Malware Analysis Report

2025-01-22 19:21

Sample ID 240805-lv1hrasgjj
Target 2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat
SHA256 d6fa81219bc189e713fe68f1b2f7e25128987e0b075a2f2e6ce742ce82cdf7ea
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d6fa81219bc189e713fe68f1b2f7e25128987e0b075a2f2e6ce742ce82cdf7ea

Threat Level: Known bad

The file 2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobalt Strike reflective loader

XMRig Miner payload

Cobaltstrike

Xmrig family

Cobaltstrike family

xmrig

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-05 09:51

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-05 09:51

Reported

2024-08-05 09:54

Platform

win7-20240729-en

Max time kernel

142s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\kPpsdoS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mwFujae.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZpnKngi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MVhzxDI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IIxfgyr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GPjFsDr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sPzLPAr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oNnSAwe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FcdHRoZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MtEkbdA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MDgelcY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sqcUIws.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VleTOWd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ijYMHIB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nyqhQPL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lDXmfov.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ggIcAuW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wzzbiZS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\POpPReH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KBMMZsf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LZBMJhq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1316 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sqcUIws.exe
PID 1316 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sqcUIws.exe
PID 1316 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sqcUIws.exe
PID 1316 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ijYMHIB.exe
PID 1316 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ijYMHIB.exe
PID 1316 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ijYMHIB.exe
PID 1316 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZpnKngi.exe
PID 1316 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZpnKngi.exe
PID 1316 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZpnKngi.exe
PID 1316 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MVhzxDI.exe
PID 1316 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MVhzxDI.exe
PID 1316 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MVhzxDI.exe
PID 1316 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nyqhQPL.exe
PID 1316 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nyqhQPL.exe
PID 1316 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nyqhQPL.exe
PID 1316 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lDXmfov.exe
PID 1316 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lDXmfov.exe
PID 1316 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lDXmfov.exe
PID 1316 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wzzbiZS.exe
PID 1316 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wzzbiZS.exe
PID 1316 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wzzbiZS.exe
PID 1316 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\POpPReH.exe
PID 1316 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\POpPReH.exe
PID 1316 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\POpPReH.exe
PID 1316 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IIxfgyr.exe
PID 1316 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IIxfgyr.exe
PID 1316 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IIxfgyr.exe
PID 1316 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GPjFsDr.exe
PID 1316 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GPjFsDr.exe
PID 1316 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GPjFsDr.exe
PID 1316 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sPzLPAr.exe
PID 1316 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sPzLPAr.exe
PID 1316 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sPzLPAr.exe
PID 1316 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oNnSAwe.exe
PID 1316 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oNnSAwe.exe
PID 1316 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oNnSAwe.exe
PID 1316 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kPpsdoS.exe
PID 1316 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kPpsdoS.exe
PID 1316 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kPpsdoS.exe
PID 1316 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KBMMZsf.exe
PID 1316 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KBMMZsf.exe
PID 1316 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KBMMZsf.exe
PID 1316 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mwFujae.exe
PID 1316 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mwFujae.exe
PID 1316 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mwFujae.exe
PID 1316 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FcdHRoZ.exe
PID 1316 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FcdHRoZ.exe
PID 1316 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FcdHRoZ.exe
PID 1316 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LZBMJhq.exe
PID 1316 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LZBMJhq.exe
PID 1316 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LZBMJhq.exe
PID 1316 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MtEkbdA.exe
PID 1316 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MtEkbdA.exe
PID 1316 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MtEkbdA.exe
PID 1316 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MDgelcY.exe
PID 1316 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MDgelcY.exe
PID 1316 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MDgelcY.exe
PID 1316 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ggIcAuW.exe
PID 1316 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ggIcAuW.exe
PID 1316 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ggIcAuW.exe
PID 1316 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VleTOWd.exe
PID 1316 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VleTOWd.exe
PID 1316 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VleTOWd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\sqcUIws.exe

