Malware Analysis Report

2025-01-22 19:20

Sample ID 240806-pbfwsaydqm
Target 2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat
SHA256 33d81467dabb18a777061bef0143b1ef637e3341d31ec5e224e47055526a88a0
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

33d81467dabb18a777061bef0143b1ef637e3341d31ec5e224e47055526a88a0

Threat Level: Known bad

The file 2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike family

xmrig

Cobalt Strike reflective loader

XMRig Miner payload

Xmrig family

Cobaltstrike

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 12:09

Signatures

Cobalt Strike reflective loader


Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 12:09

Reported

2024-08-06 12:11

Platform

win7-20240708-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
(this identical row was reported 21 times)

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\zdFdPHQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KuuWhve.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aiiXRwe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KYpGXCO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZuQSbvS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dfDBpFm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\akOaDSr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UhTzrQt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zobsCgP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vfhuDrU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FTdMwmY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\itIYgLo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ozeaOPd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wUdKHZw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SFrjdtO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ncgtUco.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DrAuOmJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tOgOnBV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JSJMuuH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eJiLwoM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nVHIwKX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(each row below was reported 3 times; duplicates collapsed)
PID 2092 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wUdKHZw.exe
PID 2092 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SFrjdtO.exe
PID 2092 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UhTzrQt.exe
PID 2092 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tOgOnBV.exe
PID 2092 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zobsCgP.exe
PID 2092 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JSJMuuH.exe
PID 2092 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vfhuDrU.exe
PID 2092 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FTdMwmY.exe
PID 2092 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zdFdPHQ.exe
PID 2092 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ncgtUco.exe
PID 2092 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KuuWhve.exe
PID 2092 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aiiXRwe.exe
PID 2092 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eJiLwoM.exe
PID 2092 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\itIYgLo.exe
PID 2092 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ozeaOPd.exe
PID 2092 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DrAuOmJ.exe
PID 2092 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KYpGXCO.exe
PID 2092 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nVHIwKX.exe
PID 2092 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\akOaDSr.exe
PID 2092 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZuQSbvS.exe
PID 2092 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dfDBpFm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\wUdKHZw.exe

C:\Windows\System\wUdKHZw.exe

C:\Windows\System\SFrjdtO.exe

C:\Windows\System\SFrjdtO.exe

C:\Windows\System\UhTzrQt.exe

C:\Windows\System\UhTzrQt.exe

C:\Windows\System\tOgOnBV.exe

C:\Windows\System\tOgOnBV.exe

C:\Windows\System\zobsCgP.exe

C:\Windows\System\zobsCgP.exe

C:\Windows\System\JSJMuuH.exe

C:\Windows\System\JSJMuuH.exe

C:\Windows\System\vfhuDrU.exe

C:\Windows\System\vfhuDrU.exe

C:\Windows\System\FTdMwmY.exe

C:\Windows\System\FTdMwmY.exe

C:\Windows\System\zdFdPHQ.exe

C:\Windows\System\zdFdPHQ.exe

C:\Windows\System\ncgtUco.exe

C:\Windows\System\ncgtUco.exe

C:\Windows\System\KuuWhve.exe

C:\Windows\System\KuuWhve.exe

C:\Windows\System\aiiXRwe.exe

C:\Windows\System\aiiXRwe.exe

C:\Windows\System\eJiLwoM.exe

C:\Windows\System\eJiLwoM.exe

C:\Windows\System\itIYgLo.exe

C:\Windows\System\itIYgLo.exe

C:\Windows\System\ozeaOPd.exe

C:\Windows\System\ozeaOPd.exe

C:\Windows\System\DrAuOmJ.exe

C:\Windows\System\DrAuOmJ.exe

C:\Windows\System\KYpGXCO.exe

C:\Windows\System\KYpGXCO.exe

C:\Windows\System\nVHIwKX.exe

C:\Windows\System\nVHIwKX.exe

C:\Windows\System\akOaDSr.exe

C:\Windows\System\akOaDSr.exe

C:\Windows\System\ZuQSbvS.exe

C:\Windows\System\ZuQSbvS.exe

C:\Windows\System\dfDBpFm.exe

C:\Windows\System\dfDBpFm.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp
(this identical connection was reported 6 times)

