Malware Analysis Report

2024-10-24 18:11

Sample ID 240629-hjdcassgkd
Target 2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat
SHA256 8311e443f96e95e8a9c1735b352706688e7cf1f34dcfa8e3d7825d5c7db8727d
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

8311e443f96e95e8a9c1735b352706688e7cf1f34dcfa8e3d7825d5c7db8727d

Threat Level: Known bad

The file 2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

xmrig

Cobaltstrike family

Xmrig family

Cobaltstrike

XMRig Miner payload

Cobalt Strike reflective loader

XMRig Miner payload

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-29 06:45

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-29 06:45

Reported

2024-06-29 06:48

Platform

win7-20240419-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 identical rows with no recorded details)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(60 identical rows with no recorded details)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
(21 identical rows; only the loading process is recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(57 identical rows with no recorded details)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\WkZvXCZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PlUkWHF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pTHtDEr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EHLiXuy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IPiaTdT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mtRLIhc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LDJsWId.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LWjeDdz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VnZRkuE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YvqCuyG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XGWLmgU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AibkyIm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kpNAhsL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nFgKLKM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NDpMeVp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YZAkkum.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KoiGxHp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KnElQBR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZGYxfNf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JDLDquF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EuuFVry.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2944 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IPiaTdT.exe
PID 2944 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IPiaTdT.exe
PID 2944 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IPiaTdT.exe
PID 2944 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KoiGxHp.exe
PID 2944 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KoiGxHp.exe
PID 2944 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KoiGxHp.exe
PID 2944 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JDLDquF.exe
PID 2944 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JDLDquF.exe
PID 2944 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JDLDquF.exe
PID 2944 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AibkyIm.exe
PID 2944 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AibkyIm.exe
PID 2944 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AibkyIm.exe
PID 2944 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KnElQBR.exe
PID 2944 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KnElQBR.exe
PID 2944 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KnElQBR.exe
PID 2944 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kpNAhsL.exe
PID 2944 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kpNAhsL.exe
PID 2944 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kpNAhsL.exe
PID 2944 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mtRLIhc.exe
PID 2944 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mtRLIhc.exe
PID 2944 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mtRLIhc.exe
PID 2944 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nFgKLKM.exe
PID 2944 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nFgKLKM.exe
PID 2944 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nFgKLKM.exe
PID 2944 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WkZvXCZ.exe
PID 2944 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WkZvXCZ.exe
PID 2944 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WkZvXCZ.exe
PID 2944 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PlUkWHF.exe
PID 2944 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PlUkWHF.exe
PID 2944 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PlUkWHF.exe
PID 2944 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NDpMeVp.exe
PID 2944 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NDpMeVp.exe
PID 2944 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NDpMeVp.exe
PID 2944 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EuuFVry.exe
PID 2944 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EuuFVry.exe
PID 2944 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EuuFVry.exe
PID 2944 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LDJsWId.exe
PID 2944 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LDJsWId.exe
PID 2944 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LDJsWId.exe
PID 2944 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LWjeDdz.exe
PID 2944 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LWjeDdz.exe
PID 2944 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LWjeDdz.exe
PID 2944 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VnZRkuE.exe
PID 2944 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VnZRkuE.exe
PID 2944 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VnZRkuE.exe
PID 2944 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pTHtDEr.exe
PID 2944 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pTHtDEr.exe
PID 2944 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pTHtDEr.exe
PID 2944 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YZAkkum.exe
PID 2944 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YZAkkum.exe
PID 2944 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YZAkkum.exe
PID 2944 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YvqCuyG.exe
PID 2944 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YvqCuyG.exe
PID 2944 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YvqCuyG.exe
PID 2944 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EHLiXuy.exe
PID 2944 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EHLiXuy.exe
PID 2944 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EHLiXuy.exe
PID 2944 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XGWLmgU.exe
PID 2944 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XGWLmgU.exe
PID 2944 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XGWLmgU.exe
PID 2944 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZGYxfNf.exe
PID 2944 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZGYxfNf.exe
PID 2944 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZGYxfNf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\IPiaTdT.exe

