Malware Analysis Report

2025-03-15 08:08

Sample ID 240815-m2d4rsygpf
Target 2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat
SHA256 3069a6de07f662a26e2a3437fe52217c9a15adf04fe874cdb1400e2e02c424ff
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

3069a6de07f662a26e2a3437fe52217c9a15adf04fe874cdb1400e2e02c424ff

Threat Level: Known bad

The file 2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Cobaltstrike family

Cobalt Strike reflective loader

xmrig

Cobaltstrike

Xmrig family

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-15 10:57

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 10:57

Reported

2024-08-15 10:59

Platform

win7-20240708-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\GNWoxZM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NTFQvqn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kVqmrvf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\luUhgUo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xTtLUpE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BQGGxZH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lalFDbM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oFcZBQt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PCFwlqB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DOGMxcY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eNkVRQT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RMmUTHB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ftrIOYl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nkWNVSp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WVmKyaj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NzajhiM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XJSGSzR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IiWgeOT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hEquLZM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hWDiwbW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MAzkfgj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lalFDbM.exe
PID 2128 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oFcZBQt.exe
PID 2128 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PCFwlqB.exe
PID 2128 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DOGMxcY.exe
PID 2128 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eNkVRQT.exe
PID 2128 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XJSGSzR.exe
PID 2128 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IiWgeOT.exe
PID 2128 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GNWoxZM.exe
PID 2128 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NTFQvqn.exe
PID 2128 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RMmUTHB.exe
PID 2128 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NzajhiM.exe
PID 2128 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ftrIOYl.exe
PID 2128 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nkWNVSp.exe
PID 2128 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kVqmrvf.exe
PID 2128 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hEquLZM.exe
PID 2128 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hWDiwbW.exe
PID 2128 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\luUhgUo.exe
PID 2128 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MAzkfgj.exe
PID 2128 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WVmKyaj.exe
PID 2128 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xTtLUpE.exe
PID 2128 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BQGGxZH.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\lalFDbM.exe

C:\Windows\System\oFcZBQt.exe

C:\Windows\System\PCFwlqB.exe

C:\Windows\System\DOGMxcY.exe

C:\Windows\System\eNkVRQT.exe

C:\Windows\System\XJSGSzR.exe

C:\Windows\System\IiWgeOT.exe

C:\Windows\System\GNWoxZM.exe

C:\Windows\System\NTFQvqn.exe

C:\Windows\System\RMmUTHB.exe

C:\Windows\System\NzajhiM.exe

C:\Windows\System\ftrIOYl.exe

C:\Windows\System\nkWNVSp.exe

C:\Windows\System\kVqmrvf.exe

C:\Windows\System\hEquLZM.exe

C:\Windows\System\hWDiwbW.exe

C:\Windows\System\luUhgUo.exe

C:\Windows\System\MAzkfgj.exe

C:\Windows\System\WVmKyaj.exe

C:\Windows\System\xTtLUpE.exe

C:\Windows\System\BQGGxZH.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/2128-0-0x000000013FB70000-0x000000013FEC1000-memory.dmp

memory/2128-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\lalFDbM.exe

MD5 0ac85c9015b1831333f8930d6d67fc41
SHA1 dff016e438b375e20530996da1360bd65a23a73d
SHA256 8889db95d72b510b30d7328c8a4a1e07b4fe5f5ed4b476d30cb5ca173c1b5ffa
SHA512 94d1897725c5c42611f30d977e7da459c95b85b93d3bdc9184e824b7de2c06a4703696a3e09af95ac72282d25fd78cacf916b1cdde9e32f934f6ccf6e4be8387

\Windows\system\oFcZBQt.exe

MD5 f6a94a01a488861950f04ef1220f06b2
SHA1 f7272c2f0b126d0b85b5237cac21ff2097634bfb
SHA256 ba772f78b5a685edd8efc278fb938f1debdd99b597ebc0148b86a8e8ced8ae1f
SHA512 2bf79aa34a810443ddfed69d3b74c245bd54243567bb6a109bcdd6e725575b4af8b836a0e50413cd20de526550441583678c8830976d4fd89c2419856b0c044b

