Malware Analysis Report

2025-01-22 19:31

Sample ID 240806-n2n5eaybml
Target 2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat
SHA256 f51ef87b6fa51cb4753b3ea1c8ad4c0124ef922ec5563d14e509810845434f49
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f51ef87b6fa51cb4753b3ea1c8ad4c0124ef922ec5563d14e509810845434f49

Threat Level: Known bad

The file 2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike family

Cobalt Strike reflective loader

XMRig Miner payload

xmrig

Xmrig family

Cobaltstrike

XMRig Miner payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 11:53

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 11:53

Reported

2024-08-06 11:56

Platform

win7-20240708-en

Max time kernel

140s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\vazVQqG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CzpoPoR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sTVOqPa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GGpAUIK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OpmcMFc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aZZymwz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HYQcgIK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WtXcFLg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FvOlgxx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BTxsEpo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FCruoHJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SqYpWpE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\njTGBGo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nhCRGOD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bxYuiAu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aEyVQvD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cmjKBpI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pgxhDcS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SZTcCSG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ESvxbyz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KTKMURB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2288 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FCruoHJ.exe
PID 2288 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FCruoHJ.exe
PID 2288 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FCruoHJ.exe
PID 2288 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SqYpWpE.exe
PID 2288 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SqYpWpE.exe
PID 2288 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SqYpWpE.exe
PID 2288 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\njTGBGo.exe
PID 2288 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\njTGBGo.exe
PID 2288 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\njTGBGo.exe
PID 2288 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nhCRGOD.exe
PID 2288 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nhCRGOD.exe
PID 2288 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nhCRGOD.exe
PID 2288 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vazVQqG.exe
PID 2288 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vazVQqG.exe
PID 2288 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vazVQqG.exe
PID 2288 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aZZymwz.exe
PID 2288 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aZZymwz.exe
PID 2288 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aZZymwz.exe
PID 2288 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cmjKBpI.exe
PID 2288 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cmjKBpI.exe
PID 2288 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cmjKBpI.exe
PID 2288 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CzpoPoR.exe
PID 2288 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CzpoPoR.exe
PID 2288 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CzpoPoR.exe
PID 2288 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pgxhDcS.exe
PID 2288 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pgxhDcS.exe
PID 2288 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pgxhDcS.exe
PID 2288 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bxYuiAu.exe
PID 2288 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bxYuiAu.exe
PID 2288 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bxYuiAu.exe
PID 2288 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SZTcCSG.exe
PID 2288 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SZTcCSG.exe
PID 2288 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SZTcCSG.exe
PID 2288 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ESvxbyz.exe
PID 2288 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ESvxbyz.exe
PID 2288 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ESvxbyz.exe
PID 2288 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WtXcFLg.exe
PID 2288 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WtXcFLg.exe
PID 2288 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WtXcFLg.exe
PID 2288 wrote to memory of 284 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sTVOqPa.exe
PID 2288 wrote to memory of 284 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sTVOqPa.exe
PID 2288 wrote to memory of 284 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sTVOqPa.exe
PID 2288 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HYQcgIK.exe
PID 2288 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HYQcgIK.exe
PID 2288 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HYQcgIK.exe
PID 2288 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FvOlgxx.exe
PID 2288 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FvOlgxx.exe
PID 2288 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FvOlgxx.exe
PID 2288 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KTKMURB.exe
PID 2288 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KTKMURB.exe
PID 2288 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KTKMURB.exe
PID 2288 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aEyVQvD.exe
PID 2288 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aEyVQvD.exe
PID 2288 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aEyVQvD.exe
PID 2288 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GGpAUIK.exe
PID 2288 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GGpAUIK.exe
PID 2288 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GGpAUIK.exe
PID 2288 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OpmcMFc.exe
PID 2288 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OpmcMFc.exe
PID 2288 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OpmcMFc.exe
PID 2288 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BTxsEpo.exe
PID 2288 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BTxsEpo.exe
PID 2288 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BTxsEpo.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\FCruoHJ.exe

C:\Windows\System\FCruoHJ.exe

C:\Windows\System\SqYpWpE.exe

C:\Windows\System\SqYpWpE.exe

C:\Windows\System\njTGBGo.exe

C:\Windows\System\njTGBGo.exe

C:\Windows\System\nhCRGOD.exe

C:\Windows\System\nhCRGOD.exe

C:\Windows\System\vazVQqG.exe

C:\Windows\System\vazVQqG.exe

C:\Windows\System\aZZymwz.exe

C:\Windows\System\aZZymwz.exe

C:\Windows\System\cmjKBpI.exe

C:\Windows\System\cmjKBpI.exe

C:\Windows\System\CzpoPoR.exe

C:\Windows\System\CzpoPoR.exe

C:\Windows\System\pgxhDcS.exe

C:\Windows\System\pgxhDcS.exe

C:\Windows\System\bxYuiAu.exe

C:\Windows\System\bxYuiAu.exe

C:\Windows\System\SZTcCSG.exe

C:\Windows\System\SZTcCSG.exe

C:\Windows\System\ESvxbyz.exe

C:\Windows\System\ESvxbyz.exe

C:\Windows\System\WtXcFLg.exe

C:\Windows\System\WtXcFLg.exe

C:\Windows\System\sTVOqPa.exe

C:\Windows\System\sTVOqPa.exe

C:\Windows\System\HYQcgIK.exe

C:\Windows\System\HYQcgIK.exe

C:\Windows\System\FvOlgxx.exe

C:\Windows\System\FvOlgxx.exe

C:\Windows\System\KTKMURB.exe

C:\Windows\System\KTKMURB.exe

C:\Windows\System\aEyVQvD.exe

C:\Windows\System\aEyVQvD.exe

C:\Windows\System\GGpAUIK.exe

C:\Windows\System\GGpAUIK.exe

C:\Windows\System\OpmcMFc.exe

C:\Windows\System\OpmcMFc.exe

C:\Windows\System\BTxsEpo.exe

C:\Windows\System\BTxsEpo.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2288-0-0x000000013F2B0000-0x000000013F601000-memory.dmp

