Malware Analysis Report

2024-10-23 18:49

Sample ID 240628-agrg5ssfql
Target 2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat
SHA256 3c2f8effbe01c0fe9a5baac25cf0c5f59c189fa468f6b16c1b95d1e4fc8b1819
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3c2f8effbe01c0fe9a5baac25cf0c5f59c189fa468f6b16c1b95d1e4fc8b1819

Threat Level: Known bad

The file 2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike family

Xmrig family

UPX dump on OEP (original entry point)

XMRig Miner payload

xmrig

Detects Reflective DLL injection artifacts

Cobaltstrike

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

XMRig Miner payload

UPX dump on OEP (original entry point)

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-28 00:11

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 00:11

Reported

2024-06-28 00:13

Platform

win7-20240611-en

Max time kernel

134s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows, all fields N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows, all fields N/A)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (51 identical rows, all fields N/A)

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A (54 identical rows, all fields N/A)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A (21 identical rows)

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A (51 identical rows, all fields N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\IuFgFuP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jirIdKM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iFsOJWX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NmZERlQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nMKQChI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cJGBWLN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gHVxJuA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uSEBNhO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RjMutyh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AtwvJvR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TTkmDRj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GMYHtgi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\INlGxhx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UXRZlVz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WGAxUNc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KMPPZrN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gmaDEBa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VsnVnfP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SyZmZtA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EEZVqkx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jlaTiXV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(Each row below appears three times in the original table: three writes from PID 2424 into each target process.)
PID 2424 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WGAxUNc.exe
PID 2424 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TTkmDRj.exe
PID 2424 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KMPPZrN.exe
PID 2424 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GMYHtgi.exe
PID 2424 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\INlGxhx.exe
PID 2424 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gmaDEBa.exe
PID 2424 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IuFgFuP.exe
PID 2424 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VsnVnfP.exe
PID 2424 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jirIdKM.exe
PID 2424 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iFsOJWX.exe
PID 2424 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NmZERlQ.exe
PID 2424 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nMKQChI.exe
PID 2424 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SyZmZtA.exe
PID 2424 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cJGBWLN.exe
PID 2424 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gHVxJuA.exe
PID 2424 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EEZVqkx.exe
PID 2424 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jlaTiXV.exe
PID 2424 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uSEBNhO.exe
PID 2424 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RjMutyh.exe
PID 2424 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UXRZlVz.exe
PID 2424 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AtwvJvR.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\WGAxUNc.exe

C:\Windows\System\WGAxUNc.exe

C:\Windows\System\TTkmDRj.exe

C:\Windows\System\TTkmDRj.exe

C:\Windows\System\KMPPZrN.exe

C:\Windows\System\KMPPZrN.exe

C:\Windows\System\GMYHtgi.exe

C:\Windows\System\GMYHtgi.exe

C:\Windows\System\INlGxhx.exe

C:\Windows\System\INlGxhx.exe

C:\Windows\System\gmaDEBa.exe

C:\Windows\System\gmaDEBa.exe

C:\Windows\System\IuFgFuP.exe

C:\Windows\System\IuFgFuP.exe

C:\Windows\System\VsnVnfP.exe

C:\Windows\System\VsnVnfP.exe

C:\Windows\System\jirIdKM.exe

C:\Windows\System\jirIdKM.exe

C:\Windows\System\iFsOJWX.exe

C:\Windows\System\iFsOJWX.exe

C:\Windows\System\NmZERlQ.exe

C:\Windows\System\NmZERlQ.exe

C:\Windows\System\nMKQChI.exe

C:\Windows\System\nMKQChI.exe

C:\Windows\System\SyZmZtA.exe

C:\Windows\System\SyZmZtA.exe

C:\Windows\System\cJGBWLN.exe

C:\Windows\System\cJGBWLN.exe

C:\Windows\System\gHVxJuA.exe

C:\Windows\System\gHVxJuA.exe

C:\Windows\System\EEZVqkx.exe

C:\Windows\System\EEZVqkx.exe

C:\Windows\System\jlaTiXV.exe

C:\Windows\System\jlaTiXV.exe

C:\Windows\System\uSEBNhO.exe

C:\Windows\System\uSEBNhO.exe

C:\Windows\System\RjMutyh.exe

C:\Windows\System\RjMutyh.exe

C:\Windows\System\UXRZlVz.exe

C:\Windows\System\UXRZlVz.exe

C:\Windows\System\AtwvJvR.exe

C:\Windows\System\AtwvJvR.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none) tcp (6 identical rows)