C:\Windows\system\PCFwlqB.exe

MD5 6f54b2134b03341738b3685814e068c6
SHA1 0e7d17465f311f015859102718ef471cbbf990ed
SHA256 7ac1ba00e86575717cba56a3cd960c6c21faa1de6c59b880da92bd6c0a54ae51
SHA512 ddc3fb59cb9cc7aadb8afaae028d90da64abe4dbca3f68e351e554b0939b7191afc9c7ae36be270f0962263f9c194aff35152133054504438dbbddeafc66c8d9

memory/1884-23-0x000000013FEE0000-0x0000000140231000-memory.dmp

memory/2564-21-0x000000013FF70000-0x00000001402C1000-memory.dmp

\Windows\system\DOGMxcY.exe

MD5 05f640d12184bb697ebaf94e89b764f6
SHA1 cbb83dbc96a29ad894da44e37829da18726fe01b
SHA256 7f6a775c05dcb780e917ff82a9ec3bf24e359b559779df40f47ff6499688b613
SHA512 3636b84d396b639080ea5062dae154b68839d3f1a1e004e30c04a5bb2248efeceb7546ba5639f101469ef4759720c4b8228280bc8a5873bf1f0a708a7918c506

memory/2128-19-0x0000000002380000-0x00000000026D1000-memory.dmp

memory/2128-18-0x000000013FEE0000-0x0000000140231000-memory.dmp

memory/2920-17-0x000000013FD00000-0x0000000140051000-memory.dmp

memory/2128-10-0x000000013FF70000-0x00000001402C1000-memory.dmp

\Windows\system\IiWgeOT.exe

MD5 cb3d73e51741d20dc433ffdc352e1000
SHA1 b93f9b99c6bf6f17f9dfe2f5b95cb869616b17eb
SHA256 6edd77e5b9a620d85fe5d5ffff42a258a356cb5563aef1528befca7338937d65
SHA512 08ba5c3d4e148e4a918f250307feb353c90faab4269c4e7048166a7710ea98f9c5ddc75c40838c36e2627b5ec3f92f3fa6fd7e496b3ccb0aacabbd918abb1636

C:\Windows\system\eNkVRQT.exe

MD5 b42f0a88c667d8b651ec5c67a6f2bf07
SHA1 6f522f45028962a08c6a47294cdf166f11c8edac
SHA256 0d386790e223d3991bbcb11fc1f448508114b76f2647fa5fba9bdb6f01b2f403
SHA512 9bba980a2f281665bf6a74a00f1cc2cd9b17ad7abac99901ba2031642e236286b378376fda2b3e1eacf61532d8d0e2f8d103133a6cce5e6473715d93555b0ea8

memory/2148-62-0x000000013FE50000-0x00000001401A1000-memory.dmp

C:\Windows\system\RMmUTHB.exe

MD5 25a43eb12896344414671eca28c45ff7
SHA1 c03d7992bee69ed01a101a4b7bb93beecdd83014
SHA256 15e5151d9b44a486311578e67f529ab65a8a89a55b87db0962add27cc8c0d6e0
SHA512 48d33c7d7951e6af6c2355460bb1c303046b82b7eb6e589f01975267d049ed55fab47276ddb0d2659e17dd997c66980e6d2d3d6ec36938985a29a51b4b388828

C:\Windows\system\ftrIOYl.exe

MD5 d339f330bac370d13248733776dd5e57
SHA1 c36bf931bd73ab191a4ad5e872c08cef66ddfb76
SHA256 36320d8c02fcab9985365b828857928cf334f6398ad5e95248ca2ea57bebdd01
SHA512 9f27ac694bbab4ef568099485b672816842a6ea6d5429fdf4d001791eaf65487c6f08d96eed90fb6456d33f04feefbcd7a4743b9ff41207c183475f373007097

memory/2220-89-0x000000013F3F0000-0x000000013F741000-memory.dmp

C:\Windows\system\hEquLZM.exe

MD5 a7f4c2e5d2f2dd4833119b9594e1b1ea
SHA1 a97ff59a06a2c51d089bcbc50bb52f3295d0019f
SHA256 0390ae47e7a14165e2080bfc1a93032d89abfdbc4c9db11aab29f871de275eed
SHA512 35623855a38a26a953388be4d697bf5ede01d1d6eee6ce315c5fa68b66362a024b042c2ec895ec85a14a0b706822180c8e8e1d2c0fa5920832bd36e7963cdb6f

memory/1868-94-0x000000013F960000-0x000000013FCB1000-memory.dmp

C:\Windows\system\hWDiwbW.exe

MD5 04289db7c5a51e7ffb79384cc5bfa19c
SHA1 f2946ee9577b9f29bf27e24d93e459c521fee402
SHA256 11d26f97123f9fcc0618fad2876b9489c22a7b453ff5b3a6d61d4b49a9398e51
SHA512 b416d0f9c8dba9dda9977615752afec3017d057097aa60a63aff32eaf1edffe3efae4f6c78eef2407251e85e06e1254c42b8b0c39b1d134a33a5ae917d43a227

