Malware Analysis Report

2025-03-15 08:05

Sample ID 240813-n53rzasblf
Target 2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat
SHA256 adf076728ddc0e5cf38abf623659ae147a59d622ba6042734548073eb36eb102
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

adf076728ddc0e5cf38abf623659ae147a59d622ba6042734548073eb36eb102

Threat Level: Known bad

The file 2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

XMRig Miner payload

Cobaltstrike

Cobaltstrike family

Cobalt Strike reflective loader

Xmrig family

xmrig

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-13 11:59

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 11:59

Reported

2024-08-13 12:02

Platform

win7-20240705-en

Max time kernel

140s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\cTVQVUS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UfrNVhJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QqzzqoX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RFbrkdy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rODwLxb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uzSHrlQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LhwdWks.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VkwWxhT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LSOjtLS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UHXTSur.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RErTTXC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RKDgBfH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aUsrkKb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FFueDxL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ocCdYDg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EuFwBsw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MLCPKbp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dAhWWgU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gvdxgXO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PNGAbMs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ChVPPZS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2988 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cTVQVUS.exe
PID 2988 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cTVQVUS.exe
PID 2988 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cTVQVUS.exe
PID 2988 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RFbrkdy.exe
PID 2988 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RFbrkdy.exe
PID 2988 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RFbrkdy.exe
PID 2988 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rODwLxb.exe
PID 2988 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rODwLxb.exe
PID 2988 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rODwLxb.exe
PID 2988 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UHXTSur.exe
PID 2988 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UHXTSur.exe
PID 2988 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UHXTSur.exe
PID 2988 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MLCPKbp.exe
PID 2988 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MLCPKbp.exe
PID 2988 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MLCPKbp.exe
PID 2988 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RErTTXC.exe
PID 2988 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RErTTXC.exe
PID 2988 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RErTTXC.exe
PID 2988 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dAhWWgU.exe
PID 2988 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dAhWWgU.exe
PID 2988 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dAhWWgU.exe
PID 2988 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RKDgBfH.exe
PID 2988 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RKDgBfH.exe
PID 2988 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RKDgBfH.exe
PID 2988 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UfrNVhJ.exe
PID 2988 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UfrNVhJ.exe
PID 2988 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UfrNVhJ.exe
PID 2988 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QqzzqoX.exe
PID 2988 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QqzzqoX.exe
PID 2988 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QqzzqoX.exe
PID 2988 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gvdxgXO.exe
PID 2988 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gvdxgXO.exe
PID 2988 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gvdxgXO.exe
PID 2988 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aUsrkKb.exe
PID 2988 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aUsrkKb.exe
PID 2988 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aUsrkKb.exe
PID 2988 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uzSHrlQ.exe
PID 2988 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uzSHrlQ.exe
PID 2988 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uzSHrlQ.exe
PID 2988 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PNGAbMs.exe
PID 2988 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PNGAbMs.exe
PID 2988 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PNGAbMs.exe
PID 2988 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LhwdWks.exe
PID 2988 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LhwdWks.exe
PID 2988 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LhwdWks.exe
PID 2988 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VkwWxhT.exe
PID 2988 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VkwWxhT.exe
PID 2988 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VkwWxhT.exe
PID 2988 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FFueDxL.exe
PID 2988 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FFueDxL.exe
PID 2988 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FFueDxL.exe
PID 2988 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ocCdYDg.exe
PID 2988 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ocCdYDg.exe
PID 2988 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ocCdYDg.exe
PID 2988 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EuFwBsw.exe
PID 2988 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EuFwBsw.exe
PID 2988 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EuFwBsw.exe
PID 2988 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ChVPPZS.exe
PID 2988 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ChVPPZS.exe
PID 2988 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ChVPPZS.exe
PID 2988 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LSOjtLS.exe
PID 2988 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LSOjtLS.exe
PID 2988 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LSOjtLS.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\cTVQVUS.exe