Files

memory/2424-0-0x000000013FA20000-0x000000013FD74000-memory.dmp

memory/2424-1-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\WGAxUNc.exe

MD5 0abcb36fbfde006be1ead7e7e306ea13
SHA1 9b226dd2006c3b426e5ab8a6944c43955e59547e
SHA256 31f95f0df97e94d9aa1e80bd6079be6442ca5b5995e9c653a955e2e731071934
SHA512 0c208ff130bd82a523ed9b8b0a06c3df70957f6f985e2bd7dc352ef8526021869f40e199568a0819e16d3d3321d16f60b78d23854b0eeba9d7a1c2e844b84a24

C:\Windows\system\TTkmDRj.exe

MD5 5edd47916cb6941872a8e38cab2a1531
SHA1 937db0ee47cc1f2cac0b49d7a233ad4ff70e8cf1
SHA256 5a36fca304e283be6bcf02e0781a68eff6f71ffebc392d697190a9cf44fa3d51
SHA512 647869e1c8a7b22cb201b047c7b47cd30151d3764845b14eda8ea3dc3dfb964d790485fb02330664ee0b5740ec2ef93053183d40baba7f4ea2a6af675bfe4ed3

C:\Windows\system\KMPPZrN.exe

MD5 fad8ffa31b4e6689a4b33b2a9d633718
SHA1 cef1ec3978a1f64036cfcbd2bd9aa73ca73850b6
SHA256 cfd4419dde3a4c7c0d29429a1d9c55c477c18df5cea5e00048d9d06866d84f34
SHA512 4ac171b137c9ba4af7795f77e2ee717fb20101e6b0a724c3324c3b939a398e912ae2f891a264644a62f4344099ebf8f0622b564161c93bff3eea9a855de4fbaa

C:\Windows\system\GMYHtgi.exe

MD5 bd52a45ff622b5b94a12f033b39cd55e
SHA1 f915a8df7dd3a5080ecfd1ce25f9a3e20d8f84b0
SHA256 03dee971679b0da0ab50e05d425c12b6d880affeb65df7861a195a1bc2fea6e8
SHA512 0203a7b7a0aed8b8762968e6886a6f7c1a761478298642c7126ad3e09ae4376a90b7296be3f329fcff893d891d48a83d7327e4e7dcf4707abc28d028c3538a2e

C:\Windows\system\gmaDEBa.exe

MD5 940752a67bc8d32ca6ea3ebbae154299
SHA1 d5dc1292d53e45bcfda35805b3d6fab20e2d742d
SHA256 0b026e5bc15130c0c399b5be2c95f3ab6337becfe3f12ce6499b14a38b08ce11
SHA512 2f97fe6c8f5e97a1cfa514b46c07acfac8f4ac534e18ebd83a865d2d4dabd9352864b48b7b14237c60dd10fbca3f6ff7205876e7d79ccb9e1777aa8d3d402c46

C:\Windows\system\VsnVnfP.exe

MD5 a6a032d8297e8afa5d65f93481f57e36
SHA1 2f1762af5baebbbd4771b7cb0468c0c2e99ce40d
SHA256 aab5e6ba35018860aa165fa3130062e9534b71f2bceec87dfebf406388a212cf
SHA512 99d5d589776b28c7316557abdfd0207ca42e87a4c194eedc9fe694ae276fdb919881f06d8a67bf81bc317717ae10ef6c8702a113187131e6a573496e5f509c14