C:\Windows\System\sqcUIws.exe

C:\Windows\System\ijYMHIB.exe

C:\Windows\System\ijYMHIB.exe

C:\Windows\System\ZpnKngi.exe

C:\Windows\System\ZpnKngi.exe

C:\Windows\System\MVhzxDI.exe

C:\Windows\System\MVhzxDI.exe

C:\Windows\System\nyqhQPL.exe

C:\Windows\System\nyqhQPL.exe

C:\Windows\System\lDXmfov.exe

C:\Windows\System\lDXmfov.exe

C:\Windows\System\wzzbiZS.exe

C:\Windows\System\wzzbiZS.exe

C:\Windows\System\POpPReH.exe

C:\Windows\System\POpPReH.exe

C:\Windows\System\IIxfgyr.exe

C:\Windows\System\IIxfgyr.exe

C:\Windows\System\GPjFsDr.exe

C:\Windows\System\GPjFsDr.exe

C:\Windows\System\sPzLPAr.exe

C:\Windows\System\sPzLPAr.exe

C:\Windows\System\oNnSAwe.exe

C:\Windows\System\oNnSAwe.exe

C:\Windows\System\kPpsdoS.exe

C:\Windows\System\kPpsdoS.exe

C:\Windows\System\KBMMZsf.exe

C:\Windows\System\KBMMZsf.exe

C:\Windows\System\mwFujae.exe

C:\Windows\System\mwFujae.exe

C:\Windows\System\FcdHRoZ.exe

C:\Windows\System\FcdHRoZ.exe

C:\Windows\System\LZBMJhq.exe

C:\Windows\System\LZBMJhq.exe

C:\Windows\System\MtEkbdA.exe

C:\Windows\System\MtEkbdA.exe

C:\Windows\System\MDgelcY.exe

C:\Windows\System\MDgelcY.exe

C:\Windows\System\ggIcAuW.exe

C:\Windows\System\ggIcAuW.exe

C:\Windows\System\VleTOWd.exe

C:\Windows\System\VleTOWd.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1316-0-0x000000013F980000-0x000000013FCD1000-memory.dmp

memory/1316-1-0x00000000003F0000-0x0000000000400000-memory.dmp

C:\Windows\system\sqcUIws.exe

MD5 1eeb9a736cc42fafe5f450f8e8cdd241
SHA1 e106cf09c2606509b6e8eb1d4d0f699a9928722a
SHA256 f229d84d4b1f73a58ab539022a8f8ef2ed5993a651acf4d9dcbb3c6252690f31
SHA512 7968c83ad002a3d1a950c5a2fa8b7abb3162ca728b6468460d0c2a0eb6b79294ce66d6d81c5c75d60987ce990b387afd2c05bec6696ca35ca8a3f6b3ae7dc4c1

memory/1316-7-0x00000000022B0000-0x0000000002601000-memory.dmp

memory/1500-9-0x000000013F9F0000-0x000000013FD41000-memory.dmp

C:\Windows\system\ijYMHIB.exe

MD5 588a6bc8291f425b67feb758997f9f07
SHA1 9fb66f11c1401d4d9dff7f822a366b091bf7eff7
SHA256 dc7424c23e40fe6273de7f98d1683dec1978a0b6ce4b7d15410f0ab8fd300045
SHA512 1a710964e6299e7fa3ba0e7da93b9966d2cba24bf77565ee700800c9a6ce0d2c192a7646b49563fe82e70bfdf283ee709865db7ad280a96529a0bc512e100b10

memory/2248-15-0x000000013F480000-0x000000013F7D1000-memory.dmp

memory/1316-14-0x000000013F480000-0x000000013F7D1000-memory.dmp

C:\Windows\system\ZpnKngi.exe

MD5 5f72ce968e7394cac98644fe01952058
SHA1 ef6049eaf659f7a9bb565e024e75e7ce59279b42
SHA256 53c242aedd97dcf6f2a520259a4c8da9538d58047837511926ff7099f73f03a3
SHA512 4096879b8d741607fb3ddd80d87526fd069d78a2e86b640cd5fd7eeadc9fde6c80c21ea0cd4abd845a08de3b9a15c0916dc4eb284f634e9d22c464ed99e12a0d

