Malware Analysis Report

2025-03-15 08:02

Sample ID 240814-z5ewpazdrj
Target 2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat
SHA256 0f6de8be043a6917c54b10570817dc04902e02d0d3694de38a69bfe7f8e548f9
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

xmrig

Cobaltstrike

Cobaltstrike family

XMRig Miner payload

Xmrig family

Cobalt Strike reflective loader

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-14 21:17

Signatures

Cobalt Strike reflective loader


Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 21:17

Reported

2024-08-14 21:20

Platform

win7-20240729-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\JZoGjrN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DXwsfxg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GpicYJJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WRtERxP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xHeYnVK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ccNLUhQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\foQYYIX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pWVmEfU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dmwNWvt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iJBqjeU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WSmkDkl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uuUwAoE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VzMBbOQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WmFDjXW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\taPRxzr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tQsXpDy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IkqHhVT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RMzpOOb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ESRJNLd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UPcIBFX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xxpkweu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2264 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WmFDjXW.exe
PID 2264 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JZoGjrN.exe
PID 2264 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\taPRxzr.exe
PID 2264 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pWVmEfU.exe
PID 2264 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ESRJNLd.exe
PID 2264 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UPcIBFX.exe
PID 2264 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dmwNWvt.exe
PID 2264 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iJBqjeU.exe
PID 2264 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xxpkweu.exe
PID 2264 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DXwsfxg.exe
PID 2264 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IkqHhVT.exe
PID 2264 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WRtERxP.exe
PID 2264 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xHeYnVK.exe
PID 2264 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ccNLUhQ.exe
PID 2264 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tQsXpDy.exe
PID 2264 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\foQYYIX.exe
PID 2264 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RMzpOOb.exe
PID 2264 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WSmkDkl.exe
PID 2264 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uuUwAoE.exe
PID 2264 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GpicYJJ.exe
PID 2264 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VzMBbOQ.exe

Processes

Process Command Line
C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe "C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\WmFDjXW.exe C:\Windows\System\WmFDjXW.exe
C:\Windows\System\JZoGjrN.exe C:\Windows\System\JZoGjrN.exe
C:\Windows\System\taPRxzr.exe C:\Windows\System\taPRxzr.exe
C:\Windows\System\pWVmEfU.exe C:\Windows\System\pWVmEfU.exe
C:\Windows\System\ESRJNLd.exe C:\Windows\System\ESRJNLd.exe
C:\Windows\System\UPcIBFX.exe C:\Windows\System\UPcIBFX.exe
C:\Windows\System\dmwNWvt.exe C:\Windows\System\dmwNWvt.exe
C:\Windows\System\iJBqjeU.exe C:\Windows\System\iJBqjeU.exe
C:\Windows\System\xxpkweu.exe C:\Windows\System\xxpkweu.exe
C:\Windows\System\DXwsfxg.exe C:\Windows\System\DXwsfxg.exe
C:\Windows\System\IkqHhVT.exe C:\Windows\System\IkqHhVT.exe
C:\Windows\System\WRtERxP.exe C:\Windows\System\WRtERxP.exe
C:\Windows\System\xHeYnVK.exe C:\Windows\System\xHeYnVK.exe
C:\Windows\System\ccNLUhQ.exe C:\Windows\System\ccNLUhQ.exe
C:\Windows\System\tQsXpDy.exe C:\Windows\System\tQsXpDy.exe
C:\Windows\System\foQYYIX.exe C:\Windows\System\foQYYIX.exe
C:\Windows\System\RMzpOOb.exe C:\Windows\System\RMzpOOb.exe
C:\Windows\System\WSmkDkl.exe C:\Windows\System\WSmkDkl.exe
C:\Windows\System\uuUwAoE.exe C:\Windows\System\uuUwAoE.exe
C:\Windows\System\GpicYJJ.exe C:\Windows\System\GpicYJJ.exe
C:\Windows\System\VzMBbOQ.exe C:\Windows\System\VzMBbOQ.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp


memory/2732-214-0x000000013F970000-0x000000013FCC1000-memory.dmp

memory/2724-216-0x000000013FCA0000-0x000000013FFF1000-memory.dmp

memory/2884-218-0x000000013F9E0000-0x000000013FD31000-memory.dmp

memory/2756-220-0x000000013FEA0000-0x00000001401F1000-memory.dmp

memory/2636-222-0x000000013F0D0000-0x000000013F421000-memory.dmp

memory/2824-224-0x000000013F1D0000-0x000000013F521000-memory.dmp

memory/2400-226-0x000000013F390000-0x000000013F6E1000-memory.dmp

memory/3028-228-0x000000013FD20000-0x0000000140071000-memory.dmp

memory/2804-242-0x000000013F910000-0x000000013FC61000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 21:17

