Malware Analysis Report

2025-01-22 19:30

Sample ID 240806-nyfzmascjg
Target 2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat
SHA256 4a15551f1333d91c072a7b6e906fbc762b6ae653e2de7d49b603515032be7bef
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4a15551f1333d91c072a7b6e906fbc762b6ae653e2de7d49b603515032be7bef

Threat Level: Known bad

The file 2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobalt Strike reflective loader

Cobaltstrike family

XMRig Miner payload

Cobaltstrike

Xmrig family

xmrig

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 11:48

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 11:48

Reported

2024-08-06 11:50

Platform

win7-20240704-en

Max time kernel

125s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\VXaiLvd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Xsanmee.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CToUlyG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qyxbwKZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zepgMvL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EFLyQHK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RColiIL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\msrbUKV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NTqWRZH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kKajgoW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\McHXXIy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dctEOCV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\heKzACg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lesYhVK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UHjJpwi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LyXAHMQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lXbjlAF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vqBsAZD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xSYsfEn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XDkNtPd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aDxtuZg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2152 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NTqWRZH.exe
PID 2152 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LyXAHMQ.exe
PID 2152 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lXbjlAF.exe
PID 2152 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CToUlyG.exe
PID 2152 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vqBsAZD.exe
PID 2152 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qyxbwKZ.exe
PID 2152 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kKajgoW.exe
PID 2152 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zepgMvL.exe
PID 2152 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\McHXXIy.exe
PID 2152 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dctEOCV.exe
PID 2152 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\heKzACg.exe
PID 2152 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VXaiLvd.exe
PID 2152 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EFLyQHK.exe
PID 2152 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xSYsfEn.exe
PID 2152 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XDkNtPd.exe
PID 2152 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RColiIL.exe
PID 2152 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aDxtuZg.exe
PID 2152 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lesYhVK.exe
PID 2152 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UHjJpwi.exe
PID 2152 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Xsanmee.exe
PID 2152 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\msrbUKV.exe

Processes

Process Command Line
C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe "C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\NTqWRZH.exe C:\Windows\System\NTqWRZH.exe
C:\Windows\System\LyXAHMQ.exe C:\Windows\System\LyXAHMQ.exe
C:\Windows\System\lXbjlAF.exe C:\Windows\System\lXbjlAF.exe
C:\Windows\System\CToUlyG.exe C:\Windows\System\CToUlyG.exe
C:\Windows\System\vqBsAZD.exe C:\Windows\System\vqBsAZD.exe
C:\Windows\System\qyxbwKZ.exe C:\Windows\System\qyxbwKZ.exe
C:\Windows\System\kKajgoW.exe C:\Windows\System\kKajgoW.exe
C:\Windows\System\zepgMvL.exe C:\Windows\System\zepgMvL.exe
C:\Windows\System\McHXXIy.exe C:\Windows\System\McHXXIy.exe
C:\Windows\System\dctEOCV.exe C:\Windows\System\dctEOCV.exe
C:\Windows\System\heKzACg.exe C:\Windows\System\heKzACg.exe
C:\Windows\System\VXaiLvd.exe C:\Windows\System\VXaiLvd.exe
C:\Windows\System\EFLyQHK.exe C:\Windows\System\EFLyQHK.exe
C:\Windows\System\xSYsfEn.exe C:\Windows\System\xSYsfEn.exe
C:\Windows\System\XDkNtPd.exe C:\Windows\System\XDkNtPd.exe
C:\Windows\System\RColiIL.exe C:\Windows\System\RColiIL.exe
C:\Windows\System\aDxtuZg.exe C:\Windows\System\aDxtuZg.exe
C:\Windows\System\lesYhVK.exe C:\Windows\System\lesYhVK.exe
C:\Windows\System\UHjJpwi.exe C:\Windows\System\UHjJpwi.exe
C:\Windows\System\Xsanmee.exe C:\Windows\System\Xsanmee.exe
C:\Windows\System\msrbUKV.exe C:\Windows\System\msrbUKV.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2152-38-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

