Malware Analysis Report

2024-10-24 18:11

Sample ID 240629-h122zstapf
Target 2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat
SHA256 389c061e1d670e55b89da6a91913b3fb35033855ec9041e669f9113fbcd8270e
Tags miner upx 0 xmrig cobaltstrike backdoor trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 389c061e1d670e55b89da6a91913b3fb35033855ec9041e669f9113fbcd8270e

Threat Level: Known bad

The file 2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobalt Strike reflective loader

Cobaltstrike family

Cobaltstrike

XMRig Miner payload

Xmrig family

xmrig

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-29 07:13

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-29 07:13
Reported 2024-06-29 07:15
Platform win7-20240611-en
Max time kernel 128s
Max time network 141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (59 identical rows)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A (21 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (56 identical rows)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\VJKjbAb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wkGBNiM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tAcnUUt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aZqrWwy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TdQoVrl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iOLqonB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XPAhrUW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GaavpUg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FuWExOo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IJvZrBP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eQpczlG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IBLfnjW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\piJwKZN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HimXdlq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\spYgSHa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ImyFhbd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HbusmiI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bvOZzLC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XthwAEd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EMZWvnz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EbAsenw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2420 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eQpczlG.exe
PID 2420 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eQpczlG.exe
PID 2420 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eQpczlG.exe
PID 2420 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tAcnUUt.exe
PID 2420 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tAcnUUt.exe
PID 2420 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tAcnUUt.exe
PID 2420 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XthwAEd.exe
PID 2420 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XthwAEd.exe
PID 2420 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XthwAEd.exe
PID 2420 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aZqrWwy.exe
PID 2420 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aZqrWwy.exe
PID 2420 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aZqrWwy.exe
PID 2420 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\spYgSHa.exe
PID 2420 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\spYgSHa.exe
PID 2420 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\spYgSHa.exe
PID 2420 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TdQoVrl.exe
PID 2420 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TdQoVrl.exe
PID 2420 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TdQoVrl.exe
PID 2420 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iOLqonB.exe
PID 2420 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iOLqonB.exe
PID 2420 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iOLqonB.exe
PID 2420 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EMZWvnz.exe
PID 2420 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EMZWvnz.exe
PID 2420 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EMZWvnz.exe
PID 2420 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IBLfnjW.exe
PID 2420 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IBLfnjW.exe
PID 2420 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IBLfnjW.exe
PID 2420 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EbAsenw.exe
PID 2420 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EbAsenw.exe
PID 2420 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EbAsenw.exe
PID 2420 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\piJwKZN.exe
PID 2420 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\piJwKZN.exe
PID 2420 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\piJwKZN.exe
PID 2420 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VJKjbAb.exe
PID 2420 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VJKjbAb.exe
PID 2420 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VJKjbAb.exe
PID 2420 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HimXdlq.exe
PID 2420 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HimXdlq.exe
PID 2420 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HimXdlq.exe
PID 2420 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ImyFhbd.exe
PID 2420 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ImyFhbd.exe
PID 2420 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ImyFhbd.exe
PID 2420 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HbusmiI.exe
PID 2420 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HbusmiI.exe
PID 2420 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HbusmiI.exe
PID 2420 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XPAhrUW.exe
PID 2420 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XPAhrUW.exe
PID 2420 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XPAhrUW.exe
PID 2420 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GaavpUg.exe
PID 2420 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GaavpUg.exe
PID 2420 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GaavpUg.exe
PID 2420 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FuWExOo.exe
PID 2420 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FuWExOo.exe
PID 2420 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FuWExOo.exe
PID 2420 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bvOZzLC.exe
PID 2420 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bvOZzLC.exe
PID 2420 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bvOZzLC.exe
PID 2420 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wkGBNiM.exe
PID 2420 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wkGBNiM.exe
PID 2420 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wkGBNiM.exe
PID 2420 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IJvZrBP.exe
PID 2420 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IJvZrBP.exe
PID 2420 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IJvZrBP.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\eQpczlG.exe

C:\Windows\System\eQpczlG.exe

C:\Windows\System\tAcnUUt.exe

C:\Windows\System\tAcnUUt.exe

C:\Windows\System\XthwAEd.exe

C:\Windows\System\XthwAEd.exe

C:\Windows\System\aZqrWwy.exe

C:\Windows\System\aZqrWwy.exe

C:\Windows\System\spYgSHa.exe

C:\Windows\System\spYgSHa.exe

C:\Windows\System\TdQoVrl.exe

C:\Windows\System\TdQoVrl.exe

C:\Windows\System\iOLqonB.exe

C:\Windows\System\iOLqonB.exe

C:\Windows\System\EMZWvnz.exe

C:\Windows\System\EMZWvnz.exe

C:\Windows\System\IBLfnjW.exe

C:\Windows\System\IBLfnjW.exe

C:\Windows\System\EbAsenw.exe

C:\Windows\System\EbAsenw.exe

C:\Windows\System\piJwKZN.exe

C:\Windows\System\piJwKZN.exe

C:\Windows\System\VJKjbAb.exe

C:\Windows\System\VJKjbAb.exe

C:\Windows\System\HimXdlq.exe

C:\Windows\System\HimXdlq.exe

C:\Windows\System\ImyFhbd.exe

C:\Windows\System\ImyFhbd.exe

C:\Windows\System\HbusmiI.exe

C:\Windows\System\HbusmiI.exe

C:\Windows\System\XPAhrUW.exe

C:\Windows\System\XPAhrUW.exe

C:\Windows\System\GaavpUg.exe

C:\Windows\System\GaavpUg.exe

C:\Windows\System\FuWExOo.exe

C:\Windows\System\FuWExOo.exe

C:\Windows\System\bvOZzLC.exe

C:\Windows\System\bvOZzLC.exe

C:\Windows\System\wkGBNiM.exe

C:\Windows\System\wkGBNiM.exe

C:\Windows\System\IJvZrBP.exe

C:\Windows\System\IJvZrBP.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/2420-0-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/2420-1-0x0000000000480000-0x0000000000490000-memory.dmp