memory/2288-1-0x00000000002F0000-0x0000000000300000-memory.dmp

C:\Windows\system\FCruoHJ.exe

MD5 0eec8de02a741f0debd4479c0dee85c5
SHA1 b77d32862bab36989c1c9b9cae1057b1998e1234
SHA256 5d98fb9255566ef056795ccd1163f9ba002de6feb9911deefa4bc044cdfcdd6d
SHA512 0cc37ad15255631d54ac7e7fe5552f01498a102a7c654676f4909880f29b4ba3c42303da5d8bb97ccd51b328cd0bdf0cbeed4a10b500f57434ce370690936ca9

\Windows\system\SqYpWpE.exe

MD5 f6044e32819635975117b629fbb8c82b
SHA1 e1ee98de8ebd20e99a67958ad1bb755e9995cc70
SHA256 8a01008e713a581bac6adb000122d19aa09fe3a894e6e41597789f6cf35f9fd0
SHA512 df4e1ebcb764aafe9e32b18668c6a0e2d8952231b0b2dfca0d6b524889c22ecae3fcf79c9af6539923a84c2e213f41938326fc2344f875033ac50e0fd7f329f2

C:\Windows\system\njTGBGo.exe

MD5 014ef89643e088e59729bb9fdcf19102
SHA1 48b18171db63a9e523d0b7c330ac59c04853c32d
SHA256 8dd5e0e427a438b208847315584fcaaf4a8b2342a987c9243607dac7334e04d4
SHA512 aa36bef1d221c87256c83c81d2a9daa1489f4b29115739033ac1fa78fdc1442a0155fb76d1313034893b187f6c619623b1a4f17cba0ad48290913738d30e9f51

memory/2684-21-0x000000013F8F0000-0x000000013FC41000-memory.dmp

memory/2288-22-0x000000013F760000-0x000000013FAB1000-memory.dmp

C:\Windows\system\nhCRGOD.exe

MD5 ee6bf19d879bc3198b897fa985412ed4
SHA1 f703dc3efd5e0500dce82d6a25d71a15f877e11d
SHA256 b37a7a080b22846fcff3a625bf72978c5445fc9719e3ce86ea73c6abdb1a9901
SHA512 7d0166f7e5029cf4453cceb5938edf0b53d031717f6df3926f309c5bdf7750e4c337d4db20ac7b678c4a18ab771678cda43a624a8ce67181813b5eab582f33a5

C:\Windows\system\vazVQqG.exe

MD5 848b688a7be8c6a99c738a9a2202c644
SHA1 29bdcc65ea68a268528291b83a2a45f9b5679525
SHA256 e2861db6cbf8c6611c0921de0cd392bf1c40d10439e29532c00e1297ca579031
SHA512 a812a85d4325558b0b6a3325231d56b46eeeb1ff49b3a0890101ffbe11413fa479977743bdc7320317fe6837a00dc9fa69b1896092a67dc20dfac339a01b353c

memory/2580-36-0x000000013F380000-0x000000013F6D1000-memory.dmp

\Windows\system\aZZymwz.exe

MD5 1f5b2554a12a5519fcbd3559101cef20
SHA1 e24f1734a9ff6fd484a95e3e679451d456b0c0a2
SHA256 9e86e0c00b770244fad39fe2a40cd2d868ea8bdedeaa333603f2424b9376b2f8
SHA512 4759b9470dec7fff2236adfcd5371813187ebea9a2388096ef718b155f0725980aaf5099341cf3a8080a92e946cbdaf991d332db225557e04f8b93893445f5bf

memory/2608-41-0x000000013F480000-0x000000013F7D1000-memory.dmp

\Windows\system\CzpoPoR.exe

MD5 d304bef3c1a2482e482818905cbfceb0
SHA1 fba33592968535e100dbda73e9c958b31b70fa9f
SHA256 6c5e32b1cb55a714b07b411ba5720afd1abe1bc5b0e2ed7354c673e22c49bf53
SHA512 da5b3c2e4d389b3097eb16db560db7459ca2f3482c7fa56821e37116e034f6dcb1c68229cfdbf18eb903fa3b965f49662193389228798bfbb4396959effeb4fd

memory/2624-60-0x000000013F2D0000-0x000000013F621000-memory.dmp

C:\Windows\system\SZTcCSG.exe

MD5 e24c8692d4e565fde31d5a1b20aac982
SHA1 b345083134157ea3a1570277c172fd36b7e3b865
SHA256 a3ea71c9442270bfb4faa39c51ea9027e06cee9500ed5414fec5ad207ba21824
SHA512 0d3990ccdb4b0b023c911d9526b5aad5faad3af8911668a57c38ce3886d1f43c0ba758fc76d1b5f4307742a01fb4a88d54259074e17e64a3702d6768ee280f7d

memory/1060-73-0x000000013F4C0000-0x000000013F811000-memory.dmp

\Windows\system\HYQcgIK.exe

MD5 4e0d1407da6a0739efb274cc36efc9cd
SHA1 8325a4c5328a91574d4b1d9ba55ce92acc22efaa
SHA256 720b1c06c169a1438c520870a23808c2ebed0690c59a4242b5c4a0b815248102
SHA512 c8d49acfb6479f117de739383ef79c074ea6827ae19b8618f1ed372d71d26dd5df52d05311ad4233edb259e4087d47ffd2101880fd59df0b52f978c53ac7fa51