memory/1672-21-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 11:48

Reported

2024-08-06 11:50

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\zFKPolL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jOJLyVo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VEnTLEW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tgGPzqs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aalUrXi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ctYkYNi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ULvpiLp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OTieEbC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OXYWeys.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SmSlnZv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LLcSFlP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DWSYWEm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vAilNgr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QuAEFWf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\efcBEpQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mhMQJGt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ESiXKsb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JxqtBTx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\swqulVo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dsBevqm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ibeREOL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4312 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DWSYWEm.exe
PID 4312 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DWSYWEm.exe
PID 4312 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JxqtBTx.exe
PID 4312 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JxqtBTx.exe
PID 4312 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\swqulVo.exe
PID 4312 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\swqulVo.exe
PID 4312 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ULvpiLp.exe
PID 4312 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ULvpiLp.exe
PID 4312 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zFKPolL.exe
PID 4312 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zFKPolL.exe
PID 4312 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jOJLyVo.exe
PID 4312 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jOJLyVo.exe
PID 4312 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OTieEbC.exe
PID 4312 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OTieEbC.exe
PID 4312 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vAilNgr.exe
PID 4312 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vAilNgr.exe
PID 4312 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OXYWeys.exe
PID 4312 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OXYWeys.exe
PID 4312 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dsBevqm.exe
PID 4312 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dsBevqm.exe
PID 4312 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SmSlnZv.exe
PID 4312 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SmSlnZv.exe
PID 4312 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VEnTLEW.exe
PID 4312 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VEnTLEW.exe
PID 4312 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tgGPzqs.exe
PID 4312 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tgGPzqs.exe
PID 4312 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QuAEFWf.exe
PID 4312 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QuAEFWf.exe
PID 4312 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aalUrXi.exe
PID 4312 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aalUrXi.exe
PID 4312 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ibeREOL.exe
PID 4312 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ibeREOL.exe
PID 4312 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ctYkYNi.exe
PID 4312 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ctYkYNi.exe
PID 4312 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mhMQJGt.exe
PID 4312 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mhMQJGt.exe
PID 4312 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ESiXKsb.exe
PID 4312 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ESiXKsb.exe
PID 4312 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\efcBEpQ.exe
PID 4312 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\efcBEpQ.exe
PID 4312 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LLcSFlP.exe
PID 4312 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LLcSFlP.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\DWSYWEm.exe

C:\Windows\System\DWSYWEm.exe

C:\Windows\System\JxqtBTx.exe

C:\Windows\System\JxqtBTx.exe

C:\Windows\System\swqulVo.exe

C:\Windows\System\swqulVo.exe

C:\Windows\System\ULvpiLp.exe

C:\Windows\System\ULvpiLp.exe

C:\Windows\System\zFKPolL.exe

C:\Windows\System\zFKPolL.exe

C:\Windows\System\jOJLyVo.exe

C:\Windows\System\jOJLyVo.exe

C:\Windows\System\OTieEbC.exe

C:\Windows\System\OTieEbC.exe

C:\Windows\System\vAilNgr.exe

C:\Windows\System\vAilNgr.exe

C:\Windows\System\OXYWeys.exe

C:\Windows\System\OXYWeys.exe

C:\Windows\System\dsBevqm.exe

C:\Windows\System\dsBevqm.exe

C:\Windows\System\SmSlnZv.exe

C:\Windows\System\SmSlnZv.exe

C:\Windows\System\VEnTLEW.exe

C:\Windows\System\VEnTLEW.exe

C:\Windows\System\tgGPzqs.exe

C:\Windows\System\tgGPzqs.exe

C:\Windows\System\QuAEFWf.exe

C:\Windows\System\QuAEFWf.exe

C:\Windows\System\aalUrXi.exe

C:\Windows\System\aalUrXi.exe

C:\Windows\System\ibeREOL.exe

C:\Windows\System\ibeREOL.exe

C:\Windows\System\ctYkYNi.exe

C:\Windows\System\ctYkYNi.exe

C:\Windows\System\mhMQJGt.exe

C:\Windows\System\mhMQJGt.exe

C:\Windows\System\ESiXKsb.exe

C:\Windows\System\ESiXKsb.exe

C:\Windows\System\efcBEpQ.exe

C:\Windows\System\efcBEpQ.exe

C:\Windows\System\LLcSFlP.exe

C:\Windows\System\LLcSFlP.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/4312-0-0x00007FF7BC0A0000-0x00007FF7BC3F4000-memory.dmp

