd40cd5049a5edf6be5d9853766b5caa37db9715e012670be80868a4a71b18cf02b70f1629

C:\Windows\System\eOlCwAg.exe

MD5 8b55be21b3c84e832c4b139e59a8594f
SHA1 0ba085ffeed2bd9624e11e4269a2d036602843d5
SHA256 4903c4e92f4d587aa3c9e29594dbfc3a9b444aedbe5d8789866cfb2a65e1c899
SHA512 0e5f3b559b4fce7e819859efa4b7c811e2381f233f9ee9df1ae88c24dbda6866c086e7f37dc8202ad1e906ca91aa4983cdd59b9f6fd4d8e67a5d41d7912017f2

C:\Windows\System\DrIvdFf.exe

MD5 f7b8051cd2bd4e73c2c78b36d305aa75
SHA1 9a29ee7ff2e319ebb82aa107c5d80a1970fb9ac6
SHA256 e720bb414e33963ede7e66e0d5e63adc4e04e06148c954be3540db2f1c04389d
SHA512 66842bd9bb08a291bd7fa0b126a837566f5d11a84a518d2b52693fb460ba06c43f350b780d3c90c4af3adfea0a5c9d060700bc169f6c196c7f9a9f7b9e73b544

memory/4092-47-0x00007FF6AFF70000-0x00007FF6B02C4000-memory.dmp

memory/2632-44-0x00007FF62F610000-0x00007FF62F964000-memory.dmp

memory/756-40-0x00007FF6B2860000-0x00007FF6B2BB4000-memory.dmp

C:\Windows\System\cCPCWUu.exe

MD5 b8d7bca9824c7a62d7252db08e97dd7d
SHA1 6c2f45fed22a5e3cc0efb862a079ff4f8705f6a5
SHA256 13c71e66b91476e92ebbdc5b9c582c380a8717879d4a7e1d3b6a933066910220
SHA512 5b7902f618768aa9cccbe0c82415024c339e71dc0080a9b060c5bcef2f86704541cb0bfc375f266bf005f82ab6e6268a329fd4ec4e379ba94b4f44684aa2ace7

C:\Windows\System\NBbRtPC.exe

MD5 51064964f182989c9672e8d758b59007
SHA1 b474b8dff201c1ff5aca14fe68af6160db72f4e2
SHA256 1fe0398dfdaae3aa09c33bb2f778e2cbd8eff44eb9482dc997aa00695bdef0d0
SHA512 ed07bce2ddb65d1d302bab071016d8d182ffec3da4cac2a3543a3fe053920405293dde8dda73d995da0af497f029c69ef6b3cafea297a7a750872304d030c73e

memory/3044-60-0x00007FF6D8D20000-0x00007FF6D9074000-memory.dmp

memory/2592-61-0x00007FF6EDBB0000-0x00007FF6EDF04000-memory.dmp

memory/4084-54-0x00007FF6B2540000-0x00007FF6B2894000-memory.dmp

C:\Windows\System\EQiYNrs.exe

MD5 42618e2a689ac370ad3cecec46b7ae00
SHA1 78f9c6088e437d37ae2a7f19d4827d623e598736
SHA256 6b6f431f1d5e4250cdc729dbda1130c58d4bcf589cb217771f7ad0e5bb989b5f
SHA512 52c42daed65bedcea13f93b50aa26af91eabb0e9a73058c83d7cb391627fd54ab023b17c6d59d5d78e8c9c45c76a725fd60c79eca12d583a19b598e2c942370f

C:\Windows\System\QpjXYSg.exe

MD5 6b3b76efc46f06d209292a6c26001ca6
SHA1 0248588d24dbc7224e1bcff3f7128295e826cb45
SHA256 7d8d3321a58098c4eabdd27c071ff56d30a7757e1b32db0b02c502a1ec16e47c
SHA512 aa17577092d230bd7db7947854a39bfe76e8e48a4a772f6f968307da7e74a179cf56befaaa8f82041de5bd2bec7862fac5fedf959753689905aa59233a560d8b

memory/644-70-0x00007FF69BE10000-0x00007FF69C164000-memory.dmp

memory/116-75-0x00007FF7A8010000-0x00007FF7A8364000-memory.dmp

C:\Windows\System\wglDeKx.exe

MD5 715ee81e2ebc73f0d0faae3c9039da7e
SHA1 fe96921eabeed79c7474896624ca97d328a0a5d8
SHA256 7ed094ca646ed355a0b48bd5a6cd38fed674b0c6dfc1e02fc79b3640bda96f21
SHA512 069e0b9e4c2bafc0266e7a047522d3283fb0d5b81876cf3addcfb35b2ea01927fa6e9c1259860e611cdd33f0f0bead6e597f1ecc5ee04080c4816bac295b301a