Files

memory/2092-0-0x000000013FCF0000-0x0000000140041000-memory.dmp

memory/2092-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\wUdKHZw.exe

MD5 c48665e50042755fd19cd3545c9b1403
SHA1 84ff5e1c0386aedddf8a11847492b760a9e1c5f7
SHA256 8ef54ace60e5cb7353c0e26326d491e844fb84fede43e8080b4b064a74d08559
SHA512 68b30634548d7a4ba125459354036d15ae67d918eef66a53d3d147b42d65ffaf4302f5a96bc8a383c26bbc8180300fdc923b44d6a245eddfd0fe0a9a421ae7b1

memory/2092-6-0x0000000002230000-0x0000000002581000-memory.dmp

memory/2524-8-0x000000013FBD0000-0x000000013FF21000-memory.dmp

\Windows\system\SFrjdtO.exe

MD5 a17655d9bdf7ab973192031a459cc283
SHA1 1c6dc291b38ea38066a794fa8180fbba7d37e0f2
SHA256 5a74ef7e58514d433fdc89ee11dcdb6c472980854fbf69932cb63110aa7143e4
SHA512 434675a44d1f2833219a111e4ebd3b721c16f1ecb4e61080c4fa3a2fd6f3abe7632f2dfa9f0f39d88ed472f4d09dbe98c048ecc2dd47db534a35aa13d0dc5c55

C:\Windows\system\UhTzrQt.exe

MD5 1f9d6578fcfbc6d8a201806764c141ca
SHA1 e1955fcbd58223748c87d17c606fa0462871d3b9
SHA256 24393385d3ad3ffe3adf5264300266c017f1d264a8f1189ba5061545b3d0db0f
SHA512 bb25bd9bf71cf61199b71868f7215fc0821177cf6e83afa109e95982161ebff37c146a81d0206f57c5bf761d4ba30c08f22879c041ab01f1a5703da4dbfc3788

C:\Windows\system\tOgOnBV.exe

MD5 9a999330003584a5f12f74d47906d007
SHA1 c67b796afe2f09771b3faa5ece75eb380df2633d
SHA256 d28b274fea84f0134522ad875f22ad720dadf38fe0e7506d3a513bc9985d229a
SHA512 33498f4691e3bce0e91b5a2ffbad27d07069d2471cd247f5cb7ddfb18e35235aa11323e170d2054e3e54fa8c30ee56c729c614f7340f99877ca8ba3c12306e26

memory/2092-32-0x000000013F8E0000-0x000000013FC31000-memory.dmp

memory/2132-26-0x000000013F8E0000-0x000000013FC31000-memory.dmp

\Windows\system\zobsCgP.exe

MD5 08be2903987e85c4e25e1bf69b5e16e9
SHA1 f526f9ce295fff4eec216d6cc0e86dbeb589fd4a
SHA256 291584b629697f8574f2ec3e2019b1268faa761367578c659b2e04e415b31df8
SHA512 2854584b254085c32aacce6f50e967ef3dfb3f0470c428a03f14e51cc357669b8cb4d4a330e044ed0376f67d278826ca37e2612d3246fc357317f87bd991042b

C:\Windows\system\JSJMuuH.exe

MD5 935200058f5998400a2e9efafd15f32e
SHA1 27e1d4843fb7f1426202778ff15a940156b436ab
SHA256 244e1c85fa8baf0cb036d7626b3a5bf9b6ad58e456beb7bf57f53add7f6603e0
SHA512 17a73cb07c42cd224bd04c457bef1f87df9324fb30ede3a2362944c73871714782a8e543d11faddf01fddd501ae1c4f2d69c6a23da826cc4b543bcd012bc1896

memory/2760-39-0x000000013F780000-0x000000013FAD1000-memory.dmp

memory/2836-40-0x000000013F640000-0x000000013F991000-memory.dmp

memory/2960-48-0x000000013F8E0000-0x000000013FC31000-memory.dmp

memory/2092-47-0x000000013F8E0000-0x000000013FC31000-memory.dmp

C:\Windows\system\vfhuDrU.exe

MD5 2d80dc1cf3248d6fbf27507827fd356d
SHA1 ff8b9aa7c2718908379349ab61c09302aa43f1f4
SHA256 a8d7e26c30d53cdc3f730066a8dd7c080e0e48988e42ca9e74346f67e084be46
SHA512 442618859a4e5d6c61284a6c91d69455d8b169f8aff6e929f7c1bfaffd75b1388fcc257ccd5d38a6cdd17179b71448cc19b3c4ea549c9f9398350b1ecc80af9d