Reported

2024-08-14 21:20

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\TORkLJq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XWzxZPF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WhGwPnk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nPtyOku.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zihzlEw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eEWYUQO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WjpmFfy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kwdMlSa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZXhiCpP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VZYFMFO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hsUYbZh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fbUIqHV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cRqwOKv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BZvuogp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DQCjHaw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iNFYkjH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VIiGlaC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XGNBgCJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EqTqaMf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oLFcfrZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UBOEikY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2716 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZXhiCpP.exe
PID 2716 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZXhiCpP.exe
PID 2716 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VIiGlaC.exe
PID 2716 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VIiGlaC.exe
PID 2716 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cRqwOKv.exe
PID 2716 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cRqwOKv.exe
PID 2716 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XWzxZPF.exe
PID 2716 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XWzxZPF.exe
PID 2716 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UBOEikY.exe
PID 2716 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UBOEikY.exe
PID 2716 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WhGwPnk.exe
PID 2716 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WhGwPnk.exe
PID 2716 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nPtyOku.exe
PID 2716 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nPtyOku.exe
PID 2716 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BZvuogp.exe
PID 2716 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BZvuogp.exe
PID 2716 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zihzlEw.exe
PID 2716 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zihzlEw.exe
PID 2716 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XGNBgCJ.exe
PID 2716 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XGNBgCJ.exe
PID 2716 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eEWYUQO.exe
PID 2716 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eEWYUQO.exe
PID 2716 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WjpmFfy.exe
PID 2716 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WjpmFfy.exe
PID 2716 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DQCjHaw.exe
PID 2716 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DQCjHaw.exe
PID 2716 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EqTqaMf.exe
PID 2716 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EqTqaMf.exe
PID 2716 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kwdMlSa.exe
PID 2716 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kwdMlSa.exe
PID 2716 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oLFcfrZ.exe
PID 2716 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oLFcfrZ.exe
PID 2716 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iNFYkjH.exe
PID 2716 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iNFYkjH.exe
PID 2716 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TORkLJq.exe
PID 2716 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TORkLJq.exe
PID 2716 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fbUIqHV.exe
PID 2716 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fbUIqHV.exe
PID 2716 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VZYFMFO.exe
PID 2716 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VZYFMFO.exe
PID 2716 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hsUYbZh.exe
PID 2716 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hsUYbZh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\ZXhiCpP.exe

C:\Windows\System\ZXhiCpP.exe

C:\Windows\System\VIiGlaC.exe

C:\Windows\System\VIiGlaC.exe

C:\Windows\System\cRqwOKv.exe

C:\Windows\System\cRqwOKv.exe

C:\Windows\System\XWzxZPF.exe

C:\Windows\System\XWzxZPF.exe

C:\Windows\System\UBOEikY.exe

C:\Windows\System\UBOEikY.exe

C:\Windows\System\WhGwPnk.exe

C:\Windows\System\WhGwPnk.exe

C:\Windows\System\nPtyOku.exe

C:\Windows\System\nPtyOku.exe

C:\Windows\System\BZvuogp.exe

C:\Windows\System\BZvuogp.exe

C:\Windows\System\zihzlEw.exe

C:\Windows\System\zihzlEw.exe

C:\Windows\System\XGNBgCJ.exe

C:\Windows\System\XGNBgCJ.exe

C:\Windows\System\eEWYUQO.exe

C:\Windows\System\eEWYUQO.exe

C:\Windows\System\WjpmFfy.exe

C:\Windows\System\WjpmFfy.exe

C:\Windows\System\DQCjHaw.exe

C:\Windows\System\DQCjHaw.exe

C:\Windows\System\EqTqaMf.exe

C:\Windows\System\EqTqaMf.exe

C:\Windows\System\kwdMlSa.exe

C:\Windows\System\kwdMlSa.exe

C:\Windows\System\oLFcfrZ.exe

C:\Windows\System\oLFcfrZ.exe

C:\Windows\System\iNFYkjH.exe

C:\Windows\System\iNFYkjH.exe

C:\Windows\System\TORkLJq.exe

C:\Windows\System\TORkLJq.exe

C:\Windows\System\fbUIqHV.exe

C:\Windows\System\fbUIqHV.exe

C:\Windows\System\VZYFMFO.exe

C:\Windows\System\VZYFMFO.exe

C:\Windows\System\hsUYbZh.exe

C:\Windows\System\hsUYbZh.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2716-0-0x00007FF7CB310000-0x00007FF7CB661000-memory.dmp