C:\Windows\System\cTVQVUS.exe

C:\Windows\System\RFbrkdy.exe

C:\Windows\System\RFbrkdy.exe

C:\Windows\System\rODwLxb.exe

C:\Windows\System\rODwLxb.exe

C:\Windows\System\UHXTSur.exe

C:\Windows\System\UHXTSur.exe

C:\Windows\System\MLCPKbp.exe

C:\Windows\System\MLCPKbp.exe

C:\Windows\System\RErTTXC.exe

C:\Windows\System\RErTTXC.exe

C:\Windows\System\dAhWWgU.exe

C:\Windows\System\dAhWWgU.exe

C:\Windows\System\RKDgBfH.exe

C:\Windows\System\RKDgBfH.exe

C:\Windows\System\UfrNVhJ.exe

C:\Windows\System\UfrNVhJ.exe

C:\Windows\System\QqzzqoX.exe

C:\Windows\System\QqzzqoX.exe

C:\Windows\System\gvdxgXO.exe

C:\Windows\System\gvdxgXO.exe

C:\Windows\System\aUsrkKb.exe

C:\Windows\System\aUsrkKb.exe

C:\Windows\System\uzSHrlQ.exe

C:\Windows\System\uzSHrlQ.exe

C:\Windows\System\PNGAbMs.exe

C:\Windows\System\PNGAbMs.exe

C:\Windows\System\LhwdWks.exe

C:\Windows\System\LhwdWks.exe

C:\Windows\System\VkwWxhT.exe

C:\Windows\System\VkwWxhT.exe

C:\Windows\System\FFueDxL.exe

C:\Windows\System\FFueDxL.exe

C:\Windows\System\ocCdYDg.exe

C:\Windows\System\ocCdYDg.exe

C:\Windows\System\EuFwBsw.exe

C:\Windows\System\EuFwBsw.exe

C:\Windows\System\ChVPPZS.exe

C:\Windows\System\ChVPPZS.exe

C:\Windows\System\LSOjtLS.exe

C:\Windows\System\LSOjtLS.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/2988-0-0x000000013FE30000-0x0000000140181000-memory.dmp

memory/2988-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\cTVQVUS.exe

MD5 ecf9ed2f46c976d3256f616d1abb7560
SHA1 2398a12ca5b8d0efd6398b5cffca4a84e745056b
SHA256 111cfd80165710cc18fc268178e6c353ec00334b7fc1c145a5dcb41d09fcac95
SHA512 85523b51fe9c950be48e3e13c18aef5829f15488c6031a83abb3ced472666021b0b46aea9619091898fd55a12c3d61b23213b3ae9ccbcdb59b4048febf8d3b87

\Windows\system\RFbrkdy.exe

MD5 61d5165ada89e2de42a027fbf0e7460a
SHA1 c478903d5815d5dff18c1438ba24678914e45754
SHA256 27eff5905196158bd3daecdb39c2e4038eedba75f5854825139d736045f1b528
SHA512 c01fcc7b7960665ef89f19180b655aa926204b997b6d826cbc0060ac022a628154e5cdd79271ed2e664a854ed9ac4c2d188c4d494c5af02655fb476c9160609e

\Windows\system\UfrNVhJ.exe

MD5 3cca4cc473b7e1fee792cdf0113311b8
SHA1 33ee9ac7f830787a412f5c7f642165bed64a499c
SHA256 e61463aca450338e6eee3024ec09f9458c4d7fb83646434a874df482cf493799
SHA512 91af1545e7362908430f103b3ca2707c6ef850b54f1d28c0e2a18c47ce24457acf15938eaf537a9a59a74d01c9391bb498fe64565416050fceba196e47ec1eed

\Windows\system\dAhWWgU.exe

MD5 3eced770f6cb05ba9b0eb798209d8759
SHA1 b5916790cbb6d1f5c1b87c9d9068c043231b206f
SHA256 d09f858103ac80dc88dfb1bb8051bc5d8e8c8f455329757919112937975580f2
SHA512 d5a7d8fbb593e9362774ac379184841e1ec2ddf83b4720cd2b17ba9ed3c5a3969931691be6508bf898dc299b449d199f5b8e613867188fbc3b8ffa0a77350cc7

memory/1192-24-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

\Windows\system\MLCPKbp.exe

MD5 881668b4e3786e6c499b4aa421a10558
SHA1 1ef70e3abca5ef45d33922b9d735d10c622df11d
SHA256 3602f1f38ac32fbd2c95ce788ecce504f57e35780427897e174c08820ffe5dc1
SHA512 7b5b54aae1cee0a0ec9e6cf5276f424e8a2a3dc74592ef4e244e9283c48c0df7bf841fe6ee9e40658a8a51f3f4d3c3a780f88e0d66a8d5153e3f8a5bc690bc81