C:\Windows\system\MAzkfgj.exe

MD5 9d3e6fb7ca80c26c0b7b1dd883eab9b2
SHA1 9f6b1ae247007c797b4ebd5cb79ce141c48a15ad
SHA256 b5cabaaabf07753a3f002e68e6bc437c4b54acd5ce6316f280907686fe7f8eb8
SHA512 7466577b1f1b6ad212c56d7033acebfd9c1f42ae6db5932cd2831be03c9adf8623087011ef3e7bfc15062079a8d56d73b799688705eeb2c9db46b4800e39751a

C:\Windows\system\BQGGxZH.exe

MD5 defac85e63e5ae8ed555312655e6717c
SHA1 91149770118cb2feed22062cddb0366c5378c81f
SHA256 122ea09eae384667472e271625782d24834f733c765572d3729cc78e1ddbae62
SHA512 62a49a8412796000c00b7e883718758c4aa14f91476874dbb8048a9d0f46a1de9a5db5f00681192fb05f3258851c178adc5519e455db9fadeb1c913eae08bd3d

C:\Windows\system\xTtLUpE.exe

MD5 b0d8691c5e2657eba0d388ca420e8b7f
SHA1 73453ce6efbee32150b3adbad38b7ee722b420bb
SHA256 73af223a799ccc625d3186efffa4337a28b947fe8a975d28e98d8155115b5c54
SHA512 cefabd7cea8df373a8c723139a568c209e4595dbf5ed40e2e07b99955bf67ec0bac9969c2ee2876efc1147d9ec6e46523f7ad186d35971901c5685347bd23590

C:\Windows\system\WVmKyaj.exe

MD5 a61c35041e0e05e2d40c81035b4b7d8c
SHA1 85b70a47adfea8ce294a0e19b5832d6c5dd39f9b
SHA256 3863158c1be05048f11c40222e19628c153a421961ffe9390061b65edc873e8a
SHA512 522074e840a010aa198823d835d3e94950560b415293b18a4aa01d31547f3f1567798bc4951833c2a76c513163d33074d048c0332c1f8f4f4d2cea25e23ef288

C:\Windows\system\luUhgUo.exe

MD5 54a5a29ead9eb409ab44e463580f3a07
SHA1 ec4e37cfa5c934533ff8498ed95af76b40de122c
SHA256 eb3ff8492710e39d8fa6e996cc382dddb5d5a0ee098cc08bf0dbce21399158f5
SHA512 11134891ef7f577542318836dae22287f19c98a01f98e6729ea857488a6e7b57adcc6673eb64c76b5219f404c6b294f8ac44075e776256d6b4cef4e0ab7d5602

memory/440-137-0x000000013FEE0000-0x0000000140231000-memory.dmp

memory/2128-107-0x0000000002380000-0x00000000026D1000-memory.dmp

memory/2128-106-0x000000013F080000-0x000000013F3D1000-memory.dmp

C:\Windows\system\kVqmrvf.exe

MD5 81bf4d4687dbbf86aedb7c35dece738e
SHA1 8f0255713efb784060e26315705b4a19746f7756
SHA256 24dc9faced0627ead24f17051b2d6f0eafff7be24b2cd74026c7cd79e4b1896f
SHA512 de7355e5b8c59b3c2998c7904ad90235ac1512c3feaa739efe615be3fd65833729aa65a72cc39803da7dc4b7206aa56b49e5337c42f14d23311eb3f5130d7b2d