memory/2796-22-0x000000013F290000-0x000000013F5E1000-memory.dmp

memory/1316-21-0x000000013F290000-0x000000013F5E1000-memory.dmp

C:\Windows\system\MVhzxDI.exe

MD5 068cc7f6456a6b356d696bdcefb59f5b
SHA1 d274cd511cde6b3966213d8f4a3b9ab787cd7868
SHA256 fba4ff89fc4c463274c21172b42a3ae7e4fe611b46922449bdf8aade05509373
SHA512 e8ca9187cebce14eec789d6a3c28c6611c1f2e82487209fc9080f1ec738b2ccf33d1fec8f933059908a28be2b5194c8071f110d973bc733b9f3559e4c7d7ee68

memory/1316-28-0x000000013F490000-0x000000013F7E1000-memory.dmp

memory/2800-30-0x000000013F490000-0x000000013F7E1000-memory.dmp

C:\Windows\system\nyqhQPL.exe

MD5 7ce47363c24bd9d4a7fb1d7d81887a80
SHA1 39a1dd5faa2afe06f2660d56e669dea14d8c6e74
SHA256 effcc71a1d992e2427816f1d7cc4abf10aff5070eae2d08cb98f326a8361673f
SHA512 8d6769faad288ca13067f049381a971375f2aa6079196cb5cb744c762747d8b3f576a1a43b991e1d2b6f982729f4e805e06c25ac433043646eb1d0eef81bc7aa

memory/1316-35-0x000000013FCF0000-0x0000000140041000-memory.dmp

\Windows\system\lDXmfov.exe

MD5 2ba17871ab767a44da44447432280fb7
SHA1 2973f78568bc69c1637fc7b431609338136e154c
SHA256 07ea08bff7cb404ec432150983ba93b626d26ab80591e04ddc13552f3db51d8e
SHA512 966a0eb8c9e7a41ffda94cb9d1fbdc4c5aae9fe89de3934c3e15df62244bc0b71753d71e2ca6f309e07245d7612b15f5d6d6822243517bfe3e9813096007e747

memory/1316-44-0x00000000022B0000-0x0000000002601000-memory.dmp

memory/2988-43-0x000000013FAD0000-0x000000013FE21000-memory.dmp

memory/2728-42-0x000000013FCF0000-0x0000000140041000-memory.dmp

\Windows\system\POpPReH.exe

MD5 5b8685af10faf03f48050e4c301a6066
SHA1 b9170ae00fe8d4a2accbfcd8f90341b5fba6bb93
SHA256 439fcd60caffa88ea91d353dbddd980840b86087052fb317f56f551fc3cad8f4
SHA512 60228698aef133d3afcd2597eeb31ee5786a270ce94669b301578b646537d5df7892b6b9834eaef741693a877045ae1a72e6f14db6a1ca599336a66a08dd021b

\Windows\system\IIxfgyr.exe

MD5 c3e838b2b4840828cd7d0a65f55e1c2b
SHA1 250253f2c59847a06693bcf870fb426987fbc5b2
SHA256 cde4f849643a58d30068e8758717f00ba111e0e4e7762c4720675e9b53b5fcc1
SHA512 9c2d7b64d5d8c4dd711962732c08f6238e8398ae4185a92ece257337247c3b5e5138d04c8229cdcded4ee38811da0ea8301dba2e805a5364e06f71e5d8fecfc7

