Malware Analysis Report

2024-10-24 18:11

Sample ID: 240630-gmpn3athmd
Target: 2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat
SHA256: 6a7bd644a8817e5c2e39d33f553f9177160a8ed0ba4bdd162448710bf9d133b7
Tags: miner upx 0 xmrig cobaltstrike backdoor trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 6a7bd644a8817e5c2e39d33f553f9177160a8ed0ba4bdd162448710bf9d133b7

Threat Level: Known bad

The file 2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Detects Reflective DLL injection artifacts

XMRig Miner payload

Xmrig family

Cobaltstrike family

UPX dump on OEP (original entry point)

Cobaltstrike

xmrig

Cobalt Strike reflective loader

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-30 05:55

Signatures

Cobalt Strike reflective loader
Cobaltstrike family (cobaltstrike)
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload (miner)
Xmrig family (xmrig)
UPX packed file (upx)
Unsigned PE

(No description, indicator, process or target is recorded for any of the static signatures.)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-30 05:55
Reported: 2024-06-30 05:58
Platform: win7-20240508-en
Max time kernel: 140s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike (trojan backdoor cobaltstrike)

xmrig (miner xmrig)

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload (miner)

Loads dropped DLL

Process: C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe (21 identical entries; description, indicator and target N/A)

UPX packed file (upx)

Drops file in Windows directory

Process (every row): C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe
Description (every row): File created; target N/A

Indicator (file created):
C:\Windows\System\IlurEjo.exe
C:\Windows\System\hlRWMNy.exe
C:\Windows\System\DFcvBMg.exe
C:\Windows\System\DocSFKL.exe
C:\Windows\System\QSCXTRX.exe
C:\Windows\System\exQYvJm.exe
C:\Windows\System\vglFdjZ.exe
C:\Windows\System\MUEuIAW.exe
C:\Windows\System\nqQtJtN.exe
C:\Windows\System\bMlFVEw.exe
C:\Windows\System\dIljkPr.exe
C:\Windows\System\aGLtBFM.exe
C:\Windows\System\xbqHnph.exe
C:\Windows\System\ERCjhRg.exe
C:\Windows\System\NSApSca.exe
C:\Windows\System\lLmKSYV.exe
C:\Windows\System\kpthtVA.exe
C:\Windows\System\ZCFPysE.exe
C:\Windows\System\NGdXaGq.exe
C:\Windows\System\yTmunOh.exe
C:\Windows\System\vRgJfkE.exe

Suspicious use of WriteProcessMemory

Process (every row): C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe, PID 2756. Each target below was written to three times; indicator N/A.

Target PID and target process:
2992  C:\Windows\System\vglFdjZ.exe
2624  C:\Windows\System\IlurEjo.exe
2696  C:\Windows\System\hlRWMNy.exe
2600  C:\Windows\System\NSApSca.exe
2744  C:\Windows\System\MUEuIAW.exe
2516  C:\Windows\System\nqQtJtN.exe
2724  C:\Windows\System\bMlFVEw.exe
2496  C:\Windows\System\lLmKSYV.exe
3008  C:\Windows\System\kpthtVA.exe
2524  C:\Windows\System\DocSFKL.exe
1596  C:\Windows\System\ZCFPysE.exe
2576  C:\Windows\System\QSCXTRX.exe
2820  C:\Windows\System\NGdXaGq.exe
1968  C:\Windows\System\dIljkPr.exe
2192  C:\Windows\System\yTmunOh.exe
1772  C:\Windows\System\aGLtBFM.exe
1912  C:\Windows\System\exQYvJm.exe
2208  C:\Windows\System\DFcvBMg.exe
1448  C:\Windows\System\xbqHnph.exe
1684  C:\Windows\System\vRgJfkE.exe
2320  C:\Windows\System\ERCjhRg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe"