memory/2128-88-0x000000013F3F0000-0x000000013F741000-memory.dmp

memory/2724-87-0x000000013F320000-0x000000013F671000-memory.dmp

memory/2736-86-0x000000013F080000-0x000000013F3D1000-memory.dmp

C:\Windows\system\nkWNVSp.exe

MD5 f86a67ac5052c784da0ea0a06375bbb3
SHA1 c18aa1a82bbcc6b4e015a1dbe03099438b16863c
SHA256 a50d17927023723d6359fa41b9ac829d739b59ba3eef704b57308052e46fdb58
SHA512 36d669dfb5e03270405fd0c440bfe7eaecc65bd26b2c1fc86c1e43697dddd149e0d203427bec8af9ec2eeca1b129c4b555d2de798c86def6ab53889a3e4312e1

memory/1480-139-0x000000013F600000-0x000000013F951000-memory.dmp

memory/2128-138-0x000000013F600000-0x000000013F951000-memory.dmp

memory/1480-81-0x000000013F600000-0x000000013F951000-memory.dmp

memory/2128-80-0x000000013F600000-0x000000013F951000-memory.dmp

memory/2128-69-0x000000013F280000-0x000000013F5D1000-memory.dmp

memory/1076-68-0x000000013F080000-0x000000013F3D1000-memory.dmp

memory/2128-67-0x000000013F080000-0x000000013F3D1000-memory.dmp

memory/440-75-0x000000013FEE0000-0x0000000140231000-memory.dmp

memory/2128-74-0x000000013FEE0000-0x0000000140231000-memory.dmp

C:\Windows\system\NzajhiM.exe

MD5 bab2b9535d4ca1d7c92d192f9209b6cc
SHA1 a5464461af9918026d248933dfbec68aa49a77a4
SHA256 d45a11d3bec2ff7ea64e901655e16cb3ddb43d3c476ee02ecb4eaebd4c99092d
SHA512 e0cf8562a5920d329a3f881bb455c43703e21e4d73398dc86cb4bac8d76faf4f607fdc6eff4aee321cd14c15f7d74e6e748c95742d3242d5a5c577c597db9a58

memory/2220-141-0x000000013F3F0000-0x000000013F741000-memory.dmp

memory/2128-140-0x000000013F3F0000-0x000000013F741000-memory.dmp

memory/2920-57-0x000000013FD00000-0x0000000140051000-memory.dmp

memory/2128-55-0x000000013FB70000-0x000000013FEC1000-memory.dmp

memory/2724-54-0x000000013F320000-0x000000013F671000-memory.dmp

memory/2736-53-0x000000013F080000-0x000000013F3D1000-memory.dmp

C:\Windows\system\GNWoxZM.exe

MD5 a1bd335dc8b87c9b43589a2aaed7a507
SHA1 6d7fada9854796f73d80fa28a6a91d0220daf386
SHA256 e37e8721befa623c06861d7fd19200731f0de65a851dddd7336ec0dd94419959
SHA512 509f30cc390f8db8662f5d8c9dbfc50738bb86eb31ef3afc8235b71dd1e588e2d8d6d0c3587f1016de4e5a87a8c505d7fb7ef12331cf9a79429759733590285c

C:\Windows\system\NTFQvqn.exe

MD5 9d6ae1b7a0bd2bb7594e4216defd69ed
SHA1 52a81ceee9e6b77e396cd1b877bf8d652b081130
SHA256 82e81300a2cbaa3eb6d12508ad3879579ae1b5d33849d4763be27fb2fc9113ef
SHA512 891647f13f60a0e56ff5f2a2faa1a8d3c748bd839ede9d9faf66bf78b5c20a8cef6d1e503e633a8290a9fc41c623f7d975ab6af624c4d0979293eb5314411ad4

C:\Windows\system\XJSGSzR.exe

MD5 8ec9fb45b7736a68c1a8894e9d9c6018
SHA1 7b0e40ef1ae286ad78c702de2700a55b2c236ffc
SHA256 38cdfa29d672cc284fca9963050093110c834af61c6dcabc431402ab136aa442
SHA512 051a9cd93051171007154e7db2bbb01df4aeded3f3f271fd6bb980e092d4e5c618227620fad7f7b68360ce60fb5cd9f470f35d9b17c578c888d40f5e8b9708e5