C:\Windows\system\WtXcFLg.exe

MD5 4153e763f2ad5adbf15d2fa30051f92a
SHA1 4c5f12b392c37e9d9da9751160df25cbd7c78f5c
SHA256 438da61d40b5b95ba71cfad7bd4d276b6a59d8b70c55a8387a857f33d68dc5d6
SHA512 e4ce26ed2d4093e88679852f9cf8363a2e0cf8db807c1d82f09698ae0dc28d09740e6438bee1ae10c7c245d2d7276fa76ae1ea6e6474dae82477f30c87d898f3

C:\Windows\system\FvOlgxx.exe

MD5 10edcf11420df28c83b2f4bc8f1c7e08
SHA1 344db61bee92c7a77a0093843f103733603a0ae0
SHA256 de87e11799596e654b387e780caeb48bb42ef7b262b5522c29f44cedb47d11f0
SHA512 780129278a9d1f52285efd017876ff5b983642640ac3a8ac695d854a7bcadd5cf44d32b118f7921f2a7998697dfad08a21953fb0bf4b07a8c83a19deed5cebc3

C:\Windows\system\GGpAUIK.exe

MD5 1a66abe6544d488d2cb4f1767df41394
SHA1 b9507b731360bf539e5aa647680c43fbde964918
SHA256 b154a1f5dd62c52912fbd9afcef2fdd210434a1a2c001f7faf4b1d9c96e422ed
SHA512 5d188d60f8f8cd5f3b73d5d2943338177c7b92427f725fde91c2a4879bef8c48aed775bc7b586c54fbdfb485e577576374a724a9d11e36f42014e56e68c2a0a6

C:\Windows\system\BTxsEpo.exe

MD5 d4087772c813bd4cf3f7910d3252e2fc
SHA1 02ce94350266cfaf72c1975232fafe08538b4b12
SHA256 fa5fc7f8ed6711d741204baebea02b1a5fc6eb78e0d86dbfd24c6eea7162b298
SHA512 5285242959d28d0c7d1f3b2c72857ddd8d92e51e6dc0de25b4c960f7df5d269f8d044e3711d4d49b8fbdd426a44833da7bef96c04bd4bdd622ee3db452753775

C:\Windows\system\OpmcMFc.exe

MD5 1c6dd83688e5f110ed68b6d25811c61a
SHA1 45456e752c6fd129e34ad3971b7fa099a8a19c49
SHA256 643bcf533e61802ec0b80c4eb1db5999752351fd9b557e8d8f1e5cffcef89a73
SHA512 855029293a0a5c86d06af5139c67f4c57d34fdf90e749f1796706d23766d727a1655acfa24072bbcddcbcd349fc51e94f9c84403733e959209d77bcfc9827c65

C:\Windows\system\aEyVQvD.exe

MD5 bdeb879932e12a8e1b44a49b34854f58
SHA1 290b002882662aba64bd0a0eeea66da8147897a6
SHA256 2cea684e94bd7571f33681231da27b959ba360f56440e5b93f5f495a9d020388
SHA512 0efa5cfecc29325940509583961a48f18a3284c05e11ddd1f16c85a58ae07a3b1c69cf9dde4a9902910f13af96655947f0c3cbc5e0a575fa5b0dc198ba89d122

C:\Windows\system\KTKMURB.exe

MD5 d8b4392a55c31875c0bc63a7c16ceb1e
SHA1 b50ec8a56c4eb4b1882df4774d77534d15eb1379
SHA256 0047717e1f8011a052805c5f0a3d15b4df5b39bc86eb4075c41c062d06236c32
SHA512 239b1177ed0ead04f4a1b384c9e51ad75d6a408b15b6606358a8e8063c7c7c3de86df8dfe4457f0bc90a5569f57a2b77e0a7a99fbfbeb128d13e585cf7c92ca8

memory/568-103-0x000000013F960000-0x000000013FCB1000-memory.dmp

memory/2288-102-0x000000013F960000-0x000000013FCB1000-memory.dmp

memory/2876-93-0x000000013F110000-0x000000013F461000-memory.dmp

memory/2288-92-0x0000000002310000-0x0000000002661000-memory.dmp

memory/2288-91-0x0000000002310000-0x0000000002661000-memory.dmp

memory/2276-90-0x000000013F890000-0x000000013FBE1000-memory.dmp

\Windows\system\sTVOqPa.exe

MD5 c93b55111845d703a4d0bd93c90e55d3
SHA1 cec30b20c288eaae73d5f057ca4da939f16dcfcc
SHA256 9a6f465687309b28c786d43da870ed80f9a33ac7ffbe25634f8c0e6d25922a67
SHA512 82cd3bc3d330b05e9856e832b38283604f581965d511551f3e100c9176d82e4074431a39b7250f00235d0a8d105f83ba993708c2f5e3c4bf6e8501d986d05e56

memory/2588-133-0x000000013FB70000-0x000000013FEC1000-memory.dmp

C:\Windows\system\ESvxbyz.exe

MD5 c8edb1669996e8f1be71afb0b623abdf
SHA1 69885fac1b81b9ac0c683aff362f7f08c6473534
SHA256 15027974eb72be839b10ec9ee95d4bf9d04526f6962ca951b1eefa8d2e30539e
SHA512 dba43bd8f6a7f236fbfadbd858e609964282b4e588a59458226c4466f79cd656f51738d7d9eb43e3320c1dc267563dd06f0f38d7d4e77526efe3b16ef8bd6437