memory/2716-56-0x000000013F050000-0x000000013F3A1000-memory.dmp

memory/2668-64-0x000000013F330000-0x000000013F681000-memory.dmp

memory/2616-63-0x000000013FB30000-0x000000013FE81000-memory.dmp

memory/1316-61-0x000000013F330000-0x000000013F681000-memory.dmp

memory/1316-58-0x00000000022B0000-0x0000000002601000-memory.dmp

C:\Windows\system\wzzbiZS.exe

MD5 de87a6b75084272b7fcca478ec43e970
SHA1 dbc8b4d47a7455a07a18a35ae0b8c3a8133781f9
SHA256 2dc08d680c3d4fa4b4693d18f51d9deb3d01ec7d2426fa5b909ef6e5e43292f9
SHA512 2606f1932ad396fe49d1a076894cc39a0a8b6d5d52487ce5c7a80134b24d95ae143e658927b7a9ce9c04488052bb9e44ca4b19fd096a6ae9d7a760f10affa2f8

C:\Windows\system\GPjFsDr.exe

MD5 4f63f7085c3f39eb7fec3133390dc201
SHA1 271a3059ec25696f476ab1ecbeaa2f97cc41eda8
SHA256 39c75658eb8bb851e1bbeefcb83d9a13ede0b0120f21cb37a49d53e7ab8ec3c7
SHA512 9340e2f70bae21236be6225ca1034d2ca3742a8eb4da9929ef90af6e7870ea34d71c615f3b1d9a7bf509d548db07c68607c022aa9782b3b29a6ac216a5556e24

\Windows\system\sPzLPAr.exe

MD5 99d252b5abed7c3344d4d81752aa9a45
SHA1 00bec83742dd0eeeb974eb85ef1069e3ba98a1d1
SHA256 916bb540396cf3c75d00169982484beaaeb1bf93f040853f94ebd5474316d4a4
SHA512 12fddf0a9b9ba7c1a2abd82d74c8131f9580a23d4f383d8dad54f6e132231eb14c7fea494e0fb9ee93820538738d84f72161f514d163445e4ad15a2fd0335507

memory/1316-78-0x000000013F1F0000-0x000000013F541000-memory.dmp

memory/1500-76-0x000000013F9F0000-0x000000013FD41000-memory.dmp

memory/1040-79-0x000000013F1F0000-0x000000013F541000-memory.dmp

memory/2248-80-0x000000013F480000-0x000000013F7D1000-memory.dmp

memory/1640-71-0x000000013F990000-0x000000013FCE1000-memory.dmp

memory/1316-70-0x000000013F980000-0x000000013FCD1000-memory.dmp

\Windows\system\oNnSAwe.exe

MD5 801bebdd46901a90e4b1614f52913d03
SHA1 cba5e46ac56130ef58a8da389e5bd68110897198
SHA256 7c79c95f946b0700f13cccfbe797c1a1084ab17ae68cf30649cc6b44bce4fe2f
SHA512 5c35109d5053d341f541835351ecbe795f5a636baf3911948d1933f4334409176b127b6913010309254a79bbb3deecc53c9ae7cbb637f37e1738c4c7c9f9eb0f

memory/2796-90-0x000000013F290000-0x000000013F5E1000-memory.dmp

memory/1316-95-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

memory/2728-97-0x000000013FCF0000-0x0000000140041000-memory.dmp

C:\Windows\system\KBMMZsf.exe

MD5 a42bc2993aa90277d37445b995db29bb
SHA1 415c45c04d61712859891d8cd2f0bd0ce146e086
SHA256 ed039caa11c5cb8bedc78f73c9333ca17b00405cf67f648952d1d2b2f3b08594
SHA512 8664582b6415484ff5861554800df508314d2537db05f78014cc2345d7fef50ba1b2f22d4463bdfb92878fe4b8d11dead1d8685d444f5362f8d6cfa239d697b4