memory/4296-77-0x00007FF7007C0000-0x00007FF700B14000-memory.dmp

memory/2772-82-0x00007FF6A0360000-0x00007FF6A06B4000-memory.dmp

C:\Windows\System\wKNjwJk.exe

MD5 8e877045c3ac34ec6f1ce8dbdeeaa03f
SHA1 339e8f21602713e2d26ca8c6d244580941dc0033
SHA256 01e83bce1ae5d26c464975a197c285b7b829d0bf9758f4506563f623a67b5100
SHA512 a58d2bd40575e77deb51ab765a6d264427598a8a286902df630455c2dbd56a19e959b62976980a04ba06133b01fe7f249a68b13c6340a0b7a695217e9dc1fd35

memory/1132-86-0x00007FF6BCB30000-0x00007FF6BCE84000-memory.dmp

C:\Windows\System\cIrqTqM.exe

MD5 27b862f07fb7967bd400a3f6467694e8
SHA1 7237c7ff4dd42805986904f44f7a5064441e05ba
SHA256 63f7783401edf7f807db3fac53b361ba7b23bec1ab720158326cab7bc72df808
SHA512 eedfd3eb15fe0b2a89d83fb41fe519ff7c3305d6b3695492118c666c4646c88dc92bdcbfeb13f184a4fe3a143cc67a9ef040f92eb8c200239db11d0bef28e019

memory/3576-92-0x00007FF60F260000-0x00007FF60F5B4000-memory.dmp

C:\Windows\System\ZhRdYKK.exe

MD5 1fc9369a0f7b51bdf02fa288c0170193
SHA1 38bab2a3993d427b5557474fecd7a8d61243c5e9
SHA256 869fa3bd90e3aefe56cb56934f92dae45a130660a1d5c6fd3d2e151ffe8aa43a
SHA512 5ef0acf9aea25b323ff9fc63b9e23a8d31f25fde9f81adac5c3ca8482562bc857c6f2e651c474fd4472b0115b308a88417da08657c5fd645435decc9dac176bc

memory/4012-93-0x00007FF73B400000-0x00007FF73B754000-memory.dmp

memory/3372-101-0x00007FF71C220000-0x00007FF71C574000-memory.dmp

C:\Windows\System\xbvhJtW.exe

MD5 f45a3693a92de2e8d86516fcd34e451c
SHA1 4c586b8fc022c2996df4102b9c80d809096fc00e
SHA256 f607fe509d6ad83b2f1e371228b0411a57362d3d780432b68dba797b3759b9e6
SHA512 985283800c71697090b2a97b72243c395a12c52e9383f7190a91636a33bcc7189bd289197cca2e741e16f532909c3cd271e1e2f13b9f443460d703f228b5b593

C:\Windows\System\rvsRukj.exe

MD5 5eb231e3604fa468ef9a932f7d38b337
SHA1 35e17c0fed798c332ee6a262662521ecc0713dcc
SHA256 4f1b849a9bfdd728201719d5dc729435800fbcd3b7059966a3adb28607534f41
SHA512 cd5cdd85f674da108d17ee365927beb05c4e821342450a55327dec13c96c66054bdaff9a946f27a77a7b5cc319d4770e71aefef3d89dc66746b63398e19f360d

memory/4808-106-0x00007FF691DC0000-0x00007FF692114000-memory.dmp

memory/4084-114-0x00007FF6B2540000-0x00007FF6B2894000-memory.dmp

C:\Windows\System\RQXvVqs.exe

MD5 66ba21d5069d6807b75fba3d407c45eb
SHA1 572a5c3c4f50469ffe307666ff8039bf2beafaa8
SHA256 eb5b5697ad2272c593f79f37fc728c0bcec0a2aa88084298b1e7a19f050fe980
SHA512 0405dd095858d04597d8c19ff937596616a5b1d4daa37e66e9efcfaf8b5d1c01f870c58bd37fdce513522a21e339c0a64e3247424f7e45f0a08b97b76188a741

memory/3200-117-0x00007FF7177D0000-0x00007FF717B24000-memory.dmp

memory/532-121-0x00007FF6CDDA0000-0x00007FF6CE0F4000-memory.dmp

C:\Windows\System\CGzjJix.exe

MD5 ce6a23b79d6f3e27cfcd5cb736a444d3
SHA1 fcff04e9d64a9d0fb0b3976c0d213d5bfaa4f700
SHA256 bd87760da5ea5deed5a5a94e6d9bbe72602867472b872acc54ff69cb9216c20c
SHA512 01d00ca4c7abe370f98d48092aa25c944de0d3d1b9a711b9b7381fa23f47f9c9c302c31201ef0b5b8df39dac9db280b2d80ce757285f4cdd81396b6e96f091b1

memory/1044-126-0x00007FF74AD30000-0x00007FF74B084000-memory.dmp

C:\Windows\System\iggrPjb.exe

MD5 153e8aa2950d590337316f57414776df
SHA1 b833536383ae68d24085c38987a11179d61179b4
SHA256 66dcd9bf80e473d3d47cc14656ba267aa87dbedbc63e202d8593862769905739
SHA512 d561444c68f0639daad99eadbb7d11ed63eea0445d8f7fad9362461fb347f8b7da22a69f7a504bb57ab887d045c74a57103e5a4acd5393fdf57ef96033b73547