Processes started from the dropped executables (the command line of each is its own path):
C:\Windows\System\vglFdjZ.exe
C:\Windows\System\IlurEjo.exe
C:\Windows\System\hlRWMNy.exe
C:\Windows\System\NSApSca.exe
C:\Windows\System\MUEuIAW.exe
C:\Windows\System\nqQtJtN.exe
C:\Windows\System\bMlFVEw.exe
C:\Windows\System\lLmKSYV.exe
C:\Windows\System\kpthtVA.exe
C:\Windows\System\DocSFKL.exe
C:\Windows\System\ZCFPysE.exe
C:\Windows\System\QSCXTRX.exe
C:\Windows\System\NGdXaGq.exe
C:\Windows\System\dIljkPr.exe
C:\Windows\System\yTmunOh.exe
C:\Windows\System\aGLtBFM.exe
C:\Windows\System\exQYvJm.exe
C:\Windows\System\DFcvBMg.exe
C:\Windows\System\xbqHnph.exe
C:\Windows\System\vRgJfkE.exe
C:\Windows\System\ERCjhRg.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (no domain) tcp (6 identical entries)

Files


memory/3008-65-0x000000013F040000-0x000000013F394000-memory.dmp

memory/2756-64-0x0000000002290000-0x00000000025E4000-memory.dmp

memory/2756-57-0x000000013FD80000-0x00000001400D4000-memory.dmp

memory/2724-56-0x000000013F160000-0x000000013F4B4000-memory.dmp

memory/2756-50-0x0000000002290000-0x00000000025E4000-memory.dmp

memory/2744-36-0x000000013FA30000-0x000000013FD84000-memory.dmp

C:\Windows\system\MUEuIAW.exe

MD5 681a63f7e61af6a487b06f2a9a736c0a
SHA1 89fd416aed6fe28b6bc93861609a89cc494746a0
SHA256 da77e550c824f92986488e0c5e373705deb5d603dab05e6a969336c8efef807d
SHA512 cdd23bcf3123d5de657a1e8034e951ce93b3787fc7ba024b2c9ea6cc4a3b8aa0453e2ab5cab78697ce9bec0a0d7e74c0fb028824f9bf88b532b74259c6cdeab7

memory/2600-34-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/2756-33-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/2756-31-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/2756-30-0x000000013F5C0000-0x000000013F914000-memory.dmp

memory/2696-28-0x000000013F5C0000-0x000000013F914000-memory.dmp

memory/2756-19-0x000000013FFB0000-0x0000000140304000-memory.dmp

memory/2756-6-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2756-142-0x0000000002290000-0x00000000025E4000-memory.dmp

memory/2756-143-0x000000013FA70000-0x000000013FDC4000-memory.dmp

memory/2756-144-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2624-146-0x000000013FFB0000-0x0000000140304000-memory.dmp

memory/2992-145-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2696-147-0x000000013F5C0000-0x000000013F914000-memory.dmp

memory/2600-148-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/2516-150-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/2744-149-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/2496-151-0x000000013FD80000-0x00000001400D4000-memory.dmp

memory/3008-153-0x000000013F040000-0x000000013F394000-memory.dmp

memory/2724-152-0x000000013F160000-0x000000013F4B4000-memory.dmp

memory/2524-154-0x000000013F150000-0x000000013F4A4000-memory.dmp

memory/1596-155-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/2576-156-0x000000013FA70000-0x000000013FDC4000-memory.dmp

memory/2820-157-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/1968-158-0x000000013F330000-0x000000013F684000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-30 05:55