memory/2288-72-0x0000000002310000-0x0000000002661000-memory.dmp

memory/2288-71-0x000000013F2B0000-0x000000013F601000-memory.dmp

memory/2732-66-0x000000013F2A0000-0x000000013F5F1000-memory.dmp

memory/2288-65-0x0000000002310000-0x0000000002661000-memory.dmp

C:\Windows\system\bxYuiAu.exe

MD5 0508cace9c650a5e9acef75140a2196e
SHA1 1b5f21c155150d05caa637215f015206fff4cebd
SHA256 990033269682f2e4439aeff3e260c9e374d6b8c7a51b586ead74002041548a14
SHA512 25efd64f700b65f9b0de48bc922001e0d39f13d3cd7471872ee0e30627e97395817355b62783eb6af2e68b7062aa72aab2ebcb4e5cd201bcb7eba8c67794b96e

memory/3060-57-0x000000013F690000-0x000000013F9E1000-memory.dmp

memory/2288-56-0x000000013F690000-0x000000013F9E1000-memory.dmp

memory/2288-55-0x0000000002310000-0x0000000002661000-memory.dmp

memory/2564-54-0x000000013FB90000-0x000000013FEE1000-memory.dmp

memory/2288-53-0x000000013FB90000-0x000000013FEE1000-memory.dmp

C:\Windows\system\pgxhDcS.exe

MD5 a4a64a79ee9d5229f328c0d4dac4d79c
SHA1 aa61bb6572ae1703b3e72ee7f3428e743a03b35d
SHA256 bdee92f1ec6e9183d3a68dd55ebab113aaa62da36dd4bb449eb7c09dd861aba6
SHA512 c6fde72887f79a40cccbb960a588f835f41f349c7c7c004095461deae4dc8afcab88c3bd0a25f1e7f89e89a3e92fb491477acadf933f8ac761198f0aeb709a64

C:\Windows\system\cmjKBpI.exe

MD5 30afb897bfcb2780d68964e4a01c0025
SHA1 a6f078ef42b6a5cc30c60cd8f874df91776c2285
SHA256 27330fb5bb780756eb73bb0716432c234e7b91acfac2aff59cb7287d76253ebc
SHA512 3e170bf27fa32d477257c409b70b0229fe521f365dfeb1ded76fca360c9b8b9566fd679fdeca7c012152f2c2beb14b32dad152f15dc9af1d33798fe31398e6a5

memory/2580-134-0x000000013F380000-0x000000013F6D1000-memory.dmp

memory/2288-33-0x0000000002310000-0x0000000002661000-memory.dmp

memory/2588-28-0x000000013FB70000-0x000000013FEC1000-memory.dmp

memory/2288-27-0x000000013FB70000-0x000000013FEC1000-memory.dmp

memory/2288-20-0x000000013F8F0000-0x000000013FC41000-memory.dmp

memory/2712-19-0x000000013F760000-0x000000013FAB1000-memory.dmp

memory/2800-18-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/2288-136-0x000000013F2B0000-0x000000013F601000-memory.dmp

memory/2608-148-0x000000013F480000-0x000000013F7D1000-memory.dmp

memory/1060-147-0x000000013F4C0000-0x000000013F811000-memory.dmp

memory/2732-146-0x000000013F2A0000-0x000000013F5F1000-memory.dmp

memory/2624-144-0x000000013F2D0000-0x000000013F621000-memory.dmp

memory/3060-145-0x000000013F690000-0x000000013F9E1000-memory.dmp

memory/284-151-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

memory/1032-154-0x000000013F9D0000-0x000000013FD21000-memory.dmp

memory/1784-155-0x000000013F640000-0x000000013F991000-memory.dmp

memory/2288-159-0x0000000002310000-0x0000000002661000-memory.dmp

memory/2016-157-0x000000013F090000-0x000000013F3E1000-memory.dmp

memory/2880-153-0x000000013FE50000-0x00000001401A1000-memory.dmp

memory/1288-158-0x000000013F8D0000-0x000000013FC21000-memory.dmp

memory/1092-156-0x000000013F420000-0x000000013F771000-memory.dmp

memory/2288-160-0x000000013F2B0000-0x000000013F601000-memory.dmp

memory/2288-182-0x000000013F960000-0x000000013FCB1000-memory.dmp

memory/2800-206-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/2712-210-0x000000013F760000-0x000000013FAB1000-memory.dmp

memory/2684-209-0x000000013F8F0000-0x000000013FC41000-memory.dmp

memory/2588-214-0x000000013FB70000-0x000000013FEC1000-memory.dmp

memory/2580-213-0x000000013F380000-0x000000013F6D1000-memory.dmp

memory/2564-216-0x000000013FB90000-0x000000013FEE1000-memory.dmp

memory/3060-234-0x000000013F690000-0x000000013F9E1000-memory.dmp

memory/1060-237-0x000000013F4C0000-0x000000013F811000-memory.dmp

memory/2624-240-0x000000013F2D0000-0x000000013F621000-memory.dmp

memory/2608-238-0x000000013F480000-0x000000013F7D1000-memory.dmp

memory/2276-242-0x000000013F890000-0x000000013FBE1000-memory.dmp

memory/2876-244-0x000000013F110000-0x000000013F461000-memory.dmp

memory/568-246-0x000000013F960000-0x000000013FCB1000-memory.dmp

memory/2732-255-0x000000013F2A0000-0x000000013F5F1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 11:53