C:\Windows\system\FTdMwmY.exe

MD5 d2125e2f558ba76a07a19cbe50f47e7d
SHA1 66c08d4d876c847d9be7c7de382f3c7db11c1582
SHA256 8a2d113290a9019a92afd2e81c556f64c860170c69f779bcb1aa233f6dc57910
SHA512 e9933212f1c2c013dfd0381c13e2c892062c40bb177fa7bf471320422cf3544c6a229ba702d8737828b32aff4f1463bd4bc6b1acdd7f5e03555bf969bd245c17

memory/2844-56-0x000000013F230000-0x000000013F581000-memory.dmp

memory/2092-54-0x000000013F230000-0x000000013F581000-memory.dmp

memory/2092-34-0x000000013F640000-0x000000013F991000-memory.dmp

memory/2092-33-0x000000013F420000-0x000000013F771000-memory.dmp

memory/2720-31-0x000000013F420000-0x000000013F771000-memory.dmp

memory/2080-20-0x000000013FFA0000-0x00000001402F1000-memory.dmp

C:\Windows\system\zdFdPHQ.exe

MD5 935dcc01409464415a3f26b427f83137
SHA1 8477c06b19d5664c493b2a8766e9817f3c21cb54
SHA256 b69fb0b11fac19f381e4f078733e69823f5eaa269177153618377da8f364dc79
SHA512 9ffb8e4e2f6b2e2feaa1d38bafff81f3e096d9375ae5756402fb0c8df1c7f8441257bf7d7b6de9605958a5e1d4672d49a5c85a6689639a4cdeb7b22877e1eddd

memory/2684-70-0x000000013F670000-0x000000013F9C1000-memory.dmp

C:\Windows\system\aiiXRwe.exe

MD5 78c9f0a2eae7106f92735bda8e35dff1
SHA1 a724e7952a5d3d008d3bbddf293edc59f8e7d622
SHA256 963c96fb17d0684f0141e677bb2532af302b10962da84c1e61b388af0f9aad30
SHA512 61c71aead4f5b6c5fee73b7304dfff609fd188be4368a39f5d2bca6f508b66beb2fe4a64560b1edfa06949e5a5154e009a11cac883940ae946df1a22b08156dd

memory/1812-81-0x000000013FB90000-0x000000013FEE1000-memory.dmp

memory/2660-75-0x000000013F9D0000-0x000000013FD21000-memory.dmp

\Windows\system\itIYgLo.exe

MD5 d9fdb3fbd7234977b8ec5ae4b54440aa
SHA1 a8888978bc1b9adfc4f6ad73a2117ed9a756de6c
SHA256 1f022fa0f8a84bd29408f3d4861bafb68fdb678ab6a75254099e495450725167
SHA512 7b32d44bd7f16151fd2cef02f2f5767f3dfed1f3cbebcc5d58ff902586f44cc6e535a790f2c8c39c4ff2ef28df27c606259e65b4f349a4956e9206901a1320e6

memory/1736-96-0x000000013FAE0000-0x000000013FE31000-memory.dmp

memory/2092-103-0x000000013F040000-0x000000013F391000-memory.dmp

C:\Windows\system\ZuQSbvS.exe

MD5 5173550d7fc3c261297d90763946055d
SHA1 2a994e02258e73cbdb8690af14cea05946aece98
SHA256 67ecdf47594e3b6e7cef86dbfb9a61d6e8f4b45736ee56cc683cd1d0aff0a3bc
SHA512 d5340f0983beee172123b9c16ddf1976b5ee312c4e061483c356430707a5c7114bf9e1c13b8f45d85c875e1d8b999ade56aa901b63e830a819a73c18031a7064

\Windows\system\dfDBpFm.exe

MD5 d5d97f049b3fef7e62f730998a8f1e0a
SHA1 f9739b0280df49dd522e97212d38436c03a21c89
SHA256 3fe69702ab75c6ea779507e964930bdfef16526f5289894b5e459155438a3447
SHA512 7809043e6d0875cb3c69fefd923307312214e8eb4381c756c556c184f8fd786bf815011ce5bfcee9c37bb68c70106a422d5837e70eaaf3940fca9f54d34c9afe

C:\Windows\system\akOaDSr.exe

MD5 208783e2940fc93cd73a107eb39a0825
SHA1 d91d2e84002659cbe4f644b93e3a78ce1d54b4e2
SHA256 274462de7dac0f962641aa2eab6adcb0b701b4105615bf550d8d5ddebd14e14b
SHA512 6e1afa9d52c60d831293390cc3c28de763a73a04b70b68bfcbb3f7e3b9935bee7ab3575bb5aeac334243a10640e239948b55dd0597936607b612f74946da7b42

C:\Windows\system\KYpGXCO.exe

MD5 38049dc88d53f7407908e38361e71cc9
SHA1 dd33b4b332443637b2608fd13fdc4a73afb86f63
SHA256 003a87538879a58b633c57ccb724c7dca3304d7ba34557c8fd423e476dff6f05
SHA512 572e8a9e94c185510e158dce920e67809abe2850071b26f698af21ab3d95906b1ad82d35cc3e45477b4cdd65b58cf50450f8ca6ab070b10526845c62428694c6