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-05 09:51

Reported

2024-08-05 09:54

Platform

win10v2004-20240802-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\oNnSAwe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FcdHRoZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZpnKngi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lDXmfov.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wzzbiZS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\POpPReH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GPjFsDr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sPzLPAr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LZBMJhq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MDgelcY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nyqhQPL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kPpsdoS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MtEkbdA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VleTOWd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sqcUIws.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ijYMHIB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MVhzxDI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KBMMZsf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mwFujae.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ggIcAuW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IIxfgyr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1280 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sqcUIws.exe
PID 1280 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sqcUIws.exe
PID 1280 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ijYMHIB.exe
PID 1280 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ijYMHIB.exe
PID 1280 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZpnKngi.exe
PID 1280 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZpnKngi.exe
PID 1280 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MVhzxDI.exe
PID 1280 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MVhzxDI.exe
PID 1280 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nyqhQPL.exe
PID 1280 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nyqhQPL.exe
PID 1280 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lDXmfov.exe
PID 1280 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lDXmfov.exe
PID 1280 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wzzbiZS.exe
PID 1280 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wzzbiZS.exe
PID 1280 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\POpPReH.exe
PID 1280 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\POpPReH.exe
PID 1280 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IIxfgyr.exe
PID 1280 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IIxfgyr.exe
PID 1280 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GPjFsDr.exe
PID 1280 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GPjFsDr.exe
PID 1280 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sPzLPAr.exe
PID 1280 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sPzLPAr.exe
PID 1280 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oNnSAwe.exe
PID 1280 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oNnSAwe.exe
PID 1280 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kPpsdoS.exe
PID 1280 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kPpsdoS.exe
PID 1280 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KBMMZsf.exe
PID 1280 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KBMMZsf.exe
PID 1280 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mwFujae.exe
PID 1280 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mwFujae.exe
PID 1280 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FcdHRoZ.exe
PID 1280 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FcdHRoZ.exe
PID 1280 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LZBMJhq.exe
PID 1280 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LZBMJhq.exe
PID 1280 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MtEkbdA.exe
PID 1280 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MtEkbdA.exe
PID 1280 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MDgelcY.exe
PID 1280 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MDgelcY.exe
PID 1280 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ggIcAuW.exe
PID 1280 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ggIcAuW.exe
PID 1280 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VleTOWd.exe
PID 1280 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VleTOWd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\sqcUIws.exe

C:\Windows\System\sqcUIws.exe

C:\Windows\System\ijYMHIB.exe

C:\Windows\System\ijYMHIB.exe

C:\Windows\System\ZpnKngi.exe

C:\Windows\System\ZpnKngi.exe

C:\Windows\System\MVhzxDI.exe

C:\Windows\System\MVhzxDI.exe

C:\Windows\System\nyqhQPL.exe

C:\Windows\System\nyqhQPL.exe

C:\Windows\System\lDXmfov.exe

C:\Windows\System\lDXmfov.exe

C:\Windows\System\wzzbiZS.exe

C:\Windows\System\wzzbiZS.exe

C:\Windows\System\POpPReH.exe

C:\Windows\System\POpPReH.exe

C:\Windows\System\IIxfgyr.exe

C:\Windows\System\IIxfgyr.exe

C:\Windows\System\GPjFsDr.exe

C:\Windows\System\GPjFsDr.exe

C:\Windows\System\sPzLPAr.exe

C:\Windows\System\sPzLPAr.exe

C:\Windows\System\oNnSAwe.exe

C:\Windows\System\oNnSAwe.exe

C:\Windows\System\kPpsdoS.exe

C:\Windows\System\kPpsdoS.exe

C:\Windows\System\KBMMZsf.exe

C:\Windows\System\KBMMZsf.exe

C:\Windows\System\mwFujae.exe

C:\Windows\System\mwFujae.exe

C:\Windows\System\FcdHRoZ.exe

C:\Windows\System\FcdHRoZ.exe

C:\Windows\System\LZBMJhq.exe

C:\Windows\System\LZBMJhq.exe

C:\Windows\System\MtEkbdA.exe

C:\Windows\System\MtEkbdA.exe

C:\Windows\System\MDgelcY.exe

C:\Windows\System\MDgelcY.exe

C:\Windows\System\ggIcAuW.exe

C:\Windows\System\ggIcAuW.exe

C:\Windows\System\VleTOWd.exe

C:\Windows\System\VleTOWd.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files