C:\Windows\system\eQpczlG.exe

MD5 86f31c6245a080a3728dd8e67d9f22b5
SHA1 96471eb7b28372cf491cf2100f4c418556b6972e
SHA256 377881030d8e146f2e624d134c70365e466be1d9ae5e48203a4c7854b9eb5f93
SHA512 0158ca8d74260a5bb370e9f5178c0240df6762fdb5ae13d36d60bf3206ec27d12cc992ace11ca04524062a9a9583fe59ccdf49570d96a2b1474e4cc91f659ebc

\Windows\system\tAcnUUt.exe

MD5 ae778629199e89253caa6b54289a2ed1
SHA1 35c835250456bb725e408f9ca27eafb295082e2d
SHA256 72111bd41978d88eed5a13a1a6df8052a30bfbf0c3db544089c22688a028bc67
SHA512 53b12ee9052bac416f1868f88df0a65660ff7d339cdff77b19b07891e40319631b44ed61b0b62cf782fb3069443189a6f5c4961f896d8501fefbf8229069cadd

memory/2580-21-0x000000013FE20000-0x0000000140174000-memory.dmp

memory/2420-22-0x0000000002300000-0x0000000002654000-memory.dmp

C:\Windows\system\XthwAEd.exe

MD5 253de7b43fea3471863556135b3c2140
SHA1 0e61057d859a2ab768b898fb2a314f6bbdecd152
SHA256 2bf10c7e9148d5adebdbf48d9e445cf5f022790ea3d5c590e4b125fd1f3c5506
SHA512 d5229cf7b0b1f300d664f074c9d61afcdbd248824b9b4db0b703ffadfbf57cf8e81a596f45a2976ffad1b4f3c16be64356df0e9f960ab421a8566d8491bc1484

memory/2420-20-0x000000013FE20000-0x0000000140174000-memory.dmp

memory/2756-19-0x000000013F850000-0x000000013FBA4000-memory.dmp

memory/3032-18-0x000000013FC60000-0x000000013FFB4000-memory.dmp

C:\Windows\system\HimXdlq.exe

MD5 e694782acf642cd9434a34c8cc8fe9bb
SHA1 fb87704252863350945943e3f6c04cc788d97619
SHA256 2f2d6e782dfe1170238f329c8077bbe91addf6b5f05f531e3dccab69bbad381f
SHA512 0178ee141909b47a8d289807725e6947b6dffeaa7c08d48cc5a5eaba7d7f0bdbb6b1ca026bd2684a7e6585a6baf6ebf4395538597e1b4a9372c9e38b4152ca23

memory/2420-33-0x0000000002300000-0x0000000002654000-memory.dmp

memory/1716-89-0x000000013FFF0000-0x0000000140344000-memory.dmp

memory/2760-96-0x000000013FB40000-0x000000013FE94000-memory.dmp

C:\Windows\system\HbusmiI.exe

MD5 5c20b70ab2638502f07aa51323ec85b2
SHA1 55234b1e3e00b01e91c1cfbfe6b74a0dde0e0f5d
SHA256 66b3c51dd29f22085151b9309ac7b77d15d93c1e056def2e8dd05705185e5010
SHA512 a40dbbdb396d400b36fb0841a0eb17861aaf97580de3027e76ee3f899c8df69a8114074e1d92ea2443b310ed2214a5455a3e40ae37f75feb3f1f8bc0c3ac8dd0

C:\Windows\system\GaavpUg.exe

MD5 7b230bb0a4498c5c9198af6319bc859e
SHA1 593d30f0b03ac1d2f532f3e0328d00f976133294
SHA256 821964f0f60742ca7a67ba16aa54f335881e813e71558f5774ffea05741aec87
SHA512 7152e0a9e9182da7b3cd7976884adf4f6e619500a03da51794d69452281ae784fe2a36adad3d0260ee6b5ccc02ccb649da5fa27e269f84fa74e8cc051bc53367

C:\Windows\system\IJvZrBP.exe

MD5 8c5fc407e899b282b57de5df42f75171
SHA1 19eb607323fe65d62e1740272403ff572204a6f4
SHA256 ae95500be345c300a557f689d835c01c01f5458e45af586c92e45247e06c20a0
SHA512 3a12b53dd674ac78dc984fe82fc0d168677765870ff090bcf9b4a374b08e19ad8f7b88b3ca76c096052029c8708c97b5a33f9a17970ffee70553eb082c8f2d82