C:\Windows\system\jirIdKM.exe

MD5 a9a5b9472afedb3fcec3af260b96cadb
SHA1 86e421dcefe3365d95afaf90838a15f55783677a
SHA256 d07bdae91015e13792d70faf3e9f2699f255f1b22e68131e97133003e5410e99
SHA512 a2af93434d08803f27308dae93faf5610864777c791a92fa930561c81ceaea592986e8b01fde45df7ace83603bf60f859bd4853f7f9317e550067cde24e5aa1d

C:\Windows\system\NmZERlQ.exe

MD5 433306bd33551dd04d024f28ec820e24
SHA1 77e7d0783810a959e024c4f43af49e91b84531b0
SHA256 54f4e0e55a98664b0a089d4506dd1cbc7c1f18dc799367ba9fc2f09f004d2186
SHA512 7f9dbfc975f0ae9ba558eed92c1bd6905067d5a97f769818724dbb1b15b40193975a717c3cf45048311aa97d7af2b4fd68e7fc3db9f3ad1e91bfc264c5bed61c

C:\Windows\system\nMKQChI.exe

MD5 fe91f93a07407fc6d69bad246a767d96
SHA1 21ef35ded0000e652ea072df1a75c5b0052d13d3
SHA256 0ff5359b725515e9c663f1b78e7ce09903e96137d1e6606d969fa307681ba597
SHA512 2d92ba54c36d3a77c1fdded3e92dd3d8ee624bb36771d29d311ba2d964819ffe2bee077c9e2fe2c8c9c759ceceb2706daa1ee15450a243f65492c23555a1a3bb

C:\Windows\system\SyZmZtA.exe

MD5 eead0e592bf64191850673374422f927
SHA1 502591d4194bf79d3261b04630abe26accee51a7
SHA256 c355b50a9c0bb3bca51237b43a5ae64e4e5c8371cee8c7c077c1373274db6f56
SHA512 9ae6de2fdba4e6752dacba64b9454bdcb57fd09ea183174a92a3907741aa2be5d8fa95369429e9a9e030439d45d4ba0d83f09d5764cc4e6a00e7212c691c9a58

C:\Windows\system\jlaTiXV.exe

MD5 30d78bdc76522ccf31c91e0034cc1511
SHA1 d83dec1c094e1e3d4093b55277a1a36a4c81794a
SHA256 dac068b298970af44bded6e3c75f44df48e29ae582044493d18e44de6de45b5d
SHA512 6dc45ca7c61edeb4992cbb0111089113e5a81d4c7f8e9220d33cd4b1083d6e111e1b325af7d7ce2df7c2616011967514e10bbad9d955fb2dd97d2cd6ec500104

C:\Windows\system\RjMutyh.exe

MD5 e575f356a7b6427e3b49d854215e5c5f
SHA1 6e737333f4894d04cdb9bd24e18c1b6025fbe07a
SHA256 17e8e7af142b6de6697957104c7f0debf742c792e6bcf1e1b87fea40a4568f64
SHA512 4e624a06b47b84577d1aa6835035f283b59d3154014861016b55743c0a55ee8b386323882c6c8d4e8122ffdbcf7de8244c393c5ce29f5711c26734d45cc25a0d

C:\Windows\system\AtwvJvR.exe

MD5 3b73c350a9955ca3b90342b8dcacfd58
SHA1 60b90604c0503e151ece5a861e9a7ac889582390
SHA256 2617ff3eac81c0ff6e21c42c8556381931ffbdf62c5d8e103879574743659e58