C:\Windows\System\IPiaTdT.exe

C:\Windows\System\KoiGxHp.exe

C:\Windows\System\KoiGxHp.exe

C:\Windows\System\JDLDquF.exe

C:\Windows\System\JDLDquF.exe

C:\Windows\System\AibkyIm.exe

C:\Windows\System\AibkyIm.exe

C:\Windows\System\KnElQBR.exe

C:\Windows\System\KnElQBR.exe

C:\Windows\System\kpNAhsL.exe

C:\Windows\System\kpNAhsL.exe

C:\Windows\System\mtRLIhc.exe

C:\Windows\System\mtRLIhc.exe

C:\Windows\System\nFgKLKM.exe

C:\Windows\System\nFgKLKM.exe

C:\Windows\System\WkZvXCZ.exe

C:\Windows\System\WkZvXCZ.exe

C:\Windows\System\PlUkWHF.exe

C:\Windows\System\PlUkWHF.exe

C:\Windows\System\NDpMeVp.exe

C:\Windows\System\NDpMeVp.exe

C:\Windows\System\EuuFVry.exe

C:\Windows\System\EuuFVry.exe

C:\Windows\System\LDJsWId.exe

C:\Windows\System\LDJsWId.exe

C:\Windows\System\LWjeDdz.exe

C:\Windows\System\LWjeDdz.exe

C:\Windows\System\VnZRkuE.exe

C:\Windows\System\VnZRkuE.exe

C:\Windows\System\pTHtDEr.exe

C:\Windows\System\pTHtDEr.exe

C:\Windows\System\YZAkkum.exe

C:\Windows\System\YZAkkum.exe

C:\Windows\System\YvqCuyG.exe

C:\Windows\System\YvqCuyG.exe

C:\Windows\System\EHLiXuy.exe

C:\Windows\System\EHLiXuy.exe

C:\Windows\System\XGWLmgU.exe

C:\Windows\System\XGWLmgU.exe

C:\Windows\System\ZGYxfNf.exe

C:\Windows\System\ZGYxfNf.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp
(6 identical connections)

Files

memory/2944-0-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2944-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\IPiaTdT.exe

MD5 5bf7550d674eab4e17396cfce7c2e136
SHA1 588e887bad3e231153a2c10624e042b4a30785eb
SHA256 327bb8327ce36cad82272e9780a5c443285a6c0db821b46c395d22750e914e07
SHA512 8a85d0c1a7b82358f8963e17e49650c1ef22563e8a2ef0869e41d5521338b4f5b8fc6daf61529a5edcd8cbbced192548ed655f9565bb627ef5c24160073ba6ae

memory/2944-6-0x000000013FD80000-0x00000001400D4000-memory.dmp

memory/2416-9-0x000000013FD80000-0x00000001400D4000-memory.dmp

C:\Windows\system\KoiGxHp.exe

MD5 8a3db8d9c9841d7f46f72e32c4854a8c
SHA1 ab75dd6ef13e762f60bb3280dee3966766795ead
SHA256 b19aca7a208f78d5d7fb41df8bcc6fb2880c8054bebf6d3be66e9c80a5f6cc86
SHA512 e09fd7ee4e24a5e363a3ef5a2c74ed5323d662ff6fde172600fcf2bb73a6fdaa83b5df0ed72d085e0cb84cd9157c23cba918df98e34b224c129fb553f60d8fab

memory/2944-14-0x000000013FFD0000-0x0000000140324000-memory.dmp

memory/2892-15-0x000000013FFD0000-0x0000000140324000-memory.dmp

C:\Windows\system\JDLDquF.exe

MD5 9e9ce53df2798b69354a7c5536599d3d
SHA1 a90614843895a0d9b562e7e0ed4503dfed2cde12
SHA256 e25666022bb77059e8f6b24c9b7421dc6ef1251f6ef3fcf51772d990a6076068
SHA512 165e3ace5f1cd0317b497da35c6104d33400f20ad91ff083803d9fb1b09f1e2c2ac37b07e178fc15d89397beb141a31f336ce1e433c370facdb79a9abe46a546

memory/2696-22-0x000000013F280000-0x000000013F5D4000-memory.dmp

\Windows\system\AibkyIm.exe

MD5 4d11f5ec1dc3e5b0218571b56e43e968
SHA1 4dabad53127790b58a0a497665d0dba877c0f739
SHA256 d7605906ae2c5f1d52b2d6b838128ccac61ffc48208f9868bc199fc7c3640856
SHA512 485aa8d73dd4e44a2ef0f4a38855e3bff64f912f392696b2f3b3df1e7d0c1d52a45dfd7d91a7b1df599c97a6594d0513336cfbe5368abdebbe7b86f38b0e01d5

memory/2916-29-0x000000013F500000-0x000000013F854000-memory.dmp

memory/2944-27-0x0000000002370000-0x00000000026C4000-memory.dmp

\Windows\system\KnElQBR.exe

MD5 b9f4aca0988610cc1eb78a844106af28
SHA1 d49bb143ca5a34fea7b4855342bfe62fc4431d44
SHA256 59e3c9541b00cc2f6fe35a6745a09a4c8549643129513435e029b1498ed4c1cb
SHA512 159050c801e5bd9534f7cdaf0925f8bcb520e0998d379e634ba2d8529d357b8691f331dd01728f0c64232a314da5b2dac031aa465209d7e1b8bcc02db41b0ab5