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 10:57

Reported

2024-08-15 10:59

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\gkarGgw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BoVhDri.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yupbCAE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dOsXKEK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uohQmpO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jLGIUVH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fTnyuGT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MavRxau.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qusmDKR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IDmWotI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MKOdFkY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hSxugZd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\STLQWwd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BvaQCpT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RwWjnEp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oCNkWBE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YUHkCbh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PExfcIp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lvDlcLe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lsnhxXi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MDapRlI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2652 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oCNkWBE.exe
PID 2652 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oCNkWBE.exe
PID 2652 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BoVhDri.exe
PID 2652 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BoVhDri.exe
PID 2652 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yupbCAE.exe
PID 2652 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yupbCAE.exe
PID 2652 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dOsXKEK.exe
PID 2652 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dOsXKEK.exe
PID 2652 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uohQmpO.exe
PID 2652 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uohQmpO.exe
PID 2652 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hSxugZd.exe
PID 2652 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hSxugZd.exe
PID 2652 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\STLQWwd.exe
PID 2652 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\STLQWwd.exe
PID 2652 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YUHkCbh.exe
PID 2652 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YUHkCbh.exe
PID 2652 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PExfcIp.exe
PID 2652 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PExfcIp.exe
PID 2652 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lvDlcLe.exe
PID 2652 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lvDlcLe.exe
PID 2652 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jLGIUVH.exe
PID 2652 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jLGIUVH.exe
PID 2652 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fTnyuGT.exe
PID 2652 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fTnyuGT.exe
PID 2652 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lsnhxXi.exe
PID 2652 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lsnhxXi.exe
PID 2652 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MavRxau.exe
PID 2652 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MavRxau.exe
PID 2652 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gkarGgw.exe
PID 2652 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gkarGgw.exe
PID 2652 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qusmDKR.exe
PID 2652 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qusmDKR.exe
PID 2652 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BvaQCpT.exe
PID 2652 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BvaQCpT.exe
PID 2652 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RwWjnEp.exe
PID 2652 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RwWjnEp.exe
PID 2652 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IDmWotI.exe
PID 2652 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IDmWotI.exe
PID 2652 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MDapRlI.exe
PID 2652 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MDapRlI.exe
PID 2652 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MKOdFkY.exe
PID 2652 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MKOdFkY.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\oCNkWBE.exe

C:\Windows\System\oCNkWBE.exe

C:\Windows\System\BoVhDri.exe

C:\Windows\System\BoVhDri.exe

C:\Windows\System\yupbCAE.exe

C:\Windows\System\yupbCAE.exe

C:\Windows\System\dOsXKEK.exe

C:\Windows\System\dOsXKEK.exe

C:\Windows\System\uohQmpO.exe

C:\Windows\System\uohQmpO.exe

C:\Windows\System\hSxugZd.exe

C:\Windows\System\hSxugZd.exe

C:\Windows\System\STLQWwd.exe

C:\Windows\System\STLQWwd.exe

C:\Windows\System\YUHkCbh.exe

C:\Windows\System\YUHkCbh.exe

C:\Windows\System\PExfcIp.exe

C:\Windows\System\PExfcIp.exe

C:\Windows\System\lvDlcLe.exe

C:\Windows\System\lvDlcLe.exe

C:\Windows\System\jLGIUVH.exe

C:\Windows\System\jLGIUVH.exe

C:\Windows\System\fTnyuGT.exe

C:\Windows\System\fTnyuGT.exe

C:\Windows\System\lsnhxXi.exe

C:\Windows\System\lsnhxXi.exe

C:\Windows\System\MavRxau.exe

C:\Windows\System\MavRxau.exe

C:\Windows\System\gkarGgw.exe

C:\Windows\System\gkarGgw.exe

C:\Windows\System\qusmDKR.exe

C:\Windows\System\qusmDKR.exe

C:\Windows\System\BvaQCpT.exe

C:\Windows\System\BvaQCpT.exe

C:\Windows\System\RwWjnEp.exe

C:\Windows\System\RwWjnEp.exe

C:\Windows\System\IDmWotI.exe

C:\Windows\System\IDmWotI.exe

C:\Windows\System\MDapRlI.exe

C:\Windows\System\MDapRlI.exe

C:\Windows\System\MKOdFkY.exe

C:\Windows\System\MKOdFkY.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/2652-0-0x00007FF672E60000-0x00007FF6731B1000-memory.dmp

memory/2652-1-0x0000021178380000-0x0000021178390000-memory.dmp

C:\Windows\System\oCNkWBE.exe

MD5 06acda31d4318f5360a7eeb4f15a7a3f
SHA1 36afa86bc42fd46a910ebd2e03f05efd9aacff02
SHA256 461d54d60d96c23400d2083926700a64b16a8911f660ea195fd90a5204653922
SHA512 fc540a3ae7d26e71df3ea8fd8c9f6c05c4c5875bf1b5748afa9b53d83115c788ff4dfc53535cd1afe73624dcd9d8282ed7c9ec75eba9184b982969303ac22f76