C:\Windows\system\wkGBNiM.exe

MD5 d0f8fb159d5710a5d49b680eee0d6aa3
SHA1 2f02ab56ab5633383b6daadb91916bfdf38e6810
SHA256 211a64cbb3e94c6c91d877bbe3fceb26052d81acfbe590d7222b60bb28dabcfe
SHA512 d315414834e39de17ac4758184ee823ff4244824553cedcf8491359282e9f89fb66c24d2b8a608e6aa0f4831d66b709c32045df07193adbbea4e9702b6722f7e

C:\Windows\system\bvOZzLC.exe

MD5 a8b928cb4e3aea188ff5907ec6dea98c
SHA1 c9e1f228db0a28942e53af56768743897d2d42a0
SHA256 d912136504474717ba589762a4b2916fc6ae1c8091ef6a987c0ee35ae8e293b5
SHA512 f574441556070971d3d40f861987280623aa32fd383d23f61b26b23789fecff5cb27fcac341f29607f71db4024c82816e7b24b0c2697076727a9ff37a6b43056

C:\Windows\system\FuWExOo.exe

MD5 9111114f0d78b261dd13d7d6271e2ff4
SHA1 e975c26a90decc1e4502df095afc8b67f94dbd2c
SHA256 c6cd1fba544f13b48141fec77476119cd4caf50897e36ab1ae3ad16a177b0b67
SHA512 d53ee11e736e8e89fcbd15b4e629b8c9dc2b50fc52b9fc01e2e6097fe34e75817ca9b5034be5d9dcd4a50c754f7cc89a7c0a85e2fef059674f9b25825de9a803

C:\Windows\system\XPAhrUW.exe

MD5 6764ce62cced274984c3e7185eb600be
SHA1 c793384e9e2c3c0404f6d016cd338aa489220d1a
SHA256 085f5bb88cc660774a8443280fff11b4d7f11ec80b2e401459d47edd5c48d6f0
SHA512 07625ffbed57221e3bcc8e89e95ba5ffe091951f268881496e1d1a932e78bf02ee70e3e968f735143b958ccc74a233347a8920e08e5c60cbcde7a51a02ea55e8

memory/2420-105-0x0000000002300000-0x0000000002654000-memory.dmp

memory/2420-104-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

C:\Windows\system\ImyFhbd.exe

MD5 172bb273f37836f3b79af477f95d2875
SHA1 474591bb62872b27a9f9ac9bbd8df871dba92f79
SHA256 7b4539a65f0cfec75219e119cf72fe433049dca5161ae5c4564ad6bde9dcf95b
SHA512 01a4a4e35af6fac3f6d6c999c3a6fe6196b421091f85fb5064dfd96779ff5a096510ab3c0018bb9852b09082b85e09da02684c135478465ba5734673650bbc9b

memory/2420-94-0x000000013FB40000-0x000000013FE94000-memory.dmp

memory/2988-93-0x000000013F620000-0x000000013F974000-memory.dmp

memory/2468-92-0x000000013FEC0000-0x0000000140214000-memory.dmp

memory/2492-91-0x000000013FE90000-0x00000001401E4000-memory.dmp

memory/2652-90-0x000000013FDF0000-0x0000000140144000-memory.dmp

memory/2420-88-0x000000013FFF0000-0x0000000140344000-memory.dmp

memory/2420-69-0x0000000002300000-0x0000000002654000-memory.dmp

memory/2420-68-0x000000013F3D0000-0x000000013F724000-memory.dmp

memory/2420-67-0x0000000002300000-0x0000000002654000-memory.dmp

memory/2596-66-0x000000013FD70000-0x00000001400C4000-memory.dmp

memory/2512-65-0x000000013F3D0000-0x000000013F724000-memory.dmp

memory/2516-64-0x000000013F9C0000-0x000000013FD14000-memory.dmp

memory/2420-63-0x000000013FEC0000-0x0000000140214000-memory.dmp

memory/2504-62-0x000000013F390000-0x000000013F6E4000-memory.dmp

\Windows\system\VJKjbAb.exe

MD5 406facef8f14099e7446306c2cdc51c4
SHA1 453bd5733aedd847cbaccdd7a021c24f0b1180f4
SHA256 d35af7cced3d7f6e73454e5adf93e5edfc0047fed15c95a8ca0d0f959e132f63
SHA512 e5b148066bcf7be5c3ba58531643c7733e8e18a0996b7a40408a97abfaa4919b6848eaa14ae8009fcbea4ed81725462965f20a1926fd7d803f259fee4e3b3953

memory/2420-52-0x000000013FDF0000-0x0000000140144000-memory.dmp

C:\Windows\system\IBLfnjW.exe

MD5 46e98567d316d7b77338fd72fd4ee41d
SHA1 09a58d7b5134f617d88b9d93f2e92c23f308dde6
SHA256 b78b86aafd0c70a0edf99a6f46d027b71ae57079e2a574255ae73deb009506a8
SHA512 6022e5a80eb844657b2cc093332a34329091201fb58071f43821e5fc8396758a9e3734f3b3b6b6dea8f441d94883e7ea129de0d50caa35e3b6d7134fa1b4adca