Reported

2024-06-30 05:58

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\DFcvBMg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xbqHnph.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bMlFVEw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lLmKSYV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DocSFKL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yTmunOh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aGLtBFM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MUEuIAW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nqQtJtN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QSCXTRX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\exQYvJm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vRgJfkE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ERCjhRg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vglFdjZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZCFPysE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NGdXaGq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kpthtVA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dIljkPr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IlurEjo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hlRWMNy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NSApSca.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3192 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vglFdjZ.exe
PID 3192 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vglFdjZ.exe
PID 3192 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IlurEjo.exe
PID 3192 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IlurEjo.exe
PID 3192 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hlRWMNy.exe
PID 3192 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hlRWMNy.exe
PID 3192 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NSApSca.exe
PID 3192 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NSApSca.exe
PID 3192 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MUEuIAW.exe
PID 3192 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MUEuIAW.exe
PID 3192 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nqQtJtN.exe
PID 3192 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nqQtJtN.exe
PID 3192 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bMlFVEw.exe
PID 3192 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bMlFVEw.exe
PID 3192 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lLmKSYV.exe
PID 3192 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lLmKSYV.exe
PID 3192 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kpthtVA.exe
PID 3192 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kpthtVA.exe
PID 3192 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DocSFKL.exe
PID 3192 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DocSFKL.exe
PID 3192 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZCFPysE.exe
PID 3192 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZCFPysE.exe
PID 3192 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QSCXTRX.exe
PID 3192 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QSCXTRX.exe
PID 3192 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NGdXaGq.exe
PID 3192 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NGdXaGq.exe
PID 3192 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dIljkPr.exe
PID 3192 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dIljkPr.exe
PID 3192 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yTmunOh.exe
PID 3192 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yTmunOh.exe
PID 3192 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aGLtBFM.exe
PID 3192 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aGLtBFM.exe
PID 3192 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\exQYvJm.exe
PID 3192 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\exQYvJm.exe
PID 3192 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DFcvBMg.exe
PID 3192 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DFcvBMg.exe
PID 3192 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xbqHnph.exe
PID 3192 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xbqHnph.exe
PID 3192 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vRgJfkE.exe
PID 3192 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vRgJfkE.exe
PID 3192 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ERCjhRg.exe
PID 3192 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ERCjhRg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\vglFdjZ.exe

C:\Windows\System\vglFdjZ.exe

C:\Windows\System\IlurEjo.exe

C:\Windows\System\IlurEjo.exe

C:\Windows\System\hlRWMNy.exe

C:\Windows\System\hlRWMNy.exe

C:\Windows\System\NSApSca.exe

C:\Windows\System\NSApSca.exe

C:\Windows\System\MUEuIAW.exe

C:\Windows\System\MUEuIAW.exe

C:\Windows\System\nqQtJtN.exe

C:\Windows\System\nqQtJtN.exe

C:\Windows\System\bMlFVEw.exe

C:\Windows\System\bMlFVEw.exe

C:\Windows\System\lLmKSYV.exe

C:\Windows\System\lLmKSYV.exe

C:\Windows\System\kpthtVA.exe

C:\Windows\System\kpthtVA.exe

C:\Windows\System\DocSFKL.exe

C:\Windows\System\DocSFKL.exe

C:\Windows\System\ZCFPysE.exe

C:\Windows\System\ZCFPysE.exe

C:\Windows\System\QSCXTRX.exe

C:\Windows\System\QSCXTRX.exe

C:\Windows\System\NGdXaGq.exe

C:\Windows\System\NGdXaGq.exe

C:\Windows\System\dIljkPr.exe

C:\Windows\System\dIljkPr.exe

C:\Windows\System\yTmunOh.exe

C:\Windows\System\yTmunOh.exe

C:\Windows\System\aGLtBFM.exe

C:\Windows\System\aGLtBFM.exe

C:\Windows\System\exQYvJm.exe

C:\Windows\System\exQYvJm.exe

C:\Windows\System\DFcvBMg.exe

C:\Windows\System\DFcvBMg.exe

C:\Windows\System\xbqHnph.exe

C:\Windows\System\xbqHnph.exe

C:\Windows\System\vRgJfkE.exe

C:\Windows\System\vRgJfkE.exe

C:\Windows\System\ERCjhRg.exe

C:\Windows\System\ERCjhRg.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/3192-0-0x00007FF74A200000-0x00007FF74A554000-memory.dmp

memory/3192-1-0x000001906B2D0000-0x000001906B2E0000-memory.dmp

C:\Windows\System\vglFdjZ.exe

MD5 cd37a6f74dc1536b82c5e523eccdcccf
SHA1 9c47da06a13662585825ee441fbca39b18a4bd7c
SHA256 3839df782a9003cf8007b716ce43d38a6f3ff48e7d47f158a6e5e167dab16ce9
SHA512 c916ef7ef0e858f4dfc0822364a63914acbc00756b67cc1e2db491b0e9b8bd11191f0857e79af4369e04ede9da5e063cc8d762b5b3bc32623639b81ba5e0281f