\Windows\system\RErTTXC.exe

MD5 75027e1ba2a7b7718a43f5faf01803cf
SHA1 5e8170c29d065ccf5bce490f576d16b95788884a
SHA256 eaec94936d1f986dbec794df34e488973f0652fee2867bd389ab4f11fa5f9d6e
SHA512 912814a941c3f58fd2cf05c3d12b8a13e4716d86eafa4085094ea92b5bf3093fae4da043cc2667646ba468baefedd62977fdaf20fb04f6e840a28f19d14d5e26

C:\Windows\system\rODwLxb.exe

MD5 2011e088a1b8ce40b59c710801ecc925
SHA1 c58c4bd3ebfeb38f710c12411809c0f54ff8a5ec
SHA256 86e345bb528bf39e3e2b1fc8576af1a263132b03f990883c7815aa4daa733749
SHA512 d58be39a841f2ddc57671d075bb78e090d29451ab6b8f67c3e832d0f71da68366555ba9a6d6743095ee444b62a50885ffba05dc4505e3ede5feeb2600a327072

\Windows\system\UHXTSur.exe

MD5 091d4a75397d8b6f9749a7efaae1c0a5
SHA1 c06aaee3807e056537c75637eacdc5987534087d
SHA256 9116f7dd82b621ed5d55e328399703262120f5e1b05af893c5130a0079465e7f
SHA512 109f0efbadeb4dd58a55762890051d425ce8a0d4c83065d0fc548ccd95ad283b5b80b7faada90cea6620ebbe2533ac19c2b5ff048600702a359460a310384f21

memory/1320-12-0x000000013F550000-0x000000013F8A1000-memory.dmp

memory/2056-41-0x000000013FF30000-0x0000000140281000-memory.dmp

memory/2988-71-0x0000000002240000-0x0000000002591000-memory.dmp

memory/2960-81-0x000000013F750000-0x000000013FAA1000-memory.dmp

memory/2988-84-0x000000013F8F0000-0x000000013FC41000-memory.dmp

C:\Windows\system\aUsrkKb.exe

MD5 093352fd4e55d8cdf8de534a8c5b6ac0
SHA1 f5c1a9f079f973d6b5d90c7ddbb506153afd95c3
SHA256 cc6d4af4623375957d2b62a67dfaee114956da0d25d2c5a5dd49c80d1aa72ea1
SHA512 fc597c962524343f0898814fbbc45ef302695ca6bd668ccd09f56426a8fd9d7ee27e1b92f0aa99eeccef0be2227c356115704ea95005c7d567eee00a0e63dd2d

memory/2788-79-0x000000013FB30000-0x000000013FE81000-memory.dmp

memory/2716-78-0x000000013F170000-0x000000013F4C1000-memory.dmp

memory/2148-76-0x000000013F4F0000-0x000000013F841000-memory.dmp

memory/2988-75-0x000000013F750000-0x000000013FAA1000-memory.dmp

C:\Windows\system\QqzzqoX.exe

MD5 7e7761185543b37fe4c65f0c65cd2fa0
SHA1 4d7730ed46aeb2dc06f4bfcbfe05324ea947548d
SHA256 c3c46eab60dcfcd2b966bf7e49c8b3c6f70b7f722eced74be41fe9d344c4489a
SHA512 7bbab9666dffaeb59d5dfb5f94064e9c88dd306a4fd5b360642a7e3ec825f49828497bc7fcff88d406686695a49dc43383f68e8b7b92ace9f22ecf1b0ea71b30

\Windows\system\uzSHrlQ.exe

MD5 3253831737a5e4adf0ae366925e7dd71
SHA1 9d9556517744e57b5ebd1010e3f44435a622f27e
SHA256 b43992c51db3add51713ee86b8e98ccaa97a7095962e02aa05de9e12b6fb06f0
SHA512 ebfb3f62ab88aa5f43c0560fdad59a6da3899ddc22623a7b6418913a0161611037b3723e34523a591fa8f77c9b81d15a280407df4cc94838b936580fe00909ea

memory/2568-73-0x000000013F300000-0x000000013F651000-memory.dmp

memory/2816-70-0x000000013FCC0000-0x0000000140011000-memory.dmp

memory/2988-69-0x000000013F4F0000-0x000000013F841000-memory.dmp

memory/3000-68-0x000000013FD40000-0x0000000140091000-memory.dmp

C:\Windows\system\RKDgBfH.exe

MD5 13067b910ae200e7b637dd2972a8525b
SHA1 26a4793dc2c89a655282e1f1d46c44f8cea5bb77
SHA256 844d04efe91b17da27b7c86ebd9d8b676b8f4f235e32c61585b9ef6b55ff7c23
SHA512 14f677ceae1e6d837239d9e7d9ec7aea2c0ad7aaacbee31fd92dfe44e706e3cba261ab1731a2dfab9348d13dbaa3cee57c312be35c236809b8b76b760dedfcc5