memory/2504-136-0x000000013F390000-0x000000013F6E4000-memory.dmp

memory/2716-135-0x000000013F6E0000-0x000000013FA34000-memory.dmp

\Windows\system\EbAsenw.exe

MD5 2e72b96836ef4566f6f6b99bc45748ac
SHA1 2b885bfc388005c126d1b80406f1349e96b7a2b9
SHA256 de764f6695b261e9d88dc63aa19953d55c369846165aebe6c273d798497999b0
SHA512 4b043f254f7a09a254b791e63a66ce3e1839ae602c444dae942c78b4f6c6b519baa4a14ff063344b359109d8d7e46cf2522d861d43c7e5d2fbb37365af9eeae4

memory/2716-44-0x000000013F6E0000-0x000000013FA34000-memory.dmp

C:\Windows\system\iOLqonB.exe

MD5 a46d25727b86c1cc2aca188c47605515
SHA1 90ee06081e661da689f005ba883cba318ee55b5f
SHA256 6f9f3efb054e89529cd88cc493422a9c4f10e3d6c0fddfed9993dad61c3b3771
SHA512 a5b76f324e41aeda12954a96d239744f579e44e6943b947a8c3bdb081b865cc227bba30b8a589a21b7a3f08b60cd72a9f5d556edf4742d88488276a208440ba6

\Windows\system\EMZWvnz.exe

MD5 35dc9da2f60f7f331225fdc1f52c606e
SHA1 f225c155b14cade16264675b4196a758a5e4b22e
SHA256 aec70179c3b9a79963f10d515c360c7f49b6f1d22e45f852e5520fc78ebb140d
SHA512 1d1ffa0e8baf209d8fa851b671aae0ff18260d6ff6b6d11d23a4ef3f08a9059f25f850840a0b63c8d7962a8e2aad8e9b2e355cc53e6b3669e1626b5207702d00

C:\Windows\system\aZqrWwy.exe

MD5 7d1fb11a7e27ed573ff074480546780d
SHA1 e198f13f82007e860b7b75b1f9eb002353c77675
SHA256 08a7eb53c609567f2d269a5b5f9a56f05212f4e87dccedb22a1e5a1505d873a0
SHA512 50c685c2687d191483fa407d7821065936a32f9eeb8d8506b2fc417bc7c78446e6cd8c998f1db0aa64f693b45952c3c39d337be0c1578d8c73564e33b129f060

\Windows\system\TdQoVrl.exe

MD5 abc7acb1a671b55bbbafdccb8848954a
SHA1 3a10b6eb53579b6b79878d1adcab1b6431605d3e
SHA256 7499daaba1c09804cf046a9a4e7a5d2b90ce3047ff23663a4b1050630a973341
SHA512 38746f27f00adbdf1001ade35e478931ab7439dd36c9d9e116b9d4e2cdc68c18201e2db369ed3997e08108073b94fed3b063a9efb8a0addac0be78f08b401126

memory/2512-138-0x000000013F3D0000-0x000000013F724000-memory.dmp

memory/2516-137-0x000000013F9C0000-0x000000013FD14000-memory.dmp

memory/2420-58-0x000000013FE90000-0x00000001401E4000-memory.dmp

C:\Windows\system\piJwKZN.exe

MD5 82b2b96ec0108adc30a707b91a2e9568
SHA1 73038fd7dc189c56cc738c20249b29a3041b5a44
SHA256 84fd744187aac7e8c7082592109fa1ffed80941e6b14925501f504c4ba9911d9
SHA512 19102757ba6d9cacb09d7635fefa64aef44910bf9443498db87eff669048d122f2c9b45596cb3440313b2d82edc6b6073f1fc0ca6d51d1d387ba01bc68634e6c

memory/2420-56-0x000000013F390000-0x000000013F6E4000-memory.dmp

C:\Windows\system\spYgSHa.exe

MD5 02bc66bc9662afaf687cf880dd002ce1
SHA1 731565b76e70f65d3c7c549a3d98782d55ac0907
SHA256 c37491f88f4807b4eec3e643298799282a3390a7fe2c6e61d6247ddd66204175
SHA512 24fcbfd4b3fe7ee796c48bdfda6f2126c4379224778057cc2881b4044f212a40e17556875ee51dc43df95dd9fb46bc1cebf061ea1ec72e42c9d2edb0c13dbb64

memory/2420-29-0x000000013FD70000-0x00000001400C4000-memory.dmp

memory/2760-140-0x000000013FB40000-0x000000013FE94000-memory.dmp

memory/2420-141-0x0000000002300000-0x0000000002654000-memory.dmp

memory/3032-142-0x000000013FC60000-0x000000013FFB4000-memory.dmp

memory/2756-143-0x000000013F850000-0x000000013FBA4000-memory.dmp

memory/2580-144-0x000000013FE20000-0x0000000140174000-memory.dmp

memory/2716-145-0x000000013F6E0000-0x000000013FA34000-memory.dmp

memory/2504-146-0x000000013F390000-0x000000013F6E4000-memory.dmp

memory/2512-148-0x000000013F3D0000-0x000000013F724000-memory.dmp

memory/2516-147-0x000000013F9C0000-0x000000013FD14000-memory.dmp

memory/2652-150-0x000000013FDF0000-0x0000000140144000-memory.dmp

memory/1716-149-0x000000013FFF0000-0x0000000140344000-memory.dmp

memory/2468-151-0x000000013FEC0000-0x0000000140214000-memory.dmp

memory/2492-152-0x000000013FE90000-0x00000001401E4000-memory.dmp

memory/2760-153-0x000000013FB40000-0x000000013FE94000-memory.dmp

memory/2988-154-0x000000013F620000-0x000000013F974000-memory.dmp

memory/2596-155-0x000000013FD70000-0x00000001400C4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-29 07:13