memory/2716-1-0x0000023E69780000-0x0000023E69790000-memory.dmp

C:\Windows\System\ZXhiCpP.exe

MD5 042bfa12392a9b3172c6eb7676a6524c
SHA1 ccebe52cd3569b08948c9a9b0c05e6ab2ad52dc0
SHA256 473da72da83367923d0b9914f4116520d16290eaef2139b830d568e48ca21612
SHA512 0aa48a4f211a601febcfe460a15cad199befe81f05d9e6a269985980b8de64f6b2bcd940e4ed936b96578d4af5d2e429c6e0a6334adaeac23db1571723fb0b76

C:\Windows\System\XWzxZPF.exe

MD5 b3a1311b2d026a9988c8d383884babac
SHA1 0f8ad4c4d32a7c887a25771f756da9c86145fea0
SHA256 60b05058d9e9704a36269762fdefc2e0301efd7650b5023da330d2a0acc99036
SHA512 779769cd27c6b54d0e6d9733a79fda18de1483d32230e878fbad2d0f2402f1bc53742def2fb9d9791954c69defce85d992c8dad42e6b85e2960e6dfd43cd8315

C:\Windows\System\cRqwOKv.exe

MD5 c5dc0b89b932b6bfdb368f7ace7041f4
SHA1 6639a54da8451fdb827ab278e13ec92dbc665a1e
SHA256 c09b69a85647cb35a6419d934b03cf76fdcfabe441ed016c297a79786bd91d3a
SHA512 17279a702fb7b2641c79bebc4637211f0d1fbda95c05f36a622454897491b5bc64c8bcad63d252ee4a1277600bd432d2af44dda18f4ea5dc5dc805b0b1d84ea8

C:\Windows\System\VIiGlaC.exe

MD5 3ba83b26052061c242528266363943bd
SHA1 62793415b389f03521974037c38805144bc5e773
SHA256 eb4143279f8215cf57ac0f4ba6987046b2bb5d4d4e57005cc5df578ecd9751d1
SHA512 3799c0b690a8af4200492b13a827507e02e78f9aa93863cb1e19291a95824745b3526deab1f5c6fddb41691cc6318bcf4e754313c3e7ddaedbee048d71870f58

memory/632-14-0x00007FF621570000-0x00007FF6218C1000-memory.dmp

C:\Windows\System\WhGwPnk.exe

MD5 208196b210c11667ca08a6608612d6fe
SHA1 912c3ef7dfab6d701226dfe03e35142c36f78854
SHA256 0680e02263a565b4f40061e4f8284c2e1b67bb3309d50bc8f665a4c53ba7e7cc
SHA512 a07f18219f45e22d4343f76f10a76b3d1294d51535e355d35de8792751706e1cd660525f8564a0d5d007fed91c848aadc5fdecfc3e483292f19cc19d69a6a867

C:\Windows\System\BZvuogp.exe

MD5 4c527477bf319bc89104f687fa6b3bd4
SHA1 6685ec616a8d9e6cb3e5edbefeaec00b21a8a3e4
SHA256 46a42010d6c4f70f1cb40cdf5d401348d27e452dabf4ea855e0fade613b60a8c
SHA512 bf8f9e321787db9c03ee7632d631d11b4a0965ef6dc2610f9329f17304327cb9e437c9c88d2fe74c562ea31a1f01b0d33482b86709b1a23d4d229117a11c751e

memory/2072-52-0x00007FF6DA000000-0x00007FF6DA351000-memory.dmp

C:\Windows\System\XGNBgCJ.exe

MD5 91462f5cdca58729398f7a8696e51ddb
SHA1 3927bd1780eea79069fad0317989f9bf88173ee2
SHA256 4dc710672fae5b5e06c6e7edd6aeac6200512c957329dae0a8e539f40162e87b
SHA512 682f2e10194b216b6dbc5df03daff9007fb18800cc88428bfed70d095c4680be17a3c061c6701cb1e514fbc43c461e823d0958d5d30cdc6e13279484e4f479d2