memory/2876-66-0x000000013F290000-0x000000013F5E1000-memory.dmp

memory/2196-64-0x000000013FC10000-0x000000013FF61000-memory.dmp

C:\Windows\system\gvdxgXO.exe

MD5 08d8c98c413a6cb9e765d9cb00719bb2
SHA1 d3aa871a74061c519d7b0b73d1e0e1993ffa1296
SHA256 7dde317d74bae535332780f47f8778ca5172d8294d85322fb3ac5f4844e1de65
SHA512 532ba0ebcd96ac7ba47073e52b361cf6f963e81c5a61b0b34d4064467f128927af6ad02348e83713e5e905f933af1bf1fe9677f03c91aaca94e471f04b21ff1c

memory/2988-62-0x0000000002240000-0x0000000002591000-memory.dmp

memory/2988-61-0x000000013F170000-0x000000013F4C1000-memory.dmp

memory/2988-59-0x000000013F290000-0x000000013F5E1000-memory.dmp

memory/2988-35-0x0000000002240000-0x0000000002591000-memory.dmp

memory/2988-50-0x0000000002240000-0x0000000002591000-memory.dmp

\Windows\system\PNGAbMs.exe

MD5 b188757be2090e607985bb405275203b
SHA1 d26b22ee429f4f3a3b45d1a018d0cd5c5754afc4
SHA256 efa9547337910f4c5fc26eae8ce139c67bfb188c6a716f459b7c6dcb7ad9cd0f
SHA512 686cb2446df14aca0b2839f033ea314f1e23c4fd0393df41ddd2e9b728963f965d3a2b0f435e77aef32ad794bcdc0c4160bfda3a4efdbe3918880b5bce85ae7d

C:\Windows\system\LhwdWks.exe

MD5 8dbcce25e1760a6115561a19818d133e
SHA1 4e07629e6f91db7ea893c3f92ca7afaa9dde8ee3
SHA256 fd854bf338cb61a145f35f49194bc6f5b00c742425b443f1bf4736acae2cf9ef
SHA512 fb25385b86968b562ead204c9fdc6599eeeb8d6691e799eced6a2c36c48dfa5c354e23827885e3f264a814b265e48d6532fd23f90c5732c91d57d9299f82b7c7

memory/2928-101-0x000000013F420000-0x000000013F771000-memory.dmp

\Windows\system\VkwWxhT.exe

MD5 c3e61022c239e660e03bae60edfab58a
SHA1 3a9d37f3416e60c2d82bb64e385bdd58f186cdfd
SHA256 4d19dff0b28715a75a2fc63f26c5131ce46c59c2e79125e4452a7fee19e11283
SHA512 bc2600759c0466895780cf3c51310906327091bb473fc68e87c6aa6854e4d0982153bf127a4319df1e9c58af312d3a117f2a76c62259ba7ee24d12c9a4c88d1f

memory/2988-102-0x000000013FA30000-0x000000013FD81000-memory.dmp

memory/2988-93-0x000000013F420000-0x000000013F771000-memory.dmp

memory/2180-89-0x000000013F8F0000-0x000000013FC41000-memory.dmp

C:\Windows\system\FFueDxL.exe

MD5 c272101c5ceae0c1c7394a819be10179
SHA1 558b62ff8eab836c1e877556e0cda106dcaae6a3
SHA256 f7be87e6f16169711c324a79cab89bf3a13a30e22c92e41f2418d9c17451a857
SHA512 d03d961c61ea3b9216955c1c44df1395f54735b70a34736f44b946e7c468f4d9e6ff77dba0fc5809898663e71b43238270a7e3e0872e3814cb54c9fa5767a0fa

\Windows\system\ocCdYDg.exe

MD5 f67f83967db7a0502c4edd9760830eae
SHA1 85f882358255781623d090039915aeb47a5cde6d
SHA256 1022e64e2349734cca39a025e1f8ab6c56c58c9ad151d8d8aaa710834c9a185a
SHA512 667bbef0875e17f4cb62ce4cdd1ae3c829dd039d971b75411feaa4412a57e85e1a03f9c70be406a17003960555f06063887d335a2a53d99c3d385958ca47958b