Reported

2024-06-29 07:15

Platform

win10v2004-20240508-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\SRjWhlT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SqvWtbA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ETfZVCY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YRZbLfq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DbnvNRs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JXZEoNx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xoVzKSM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YvsROsV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EapfQBP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FJWeSjW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Eoctara.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aPqtcpC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MnmqbAc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OCHNtkN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PAReEQr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wLxGkrX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VRTKHrC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uRGzhaK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZZOVpVV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KBVwYYV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tOgnjfZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1804 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YvsROsV.exe
PID 1804 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YvsROsV.exe
PID 1804 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EapfQBP.exe
PID 1804 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EapfQBP.exe
PID 1804 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FJWeSjW.exe
PID 1804 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FJWeSjW.exe
PID 1804 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SRjWhlT.exe
PID 1804 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SRjWhlT.exe
PID 1804 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MnmqbAc.exe
PID 1804 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MnmqbAc.exe
PID 1804 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OCHNtkN.exe
PID 1804 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OCHNtkN.exe
PID 1804 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PAReEQr.exe
PID 1804 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PAReEQr.exe
PID 1804 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SqvWtbA.exe
PID 1804 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SqvWtbA.exe
PID 1804 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Eoctara.exe
PID 1804 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Eoctara.exe
PID 1804 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YRZbLfq.exe
PID 1804 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YRZbLfq.exe
PID 1804 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wLxGkrX.exe
PID 1804 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wLxGkrX.exe
PID 1804 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VRTKHrC.exe
PID 1804 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VRTKHrC.exe
PID 1804 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uRGzhaK.exe
PID 1804 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uRGzhaK.exe
PID 1804 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DbnvNRs.exe
PID 1804 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DbnvNRs.exe
PID 1804 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JXZEoNx.exe
PID 1804 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JXZEoNx.exe
PID 1804 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ETfZVCY.exe
PID 1804 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ETfZVCY.exe
PID 1804 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZZOVpVV.exe
PID 1804 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZZOVpVV.exe
PID 1804 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KBVwYYV.exe
PID 1804 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KBVwYYV.exe
PID 1804 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xoVzKSM.exe
PID 1804 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xoVzKSM.exe
PID 1804 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aPqtcpC.exe
PID 1804 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aPqtcpC.exe
PID 1804 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tOgnjfZ.exe
PID 1804 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tOgnjfZ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\YvsROsV.exe

C:\Windows\System\YvsROsV.exe

C:\Windows\System\EapfQBP.exe

C:\Windows\System\EapfQBP.exe

C:\Windows\System\FJWeSjW.exe

C:\Windows\System\FJWeSjW.exe

C:\Windows\System\SRjWhlT.exe

C:\Windows\System\SRjWhlT.exe

C:\Windows\System\MnmqbAc.exe

C:\Windows\System\MnmqbAc.exe

C:\Windows\System\OCHNtkN.exe

C:\Windows\System\OCHNtkN.exe

C:\Windows\System\PAReEQr.exe

C:\Windows\System\PAReEQr.exe

C:\Windows\System\SqvWtbA.exe

C:\Windows\System\SqvWtbA.exe

C:\Windows\System\Eoctara.exe

C:\Windows\System\Eoctara.exe

C:\Windows\System\YRZbLfq.exe

C:\Windows\System\YRZbLfq.exe

C:\Windows\System\wLxGkrX.exe

C:\Windows\System\wLxGkrX.exe

C:\Windows\System\VRTKHrC.exe

C:\Windows\System\VRTKHrC.exe

C:\Windows\System\uRGzhaK.exe

C:\Windows\System\uRGzhaK.exe

C:\Windows\System\DbnvNRs.exe

C:\Windows\System\DbnvNRs.exe

C:\Windows\System\JXZEoNx.exe

C:\Windows\System\JXZEoNx.exe

C:\Windows\System\ETfZVCY.exe

C:\Windows\System\ETfZVCY.exe

C:\Windows\System\ZZOVpVV.exe

C:\Windows\System\ZZOVpVV.exe

C:\Windows\System\KBVwYYV.exe

C:\Windows\System\KBVwYYV.exe

C:\Windows\System\xoVzKSM.exe

C:\Windows\System\xoVzKSM.exe

C:\Windows\System\aPqtcpC.exe

C:\Windows\System\aPqtcpC.exe

C:\Windows\System\tOgnjfZ.exe

C:\Windows\System\tOgnjfZ.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1804-0-0x00007FF7CEE20000-0x00007FF7CF174000-memory.dmp

memory/1804-1-0x000001EE71640000-0x000001EE71650000-memory.dmp

C:\Windows\System\YvsROsV.exe

MD5 9a67570d4605f94d18783a145b1289c1
SHA1 eb5ab4db74cf64828ff2e81f332af7d7654b0d47
SHA256 b142dd84d9e0adf0d44c23a6efa9a5142e75779e175ff097c611fed40e3fea24
SHA512 a12f23ddb929299da3e5cb54ac25aa11375d70a77eee7ce88b362019e082207213384ccea1351712336e6ebba3b7a66b2a8bb567ca707042edaf19128bc1d8b2

memory/3392-10-0x00007FF6AD760000-0x00007FF6ADAB4000-memory.dmp

C:\Windows\System\FJWeSjW.exe

MD5 8d4c49a4998d290817879ed727925ce2
SHA1 cec053524033be00d9e6751bf4d3d5b0a0b36fed
SHA256 7586be07b75f0f4fa1832df623e52312b3f00b4d8f2eadeecc47a206cb24ceac
SHA512 e80f0c21cdaae57dd8cdfed6f29394658848853d09bebe72b6cc8c9d1c382bdda864913accac419b62a16daf25113c72675336dddda42148d8fd90586b7dde75