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 00:11

Reported

2024-06-28 00:13

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\gmaDEBa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IuFgFuP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SyZmZtA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EEZVqkx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AtwvJvR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\INlGxhx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VsnVnfP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iFsOJWX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NmZERlQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gHVxJuA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uSEBNhO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UXRZlVz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GMYHtgi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TTkmDRj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KMPPZrN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jirIdKM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RjMutyh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WGAxUNc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cJGBWLN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jlaTiXV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nMKQChI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1016 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WGAxUNc.exe
PID 1016 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WGAxUNc.exe
PID 1016 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TTkmDRj.exe
PID 1016 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TTkmDRj.exe
PID 1016 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KMPPZrN.exe
PID 1016 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KMPPZrN.exe
PID 1016 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GMYHtgi.exe
PID 1016 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GMYHtgi.exe
PID 1016 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\INlGxhx.exe
PID 1016 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\INlGxhx.exe
PID 1016 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gmaDEBa.exe
PID 1016 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gmaDEBa.exe
PID 1016 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IuFgFuP.exe
PID 1016 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IuFgFuP.exe
PID 1016 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VsnVnfP.exe
PID 1016 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VsnVnfP.exe
PID 1016 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jirIdKM.exe
PID 1016 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jirIdKM.exe
PID 1016 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iFsOJWX.exe
PID 1016 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iFsOJWX.exe
PID 1016 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NmZERlQ.exe
PID 1016 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NmZERlQ.exe
PID 1016 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nMKQChI.exe
PID 1016 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nMKQChI.exe
PID 1016 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SyZmZtA.exe
PID 1016 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SyZmZtA.exe
PID 1016 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cJGBWLN.exe
PID 1016 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cJGBWLN.exe
PID 1016 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gHVxJuA.exe
PID 1016 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gHVxJuA.exe
PID 1016 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EEZVqkx.exe
PID 1016 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EEZVqkx.exe
PID 1016 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jlaTiXV.exe
PID 1016 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jlaTiXV.exe
PID 1016 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uSEBNhO.exe
PID 1016 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uSEBNhO.exe
PID 1016 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RjMutyh.exe
PID 1016 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RjMutyh.exe
PID 1016 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UXRZlVz.exe
PID 1016 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UXRZlVz.exe
PID 1016 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AtwvJvR.exe
PID 1016 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AtwvJvR.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\WGAxUNc.exe

C:\Windows\System\WGAxUNc.exe

C:\Windows\System\TTkmDRj.exe

C:\Windows\System\TTkmDRj.exe

C:\Windows\System\KMPPZrN.exe

C:\Windows\System\KMPPZrN.exe

C:\Windows\System\GMYHtgi.exe

C:\Windows\System\GMYHtgi.exe

C:\Windows\System\INlGxhx.exe

C:\Windows\System\INlGxhx.exe

C:\Windows\System\gmaDEBa.exe

C:\Windows\System\gmaDEBa.exe

C:\Windows\System\IuFgFuP.exe

C:\Windows\System\IuFgFuP.exe

C:\Windows\System\VsnVnfP.exe

C:\Windows\System\VsnVnfP.exe

C:\Windows\System\jirIdKM.exe

C:\Windows\System\jirIdKM.exe

C:\Windows\System\iFsOJWX.exe

C:\Windows\System\iFsOJWX.exe

C:\Windows\System\NmZERlQ.exe

C:\Windows\System\NmZERlQ.exe

C:\Windows\System\nMKQChI.exe

C:\Windows\System\nMKQChI.exe

C:\Windows\System\SyZmZtA.exe

C:\Windows\System\SyZmZtA.exe

C:\Windows\System\cJGBWLN.exe

C:\Windows\System\cJGBWLN.exe

C:\Windows\System\gHVxJuA.exe

C:\Windows\System\gHVxJuA.exe

C:\Windows\System\EEZVqkx.exe

C:\Windows\System\EEZVqkx.exe

C:\Windows\System\jlaTiXV.exe

C:\Windows\System\jlaTiXV.exe

C:\Windows\System\uSEBNhO.exe

C:\Windows\System\uSEBNhO.exe

C:\Windows\System\RjMutyh.exe

C:\Windows\System\RjMutyh.exe

C:\Windows\System\UXRZlVz.exe

C:\Windows\System\UXRZlVz.exe

C:\Windows\System\AtwvJvR.exe

C:\Windows\System\AtwvJvR.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 52.111.227.11:443 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 udp

Files