\Windows\system\EuFwBsw.exe

MD5 6d8ddac73b76cc898f5e06e5f34e233e
SHA1 d579422f2aeaed3660d8a2c7edc63ac17b303ede
SHA256 f0019489287d06f803d64910666cd02712df8401c155174aef77bab66df60fca
SHA512 19e099dd01465e7bde82477681f7b91ff74cd77d411e85534be028f7ec39f9ad2eebdeff4e9c160b5142a0b958b282d6c53ef355a2baf1da3464b2da43408ef9

\Windows\system\LSOjtLS.exe

MD5 444b45a971312d872a9dd75d18ee02b3
SHA1 5cf523035c4cf4a5c82c1f514de73a08dad0ab42
SHA256 edc18c397373208216130c39f1449e7399d122df9ec4d94ce15955f92fb9ecca
SHA512 d65eaff07824d5bee9dda060b3e5e1faf59f5103f1bcd9ced0a45a4d20fb68e6aed02c732af6dc59a0117f7bf0690515bd1dde3b19863d7518575449f54d7a25

C:\Windows\system\ChVPPZS.exe

MD5 3b3259c80a6aa34405f86477f311f99f
SHA1 a2c44b423864e3b9f2ab58d7275713d62c0a2ca2
SHA256 c3579ebdce8869e2830db012aafc3510d6591ad125957131bd71b94e0529703a
SHA512 f506eec7ba7447ccb599d1229f75ede039d9af2a28d47ae2ec93917bfed2c106e482af274985bf594ce485cc29068b63636658f37dc976c1c1aa19779b0a1139

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 11:59

Reported

2024-08-13 12:02

Platform

win10v2004-20240802-en

Max time kernel

143s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\RErTTXC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UfrNVhJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gvdxgXO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aUsrkKb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uzSHrlQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PNGAbMs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FFueDxL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cTVQVUS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QqzzqoX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VkwWxhT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LSOjtLS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UHXTSur.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rODwLxb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MLCPKbp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LhwdWks.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ocCdYDg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EuFwBsw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RFbrkdy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RKDgBfH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ChVPPZS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dAhWWgU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1632 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cTVQVUS.exe
PID 1632 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cTVQVUS.exe
PID 1632 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RFbrkdy.exe
PID 1632 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RFbrkdy.exe
PID 1632 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rODwLxb.exe
PID 1632 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rODwLxb.exe
PID 1632 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UHXTSur.exe
PID 1632 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UHXTSur.exe
PID 1632 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MLCPKbp.exe
PID 1632 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MLCPKbp.exe
PID 1632 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RErTTXC.exe
PID 1632 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RErTTXC.exe
PID 1632 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dAhWWgU.exe
PID 1632 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dAhWWgU.exe
PID 1632 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RKDgBfH.exe
PID 1632 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RKDgBfH.exe
PID 1632 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UfrNVhJ.exe
PID 1632 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UfrNVhJ.exe
PID 1632 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QqzzqoX.exe
PID 1632 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QqzzqoX.exe
PID 1632 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gvdxgXO.exe
PID 1632 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gvdxgXO.exe
PID 1632 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aUsrkKb.exe
PID 1632 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aUsrkKb.exe
PID 1632 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uzSHrlQ.exe
PID 1632 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uzSHrlQ.exe
PID 1632 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PNGAbMs.exe
PID 1632 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PNGAbMs.exe
PID 1632 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LhwdWks.exe
PID 1632 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LhwdWks.exe
PID 1632 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VkwWxhT.exe
PID 1632 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VkwWxhT.exe
PID 1632 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FFueDxL.exe
PID 1632 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FFueDxL.exe
PID 1632 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ocCdYDg.exe
PID 1632 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ocCdYDg.exe
PID 1632 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EuFwBsw.exe
PID 1632 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EuFwBsw.exe
PID 1632 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ChVPPZS.exe
PID 1632 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ChVPPZS.exe
PID 1632 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LSOjtLS.exe
PID 1632 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LSOjtLS.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\cTVQVUS.exe