C:\Windows\System\BoVhDri.exe

MD5 9588c60723cd5a19e2f386e6d463bc4d
SHA1 cd72d7ced8dc6060bdd83df971804e68697d3d4d
SHA256 e06862f083e4b830ad1573e9c8bec5abb2a8be0bb6a88d75edf913b60a475539
SHA512 a6c65d133ce7e62be419e566eab7a5cf794fc839d59aed402dc977bba350dd0b7f74ecdd7ca31b71db0f3a313449b805a1f0f280e1793e2350eb9825b20b97f4

C:\Windows\System\dOsXKEK.exe

MD5 c999b7732f8fbff7d02367f05f103796
SHA1 354063e3510a63314c7182fcb2aa4788521c9964
SHA256 635f2c31df5f4df92e9cffbda002564816722629c13bf26295347d01d031b77f
SHA512 8fb7f5029378f93ddc778febc68f0089688da58f9b9bbac1b0d19ef888adea8db6712d560ea08f42f67a5e5b6a1d1dd0430d2c8dab21e6f5455352e8de53e8c1

C:\Windows\System\uohQmpO.exe

MD5 0fa76bcc972cc3b544db7272dd4bb194
SHA1 0744639e7647838b623d68bdb103db13f12a5a45
SHA256 d150dfe98f58c1e0e5713026271a4d3b348bf1af649934142b50991d77ab0ee5
SHA512 753a442f09e0cc41f6a649f08e1b2174f2127e3c5a0caf139f1e298fc870e4a5a2a503450c90015e6a74168f85ec2647cb8317a88e1fb80a8e3bccaefb3ad8db

C:\Windows\System\YUHkCbh.exe

MD5 360dbc6759109bc1fe7f076d3fac7b62
SHA1 6fc8fc848b72b5647b94d61aee8bab097fb4331b
SHA256 3c7434f9b56704b740009c451136e80e6d53f8c9bf4147da5d0cfd0598069cbe
SHA512 bed5133186a608d5fc3a5357a2cc5b6e542c16b36de67235d8585d0e0d9eb3e01d7ff00ec57e68f96c791587c851b94b2fae44df300e566d0c8214223313f677

C:\Windows\System\hSxugZd.exe

MD5 e64ccc306c451c4d1babbc252082a72d
SHA1 8e15c4f9496f81e59ff00ac8c8d3d2aeabe09b7f
SHA256 f5e3f7ed6e2f3392239d076f8277d0a0a9f13b4ae031c398b3a0eaa11e9e45a0
SHA512 1d53f3ebabdf267e7447327e4b00617adcbf360bf6703096bf2c03d1ad95d67583f4ebb93da108fca6a1a7b1d3844b23aaf3cb3496f78804ebed737dd2599911

memory/4176-27-0x00007FF6C4260000-0x00007FF6C45B1000-memory.dmp

memory/3264-22-0x00007FF66A750000-0x00007FF66AAA1000-memory.dmp

C:\Windows\System\yupbCAE.exe

MD5 d2d7e0aa27843c5005e0985bb3a92db9
SHA1 1c0020ef7d6f12f771f253952bd1a86da956bbd6
SHA256 1421db8618ae7625151a17346a5e90af0f9dfcf1fec64dd37cc3047262754736
SHA512 30de79cb922bac2d6f3dd081e3cf8a9ba4400d05aa698fd295714bec101f044f5b001ff8f505bf6f02bb13f600ce9ba7c706e85a5dd02a7d4a9832ee81cd200a

memory/4204-17-0x00007FF613C70000-0x00007FF613FC1000-memory.dmp

C:\Windows\System\lvDlcLe.exe

MD5 25e2cbab204914214a4d6fb05a6db36f
SHA1 0679ce06061424eda0d77109e64757fec474adb5
SHA256 665a335a09179296953d1ad50103b9fdee31937aaa888afc8e9c73c0224dd5f5
SHA512 122cf266ec4f5315884a46b91cc56204b8684d8b56429743fa3a402b6c0304c08bea250770415da89091805047acbab3c228edd2358fc0fe58cf2beef540f748

