Malware Analysis Report

2025-01-22 19:18

Sample ID 240806-n8qa2sseng
Target 2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat
SHA256 05aa61b199311adfc2541bf46f1aa264ed54ffb684b085d131ec561f78a19778
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

05aa61b199311adfc2541bf46f1aa264ed54ffb684b085d131ec561f78a19778

Threat Level: Known bad

The file 2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike

Xmrig family

xmrig

XMRig Miner payload

Cobalt Strike reflective loader

Cobaltstrike family

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 12:04

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 12:04

Reported

2024-08-06 12:06

Platform

win7-20240729-en

Max time kernel

140s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows; no indicator details captured)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; no indicator details captured)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
(the row above is repeated 21 times: 21 load events attributed to the sample process; indicator and target not captured)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (61 identical rows; no indicator details captured)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\KTLVtFK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UZPUoBf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ghFcHVg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vVFIaZN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\prjRQyC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZTufAeg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jkoaHXl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tZVCbzw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PwvLyqE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kJtZVey.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zCkiEjq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jCmBUQz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EIGoakW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wSsOZdn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QBbaImr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eGbsGwO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VayUiQX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xlIpMjZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mkFNere.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zggOrkf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CuDpVzQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1760 wrote to memory of 2272 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zggOrkf.exe
PID 1760 wrote to memory of 1952 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vVFIaZN.exe
PID 1760 wrote to memory of 2968 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wSsOZdn.exe
PID 1760 wrote to memory of 2852 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CuDpVzQ.exe
PID 1760 wrote to memory of 2952 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QBbaImr.exe
PID 1760 wrote to memory of 2856 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\prjRQyC.exe
PID 1760 wrote to memory of 2808 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KTLVtFK.exe
PID 1760 wrote to memory of 2744 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PwvLyqE.exe
PID 1760 wrote to memory of 872 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kJtZVey.exe
PID 1760 wrote to memory of 2916 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jkoaHXl.exe
PID 1760 wrote to memory of 564 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eGbsGwO.exe
PID 1760 wrote to memory of 2308 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UZPUoBf.exe
PID 1760 wrote to memory of 1968 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zCkiEjq.exe
PID 1760 wrote to memory of 568 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jCmBUQz.exe
PID 1760 wrote to memory of 3048 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VayUiQX.exe
PID 1760 wrote to memory of 2460 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EIGoakW.exe
PID 1760 wrote to memory of 2684 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ghFcHVg.exe
PID 1760 wrote to memory of 2440 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tZVCbzw.exe
PID 1760 wrote to memory of 1600 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZTufAeg.exe
PID 1760 wrote to memory of 2452 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xlIpMjZ.exe
PID 1760 wrote to memory of 2372 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mkFNere.exe
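
The "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" tables together describe one repeatable chain: the sample in %TEMP% writes a 7-letter randomly named executable directly under C:\Windows\System\ (the legacy directory, not System32), launches it, and writes into the new process's memory three times. The following hunting check is an added example and is not part of the sandbox report. It replays that chain over constructed Sysmon-style event records; the event kinds, field names, the stand-in parent name sample.exe and the benign control process are assumptions, while the PIDs and the child path are taken from the table above.

```python
"""Hunting check for the drop-and-spawn chain recorded in behavioral1.

Added example; it is not part of the sandbox report. It scores constructed,
Sysmon-style event records (field names, event kinds and the benign control
events are assumptions) for the pattern the report shows: a Temp-resident
parent creates executables with random 7-letter names directly under the
Windows System directory, launches each one, and writes into its memory
three times.
"""
import re
from collections import defaultdict

# Random 7-letter name, .exe, directly under C:\Windows\System (the legacy
# 16-bit directory, not System32). Matches all 21 names in the report.
DROP_PATH = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)
TEMP_PATH = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)


def is_random_system_drop(path):
    return DROP_PATH.match(path) is not None


def is_temp_resident(path):
    return TEMP_PATH.match(path) is not None


def evaluate(events):
    """Return one finding per child that was dropped, spawned and written to.

    Each event is a dict with an "event" key of file_create, process_create or
    memory_write plus the fields used below (constructed schema).
    """
    drops = defaultdict(set)      # creator pid -> lowercase paths it created
    spawns = {}                   # child pid -> its process_create event
    writes = defaultdict(int)     # (writer pid, target pid) -> write count
    for ev in events:
        kind = ev["event"]
        if kind == "file_create" and is_random_system_drop(ev["target"]):
            drops[ev["pid"]].add(ev["target"].lower())
        elif kind == "process_create":
            spawns[ev["pid"]] = ev
        elif kind == "memory_write":
            writes[(ev["pid"], ev["target_pid"])] += 1

    findings = []
    for child_pid, ev in spawns.items():
        image = ev["image"].lower()
        parent_pid = ev["parent_pid"]
        if not is_random_system_drop(image):
            continue
        dropped_by_parent = image in drops[parent_pid]
        n_writes = writes[(parent_pid, child_pid)]
        if dropped_by_parent and n_writes > 0:
            findings.append({
                "parent_pid": parent_pid,
                "child_pid": child_pid,
                "image": image,
                "writes": n_writes,
                "parent_in_temp": is_temp_resident(ev["parent_image"]),
            })
    return findings


# Constructed events mirroring the first child in the report (PID 1760 ->
# 2272, zggOrkf.exe), plus a benign control process that must not fire.
PARENT = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"   # stand-in name
CHILD = r"C:\Windows\System\zggOrkf.exe"
SAMPLE_EVENTS = [
    {"event": "file_create", "pid": 1760, "image": PARENT, "target": CHILD},
    {"event": "process_create", "pid": 2272, "image": CHILD,
     "parent_pid": 1760, "parent_image": PARENT},
    {"event": "memory_write", "pid": 1760, "target_pid": 2272},
    {"event": "memory_write", "pid": 1760, "target_pid": 2272},
    {"event": "memory_write", "pid": 1760, "target_pid": 2272},
    {"event": "process_create", "pid": 4100,
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_pid": 900, "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding)
```

Against real telemetry the file_create and process_create records map to Sysmon event IDs 11 and 1; Sysmon has no WriteProcessMemory event, so the memory_write signal has to come from an EDR sensor or, as a weaker proxy, from Sysmon ProcessAccess (event ID 10) with a GrantedAccess that includes PROCESS_VM_WRITE (0x20). The path test is deliberately loose on the file name and strict on the directory, because legitimate software almost never installs into C:\Windows\System, and the three-writes count is kept as a field rather than a condition so the rule still fires if the loader changes how many times it writes.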

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\zggOrkf.exe

C:\Windows\System\zggOrkf.exe

C:\Windows\System\vVFIaZN.exe

C:\Windows\System\vVFIaZN.exe

C:\Windows\System\wSsOZdn.exe

C:\Windows\System\wSsOZdn.exe

C:\Windows\System\CuDpVzQ.exe

C:\Windows\System\CuDpVzQ.exe

C:\Windows\System\QBbaImr.exe

C:\Windows\System\QBbaImr.exe

C:\Windows\System\prjRQyC.exe

C:\Windows\System\prjRQyC.exe

C:\Windows\System\KTLVtFK.exe

C:\Windows\System\KTLVtFK.exe

C:\Windows\System\PwvLyqE.exe

C:\Windows\System\PwvLyqE.exe

C:\Windows\System\kJtZVey.exe

C:\Windows\System\kJtZVey.exe

C:\Windows\System\jkoaHXl.exe

C:\Windows\System\jkoaHXl.exe

C:\Windows\System\eGbsGwO.exe

C:\Windows\System\eGbsGwO.exe

C:\Windows\System\UZPUoBf.exe

C:\Windows\System\UZPUoBf.exe

C:\Windows\System\zCkiEjq.exe

C:\Windows\System\zCkiEjq.exe

C:\Windows\System\jCmBUQz.exe

C:\Windows\System\jCmBUQz.exe

C:\Windows\System\VayUiQX.exe

C:\Windows\System\VayUiQX.exe

C:\Windows\System\EIGoakW.exe

C:\Windows\System\EIGoakW.exe

C:\Windows\System\ghFcHVg.exe

C:\Windows\System\ghFcHVg.exe

C:\Windows\System\tZVCbzw.exe

C:\Windows\System\tZVCbzw.exe

C:\Windows\System\ZTufAeg.exe

C:\Windows\System\ZTufAeg.exe

C:\Windows\System\xlIpMjZ.exe

C:\Windows\System\xlIpMjZ.exe

C:\Windows\System\mkFNere.exe

C:\Windows\System\mkFNere.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp (6 connections; no domain recorded)

Files

memory/1760-0-0x000000013FD90000-0x00000001400E4000-memory.dmp

memory/1760-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\zggOrkf.exe

MD5 b467110fb9338f33a5decb718d82c16f
SHA1 e5090a4c96c75a6ed9fca20ff733895b03c34146
SHA256 5a745f676753f3f3ea67f33a174d09f2c539fd3b2137d7c8da0b954926078d88
SHA512 617bda769730cd6837fc1d7a2862b5eb44f9b391ac6fe289bbb9294c46911c646eb6f3718738304c23f4e5f59ac4660d68711dd3c5563726764ff44441031a4b

\Windows\system\vVFIaZN.exe

MD5 763a81abff26387b8c89ca69578ac1d8
SHA1 e89c0898a3e99a6f301cc12ea10eb4a5f3dc1a90
SHA256 c381de94823989ce3aeffd225fdd7502754319dae45703eda80250eb35b23d61
SHA512 d9c53bb8f0dcbb959bc3ed302df4f98a4cdb066acfcbc3d32c67e3257f21f87795608cc4727537dd2e7ffe5916d0c37790d6bac258c10faaa6c402ef47234d1a

C:\Windows\system\wSsOZdn.exe

MD5 671b770e5e2e3b722c667ae10e238c02
SHA1 d11315197462f052e93ac4852100ef29c6607f36
SHA256 27ab9675bbd15902f681f187d4ffb2da71e14d84bf0a4a4632da3b20ea5a2e3d
SHA512 e8ad97b837b6cb6021cba6111a763cccbfe5986bf409cf2d7780df57040d6bdab8007ced24d3b107f0e7fc951b823f05799b2cc42510eb9e439887433e868c8d

memory/1952-20-0x000000013F980000-0x000000013FCD4000-memory.dmp

memory/2968-22-0x000000013F4F0000-0x000000013F844000-memory.dmp

\Windows\system\CuDpVzQ.exe

MD5 56100d4fd690aad70436f6c2be9499f8
SHA1 0b3f307f096f49452340a9853d0fe1b1d8a34fba
SHA256 559c81131c124b022f680076b096876c3eb4944398de00ab21e8e5f7c9dfa4f7
SHA512 5f06836dbe32fd582fcde7ba25f4d6082bdb9b7193fcd495307ba52e3f5b90f1426698c3295a7e7c568555aeeacb3944c1664baf3454210081db021de086e300

memory/1760-21-0x000000013F4F0000-0x000000013F844000-memory.dmp

memory/1760-25-0x000000013F660000-0x000000013F9B4000-memory.dmp

memory/1760-13-0x000000013F980000-0x000000013FCD4000-memory.dmp

memory/2272-9-0x000000013FB80000-0x000000013FED4000-memory.dmp

memory/1760-7-0x00000000023A0000-0x00000000026F4000-memory.dmp

\Windows\system\QBbaImr.exe

MD5 0c3295b8195679b04dfea7757b284223
SHA1 e6241fee447c0cab567030b5e7119939699f33a6
SHA256 04aa90fefde62d82fbc048bd39dfd5f86ae917e478eb520292e5fc22899459b0
SHA512 f4236fdd42d5036490b0e69a2faa218cb40bf845879f60f1de972580dae00cd43edb23c6a82ffdfe0fda03c3e8261aae31d1fd9c0fc30dc9f1d393edfd5da7ed

memory/2952-36-0x000000013F990000-0x000000013FCE4000-memory.dmp

memory/1760-37-0x000000013F990000-0x000000013FCE4000-memory.dmp

memory/2852-34-0x000000013F660000-0x000000013F9B4000-memory.dmp

\Windows\system\prjRQyC.exe

MD5 e3bca7f1051cfd8aeaa5d9c83e3e8500
SHA1 a88a952f01bd171f79a8033cb23e2d27f08979db
SHA256 e83838b83504114045ec9955123196bcb28c64273a92e7e11ee2ed5fc13fc5d2
SHA512 45483d456a0d8527cd50c1e4177768482a466f29bece859e3471872a5b0f7607846e34b5d75dd515e8cce7c7a38b45ff76808fff65fd4d2a5b7e7db1e54aaf6b

memory/1760-39-0x00000000023A0000-0x00000000026F4000-memory.dmp

\Windows\system\KTLVtFK.exe

MD5 63099eb1faa8f3c0661931e563501cda
SHA1 b7f6cdb850fceabddfe3616a80d0e620f44cfdff
SHA256 de1fbc6267469de0608214f13f15dc28ac425c15daa3daa2e37b36c7ef8e1a7a
SHA512 6c9bfe34642f7d6ddf3285f0eedbbea73a95a245f4069e6d1e1f55fcc2ed5cb9047297cfd7b94f5bebf8ba86a664404df26787265734f1a05b1f143b498186fc

memory/1760-48-0x000000013F0D0000-0x000000013F424000-memory.dmp

memory/1760-47-0x00000000023A0000-0x00000000026F4000-memory.dmp

memory/1760-46-0x000000013FD90000-0x00000001400E4000-memory.dmp

memory/2856-43-0x000000013FC80000-0x000000013FFD4000-memory.dmp

\Windows\system\PwvLyqE.exe

MD5 81895f990587eacf3d73c0a071113ce5
SHA1 1fb64645be959705014e8715ec638a5e82cd94f2
SHA256 2eca30e6c4a47a634aa33537287009028089d856853de33aa681bb83827cb76f
SHA512 9a06fdca074cf0165a4f911c28bcd418871eb5021b52e931e2e905b1f38b6e52b74766baa58373c72380906b938e19cf4c151c41c0b7d38e99194a833d884e92

memory/2744-58-0x000000013F580000-0x000000013F8D4000-memory.dmp

memory/2808-57-0x000000013F0D0000-0x000000013F424000-memory.dmp

\Windows\system\kJtZVey.exe

MD5 0dbd3ed3fe5a5d155331f3dcf756d2f3
SHA1 abfb7f8ea23184f33bfeee0ea95203823d148f52
SHA256 414d7679a560ed635e076a3a0bb2d82e53781f789addcb14d5808b458d3e9fd5
SHA512 15c97835b6eea1d811fe442f7f268f521a188ace0cbb6b78648f5233e1e6d785d8987cc3c84c408217437dbe1829a15711108c9401e6493519dc12b315195d0e

memory/1760-61-0x000000013F580000-0x000000013F8D4000-memory.dmp

memory/1760-68-0x000000013F4F0000-0x000000013F844000-memory.dmp

memory/872-69-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

memory/1968-97-0x000000013FDA0000-0x00000001400F4000-memory.dmp

C:\Windows\system\UZPUoBf.exe

MD5 f716fd6be520759156a6c8021877b67e
SHA1 4c26b610eed7c7c729d52d4aaeba0b71720243cd
SHA256 7d483e5712b63573994981dc41b9ff01d170b767c5a20bb0d5aa7ccaa7d2854d
SHA512 566dd195ae6a9ac225f47353ab90cce59b23abec48f988a66c3d17846ea093ffad1a6e1abbc5857028efd5f034b4cf07b6c12fd87e41092494a0f77fe945df6d

C:\Windows\system\jCmBUQz.exe

MD5 87601552167d328db97bac44aa602cb1
SHA1 9883b8b6f608737bf036b6fe536d8dcef40ae008
SHA256 8175efa799c461f01ddd19e3b27ad65489738a08d61f30b80f80e853570fa3a2
SHA512 42f03413fe1daad939bdbf9a82ea0206486fb65354684f4c77dd4e44ef59a854a57913b7129a87ba8b2060381b4d5dbd868769c107fa33e4f77ecab69a7282ff

memory/568-107-0x000000013F390000-0x000000013F6E4000-memory.dmp

C:\Windows\system\mkFNere.exe

MD5 ebf091e9af65401efcecb3586c6112bc
SHA1 b8bb85ef5964cbea2128303da4c5f2bf346b915f
SHA256 27852c6bf2f43250ecaf848c103c384d1678d03ea4bab77416a37f7427c191e6
SHA512 33dc285e93abcc0db8b08c3bd99cd51d14c00b3ac0c4cff84f9e4c741cc39b729e78ddaa1ab53a27fbb86ddb9759fa346ca6c59aec207529c34268cc15373511

C:\Windows\system\xlIpMjZ.exe

MD5 d61b8d744f3c5f49f8d13de8badb19f3
SHA1 784a4db7419494c3656c945f300da84b291615bd
SHA256 34ab1efc3be17d0c01657d616f78ef004f28a5aeba9b341b6598dbaca6c5eb5f
SHA512 8cea5cec97268fb7280ae28bdd4c8d557b465f2efca186e857963e945b30a21d9250c8cdef1b5b1e39cfa8f902e8f2754bc9b607c85eccac96e982c5656ed458


Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 12:04

Reported

2024-08-06 12:06

Platform

win10v2004-20240802-en

Max time kernel

139s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\vVFIaZN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CuDpVzQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UZPUoBf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EIGoakW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zggOrkf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jkoaHXl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zCkiEjq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ghFcHVg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VayUiQX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tZVCbzw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZTufAeg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xlIpMjZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PwvLyqE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kJtZVey.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eGbsGwO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jCmBUQz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mkFNere.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wSsOZdn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QBbaImr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\prjRQyC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KTLVtFK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3216 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zggOrkf.exe
PID 3216 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zggOrkf.exe
PID 3216 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vVFIaZN.exe
PID 3216 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vVFIaZN.exe
PID 3216 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wSsOZdn.exe
PID 3216 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wSsOZdn.exe
PID 3216 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CuDpVzQ.exe
PID 3216 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CuDpVzQ.exe
PID 3216 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QBbaImr.exe
PID 3216 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QBbaImr.exe
PID 3216 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\prjRQyC.exe
PID 3216 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\prjRQyC.exe
PID 3216 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KTLVtFK.exe
PID 3216 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KTLVtFK.exe
PID 3216 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PwvLyqE.exe
PID 3216 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PwvLyqE.exe
PID 3216 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kJtZVey.exe
PID 3216 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kJtZVey.exe
PID 3216 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jkoaHXl.exe
PID 3216 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jkoaHXl.exe
PID 3216 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eGbsGwO.exe
PID 3216 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eGbsGwO.exe
PID 3216 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UZPUoBf.exe
PID 3216 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UZPUoBf.exe
PID 3216 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zCkiEjq.exe
PID 3216 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zCkiEjq.exe
PID 3216 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jCmBUQz.exe
PID 3216 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jCmBUQz.exe
PID 3216 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VayUiQX.exe
PID 3216 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VayUiQX.exe
PID 3216 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EIGoakW.exe
PID 3216 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EIGoakW.exe
PID 3216 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ghFcHVg.exe
PID 3216 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ghFcHVg.exe
PID 3216 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tZVCbzw.exe
PID 3216 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tZVCbzw.exe
PID 3216 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZTufAeg.exe
PID 3216 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZTufAeg.exe
PID 3216 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xlIpMjZ.exe
PID 3216 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xlIpMjZ.exe
PID 3216 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mkFNere.exe
PID 3216 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mkFNere.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\zggOrkf.exe

C:\Windows\System\vVFIaZN.exe

C:\Windows\System\wSsOZdn.exe

C:\Windows\System\CuDpVzQ.exe

C:\Windows\System\QBbaImr.exe

C:\Windows\System\prjRQyC.exe

C:\Windows\System\KTLVtFK.exe

C:\Windows\System\PwvLyqE.exe

C:\Windows\System\kJtZVey.exe

C:\Windows\System\jkoaHXl.exe

C:\Windows\System\eGbsGwO.exe

C:\Windows\System\UZPUoBf.exe

C:\Windows\System\zCkiEjq.exe

C:\Windows\System\jCmBUQz.exe

C:\Windows\System\VayUiQX.exe

C:\Windows\System\EIGoakW.exe

C:\Windows\System\ghFcHVg.exe

C:\Windows\System\tZVCbzw.exe

C:\Windows\System\ZTufAeg.exe

C:\Windows\System\xlIpMjZ.exe

C:\Windows\System\mkFNere.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