Reported

2024-08-06 11:56

Platform

win10v2004-20240802-en

Max time kernel

140s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\Vhgcbqo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Uhatwvo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bbYvyng.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\roqNLbj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TJwQlXJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mXgutWS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nYhCrEW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EsrnHYp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VZUGABZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NMFHMAF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ObClSRs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kjDlAeU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\otzBpNB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OTCpngA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YAdVZMJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GwtRbXm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ImLZHaB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nhSpZYt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UGajMqv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rQpwkuM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UuooZQS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2556 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ImLZHaB.exe
PID 2556 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ImLZHaB.exe
PID 2556 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nhSpZYt.exe
PID 2556 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nhSpZYt.exe
PID 2556 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ObClSRs.exe
PID 2556 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ObClSRs.exe
PID 2556 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Vhgcbqo.exe
PID 2556 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Vhgcbqo.exe
PID 2556 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TJwQlXJ.exe
PID 2556 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TJwQlXJ.exe
PID 2556 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kjDlAeU.exe
PID 2556 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kjDlAeU.exe
PID 2556 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mXgutWS.exe
PID 2556 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mXgutWS.exe
PID 2556 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UGajMqv.exe
PID 2556 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UGajMqv.exe
PID 2556 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rQpwkuM.exe
PID 2556 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rQpwkuM.exe
PID 2556 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nYhCrEW.exe
PID 2556 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nYhCrEW.exe
PID 2556 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\otzBpNB.exe
PID 2556 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\otzBpNB.exe
PID 2556 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EsrnHYp.exe
PID 2556 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EsrnHYp.exe
PID 2556 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UuooZQS.exe
PID 2556 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UuooZQS.exe
PID 2556 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Uhatwvo.exe
PID 2556 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Uhatwvo.exe
PID 2556 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GwtRbXm.exe
PID 2556 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GwtRbXm.exe
PID 2556 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OTCpngA.exe
PID 2556 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OTCpngA.exe
PID 2556 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bbYvyng.exe
PID 2556 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bbYvyng.exe
PID 2556 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YAdVZMJ.exe
PID 2556 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YAdVZMJ.exe
PID 2556 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\roqNLbj.exe
PID 2556 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\roqNLbj.exe
PID 2556 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VZUGABZ.exe
PID 2556 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VZUGABZ.exe
PID 2556 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NMFHMAF.exe
PID 2556 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NMFHMAF.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\ImLZHaB.exe

C:\Windows\System\ImLZHaB.exe

C:\Windows\System\nhSpZYt.exe

C:\Windows\System\nhSpZYt.exe

C:\Windows\System\ObClSRs.exe

C:\Windows\System\ObClSRs.exe

C:\Windows\System\Vhgcbqo.exe

C:\Windows\System\Vhgcbqo.exe

C:\Windows\System\TJwQlXJ.exe

C:\Windows\System\TJwQlXJ.exe

C:\Windows\System\kjDlAeU.exe

C:\Windows\System\kjDlAeU.exe

C:\Windows\System\mXgutWS.exe

C:\Windows\System\mXgutWS.exe

C:\Windows\System\UGajMqv.exe

C:\Windows\System\UGajMqv.exe

C:\Windows\System\rQpwkuM.exe

C:\Windows\System\rQpwkuM.exe

C:\Windows\System\nYhCrEW.exe

C:\Windows\System\nYhCrEW.exe

C:\Windows\System\otzBpNB.exe

C:\Windows\System\otzBpNB.exe

C:\Windows\System\EsrnHYp.exe

C:\Windows\System\EsrnHYp.exe

C:\Windows\System\UuooZQS.exe

C:\Windows\System\UuooZQS.exe

C:\Windows\System\Uhatwvo.exe

C:\Windows\System\Uhatwvo.exe

C:\Windows\System\GwtRbXm.exe

C:\Windows\System\GwtRbXm.exe

C:\Windows\System\OTCpngA.exe

C:\Windows\System\OTCpngA.exe

C:\Windows\System\bbYvyng.exe

C:\Windows\System\bbYvyng.exe

C:\Windows\System\YAdVZMJ.exe

C:\Windows\System\YAdVZMJ.exe

C:\Windows\System\roqNLbj.exe

C:\Windows\System\roqNLbj.exe

C:\Windows\System\VZUGABZ.exe

C:\Windows\System\VZUGABZ.exe

C:\Windows\System\NMFHMAF.exe

C:\Windows\System\NMFHMAF.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 21.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2556-0-0x00007FF630120000-0x00007FF630471000-memory.dmp

memory/2556-1-0x00000174754A0000-0x00000174754B0000-memory.dmp

C:\Windows\System\ImLZHaB.exe

MD5 63d83167f3b9246ca6e6739a4367ca73
SHA1 8208f60937dcb8dffb2a87e32b0c1bd5fb817852
SHA256 f91e680118bdc80e78b2e1cfbb9381dd9330d40df5e5bd732915be933beff8c8
SHA512 246f8df6bcf5d1694869c00095754e8899338e39e81c67230ddeab28df607e639ca3783da0c2435b596c3de516f4fb9000713296f3b928c961440d2edd7c1911

memory/3988-8-0x00007FF75CAF0000-0x00007FF75CE41000-memory.dmp

C:\Windows\System\nhSpZYt.exe

MD5 08d92e8560bce9a13f3dd4fccf6f515a
SHA1 e0a30647f8a8dcf0d389bd86c1eb89cf4b20cd1c
SHA256 548ca2ba8a68ac30c11375321c8d1994e94d2817bbcac5aeaaf0a4b342629d37
SHA512 b8cf41314db5425e567be9995487ebc83b682e427cd559b43b218d935fb5a717d420e06a4b59d41385140b292b236670584473938a1f8e8ee0afc1f65e20c1f9