memory/2624-7-0x00007FF7F0CB0000-0x00007FF7F1004000-memory.dmp

C:\Windows\System\IlurEjo.exe

MD5 7d86801ee399be68b2cb0cd55fadf6c0
SHA1 fa9cb2bab9070c637dad70b774915b0479dccab0
SHA256 6a33115996e77447c867a5cb6c24473b5ef0618e195e16ea0ce6be7d957dcc93
SHA512 5588d75a84b08b2595e961c8184197e46ff589bdd1156cbf1e73527166bdbf29fafc45cd4b9ae4d56783677737008697580a8ebae01e2c7a463d025b75696840

C:\Windows\System\hlRWMNy.exe

MD5 0ae2f17ced1f4a50b627e6b9b6e57962
SHA1 b84e9984ebc4b64589fa4ac12023ff52e5ec4a8b
SHA256 fbf4022d254401d8b90a358099e6be53db83de5573604e01b0b7cd9eafa07a57
SHA512 11d925541c80226e5133a8e3bc2f2452af320b6f6d276897f7d6f32442de3b2df78149792b423bcad1d6760e4ef343edfd3fcebc5b4fe3bee9885ca031e59c3e

memory/1100-14-0x00007FF664A70000-0x00007FF664DC4000-memory.dmp

memory/2064-20-0x00007FF72E390000-0x00007FF72E6E4000-memory.dmp

C:\Windows\System\NSApSca.exe

MD5 fd63ab95680836a9be621002f5d59bf5
SHA1 2f7ccab6e95ca614ff7ef5279fff2dcb0c7eeaa7
SHA256 6bfefd38ba68c740e3eaa8f9b4d095d4442bcb30112b33e0b5e512ee73f62d43
SHA512 a1e21ff3876cbf54fd8399eed8dcfd67f7f0e85ea64a8616f8712e2af44e5d1b93ba92adafcde3d48c53406d8afa81276fae378894a0cd48fb4b02a728f9fdec

memory/740-24-0x00007FF7B7940000-0x00007FF7B7C94000-memory.dmp

C:\Windows\System\MUEuIAW.exe

MD5 681a63f7e61af6a487b06f2a9a736c0a
SHA1 89fd416aed6fe28b6bc93861609a89cc494746a0
SHA256 da77e550c824f92986488e0c5e373705deb5d603dab05e6a969336c8efef807d
SHA512 cdd23bcf3123d5de657a1e8034e951ce93b3787fc7ba024b2c9ea6cc4a3b8aa0453e2ab5cab78697ce9bec0a0d7e74c0fb028824f9bf88b532b74259c6cdeab7

memory/4132-32-0x00007FF751460000-0x00007FF7517B4000-memory.dmp

C:\Windows\System\nqQtJtN.exe

MD5 3bd0cceccc7a97f1724ae72bee148617
SHA1 396bef6b21996e421ade9d2d58091c441ec7feee
SHA256 4f65440da796831a75240e3610bac4df1e242acd674f150c1dc92c53b788270d
SHA512 e643d851cd1521a27b959e073a5c71a83690e811d755b0c1785fc2ef0490ae2ad047c9052fb143ead0b5f1c1e300f4936409c96870511b3eac30dc8cf9f582a5

memory/1120-38-0x00007FF6F1430000-0x00007FF6F1784000-memory.dmp

C:\Windows\System\bMlFVEw.exe

MD5 4b83783e4ace8b9ade23580208fe3411
SHA1 2018a9ca4e76f25b670ed873af9055adc7a0a3d6
SHA256 a36da6db86fff88c32c5cf1e5ef7b38a8a1d06f871dc3b8cd7a83e22477aae2a
SHA512 d0f2d3a172aae16cc0a2276b484c782054cae10c64efa64088f9d722474c753d4cdbbaa843302b86c9868b9d0c49703c8d4c6eb288a7e2065eae269d8a9e9063