\Windows\system\kpNAhsL.exe

MD5 6272febeb13e1c3e1b4648a6e7946643
SHA1 b9f33e7bb4af8846bdf62deb068c7b529d530da3
SHA256 bf8f459d6e132ea7e019bff7d784f244364d43d82d6e360b98c6d4d5b9ebc8cc
SHA512 3cc4ca8d20e24b3a29bda953bde8bb9f8f464f0b0ab67f37652b8c90fa6fcb93408a14ea79b68e9fe0a706c6f2e76de90d0e5ea3fee5b743f9216f633aa1c5b1

memory/2944-48-0x000000013FB60000-0x000000013FEB4000-memory.dmp

memory/2944-52-0x0000000002370000-0x00000000026C4000-memory.dmp

memory/2944-41-0x000000013FA20000-0x000000013FD74000-memory.dmp

memory/2540-56-0x000000013F110000-0x000000013F464000-memory.dmp

\Windows\system\mtRLIhc.exe

MD5 b16c918a253da40eda9793b31c58d8b2
SHA1 e7e776a9b325af75065ab1dc2f360c12292d645e
SHA256 77140501003351280d658d88a6ddcc06ef3a188dd4c47426c534c5a9eafff926
SHA512 8d3792fc09464c3fb24b944fdd71766fb04c44e3a86eeb3fabaeb2122eb3754dae56a3daecb7ef4502f43c698f7554b6fa0fe1f24503f894e92743705b38cdaa

memory/2416-66-0x000000013FD80000-0x00000001400D4000-memory.dmp

C:\Windows\system\PlUkWHF.exe

MD5 ca58d7f923dcd8f62a8838a67b9434dc
SHA1 51b9fb8da43165c93c24c0adb81d5b0aac85e21d
SHA256 27d63b2d6025ce2292547cb5887e544122f60409b814e1d4fbcfaee352f64d93
SHA512 218b638d86ff60002ad87126d6f484a5dccff0992c3fe33d39f68c604647b550f8b0cc197ea77da022c476a7220be01898304709317c76374f0dfcf9a3499652

memory/2580-73-0x000000013F830000-0x000000013FB84000-memory.dmp

memory/2892-72-0x000000013FFD0000-0x0000000140324000-memory.dmp

\Windows\system\NDpMeVp.exe

MD5 84f38381f3f035bf14f74848aad8668e
SHA1 a46efb84e91b9b2529ee0bdf04529b6016575274
SHA256 b2d24b02489b4345f6db3772d34e250a8e51e0f2b8de491550deccc2c2ba4010
SHA512 9bbf830983dbf5bd57b0d833f18aeaa92d1c1dd12f2f32c1d19a68e1af10220e65df5060ddb441f39f5c6fc255a98125c4b9d2dc3e32bc8ea19584d5dda60eea

memory/2992-80-0x000000013F8E0000-0x000000013FC34000-memory.dmp

memory/2916-75-0x000000013F500000-0x000000013F854000-memory.dmp

memory/2508-64-0x000000013F850000-0x000000013FBA4000-memory.dmp

memory/2944-63-0x000000013FD80000-0x00000001400D4000-memory.dmp

C:\Windows\system\WkZvXCZ.exe

MD5 30b2c6d99c64ad9f43a6ad07d74f7cf8
SHA1 b03d8e63f86c4e264adb2d75145511e6b9561a8c
SHA256 e91538c6f9518da80b0d951bde89b846d0385e3a382a09108d222642f3aee289
SHA512 eb9e4fdb3716b5559c2ee27609ef1f288febd16fffc4acb0b7186ff812717b123e1164027b49b987824b9948ce1d390956645ed2d6df51ef6622ae2994c2b986

memory/2944-58-0x000000013F1D0000-0x000000013F524000-memory.dmp

memory/2620-54-0x000000013FB60000-0x000000013FEB4000-memory.dmp

memory/2528-53-0x000000013F130000-0x000000013F484000-memory.dmp

memory/2944-49-0x0000000002370000-0x00000000026C4000-memory.dmp

C:\Windows\system\nFgKLKM.exe

MD5 03e0866a5082215286dc039032d6bbd5
SHA1 613a1687ec2a38ae16320ce6f7a1615a28c69928
SHA256 5030592b8d87156c1e5355c2aa6e17cf9152d653a14f65bc7da94e95c205dd42
SHA512 772a2fb7e606d583b2bcb1156d54036e4903d3371a27c1bf91d82c20e4c1637544dd4e1a19912e81f3041b4509e7755891418f7ff1a19b5ec3c3aa1667682a7f