C:\Windows\System\cTVQVUS.exe

C:\Windows\System\RFbrkdy.exe

C:\Windows\System\RFbrkdy.exe

C:\Windows\System\rODwLxb.exe

C:\Windows\System\rODwLxb.exe

C:\Windows\System\UHXTSur.exe

C:\Windows\System\UHXTSur.exe

C:\Windows\System\MLCPKbp.exe

C:\Windows\System\MLCPKbp.exe

C:\Windows\System\RErTTXC.exe

C:\Windows\System\RErTTXC.exe

C:\Windows\System\dAhWWgU.exe

C:\Windows\System\dAhWWgU.exe

C:\Windows\System\RKDgBfH.exe

C:\Windows\System\RKDgBfH.exe

C:\Windows\System\UfrNVhJ.exe

C:\Windows\System\UfrNVhJ.exe

C:\Windows\System\QqzzqoX.exe

C:\Windows\System\QqzzqoX.exe

C:\Windows\System\gvdxgXO.exe

C:\Windows\System\gvdxgXO.exe

C:\Windows\System\aUsrkKb.exe

C:\Windows\System\aUsrkKb.exe

C:\Windows\System\uzSHrlQ.exe

C:\Windows\System\uzSHrlQ.exe

C:\Windows\System\PNGAbMs.exe

C:\Windows\System\PNGAbMs.exe

C:\Windows\System\LhwdWks.exe

C:\Windows\System\LhwdWks.exe

C:\Windows\System\VkwWxhT.exe

C:\Windows\System\VkwWxhT.exe

C:\Windows\System\FFueDxL.exe

C:\Windows\System\FFueDxL.exe

C:\Windows\System\ocCdYDg.exe

C:\Windows\System\ocCdYDg.exe

C:\Windows\System\EuFwBsw.exe

C:\Windows\System\EuFwBsw.exe

C:\Windows\System\ChVPPZS.exe

C:\Windows\System\ChVPPZS.exe

C:\Windows\System\LSOjtLS.exe

C:\Windows\System\LSOjtLS.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 148.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\cTVQVUS.exe

MD5 ecf9ed2f46c976d3256f616d1abb7560
SHA1 2398a12ca5b8d0efd6398b5cffca4a84e745056b
SHA256 111cfd80165710cc18fc268178e6c353ec00334b7fc1c145a5dcb41d09fcac95
SHA512 85523b51fe9c950be48e3e13c18aef5829f15488c6031a83abb3ced472666021b0b46aea9619091898fd55a12c3d61b23213b3ae9ccbcdb59b4048febf8d3b87

C:\Windows\System\RFbrkdy.exe

MD5 61d5165ada89e2de42a027fbf0e7460a
SHA1 c478903d5815d5dff18c1438ba24678914e45754
SHA256 27eff5905196158bd3daecdb39c2e4038eedba75f5854825139d736045f1b528
SHA512 c01fcc7b7960665ef89f19180b655aa926204b997b6d826cbc0060ac022a628154e5cdd79271ed2e664a854ed9ac4c2d188c4d494c5af02655fb476c9160609e

C:\Windows\System\rODwLxb.exe

MD5 2011e088a1b8ce40b59c710801ecc925
SHA1 c58c4bd3ebfeb38f710c12411809c0f54ff8a5ec
SHA256 86e345bb528bf39e3e2b1fc8576af1a263132b03f990883c7815aa4daa733749
SHA512 d58be39a841f2ddc57671d075bb78e090d29451ab6b8f67c3e832d0f71da68366555ba9a6d6743095ee444b62a50885ffba05dc4505e3ede5feeb2600a327072

C:\Windows\System\UHXTSur.exe

MD5 091d4a75397d8b6f9749a7efaae1c0a5
SHA1 c06aaee3807e056537c75637eacdc5987534087d
SHA256 9116f7dd82b621ed5d55e328399703262120f5e1b05af893c5130a0079465e7f
SHA512 109f0efbadeb4dd58a55762890051d425ce8a0d4c83065d0fc548ccd95ad283b5b80b7faada90cea6620ebbe2533ac19c2b5ff048600702a359460a310384f21

C:\Windows\System\MLCPKbp.exe

MD5 881668b4e3786e6c499b4aa421a10558
SHA1 1ef70e3abca5ef45d33922b9d735d10c622df11d
SHA256 3602f1f38ac32fbd2c95ce788ecce504f57e35780427897e174c08820ffe5dc1
SHA512 7b5b54aae1cee0a0ec9e6cf5276f424e8a2a3dc74592ef4e244e9283c48c0df7bf841fe6ee9e40658a8a51f3f4d3c3a780f88e0d66a8d5153e3f8a5bc690bc81