C:\Windows\System\EapfQBP.exe

MD5 41e1ac32c00d022c548688cb36b93be9
SHA1 a84c3ffcd80d651d326e7c7d03753d2ba9958ad8
SHA256 10aa076fe09a922a27d8f91868a22f01b426f13ce99370581551424b8dd62b42
SHA512 ffd4470f7b7493948f4c382e7f2db47c5e5f6a1d2b38cfeafb112d4a8655fa13f95017e6ee59f3dcbaefaf6cc10c0d71a5d13d41bca6dac78c297e55f75346e8

C:\Windows\System\MnmqbAc.exe

MD5 40f0527191182ae9dbdb38149c7863bc
SHA1 0d4c2bdecb9770183fb80316c82d0e634de7d6c5
SHA256 720246ca3b7595fde0f4f81b0af67b96ce4a4f7c1eb0ec5dcc1c68cac7f990b4
SHA512 62e90c41f58e4a1f165937276fda5f4e0d90e5150b152dec788b3986e141abdb33986a346d7a0b02ebf1af546da11909d24952127d7a0defb1ffd0559b1430bb

C:\Windows\System\SRjWhlT.exe

MD5 84b419a45f406b3a365c8a3b1918d1df
SHA1 5d7ba50012b315f318042c8b5ee872119e70e488
SHA256 74ec317a3f7a91b2c12b224c92dc9a4b3570b46ec48ae7fa1273aae23b84ae81
SHA512 ea7cda772897bf9b7101fcf4370be2cda55776cc872b2c44c07fd4682fb624ecdfcb013d977d4e9be1301966ff58b1d1658024b27db9dde77657be0fec8a620b

memory/3540-24-0x00007FF7B62B0000-0x00007FF7B6604000-memory.dmp

memory/4508-23-0x00007FF682D60000-0x00007FF6830B4000-memory.dmp

memory/2824-14-0x00007FF6A33E0000-0x00007FF6A3734000-memory.dmp

C:\Windows\System\OCHNtkN.exe

MD5 63d6ded8b477aa427a95c1cce27b96b2
SHA1 d67078663c7dfbff584de502cc7620101b418503
SHA256 17c5478fa16747c17aae4815c448e8aa91e6c0c274cc8ad924a20833e309d567
SHA512 627883fb8f6b72fbeb4f6ba6c8ee8d7dcfd77996370dc250cf60b18c7aee996ed43c9bf8bc7f5bb6b9700718649ea5a84cfa3524529fc52fd15e1c6d5ed58f56

memory/1492-35-0x00007FF70D8A0000-0x00007FF70DBF4000-memory.dmp

memory/4432-36-0x00007FF68CCF0000-0x00007FF68D044000-memory.dmp

C:\Windows\System\PAReEQr.exe

MD5 71569d3463a630406e74144381b9d010
SHA1 e15a64c6cf2e2637d309bd9dfc9f7d410f24d266
SHA256 adbca39c20d394e95167a2ef0b33a0f6c33660d67bb97f895d81ebcfa22efef0
SHA512 4c57e6900c841215a33796ca227144a79cbda79f252e0d63505824a1f945db119a0a9c3e424c2aa2d13b052d11d75f34876e126383d18a004b9a4af1c4b00606

memory/348-44-0x00007FF698F10000-0x00007FF699264000-memory.dmp

memory/4956-48-0x00007FF7D1BF0000-0x00007FF7D1F44000-memory.dmp

C:\Windows\System\SqvWtbA.exe

MD5 f3ff0ed4f1959e90d87fa7604eed531c
SHA1 016948642d8ac207d1925b693167b90e140f1539
SHA256 80fa60efbd261650c9de15dfeb70fc4b7b4141d41b4b839610e77ed66002ae2f
SHA512 db123275b132789c2f1036fc152fc171e5eebf8460a9f110e4dcde647109979dfbc6d464a01af2eaf608969f625dbda1f3f089dcde6fe323a6405a209807ba3e