memory/1772-89-0x00007FF7F7500000-0x00007FF7F7851000-memory.dmp

C:\Windows\System\gkarGgw.exe

MD5 07e8f874917ac1d0486d33f0f3c8caf3
SHA1 ef68f135d39e7f35e9f00bd2969fdf1df3cf665f
SHA256 180eaaf2c3deaf05da661fc12a2b3d963261ccb4872e7d1a8b792e64555fc58f
SHA512 0e84025ab4f066ce48462e26c294eef3ba1a2783c316c3d2d4a35daf0f321fb5cab027fe76a6a7f44eda402f5c3f888dea812c06f70ccaddd42a0913df08a20e

C:\Windows\System\BvaQCpT.exe

MD5 cff43a34836b7deb0a9450661d432c6b
SHA1 0dda0f3bda87c93d1578ce718a5f1d6f7e064231
SHA256 fb3c3d4b3775725b94d73222112fa6d4bb15434b30462da2dab1729f8c287663
SHA512 7980c9c6498ae1c17cd9f47c0ca8b3b1ffe124da8d971d4915e15a9cd93de111dd7d5abd77294ff2383f36ef3b53da281f557c647063669f29b334615785815f

memory/1240-104-0x00007FF6C6200000-0x00007FF6C6551000-memory.dmp

memory/4872-103-0x00007FF6AD170000-0x00007FF6AD4C1000-memory.dmp

memory/1968-100-0x00007FF733220000-0x00007FF733571000-memory.dmp

memory/1780-99-0x00007FF7EA1F0000-0x00007FF7EA541000-memory.dmp

memory/4136-96-0x00007FF638E50000-0x00007FF6391A1000-memory.dmp

memory/4496-95-0x00007FF65D920000-0x00007FF65DC71000-memory.dmp

C:\Windows\System\qusmDKR.exe

MD5 b4f00d2a871c1becd258dd70818f6871
SHA1 f7516e892a5eca9f79cc41792069500820180a1c
SHA256 471d682f4b72e26a509fd3db67829818519ca4198c8364bccf2b568e38f4341c
SHA512 f950601135a6b4914ed443c5761ffe395496d9bb8c79edffccb584ecea1386d0a7f7c3c177cce2b60bd890361c673aa38fd9b12b4ad9bcdfe3e1650e4eb8b776

C:\Windows\System\MavRxau.exe

MD5 fbba430ee614ae1ea720de4008c4d6ae
SHA1 99ed35ba92ff9dfe8428d837d91335cd15683269
SHA256 ec00e2fb5727e27515760dbbd72c0a0a427569766e9e3bc9195c1bea25dcfba4
SHA512 0a50d18429c0fa8c1ab548ee5fa87a8fa856d1cea926fafa5e365be99bea80cdae8932d58adfafa7f01fd98b71bed93b4ec891053d4a882166aca1649cf6a158

memory/1304-90-0x00007FF6DF340000-0x00007FF6DF691000-memory.dmp

C:\Windows\System\lsnhxXi.exe

MD5 fa02c02171a0b9b6babab30634008591
SHA1 4db2c96f526bcc7bb681403045f55e9023dfd8e8
SHA256 2c7fd792999475dea7a32379e551c5092e3a5757d1015ebc62934daa117a64f5
SHA512 4917a34d079f3b3afc1b8b4ba1005fc5a69814271ceb589b70b683cbba9df8052f627869777e72ea5e05f411b3e935ca2cbd5660ce1656090b7d908f71b1c9b8

memory/4912-82-0x00007FF790210000-0x00007FF790561000-memory.dmp

C:\Windows\System\fTnyuGT.exe

MD5 b5eab321dd9a4a88956cc63912b20932
SHA1 69df440eb07493f86fd347e19faa0ef0e12366d1
SHA256 86f18a7e9344d1370b146b70714949f2e9b996a2b0f5f38da706fa8716fe6bcc
SHA512 e8a20e5359dff7fd773c006023ff29313ac1149a1b7341e0ffd4e016cefd1b7e5e47b53b505fd5685578f65d53b9503f5744ef369ef0697ab6492c732bf233ee