memory/1296-44-0x00007FF735570000-0x00007FF7358C4000-memory.dmp

C:\Windows\System\lLmKSYV.exe

MD5 d1fbd16bca4773b71b2a379c4ca18657
SHA1 d9f9ddcb279d4ea121dff3fc01ac94c6441508a7
SHA256 497d05f6a1ca8ebdec25701a7ecd3ac3c2da0d9f4aad81115eb5c5eb1a4dd865
SHA512 dc9aceec7d0dd656c355b5128ecdbabd22970f77d4161d62fe9cd4cf297024656b8a7cf8b606e8d230c428dcac681e97c35077cd0fe13edbd30de6dee8228de7

memory/4792-48-0x00007FF728200000-0x00007FF728554000-memory.dmp

C:\Windows\System\kpthtVA.exe

MD5 225ccc294e5cba89c2ead9525e0061b0
SHA1 b920424b0c2d00618a6876a27405726174e91c7b
SHA256 261a6c061713e93f3587d9a6f93cb44e0034fa5a5de6b122dc45fe0e5a0b9339
SHA512 d09e0cfb3e1e315e06f25b72ee6fbb38798f56fd53e8f672cc5b8916b639a0964fbb3ccc7f105194de4a7c90bcdce58d794789666d306db7c264b2df51ef0a61

C:\Windows\System\DocSFKL.exe

MD5 2da870afda917d4b060a3b236004eef8
SHA1 37e228840290a12c1d4f818d223f292bbb427d75
SHA256 9809f4c4984e5168df79addfc7cf6b5a1b6b9a37c46067df9b8c22392e28764e
SHA512 44432fab2d2ec62a4c69c003d8f10f8b6c01e01dc7695808846f3d0bc068fee6dfcbbd3d7cffa1c6ba28d303ef7d05004f9f3b485b2fb2e6605bbd3f5a5f5195

C:\Windows\System\ZCFPysE.exe

MD5 65e86e4cc8556623f05fabfc44f6171c
SHA1 215385a0fe45c92450236639226c2fc18a7b2d0b
SHA256 d228274f4f9f3c98274dd6e8874a2e2be65502044c109f606f6c9d2d9132420e
SHA512 aed2223a5091950d1f059cc7295bc33d71fe917ccc5a377d5a5765bb234a423e252703680517ec83185d13a372c3cce9d3bb46f941ca77633a7d91528ac726d0

memory/932-70-0x00007FF7B0FD0000-0x00007FF7B1324000-memory.dmp

memory/2624-67-0x00007FF7F0CB0000-0x00007FF7F1004000-memory.dmp

memory/3192-62-0x00007FF74A200000-0x00007FF74A554000-memory.dmp

memory/4392-66-0x00007FF638A70000-0x00007FF638DC4000-memory.dmp

memory/4612-58-0x00007FF72BD50000-0x00007FF72C0A4000-memory.dmp

C:\Windows\System\QSCXTRX.exe

MD5 cc903842430f829876b32b44e1e59218
SHA1 c17e5f4bdeee670c80d4c2188dcc7a2e7388008c
SHA256 5d1e520af5287f6f34d8683e04cb3f52a48ba83eced37694915cf9a1df7fd483
SHA512 4b2c5835df3f99a54fa5ade20fe89e8d5d40fd7f23ad2c847e109a90b139f4197238e4f5f4a70d9779461117ff170281a8284f13c2fdd8ccb080c847fdf35bcd

memory/3004-76-0x00007FF66ABC0000-0x00007FF66AF14000-memory.dmp

C:\Windows\System\NGdXaGq.exe

MD5 1c61d9714227e679000a2cbaf01851ad
SHA1 8226a4fbc2f376b8cc9d19534f4bdcf853f34a47
SHA256 21a079720aa6ea5637cd7eb7a10d7e240b66b95f2c40104c2140a90b760048fc
SHA512 0ac9a08240e62bcd883eac297978a25007adacd2163e795126911d226389a1e7d9a73645333a74cdf4631cb4cd38316dc777b2d6693c8a59ffb6b7a20a800c27