C:\Windows\System\ObClSRs.exe

MD5 75169dea1173387d0174afd8cdd771db
SHA1 77b0ad6c3ba983ed7a9a959e634c4e10dd76697c
SHA256 35b814d33bb7fbd6b980c92d4ccfb8ea032c3766886dcef14ea31353a5257140
SHA512 1a251ef3c9c11d113b065398cec3565b01f0fea34977bcc40509be8e595f6a8bae7650db8ac624b154b5fcee33ff1c6fcf054903c440e43478bd2ace2cd07bb3

memory/1816-20-0x00007FF70F8F0000-0x00007FF70FC41000-memory.dmp

memory/4844-13-0x00007FF781460000-0x00007FF7817B1000-memory.dmp

memory/2424-25-0x00007FF693960000-0x00007FF693CB1000-memory.dmp

C:\Windows\System\Vhgcbqo.exe

MD5 6167d5e247789f82e2d40d6028477c42
SHA1 388482b719cf46993291d6738c8598e15a499782
SHA256 d9fe160eb698fe8ab0d92d53a0a3e70fe97b69692e61211c5fee9968a7a45913
SHA512 4f85328ce02f48e27936ffa0b45cdf1de0ee8222b3a9e116b687010b4e21beb827db619d5a949c0fc8f31d7f11c7dd2f7def52d591ad1b2f99f3c38b7bcbe516

C:\Windows\System\TJwQlXJ.exe

MD5 096d43ae7c030af60170c5a55b73a805
SHA1 4130b22e4838d631daba5de4c1a3b690ffac0e0d
SHA256 37ed42d0e3f9e0c2c4c4c7b00c0688503ebc1d1dad27a5c23ecfa0ffc3f4aff1
SHA512 7895364f5d76b954936e897323345c6fabc10dae63a2268867c8ee77df5c9a9746df39e5b7ea148e4b7c838628d79bcd0d0d03b14e1f4cfe707cd6a0a7b44a78

C:\Windows\System\kjDlAeU.exe

MD5 b3b1afcddf53b65bcc236e183fd61c89
SHA1 1e19bc3dea7f7ab356c19f399686a4d7dea74185
SHA256 3946ce14a644dffcb85799402728a549d80c12cb16bdb99552186f30b67cb7d7
SHA512 56f0b78b8db81a2134fee7123940d5d5b4604691e189ccd8f88278c89b3e44050fe73ea79d9a1d7271a8c9a32b770a968594a27dd42b85d24a4499a53c4f0d8f

C:\Windows\System\mXgutWS.exe

MD5 7374ee1347a32faefa7503d4824f11f1
SHA1 aa94b3603c9a70742c7c7cf4a8b1069571ac221d
SHA256 9ee5edfcbeb76af4edf5872b0697110538bdf28889db92f8a22ae602ef78eca5
SHA512 78af621a2282abf06cd198212988343fb458d53fb7e05d9ee85ae86109be27296773e72fb092d3ddce11ec68d08b19c5daaf8e6c9d2b91893672049072b890a7

C:\Windows\System\UGajMqv.exe

MD5 bae4c67a2dd37482fa0cac2b7be19fee
SHA1 6d8d95ad25365c637db123d5f27d258cbdc05397
SHA256 823de1ae2d503b324315efcbc5edf38d74fdb41be756ef8b19aa116bc419b49d
SHA512 a7c5cb0034472e327f24a9798d2bd4d65be3f87b233cb51296cc2a691a95243f33ca2452fd181dd6247d55718783af0d14b1dd78eea21eba7e38d9b62f578631

memory/1524-58-0x00007FF7EF8C0000-0x00007FF7EFC11000-memory.dmp

C:\Windows\System\rQpwkuM.exe

MD5 91d3cb7a812b156a7905882b7b2c0e77
SHA1 260ef31c9125bf971eae5fc110e340b3db57e102
SHA256 ba6966d492e73fc1fe1972c36f2ea4cc8cde7d7d5b088808d8937293339c044d
SHA512 d08c8a6adb6950a9405e569e5845fbe4fd989adf073c057ff24959738b179bde13f04894c3e93cc926dd8836f2add9efa00baec4c5b78f65dc73defc21bdb38a

C:\Windows\System\EsrnHYp.exe

MD5 3ed5a0b7888b6f9dcfecb4896fafb010
SHA1 062d31c134e735f1c7cb12a20d88b1f59dd1ebf4
SHA256 209592c2c01f7b77f021048acd1ec07e272331b5d0bf489d38c2e6567de57286
SHA512 c30211fca8da674b2532ec57c389ab7fe38863e2591c46d343bba2b55b7c770caf86d399434635c874eea7914138ad94d8d854aef46c8918fcd395c8b009784e

memory/2556-73-0x00007FF630120000-0x00007FF630471000-memory.dmp

C:\Windows\System\UuooZQS.exe

MD5 22dcc506f594707db0d5df3668b3e646
SHA1 dce5ead8f6b11de3aa0460f02c6644053057975e
SHA256 99a852593fb9a124956208c720b809c27ad5e2fbbabe2d573bfb56a47dcb87d9
SHA512 98bcd94458f0b1e5b45050cee6ebb74b2879dfd4ec8a53e04a5ed95279b84ad84cfe0f61650b3cd45932a35c48179ed495daeb14a3bd621c3760bb61f7d1db54

