Malware Analysis Report

2025-01-22 19:23

Sample ID: 240807-y5rptatdjq
Target: 2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat
SHA256: fe976a7e383b394424552a3b9084fefeeab182f64ca5032daa0e9aff4fb6df53
Tags: upx 0 miner cobaltstrike xmrig backdoor trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: fe976a7e383b394424552a3b9084fefeeab182f64ca5032daa0e9aff4fb6df53
Threat Level: Known bad

The file 2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Tags: upx 0 miner cobaltstrike xmrig backdoor trojan

Xmrig family
Cobaltstrike family
xmrig
XMRig Miner payload
Cobalt Strike reflective loader
Cobaltstrike
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-08-07 20:22

Signatures

Cobalt Strike reflective loader (1 match; Description, Indicator, Process and Target all N/A)
Cobaltstrike family (tag: cobaltstrike)
XMRig Miner payload (tag: miner; 1 match, all fields N/A)
Xmrig family (tag: xmrig)
UPX packed file (tag: upx; 1 match, all fields N/A)
Unsigned PE (2 matches, all fields N/A)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-07 20:22
Reported: 2024-08-07 20:25
Platform: win7-20240704-en
Max time kernel: 140s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader (21 matches; Description, Indicator, Process and Target all N/A)

Cobaltstrike (tags: trojan backdoor cobaltstrike)

xmrig (tags: miner xmrig)

XMRig Miner payload (tag: miner; 39 matches, all fields N/A)

Loads dropped DLL (21 matches; Process: C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe; Description, Indicator and Target N/A)

UPX packed file (tag: upx; 63 matches, all fields N/A)

Drops file in Windows directory

Description: File created; Process: C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe; Target: N/A. Indicators (21 files created):
C:\Windows\System\TbadXlL.exe
C:\Windows\System\mDEORpd.exe
C:\Windows\System\vwxFCQV.exe
C:\Windows\System\nzLgRVq.exe
C:\Windows\System\GwdPSom.exe
C:\Windows\System\TSWxiud.exe
C:\Windows\System\OpPlkXh.exe
C:\Windows\System\aFqbxwl.exe
C:\Windows\System\qSzBtBM.exe
C:\Windows\System\AUJkEUA.exe
C:\Windows\System\jtWmsEd.exe
C:\Windows\System\eypJqcQ.exe
C:\Windows\System\wuJlhIc.exe
C:\Windows\System\vanOKdh.exe
C:\Windows\System\aWyJolS.exe
C:\Windows\System\FeNXwnM.exe
C:\Windows\System\tMZyOCT.exe
C:\Windows\System\nxMomeB.exe
C:\Windows\System\PuOybkI.exe
C:\Windows\System\kQRAHwl.exe
C:\Windows\System\ioXjcNK.exe

Suspicious use of WriteProcessMemory

Process: C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe (PID 1696); Indicator: N/A. Each target PID below was written to three times (63 events in total):
PID 1696 wrote to memory of 2560 (Target: C:\Windows\System\vanOKdh.exe)
PID 1696 wrote to memory of 2900 (Target: C:\Windows\System\nxMomeB.exe)
PID 1696 wrote to memory of 2568 (Target: C:\Windows\System\nzLgRVq.exe)
PID 1696 wrote to memory of 2832 (Target: C:\Windows\System\aWyJolS.exe)
PID 1696 wrote to memory of 3008 (Target: C:\Windows\System\GwdPSom.exe)
PID 1696 wrote to memory of 2876 (Target: C:\Windows\System\AUJkEUA.exe)
PID 1696 wrote to memory of 2652 (Target: C:\Windows\System\TSWxiud.exe)
PID 1696 wrote to memory of 2956 (Target: C:\Windows\System\OpPlkXh.exe)
PID 1696 wrote to memory of 2752 (Target: C:\Windows\System\jtWmsEd.exe)
PID 1696 wrote to memory of 2672 (Target: C:\Windows\System\PuOybkI.exe)
PID 1696 wrote to memory of 2620 (Target: C:\Windows\System\FeNXwnM.exe)
PID 1696 wrote to memory of 2680 (Target: C:\Windows\System\aFqbxwl.exe)
PID 1696 wrote to memory of 2784 (Target: C:\Windows\System\kQRAHwl.exe)
PID 1696 wrote to memory of 2312 (Target: C:\Windows\System\eypJqcQ.exe)
PID 1696 wrote to memory of 2192 (Target: C:\Windows\System\TbadXlL.exe)
PID 1696 wrote to memory of 400 (Target: C:\Windows\System\tMZyOCT.exe)
PID 1696 wrote to memory of 1644 (Target: C:\Windows\System\ioXjcNK.exe)
PID 1696 wrote to memory of 2916 (Target: C:\Windows\System\mDEORpd.exe)
PID 1696 wrote to memory of 2444 (Target: C:\Windows\System\vwxFCQV.exe)
PID 1696 wrote to memory of 388 (Target: C:\Windows\System\wuJlhIc.exe)
PID 1696 wrote to memory of 2676 (Target: C:\Windows\System\qSzBtBM.exe)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe"

Other processes (command line identical to the path):
C:\Windows\System\vanOKdh.exe
C:\Windows\System\nxMomeB.exe
C:\Windows\System\nzLgRVq.exe
C:\Windows\System\aWyJolS.exe
C:\Windows\System\GwdPSom.exe
C:\Windows\System\AUJkEUA.exe
C:\Windows\System\TSWxiud.exe
C:\Windows\System\OpPlkXh.exe
C:\Windows\System\jtWmsEd.exe
C:\Windows\System\PuOybkI.exe
C:\Windows\System\FeNXwnM.exe
C:\Windows\System\aFqbxwl.exe
C:\Windows\System\kQRAHwl.exe
C:\Windows\System\eypJqcQ.exe
C:\Windows\System\TbadXlL.exe
C:\Windows\System\tMZyOCT.exe
C:\Windows\System\ioXjcNK.exe
C:\Windows\System\mDEORpd.exe
C:\Windows\System\vwxFCQV.exe
C:\Windows\System\wuJlhIc.exe
C:\Windows\System\qSzBtBM.exe