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 12:09

Reported

2024-08-06 12:11

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\itIYgLo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SFrjdtO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UhTzrQt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JSJMuuH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vfhuDrU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eJiLwoM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nVHIwKX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aiiXRwe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KYpGXCO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\akOaDSr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZuQSbvS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dfDBpFm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ozeaOPd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wUdKHZw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tOgOnBV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zobsCgP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FTdMwmY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zdFdPHQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ncgtUco.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KuuWhve.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DrAuOmJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4604 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wUdKHZw.exe
PID 4604 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wUdKHZw.exe
PID 4604 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SFrjdtO.exe
PID 4604 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SFrjdtO.exe
PID 4604 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UhTzrQt.exe
PID 4604 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UhTzrQt.exe
PID 4604 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tOgOnBV.exe
PID 4604 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tOgOnBV.exe
PID 4604 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zobsCgP.exe
PID 4604 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zobsCgP.exe
PID 4604 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JSJMuuH.exe
PID 4604 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JSJMuuH.exe
PID 4604 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vfhuDrU.exe
PID 4604 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vfhuDrU.exe
PID 4604 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FTdMwmY.exe
PID 4604 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FTdMwmY.exe
PID 4604 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zdFdPHQ.exe
PID 4604 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zdFdPHQ.exe
PID 4604 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ncgtUco.exe
PID 4604 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ncgtUco.exe
PID 4604 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KuuWhve.exe
PID 4604 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KuuWhve.exe
PID 4604 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aiiXRwe.exe
PID 4604 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aiiXRwe.exe
PID 4604 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eJiLwoM.exe
PID 4604 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eJiLwoM.exe
PID 4604 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\itIYgLo.exe
PID 4604 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\itIYgLo.exe
PID 4604 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ozeaOPd.exe
PID 4604 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ozeaOPd.exe
PID 4604 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DrAuOmJ.exe
PID 4604 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DrAuOmJ.exe
PID 4604 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KYpGXCO.exe
PID 4604 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KYpGXCO.exe
PID 4604 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nVHIwKX.exe
PID 4604 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nVHIwKX.exe
PID 4604 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\akOaDSr.exe
PID 4604 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\akOaDSr.exe
PID 4604 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZuQSbvS.exe
PID 4604 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZuQSbvS.exe
PID 4604 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dfDBpFm.exe
PID 4604 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dfDBpFm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\wUdKHZw.exe

C:\Windows\System\wUdKHZw.exe

C:\Windows\System\SFrjdtO.exe

C:\Windows\System\SFrjdtO.exe

C:\Windows\System\UhTzrQt.exe

C:\Windows\System\UhTzrQt.exe

C:\Windows\System\tOgOnBV.exe

C:\Windows\System\tOgOnBV.exe

C:\Windows\System\zobsCgP.exe

C:\Windows\System\zobsCgP.exe

C:\Windows\System\JSJMuuH.exe

C:\Windows\System\JSJMuuH.exe

C:\Windows\System\vfhuDrU.exe

C:\Windows\System\vfhuDrU.exe

C:\Windows\System\FTdMwmY.exe

C:\Windows\System\FTdMwmY.exe

C:\Windows\System\zdFdPHQ.exe

C:\Windows\System\zdFdPHQ.exe

C:\Windows\System\ncgtUco.exe

C:\Windows\System\ncgtUco.exe

C:\Windows\System\KuuWhve.exe

C:\Windows\System\KuuWhve.exe

C:\Windows\System\aiiXRwe.exe

C:\Windows\System\aiiXRwe.exe

C:\Windows\System\eJiLwoM.exe

C:\Windows\System\eJiLwoM.exe

C:\Windows\System\itIYgLo.exe

C:\Windows\System\itIYgLo.exe

C:\Windows\System\ozeaOPd.exe

C:\Windows\System\ozeaOPd.exe

C:\Windows\System\DrAuOmJ.exe

C:\Windows\System\DrAuOmJ.exe

C:\Windows\System\KYpGXCO.exe

C:\Windows\System\KYpGXCO.exe

C:\Windows\System\nVHIwKX.exe

C:\Windows\System\nVHIwKX.exe

C:\Windows\System\akOaDSr.exe

C:\Windows\System\akOaDSr.exe

C:\Windows\System\ZuQSbvS.exe

C:\Windows\System\ZuQSbvS.exe

C:\Windows\System\dfDBpFm.exe

C:\Windows\System\dfDBpFm.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