C:\Windows\System\eEWYUQO.exe

MD5 e1dfd5d6d39ea443fb451f7661e3e9aa
SHA1 b8d32fa3062156b6fb42f0fdf797d0c70c8577e4
SHA256 bb5abab78ac002c583d3ee76bd412cad82145fc8fae307879bac6ae244131097
SHA512 6fe6953d98af2e5c07671d2222c1e0a217e81d879545d3242911e2ea4fabd1950a260028f26177971c3a75aa226a247d897346f68b8293e4dcd4adec634f4dee

memory/1884-66-0x00007FF7C8510000-0x00007FF7C8861000-memory.dmp

memory/1908-63-0x00007FF7D6FC0000-0x00007FF7D7311000-memory.dmp

memory/3912-59-0x00007FF607AB0000-0x00007FF607E01000-memory.dmp

memory/4728-51-0x00007FF73FA70000-0x00007FF73FDC1000-memory.dmp

C:\Windows\System\zihzlEw.exe

MD5 4da2b0a5675c6a76591accec32363c46
SHA1 7c072b476b0ac2b2e7f2e588c9eb5bb8be3de513
SHA256 55c717c1ee400481ceeb5c4f88abf986f71a7b476049bb19104baa9d520ec791
SHA512 7392ea1da9a70e013315937f1aa83c1d42af8a861f85d90da4f7eca745607036d810c0e33279394ed3b908808161e0c43b35e543f898d412f73e51ef1045bf88

C:\Windows\System\UBOEikY.exe

MD5 eb5d3066783f9577914449fcfbb06d9c
SHA1 84f57d3acb889c7fa9fed5b4f35ed2330a9cead5
SHA256 c00f25a961d71372e5a0272566d794742cef449855191e82f283445bcd4d7e38
SHA512 f9ddb7c88e6030006fd64d0b1fbdf24d2365b7d3fed2c430a1bf5496228f967a74dd60b71235d21a34d147128ea8252922c980fe2f710bc054d2ce620491d23b

C:\Windows\System\nPtyOku.exe

MD5 33afb174aa583cbb72bf9339093c4048
SHA1 9bef3995de00b1f77b2b706680a5763254b3cffb
SHA256 a922e8609c2b44a16c53f3298e01990beab49f3d8e384e929b3fc639a0194a95
SHA512 39071c4ef8fe8a4de5e1ac12ebea924a7aac072d01be4b37943274049e740d6dfeae062cd9701bce521d2343764759996a33662334eb2db46aa2f7c6a5736128

memory/4596-39-0x00007FF63DC00000-0x00007FF63DF51000-memory.dmp

memory/2568-34-0x00007FF7D3000000-0x00007FF7D3351000-memory.dmp

memory/2856-33-0x00007FF6C5D00000-0x00007FF6C6051000-memory.dmp

memory/2656-26-0x00007FF6BEF50000-0x00007FF6BF2A1000-memory.dmp

memory/3692-25-0x00007FF6D13B0000-0x00007FF6D1701000-memory.dmp

C:\Windows\System\WjpmFfy.exe

MD5 48fb63eadd62445a13508161368f0ca4
SHA1 52f3a34368574c9d220988040bb034cd06f73815
SHA256 749d59654b8925696e5d7ea146cfc72aa9f8245a21eba21e0bbe062f536bceb3
SHA512 377cda7440e7cf8b0e56bb4bdfec869a77984f535f24d79ad9889ad0bdeaa9720ce749267d8e62ba3ef320643687a11c8067082387d608908f75ade0e2e08ff9

memory/3624-74-0x00007FF6EFA80000-0x00007FF6EFDD1000-memory.dmp

C:\Windows\System\DQCjHaw.exe

MD5 e995c9f11d1e3bcaa80d7369c5fcb323
SHA1 7a26eb5921ec06faf0b7b80b652ae78f2cbb08ec
SHA256 b1581254b13949a888f31d3db13e8bd813ff02bd4ae76675104e7e7a66fda29d
SHA512 1d7dced79e5dfc226ce38229962c651a680b5cef4a7201a9919d0ab54dbfc67e56e22a7b0e51fbc39b98f40f9c3eac97527adad89775ff1989192f609cb43290