memory/4312-1-0x0000025B8C460000-0x0000025B8C470000-memory.dmp

C:\Windows\System\DWSYWEm.exe

MD5 11cd214f43f9f1d1466fda83edcfe64d
SHA1 d8ba68c242a65c3a00bf33abe984adcc744afb3c
SHA256 ac78afc25fb657b12662dfc6a5b9baa9137e8ee6800e3fbc731c13db17776766
SHA512 238e546713fcf3750ea2bb8de51222fc956c520f1828e0d3eca1daa465ead1019f01b5b1455ec5ef26f0888a100f53721034052ae95e8476448c79667b97672b

memory/5016-6-0x00007FF7012B0000-0x00007FF701604000-memory.dmp

C:\Windows\System\swqulVo.exe

MD5 5df1343fcd6ba8cee5a5efab539ed0a4
SHA1 b849d63831d15cd2f56f4470f8655c5404cde8ff
SHA256 e661e1c61f4fd128264def833e106b9ae55f2d5d286fc8ded59ed405e62ffb4e
SHA512 e36474bf246be737a8b763c32c43c6d0bc0d7cdd3747b0626e5a491e2ecbb7d25ec70baab45969e2b2576a496d4092d50d43c79faddf8a455adf8bf359ecfdc0

C:\Windows\System\JxqtBTx.exe

MD5 908126ec112989102266e6e2533ceaa6
SHA1 c459591206d11c36c718f7a6507b8148b3b08167
SHA256 4128d18f4016c408930a4ebc92b923550d88491f897e1c937c4541ac6a375e7c
SHA512 01b828851097396eef2f615183d76b0c73913a9e9d5feae0077307808d4797f8b2c9312ff25316687679a6300367a6573e1dda083105dc6b5fd04aba14f7a0c4

memory/4868-14-0x00007FF771A60000-0x00007FF771DB4000-memory.dmp

C:\Windows\System\ULvpiLp.exe

MD5 cabe945f88074d039cf580735d5a30c8
SHA1 ddd03583d7bf214ce41dd2b4f5a3bf0636f54a1c
SHA256 95d6b68499e0ac395caac73591939aa27f5668e4bf1b7d91b83dbe367cd4d5c2
SHA512 24870ddf2cc9de6c4fbc374b47dba9d169fb4cc9871a25f7c9e4aa0fa0982fb50191369d89e5bd33801205c875ae0c9ba46e6f8b3eef232bc6d8a4767c809928

C:\Windows\System\zFKPolL.exe

MD5 1547f22b312d34baf2fe6ef010340813
SHA1 f805ed540146c198b0cfe71519d1bd74401545bb
SHA256 a29463d8ad4c5c940ef97bff81e895668337d431f3f69ca4c7a93427213d1571
SHA512 e10af60af098d8d21494b9662ebdeb3e210d3df677fd02400e26df23bc4c55953909a2131dbff73018ccb8386420ef2ec526e6e0b0341718b6d6344b1cae3a4f

C:\Windows\System\vAilNgr.exe

MD5 ed76945c1ab28e80613d162135e8957f
SHA1 304cf333a6e4dac7242a7c58ffef0cde329f0bb8
SHA256 e31c6020d054b233974c459de5c9045a23b00894a0d5f45ec65c6f3af8c8f3af
SHA512 be6562c2816b939fb6322b808ca2a2e8d2fd4eec740f10f925420a6323ebe374187a43715ae84dbc61babeb151c2588a417f0602d0053b771c65fc6f619959f5

memory/1072-43-0x00007FF70F1A0000-0x00007FF70F4F4000-memory.dmp

C:\Windows\System\dsBevqm.exe

MD5 d264b340d98ec88b2ff3214077eba5a9
SHA1 69584e686c46581f49a05abf385d3603b7149628
SHA256 fe0fd8c2446f2fbb2012397f4fdcadbee1bc6fcab55a4bf6faf13c0f7440b567
SHA512 56080b71ee12f1b74d3ce4e3a2c0fe43dde975009d3bf59f44d04da36ae39004cf6212d0e8178da3e04aa0e0a40a54fd259aac794afc28a6a6ce13a02a1a313b