memory/2904-45-0x000000013FA20000-0x000000013FD74000-memory.dmp

C:\Windows\system\EuuFVry.exe

MD5 0a428a0d270000de051b97fa71457564
SHA1 b2e822a4bed50563d25271eb41e7465a9300066d
SHA256 e470b1adc3996a80f4e97d9b2571633ce5ffaee88fdba894ad0ac2d80c8f2746
SHA512 3463133e21dc147def9c428663269f1bba16d82fce0b0eeeda68b6e284cfd627f35e4cbb38c004bacf59774d2c8b68133c8dabd9729c8da95925ef4203e237be

memory/2776-87-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2944-86-0x000000013FD30000-0x0000000140084000-memory.dmp

\Windows\system\LDJsWId.exe

MD5 1618bed45ea7817a0a11bbfa0eb4f71c
SHA1 93867f8103155708db696b92981a32bfb7347f51

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-29 06:45

Reported

2024-06-29 06:48

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\wWOvAXm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FMRGIVh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oaObGXR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SMZEyWX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\myEpjcZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\suuizFR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aiFCTkg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aWBglaM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YVYKDUb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GynxLnm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kzgMnYw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UTKOfIo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LzCFmEM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eXbOzqe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uHrovZX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bMltfMi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jOVdRIk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EUpwJap.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nbpJKIV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VsVBCXT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yhDvNNP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3760 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LzCFmEM.exe
PID 3760 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eXbOzqe.exe
PID 3760 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\suuizFR.exe
PID 3760 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aiFCTkg.exe
PID 3760 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aWBglaM.exe
PID 3760 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uHrovZX.exe
PID 3760 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wWOvAXm.exe
PID 3760 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FMRGIVh.exe
PID 3760 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YVYKDUb.exe
PID 3760 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bMltfMi.exe
PID 3760 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jOVdRIk.exe
PID 3760 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EUpwJap.exe
PID 3760 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SMZEyWX.exe
PID 3760 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nbpJKIV.exe
PID 3760 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UTKOfIo.exe
PID 3760 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GynxLnm.exe
PID 3760 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oaObGXR.exe
PID 3760 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VsVBCXT.exe
PID 3760 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yhDvNNP.exe
PID 3760 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\myEpjcZ.exe
PID 3760 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kzgMnYw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\LzCFmEM.exe

C:\Windows\System\LzCFmEM.exe

C:\Windows\System\eXbOzqe.exe

C:\Windows\System\eXbOzqe.exe

C:\Windows\System\suuizFR.exe

C:\Windows\System\suuizFR.exe

C:\Windows\System\aiFCTkg.exe

C:\Windows\System\aiFCTkg.exe

C:\Windows\System\aWBglaM.exe

C:\Windows\System\aWBglaM.exe

C:\Windows\System\uHrovZX.exe

C:\Windows\System\uHrovZX.exe

C:\Windows\System\wWOvAXm.exe

C:\Windows\System\wWOvAXm.exe

C:\Windows\System\FMRGIVh.exe

C:\Windows\System\FMRGIVh.exe

C:\Windows\System\YVYKDUb.exe

C:\Windows\System\YVYKDUb.exe

C:\Windows\System\bMltfMi.exe

C:\Windows\System\bMltfMi.exe

C:\Windows\System\jOVdRIk.exe

C:\Windows\System\jOVdRIk.exe

C:\Windows\System\EUpwJap.exe

C:\Windows\System\EUpwJap.exe

C:\Windows\System\SMZEyWX.exe

C:\Windows\System\SMZEyWX.exe

C:\Windows\System\nbpJKIV.exe

C:\Windows\System\nbpJKIV.exe

C:\Windows\System\UTKOfIo.exe

C:\Windows\System\UTKOfIo.exe

C:\Windows\System\GynxLnm.exe

C:\Windows\System\GynxLnm.exe

C:\Windows\System\oaObGXR.exe

C:\Windows\System\oaObGXR.exe

C:\Windows\System\VsVBCXT.exe

C:\Windows\System\VsVBCXT.exe

C:\Windows\System\yhDvNNP.exe

C:\Windows\System\yhDvNNP.exe

C:\Windows\System\myEpjcZ.exe

C:\Windows\System\myEpjcZ.exe

C:\Windows\System\kzgMnYw.exe

C:\Windows\System\kzgMnYw.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
DE 3.120.209.58:8080 tcp

Files