C:\Windows\System\dAhWWgU.exe

MD5 3eced770f6cb05ba9b0eb798209d8759
SHA1 b5916790cbb6d1f5c1b87c9d9068c043231b206f
SHA256 d09f858103ac80dc88dfb1bb8051bc5d8e8c8f455329757919112937975580f2
SHA512 d5a7d8fbb593e9362774ac379184841e1ec2ddf83b4720cd2b17ba9ed3c5a3969931691be6508bf898dc299b449d199f5b8e613867188fbc3b8ffa0a77350cc7

C:\Windows\System\UfrNVhJ.exe

MD5 3cca4cc473b7e1fee792cdf0113311b8
SHA1 33ee9ac7f830787a412f5c7f642165bed64a499c
SHA256 e61463aca450338e6eee3024ec09f9458c4d7fb83646434a874df482cf493799
SHA512 91af1545e7362908430f103b3ca2707c6ef850b54f1d28c0e2a18c47ce24457acf15938eaf537a9a59a74d01c9391bb498fe64565416050fceba196e47ec1eed

C:\Windows\System\RKDgBfH.exe

MD5 13067b910ae200e7b637dd2972a8525b
SHA1 26a4793dc2c89a655282e1f1d46c44f8cea5bb77
SHA256 844d04efe91b17da27b7c86ebd9d8b676b8f4f235e32c61585b9ef6b55ff7c23
SHA512 14f677ceae1e6d837239d9e7d9ec7aea2c0ad7aaacbee31fd92dfe44e706e3cba261ab1731a2dfab9348d13dbaa3cee57c312be35c236809b8b76b760dedfcc5

C:\Windows\System\QqzzqoX.exe

MD5 7e7761185543b37fe4c65f0c65cd2fa0
SHA1 4d7730ed46aeb2dc06f4bfcbfe05324ea947548d
SHA256 c3c46eab60dcfcd2b966bf7e49c8b3c6f70b7f722eced74be41fe9d344c4489a
SHA512 7bbab9666dffaeb59d5dfb5f94064e9c88dd306a4fd5b360642a7e3ec825f49828497bc7fcff88d406686695a49dc43383f68e8b7b92ace9f22ecf1b0ea71b30

C:\Windows\System\RErTTXC.exe

MD5 75027e1ba2a7b7718a43f5faf01803cf
SHA1 5e8170c29d065ccf5bce490f576d16b95788884a
SHA256 eaec94936d1f986dbec794df34e488973f0652fee2867bd389ab4f11fa5f9d6e
SHA512 912814a941c3f58fd2cf05c3d12b8a13e4716d86eafa4085094ea92b5bf3093fae4da043cc2667646ba468baefedd62977fdaf20fb04f6e840a28f19d14d5e26

C:\Windows\System\gvdxgXO.exe

MD5 08d8c98c413a6cb9e765d9cb00719bb2
SHA1 d3aa871a74061c519d7b0b73d1e0e1993ffa1296
SHA256 7dde317d74bae535332780f47f8778ca5172d8294d85322fb3ac5f4844e1de65
SHA512 532ba0ebcd96ac7ba47073e52b361cf6f963e81c5a61b0b34d4064467f128927af6ad02348e83713e5e905f933af1bf1fe9677f03c91aaca94e471f04b21ff1c

C:\Windows\System\aUsrkKb.exe

MD5 093352fd4e55d8cdf8de534a8c5b6ac0
SHA1 f5c1a9f079f973d6b5d90c7ddbb506153afd95c3
SHA256 cc6d4af4623375957d2b62a67dfaee114956da0d25d2c5a5dd49c80d1aa72ea1
SHA512 fc597c962524343f0898814fbbc45ef302695ca6bd668ccd09f56426a8fd9d7ee27e1b92f0aa99eeccef0be2227c356115704ea95005c7d567eee00a0e63dd2d

C:\Windows\System\uzSHrlQ.exe

MD5 3253831737a5e4adf0ae366925e7dd71
SHA1 9d9556517744e57b5ebd1010e3f44435a622f27e
SHA256 b43992c51db3add51713ee86b8e98ccaa97a7095962e02aa05de9e12b6fb06f0
SHA512 ebfb3f62ab88aa5f43c0560fdad59a6da3899ddc22623a7b6418913a0161611037b3723e34523a591fa8f77c9b81d15a280407df4cc94838b936580fe00909ea

