Malware Analysis Report

2025-01-22 19:27

Sample ID 240806-psbndstaqd
Target 2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat
SHA256 0c5ad5ccdf16e3e5cf96f01762d5c919b816354981f303251e10cee5e3992ae8
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0c5ad5ccdf16e3e5cf96f01762d5c919b816354981f303251e10cee5e3992ae8

Threat Level: Known bad

The file 2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike

xmrig

Xmrig family

Cobalt Strike reflective loader

XMRig Miner payload

Cobaltstrike family

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 12:35

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 12:35

Reported

2024-08-06 12:37

Platform

win7-20240705-en

Max time kernel

136s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 matches, none with a description, indicator, process or target recorded

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
64 matches, none with a description, indicator, process or target recorded

Loads dropped DLL

Description Indicator Process Target
21 matches, all from the same process, with no description, indicator or target recorded:
C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file

upx
Description Indicator Process Target
63 matches, none with a description, indicator, process or target recorded

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\MNOFtHs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CrrKtyH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nadISpb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lrfacZC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HppnXEo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EQbaVww.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SFLiCBR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EsYDsaK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BiexykG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qPMWvDa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IcqYWzC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IDrnSgB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iggNMKl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eFgZIFF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TRXygMU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sOUkhFs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GdMHqfQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cnPddfu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iyLiLHM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WufaZLx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lXrYFLu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Process in every row: C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe (PID 2352). Each target below was written to three times (three identical events per child).

Description Indicator Target
PID 2352 wrote to memory of 2528 N/A C:\Windows\System\sOUkhFs.exe
PID 2352 wrote to memory of 2100 N/A C:\Windows\System\EsYDsaK.exe
PID 2352 wrote to memory of 2472 N/A C:\Windows\System\BiexykG.exe
PID 2352 wrote to memory of 2868 N/A C:\Windows\System\qPMWvDa.exe
PID 2352 wrote to memory of 1924 N/A C:\Windows\System\MNOFtHs.exe
PID 2352 wrote to memory of 2812 N/A C:\Windows\System\IcqYWzC.exe
PID 2352 wrote to memory of 2840 N/A C:\Windows\System\IDrnSgB.exe
PID 2352 wrote to memory of 1236 N/A C:\Windows\System\iggNMKl.exe
PID 2352 wrote to memory of 2884 N/A C:\Windows\System\CrrKtyH.exe
PID 2352 wrote to memory of 2788 N/A C:\Windows\System\GdMHqfQ.exe
PID 2352 wrote to memory of 2900 N/A C:\Windows\System\cnPddfu.exe
PID 2352 wrote to memory of 2904 N/A C:\Windows\System\EQbaVww.exe
PID 2352 wrote to memory of 2644 N/A C:\Windows\System\iyLiLHM.exe
PID 2352 wrote to memory of 2776 N/A C:\Windows\System\nadISpb.exe
PID 2352 wrote to memory of 2604 N/A C:\Windows\System\eFgZIFF.exe
PID 2352 wrote to memory of 2648 N/A C:\Windows\System\lrfacZC.exe
PID 2352 wrote to memory of 2728 N/A C:\Windows\System\WufaZLx.exe
PID 2352 wrote to memory of 2208 N/A C:\Windows\System\SFLiCBR.exe
PID 2352 wrote to memory of 2340 N/A C:\Windows\System\lXrYFLu.exe
PID 2352 wrote to memory of 1100 N/A C:\Windows\System\TRXygMU.exe
PID 2352 wrote to memory of 1228 N/A C:\Windows\System\HppnXEo.exe
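The two tables above record one parent (PID 2352, running from the user's Temp folder) creating 21 executables named with seven random letters under C:\Windows\System (the near-empty legacy folder, not System32, and not writable by a standard non-elevated user), starting each one and writing into its memory right after launch. The script below is an added example, not part of the sandbox report, that turns that chain into a hunt over a constructed Sysmon-style event stream: it flags any Temp-resident parent that starts five or more C:\Windows\System\<seven letters>.exe children, and any connection to the 3.120.209.58:8080 endpoint listed under Network. The key="value" line format, the explorer.exe grandparent, the benign noise events and the fan-out threshold are assumptions; the paths, PIDs and endpoint come from this report.

```python
"""Hunt for the drop-and-spawn chain recorded in behavioral1 over a constructed
event stream. Added example, not sandbox output: the key="value" line format,
the fan-out threshold and the noise lines are assumptions; paths, PIDs and the
3.120.209.58:8080 endpoint are taken from the report."""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce"
          r"_cobalt-strike_cobaltstrike_poet-rat.exe")

# name -> PID of each C:\Windows\System\<name>.exe that the sample (PID 2352) started,
# from the "Suspicious use of WriteProcessMemory" rows.
CHILDREN = {
    "sOUkhFs": 2528, "EsYDsaK": 2100, "BiexykG": 2472, "qPMWvDa": 2868, "MNOFtHs": 1924,
    "IcqYWzC": 2812, "IDrnSgB": 2840, "iggNMKl": 1236, "CrrKtyH": 2884, "GdMHqfQ": 2788,
    "cnPddfu": 2900, "EQbaVww": 2904, "iyLiLHM": 2644, "nadISpb": 2776, "eFgZIFF": 2604,
    "lrfacZC": 2648, "WufaZLx": 2728, "SFLiCBR": 2208, "lXrYFLu": 2340, "TRXygMU": 1100,
    "HppnXEo": 1228,
}

# Dropped names in this run: exactly seven ASCII letters directly under C:\Windows\System.
DROPPED = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
TEMP_DIR = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
C2 = ("3.120.209.58", "8080")   # destination seen six times in the Network table


def build_events():
    """Constructed Sysmon-style lines (not real Sysmon output) mirroring the run."""
    ev = [f'type="ProcessCreate" pid="2352" image="{SAMPLE}" ppid="1400" pimage="C:\\Windows\\explorer.exe"']
    for name, pid in CHILDREN.items():
        ev.append(f'type="ProcessCreate" pid="{pid}" image="C:\\Windows\\System\\{name}.exe" '
                  f'ppid="2352" pimage="{SAMPLE}"')
    # Noise that must not fire: a normal service start, and a child whose name is not seven letters.
    ev.append('type="ProcessCreate" pid="900" image="C:\\Windows\\System32\\svchost.exe" '
              'ppid="600" pimage="C:\\Windows\\System32\\services.exe"')
    ev.append(f'type="ProcessCreate" pid="901" image="C:\\Windows\\System\\abc.exe" ppid="2352" pimage="{SAMPLE}"')
    ev.append(f'type="NetworkConnect" pid="2352" image="{SAMPLE}" dst="3.120.209.58" dport="8080"')
    ev.append('type="NetworkConnect" pid="900" image="C:\\Windows\\System32\\svchost.exe" dst="93.184.216.34" dport="443"')
    return ev


def parse_event(line):
    """Split one key="value" line into a dict (values contain no double quotes)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def hunt(lines, fanout_threshold=5):
    """Return {"fanout": {parent pid: [dropped children]}, "c2": [pids that hit the C2]}."""
    spawned = defaultdict(list)
    c2_hits = []
    for ev in map(parse_event, lines):
        if ev.get("type") == "ProcessCreate":
            if DROPPED.match(ev["image"]) and TEMP_DIR.match(ev["pimage"]):
                spawned[int(ev["ppid"])].append(ev["image"])
        elif ev.get("type") == "NetworkConnect":
            if (ev["dst"], ev["dport"]) == C2:
                c2_hits.append(int(ev["pid"]))
    fanout = {ppid: kids for ppid, kids in spawned.items() if len(kids) >= fanout_threshold}
    return {"fanout": fanout, "c2": c2_hits}


if __name__ == "__main__":
    result = hunt(build_events())
    for ppid, kids in result["fanout"].items():
        print(f"parent {ppid} started {len(kids)} dropped executables, first: {kids[0]}")
    print("processes that contacted the C2 endpoint:", result["c2"])
```

The seven-letter rule is specific to this sample's naming; if you reuse the hunt for other families, relax the length test and rely on the Temp-parent plus fan-out condition, which is the part that rarely occurs in legitimate software.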

Processes

Process Command line
C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe "C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\sOUkhFs.exe C:\Windows\System\sOUkhFs.exe
C:\Windows\System\EsYDsaK.exe C:\Windows\System\EsYDsaK.exe
C:\Windows\System\BiexykG.exe C:\Windows\System\BiexykG.exe
C:\Windows\System\qPMWvDa.exe C:\Windows\System\qPMWvDa.exe
C:\Windows\System\MNOFtHs.exe C:\Windows\System\MNOFtHs.exe
C:\Windows\System\IcqYWzC.exe C:\Windows\System\IcqYWzC.exe
C:\Windows\System\IDrnSgB.exe C:\Windows\System\IDrnSgB.exe
C:\Windows\System\iggNMKl.exe C:\Windows\System\iggNMKl.exe
C:\Windows\System\CrrKtyH.exe C:\Windows\System\CrrKtyH.exe
C:\Windows\System\GdMHqfQ.exe C:\Windows\System\GdMHqfQ.exe
C:\Windows\System\cnPddfu.exe C:\Windows\System\cnPddfu.exe
C:\Windows\System\EQbaVww.exe C:\Windows\System\EQbaVww.exe
C:\Windows\System\iyLiLHM.exe C:\Windows\System\iyLiLHM.exe
C:\Windows\System\nadISpb.exe C:\Windows\System\nadISpb.exe
C:\Windows\System\eFgZIFF.exe C:\Windows\System\eFgZIFF.exe
C:\Windows\System\lrfacZC.exe C:\Windows\System\lrfacZC.exe
C:\Windows\System\WufaZLx.exe C:\Windows\System\WufaZLx.exe
C:\Windows\System\SFLiCBR.exe C:\Windows\System\SFLiCBR.exe
C:\Windows\System\lXrYFLu.exe C:\Windows\System\lXrYFLu.exe
C:\Windows\System\TRXygMU.exe C:\Windows\System\TRXygMU.exe
C:\Windows\System\HppnXEo.exe C:\Windows\System\HppnXEo.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (no domain) tcp, 6 connections

Files

memory/2352-1-0x000000013FE60000-0x00000001401B4000-memory.dmp

memory/2352-0-0x00000000001F0000-0x0000000000200000-memory.dmp

C:\Windows\system\sOUkhFs.exe

MD5 ae1cc2afd09218ffa622bd6280b123f3
SHA1 4548a086c2fc449cede12c6063b03c681ed76ad0
SHA256 1fad161e1146a312953ea64c9961819cdeb7774679924f5beb673c6bbe354e19
SHA512 12f3f2ed16a6c30b7c0f46ad3999fa01c499cf87397f92e05f391e6265ede3adde113dcb98757b053d1755a2cc213852bd46572cd042ecf3720149bb03cdae5f

\Windows\system\EsYDsaK.exe

MD5 511df3c526428412ccd8381cc58e5795
SHA1 525aa97d4cd94540392eec8ebcfc090f8597df45
SHA256 ee3dbeab3d3237f86483c313b4248ac861e4567fec2508e0bc0c492b8860e1df
SHA512 4d5b8110c5fad4f4f4773bbbb1b745c2620e0af83fbdb5fc439ee70a5203e981fab99fb5c2d604ae74051d762d332ff98d8fe4e7f7dd732b20034149d6d07499

C:\Windows\system\BiexykG.exe

MD5 0725bbb63b46a4dad828bd0f69a95d12
SHA1 260e94334849754835aff8270f2f12211277f714
SHA256 18d68ec594271433d29686ffdec0ddded159cf7003cb47105e04b13d8d7e80bb
SHA512 691a257527885682ea4cf0521f7d47c55b0112c822ab73284e0a95ebee777d76b6beb33be2ea54b55adbb74194f82e223b4fe2b1c54bab6c2ad788bfdb57c1fe

C:\Windows\system\MNOFtHs.exe

MD5 754361ad21563a170b5ed8e0bab39758
SHA1 5e9f77d840099342e2abf6bd4f7795a64fa240a8
SHA256 72b90189be88b2c5638a85ad088fccdb610db0bdbef1be4861dcd6d29e22d07c
SHA512 f5696a6c6e448951b98125ccaeb23932580d027ed7b5916730ef8ba59ce68a79230988a912f4d08e2ab27ea37186c8f5c480b79843f07fe89f98a697a455d22c

C:\Windows\system\IcqYWzC.exe

MD5 33e0dfe5ab8fad1fc0e475cbefc915b2
SHA1 7cb727f245d29ec888a00b6dc5e8af4926418631
SHA256 c98bad83ce19f3534bb3aeb296a4c275a330a3f9ae20f1da9402c6ea040d73d2
SHA512 5f077b02629aefa81d8f1546f92baf7910ba52ed430f842f90f75fdabd1f91c5e5d6a9da715af3f51afc365c40b107159deee66aa9db02e50e98da76e921ea94

C:\Windows\system\IDrnSgB.exe

MD5 894ca33b89ed7691527ba2255c805278
SHA1 16ee14a111d1ed6c239b30fcb1def66bc35f2b70
SHA256 18de127029951943b1204263f070266afd3ca03fa8e490ee7112c7d7fce5c5fc
SHA512 714b8f60e9e8e80e0f3b3ddbe610b0fba26f47262b3dfb2bced3384af903e0736751dc6780acd790a1325bd0253509c1777c33052cbe13f68cd82d14b3ad887d

\Windows\system\iggNMKl.exe

MD5 40d133c9ff726de66091e934e96b4ab7
SHA1 62522900b8196d49f3da3e3b43a97e7802dab27e
SHA256 24d3baec775f21844d74cc642c6eca07a87fd08e780eda19e60fd8a1b835576c
SHA512 9a5d13dc91b6e3426075d053b104c678874f5f465862a32a46f1fce382e2df008f335e35acc771e3404d7da620f97bbe5bcf5412128b61e58ca90a6293b5681e

C:\Windows\system\CrrKtyH.exe

MD5 d39959b157259bf648464b85c30c7b82
SHA1 bc1abe0bf7d72879ed4b98af087378c9109d364d
SHA256 503f14233693a48d18fe2ffa92dfab626e4fcc54faf8b8149cf6dc2fe8a8493f
SHA512 9f137f4a7f7b13d90038d60c2266971a2f7399003c423f8ce3c4727a76205d5e3ef74d9c8d09ec4c4e5ce5c9d3fe9655ce6e95baa6dff985acf4f7297786e334

C:\Windows\system\GdMHqfQ.exe

MD5 06b9ebe9a9aa94d0656684f93c5771a3
SHA1 b204b28e446bd3fb836a5720e2db49240c82a688
SHA256 5e4df3b1eb6af20de2f838e55ee828b4032ff93ed4a23785a870018f32c1be59
SHA512 1d6ce24740942bd5fc41b9e8e0dd8587f0980f836f6ed31ca55e06085e4d5640055c19c5e718928f8ddc9c515264728fc6d6b5b829207a5ed899c4e05dcd1d14

C:\Windows\system\cnPddfu.exe

MD5 edfc50591cf416cdabb62ab602e26f4d
SHA1 26b566924b1a78f3bf23f2dc29d97d4550768c5d
SHA256 25a6e08523dc2cb8f297bdcc67952b881098a1062b21e74b166037a021392156
SHA512 4d16789885a8fa32568f6a6b7bb0ae9ef132a810c43961d99dbbdd7b548296f9116ee7b368e7c072e927b1989effae6895153eb3c5bdfade4715b2458185f3da

C:\Windows\system\nadISpb.exe

MD5 14891920167cf25150a9d093b38190c8
SHA1 519ce70d7689d8fad23e09cea189a63c77cd5a83
SHA256 b77b58b2c4177cf46a37ac65c8b1f8c5fb7e5a301edc6d2fa14f754a188cf41a
SHA512 13f4618fd4e17bf406695fe382a3efcabe3792142dbb0c0ce0b7e9cd8fba84323c1a34d6fb21b90a9e2b6ca982e5c449155c08d3bbffbc3cce72f2ed419f9535

C:\Windows\system\eFgZIFF.exe

MD5 787d7be1ee56b4e3d72190a91a05bd76
SHA1 9fb533b93a573c73b1cd2e806aad3131ae5b7441
SHA256 032ab393935848e73fc1f98d40f9e326ac9a023f96ee2ceaad702c02afc513ef
SHA512 d1caaa912c4ca0a5f73e1f0f547c520c83242df02e7f1236831c2d8a4a152836e93a8c3dc059ac92d808494d692b370607c5bd3d6c9c7abeb09771ce3214e30a

C:\Windows\system\SFLiCBR.exe

MD5 5aeaee02d0b3f45e6b313b92f5cfda68
SHA1 9909a8e414d2ce01f720f36a1120f85b33843228
SHA256 f6a4c72950a260e7a9aed1e53c563118bbd41744d0b898a159b73060ad4bb0d5
SHA512 52319e2c657dde9bf46e5aa7a199d846715e5328019dfd13774e508a09f71fe0f51ff72734e52b2e6415c28511cc4d6da4bd3acec4a7632874570bcec760e3a3

C:\Windows\system\HppnXEo.exe

MD5 7c0f8749b50bdb3a60012a4cb477cc9a
SHA1 d354258551b6e4b9bb19c8fd0e0190705f5ba5f5
SHA256 775a8a982e441b08429da68ae92fb3bb30def6ba923428992433626195a28391
SHA512 8c6bd1724f02adee44b78b891419d4e59d83eb94f23f6c3ac8c778d207c67b40e215ad7e64e2e5b36d1be9774b087e781d7205a213e804ed3b9f0172f91c8e74

C:\Windows\system\TRXygMU.exe

MD5 156365673e7f87f52b59d06f5ab38904
SHA1 20644e62a60d38ca02190167c2dca6f4c0188c88
SHA256 30b822255b10aebc825640ba695781bdc5363d274d903b840c55af124ac86f7c
SHA512 2e0c022a89b189aa396e99a5049fd4149346ba76721cf56b9efbef79766d9c3da654d688e565a0aa1319e47442e8f72b55cd07db0dfe8a8ebe73e6d24b7b9bc4

C:\Windows\system\lXrYFLu.exe

MD5 4e5297868ab42f322dbb5ca730761dfb
SHA1 66d570ca89e54880a472f96bb4f99d9dc7e115f4
SHA256 c4ad90af5fe2fe20e52805622ca6dcabe710e0326b9768e89757d881a78aaca2
SHA512 4f364c8e8d45f2e13f49dc999d14f79c249fecff87aa129b95cbd8a3246dc641831ac706fef40e218427511c8acec8db1693d9a99886802007383830f116c172

memory/2352-115-0x000000013F130000-0x000000013F484000-memory.dmp

memory/2776-116-0x000000013F130000-0x000000013F484000-memory.dmp

memory/2644-114-0x000000013F610000-0x000000013F964000-memory.dmp

memory/2352-113-0x000000013F610000-0x000000013F964000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 12:35

Reported

2024-08-06 12:37

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\yzDCQSp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SixJXHF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RbRLvJz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cZFcPvJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SgoXKNK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BnSJJMH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wUrZZYJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\COTerBF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jBFcVIR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vqpPrgk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SmVMkgO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SEVPzrt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oHjufMG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PgjmYUq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WxjdwdM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YPqgQfL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\coLzPhv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ddQPDTh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nvtJvgc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PJiqSZX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ErXRJWf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2508 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vqpPrgk.exe
PID 2508 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RbRLvJz.exe
PID 2508 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cZFcPvJ.exe
PID 2508 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YPqgQfL.exe
PID 2508 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\coLzPhv.exe
PID 2508 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SmVMkgO.exe
PID 2508 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SgoXKNK.exe
PID 2508 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BnSJJMH.exe
PID 2508 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wUrZZYJ.exe
PID 2508 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SEVPzrt.exe
PID 2508 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yzDCQSp.exe
PID 2508 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ErXRJWf.exe
PID 2508 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oHjufMG.exe
PID 2508 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PgjmYUq.exe
PID 2508 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ddQPDTh.exe
PID 2508 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\COTerBF.exe
PID 2508 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nvtJvgc.exe
PID 2508 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PJiqSZX.exe
PID 2508 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WxjdwdM.exe
PID 2508 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jBFcVIR.exe
PID 2508 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SixJXHF.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\vqpPrgk.exe

C:\Windows\System\vqpPrgk.exe

C:\Windows\System\RbRLvJz.exe

C:\Windows\System\RbRLvJz.exe

C:\Windows\System\cZFcPvJ.exe

C:\Windows\System\cZFcPvJ.exe

C:\Windows\System\YPqgQfL.exe

C:\Windows\System\YPqgQfL.exe

C:\Windows\System\coLzPhv.exe

C:\Windows\System\coLzPhv.exe

C:\Windows\System\SmVMkgO.exe

C:\Windows\System\SmVMkgO.exe

C:\Windows\System\SgoXKNK.exe

C:\Windows\System\SgoXKNK.exe

C:\Windows\System\BnSJJMH.exe

C:\Windows\System\BnSJJMH.exe

C:\Windows\System\wUrZZYJ.exe

C:\Windows\System\wUrZZYJ.exe

C:\Windows\System\SEVPzrt.exe

C:\Windows\System\SEVPzrt.exe

C:\Windows\System\yzDCQSp.exe

C:\Windows\System\yzDCQSp.exe

C:\Windows\System\ErXRJWf.exe

C:\Windows\System\ErXRJWf.exe

C:\Windows\System\oHjufMG.exe

C:\Windows\System\oHjufMG.exe

C:\Windows\System\PgjmYUq.exe

C:\Windows\System\PgjmYUq.exe

C:\Windows\System\ddQPDTh.exe

C:\Windows\System\ddQPDTh.exe

C:\Windows\System\COTerBF.exe

C:\Windows\System\COTerBF.exe

C:\Windows\System\nvtJvgc.exe

C:\Windows\System\nvtJvgc.exe

C:\Windows\System\PJiqSZX.exe

C:\Windows\System\PJiqSZX.exe

C:\Windows\System\WxjdwdM.exe

C:\Windows\System\WxjdwdM.exe

C:\Windows\System\jBFcVIR.exe

C:\Windows\System\jBFcVIR.exe

C:\Windows\System\SixJXHF.exe

C:\Windows\System\SixJXHF.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 19.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files