C:\Windows\System\EqTqaMf.exe

MD5 906e67c051a83a42b12ca6ca03f52a82
SHA1 687169b65f5b9f10cdb1800a10faf60b266760c2
SHA256 2ce95b423e71ee96174432fd03b9c050edf1b6cca002899a9660b43c1fbb21e4
SHA512 14387ee3f121b56bccb4916ab6cbb01b6a162f28b405568bded39f5da810ab5f2379193e671037d0cdb080494766a21d4b991047fa6d3616e5f4cc4f4799d39e

C:\Windows\System\kwdMlSa.exe

MD5 33f1fc723dda1ff857a9276b460b9d4c
SHA1 e008d1ab515ef7b139ece723afd4d1d05724d0d0
SHA256 472b783d851a8ed7cbb75df6b663d5f5e72db00f4f9345bd7d7b56517e4b059a
SHA512 2dbc7cbe520ed3ae51b8221cf9a28b3d62805711cf01b35dbda8a48ecc09ebcefb50ff74511ee57852abe748d3987c98185d98d239e976da08594f523ef3b30f

C:\Windows\System\oLFcfrZ.exe

MD5 fad115af8f2eb97e4c1072fb5e688add
SHA1 bac15faaed299769e655253c78da87b8233b602b
SHA256 808879bd356ce9764f4f3534f3915ee78c0fbc90ec53a821ff2cfb6d5c468680
SHA512 af9529dd44450e2d5444eba438558a0085a0ac4aca3bfbb15c9f5ba66b7ec3b59485f8df688fb371d26dfb1cfbe0e1c5873fb24728746d3f5ca7dcdefa866648

C:\Windows\System\iNFYkjH.exe

MD5 7d8e9cf88f1f546706ae4a0eb015c447
SHA1 518c11caaa36523208dad129a45545ba3862293e
SHA256 6abbe1dfec7e9c4ee4f0e1f841f5e3fb849d2b9188c5f06986100d74969af49d
SHA512 32a3270f4b8fbd6f9eb75cd5c593aeb4657027f25ab859a723677980d53a20cf4c36bb56c96f754312980435f62e6c5252b78cc9832566aa2bbffc1e8c79add8

C:\Windows\System\fbUIqHV.exe

MD5 da0f4ab5c56abc9fddcb91da366a3d8e
SHA1 253f61a5fcf71e99b23ee928ddbc8b3b4b62a713
SHA256 b28413e8d5e9c31b07d9251526ada307547d673e3f8c14f75346543cee58219a
SHA512 8412782fc5b4298b349a2f35aed1155200e7b136aafe88020ecf0318fc7e1df142b45f3fe5882fa3388739f93b9fd0e7ddbc013f1c8f6dc1767509ab2666e1a6

C:\Windows\System\TORkLJq.exe

MD5 1c064bb59121d75fcae75c59bddd5743
SHA1 5620c719216b0b5aa1b7e427c4fc53fd9d1f609f
SHA256 fa09a8f80cfca351ff76d28c2c780dc568691c0006c6dcd46e32561a4fd33181
SHA512 5c70b4ff7049d78c6e9bceeaf0da11e03438afa1d8a78565a09a094730c6749fd943411328637e5e4ab314b2b9bbd1b41969d94d85bdab5180c6d455da7f7983

C:\Windows\System\VZYFMFO.exe

MD5 7be6034d75d7b9380c12ba76466aa3dd
SHA1 ecdf32913e89342da5e7334ba4b94353df646ffe
SHA256 1c89ef45febb2e48ab70c222066cad3b177b30e37b7feaabc925559ed9c41ebb
SHA512 ad1fea4c3f3ad79914da3bd8c9adbc60a40a37a1ace8fe2bacab18acbc8b87de867f6d826ca47359d5e372916750ff2c2ce8fcf272a4a809d200020fc932a224

memory/4728-130-0x00007FF73FA70000-0x00007FF73FDC1000-memory.dmp

C:\Windows\System\hsUYbZh.exe

MD5 3c522bf0848f2222a21af2153263533d
SHA1 b7a682c799f2cc5bf951a170656b7c2587df1d62
SHA256 efdde5d41be9cde81d27ec750bc7cfda8cf3b6ab5bfbe5b782be6a95b1bb1ae8
SHA512 52be7155d31750ef787c186d334cb50354961043bb390257b843000868fa67f10728ef434034a995eadca31bb8e31a0b0cd3c4910e3af7badcf4e9b43c124a0b