memory/4908-82-0x00007FF796540000-0x00007FF796894000-memory.dmp

C:\Windows\System\dIljkPr.exe

MD5 6ee1b380abcbc59cab24fc750c00acab
SHA1 82af126cfb9fb5dd47a808cc0ddaec900b446363
SHA256 28bcf1cfed1d3911b9e259b6fba6d699eec8288f3fda3153d24fd95c8bc51107
SHA512 5601a6c675b24a330ff77b613137dad4338bdf8ca07395929d59aa8346b693e43d285c24bfbea422224d6b728269c9deba4f1916e1923f76e0c6bdbcaa9a1b35

C:\Windows\System\yTmunOh.exe

MD5 a15e2ba2cb2e9186040bee537944a780
SHA1 15b47afe34a14d54f8b926aefce342a515f9de8a
SHA256 cd23b37743b2649c4648b88ada791b2bf0b037d1d5075a45acf97464bbb3a5a2
SHA512 5f1f0f6feccb61000ce683b04b99b37bcec1170eb421aa9b24d2a7b2163a0d3edb53dafd86b3bc55d5dd683d9acf460bd01a1a12b074b8db35854c1f1e4dda01

memory/2480-101-0x00007FF6ABA90000-0x00007FF6ABDE4000-memory.dmp

C:\Windows\System\exQYvJm.exe

MD5 69e393a730077a3bb336f8c491bd852a
SHA1 a71f499fda91eccac96165867406a4c1993dc6e8
SHA256 03a5eacab204a3ceadacd8607f5dc72825b26604880c33d0130038f4c79e896f
SHA512 9a02eec19fbf79efddf34c9a4b273d401aa8e9c2f2e4055cf2660f1f3c93d72910a75641afb353c1ed652fb817429b8eeddb202719b3b40854026023cf721969

C:\Windows\System\aGLtBFM.exe

MD5 dfef88503838bcf6037eb83f1152e252
SHA1 3113da8e7dac04aba66393722d65462011dffcb8
SHA256 d376ae861cf6f8c311991c04eb0f5a03a50e60ca46fe860dfcd3bb2b9d40e7d7
SHA512 a7c0222caef152b07b351e18aa5065aeaf197892746ffa5d2169c0c7c330a220f3eeb2a96e51f16c5cb72789dc3d392305b4ca656a815aea198b50ee69fcc846

memory/4732-97-0x00007FF7F94A0000-0x00007FF7F97F4000-memory.dmp

memory/4000-91-0x00007FF6F98D0000-0x00007FF6F9C24000-memory.dmp

memory/740-90-0x00007FF7B7940000-0x00007FF7B7C94000-memory.dmp

memory/2760-107-0x00007FF647140000-0x00007FF647494000-memory.dmp

memory/4792-119-0x00007FF728200000-0x00007FF728554000-memory.dmp

C:\Windows\System\vRgJfkE.exe

MD5 13d032be7860ca136516887900f9a240
SHA1 7ac5983e8cd4f36d9819927901a84018267b9531
SHA256 73735fb9df4ed13c0307d6a6c9d45c4dc197ee8fc85a613f8ef0ef4f3c9e06d2
SHA512 e8bfcdc688dd8ddfa5ef13937d237f0b3f3850611f2b22fcdff6234abf35edb936478fb4cbedd40c1050f56f44d928b1902db296a41e261f341d3306c8b5a07e

memory/4692-120-0x00007FF706630000-0x00007FF706984000-memory.dmp

memory/4552-127-0x00007FF6F9DF0000-0x00007FF6FA144000-memory.dmp

memory/4392-126-0x00007FF638A70000-0x00007FF638DC4000-memory.dmp

C:\Windows\System\xbqHnph.exe

MD5 8fbcaa1c22e83794c9c7000ca4c073d3
SHA1 a4ccc58c27fd4d381c2bcfcb00ab27bd7084f8f3
SHA256 b67537f9d5304ef863f31e6decde0f39e2dbb92ad06d8a4693d2aebda8a6e365
SHA512 e7ba1c5e0d32c8be75203eed3699df002ae1987e17b51ff03219b9ae76ff8c89c593367690dc513d73cd64180fffd2eb6b7ef800668b4c5f3220fba4a7b52aee