C:\Windows\System\SmSlnZv.exe

MD5 6fa424e5b57e4e468e8bb03f8e1b7c41
SHA1 cbe16b72aec2b8023d4abf35105419f4b419cdbe
SHA256 27c28ffc6d740b27b9c8d747c86dadcef0007ba500df53a4d0a30a44ae585f5f
SHA512 e321e48e87f69c504d4ad3bb67acee2824444639fd4f0511ebf462659c364eaec49d2e8c63eadacb7bd89f196f1b949ae29741bbe43bf256135e5bad9f2b2ee8

C:\Windows\System\tgGPzqs.exe

MD5 0f733dbc49f4e627b4e5704144b1db87
SHA1 914e763f78a9987cece6ebbfeb46f1aeee24530d
SHA256 435ccd0a0925e084f02ea802ea730de03bff6aa6a6593d76752e2ed882c1078e
SHA512 2f1991625943f71aac77f194ddea9363fc34968a137841e9895c2fe6890d533c49524777ddcc8023b2ca6fafa8b0d01f8c07801cf6e87846dd973dcc463b149c

C:\Windows\System\aalUrXi.exe

MD5 b097e9f6f830b09d8ddda4c4c79654be
SHA1 4d0e0f2faf17b1a595e2e6f78ad4903375df3b68
SHA256 19742d9a6ab3d3662e7aff1403a01c398e835ad7d712379048e4d8e80f8f9993
SHA512 efb41aaa77f323ca69e198d3af49c0bd2f3f241db5be89ca8ba6b57b71692d40a6a1e49811b4df2d8a38cf80ae7a038e65c3761982732274c3e3c1dc8eeb12fd

C:\Windows\System\ibeREOL.exe

MD5 bc2f866539525d442a8724361c3fdbb9
SHA1 1b454aa3e6dd6ea315f96a6f62cc3508cd2c3cd9
SHA256 3e45c478f68d8bc8c236852c945e5d0cb75b1dd84e3878069c5760ea51c19de6
SHA512 7f25cbb088acffd0a9092c7e2cdc5b9640ee3e9998659af9a8225bdb74a95eacdc0e85671411e99847912f4691d18e04054337cbae225f9dc75851fd0267b3c8

C:\Windows\System\QuAEFWf.exe

MD5 2aa14126ae39508b7f822c557587eb9e
SHA1 a734ef06ad54a368ca961b42ba4b475134a57903
SHA256 822e88d7fda5420030c57b5d4c6ad8e2e1e65f5dc6c3a27f1f89d0a53081c2c5
SHA512 0ebf44d209ca9302d87c3bc461e149ee05b84d69c520829ad48d5d5e0243f7677098fea8b8705e07a8d4a86efc5ee6a5b2d4d0744e5a0c247ab620778b438c60

memory/4196-96-0x00007FF64E360000-0x00007FF64E6B4000-memory.dmp

C:\Windows\System\ctYkYNi.exe

MD5 706559a6499a211caa84207b4d5f1b65
SHA1 9fa934be222e3166722ce07576f6834eb3945429
SHA256 641e5d647dc102893614ffbeec4264494f4b79a08f43bb373e2cf57208283f63
SHA512 3160f031f937f679f96f7d8ac512d212524e60c5ef7420412b3eff6b9fe55cec8f6270fc01e7882ea5828731a9b565942f729782d5a40c2c5ba9349357d7cd8b

memory/3148-89-0x00007FF65C950000-0x00007FF65CCA4000-memory.dmp

C:\Windows\System\VEnTLEW.exe

MD5 90845e57e4d8d525b3abbdb346dc4858
SHA1 16dd1bf5e7baef7380157762651a8f1ccd21616c
SHA256 018037a3ba643a64cf41cb4478a625367cf84f245909130c9fb81602276cd136
SHA512 861db115609a1fe690cdd16b82c5df5b3262580ea923f61ea07022f511f447a20667d67ff764dd534892e94f4a4bfd9f7e199663effc5ddae2033958ea30e3f4

memory/5028-84-0x00007FF6DBCE0000-0x00007FF6DC034000-memory.dmp

memory/2680-71-0x00007FF6A5B60000-0x00007FF6A5EB4000-memory.dmp

C:\Windows\System\OXYWeys.exe

MD5 38a70b7ad957ba55544ad496135ede7e
SHA1 29261fcb46aa48edf57cfdb4518d95aab87d618a
SHA256 a22af28a564fb4b3eb22eae0f0294c46d6231d4ddf904b234d18ca00f120fc10
SHA512 5a1f89fa4465010b4aba71ec123ceed5195da3b91090e7ecea378575bfd97c3b6998594c12832fe6a0d53d3fe307c8aaa2dc834bf6ef8af12323cb2d9946c557