memory/1976-79-0x00007FF64AAD0000-0x00007FF64AE21000-memory.dmp

memory/1444-78-0x00007FF615C00000-0x00007FF615F51000-memory.dmp

memory/1536-74-0x00007FF672170000-0x00007FF6724C1000-memory.dmp

C:\Windows\System\nYhCrEW.exe

MD5 bfdacab612713940bb103e62b581df7b
SHA1 b1f41373a6cee6615a239a62a7bc92fe015f69a5
SHA256 4a7d2cbd88211296581c3e20a5a93da5731ce8311f84c2c6f034929007056791
SHA512 ca8bb54054ffd417b2f3267885d64f53db858d5234f05c2fb68f9d416e6ada3e27e40152085b2ffb57a215260406e1b65faf2d440eb42192458992a4da4caf81

memory/624-67-0x00007FF6EA4C0000-0x00007FF6EA811000-memory.dmp

C:\Windows\System\otzBpNB.exe

MD5 f1afcb8085bf6a656866c59a1dc02c89
SHA1 b1270e17a4c6e5506b4f9e34f04d4c4efee9b95c
SHA256 c8978b70eced3136d481fa8a2e6c178e4710fa209687f5391072edcd4ff15051
SHA512 369582324626e5746de9307c001b295046e1a977baab253a0f807c88b861374a815e4a24d7bb8857f80a08fec73a572c3899ebcf594f947051ddf6665a26c740

memory/2892-51-0x00007FF7CF190000-0x00007FF7CF4E1000-memory.dmp

memory/4068-44-0x00007FF7FB060000-0x00007FF7FB3B1000-memory.dmp

memory/4928-36-0x00007FF67CC40000-0x00007FF67CF91000-memory.dmp

memory/724-30-0x00007FF65BCE0000-0x00007FF65C031000-memory.dmp

C:\Windows\System\Uhatwvo.exe

MD5 f3cc5d8b19a050d7a278132378f617db
SHA1 c541297ecc36712a571ae5da221927bd80865afe
SHA256 85c5f589661e8f1ec233f94df2b54c969fb40ab13ec19a31559a4162c1d977d4
SHA512 0d5bc32ef96bfa3facd05303db14ff3854075027d802786b4f9654c0874872857502817f44ed4ec886fc13d4e24e2b6c0f0fa49ebdf0dcb93d88cea3322bd4d1

memory/1816-90-0x00007FF70F8F0000-0x00007FF70FC41000-memory.dmp

C:\Windows\System\GwtRbXm.exe

MD5 857865f2edeeb2c92df4d6f671033a11
SHA1 510e6f221bf542d56348c6b1c4c4264818ce51e0
SHA256 d0e3f1dbede444c0022f8ed0d62301194b9a1264a6eccc8a553cd3934a5a4056
SHA512 d899c2872dcb8a1914d35ffc709142e4de21e1050d5617717a7cbf12690ddbbbb9403b8c2c8cc860b909af2bc96425c38ffb135a1ade32c54b01fab2ed58991b

memory/724-112-0x00007FF65BCE0000-0x00007FF65C031000-memory.dmp

C:\Windows\System\bbYvyng.exe

MD5 46286fff00dd13bbf9c9e4b9cd50b6d7
SHA1 476ecf0b9b738ddbfffce4268903c94e877de74f
SHA256 6b5be7a804712937ec2b3ce67b9b5cefa375b742e5ea28239f86a1976208ed04
SHA512 6d12cf36ef712df26fc804db6aa9c64806b0ffe118d2d887c8b8ff3f6260fe7f7f0ba1dbb3f82c3282caefd44c5c804c7b3302e1a7f9a11a1f9e2eadb1c52b2e

C:\Windows\System\roqNLbj.exe

MD5 d0b7fc320e6ef05c0335183bed57926a
SHA1 c67b511effb8d4e5169e35ef4fc342a04f4eb571
SHA256 2ac725cba23995886aad979a036b0caf5bf3aefb96cd30ff1f9dee1db3db178d
SHA512 b5ee5a85f6f62f455b2778aefd18debae7deaa667a3a0b451d1979408b8e961f4797bad6a009dfffadd0192aed421ecbc3d5a5a10a347b29b0d58364ff6ee33c

C:\Windows\System\NMFHMAF.exe

MD5 edaa44cb876727b3451b7d2d3925b221
SHA1 8667c2ad82879fc8a34b71aa923aab88a5df5544
SHA256 79b8726567f3f62999ce875f35bed3fadaf045b52f2fef417616d5bef6b5ffeb
SHA512 9d9cda9d8224ecc4fc4d96e55174c9592e5d0401125b4090b3436f16b31b8cf5b30226408e4f05840d5ba325ae0d61950373d5d8313ac08b224fe701eeb18c19

memory/4068-132-0x00007FF7FB060000-0x00007FF7FB3B1000-memory.dmp

memory/432-133-0x00007FF64F390000-0x00007FF64F6E1000-memory.dmp

memory/4928-131-0x00007FF67CC40000-0x00007FF67CF91000-memory.dmp

memory/1924-128-0x00007FF618D30000-0x00007FF619081000-memory.dmp

memory/3836-127-0x00007FF6766D0000-0x00007FF676A21000-memory.dmp

C:\Windows\System\VZUGABZ.exe

MD5 c38ce40978e2dee3ab4aebe5b40004e2
SHA1 8507e09759072d876b5e6c8ffe9835ad1eb817b5
SHA256 ed3ca485c15ee567122c583cb5526f29262e072bf6a5842d1f47746bc50af75b
SHA512 d1d985315d8945aaab7143eab1cd2a1d0e082b5d9006a2b9cec0a429ddcc099675205cfba241d69cedec6217e750b9faa2ae9f1d933ea76ef5019fa737003052