C:\Windows\System\Eoctara.exe

MD5 6233eefa6a40ba893c3a5c355e75e2e2
SHA1 c9beaab6e37a511053366c29a83691add4a21d1f
SHA256 47f2789f40797ed321341d7a5bd5214a4838c8e0bbbe1a80121b9fb559c932ed
SHA512 bae07d44f0229e40bc74f9bfa9b58be3625b6a637fdf7286ab945bdf1e5b0e49c7fba1e155e2f49b0fe1cf13d11add576637b0e24af4a23a7a8775bce7992d8c

memory/4636-56-0x00007FF7692F0000-0x00007FF769644000-memory.dmp

C:\Windows\System\YRZbLfq.exe

MD5 e88a43050ba615e5fbc0b7a0ec27b805
SHA1 38789cd6333474a11652d676c11d85ad92a6376c
SHA256 1c5269d85decd736abdd9a22bff2e3fc7733244dc49bc22ffae4d070e49376ea
SHA512 f60bae003928ff4557d6d0022ffe3f16ed069e5a55ed0f7c67c665f164ef25c5d25223da0ceb2d5d6edfb5759868a809398692c0c479630bf85eec7a05581683

memory/1804-61-0x00007FF7CEE20000-0x00007FF7CF174000-memory.dmp

memory/4264-63-0x00007FF7AE010000-0x00007FF7AE364000-memory.dmp

C:\Windows\System\wLxGkrX.exe

MD5 82cf2f8614792ac6641ffde841d9b147
SHA1 7042c4a0b9af761dbec0abe3914da3583bb76b27
SHA256 73455b8a84bb4591eff7a12ddee23c45ee3f5b904d9b7870a93e5adf61bec5f7
SHA512 99bdbb9a8a64e9d7b8c811e23ca0c241b3aab49ce47e92e6e86d1b7593c7a0273e72b26f38789a848d349b78d04cb8e4b25f9df8882a7e28bdccda8258c2db66

C:\Windows\System\VRTKHrC.exe

MD5 e92fd2d9e1839036543faea3b5e45c4f
SHA1 bbde7fca2ea94242823936c0fe5c362d69f3a400
SHA256 e0346180876325055fa92e5b05776f8fd30fc52db34485fa9b2db3491d8624b4
SHA512 a8f4250dd78f709b90e648c171e5cc16a9c51769ad0f57f5e78e7c18b25cfbe878d140e71c72d52c9da3dd75932f8d614f1339313cfed402dce93e6b90451291

memory/3392-70-0x00007FF6AD760000-0x00007FF6ADAB4000-memory.dmp

memory/996-77-0x00007FF77ED20000-0x00007FF77F074000-memory.dmp

C:\Windows\System\DbnvNRs.exe

MD5 3cba8851ef1e0c576d22e97a75e7545d
SHA1 9cf10e35c04f29642002ea832c8214e7fdc39ddc
SHA256 36a693c910f66d9f693d1a9877c1d3a37d3c1010cce308db0d53f795f4e821bc
SHA512 30f183f14de7793c495ceb78e98c43c4d7ecb09b1243b4eb855e3e5cba3d9205650f79b3a9662a19c52925b6472b50d19a13558be69b27eb9fc381807b92cc7f

C:\Windows\System\JXZEoNx.exe

MD5 e356ef8734972dec9b34ce9d9c842389
SHA1 85240d07b80e71a40adeb681e23ccc1df48bbf4f
SHA256 619cf454b876998a82d8d4ab43c51a45f5da7bcde2cad2c79877fdb55dc7f012
SHA512 855c07fc60cfd0654928cbcdd9d82c2b8f227922fc564b4b71f88f715557118268dac3c392c2ed32fc06bf56a8fbd721f980a28e0e20376029bbcb8183a91619

memory/3764-90-0x00007FF787470000-0x00007FF7877C4000-memory.dmp

memory/860-89-0x00007FF72C300000-0x00007FF72C654000-memory.dmp

memory/4508-86-0x00007FF682D60000-0x00007FF6830B4000-memory.dmp

C:\Windows\System\ETfZVCY.exe

MD5 be0ff8753f51b18085411142cc5c8f7f
SHA1 e5f94eeab69be931e78cb60cfe75eb229d5158b0
SHA256 6bc94c695f27c1d973ce0213ce06804b645fdcd5316b540990dde1ac0c1cf1cf
SHA512 174b09df6e5a6c6c2307546600d7083414063d9b4c8d49ce3a21cf324733aad73337a4969faa137d435ce39685f8519fc2c968bfa007ecbf74c997ef02339dbf

C:\Windows\System\KBVwYYV.exe

MD5 c1d61b12e7bf24598369865f9b9560b0
SHA1 8d324c8a0a700bf2c860104cd62e023ef2b3e473
SHA256 d1eaad72a2bb3c9be3b208cf0d78b99baabfcfadd65c7efd55c08e350f85e937
SHA512 596e22b2e99ecccca7104ff7c7611fa69c0b2fa7f3a32e61e31bb9dfd8853fc3fd33f833db53e890d4b5a09e2e2a852c21620cbd43a40d204c76da48812d103a

C:\Windows\System\aPqtcpC.exe

MD5 66aff8fe3291a4bd604eb0704a44af9e
SHA1 aa79d692dbad3fee17b56f893b4f03b2667909d2
SHA256 6f64083d4627eeabed28521401659c27fd5ab73c09c7d6397bb6151a6d86d92c
SHA512 0030ec4af65252d52a912eefe4f825a141b8a9cf45cfc1ee1d2bccd32157e2aee32186715215b3332475c04f94b563673a77f0ae9c0e4e3abbc81436f970116d

