Malware Analysis Report

2025-01-22 19:21

Sample ID 240805-ls5ppasflk
Target 2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat
SHA256 0139dde88261ac9988a420784da0be96b907b70f761d2ac455aed87b45fa737f
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0139dde88261ac9988a420784da0be96b907b70f761d2ac455aed87b45fa737f

Threat Level: Known bad

The file 2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobaltstrike

Cobaltstrike family

XMRig Miner payload

Xmrig family

Cobalt Strike reflective loader

xmrig

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-05 09:48

Signatures

Cobalt Strike reflective loader

1 match; no description, indicator, process or target reported.

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
1 match; no description, indicator, process or target reported.

Xmrig family

xmrig

UPX packed file

upx
1 match; no description, indicator, process or target reported.

Unsigned PE

2 matches; no description, indicator, process or target reported.

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-05 09:48

Reported

2024-08-05 09:51

Platform

win7-20240729-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

21 matches; no description, indicator, process or target reported.

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
41 matches; no description, indicator, process or target reported.

Loads dropped DLL

21 events, all by process C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe; no description, indicator or target reported.

UPX packed file

upx
61 matches; no description, indicator, process or target reported.

Drops file in Windows directory

File created by C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe (21 files; no indicator or target reported):

C:\Windows\System\yWLXDXQ.exe
C:\Windows\System\vdZspAU.exe
C:\Windows\System\QyRkIGn.exe
C:\Windows\System\ULmXEsY.exe
C:\Windows\System\vGQjyrm.exe
C:\Windows\System\eHwTKwv.exe
C:\Windows\System\GeWVWgk.exe
C:\Windows\System\PdmNRyi.exe
C:\Windows\System\IbunImf.exe
C:\Windows\System\YtOnRKT.exe
C:\Windows\System\KHyrpJq.exe
C:\Windows\System\EPyPkcZ.exe
C:\Windows\System\ruIoRff.exe
C:\Windows\System\shEiLQf.exe
C:\Windows\System\MFOQRmG.exe
C:\Windows\System\cHtrFwy.exe
C:\Windows\System\pXTkuhM.exe
C:\Windows\System\DdCRauJ.exe
C:\Windows\System\gCidrhp.exe
C:\Windows\System\eadlUlg.exe
C:\Windows\System\SPRFDPT.exe

Suspicious use of WriteProcessMemory

Process: C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe (PID 400). Each target below received three write events; no indicator reported.

PID 400 wrote to memory of 316 (3 events): C:\Windows\System\YtOnRKT.exe
PID 400 wrote to memory of 1740 (3 events): C:\Windows\System\cHtrFwy.exe
PID 400 wrote to memory of 3028 (3 events): C:\Windows\System\KHyrpJq.exe
PID 400 wrote to memory of 2312 (3 events): C:\Windows\System\QyRkIGn.exe
PID 400 wrote to memory of 2192 (3 events): C:\Windows\System\pXTkuhM.exe
PID 400 wrote to memory of 2804 (3 events): C:\Windows\System\EPyPkcZ.exe
PID 400 wrote to memory of 2840 (3 events): C:\Windows\System\DdCRauJ.exe
PID 400 wrote to memory of 2748 (3 events): C:\Windows\System\gCidrhp.exe
PID 400 wrote to memory of 2808 (3 events): C:\Windows\System\eadlUlg.exe
PID 400 wrote to memory of 2300 (3 events): C:\Windows\System\ruIoRff.exe
PID 400 wrote to memory of 2628 (3 events): C:\Windows\System\shEiLQf.exe
PID 400 wrote to memory of 3000 (3 events): C:\Windows\System\ULmXEsY.exe
PID 400 wrote to memory of 2756 (3 events): C:\Windows\System\vGQjyrm.exe
PID 400 wrote to memory of 2648 (3 events): C:\Windows\System\eHwTKwv.exe
PID 400 wrote to memory of 2604 (3 events): C:\Windows\System\GeWVWgk.exe
PID 400 wrote to memory of 2324 (3 events): C:\Windows\System\PdmNRyi.exe
PID 400 wrote to memory of 1520 (3 events): C:\Windows\System\MFOQRmG.exe
PID 400 wrote to memory of 2856 (3 events): C:\Windows\System\SPRFDPT.exe
PID 400 wrote to memory of 2924 (3 events): C:\Windows\System\IbunImf.exe
PID 400 wrote to memory of 2984 (3 events): C:\Windows\System\yWLXDXQ.exe
PID 400 wrote to memory of 2988 (3 events): C:\Windows\System\vdZspAU.exe
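The "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" tables describe a single behaviour: PID 400 writes 21 executables with seven-letter names into C:\Windows\System, starts each one, and is logged writing into each new child exactly three times. Three writes into a child the same process has just created is the footprint a parent leaves while setting up a new process, so those rows on their own are consistent with spawning rather than injection into a foreign process; the signal worth alerting on is one process fanning out into many dropped children. The script below is an added example, not part of this report or of the sandbox's tooling. It parses rows in the table's own column layout over a constructed subset of the rows above (four children, three rows each) plus one explorer/notepad spawn that is not in the report, added for contrast, and flags a source PID by fan-out. The drop path and seven-letter name pattern come from this report; the threshold of five children is an assumption.

```python
import re
from collections import defaultdict

# Image path of the submitted sample as it appears in the report (PID 400).
DROPPER = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
           "2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe")


def _row(src_pid, dst_pid, src_image, dst_image):
    # Column order of the report table: Description, Indicator (N/A here), Process, Target.
    return f"PID {src_pid} wrote to memory of {dst_pid} N/A {src_image} {dst_image}"


# Constructed sample input: the first four children from the table, three rows
# each as the sandbox emits them, plus a benign explorer -> notepad spawn (not
# from the report) so the fan-out rule has a negative case to ignore.
SAMPLE_EVENTS = [
    _row(400, dst, DROPPER, "C:\\Windows\\System\\" + name + ".exe")
    for dst, name in [(316, "YtOnRKT"), (1740, "cHtrFwy"), (3028, "KHyrpJq"), (2312, "QyRkIGn")]
    for _ in range(3)
] + [_row(1200, 1300, "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\notepad.exe")] * 3

# Rows in this report contain no spaces inside paths; a path with spaces would
# need the sandbox's structured export rather than this text layout.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")

# Every dropped file here is C:\Windows\System\<seven letters>.exe.
DROP_PATH_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse_events(lines):
    """Return (src_pid, dst_pid, src_image, dst_image) for each well-formed row."""
    events = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            events.append((int(m[1]), int(m[2]), m[4], m[5]))
    return events


def summarize(events):
    """Collapse repeated rows: src_pid -> {dst_pid: {"image": path, "writes": n}}."""
    out = defaultdict(dict)
    for src, dst, _src_image, dst_image in events:
        entry = out[src].setdefault(dst, {"image": dst_image, "writes": 0})
        entry["writes"] += 1
    return dict(out)


def flag_fanout(summary, min_children=5):
    """Flag sources that wrote into at least `min_children` distinct processes
    whose image matches the drop-location pattern. The write count per child is
    deliberately ignored: three writes per freshly created child is normal."""
    hits = []
    for src, children in summary.items():
        dropped = [d for d, c in children.items() if DROP_PATH_RE.match(c["image"])]
        if len(dropped) >= min_children:
            hits.append((src, len(dropped)))
    return hits


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_EVENTS))
    for src, children in summary.items():
        print(f"PID {src}: {len(children)} distinct targets")
    print("flagged:", flag_fanout(summary, min_children=4))
```

Run against the full 63-row table, the summary collapses to 21 children of PID 400 and the default threshold fires; the explorer entry in the constructed input never does, because its one child is neither in the drop directory nor numerous.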

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe"

Dropped executables (for each, the command line is the bare path):

C:\Windows\System\YtOnRKT.exe
C:\Windows\System\cHtrFwy.exe
C:\Windows\System\KHyrpJq.exe
C:\Windows\System\QyRkIGn.exe
C:\Windows\System\pXTkuhM.exe
C:\Windows\System\EPyPkcZ.exe
C:\Windows\System\DdCRauJ.exe
C:\Windows\System\gCidrhp.exe
C:\Windows\System\eadlUlg.exe
C:\Windows\System\ruIoRff.exe
C:\Windows\System\shEiLQf.exe
C:\Windows\System\ULmXEsY.exe
C:\Windows\System\vGQjyrm.exe
C:\Windows\System\eHwTKwv.exe
C:\Windows\System\GeWVWgk.exe
C:\Windows\System\PdmNRyi.exe
C:\Windows\System\MFOQRmG.exe
C:\Windows\System\SPRFDPT.exe
C:\Windows\System\IbunImf.exe
C:\Windows\System\yWLXDXQ.exe
C:\Windows\System\vdZspAU.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (no domain) tcp, 6 connections

Files

memory/400-0-0x000000013F450000-0x000000013F7A1000-memory.dmp

memory/400-1-0x0000000000080000-0x0000000000090000-memory.dmp

C:\Windows\system\YtOnRKT.exe

MD5 dd35b9111dad5d1121506e60b8b952a7
SHA1 9d710dcbc91adf9185c59268b5fe7807845fb044
SHA256 d644f31568812f4a62ffa3ffeef2b045e39730e1d2ba239cb6552cdb4b1f0c85
SHA512 71e5c3ab86c5a735712c49716342a97cd5c691d02f84ff473ce56cdb39875c0c3aa428b6cc319ed25c9921b77a26681fcbee724387c8e8a217af566d521c18b1

C:\Windows\system\cHtrFwy.exe

MD5 c967c4408677aaac3dd3c1d61af0a09b
SHA1 14f27aadc921ae58c2d1dd005894b8a7ccb8d87f
SHA256 d4c8cb091a2df780f9ae9db4c461e300cfd1f31190272858b5432bf234e2006d
SHA512 f1e31b4919cb9f47a60c2e0190a8152527964b69930b226c7007c5a04758c49f6b1265a110bb35aad94b216daba8d1ecacdf34e7d9fc766f41232e6b07f2607a

memory/400-10-0x00000000022F0000-0x0000000002641000-memory.dmp

C:\Windows\system\KHyrpJq.exe

MD5 761c50445548d969f5858758dee5ba3b
SHA1 52c7581f6fb67051378d1dab94fbc5b01afcdc5f
SHA256 f9d9685300ae78c08f57d2255db4832678f0441dfdb8e6ea1b3b6e2103fa369f
SHA512 86740b32a7f97ff26106e97ceea8efc3096ed54e0357698a2bcc1563c881e750ebc9729a3b09357bcdefd280e2a5cb387133c816b6b9fecc2c32b83a66bc9b98

C:\Windows\system\QyRkIGn.exe

MD5 ec109eea81d85b2182522aa114abf97d
SHA1 efd634fecd25d8b96308e5737ebf22a9d1aa3643
SHA256 a55eee968ad26e432cf90e149c1431493d120b02d5accb6c96cb866e1c8222b3
SHA512 16eba19f58341a54a2629f84fb676baf5abb89474035fc3dc444c35889eb4a4c682ee4d43788dd53e87f2fd49cc226aad0426636a7926d3cd2d8680f47735482

C:\Windows\system\pXTkuhM.exe

MD5 0311fc49115635485a583afd621c701b
SHA1 5ac7a87846b5e9893c3e28ec283370ccf114eca5
SHA256 251a2cfb6e2749ffedb1d2ecdc29e5f1eab4ffb030f09fb3e4cc0ef74094d950
SHA512 7d1e7d6386cb605c9ef62ecad5b046eee300cd61f9fd64f1bb0c20e66bfa25fc64ef9547fe86813c6ed5108eaaa53fea6c57aca633d80509b61e9558f77480a8

C:\Windows\system\EPyPkcZ.exe

MD5 a9ca099581febaf704a5887217b838a9
SHA1 740e3677636cc595c20ca6c8f9363e7c12a32691
SHA256 d53818ef1ba53a699c3b05825b324a08337bea3111db47b85c3836bae4f82951
SHA512 8aad9455344b926b5abc83ca51d5c21a686f74cce7bef97b3a1373ebd50bac5e1ec6e97c57414be119e77af59528376f45d19143e926dd95ce9c42b0c13cbab8

C:\Windows\system\DdCRauJ.exe

MD5 48530fe23d83e008827a8940b6194e4c
SHA1 9ab3091df11b9240546e67f5cf2e124c87658e5d
SHA256 1992e493ef1d4f8e6204c37951be5c5dcf440a8cff9b9f22dc51aa978d9e7887
SHA512 01d27dfc20c75197233dbd252dd4c537c37a29484e7bf62ecb02ef0e5cf310b87421ca73883c74e6818c16c711d9c79330647d5a415fa93a5d30072ca9e364a5

C:\Windows\system\eadlUlg.exe

MD5 156f4019a14753a7cfefb01f38e96782
SHA1 43e2a5f5dc9424cab922a3d5371d2fdc15a7d330
SHA256 558790c22fa1a7d06287c9fe3f8e058cdccaf7b6347b807b681ffb29b911ebad
SHA512 e8e52db729035831edd1b6ab1576299b2abfffc1cdaef5185928ebcdb81a3f80ae468c8e90699537fbcdf7ea211f89c0b01893e533b1e85464e0df90bd7cae63

C:\Windows\system\vGQjyrm.exe

MD5 1f667da604f1e7b593f3c26bc653c942
SHA1 a2efd7c2d2047fde1b5b8d64a01a437fe41b2d95
SHA256 e4e60775677d91f1e02bf822898e10e9e6b129ec2b0abed9887c634c2d51e65e
SHA512 57fe87cbd0a6ae3fc269180fe98c98ddd11a9ad2848f666e3d776c5efb317e3833d11043862f98d3788862e8b61d24d527d1f914a9424573ef5bbfb6bf5f7514

C:\Windows\system\GeWVWgk.exe

MD5 16f10df314b8d5d564af6bc657665d75
SHA1 32a78ed54c80512df35b1ff4f4f866bd6f6c252a
SHA256 78b55b2d3bb1c49cc65a3f6d6c4c22ca9466362113bcfbd62a3e43f7636af79f
SHA512 a6fd7bfeb781caeda61d290b25e0af1f6767ed5f5bc59889d885131185d6598fe677aeb658c3f527d64141bf1d93dab296f312937e6c6b77a894f27a85a3a1e7

memory/316-78-0x000000013F1B0000-0x000000013F501000-memory.dmp

memory/2840-92-0x000000013F940000-0x000000013FC91000-memory.dmp

memory/1740-111-0x000000013F980000-0x000000013FCD1000-memory.dmp

memory/400-110-0x000000013F980000-0x000000013FCD1000-memory.dmp

memory/400-109-0x00000000022F0000-0x0000000002641000-memory.dmp

memory/2648-108-0x000000013F710000-0x000000013FA61000-memory.dmp

memory/400-107-0x00000000022F0000-0x0000000002641000-memory.dmp

memory/2756-106-0x000000013F3F0000-0x000000013F741000-memory.dmp

memory/400-104-0x00000000022F0000-0x0000000002641000-memory.dmp

memory/3000-103-0x000000013F7D0000-0x000000013FB21000-memory.dmp

memory/400-102-0x000000013F7D0000-0x000000013FB21000-memory.dmp

memory/2628-101-0x000000013F430000-0x000000013F781000-memory.dmp

memory/400-100-0x00000000022F0000-0x0000000002641000-memory.dmp

C:\Windows\system\SPRFDPT.exe

MD5 7a0934434fec4294a2f8ac9447f28970
SHA1 4f5fbc85b5555e4c7d7c1e05018a5c0f5bc818fe
SHA256 d06c28813d83ac9369b305c1dee8b3006898881cc8dc62259c226ceb000b0d74
SHA512 d8a3053a84900b13c0d74d84ad562e2c6bb395e95f69f1df46f407b684ba8407ffa411c7bb743a2f7b7d8273cb8b8d991b22ebf5e647bdef757e707668347d49

C:\Windows\system\yWLXDXQ.exe

MD5 d078063dccc65b6cb4d593e0a951b826
SHA1 398c929d55df426f93a0c84a7c847b7d6bb0dd07
SHA256 e4e694e4404cf689f70e70f473a65f7cd138e80ec0c1179ea7bf63a9517b7cc6
SHA512 102b284c5d28e7ecd701752e12e9feeb1d3ee8e3a6491ecf2d0cbfebc5db14be718528bd9da6e71de77e386e0c3516dcad9e71560965b5b41ccf2fec75de1a8a

C:\Windows\system\vdZspAU.exe

MD5 ebd4dae49467190ec708f5a8635ed128
SHA1 c136b45ade04e3a5d958a0491a53ca40ee341c67
SHA256 80eabb6615b4923b5c8cdd844cf88895b6d9dfbe41fb56a805cbb829521e388d
SHA512 55ac694db4993707db3edf55f21ae0f0af19eba8f3a8c86fcf3f274e11614aa43a0b0ffe23ffab8c8a3f80d9ff8e9cb5b85d0ba3c2c71935d1c06b53c7a01685

C:\Windows\system\IbunImf.exe

MD5 e53c14640dfbbc8d3b55719008c69dba
SHA1 0515466056153bedd91b520eaaf222186def4907
SHA256 862481926ba8442f3b82d623578ae06c0c868b696079cae58f193137e75f5182
SHA512 0d8d5cbd42b6ef2224f3d03c46659b094ffcfcb54a0b7cc96c885128808c382ae8f39781dad147bdaffcf50642f77e40c58351ed6dd36beb6de2c90428fa1062

C:\Windows\system\MFOQRmG.exe

MD5 13b3faf727d4a166eb908f58e813d45c
SHA1 85dc4ad737e062e71fe56101578f6c48713ccc33
SHA256 442cb836cfd5704c72073d2b8dab8c7c652a9988a840ca4b39e8c80f5adca047
SHA512 1682152fc350d40bf88837f9cae903b769f382f0f95ecccac7863de6717fb9c69bc587d3b12eecd5e16199706334e225a81ecb74e4401b40bb34fa77097985fd

memory/2300-99-0x000000013F340000-0x000000013F691000-memory.dmp

memory/400-98-0x00000000022F0000-0x0000000002641000-memory.dmp

memory/2808-97-0x000000013F770000-0x000000013FAC1000-memory.dmp

memory/400-96-0x00000000022F0000-0x0000000002641000-memory.dmp

C:\Windows\system\PdmNRyi.exe

MD5 57d1a0f6d8281bed16bd712d016d0b8c
SHA1 bbfdead8e0eca366ea173c5fb9728c6d5a854a99
SHA256 da4a76011c1cbeeb8d1b040c87ebe9e3c5ca8c05f315132cfeee2d40ed30fd26
SHA512 ec2d46961185a9ef86492c4a0b5f17c005705145cb2c9dead607b9bdb85cca40faada0e65e5bb0d3ef3171f9457b3c68fd360fb7344056d8e441820ab88861bd

memory/2748-94-0x000000013F6F0000-0x000000013FA41000-memory.dmp

memory/400-93-0x00000000022F0000-0x0000000002641000-memory.dmp

memory/400-90-0x000000013F940000-0x000000013FC91000-memory.dmp

memory/2804-89-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

memory/400-86-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

memory/2192-85-0x000000013F420000-0x000000013F771000-memory.dmp

memory/400-84-0x00000000022F0000-0x0000000002641000-memory.dmp

memory/2312-83-0x000000013F3C0000-0x000000013F711000-memory.dmp

memory/400-82-0x00000000022F0000-0x0000000002641000-memory.dmp

memory/3028-80-0x000000013F940000-0x000000013FC91000-memory.dmp

memory/400-79-0x000000013F940000-0x000000013FC91000-memory.dmp

C:\Windows\system\eHwTKwv.exe

MD5 a1a21eba3bc40aedd4292be70d67939c
SHA1 b80b288881835546521083306530e674a1fc11f6
SHA256 6c5e9ccfad0225e344f8efdae9081dd9988f2ef7f8f0fcd23f7fa7b6aea06826
SHA512 1ff46cc474eba5b9f8c976e5cf464a26e315760e6f4c25ad671dea544dd32f178f030996d193355d1567e3085f13931e931697736fec042cf5e303bd5620092d

C:\Windows\system\ULmXEsY.exe

MD5 1a88db7e5403bb2d509270c2d089a2bd
SHA1 e0ad533e7aa050a45572f5ed19b8cd25e50ad08f
SHA256 7ee473a6348ad0ae3f3adf81e787c27212986c391fd5043ec17e84a7e133f573
SHA512 b711b095fa1e47ef6da8aca7e5d781a900886d925c293c92f6a7b90f19f80371c3bbcdcf11f4cb393cf59063a0dce7011d74b25e9c1a65ce2aff7df3d26aef1f

C:\Windows\system\shEiLQf.exe

MD5 234924307eca8bcdd47b4024c3db53ed
SHA1 ed9fd4a807e0542461f9ed2e891c84905f7e0f5b
SHA256 667466e9a041d759283c9b4cf27d08328c63ca8235a286a1bd20368d5f1c84de
SHA512 e34bcab83fd7e183dd5f290320df1acee9f30f14a60fecdf6da4bb039b11ee589c1c990592dc96f76d8fc6169627d7b9882cb169f21c4a2ba9b2e37e3d1cfd39

C:\Windows\system\ruIoRff.exe

MD5 bf4efe38db702aa9cf5d44c57e7ebaa1
SHA1 6c6ec8b351c44a2e20e5c818e03fc551074e1506
SHA256 672355c026a838a39d5dbebdd03e2c8e60660f8363fd1db89f5d8d6c79de5dc1
SHA512 6c292906bf2158602702eb6cde4564defe80d457ee24f001a2af6bf6805d85b13e93f8457e3e5af81601e20294eeae9a526aa326399bdf96332e047c41687900

C:\Windows\system\gCidrhp.exe

MD5 e9bdc7399201725ffe4ba8c243d76e07
SHA1 fed114396174dd164ad249c4d8cdcbdd5535006f
SHA256 e27468230ba33ca2a4aea131a0ac9b5ec792045b7b7c335562ca2fe3c4d8a9e0
SHA512 aceb1cbd8691a4fc0785f0ab5c31775f74cd86bf65e104b3d9ff569da4f2816c021a2b26ef0f92484192c76e5433ba970cff335b19189cc6f20abdb9b367362a

memory/400-136-0x000000013F450000-0x000000013F7A1000-memory.dmp

memory/316-137-0x000000013F1B0000-0x000000013F501000-memory.dmp

memory/2604-151-0x000000013F380000-0x000000013F6D1000-memory.dmp

memory/2924-155-0x000000013FA60000-0x000000013FDB1000-memory.dmp

memory/2988-157-0x000000013FA00000-0x000000013FD51000-memory.dmp

memory/2984-156-0x000000013F160000-0x000000013F4B1000-memory.dmp

memory/2856-154-0x000000013F130000-0x000000013F481000-memory.dmp

memory/1520-153-0x000000013F0C0000-0x000000013F411000-memory.dmp

memory/2324-152-0x000000013FD40000-0x0000000140091000-memory.dmp

memory/400-158-0x000000013F450000-0x000000013F7A1000-memory.dmp

memory/400-167-0x00000000022F0000-0x0000000002641000-memory.dmp

memory/400-166-0x000000013F450000-0x000000013F7A1000-memory.dmp

memory/316-205-0x000000013F1B0000-0x000000013F501000-memory.dmp

memory/3028-224-0x000000013F940000-0x000000013FC91000-memory.dmp

memory/2192-226-0x000000013F420000-0x000000013F771000-memory.dmp

memory/2840-228-0x000000013F940000-0x000000013FC91000-memory.dmp

memory/2312-247-0x000000013F3C0000-0x000000013F711000-memory.dmp

memory/3000-244-0x000000013F7D0000-0x000000013FB21000-memory.dmp

memory/2300-242-0x000000013F340000-0x000000013F691000-memory.dmp

memory/2748-239-0x000000013F6F0000-0x000000013FA41000-memory.dmp

memory/2628-236-0x000000013F430000-0x000000013F781000-memory.dmp

memory/2804-235-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

memory/1740-232-0x000000013F980000-0x000000013FCD1000-memory.dmp

memory/2808-231-0x000000013F770000-0x000000013FAC1000-memory.dmp

memory/2756-241-0x000000013F3F0000-0x000000013F741000-memory.dmp

memory/2648-250-0x000000013F710000-0x000000013FA61000-memory.dmp
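Added example, not part of the sandbox report: a small parser for the memory-dump names listed in the Files sections. It assumes the name layout is `memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp`, which matches every entry above but is not documented on this page. Subtracting start from end shows that every region listed for the dropped executables, in both the win7 and win10 detonations, is exactly 0x351000 bytes; the only other size on the page is the 0x10000 region in PID 4720. The `SAMPLE_DUMPS` excerpt is copied from this report, and the image/private classification is a size heuristic of this example rather than something the report states.

```python
"""Parse sandbox memory-dump names and compare the mapped region sizes across processes."""
import re
from collections import defaultdict

# Constructed excerpt: dump names copied from the behavioral1 and behavioral2 Files
# sections of this report. The name layout (pid-seq-start-end) is an assumption.
SAMPLE_DUMPS = """
memory/400-98-0x00000000022F0000-0x0000000002641000-memory.dmp
memory/2808-97-0x000000013F770000-0x000000013FAC1000-memory.dmp
memory/2748-94-0x000000013F6F0000-0x000000013FA41000-memory.dmp
memory/400-90-0x000000013F940000-0x000000013FC91000-memory.dmp
memory/4720-0-0x00007FF797970000-0x00007FF797CC1000-memory.dmp
memory/4720-1-0x000001870A2D0000-0x000001870A2E0000-memory.dmp
memory/1144-8-0x00007FF64EBE0000-0x00007FF64EF31000-memory.dmp
memory/2884-14-0x00007FF7224B0000-0x00007FF722801000-memory.dmp
"""

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """One dump name -> dict with pid, seq, start, end and size, or None if it does not match."""
    m = DUMP_RE.match(name.strip())
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def parse_dumps(text):
    """All parseable dump names in a block of text, in file order."""
    return [r for r in (parse_dump_name(line) for line in text.splitlines()) if r]


def regions_by_pid(records):
    """pid -> set of (start, size); the same region dumped several times collapses to one entry."""
    out = defaultdict(set)
    for r in records:
        out[r["pid"]].add((r["start"], r["size"]))
    return dict(out)


def shared_sizes(records, min_pids=2):
    """Region sizes seen in at least min_pids distinct processes, with the pids that map them.

    Unrelated executables would not all map an image of exactly the same size; one size
    shared by every child supports the reading that the drops are variants of one build.
    """
    pids = defaultdict(set)
    for r in records:
        pids[r["size"]].add(r["pid"])
    return {size: sorted(p) for size, p in pids.items() if len(p) >= min_pids}


def classify(record):
    """Size heuristic of this example (not from the report): multi-MB region = image, else private."""
    return "image" if record["size"] >= 0x100000 else "private"


if __name__ == "__main__":
    recs = parse_dumps(SAMPLE_DUMPS)
    for size, pid_list in shared_sizes(recs).items():
        print(f"size 0x{size:X} mapped in pids {pid_list}")
    for r in recs:
        print(f"pid {r['pid']:>5} seq {r['seq']:>3} 0x{r['start']:016X} size 0x{r['size']:X} {classify(r)}")
```

Run it over the complete list of dump names to confirm the pattern across all 21 children. Every dropped file on this page has a distinct hash, so they are not byte-identical copies, but a single in-memory footprint across all of them is the quickest check that they are variants of one build rather than 21 unrelated programs.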

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-05 09:48

Reported

2024-08-05 09:51

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 matches; the report records no description, indicator, process or target for any of them)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (47 matches; the report records no description, indicator, process or target for any of them)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 matches; the report records no description, indicator, process or target for any of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\cHtrFwy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yWLXDXQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QyRkIGn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gCidrhp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\shEiLQf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vGQjyrm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PdmNRyi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IbunImf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YtOnRKT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pXTkuhM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DdCRauJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eadlUlg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ruIoRff.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vdZspAU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SPRFDPT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KHyrpJq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EPyPkcZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ULmXEsY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eHwTKwv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GeWVWgk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MFOQRmG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4720 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YtOnRKT.exe
PID 4720 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YtOnRKT.exe
PID 4720 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cHtrFwy.exe
PID 4720 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cHtrFwy.exe
PID 4720 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KHyrpJq.exe
PID 4720 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KHyrpJq.exe
PID 4720 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QyRkIGn.exe
PID 4720 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QyRkIGn.exe
PID 4720 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pXTkuhM.exe
PID 4720 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pXTkuhM.exe
PID 4720 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EPyPkcZ.exe
PID 4720 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EPyPkcZ.exe
PID 4720 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DdCRauJ.exe
PID 4720 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DdCRauJ.exe
PID 4720 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gCidrhp.exe
PID 4720 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gCidrhp.exe
PID 4720 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eadlUlg.exe
PID 4720 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eadlUlg.exe
PID 4720 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ruIoRff.exe
PID 4720 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ruIoRff.exe
PID 4720 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\shEiLQf.exe
PID 4720 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\shEiLQf.exe
PID 4720 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ULmXEsY.exe
PID 4720 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ULmXEsY.exe
PID 4720 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vGQjyrm.exe
PID 4720 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vGQjyrm.exe
PID 4720 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eHwTKwv.exe
PID 4720 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eHwTKwv.exe
PID 4720 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GeWVWgk.exe
PID 4720 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GeWVWgk.exe
PID 4720 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PdmNRyi.exe
PID 4720 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PdmNRyi.exe
PID 4720 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MFOQRmG.exe
PID 4720 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MFOQRmG.exe
PID 4720 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SPRFDPT.exe
PID 4720 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SPRFDPT.exe
PID 4720 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IbunImf.exe
PID 4720 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IbunImf.exe
PID 4720 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yWLXDXQ.exe
PID 4720 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yWLXDXQ.exe
PID 4720 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vdZspAU.exe
PID 4720 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vdZspAU.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\YtOnRKT.exe

C:\Windows\System\YtOnRKT.exe

C:\Windows\System\cHtrFwy.exe

C:\Windows\System\cHtrFwy.exe

C:\Windows\System\KHyrpJq.exe

C:\Windows\System\KHyrpJq.exe

C:\Windows\System\QyRkIGn.exe

C:\Windows\System\QyRkIGn.exe

C:\Windows\System\pXTkuhM.exe

C:\Windows\System\pXTkuhM.exe

C:\Windows\System\EPyPkcZ.exe

C:\Windows\System\EPyPkcZ.exe

C:\Windows\System\DdCRauJ.exe

C:\Windows\System\DdCRauJ.exe

C:\Windows\System\gCidrhp.exe

C:\Windows\System\gCidrhp.exe

C:\Windows\System\eadlUlg.exe

C:\Windows\System\eadlUlg.exe

C:\Windows\System\ruIoRff.exe

C:\Windows\System\ruIoRff.exe

C:\Windows\System\shEiLQf.exe

C:\Windows\System\shEiLQf.exe

C:\Windows\System\ULmXEsY.exe

C:\Windows\System\ULmXEsY.exe

C:\Windows\System\vGQjyrm.exe

C:\Windows\System\vGQjyrm.exe

C:\Windows\System\eHwTKwv.exe

C:\Windows\System\eHwTKwv.exe

C:\Windows\System\GeWVWgk.exe

C:\Windows\System\GeWVWgk.exe

C:\Windows\System\PdmNRyi.exe

C:\Windows\System\PdmNRyi.exe

C:\Windows\System\MFOQRmG.exe

C:\Windows\System\MFOQRmG.exe

C:\Windows\System\SPRFDPT.exe

C:\Windows\System\SPRFDPT.exe

C:\Windows\System\IbunImf.exe

C:\Windows\System\IbunImf.exe

C:\Windows\System\yWLXDXQ.exe

C:\Windows\System\yWLXDXQ.exe

C:\Windows\System\vdZspAU.exe

C:\Windows\System\vdZspAU.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp

Files

memory/4720-0-0x00007FF797970000-0x00007FF797CC1000-memory.dmp

memory/4720-1-0x000001870A2D0000-0x000001870A2E0000-memory.dmp

C:\Windows\System\YtOnRKT.exe

MD5 dd35b9111dad5d1121506e60b8b952a7
SHA1 9d710dcbc91adf9185c59268b5fe7807845fb044
SHA256 d644f31568812f4a62ffa3ffeef2b045e39730e1d2ba239cb6552cdb4b1f0c85
SHA512 71e5c3ab86c5a735712c49716342a97cd5c691d02f84ff473ce56cdb39875c0c3aa428b6cc319ed25c9921b77a26681fcbee724387c8e8a217af566d521c18b1

C:\Windows\System\cHtrFwy.exe

MD5 c967c4408677aaac3dd3c1d61af0a09b
SHA1 14f27aadc921ae58c2d1dd005894b8a7ccb8d87f
SHA256 d4c8cb091a2df780f9ae9db4c461e300cfd1f31190272858b5432bf234e2006d
SHA512 f1e31b4919cb9f47a60c2e0190a8152527964b69930b226c7007c5a04758c49f6b1265a110bb35aad94b216daba8d1ecacdf34e7d9fc766f41232e6b07f2607a

memory/1144-8-0x00007FF64EBE0000-0x00007FF64EF31000-memory.dmp

C:\Windows\System\KHyrpJq.exe

MD5 761c50445548d969f5858758dee5ba3b
SHA1 52c7581f6fb67051378d1dab94fbc5b01afcdc5f
SHA256 f9d9685300ae78c08f57d2255db4832678f0441dfdb8e6ea1b3b6e2103fa369f
SHA512 86740b32a7f97ff26106e97ceea8efc3096ed54e0357698a2bcc1563c881e750ebc9729a3b09357bcdefd280e2a5cb387133c816b6b9fecc2c32b83a66bc9b98

memory/2884-14-0x00007FF7224B0000-0x00007FF722801000-memory.dmp

memory/2404-20-0x00007FF7B1CD0000-0x00007FF7B2021000-memory.dmp

C:\Windows\System\QyRkIGn.exe

MD5 ec109eea81d85b2182522aa114abf97d
SHA1 efd634fecd25d8b96308e5737ebf22a9d1aa3643
SHA256 a55eee968ad26e432cf90e149c1431493d120b02d5accb6c96cb866e1c8222b3
SHA512 16eba19f58341a54a2629f84fb676baf5abb89474035fc3dc444c35889eb4a4c682ee4d43788dd53e87f2fd49cc226aad0426636a7926d3cd2d8680f47735482

memory/2984-28-0x00007FF7B46A0000-0x00007FF7B49F1000-memory.dmp

C:\Windows\System\pXTkuhM.exe

MD5 0311fc49115635485a583afd621c701b
SHA1 5ac7a87846b5e9893c3e28ec283370ccf114eca5
SHA256 251a2cfb6e2749ffedb1d2ecdc29e5f1eab4ffb030f09fb3e4cc0ef74094d950
SHA512 7d1e7d6386cb605c9ef62ecad5b046eee300cd61f9fd64f1bb0c20e66bfa25fc64ef9547fe86813c6ed5108eaaa53fea6c57aca633d80509b61e9558f77480a8

memory/552-30-0x00007FF6FA180000-0x00007FF6FA4D1000-memory.dmp

C:\Windows\System\EPyPkcZ.exe

MD5 a9ca099581febaf704a5887217b838a9
SHA1 740e3677636cc595c20ca6c8f9363e7c12a32691
SHA256 d53818ef1ba53a699c3b05825b324a08337bea3111db47b85c3836bae4f82951
SHA512 8aad9455344b926b5abc83ca51d5c21a686f74cce7bef97b3a1373ebd50bac5e1ec6e97c57414be119e77af59528376f45d19143e926dd95ce9c42b0c13cbab8

memory/920-52-0x00007FF790D30000-0x00007FF791081000-memory.dmp

C:\Windows\System\gCidrhp.exe

MD5 e9bdc7399201725ffe4ba8c243d76e07
SHA1 fed114396174dd164ad249c4d8cdcbdd5535006f
SHA256 e27468230ba33ca2a4aea131a0ac9b5ec792045b7b7c335562ca2fe3c4d8a9e0
SHA512 aceb1cbd8691a4fc0785f0ab5c31775f74cd86bf65e104b3d9ff569da4f2816c021a2b26ef0f92484192c76e5433ba970cff335b19189cc6f20abdb9b367362a

C:\Windows\System\vGQjyrm.exe

MD5 1f667da604f1e7b593f3c26bc653c942
SHA1 a2efd7c2d2047fde1b5b8d64a01a437fe41b2d95
SHA256 e4e60775677d91f1e02bf822898e10e9e6b129ec2b0abed9887c634c2d51e65e
SHA512 57fe87cbd0a6ae3fc269180fe98c98ddd11a9ad2848f666e3d776c5efb317e3833d11043862f98d3788862e8b61d24d527d1f914a9424573ef5bbfb6bf5f7514

C:\Windows\System\eHwTKwv.exe

MD5 a1a21eba3bc40aedd4292be70d67939c
SHA1 b80b288881835546521083306530e674a1fc11f6
SHA256 6c5e9ccfad0225e344f8efdae9081dd9988f2ef7f8f0fcd23f7fa7b6aea06826
SHA512 1ff46cc474eba5b9f8c976e5cf464a26e315760e6f4c25ad671dea544dd32f178f030996d193355d1567e3085f13931e931697736fec042cf5e303bd5620092d

memory/992-79-0x00007FF7A7DE0000-0x00007FF7A8131000-memory.dmp

C:\Windows\System\IbunImf.exe

MD5 e53c14640dfbbc8d3b55719008c69dba
SHA1 0515466056153bedd91b520eaaf222186def4907
SHA256 862481926ba8442f3b82d623578ae06c0c868b696079cae58f193137e75f5182
SHA512 0d8d5cbd42b6ef2224f3d03c46659b094ffcfcb54a0b7cc96c885128808c382ae8f39781dad147bdaffcf50642f77e40c58351ed6dd36beb6de2c90428fa1062

memory/3284-102-0x00007FF633E20000-0x00007FF634171000-memory.dmp

C:\Windows\System\SPRFDPT.exe

MD5 7a0934434fec4294a2f8ac9447f28970
SHA1 4f5fbc85b5555e4c7d7c1e05018a5c0f5bc818fe
SHA256 d06c28813d83ac9369b305c1dee8b3006898881cc8dc62259c226ceb000b0d74
SHA512 d8a3053a84900b13c0d74d84ad562e2c6bb395e95f69f1df46f407b684ba8407ffa411c7bb743a2f7b7d8273cb8b8d991b22ebf5e647bdef757e707668347d49

memory/4708-122-0x00007FF657C00000-0x00007FF657F51000-memory.dmp

memory/1388-128-0x00007FF7D20E0000-0x00007FF7D2431000-memory.dmp

memory/4720-127-0x00007FF797970000-0x00007FF797CC1000-memory.dmp

C:\Windows\System\vdZspAU.exe

MD5 ebd4dae49467190ec708f5a8635ed128
SHA1 c136b45ade04e3a5d958a0491a53ca40ee341c67
SHA256 80eabb6615b4923b5c8cdd844cf88895b6d9dfbe41fb56a805cbb829521e388d
SHA512 55ac694db4993707db3edf55f21ae0f0af19eba8f3a8c86fcf3f274e11614aa43a0b0ffe23ffab8c8a3f80d9ff8e9cb5b85d0ba3c2c71935d1c06b53c7a01685

C:\Windows\System\yWLXDXQ.exe

MD5 d078063dccc65b6cb4d593e0a951b826
SHA1 398c929d55df426f93a0c84a7c847b7d6bb0dd07
SHA256 e4e694e4404cf689f70e70f473a65f7cd138e80ec0c1179ea7bf63a9517b7cc6
SHA512 102b284c5d28e7ecd701752e12e9feeb1d3ee8e3a6491ecf2d0cbfebc5db14be718528bd9da6e71de77e386e0c3516dcad9e71560965b5b41ccf2fec75de1a8a

memory/472-121-0x00007FF710300000-0x00007FF710651000-memory.dmp

memory/3972-120-0x00007FF607610000-0x00007FF607961000-memory.dmp

memory/1756-115-0x00007FF6BB520000-0x00007FF6BB871000-memory.dmp

memory/1712-114-0x00007FF705160000-0x00007FF7054B1000-memory.dmp

C:\Windows\System\MFOQRmG.exe

MD5 13b3faf727d4a166eb908f58e813d45c
SHA1 85dc4ad737e062e71fe56101578f6c48713ccc33
SHA256 442cb836cfd5704c72073d2b8dab8c7c652a9988a840ca4b39e8c80f5adca047
SHA512 1682152fc350d40bf88837f9cae903b769f382f0f95ecccac7863de6717fb9c69bc587d3b12eecd5e16199706334e225a81ecb74e4401b40bb34fa77097985fd

C:\Windows\System\PdmNRyi.exe

MD5 57d1a0f6d8281bed16bd712d016d0b8c
SHA1 bbfdead8e0eca366ea173c5fb9728c6d5a854a99
SHA256 da4a76011c1cbeeb8d1b040c87ebe9e3c5ca8c05f315132cfeee2d40ed30fd26
SHA512 ec2d46961185a9ef86492c4a0b5f17c005705145cb2c9dead607b9bdb85cca40faada0e65e5bb0d3ef3171f9457b3c68fd360fb7344056d8e441820ab88861bd

C:\Windows\System\GeWVWgk.exe

MD5 16f10df314b8d5d564af6bc657665d75
SHA1 32a78ed54c80512df35b1ff4f4f866bd6f6c252a
SHA256 78b55b2d3bb1c49cc65a3f6d6c4c22ca9466362113bcfbd62a3e43f7636af79f
SHA512 a6fd7bfeb781caeda61d290b25e0af1f6767ed5f5bc59889d885131185d6598fe677aeb658c3f527d64141bf1d93dab296f312937e6c6b77a894f27a85a3a1e7

memory/4420-101-0x00007FF7FD0F0000-0x00007FF7FD441000-memory.dmp

memory/3692-94-0x00007FF769560000-0x00007FF7698B1000-memory.dmp

C:\Windows\System\ULmXEsY.exe

MD5 1a88db7e5403bb2d509270c2d089a2bd
SHA1 e0ad533e7aa050a45572f5ed19b8cd25e50ad08f
SHA256 7ee473a6348ad0ae3f3adf81e787c27212986c391fd5043ec17e84a7e133f573
SHA512 b711b095fa1e47ef6da8aca7e5d781a900886d925c293c92f6a7b90f19f80371c3bbcdcf11f4cb393cf59063a0dce7011d74b25e9c1a65ce2aff7df3d26aef1f

memory/1308-76-0x00007FF7D3660000-0x00007FF7D39B1000-memory.dmp

C:\Windows\System\shEiLQf.exe

MD5 234924307eca8bcdd47b4024c3db53ed
SHA1 ed9fd4a807e0542461f9ed2e891c84905f7e0f5b
SHA256 667466e9a041d759283c9b4cf27d08328c63ca8235a286a1bd20368d5f1c84de
SHA512 e34bcab83fd7e183dd5f290320df1acee9f30f14a60fecdf6da4bb039b11ee589c1c990592dc96f76d8fc6169627d7b9882cb169f21c4a2ba9b2e37e3d1cfd39

memory/4852-71-0x00007FF75BF20000-0x00007FF75C271000-memory.dmp

memory/1196-70-0x00007FF6EF230000-0x00007FF6EF581000-memory.dmp

C:\Windows\System\ruIoRff.exe

MD5 bf4efe38db702aa9cf5d44c57e7ebaa1
SHA1 6c6ec8b351c44a2e20e5c818e03fc551074e1506
SHA256 672355c026a838a39d5dbebdd03e2c8e60660f8363fd1db89f5d8d6c79de5dc1
SHA512 6c292906bf2158602702eb6cde4564defe80d457ee24f001a2af6bf6805d85b13e93f8457e3e5af81601e20294eeae9a526aa326399bdf96332e047c41687900

C:\Windows\System\eadlUlg.exe

MD5 156f4019a14753a7cfefb01f38e96782
SHA1 43e2a5f5dc9424cab922a3d5371d2fdc15a7d330
SHA256 558790c22fa1a7d06287c9fe3f8e058cdccaf7b6347b807b681ffb29b911ebad
SHA512 e8e52db729035831edd1b6ab1576299b2abfffc1cdaef5185928ebcdb81a3f80ae468c8e90699537fbcdf7ea211f89c0b01893e533b1e85464e0df90bd7cae63

memory/4276-59-0x00007FF7C7E40000-0x00007FF7C8191000-memory.dmp

C:\Windows\System\DdCRauJ.exe

MD5 48530fe23d83e008827a8940b6194e4c
SHA1 9ab3091df11b9240546e67f5cf2e124c87658e5d
SHA256 1992e493ef1d4f8e6204c37951be5c5dcf440a8cff9b9f22dc51aa978d9e7887
SHA512 01d27dfc20c75197233dbd252dd4c537c37a29484e7bf62ecb02ef0e5cf310b87421ca73883c74e6818c16c711d9c79330647d5a415fa93a5d30072ca9e364a5

memory/4120-38-0x00007FF6C8A10000-0x00007FF6C8D61000-memory.dmp

memory/3692-141-0x00007FF769560000-0x00007FF7698B1000-memory.dmp

memory/1712-147-0x00007FF705160000-0x00007FF7054B1000-memory.dmp

memory/1756-148-0x00007FF6BB520000-0x00007FF6BB871000-memory.dmp

memory/3284-146-0x00007FF633E20000-0x00007FF634171000-memory.dmp

memory/4852-142-0x00007FF75BF20000-0x00007FF75C271000-memory.dmp

memory/1196-140-0x00007FF6EF230000-0x00007FF6EF581000-memory.dmp

memory/4276-137-0x00007FF7C7E40000-0x00007FF7C8191000-memory.dmp

memory/4120-135-0x00007FF6C8A10000-0x00007FF6C8D61000-memory.dmp

memory/2984-133-0x00007FF7B46A0000-0x00007FF7B49F1000-memory.dmp

memory/920-136-0x00007FF790D30000-0x00007FF791081000-memory.dmp

memory/552-134-0x00007FF6FA180000-0x00007FF6FA4D1000-memory.dmp

memory/2404-132-0x00007FF7B1CD0000-0x00007FF7B2021000-memory.dmp

memory/1144-130-0x00007FF64EBE0000-0x00007FF64EF31000-memory.dmp

memory/4720-129-0x00007FF797970000-0x00007FF797CC1000-memory.dmp

memory/4708-150-0x00007FF657C00000-0x00007FF657F51000-memory.dmp

memory/4720-151-0x00007FF797970000-0x00007FF797CC1000-memory.dmp

memory/1144-200-0x00007FF64EBE0000-0x00007FF64EF31000-memory.dmp

memory/2884-202-0x00007FF7224B0000-0x00007FF722801000-memory.dmp

memory/2404-204-0x00007FF7B1CD0000-0x00007FF7B2021000-memory.dmp

memory/2984-206-0x00007FF7B46A0000-0x00007FF7B49F1000-memory.dmp

memory/552-208-0x00007FF6FA180000-0x00007FF6FA4D1000-memory.dmp

memory/4120-210-0x00007FF6C8A10000-0x00007FF6C8D61000-memory.dmp

memory/920-212-0x00007FF790D30000-0x00007FF791081000-memory.dmp

memory/4276-214-0x00007FF7C7E40000-0x00007FF7C8191000-memory.dmp

memory/1308-216-0x00007FF7D3660000-0x00007FF7D39B1000-memory.dmp

memory/992-218-0x00007FF7A7DE0000-0x00007FF7A8131000-memory.dmp

memory/1196-220-0x00007FF6EF230000-0x00007FF6EF581000-memory.dmp

memory/4852-224-0x00007FF75BF20000-0x00007FF75C271000-memory.dmp

memory/3692-223-0x00007FF769560000-0x00007FF7698B1000-memory.dmp

memory/4420-226-0x00007FF7FD0F0000-0x00007FF7FD441000-memory.dmp

memory/3972-230-0x00007FF607610000-0x00007FF607961000-memory.dmp

memory/472-229-0x00007FF710300000-0x00007FF710651000-memory.dmp

memory/3284-232-0x00007FF633E20000-0x00007FF634171000-memory.dmp

memory/1712-234-0x00007FF705160000-0x00007FF7054B1000-memory.dmp

memory/1388-240-0x00007FF7D20E0000-0x00007FF7D2431000-memory.dmp

memory/1756-238-0x00007FF6BB520000-0x00007FF6BB871000-memory.dmp

memory/4708-237-0x00007FF657C00000-0x00007FF657F51000-memory.dmp
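Added example, not part of the sandbox report: a correlation script for the row formats shown in behavioral2. It rebuilds the parent-to-child tree from the `wrote to memory of` rows (collapsing the two writes the sandbox logs per child), checks every `File created` path against the children actually spawned, de-duplicates the Files-section hashes so that the same executable hashed in both detonations counts once, and tallies non-DNS connections so the repeated 3.120.209.58:8080 contacts stand out from the reverse-DNS and Bing noise. The `REPORT` excerpt is constructed from rows on this page with the parent path shortened to `sample.exe`; the row regexes are this example's assumptions about the report layout, and `vGQjyrm.exe` is left out of the spawn rows deliberately so the unexecuted-drop check has something to report (in the full report all 21 dropped files are executed).

```python
"""Correlate drop, execute, hash and network rows of a sandbox report into a process tree and IOCs."""
import re
from collections import defaultdict

# Constructed excerpt of rows from this report's behavioral2 "Drops file in Windows
# directory", "Suspicious use of WriteProcessMemory" and Network tables plus the Files
# sections of both detonations. The parent path is shortened to sample.exe for readability.
REPORT = r"""
File created C:\Windows\System\cHtrFwy.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Windows\System\YtOnRKT.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Windows\System\gCidrhp.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Windows\System\vGQjyrm.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
PID 4720 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\YtOnRKT.exe
PID 4720 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\YtOnRKT.exe
PID 4720 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\cHtrFwy.exe
PID 4720 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\gCidrhp.exe
C:\Windows\system\gCidrhp.exe
MD5 e9bdc7399201725ffe4ba8c243d76e07
SHA256 e27468230ba33ca2a4aea131a0ac9b5ec792045b7b7c335562ca2fe3c4d8a9e0
C:\Windows\System\gCidrhp.exe
MD5 e9bdc7399201725ffe4ba8c243d76e07
SHA256 e27468230ba33ca2a4aea131a0ac9b5ec792045b7b7c335562ca2fe3c4d8a9e0
C:\Windows\System\cHtrFwy.exe
MD5 c967c4408677aaac3dd3c1d61af0a09b
SHA256 d4c8cb091a2df780f9ae9db4c461e300cfd1f31190272858b5432bf234e2006d
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""

FILE_CREATED = re.compile(r"^File created (\S+) (\S+) \S+$")
WROTE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")
HASH = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
WIN_PATH = re.compile(r"^[A-Za-z]:\\\S+$")
NET = re.compile(r"^([A-Z]{2}) (\S+):(\d+)(?: (\S+))? (tcp|udp)$")


def norm(path):
    # NTFS is case-insensitive; the report lists both 'system' and 'System' for one directory.
    return path.lower()


def parse_report(text):
    """Return (drops, spawns, entries, net): dropped paths, parent->children, per-file hashes, connections."""
    drops, spawns, entries, net = [], defaultdict(set), [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if (m := FILE_CREATED.match(line)):
            drops.append(norm(m[1]))
        elif (m := WROTE.match(line)):
            # The sandbox logs two writes per child; a set collapses them into one edge.
            spawns[(int(m[1]), norm(m[3]))].add((int(m[2]), norm(m[4])))
        elif (m := HASH.match(line)) and entries:
            entries[-1][m[1]] = m[2]  # hash lines belong to the most recent path line
        elif WIN_PATH.match(line):
            entries.append({"path": norm(line)})
        elif (m := NET.match(line)):
            net.append((m[2], int(m[3]), m[4], m[5]))
    return drops, dict(spawns), entries, net


def process_tree(spawns):
    """parent pid -> sorted list of (child pid, child image)."""
    tree = defaultdict(list)
    for (ppid, _), kids in spawns.items():
        tree[ppid].extend(sorted(kids))
    return dict(tree)


def dropped_not_executed(drops, spawns):
    """Drops that never became a child process: staged payloads worth collecting from disk."""
    executed = {img for kids in spawns.values() for _, img in kids}
    return sorted(set(drops) - executed)


def unique_iocs(entries, algo="SHA256"):
    """hash -> sorted paths seen with it; one hash under several names is one payload, many copies."""
    by_hash = defaultdict(set)
    for e in entries:
        if algo in e:
            by_hash[e[algo]].add(e["path"])
    return {h: sorted(p) for h, p in by_hash.items()}


def connection_counts(net):
    """(ip, port, proto) -> hits, excluding DNS so repeated C2 contacts stand out."""
    counts = defaultdict(int)
    for ip, port, _domain, proto in net:
        if port != 53:
            counts[(ip, port, proto)] += 1
    return dict(counts)


if __name__ == "__main__":
    drops, spawns, entries, net = parse_report(REPORT)
    for ppid, kids in process_tree(spawns).items():
        for pid, img in kids:
            print(f"{ppid} -> {pid} {img}")
    print("dropped but never executed:", dropped_not_executed(drops, spawns))
    for h, paths in unique_iocs(entries).items():
        print(h, paths)
    for key, n in sorted(connection_counts(net).items(), key=lambda kv: -kv[1]):
        print(f"{key[0]}:{key[1]}/{key[2]} x{n}")
```

On the full tables the tree has one parent (PID 4720) and 21 children, all 21 `File created` paths appear as children, and the hashes for PdmNRyi, eHwTKwv, ULmXEsY, shEiLQf, ruIoRff and gCidrhp are identical between the win7 and win10 runs, so the seven-letter names and the file contents are fixed per drop rather than generated at run time. The one TCP destination that is neither DNS nor Bing, 3.120.209.58:8080, appears six times inside the 150 s network window, which is the row to carry into a block list.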