C:\Windows\System\jLGIUVH.exe

MD5 f1e64619e336087f4fdeb8ff5682c759
SHA1 d4bf22c46d1b930c8a9a13f564b5f5588cf4c14e
SHA256 8ab0b81fbc094c6d41115c55b7ccaf410a079e7dce7c32fe27d01126f02865ae
SHA512 8fd3b9bd57391c3fbf9b278d7d237ce62803b5e62718faa086d38231a26271ceceb0558bb1a63e89bcb7aa6653a7b2029443c375b0b408ddd02f07c5d09af0a9

memory/3412-72-0x00007FF629F80000-0x00007FF62A2D1000-memory.dmp

memory/4080-56-0x00007FF6DB150000-0x00007FF6DB4A1000-memory.dmp

C:\Windows\System\PExfcIp.exe

MD5 621cc33da360e86a9497d5595d71e533
SHA1 b59eb3bc0c928e34569018210bc6e18997bda432
SHA256 684483266e7238bdd142f6b8d888fcf5124d7f07b2094300bb0c58dd84e1b788
SHA512 92fcc0d83db7b0eb0fdf3432544cc7de106c3e76c178585351f37d01988b84a30bb55caf35836b38564a2f6315cb6f0f24687a91963498f909854024f350b4aa

memory/2792-46-0x00007FF6B2030000-0x00007FF6B2381000-memory.dmp

memory/2400-39-0x00007FF6BEE50000-0x00007FF6BF1A1000-memory.dmp

C:\Windows\System\STLQWwd.exe

MD5 327011fcfe514d40ff1e454436e0bd7a
SHA1 bdae43883ac471347b5433b9cce4c1fa6f5ae91b
SHA256 fc64847c3a7686c81cc0b2a07818985183daa7ca1c295d344a1566962d48a67c
SHA512 462a39516b8c4471cf9ea18e45d083f4c9085012ce3af966be9d1a75fd220ed3f25e60f1d701a92689a021f5a392b50ee450fadf0fe4bdcfe84b546aa9190326

memory/2928-6-0x00007FF74B750000-0x00007FF74BAA1000-memory.dmp

C:\Windows\System\RwWjnEp.exe

MD5 e71dd5ab1b964c586ac1698c492c6e9a
SHA1 1309f906e36b8f34b0267601f0183f31976502e1
SHA256 d2b4256cf50cc2b56b106925f9174ea4b428fdd7c26df38134b69b86d006491b
SHA512 36ef12dbe4af4bde5465917e558c4b87ca62d416c62526d2e391a37efe5fbab36f309caa4db1710bc432c93246e121f1168da509374d67bee5c18e8e435d20b1

memory/2344-108-0x00007FF706CA0000-0x00007FF706FF1000-memory.dmp

C:\Windows\System\IDmWotI.exe

MD5 4f31fd033c074032cfaddd137a64c17e
SHA1 fcb356ee031352eccb294d16eebb04db2dbc9d59
SHA256 b8f3d3f5ee2045f0b94f04b9fbb671df658bf04208645f6580a3585d442f296b
SHA512 faaa9436cec1f0923a3108d2b8ea426785ecf74a5292f0022c01ffa3da34ee85f9f54feef961e8b62eb75046fba8e946e2880bfdbd6bf9559192f69457dd4217

memory/920-119-0x00007FF7146E0000-0x00007FF714A31000-memory.dmp

C:\Windows\System\MDapRlI.exe

MD5 3d5ae9eddcf417760b9bdad29c397419
SHA1 c8006fb53c6beb01003b8db85656ff2b1d521314
SHA256 98127849c55aa25e96b340de2a26a17148273426d1e9e67311f20b19cbdaca1b
SHA512 cb92db0393312c09114424289cce0a4c221a4beda723df7bde85b49e30c7759a5f25d4f034a3817e7dfb3f7bc688f1283de1d8a08a96a55016dbde987e057cec

C:\Windows\System\MKOdFkY.exe

MD5 3e12fb64f3bdb280be5f2e63cb52b6ee
SHA1 e575097103e34d9f6d3f6b2fba40c7e48ecad8ca
SHA256 26ad7fa0574940d317e1dd55349f43a0a91a86c7acd7ecec94a9ea4ffc1edc3f
SHA512 c8b4a91f3e18dd7e288d997b0ddca8fbf995bafda67b8627252b0cd97c379cbb814f5c7bd95ab3a9c673148d2833ce569e5f8083f1e76f7b34b8b9706576f1e5