C:\Windows\System\OTieEbC.exe

MD5 17541ed5f48daf62655483b6baed792d
SHA1 71a88fdc93be87906a61c6696d5c876aae3f2511
SHA256 ea6f2cc33c907ce5ddeaa49fb550522cbf1359115fdee46bfbd6700e5c4834e0
SHA512 315fa21e3a87ba8e44346a6961cc6ac2f4a091f36c94fef0c693f52eaf38d0d9d9897ded14ad124f8de88710e55b72d981d5e200e83d588bc8db0c9187db5a48

memory/4660-44-0x00007FF7B82C0000-0x00007FF7B8614000-memory.dmp

C:\Windows\System\jOJLyVo.exe

MD5 64f3dfdbc29ce9ec7d5bd3c2565075d7
SHA1 fb54a64dea4fa3f75d377c6df87c4c7b792bcd34
SHA256 aa39f09437ffe6268dcf1ef7d74a0f16835f3b0f2d2e10f203ed89cb5b09bcb9
SHA512 d36d0f6a420c2e11eb1531a0479e1cc099763b2c7e973582be30337eba23384fc752e98e6994c83d223aa35824831a9aac4701a3c834cea3c2bf9e3d3dacb4f6

memory/4512-36-0x00007FF6A5B40000-0x00007FF6A5E94000-memory.dmp

memory/2032-29-0x00007FF7FD880000-0x00007FF7FDBD4000-memory.dmp

memory/3512-23-0x00007FF6A81E0000-0x00007FF6A8534000-memory.dmp

C:\Windows\System\mhMQJGt.exe

MD5 33d0781a26a686da787f82889a72c919
SHA1 1d320b8ab71e116cc185bfbddb06ebda5cf3cd9c
SHA256 9c4f9353d8b43a5c0a4c027e68274af631cc14a06cf24f66f75bb37365a893c0
SHA512 523e3cedce2de8874a24dbac9d52ebb5de003f3fb22963ad50cf4758305e5e68dafa098f975abd4b061f77fb123264321fde57964ae328f8ad753c8826a63de9

C:\Windows\System\efcBEpQ.exe

MD5 8a8953755729d89371af9c97ffd7a7b8
SHA1 3711eff160b10a8ba6ef177226f6433ace16ad5f
SHA256 3db8d0064c71f1dfb0cc95ad163ad10fbf349f1bea17e07e3fc151648ffae740
SHA512 575347e92a2c6028ee1a97f21088d5223a23ed5e92602d0b3a71dfb5a7578c963a46b9141e47610e1047e9a19dd313d2c75e34977a4553a2d7d31e44f48431a0

C:\Windows\System\LLcSFlP.exe

MD5 fbe8ea95b531d411cc9f5ddcbb286391
SHA1 313203c890ffec5119391c6b54ba0137a3c6e720
SHA256 f77df977c72641d693c710081ed187be22323b79a6beaf3456f79e199d31b4e1
SHA512 9a500be921827222e30e57ac28cc2788b1caf91f3de00da74f23d633fc893d8ba80d8cfb1b7dea4cebf8ea8838e18cbc4ed15b176af19ec15a595969e0fb3d78

memory/1716-126-0x00007FF7BF0A0000-0x00007FF7BF3F4000-memory.dmp

memory/4312-127-0x00007FF7BC0A0000-0x00007FF7BC3F4000-memory.dmp

memory/4396-117-0x00007FF670740000-0x00007FF670A94000-memory.dmp

C:\Windows\System\ESiXKsb.exe

MD5 0895ab5bcf5948a1a1fae075a8923ed0
SHA1 95d7f769728df1ff1cc25ac09e543df91d41e994
SHA256 7f38632a70471fc729022cec7f81ad61c718e9301dc2957667a7293f21836e80
SHA512 2fbad4ce48241b0062e81b0bbc346d3dfcc04ccd14a4f59177a8732630a424f33bfb48150e3af8582291f01b6c9cc00dd31ce3bbd539b7d374cdeddee1cf33ef

memory/1976-112-0x00007FF6E8120000-0x00007FF6E8474000-memory.dmp