C:\Windows\System\tOgnjfZ.exe

MD5 a60d7868cf4a46e547892a49334b2f21
SHA1 27f528480f3f2a26ff8b496c57df26b3a147a95c
SHA256 f454ad8bcf7797084e4860221e7687a28131597ba3a810ab0ec002a8986cab00
SHA512 26b0650de512160db41e5ec105987b521d9745bbbb0c03c761591115470c05c2ca1efc2e8cf44192f81110d3e2c40d039aaabe0dc09385960623ed470da2505b

C:\Windows\System\xoVzKSM.exe

MD5 3c15df2c3bed91834825bb594eb03abc
SHA1 05ebfcb9e62daa504d0caa8de7eada304bbe8361
SHA256 b9ef1a8c0c0db5ec97d8949a3cd23d6306ca7d7d074550c700de2679c39d8896
SHA512 83017c0f95f2dd20dfc65d902c0aee817874a751a9be1851dc1aa5d45ed5a2003cdc3c6691134ef1f5d6fb4b42a76a5798af181bb50087820a69d6b480b1962e

C:\Windows\System\ZZOVpVV.exe

MD5 e0f659fa11e66941fad0cf3351e30eca
SHA1 e4916bd9c41d4e23bbf04880f40d0a078892df94
SHA256 6373b88fa2bd934b793e035b2523fd44dc13848685eee592596e2db93d385d38
SHA512 f7e5722122a7379f53a0c6faa994bebbd710b19c1cea85615a193693d2af97c90c4b2b010de7c694f2777789e3daf2bb5366783c15a9df4e44d87036d74602ea

memory/3192-84-0x00007FF7A83A0000-0x00007FF7A86F4000-memory.dmp

memory/2824-83-0x00007FF6A33E0000-0x00007FF6A3734000-memory.dmp

C:\Windows\System\uRGzhaK.exe

MD5 ff99fecb45880f011c6529053959c8fc
SHA1 48ccd8c836ab7c71d7e6d4489d42f6a7ba3a5e88
SHA256 96f054597066f60fefe0a36a9fefa39904e54f034a2bf82a2e0326ff7c14276b
SHA512 81a7ffc9bfeec8a6b6224bb82001df180308c2cee328d7b8eb6b99d639f087f04d5f7c9660edfdd0c016f65c06e900a09184069faa99229e84635e4341fcfa6b

memory/3540-125-0x00007FF7B62B0000-0x00007FF7B6604000-memory.dmp

memory/4844-126-0x00007FF7B3F30000-0x00007FF7B4284000-memory.dmp

memory/3912-127-0x00007FF7FF9A0000-0x00007FF7FFCF4000-memory.dmp

memory/832-128-0x00007FF731D30000-0x00007FF732084000-memory.dmp

memory/4656-129-0x00007FF637750000-0x00007FF637AA4000-memory.dmp

memory/4532-131-0x00007FF7F4A10000-0x00007FF7F4D64000-memory.dmp

memory/1464-130-0x00007FF748220000-0x00007FF748574000-memory.dmp

memory/3476-132-0x00007FF6CCB00000-0x00007FF6CCE54000-memory.dmp

memory/4432-133-0x00007FF68CCF0000-0x00007FF68D044000-memory.dmp

memory/4956-134-0x00007FF7D1BF0000-0x00007FF7D1F44000-memory.dmp

memory/4636-135-0x00007FF7692F0000-0x00007FF769644000-memory.dmp

memory/3392-136-0x00007FF6AD760000-0x00007FF6ADAB4000-memory.dmp

memory/2824-137-0x00007FF6A33E0000-0x00007FF6A3734000-memory.dmp

memory/4508-138-0x00007FF682D60000-0x00007FF6830B4000-memory.dmp

memory/3540-140-0x00007FF7B62B0000-0x00007FF7B6604000-memory.dmp

memory/1492-139-0x00007FF70D8A0000-0x00007FF70DBF4000-memory.dmp

memory/4432-141-0x00007FF68CCF0000-0x00007FF68D044000-memory.dmp

memory/348-142-0x00007FF698F10000-0x00007FF699264000-memory.dmp

memory/4956-143-0x00007FF7D1BF0000-0x00007FF7D1F44000-memory.dmp

memory/4636-144-0x00007FF7692F0000-0x00007FF769644000-memory.dmp

memory/4264-145-0x00007FF7AE010000-0x00007FF7AE364000-memory.dmp

memory/996-146-0x00007FF77ED20000-0x00007FF77F074000-memory.dmp

memory/3192-147-0x00007FF7A83A0000-0x00007FF7A86F4000-memory.dmp

memory/860-148-0x00007FF72C300000-0x00007FF72C654000-memory.dmp

memory/3764-149-0x00007FF787470000-0x00007FF7877C4000-memory.dmp

memory/3476-150-0x00007FF6CCB00000-0x00007FF6CCE54000-memory.dmp

memory/4844-151-0x00007FF7B3F30000-0x00007FF7B4284000-memory.dmp

memory/3912-152-0x00007FF7FF9A0000-0x00007FF7FFCF4000-memory.dmp

memory/832-153-0x00007FF731D30000-0x00007FF732084000-memory.dmp

memory/1464-154-0x00007FF748220000-0x00007FF748574000-memory.dmp

memory/4656-155-0x00007FF637750000-0x00007FF637AA4000-memory.dmp

memory/4532-156-0x00007FF7F4A10000-0x00007FF7F4D64000-memory.dmp