C:\Windows\System\PNGAbMs.exe

MD5 b188757be2090e607985bb405275203b
SHA1 d26b22ee429f4f3a3b45d1a018d0cd5c5754afc4
SHA256 efa9547337910f4c5fc26eae8ce139c67bfb188c6a716f459b7c6dcb7ad9cd0f
SHA512 686cb2446df14aca0b2839f033ea314f1e23c4fd0393df41ddd2e9b728963f965d3a2b0f435e77aef32ad794bcdc0c4160bfda3a4efdbe3918880b5bce85ae7d

C:\Windows\System\VkwWxhT.exe

MD5 c3e61022c239e660e03bae60edfab58a
SHA1 3a9d37f3416e60c2d82bb64e385bdd58f186cdfd
SHA256 4d19dff0b28715a75a2fc63f26c5131ce46c59c2e79125e4452a7fee19e11283
SHA512 bc2600759c0466895780cf3c51310906327091bb473fc68e87c6aa6854e4d0982153bf127a4319df1e9c58af312d3a117f2a76c62259ba7ee24d12c9a4c88d1f

C:\Windows\System\FFueDxL.exe

MD5 c272101c5ceae0c1c7394a819be10179
SHA1 558b62ff8eab836c1e877556e0cda106dcaae6a3
SHA256 f7be87e6f16169711c324a79cab89bf3a13a30e22c92e41f2418d9c17451a857
SHA512 d03d961c61ea3b9216955c1c44df1395f54735b70a34736f44b946e7c468f4d9e6ff77dba0fc5809898663e71b43238270a7e3e0872e3814cb54c9fa5767a0fa

C:\Windows\System\LhwdWks.exe

MD5 8dbcce25e1760a6115561a19818d133e
SHA1 4e07629e6f91db7ea893c3f92ca7afaa9dde8ee3
SHA256 fd854bf338cb61a145f35f49194bc6f5b00c742425b443f1bf4736acae2cf9ef
SHA512 fb25385b86968b562ead204c9fdc6599eeeb8d6691e799eced6a2c36c48dfa5c354e23827885e3f264a814b265e48d6532fd23f90c5732c91d57d9299f82b7c7

C:\Windows\System\ocCdYDg.exe

MD5 f67f83967db7a0502c4edd9760830eae
SHA1 85f882358255781623d090039915aeb47a5cde6d
SHA256 1022e64e2349734cca39a025e1f8ab6c56c58c9ad151d8d8aaa710834c9a185a
SHA512 667bbef0875e17f4cb62ce4cdd1ae3c829dd039d971b75411feaa4412a57e85e1a03f9c70be406a17003960555f06063887d335a2a53d99c3d385958ca47958b

C:\Windows\System\EuFwBsw.exe

MD5 6d8ddac73b76cc898f5e06e5f34e233e
SHA1 d579422f2aeaed3660d8a2c7edc63ac17b303ede
SHA256 f0019489287d06f803d64910666cd02712df8401c155174aef77bab66df60fca
SHA512 19e099dd01465e7bde82477681f7b91ff74cd77d411e85534be028f7ec39f9ad2eebdeff4e9c160b5142a0b958b282d6c53ef355a2baf1da3464b2da43408ef9

C:\Windows\System\ChVPPZS.exe

MD5 3b3259c80a6aa34405f86477f311f99f
SHA1 a2c44b423864e3b9f2ab58d7275713d62c0a2ca2
SHA256 c3579ebdce8869e2830db012aafc3510d6591ad125957131bd71b94e0529703a
SHA512 f506eec7ba7447ccb599d1229f75ede039d9af2a28d47ae2ec93917bfed2c106e482af274985bf594ce485cc29068b63636658f37dc976c1c1aa19779b0a1139

C:\Windows\System\LSOjtLS.exe

MD5 444b45a971312d872a9dd75d18ee02b3
SHA1 5cf523035c4cf4a5c82c1f514de73a08dad0ab42
SHA256 edc18c397373208216130c39f1449e7399d122df9ec4d94ce15955f92fb9ecca
SHA512 d65eaff07824d5bee9dda060b3e5e1faf59f5103f1bcd9ced0a45a4d20fb68e6aed02c732af6dc59a0117f7bf0690515bd1dde3b19863d7518575449f54d7a25