memory/440-123-0x00007FF679D70000-0x00007FF67A0C1000-memory.dmp

memory/2668-122-0x00007FF67EC40000-0x00007FF67EF91000-memory.dmp

C:\Windows\System\YAdVZMJ.exe

MD5 e1b3affdd6e62f84ca7711c64634ed0e
SHA1 8508c328d5d5c86f79b789c507ef8ffc30a031c1
SHA256 074ee02d6f10e2aa08c08d0b41c9a62e7c9fe352b43a10e32b0f254c691a8581
SHA512 0cf81c3d57f45d6f10cd3a4bcb2044f38eeffb0bdfa007f982947418f35e8020dd2c4657179c84b4cda5d3b3bed876328fd888a5e178a2ae20890ad826cfc8ef

C:\Windows\System\OTCpngA.exe

MD5 7a74178ebfa8fcd9edc55aa04016ca2f
SHA1 8a751cabf1d00b22eb6d3efcaa4881225e34635f
SHA256 424576bc6d906d433c45698546bfdc4496e9e646143c1d4c91f32b87b0f17d21
SHA512 67f8a19a004c18989b14a873073c8f6d46a364d53a659b5d1d1e19074025e0f8bde187d7f82530acfda02691fc15f51cd295b5a7b35b8c0b987dce748795df4e

memory/3844-100-0x00007FF6E0710000-0x00007FF6E0A61000-memory.dmp

memory/2424-98-0x00007FF693960000-0x00007FF693CB1000-memory.dmp

memory/4160-91-0x00007FF6FDDF0000-0x00007FF6FE141000-memory.dmp

memory/4432-89-0x00007FF69BEE0000-0x00007FF69C231000-memory.dmp

memory/4844-85-0x00007FF781460000-0x00007FF7817B1000-memory.dmp

memory/2556-135-0x00007FF630120000-0x00007FF630471000-memory.dmp

memory/2892-143-0x00007FF7CF190000-0x00007FF7CF4E1000-memory.dmp

memory/1976-148-0x00007FF64AAD0000-0x00007FF64AE21000-memory.dmp

memory/4432-149-0x00007FF69BEE0000-0x00007FF69C231000-memory.dmp

memory/1444-147-0x00007FF615C00000-0x00007FF615F51000-memory.dmp

memory/624-145-0x00007FF6EA4C0000-0x00007FF6EA811000-memory.dmp

memory/1524-144-0x00007FF7EF8C0000-0x00007FF7EFC11000-memory.dmp

memory/4160-150-0x00007FF6FDDF0000-0x00007FF6FE141000-memory.dmp

memory/3836-155-0x00007FF6766D0000-0x00007FF676A21000-memory.dmp

memory/2668-152-0x00007FF67EC40000-0x00007FF67EF91000-memory.dmp

memory/1924-156-0x00007FF618D30000-0x00007FF619081000-memory.dmp

memory/3844-151-0x00007FF6E0710000-0x00007FF6E0A61000-memory.dmp

memory/2556-157-0x00007FF630120000-0x00007FF630471000-memory.dmp

memory/3988-207-0x00007FF75CAF0000-0x00007FF75CE41000-memory.dmp

memory/4844-209-0x00007FF781460000-0x00007FF7817B1000-memory.dmp

memory/1816-211-0x00007FF70F8F0000-0x00007FF70FC41000-memory.dmp

memory/2424-213-0x00007FF693960000-0x00007FF693CB1000-memory.dmp

memory/724-215-0x00007FF65BCE0000-0x00007FF65C031000-memory.dmp

memory/4928-217-0x00007FF67CC40000-0x00007FF67CF91000-memory.dmp

memory/4068-219-0x00007FF7FB060000-0x00007FF7FB3B1000-memory.dmp

memory/2892-221-0x00007FF7CF190000-0x00007FF7CF4E1000-memory.dmp

memory/1536-223-0x00007FF672170000-0x00007FF6724C1000-memory.dmp

memory/1524-226-0x00007FF7EF8C0000-0x00007FF7EFC11000-memory.dmp

memory/624-229-0x00007FF6EA4C0000-0x00007FF6EA811000-memory.dmp

memory/1444-228-0x00007FF615C00000-0x00007FF615F51000-memory.dmp

memory/1976-231-0x00007FF64AAD0000-0x00007FF64AE21000-memory.dmp

memory/4432-241-0x00007FF69BEE0000-0x00007FF69C231000-memory.dmp

memory/4160-243-0x00007FF6FDDF0000-0x00007FF6FE141000-memory.dmp

memory/3844-245-0x00007FF6E0710000-0x00007FF6E0A61000-memory.dmp

memory/440-247-0x00007FF679D70000-0x00007FF67A0C1000-memory.dmp

memory/2668-249-0x00007FF67EC40000-0x00007FF67EF91000-memory.dmp

memory/432-251-0x00007FF64F390000-0x00007FF64F6E1000-memory.dmp

memory/1924-253-0x00007FF618D30000-0x00007FF619081000-memory.dmp

memory/3836-255-0x00007FF6766D0000-0x00007FF676A21000-memory.dmp