memory/4596-129-0x00007FF63DC00000-0x00007FF63DF51000-memory.dmp

memory/1424-128-0x00007FF6B8F90000-0x00007FF6B92E1000-memory.dmp

memory/4980-124-0x00007FF6957D0000-0x00007FF695B21000-memory.dmp

memory/3188-123-0x00007FF67A5D0000-0x00007FF67A921000-memory.dmp

memory/3692-117-0x00007FF6D13B0000-0x00007FF6D1701000-memory.dmp

memory/1240-115-0x00007FF7DA470000-0x00007FF7DA7C1000-memory.dmp

memory/432-114-0x00007FF688370000-0x00007FF6886C1000-memory.dmp

memory/2568-109-0x00007FF7D3000000-0x00007FF7D3351000-memory.dmp

memory/1136-107-0x00007FF6DDF60000-0x00007FF6DE2B1000-memory.dmp

memory/1272-100-0x00007FF7D4560000-0x00007FF7D48B1000-memory.dmp

memory/4332-88-0x00007FF68E4D0000-0x00007FF68E821000-memory.dmp

memory/2716-92-0x00007FF7CB310000-0x00007FF7CB661000-memory.dmp

memory/4436-84-0x00007FF70D7E0000-0x00007FF70DB31000-memory.dmp

memory/2716-133-0x00007FF7CB310000-0x00007FF7CB661000-memory.dmp

memory/3912-141-0x00007FF607AB0000-0x00007FF607E01000-memory.dmp

memory/1884-144-0x00007FF7C8510000-0x00007FF7C8861000-memory.dmp

memory/1908-143-0x00007FF7D6FC0000-0x00007FF7D7311000-memory.dmp

memory/3188-150-0x00007FF67A5D0000-0x00007FF67A921000-memory.dmp

memory/4980-153-0x00007FF6957D0000-0x00007FF695B21000-memory.dmp

memory/1424-154-0x00007FF6B8F90000-0x00007FF6B92E1000-memory.dmp

memory/1240-152-0x00007FF7DA470000-0x00007FF7DA7C1000-memory.dmp

memory/432-151-0x00007FF688370000-0x00007FF6886C1000-memory.dmp

memory/1136-149-0x00007FF6DDF60000-0x00007FF6DE2B1000-memory.dmp

memory/4332-147-0x00007FF68E4D0000-0x00007FF68E821000-memory.dmp

memory/2716-155-0x00007FF7CB310000-0x00007FF7CB661000-memory.dmp

memory/632-213-0x00007FF621570000-0x00007FF6218C1000-memory.dmp

memory/2856-215-0x00007FF6C5D00000-0x00007FF6C6051000-memory.dmp

memory/2656-217-0x00007FF6BEF50000-0x00007FF6BF2A1000-memory.dmp

memory/3692-219-0x00007FF6D13B0000-0x00007FF6D1701000-memory.dmp

memory/2568-223-0x00007FF7D3000000-0x00007FF7D3351000-memory.dmp

memory/4728-222-0x00007FF73FA70000-0x00007FF73FDC1000-memory.dmp

memory/4596-225-0x00007FF63DC00000-0x00007FF63DF51000-memory.dmp

memory/2072-227-0x00007FF6DA000000-0x00007FF6DA351000-memory.dmp

memory/1908-230-0x00007FF7D6FC0000-0x00007FF7D7311000-memory.dmp

memory/1884-233-0x00007FF7C8510000-0x00007FF7C8861000-memory.dmp

memory/3912-232-0x00007FF607AB0000-0x00007FF607E01000-memory.dmp

memory/3624-244-0x00007FF6EFA80000-0x00007FF6EFDD1000-memory.dmp

memory/4436-246-0x00007FF70D7E0000-0x00007FF70DB31000-memory.dmp

memory/4332-248-0x00007FF68E4D0000-0x00007FF68E821000-memory.dmp

memory/1272-250-0x00007FF7D4560000-0x00007FF7D48B1000-memory.dmp

memory/1136-252-0x00007FF6DDF60000-0x00007FF6DE2B1000-memory.dmp

memory/1240-255-0x00007FF7DA470000-0x00007FF7DA7C1000-memory.dmp

memory/432-256-0x00007FF688370000-0x00007FF6886C1000-memory.dmp

memory/4980-261-0x00007FF6957D0000-0x00007FF695B21000-memory.dmp

memory/3188-259-0x00007FF67A5D0000-0x00007FF67A921000-memory.dmp

memory/1424-262-0x00007FF6B8F90000-0x00007FF6B92E1000-memory.dmp