C:\Windows\System\DFcvBMg.exe

MD5 02e202269766c96f79f736dc3da5452a
SHA1 d0bc2987a05ca64a2e213df07787fbde832d2996
SHA256 d927a45d11f871ab085a27a4ad795d2a86dc53d759b47fdb0a062551acbf28a0
SHA512 67136a9f4172194f30939ee64780656f277a7482f33c0b85d3c162135c66bca737195921b3a0adc9ff57f40161ffa71273a34a629b39d9bfdf9ffdfbb504b006

memory/2580-111-0x00007FF60F0D0000-0x00007FF60F424000-memory.dmp

C:\Windows\System\ERCjhRg.exe

MD5 59d6648895844aca613841196db29ecf
SHA1 e67eb40aabf4a736a845890e08eb141e2d67d89c
SHA256 95c848836758073a174d4ac07cc4ca30f136c52d1ffe926d776c72281672ef01
SHA512 40f5fbdb5363ade58c060267aca81a92fb0c27ecf6ccdb36d4fdc506fce55ba7f22ed702f1df8bd1f38fafdb8b8d8c57d9824c3558f59e1ab89bef77d69282d5

memory/3076-132-0x00007FF7311A0000-0x00007FF7314F4000-memory.dmp

memory/932-133-0x00007FF7B0FD0000-0x00007FF7B1324000-memory.dmp

memory/4732-134-0x00007FF7F94A0000-0x00007FF7F97F4000-memory.dmp

memory/2480-135-0x00007FF6ABA90000-0x00007FF6ABDE4000-memory.dmp

memory/2580-136-0x00007FF60F0D0000-0x00007FF60F424000-memory.dmp

memory/2624-137-0x00007FF7F0CB0000-0x00007FF7F1004000-memory.dmp

memory/1100-138-0x00007FF664A70000-0x00007FF664DC4000-memory.dmp

memory/2064-139-0x00007FF72E390000-0x00007FF72E6E4000-memory.dmp

memory/740-140-0x00007FF7B7940000-0x00007FF7B7C94000-memory.dmp

memory/4132-141-0x00007FF751460000-0x00007FF7517B4000-memory.dmp

memory/1120-142-0x00007FF6F1430000-0x00007FF6F1784000-memory.dmp

memory/1296-143-0x00007FF735570000-0x00007FF7358C4000-memory.dmp

memory/4792-144-0x00007FF728200000-0x00007FF728554000-memory.dmp

memory/4612-145-0x00007FF72BD50000-0x00007FF72C0A4000-memory.dmp

memory/4392-146-0x00007FF638A70000-0x00007FF638DC4000-memory.dmp

memory/932-147-0x00007FF7B0FD0000-0x00007FF7B1324000-memory.dmp

memory/3004-148-0x00007FF66ABC0000-0x00007FF66AF14000-memory.dmp

memory/4908-149-0x00007FF796540000-0x00007FF796894000-memory.dmp

memory/4000-150-0x00007FF6F98D0000-0x00007FF6F9C24000-memory.dmp

memory/4732-151-0x00007FF7F94A0000-0x00007FF7F97F4000-memory.dmp

memory/2760-153-0x00007FF647140000-0x00007FF647494000-memory.dmp

memory/2480-152-0x00007FF6ABA90000-0x00007FF6ABDE4000-memory.dmp

memory/2580-154-0x00007FF60F0D0000-0x00007FF60F424000-memory.dmp

memory/4692-155-0x00007FF706630000-0x00007FF706984000-memory.dmp

memory/4552-156-0x00007FF6F9DF0000-0x00007FF6FA144000-memory.dmp

memory/3076-157-0x00007FF7311A0000-0x00007FF7314F4000-memory.dmp