Network

Country: DE; Destination: 3.120.209.58:8080; Domain: (none recorded); Proto: tcp (6 identical connection entries)

Files


memory/2832-211-0x000000013F910000-0x000000013FC61000-memory.dmp

memory/3008-213-0x000000013FF70000-0x00000001402C1000-memory.dmp

memory/2652-215-0x000000013F260000-0x000000013F5B1000-memory.dmp

memory/2752-217-0x000000013F510000-0x000000013F861000-memory.dmp

memory/2784-219-0x000000013F680000-0x000000013F9D1000-memory.dmp

memory/2192-221-0x000000013FE80000-0x00000001401D1000-memory.dmp

memory/2956-227-0x000000013FD30000-0x0000000140081000-memory.dmp

memory/2620-225-0x000000013FB90000-0x000000013FEE1000-memory.dmp

memory/2876-223-0x000000013FF60000-0x00000001402B1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-07 20:22

Reported

2024-08-07 20:25

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\WXaKnOp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lVNCYWf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cqtoraH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\agmRdfb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KzLbSAn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LerOdFh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yKPudEa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HgGnpFq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qZhMbBf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HEvnwHm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BMHYBEd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ClnYSCM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dDThacf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yocSFip.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oexSsrm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OrmLigu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hwBhhiK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CkOCVlW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kHiNZGj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IWcTIMM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bUgPkol.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2060 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yKPudEa.exe
PID 2060 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yKPudEa.exe
PID 2060 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HgGnpFq.exe
PID 2060 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HgGnpFq.exe
PID 2060 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OrmLigu.exe
PID 2060 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OrmLigu.exe
PID 2060 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IWcTIMM.exe
PID 2060 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IWcTIMM.exe
PID 2060 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WXaKnOp.exe
PID 2060 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WXaKnOp.exe
PID 2060 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ClnYSCM.exe
PID 2060 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ClnYSCM.exe
PID 2060 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dDThacf.exe
PID 2060 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dDThacf.exe
PID 2060 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hwBhhiK.exe
PID 2060 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hwBhhiK.exe
PID 2060 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lVNCYWf.exe
PID 2060 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lVNCYWf.exe
PID 2060 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bUgPkol.exe
PID 2060 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bUgPkol.exe
PID 2060 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cqtoraH.exe
PID 2060 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cqtoraH.exe
PID 2060 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\agmRdfb.exe
PID 2060 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\agmRdfb.exe
PID 2060 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qZhMbBf.exe
PID 2060 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qZhMbBf.exe
PID 2060 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HEvnwHm.exe
PID 2060 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HEvnwHm.exe
PID 2060 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KzLbSAn.exe
PID 2060 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KzLbSAn.exe
PID 2060 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CkOCVlW.exe
PID 2060 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CkOCVlW.exe
PID 2060 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yocSFip.exe
PID 2060 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yocSFip.exe
PID 2060 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kHiNZGj.exe
PID 2060 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kHiNZGj.exe
PID 2060 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oexSsrm.exe
PID 2060 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oexSsrm.exe
PID 2060 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LerOdFh.exe
PID 2060 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LerOdFh.exe
PID 2060 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BMHYBEd.exe
PID 2060 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BMHYBEd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\yKPudEa.exe

C:\Windows\System\yKPudEa.exe

C:\Windows\System\HgGnpFq.exe

C:\Windows\System\HgGnpFq.exe

C:\Windows\System\OrmLigu.exe

C:\Windows\System\OrmLigu.exe

C:\Windows\System\IWcTIMM.exe

C:\Windows\System\IWcTIMM.exe

C:\Windows\System\WXaKnOp.exe

C:\Windows\System\WXaKnOp.exe

C:\Windows\System\ClnYSCM.exe

C:\Windows\System\ClnYSCM.exe

C:\Windows\System\dDThacf.exe

C:\Windows\System\dDThacf.exe

C:\Windows\System\hwBhhiK.exe

C:\Windows\System\hwBhhiK.exe

C:\Windows\System\lVNCYWf.exe

C:\Windows\System\lVNCYWf.exe

C:\Windows\System\bUgPkol.exe

C:\Windows\System\bUgPkol.exe

C:\Windows\System\cqtoraH.exe

C:\Windows\System\cqtoraH.exe

C:\Windows\System\agmRdfb.exe

C:\Windows\System\agmRdfb.exe

C:\Windows\System\qZhMbBf.exe

C:\Windows\System\qZhMbBf.exe

C:\Windows\System\HEvnwHm.exe

C:\Windows\System\HEvnwHm.exe

C:\Windows\System\KzLbSAn.exe

C:\Windows\System\KzLbSAn.exe

C:\Windows\System\CkOCVlW.exe

C:\Windows\System\CkOCVlW.exe

C:\Windows\System\yocSFip.exe

C:\Windows\System\yocSFip.exe

C:\Windows\System\kHiNZGj.exe

C:\Windows\System\kHiNZGj.exe

C:\Windows\System\oexSsrm.exe

C:\Windows\System\oexSsrm.exe

C:\Windows\System\LerOdFh.exe

C:\Windows\System\LerOdFh.exe

C:\Windows\System\BMHYBEd.exe

C:\Windows\System\BMHYBEd.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 38.58.20.217.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
