Malware Analysis Report

2025-03-15 07:59

Sample ID 240814-z1jdbazbpm
Target 2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat
SHA256 64ee0b608fe5812fc7aa29fa780e9c02cf96c6ea729664449c51cad8ec4507ec
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

64ee0b608fe5812fc7aa29fa780e9c02cf96c6ea729664449c51cad8ec4507ec

Threat Level: Known bad

The file 2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Xmrig family

Cobaltstrike family

XMRig Miner payload

Cobalt Strike reflective loader

Cobaltstrike

xmrig

XMRig Miner payload

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-14 21:10

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 21:10

Reported

2024-08-14 21:13

Platform

win7-20240729-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 matches; description, indicator, process and target were not exported for this rule)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(42 matches; description, indicator, process and target were not exported for this rule)

Loads dropped DLL

Description Indicator Process Target
(21 DLL-load events, all by C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe; description, indicator and target were not exported)

UPX packed file

upx
Description Indicator Process Target
(64 matches; description, indicator, process and target were not exported for this rule)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\LstfOdT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BdtDDuz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CrAXMPO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FlKIRcx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CkrXHON.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CcAkuQx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kFmxryP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AYZTiwR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lWKzThU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UCCXUHQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qlTnpFi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PHXzBKK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\scBYGRH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NJNXXar.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FulppyH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZNDdNEh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QphtKOm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JkFukUh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tZiVRIU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FbaoTkB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gVYWvqz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Every child below received three write events from PID 2400 (the sample process, whose image is in the Process column); the three identical rows per child are collapsed into one row with the event count.
PID 2400 wrote to memory of 2864 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qlTnpFi.exe
PID 2400 wrote to memory of 2332 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CcAkuQx.exe
PID 2400 wrote to memory of 2720 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gVYWvqz.exe
PID 2400 wrote to memory of 2820 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QphtKOm.exe
PID 2400 wrote to memory of 2704 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kFmxryP.exe
PID 2400 wrote to memory of 2688 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AYZTiwR.exe
PID 2400 wrote to memory of 2740 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JkFukUh.exe
PID 2400 wrote to memory of 2588 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PHXzBKK.exe
PID 2400 wrote to memory of 2700 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tZiVRIU.exe
PID 2400 wrote to memory of 2404 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LstfOdT.exe
PID 2400 wrote to memory of 2040 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lWKzThU.exe
PID 2400 wrote to memory of 2344 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\scBYGRH.exe
PID 2400 wrote to memory of 2536 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FbaoTkB.exe
PID 2400 wrote to memory of 2064 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BdtDDuz.exe
PID 2400 wrote to memory of 2900 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UCCXUHQ.exe
PID 2400 wrote to memory of 2972 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NJNXXar.exe
PID 2400 wrote to memory of 2668 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CrAXMPO.exe
PID 2400 wrote to memory of 2908 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FulppyH.exe
PID 2400 wrote to memory of 2672 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FlKIRcx.exe
PID 2400 wrote to memory of 2460 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CkrXHON.exe
PID 2400 wrote to memory of 2412 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZNDdNEh.exe
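The two tables above (executables dropped into C:\Windows\System, then the dropper writing into every child it started) are the part of this report a responder would script against. The Python below is an added example written for this page, not sandbox output: it parses rows in the report's own row format (a constructed subset of the rows above is embedded so it runs offline), rebuilds the parent-to-child map with the per-child write count, and flags dropped executables that were both created and then spawned. The name-shape test (seven letters with an uppercase letter after the first) and the choice of C:\Windows\System as the watched directory are heuristics chosen to match this sample's drops, not sandbox rules; expect to tune them on other reports.

```python
"""Triage helper for the behavioral1 rows above (added example, not sandbox output)."""
import ntpath
import re
from collections import Counter, defaultdict

# Row formats exactly as printed in this report's two tables.
FILE_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Assumption for the example: the watched directory and the name shape
# (7 letters, uppercase somewhere after the first) are heuristics chosen
# to match the drops in this report, not a sandbox rule.
WATCHED_DIR = r"c:\windows\system"
NAME_RE = re.compile(r"[A-Za-z]{7}\.exe")


def parse_rows(text):
    """Split report rows into drops [(path, writer)] and writes [(ppid, cpid, pimg, cimg)]."""
    drops, writes = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := FILE_RE.match(line):
            drops.append((m.group(1), m.group(2)))
        elif m := WPM_RE.match(line):
            ppid, cpid, pimg, cimg = m.groups()
            writes.append((int(ppid), int(cpid), pimg, cimg))
    return drops, writes


def build_tree(writes):
    """parent_pid -> {child_pid: (child_image, number_of_write_events)}."""
    counts = Counter((p, c) for p, c, _, _ in writes)
    tree = defaultdict(dict)
    for p, c, _, cimg in writes:
        tree[p][c] = (cimg, counts[(p, c)])
    return dict(tree)


def is_random_system_drop(path):
    # True for <watched dir>\<7 letters>.exe where the name has an uppercase
    # letter after the first one (LstfOdT.exe yes, notepad.exe no).
    if ntpath.dirname(path).lower() != WATCHED_DIR:
        return False
    name = ntpath.basename(path)
    if not NAME_RE.fullmatch(name):
        return False
    stem = name[:-4]
    return any(ch.isupper() for ch in stem[1:])


def triage(text):
    """Return the process map plus the drops that were both created and executed."""
    drops, writes = parse_rows(text)
    tree = build_tree(writes)
    flagged = sorted({path for path, _ in drops if is_random_system_drop(path)})
    spawned = {cimg for kids in tree.values() for cimg, _ in kids.values()}
    executed = sorted(set(flagged) & spawned)
    return {
        "tree": tree,
        "flagged_drops": flagged,
        "executed_drops": executed,
        "suspicious": bool(executed),
    }


DROPPER = (r"C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1"
           r"_cobalt-strike_cobaltstrike_poet-rat.exe")

# Constructed sample input: a subset of the report's rows rebuilt around DROPPER so
# the lines stay readable, plus one non-executable drop that must not be flagged.
SAMPLE_ROWS = "\n".join(
    [f"File created C:\\Windows\\System\\{n}.exe {DROPPER} N/A"
     for n in ("LstfOdT", "qlTnpFi", "CcAkuQx", "gVYWvqz")]
    + [f"File created C:\\Users\\Admin\\AppData\\Local\\Temp\\notes.txt {DROPPER} N/A"]
    + [f"PID 2400 wrote to memory of {pid} N/A {DROPPER} C:\\Windows\\System\\{n}.exe"
       for pid, n in ((2864, "qlTnpFi"), (2332, "CcAkuQx"), (2720, "gVYWvqz"))
       for _ in range(3)]
)

if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for ppid, kids in result["tree"].items():
        for cpid, (img, n) in sorted(kids.items()):
            print(f"{ppid} -> {cpid} {img} ({n} writes)")
    print("flagged:", result["flagged_drops"])
    print("executed:", result["executed_drops"])
    print("suspicious:", result["suspicious"])
```

On the embedded rows the helper reports PID 2400 as the parent of 2864, 2332 and 2720 with three write events each, flags the four C:\Windows\System drops, and marks the three that were also spawned as executed. The verdict deliberately requires both halves (a random-named drop in C:\Windows\System and a write from the dropper into a process running it), because the name shape alone is a weak signal; paired with the report's "Unsigned PE" and "Executes dropped EXE" hits it is the pattern a detection rule for this family would key on.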

Processes

PID Image (PIDs taken from the WriteProcessMemory table; each dropped child was started with its image path as the command line)
2400 C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe (command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe")
2864 C:\Windows\System\qlTnpFi.exe
2332 C:\Windows\System\CcAkuQx.exe
2720 C:\Windows\System\gVYWvqz.exe
2820 C:\Windows\System\QphtKOm.exe
2704 C:\Windows\System\kFmxryP.exe
2688 C:\Windows\System\AYZTiwR.exe
2740 C:\Windows\System\JkFukUh.exe
2588 C:\Windows\System\PHXzBKK.exe
2700 C:\Windows\System\tZiVRIU.exe
2404 C:\Windows\System\LstfOdT.exe
2040 C:\Windows\System\lWKzThU.exe
2344 C:\Windows\System\scBYGRH.exe
2536 C:\Windows\System\FbaoTkB.exe
2064 C:\Windows\System\BdtDDuz.exe
2900 C:\Windows\System\UCCXUHQ.exe
2972 C:\Windows\System\NJNXXar.exe
2668 C:\Windows\System\CrAXMPO.exe
2908 C:\Windows\System\FulppyH.exe
2672 C:\Windows\System\FlKIRcx.exe
2460 C:\Windows\System\CkrXHON.exe
2412 C:\Windows\System\ZNDdNEh.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (no domain resolved) tcp (6 connection records, all to the same endpoint)

Files

memory/2400-0-0x000000013FF90000-0x00000001402E1000-memory.dmp

memory/2400-1-0x00000000000F0000-0x0000000000100000-memory.dmp

C:\Windows\system\qlTnpFi.exe

MD5 fe43f38ef91640eb24e32a56c7760d8a
SHA1 3304c4248d4bebf8f61336072fb73827a3dcb91b
SHA256 ce16336af0d6a1528da63181022234f279e2e3b451934eeeba899d29c896d1c4
SHA512 502a39431e7c368c28b9229a2ec868720095e281dfb87197bb9eb67452ec19f784e3bab9f968a1a6ff17362787c33692a320bc0168c40ea4ff3057992d561f6a

C:\Windows\system\CcAkuQx.exe

MD5 fba8861019e96180c2803077452bb030
SHA1 b22cbb51d1082134115de2edd799382d9cb81f3b
SHA256 d49210ec2b1462af24cf8057527907b9081fa4f14e809be20ede1a81dbe73213
SHA512 0c3fb430f45bfc657912e2a9e2f25ee551c628fa6868741dc8e731f7958522edb9d2e25957189df93d233fba7ff6c5394ad36b74260e7e1366c49871ed414bdb

memory/2400-16-0x00000000022A0000-0x00000000025F1000-memory.dmp

C:\Windows\system\gVYWvqz.exe

MD5 00b23fabb631d4dc8dc21d854b1dcedb
SHA1 ae1e480ea37f35c188d813df95fac4300da0c823
SHA256 dab61a7e1af34169edef5f36ce14d4225a733cdd08c6b5d15273e8224103d98e
SHA512 0725a9b9802420ee7bcbefdcfdb8d9d4b931d0bc0ad77906f28be571bdfd075241defd81839bc449b3b9616c7d5394a92e4be3fa0d246bb5a7b1448cb232a37b

memory/2720-23-0x000000013F390000-0x000000013F6E1000-memory.dmp

memory/2400-21-0x000000013F390000-0x000000013F6E1000-memory.dmp

C:\Windows\system\QphtKOm.exe

MD5 99619a0263be7cc59d3adc637e9fe7a4
SHA1 68dab220cd45f46b078299032aa5ec6a9c9f84c1
SHA256 f2acc29dc2aeba643a97d8ce0d93be3ab094eb67ed0280d8f28603204a21d203
SHA512 cf564a95379d22394cf0d908224e5b86f8a2418e0c0fa885191c504096a50cb827ef750d2c05dd21147fdd6bad57b4d6a102d64b28fa747c47ea535ab10f7ccd

\Windows\system\kFmxryP.exe

MD5 8fc8f80cba6ab1cb38c114179ae76c00
SHA1 4ef0c61b87e84335f68e04fa00ac9fc94c10945c
SHA256 65f49b69f6a0c56700fd0a605a4fa2c7bc2c8ce8c2a1e4a1b63ccad891b2f0e2
SHA512 f358006a70d17dba8426fa58d7a95440613019dd6a68169b4f2e256653d4700d24b92ac3ab5c561c9cac4464532402c544982df3a32cd68dd8bfccb5e8bae1e5

memory/2400-32-0x000000013F3B0000-0x000000013F701000-memory.dmp

memory/2820-29-0x000000013F430000-0x000000013F781000-memory.dmp

memory/2400-28-0x000000013F430000-0x000000013F781000-memory.dmp

memory/2332-15-0x000000013FF50000-0x00000001402A1000-memory.dmp

memory/2864-14-0x000000013F1D0000-0x000000013F521000-memory.dmp

memory/2400-13-0x000000013F1D0000-0x000000013F521000-memory.dmp

\Windows\system\AYZTiwR.exe

MD5 67dea55fa8262c276af74dbc0a181b03
SHA1 2c9cda9009b4bc71af51ee77a38dfa1f9754face
SHA256 a1e84ceddbe3b942f7eebc96e6e1df92a514de850adc7c92954636b5f4c4bd00
SHA512 27c45260c3f63fdcc5b5e4797c48dabff15e93246f1c8139170bae4634982e5c5d1c6bf406ebb616b2e348b9822b3fe75bc74ceec3fae00e2071e68aaf52d806

memory/2704-40-0x000000013F3B0000-0x000000013F701000-memory.dmp

memory/2400-42-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

memory/2740-51-0x000000013F730000-0x000000013FA81000-memory.dmp

memory/2400-53-0x000000013FF90000-0x00000001402E1000-memory.dmp

\Windows\system\PHXzBKK.exe

MD5 5f40170ef5ff39ace99b16ec23f655b4
SHA1 2c0c5bca37d7265afb55a5b0ba5a6d9d30c62e68
SHA256 4e80adecf14db22e8cfdac5eec7f21f6310a3e3c9412ec6f4e51a7ae5c615770
SHA512 1054a481a7a7322d745e9d87725d3e18821addc5564b0080913efde3abb1001fde83a01f6c5f0c434a141c717d6d92288c5e703207b8dbe836bf6a426fde10e2

memory/2400-49-0x000000013F730000-0x000000013FA81000-memory.dmp

memory/2688-43-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

C:\Windows\system\JkFukUh.exe

MD5 8d17eee8fc8377660207e2abc57cdb29
SHA1 2dbb855f03e182e5d83bf3ecee84a6757f66926c
SHA256 8a0c85f1625a344aee18ef4ccb76d9e74b83e89354458b1bf7321172cd5838e3
SHA512 fadf7a1329de66233857721976191579d925fa82e7e048b201a129f43c557dd83aa0c46f348438af131efbce43eab1b7a5f25611d74fbc3d723217fe8926b106

\Windows\system\tZiVRIU.exe

MD5 0405dfaa3d39556c5694bc9d5ed5d5ac
SHA1 3a72d6162f9d599de9ce429d9b1738c4fe713b87
SHA256 38085b570d9a89b177d073297778b2c346723e4773d5e2d57137b99399cca2f9
SHA512 0b6b17f018449fed96306554fc3bea015fe9203e3cbf57b660ce6cec28925baa9881c59ad5cea71c28c55b2389d6a3135de316a55db2f0d74b63ac541f2ff506

memory/2040-79-0x000000013F0B0000-0x000000013F401000-memory.dmp

memory/2700-66-0x000000013F440000-0x000000013F791000-memory.dmp

\Windows\system\scBYGRH.exe

MD5 ee40ae6c9121045d087e341c06cb3460
SHA1 c8be085024fcb7f4569fee208dd7ee00c0f0f514
SHA256 05a74d172aaa99a2f5c7b165991af244cf4f2aa637dca2755464cd3a7f5afaa2
SHA512 c16fcab4e0eead9e667b7336fdf2261c6c7e528b41f8ae117488c92bf9034c56329d5e7ea91e82d72f8efebc9985a92b4e0561a51b93bb6a1f4b52e13e7df22d

memory/2400-84-0x00000000022A0000-0x00000000025F1000-memory.dmp

memory/2704-82-0x000000013F3B0000-0x000000013F701000-memory.dmp

memory/2404-81-0x000000013F4B0000-0x000000013F801000-memory.dmp

memory/2400-80-0x000000013F0B0000-0x000000013F401000-memory.dmp

memory/2820-78-0x000000013F430000-0x000000013F781000-memory.dmp

memory/2400-77-0x000000013F4B0000-0x000000013F801000-memory.dmp

memory/2720-74-0x000000013F390000-0x000000013F6E1000-memory.dmp

C:\Windows\system\lWKzThU.exe

MD5 6d432b623850fdf766af7c3b4a6eb3bf
SHA1 5cb2f79b072b3b20526e04e11b6866cbecfba8c2
SHA256 dfa75a040581770131cbdb81c10929ec3e5256801471490a14bc42834b8abfa4
SHA512 f233ccc88424323a57b6cf6c3c8d0447e64d54dfaa215d427ccd0dcd8d441448bcb0cdd1b04ee8c2c38a905202778836abeaa738a8776bd7c6503e217f177015

memory/2400-65-0x000000013F440000-0x000000013F791000-memory.dmp

C:\Windows\system\LstfOdT.exe

MD5 6f2bc5616eab7209a52dbdaae87a36fd
SHA1 8185aa2cdae81d9d4298332d423a7d9842ef0ce5
SHA256 ff82cb7ec05ffcff9ea8e5b8a962a3fbdeed39498fd6fb5ef81ea527ff78ebbd
SHA512 9806aa2ba7305f0d595a7c9685ecceaf960ee88960de32847751955f9bd0bb7820849d017e5ac401f6bc64cd30c55c9d802356dac001c89c0a889bcd342621d6

memory/2588-62-0x000000013F900000-0x000000013FC51000-memory.dmp

memory/2344-88-0x000000013FF90000-0x00000001402E1000-memory.dmp

\Windows\system\FbaoTkB.exe

MD5 5afe25bfc97e1ca3e2e2944c530f121d
SHA1 d8a09c023235e40d234e46708b22d75a2026c7f8
SHA256 81eb95367ef73ccde917fa4c2d144269470d873c9f9de7606ddba0d05038bdc2
SHA512 3a5f27f546b94ac6fdb79b60a73f1292968413dfcfa1e68e4363ed5cba4ee893430add56c9a9026c9df1a3bac05783115fdde57752cb8aaf0a4c3742896060ef

memory/2688-95-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

memory/2536-96-0x000000013F500000-0x000000013F851000-memory.dmp

C:\Windows\system\BdtDDuz.exe

MD5 ce682b7f2520737f4d546386290c1577
SHA1 ff47ce89681815f734dc8c4779ff67d7e949e76b
SHA256 93a717b0e4655547b67a9a458c3b04a1275a390c85ac3c3362f3709111fd5fa6
SHA512 95611519a00d7500b4008e1c0a0b6c12d630477c6ec5ab7a4847cee22d6a87b52c33d6ad4a31e7622fd83d887af6764f1de58b6d156eb808dd1dc116c4af3886

memory/2400-103-0x000000013FB40000-0x000000013FE91000-memory.dmp

\Windows\system\UCCXUHQ.exe

MD5 45195ac466b7867df566e8d6e06c0da8
SHA1 7c53a3d304769dd23bca6cb9c2ca672898ff4399
SHA256 c92125ff2b2219992e8c40f305e39944f1bdb9c99bb06a2870a674fc14036c41
SHA512 9982ae2b5f234bc6cf191a5aa659eee92ddcc0f21d7410bd94afa438de33308a006f25730f86e43a651e7ce7766eee6d782d33291b89a266e566313f9a0c1569

memory/2400-109-0x000000013F760000-0x000000013FAB1000-memory.dmp

C:\Windows\system\CrAXMPO.exe

MD5 5f520d0716f14d7dec9cdf696a9bc928
SHA1 b5b41c314a22d363ce90f9e4024dc0d775ff90fe
SHA256 96b98cd476a3b5f565284fcc084bb8c9c5fa618ed49004cb084c187ffbf13661
SHA512 ca4014503eb589b5ec64b38cbd168c2358cda99d909cce3a8663c87f5c357365a10e16efc392ff84a214f0429a6c8e26b7be22a1f5e10cf81c7522ec7a8a6071

C:\Windows\system\FulppyH.exe

MD5 caf4fc856dc48ee5a6d8529bad6f53d8
SHA1 81531deb172600acfccc38294bac236a054fc2ab
SHA256 c9a1a22e80855b808594295772fe334aa4cd98690bb9014a8ece53925220aba1
SHA512 d65074b5ab7f6fb83499704d6c9feddbd77ee568d2c4f6edf97eb5a29dbd8982ed4b1437ada9e11659c238efc9435561fbf20f4579970e60cb872cf471c57405

C:\Windows\system\ZNDdNEh.exe

MD5 02ff15817d87bd312c2d29f9309cfca3
SHA1 0d37b9683fa019598bde967eb85c37fbc7bd83ec
SHA256 2b5d746b6443a16334ab597389c366aba3ec9b7329dcdbaa160ca3f0c61e8649
SHA512 4d0c5bb6df171112b7081ab692bff806be925388934bccd8aba1de86c9b4ed8f4f02722fe9040fb40f78fc651024dca23c81e89ce12f7b353e71aca0dd52ea83

C:\Windows\system\CkrXHON.exe

MD5 0c39311276f725ca46f396fe81b17710
SHA1 fac7e65ca069fb6264ae2fb5909842050b8819b1
SHA256 c3249398a490d5cafbfe0abd757806b4cd6e8e76c3953a211606040e2eb1041c
SHA512 5adffb1345e9f37a4b42c21c6052a900b94398831e627e1691857ba4fd900c2944926b4343311f491a2fe33a98af9cb5eb7b0f050f412f70cccbd535c79a7dbf

C:\Windows\system\FlKIRcx.exe

MD5 3deb4cfa46ea49aaf5bb8b433d2abf58
SHA1 98bf31d20b5fb6cea80e3492f2056abb932706c3
SHA256 79b29068a2739b1034049c5962ade3bd2f56a616142b83343b1c785530abddce
SHA512 2c9d0581d3a99db16e9bbf25cf52660793312927d6f24b1b80bd419295cab0cd3f96e983b437e4c8f11f12b5c999c8884ca985a49c0fab9096a452292b1af4ca

C:\Windows\system\NJNXXar.exe

MD5 4979c92edae4bf6e81ecacf6b9b9f821
SHA1 680d3f8f7f1ef52559b16b00f9ef3b407b563677
SHA256 8f4e5ceeda8d98e41dca4f33e9e122f49fdb8a5cf458fb5e948c0925ba80ca90
SHA512 c815b04d36c2fcb02af9280a6e7b105651ac0edfbbcf4fbf2879736b1a85e28d6e5b1743706cb5dfbed20b72f1d34ab2f47d7fbb6f162ea92f84d6c83f2ac471

memory/2064-104-0x000000013FB40000-0x000000013FE91000-memory.dmp

memory/2400-93-0x000000013F500000-0x000000013F851000-memory.dmp

memory/2400-133-0x000000013F440000-0x000000013F791000-memory.dmp

memory/2400-141-0x000000013FF90000-0x00000001402E1000-memory.dmp

memory/2400-150-0x000000013F4B0000-0x000000013F801000-memory.dmp

memory/2344-154-0x000000013FF90000-0x00000001402E1000-memory.dmp

memory/2536-155-0x000000013F500000-0x000000013F851000-memory.dmp

memory/2972-158-0x000000013F1F0000-0x000000013F541000-memory.dmp

memory/2400-164-0x00000000022A0000-0x00000000025F1000-memory.dmp

memory/2460-162-0x000000013F790000-0x000000013FAE1000-memory.dmp

memory/2672-161-0x000000013F8F0000-0x000000013FC41000-memory.dmp

memory/2908-160-0x000000013F460000-0x000000013F7B1000-memory.dmp

memory/2668-159-0x000000013FD40000-0x0000000140091000-memory.dmp

memory/2900-157-0x000000013F760000-0x000000013FAB1000-memory.dmp

memory/2412-163-0x000000013FED0000-0x0000000140221000-memory.dmp

memory/2400-165-0x000000013FF90000-0x00000001402E1000-memory.dmp

memory/2400-174-0x000000013F500000-0x000000013F851000-memory.dmp

memory/2400-188-0x000000013FB40000-0x000000013FE91000-memory.dmp

memory/2332-221-0x000000013FF50000-0x00000001402A1000-memory.dmp

memory/2864-220-0x000000013F1D0000-0x000000013F521000-memory.dmp

memory/2720-223-0x000000013F390000-0x000000013F6E1000-memory.dmp

memory/2820-225-0x000000013F430000-0x000000013F781000-memory.dmp

memory/2704-227-0x000000013F3B0000-0x000000013F701000-memory.dmp

memory/2740-229-0x000000013F730000-0x000000013FA81000-memory.dmp

memory/2688-231-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

memory/2588-238-0x000000013F900000-0x000000013FC51000-memory.dmp

memory/2404-242-0x000000013F4B0000-0x000000013F801000-memory.dmp

memory/2700-241-0x000000013F440000-0x000000013F791000-memory.dmp

memory/2040-244-0x000000013F0B0000-0x000000013F401000-memory.dmp

memory/2344-255-0x000000013FF90000-0x00000001402E1000-memory.dmp

memory/2064-258-0x000000013FB40000-0x000000013FE91000-memory.dmp

memory/2536-259-0x000000013F500000-0x000000013F851000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 21:10

Reported

2024-08-14 21:13

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 matching rows, none with a populated description, indicator, process or target.)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(45 matching rows, none with a populated description, indicator, process or target.)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 matching rows, none with a populated description, indicator, process or target.)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\INCOoCF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YAeXbJT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QeAIVrD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\otejBUs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ABagijM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AikdlhE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gqVaDnH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KctMqqC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FjSwNNg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VSKvxoF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oypJoDb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZxJLmWR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HIMjgsB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iBSrVcy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TlfnAYe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rWRXKaS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kugoGIG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Itbmddo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DlhrASY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zxShMCC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nbxrFiB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3000 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AikdlhE.exe
PID 3000 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AikdlhE.exe
PID 3000 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DlhrASY.exe
PID 3000 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DlhrASY.exe
PID 3000 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZxJLmWR.exe
PID 3000 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZxJLmWR.exe
PID 3000 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zxShMCC.exe
PID 3000 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zxShMCC.exe
PID 3000 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gqVaDnH.exe
PID 3000 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gqVaDnH.exe
PID 3000 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HIMjgsB.exe
PID 3000 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HIMjgsB.exe
PID 3000 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nbxrFiB.exe
PID 3000 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nbxrFiB.exe
PID 3000 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TlfnAYe.exe
PID 3000 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TlfnAYe.exe
PID 3000 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rWRXKaS.exe
PID 3000 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rWRXKaS.exe
PID 3000 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KctMqqC.exe
PID 3000 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KctMqqC.exe
PID 3000 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\INCOoCF.exe
PID 3000 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\INCOoCF.exe
PID 3000 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kugoGIG.exe
PID 3000 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kugoGIG.exe
PID 3000 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YAeXbJT.exe
PID 3000 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YAeXbJT.exe
PID 3000 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iBSrVcy.exe
PID 3000 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iBSrVcy.exe
PID 3000 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QeAIVrD.exe
PID 3000 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QeAIVrD.exe
PID 3000 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\otejBUs.exe
PID 3000 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\otejBUs.exe
PID 3000 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ABagijM.exe
PID 3000 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ABagijM.exe
PID 3000 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FjSwNNg.exe
PID 3000 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FjSwNNg.exe
PID 3000 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VSKvxoF.exe
PID 3000 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VSKvxoF.exe
PID 3000 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oypJoDb.exe
PID 3000 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oypJoDb.exe
PID 3000 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Itbmddo.exe
PID 3000 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Itbmddo.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\AikdlhE.exe

C:\Windows\System\AikdlhE.exe

C:\Windows\System\DlhrASY.exe

C:\Windows\System\DlhrASY.exe

C:\Windows\System\ZxJLmWR.exe

C:\Windows\System\ZxJLmWR.exe

C:\Windows\System\zxShMCC.exe

C:\Windows\System\zxShMCC.exe

C:\Windows\System\gqVaDnH.exe

C:\Windows\System\gqVaDnH.exe

C:\Windows\System\HIMjgsB.exe

C:\Windows\System\HIMjgsB.exe

C:\Windows\System\nbxrFiB.exe

C:\Windows\System\nbxrFiB.exe

C:\Windows\System\TlfnAYe.exe

C:\Windows\System\TlfnAYe.exe

C:\Windows\System\rWRXKaS.exe

C:\Windows\System\rWRXKaS.exe

C:\Windows\System\KctMqqC.exe

C:\Windows\System\KctMqqC.exe

C:\Windows\System\INCOoCF.exe

C:\Windows\System\INCOoCF.exe

C:\Windows\System\kugoGIG.exe

C:\Windows\System\kugoGIG.exe

C:\Windows\System\YAeXbJT.exe

C:\Windows\System\YAeXbJT.exe

C:\Windows\System\iBSrVcy.exe

C:\Windows\System\iBSrVcy.exe

C:\Windows\System\QeAIVrD.exe

C:\Windows\System\QeAIVrD.exe

C:\Windows\System\otejBUs.exe

C:\Windows\System\otejBUs.exe

C:\Windows\System\ABagijM.exe

C:\Windows\System\ABagijM.exe

C:\Windows\System\FjSwNNg.exe

C:\Windows\System\FjSwNNg.exe

C:\Windows\System\VSKvxoF.exe

C:\Windows\System\VSKvxoF.exe

C:\Windows\System\oypJoDb.exe

C:\Windows\System\oypJoDb.exe

C:\Windows\System\Itbmddo.exe

C:\Windows\System\Itbmddo.exe
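Added example, not part of the sandbox report or of the sample: the two signature tables above record one process (PID 3000, running from the user's Temp directory) creating seven-letter .exe files directly under C:\Windows\System\ and then writing into the memory of each child it launches from that directory, and the process list shows every one of those children running. The block below turns that into host-side detection logic and runs it over constructed Sysmon-style events (EventID 11 FileCreate, EventID 1 ProcessCreate) built from the paths and PIDs in this report plus two benign rows. The field names follow Sysmon, the event rows are constructed, and the correlation threshold is an assumption.

```python
import re
from collections import defaultdict

# Pattern seen in this report: seven ASCII letters, mixed case, .exe, directly under C:\Windows\System\
DROPPED_NAME = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
# Stage-one location of the sample in the report
USER_TEMP = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe")

# Constructed Sysmon-style events (EventID 11 = FileCreate, EventID 1 = ProcessCreate),
# built from the paths and PIDs in the two tables above plus two benign rows.
EVENTS = [
    {"EventID": 11, "ProcessId": 3000, "Image": SAMPLE, "TargetFilename": r"C:\Windows\System\AikdlhE.exe"},
    {"EventID": 11, "ProcessId": 3000, "Image": SAMPLE, "TargetFilename": r"C:\Windows\System\DlhrASY.exe"},
    {"EventID": 11, "ProcessId": 3000, "Image": SAMPLE, "TargetFilename": r"C:\Windows\System\ZxJLmWR.exe"},
    {"EventID": 1, "ProcessId": 3512, "ParentProcessId": 3000, "ParentImage": SAMPLE,
     "Image": r"C:\Windows\System\AikdlhE.exe"},
    {"EventID": 1, "ProcessId": 1956, "ParentProcessId": 3000, "ParentImage": SAMPLE,
     "Image": r"C:\Windows\System\DlhrASY.exe"},
    # Benign noise: an installer writing a log beside itself, and services.exe starting svchost.
    {"EventID": 11, "ProcessId": 4100, "Image": r"C:\Users\Admin\AppData\Local\Temp\setup.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Local\Temp\setup.log"},
    {"EventID": 1, "ProcessId": 4200, "ParentProcessId": 700, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe"},
]

DROP = "temp_exe_drops_into_windows_system"
SPAWN = "temp_exe_spawns_dropped_windows_system_exe"


def classify(event):
    """Label one event, or return None when it matches neither half of the pattern."""
    if event["EventID"] == 11 and USER_TEMP.match(event["Image"]) \
            and DROPPED_NAME.match(event["TargetFilename"]):
        return DROP
    if event["EventID"] == 1 and USER_TEMP.match(event.get("ParentImage", "")) \
            and DROPPED_NAME.match(event["Image"]):
        return SPAWN
    return None


def hunt(events, min_drops=2):
    """Correlate per dropping PID: fire only when one process both drops at least
    min_drops such files and then executes at least one of them. Returns {pid: finding}."""
    per_pid = defaultdict(lambda: {"dropped": set(), "spawned": set()})
    for ev in events:
        label = classify(ev)
        if label == DROP:
            per_pid[ev["ProcessId"]]["dropped"].add(ev["TargetFilename"].lower())
        elif label == SPAWN:
            per_pid[ev["ParentProcessId"]]["spawned"].add(ev["Image"].lower())
    findings = {}
    for pid, seen in per_pid.items():
        executed = seen["dropped"] & seen["spawned"]
        if len(seen["dropped"]) >= min_drops and executed:
            findings[pid] = {"dropped": sorted(seen["dropped"]), "executed": sorted(executed)}
    return findings


if __name__ == "__main__":
    for pid, f in hunt(EVENTS).items():
        print(f"PID {pid}: dropped {len(f['dropped'])}, executed {len(f['executed'])}: {f['executed']}")
```

Two caveats a hunter would want: writing under C:\Windows\System needs an elevated token, so on a standard-user host this stage fails and only the Temp-stage execution is left to catch; and the seven-letter name pattern is specific to what this report shows, so the correlation (one PID that both drops and then spawns from that directory) carries the detection, not the regex on its own.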

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 21.58.20.217.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
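Added example, not part of the report: the Network table above is a flat list that mixes the sandbox's own traffic with what the sample did. The block parses a copy of those rows (constructed here from the table as printed, including the rows that carry no Domain cell), strips resolver, reverse-lookup and Bing background traffic, and reports what remains with a connection count and whether the sandbox ever associated a hostname with the peer. Treating 8.8.8.8:53, in-addr.arpa and Bing as background is an assumption about this sandbox image, not something the report states.

```python
# Rows copied from the Network table above; rows with three fields have no Domain cell.
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 21.58.20.217.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""

# Assumed background for this sandbox image: the resolver, PTR lookups and Bing.
BACKGROUND_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")
RESOLVER = ("8.8.8.8", 53)


def parse_rows(text):
    """Parse the flattened table; a three-field row means the sandbox saw no name for the peer."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_background(row):
    if (row["host"], row["port"]) == RESOLVER:
        return True
    return bool(row["domain"]) and row["domain"].endswith(BACKGROUND_SUFFIXES)


def triage(rows):
    """Group the remaining connections by peer; 'named' records whether any row ever
    carried a hostname for that peer (a bare IP points at a hard-coded address)."""
    out = {}
    for r in rows:
        if is_background(r):
            continue
        key = (r["host"], r["port"], r["proto"])
        entry = out.setdefault(key, {"country": r["country"], "count": 0, "named": False})
        entry["count"] += 1
        entry["named"] = entry["named"] or r["domain"] is not None
    return out


if __name__ == "__main__":
    for (host, port, proto), info in triage(parse_rows(NETWORK_ROWS)).items():
        print(f"{host}:{port}/{proto} {info['country']} x{info['count']} named={info['named']}")
```

On this table the only peer that survives the filter is 3.120.209.58:8080, contacted six times over TCP with no hostname ever attached. The report does not say what the channel is, so it should be recorded as the IOC to pivot on (passive DNS, other reports for the same family) rather than labelled C2 on the strength of this page alone.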

Files

memory/3000-0-0x00007FF78FA00000-0x00007FF78FD51000-memory.dmp

memory/3000-1-0x0000023D8C5B0000-0x0000023D8C5C0000-memory.dmp

C:\Windows\System\AikdlhE.exe

MD5 92d8543a2a161f9e64a530651574e360
SHA1 6af2aa86d9a030124e80de1cbbe81407f5db3959
SHA256 2b267b8d5a5e3ccf57e95df0fd2276574f382d6211dfdd0a24d8279d9ba6df03
SHA512 836f699ed640acc3f023005edd4b151a412bb1c56014a56a784967e3830448f6681fc184fbb01e50fd5badbe8df2ba953c27fa2ea75a7881e6e7c58642f8f093

C:\Windows\System\ZxJLmWR.exe

MD5 f4f7779e228832904bd42253e320b6f6
SHA1 a99c76f75a2ba3cfd6c9b78800de5e4c34758174
SHA256 b04cd53afdf3c95b92f64c90f9ccd660e090bf1ca72abb38e2be2e68055f2a6d
SHA512 ba50d255677a937a848ccc2e75a019e6562631b94666ed99b2773de624f9085aa8ba3d1bf73792c3dd8ac229ac1574160482d2286a4149b881c12343c9832b2e

C:\Windows\System\DlhrASY.exe

MD5 1e46b7893d7e63a240d1955692e77521
SHA1 66216a0b8d3e4458fb4e8f3b255c2b7e1d49f625
SHA256 56b60e36b161c704b29a4a07d1d526f4ba8b475b1d3c9ac78a738fd34cb8dc1e
SHA512 58832daa934f560b6e765a648ce5832b0671f3e35eba3949c0b43c0d464d2d6343a090a253ae4e9271cb5cc2814631d8f14e7c345bd5f46d6195a7eef228e8d1

C:\Windows\System\zxShMCC.exe

MD5 344a54fc841c5da26d0891e9c0319501
SHA1 1fe1e7a14f71935a1a182201aa75c5a14eca7166
SHA256 cf6e569ca21ed84688fd7bf26a831b158a897143cbe0bf677021f23a7243bc41
SHA512 0983f941f27703bcef4bf92df8eb3a030a2c3a0c4c59a232355ca5e73e255d15f1ef904412c6704e47336423fdab6a36230027dc86b38f2d467ad2aa7e320bef

C:\Windows\System\gqVaDnH.exe

MD5 dff11f2bba55c33b4e2a3fdf841934f8
SHA1 773586fb08623d1d027eff68323778d224c09b82
SHA256 e6b7101367be295e63903d74ba712e5709c6c72b25ed0c0729d304e22662f25d
SHA512 bae9ae5cba1f3a1372a2a5544115d0e458e209cafdf5b53dc5f567ed113179db972bda9e737e5f11f95bf4cc176c0c5aa13a012c239766d461f47bea92fe29f4

C:\Windows\System\HIMjgsB.exe

MD5 8ec6b0c211b677d586d29563490f0ef0
SHA1 f0f6c17bfc06bcba65031088106589ec938c30c3
SHA256 eb3114953f1861051143ad9409e6297d7d9ab83da8af56f5d3463195d8eb7e51
SHA512 2b656fb76a0e9ca1f44d3e26dbbd34294f9d288c26e81ef556447cdc2ff0258b762e4de4195996af40726c886013d3b2a8c1819567755723f6cfb7b34c540099

C:\Windows\System\nbxrFiB.exe

MD5 099864b6b059cf72c4b36446b2534b0b
SHA1 750d08310a6dcb0c82765c6323e4de08354c876d
SHA256 621de712af8259b3f83910467c8ba17ca1effbe43f632c153bfc018946896d59
SHA512 8bf5693a172c327b83b6a0eeafe9357aa2ec5d4efe4e8473b9657c97fdcc19c1691e18c980e682fbfb03cf5e4ea26680411b17a2c44ba5946d604302c45bb628

memory/2744-37-0x00007FF7F6E50000-0x00007FF7F71A1000-memory.dmp

memory/1956-46-0x00007FF73DBD0000-0x00007FF73DF21000-memory.dmp

memory/3696-57-0x00007FF6FE2B0000-0x00007FF6FE601000-memory.dmp

C:\Windows\System\YAeXbJT.exe

MD5 eb683221617c26036d25f9144b256fbb
SHA1 6dcca45dc52e1098f1c923ebaea8e9f45d62894d
SHA256 f9295cd783dcc7c39d2bbdf8ab1170808ea3a61dc28a8b98d12554dada564b16
SHA512 7cecc81de3ef035c9c623e2d6c5f1ada631ce3f73164b6f596be6c446f57238fb41c5c82bef8a1fb3a8537757d90dc698a760d7dcdef0fd0b3ca4409c3f47244

C:\Windows\System\kugoGIG.exe

MD5 5944afcb16ba0be5201e786c3300396a
SHA1 b66170853733acc3c5278b4f8d1acc1d88a4f50b
SHA256 aacf581533ee45bd5ca9fa732b92c8d9159164e5d9ff6f5d9e56781972a80025
SHA512 5f2ecbe25b8bea4571b4b249f48387d247a2ca07bc05b9ccaf5e98cab61aee9c5505daf07529dcc28ecde105112fe41e4d8a069f8acba20e2ea1b307b93f385c

C:\Windows\System\iBSrVcy.exe

MD5 c11444a303917648c5c85b802e87e861
SHA1 14aac14177a68296c9c39da64c356cfc966fa3de
SHA256 5cc32e82ef5848d157a7457b68fc76b4583c879b57f8d321a85334f5beb6f6bc
SHA512 4b2ffdbb445edd824656bd07cd3558bba1203c805a649d77ce6901dbd1935ebd5b9f0dcda10b5bd6192f1578e871d569c859d9d2db192d137c1377304509644e

memory/2968-81-0x00007FF737340000-0x00007FF737691000-memory.dmp

C:\Windows\System\QeAIVrD.exe

MD5 c33c607750787c54e0e99ba17a45623c
SHA1 c24b360a1ff3f4bcfb28d73394e30474946af0b8
SHA256 88de352b2fa97a6ed24eafb767344c9252940a792ce373fb1c7365820c998002
SHA512 a824295dfe2ec643ca2bf5255552bd216f2ced91904ceb55d205e88ad9a0fe441ff5a5d5da9329c1830aee0a5eedc40e3ea569116bceb50400cf7407c2630212

memory/1936-92-0x00007FF7A02E0000-0x00007FF7A0631000-memory.dmp

memory/3308-91-0x00007FF6FF690000-0x00007FF6FF9E1000-memory.dmp

memory/1752-88-0x00007FF68D3F0000-0x00007FF68D741000-memory.dmp

memory/5008-86-0x00007FF696F60000-0x00007FF6972B1000-memory.dmp

memory/1524-78-0x00007FF6EFBA0000-0x00007FF6EFEF1000-memory.dmp

memory/4816-77-0x00007FF77DDF0000-0x00007FF77E141000-memory.dmp

memory/2960-73-0x00007FF67B940000-0x00007FF67BC91000-memory.dmp

C:\Windows\System\INCOoCF.exe

MD5 e182c5e45f3defd6c1914438a06e7189
SHA1 fcc293ecf8ac2b03ca8c38af43dd940ee665081d
SHA256 320e566b189cec7d9e6c4c838d0ce25b0866964af0656c1b61b2d598497dc92c
SHA512 46da11dd74ec021c9feb8c06e130f594c8ee51d4b916d5425ad5db2de5ec7caf2581eb5e76992f85863cb53cfe4aa594dd3e77cbab3854275bd5bfb1d0d3e8fa

C:\Windows\System\KctMqqC.exe

MD5 eb8a4e4c6ca9d5906dbdad69ff8cad67
SHA1 2fc9e05e690576d4d6f5f32ad491735ade1989cb
SHA256 35564b54ac7eb97db007ac8d8a0da050def5f8280e00a5c8b4c15dbf48e5f635
SHA512 b5418bc1d285b0651a45d3c4865bb214f5b170a780c87fb16f8322b971ae9cd1f95d0edf3658895313b97a2527e89720b002a00a45cb69fe57990aa7aee4e7a3

C:\Windows\System\rWRXKaS.exe

MD5 dcd486581d196cca59542ff9ad67cf80
SHA1 bb640ea3f9baabba0236dc0b45e09c0a4a3e0195
SHA256 f6a6d645278935cd71f788228dbad25e98d3e47d0496488b0a32f0fce91913ad
SHA512 3df3be2b1aa6b3ab6adf7096e4f0483adb51dbb4765fd8692333bc63b2047b5489c9ca55eee575217344a8e0333e282364c3b4c86a5037443d19f327cb9b4ad1

C:\Windows\System\TlfnAYe.exe

MD5 6d66314c645d9320648db4fcb16092e3
SHA1 f4b7684299b4806510d5da41cf15668ebde74e35
SHA256 16e01ef7c298acb34dcbdcdaf61ee4550c5f17ffc03452c01b6dc55c557e7f41
SHA512 183184e54b1a0b95614b87c8940ac0062701335465287ad2b368f5faed5d4c1fb4a64d9426e082b7b622d581bdcb6825ea83fd68fd376ad1cd2a23850f6640e7

memory/2904-43-0x00007FF708C70000-0x00007FF708FC1000-memory.dmp

memory/2244-28-0x00007FF7C7550000-0x00007FF7C78A1000-memory.dmp

memory/2280-23-0x00007FF73BEF0000-0x00007FF73C241000-memory.dmp

memory/3512-16-0x00007FF681720000-0x00007FF681A71000-memory.dmp

C:\Windows\System\otejBUs.exe

MD5 7c92dcb030a350e085513ec8ec2c6555
SHA1 fa28b2f0c70fbeb482bac2fcc4c51d311cef8b43
SHA256 6eff39ed2d388e49d47e800dddda5c6331da0e8b9cca6566a1408537d7e2a937
SHA512 7affad651532ba81d4fb384d014df304156796d313cfbb4d873fe8c820a0ae3b8e3b405be3c7268dc30114c9fba6127004ea421d9d591222b18e326e707006f1

memory/3132-103-0x00007FF79F990000-0x00007FF79FCE1000-memory.dmp

C:\Windows\System\VSKvxoF.exe

MD5 5665e3568ffaccc41e7469c7efaf855e
SHA1 519b0663911829594b7333864e07c370a786513b
SHA256 44a83b08ae3e51a6c3408cf30200cb1b4f1f5cbcfadc399b80cc2403085dc819
SHA512 0b57ba3cea3f87b8f5053fe620a9d837f7e88577fd63e96426e9bbbe57fbeecf8925656ee22b9beca71f0be75d29234858313521f7dcffcaf7fea561779092cc

memory/4392-113-0x00007FF744CB0000-0x00007FF745001000-memory.dmp

memory/4008-119-0x00007FF78FC70000-0x00007FF78FFC1000-memory.dmp

C:\Windows\System\Itbmddo.exe

MD5 05616a33de4c71390530b44e2f29d753
SHA1 73cabd04176ce645d521e494f07c03d0323ba99d
SHA256 fa26a6c3b3bccfa553ad2b3b2d57c321d3f0823051cbdce9c9dd84a9ce52b015
SHA512 dc765361b8a6f6139115205097cebd135d98c02a2c7a7ff855f4bf19d691c279fc17ee1079e2678dfeb63ee7922c0c5b048ecd51f4e4cddd5be1c0abf49946ca

memory/1716-122-0x00007FF6D1630000-0x00007FF6D1981000-memory.dmp

C:\Windows\System\oypJoDb.exe

MD5 b74e9479479167ca3b5116d692741dfe
SHA1 efde9e1e6db4d8017236ff1dab0437766300b3a7
SHA256 12aa025bc907484e501256f61d22c74ef140c6cb24a46b40b53912e0d9b1d132
SHA512 9602a78266bef37099ce404fabb21a64c7a99c2f88ce540f429b675af6019569ba66b7ade9e7021ebf8ad44ecd84748c22ef32792ee155e73ecd799e5dbbd71a

memory/908-118-0x00007FF7A30B0000-0x00007FF7A3401000-memory.dmp

C:\Windows\System\FjSwNNg.exe

MD5 97b89f99656db47133feb93f9beb70e2
SHA1 a84ce949c0eae235d1fed788ed52dff689cb352c
SHA256 84f6561416a87cb6976e2143cfec6ac7d074fc66d24f13f46ceac504d4450738
SHA512 8d0310a7a6cffc9d3c182941509463b6bdec2796e9de3ef362dd1be4aff227a6f03b43ec6436f94901dbc2f27fbd9e7784375a77a4925c703ad0cfc09625a3c6

C:\Windows\System\ABagijM.exe

MD5 d61b8b06ce4d5d3de29771efd1083371
SHA1 44cb202031ee3a58f1364d061ac3769bb5c63629
SHA256 e9f60ac597f7575a56f0be6f201e288b9cf7833e8843fcbfb393842112f32091
SHA512 c0b5621d58b643714e5b573965644a593a453f175e16fc6a8edc5491e187553b1c83181967bd041332a5f8c09a30836a0396e4d63df3f2cb2432cb32a9251a2b

memory/1160-104-0x00007FF644730000-0x00007FF644A81000-memory.dmp

memory/2744-134-0x00007FF7F6E50000-0x00007FF7F71A1000-memory.dmp

memory/2244-133-0x00007FF7C7550000-0x00007FF7C78A1000-memory.dmp

memory/2280-131-0x00007FF73BEF0000-0x00007FF73C241000-memory.dmp

memory/2904-136-0x00007FF708C70000-0x00007FF708FC1000-memory.dmp

memory/3000-145-0x00007FF78FA00000-0x00007FF78FD51000-memory.dmp

memory/3132-144-0x00007FF79F990000-0x00007FF79FCE1000-memory.dmp

memory/3000-128-0x00007FF78FA00000-0x00007FF78FD51000-memory.dmp

memory/1160-146-0x00007FF644730000-0x00007FF644A81000-memory.dmp

memory/1716-149-0x00007FF6D1630000-0x00007FF6D1981000-memory.dmp

memory/908-148-0x00007FF7A30B0000-0x00007FF7A3401000-memory.dmp

memory/4392-147-0x00007FF744CB0000-0x00007FF745001000-memory.dmp

memory/4008-150-0x00007FF78FC70000-0x00007FF78FFC1000-memory.dmp

memory/3000-151-0x00007FF78FA00000-0x00007FF78FD51000-memory.dmp

memory/3512-207-0x00007FF681720000-0x00007FF681A71000-memory.dmp

memory/1956-209-0x00007FF73DBD0000-0x00007FF73DF21000-memory.dmp

memory/2280-211-0x00007FF73BEF0000-0x00007FF73C241000-memory.dmp

memory/3696-213-0x00007FF6FE2B0000-0x00007FF6FE601000-memory.dmp

memory/2744-215-0x00007FF7F6E50000-0x00007FF7F71A1000-memory.dmp

memory/2244-217-0x00007FF7C7550000-0x00007FF7C78A1000-memory.dmp

memory/2904-220-0x00007FF708C70000-0x00007FF708FC1000-memory.dmp

memory/2960-221-0x00007FF67B940000-0x00007FF67BC91000-memory.dmp

memory/2968-224-0x00007FF737340000-0x00007FF737691000-memory.dmp

memory/4816-229-0x00007FF77DDF0000-0x00007FF77E141000-memory.dmp

memory/5008-228-0x00007FF696F60000-0x00007FF6972B1000-memory.dmp

memory/1524-226-0x00007FF6EFBA0000-0x00007FF6EFEF1000-memory.dmp

memory/3308-231-0x00007FF6FF690000-0x00007FF6FF9E1000-memory.dmp

memory/1752-233-0x00007FF68D3F0000-0x00007FF68D741000-memory.dmp

memory/1936-235-0x00007FF7A02E0000-0x00007FF7A0631000-memory.dmp

memory/3132-238-0x00007FF79F990000-0x00007FF79FCE1000-memory.dmp

memory/4392-240-0x00007FF744CB0000-0x00007FF745001000-memory.dmp

memory/1160-242-0x00007FF644730000-0x00007FF644A81000-memory.dmp

memory/1716-244-0x00007FF6D1630000-0x00007FF6D1981000-memory.dmp

memory/4008-246-0x00007FF78FC70000-0x00007FF78FFC1000-memory.dmp

memory/908-248-0x00007FF7A30B0000-0x00007FF7A3401000-memory.dmp
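Added example, not from the report: a parser for the Files sections of both behavioral runs above, which share one layout (a memory/PID-INDEX-START-END-memory.dmp line, or a dropped-file path followed by MD5, SHA1, SHA256 and SHA512 lines). The input is an excerpt copied from those sections, not the whole list. The parser validates digest lengths, sizes every dumped region and checks whether any two dropped files share a digest, which is what makes the two patterns on this page visible: apart from the single 0x10000 region of PID 3000, every dumped image region is 0x351000 bytes, while each dropped copy carries a different set of hashes.

```python
import re
from collections import Counter, defaultdict

# Excerpt copied from the Files sections of behavioral1 and behavioral2 above.
FILES_EXCERPT = r"""
memory/3000-0-0x00007FF78FA00000-0x00007FF78FD51000-memory.dmp

memory/3000-1-0x0000023D8C5B0000-0x0000023D8C5C0000-memory.dmp

C:\Windows\System\AikdlhE.exe

MD5 92d8543a2a161f9e64a530651574e360
SHA1 6af2aa86d9a030124e80de1cbbe81407f5db3959
SHA256 2b267b8d5a5e3ccf57e95df0fd2276574f382d6211dfdd0a24d8279d9ba6df03
SHA512 836f699ed640acc3f023005edd4b151a412bb1c56014a56a784967e3830448f6681fc184fbb01e50fd5badbe8df2ba953c27fa2ea75a7881e6e7c58642f8f093

C:\Windows\System\ZxJLmWR.exe

MD5 f4f7779e228832904bd42253e320b6f6
SHA1 a99c76f75a2ba3cfd6c9b78800de5e4c34758174
SHA256 b04cd53afdf3c95b92f64c90f9ccd660e090bf1ca72abb38e2be2e68055f2a6d
SHA512 ba50d255677a937a848ccc2e75a019e6562631b94666ed99b2773de624f9085aa8ba3d1bf73792c3dd8ac229ac1574160482d2286a4149b881c12343c9832b2e

memory/2744-37-0x00007FF7F6E50000-0x00007FF7F71A1000-memory.dmp

C:\Windows\system\BdtDDuz.exe

MD5 ce682b7f2520737f4d546386290c1577
SHA1 ff47ce89681815f734dc8c4779ff67d7e949e76b
SHA256 93a717b0e4655547b67a9a458c3b04a1275a390c85ac3c3362f3709111fd5fa6
SHA512 95611519a00d7500b4008e1c0a0b6c12d630477c6ec5ab7a4847cee22d6a87b52c33d6ad4a31e7622fd83d887af6764f1de58b6d156eb808dd1dc116c4af3886

memory/2688-95-0x000000013F9A0000-0x000000013FCF1000-memory.dmp
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Return ({path: {algo: digest}}, [region dicts]); raises on a malformed digest."""
    files, regions, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            regions.append({"pid": int(pid), "index": int(idx),
                            "start": int(start, 16), "end": int(end, 16)})
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"digest line without a preceding path: {line}")
            algo, digest = m.groups()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{current}: {algo} has {len(digest)} hex chars, expected {HEX_LEN[algo]}")
            files[current][algo] = digest
            continue
        current = line                 # any other non-empty line is a dropped-file path
        files.setdefault(current, {})
    return files, regions


def region_sizes(regions):
    """Histogram of region sizes; copies of one PE image map to one size."""
    return Counter(r["end"] - r["start"] for r in regions)


def shared_digests(files, algo="SHA256"):
    """Paths that share a digest under `algo` (empty when every copy is unique)."""
    by_digest = defaultdict(list)
    for path, digests in files.items():
        if algo in digests:
            by_digest[digests[algo]].append(path)
    return {d: paths for d, paths in by_digest.items() if len(paths) > 1}


def incomplete(files):
    """Paths missing any of the four digests the report normally carries."""
    return sorted(p for p, d in files.items() if set(d) != set(HEX_LEN))


if __name__ == "__main__":
    files, regions = parse_files_section(FILES_EXCERPT)
    print(len(files), "dropped files,", len(regions), "memory regions")
    print({hex(size): n for size, n in region_sizes(regions).items()})
    print("shared:", shared_digests(files), "incomplete:", incomplete(files))
```

Run over the full sections the same way, the size histogram is the quick check that all the dropped executables are the same image, and the empty shared-digest result is the reason a hash blocklist built from one run will not catch the next run's copies: block on the drop location and behaviour, and keep the hashes as retrospective IOCs.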