Malware Analysis Report

2025-03-15 08:08

Sample ID 240815-mzfjtaygma
Target 2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat
SHA256 c7b4dca410e01266e143d8fd5f6428efa26ea5191c41c7b66094101e90132e13
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c7b4dca410e01266e143d8fd5f6428efa26ea5191c41c7b66094101e90132e13

Threat Level: Known bad

The file 2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Xmrig family

XMRig Miner payload

Cobaltstrike family

Cobaltstrike

Cobalt Strike reflective loader

xmrig

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-15 10:53

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 10:53

Reported

2024-08-15 10:56

Platform

win7-20240729-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\fWBfgtS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RJHdMbk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hjqilsk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rOtKjzD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qCooiyS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PSIcznB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oADQplM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jekxWJc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RFHmFvG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jcMBFKr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AytMoGn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dfNLfeH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bCaoNTw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MyZJzVq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GyljXva.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wAyburv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EqixWXc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GLAOVUC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uLazgSE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZUoEFiP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PBRzKea.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1316 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rOtKjzD.exe
PID 1316 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qCooiyS.exe
PID 1316 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EqixWXc.exe
PID 1316 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jcMBFKr.exe
PID 1316 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AytMoGn.exe
PID 1316 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PSIcznB.exe
PID 1316 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oADQplM.exe
PID 1316 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dfNLfeH.exe
PID 1316 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jekxWJc.exe
PID 1316 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fWBfgtS.exe
PID 1316 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bCaoNTw.exe
PID 1316 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MyZJzVq.exe
PID 1316 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GLAOVUC.exe
PID 1316 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uLazgSE.exe
PID 1316 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZUoEFiP.exe
PID 1316 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PBRzKea.exe
PID 1316 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RFHmFvG.exe
PID 1316 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hjqilsk.exe
PID 1316 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RJHdMbk.exe
PID 1316 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GyljXva.exe
PID 1316 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wAyburv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\rOtKjzD.exe

C:\Windows\System\rOtKjzD.exe

C:\Windows\System\qCooiyS.exe

C:\Windows\System\qCooiyS.exe

C:\Windows\System\EqixWXc.exe

C:\Windows\System\EqixWXc.exe

C:\Windows\System\jcMBFKr.exe

C:\Windows\System\jcMBFKr.exe

C:\Windows\System\AytMoGn.exe

C:\Windows\System\AytMoGn.exe

C:\Windows\System\PSIcznB.exe

C:\Windows\System\PSIcznB.exe

C:\Windows\System\oADQplM.exe

C:\Windows\System\oADQplM.exe

C:\Windows\System\dfNLfeH.exe

C:\Windows\System\dfNLfeH.exe

C:\Windows\System\jekxWJc.exe

C:\Windows\System\jekxWJc.exe

C:\Windows\System\fWBfgtS.exe

C:\Windows\System\fWBfgtS.exe

C:\Windows\System\bCaoNTw.exe

C:\Windows\System\bCaoNTw.exe

C:\Windows\System\MyZJzVq.exe

C:\Windows\System\MyZJzVq.exe

C:\Windows\System\GLAOVUC.exe

C:\Windows\System\GLAOVUC.exe

C:\Windows\System\uLazgSE.exe

C:\Windows\System\uLazgSE.exe

C:\Windows\System\ZUoEFiP.exe

C:\Windows\System\ZUoEFiP.exe

C:\Windows\System\PBRzKea.exe

C:\Windows\System\PBRzKea.exe

C:\Windows\System\RFHmFvG.exe

C:\Windows\System\RFHmFvG.exe

C:\Windows\System\hjqilsk.exe

C:\Windows\System\hjqilsk.exe

C:\Windows\System\RJHdMbk.exe

C:\Windows\System\RJHdMbk.exe

C:\Windows\System\GyljXva.exe

C:\Windows\System\GyljXva.exe

C:\Windows\System\wAyburv.exe

C:\Windows\System\wAyburv.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/1316-0-0x000000013F6E0000-0x000000013FA31000-memory.dmp

memory/1316-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\rOtKjzD.exe

MD5 003e0bde51281d9728e18e65b50f64dd
SHA1 24dd5027d62d69a8979beed67ffa7623ad3cadec
SHA256 cbfece501a656853a823174778a8e53544db3d82bcd62c33b732617128fbe269
SHA512 a6c48c5af05acb8333ea62e3f87b369fa8fa579c2f945bc275a4746d0ee4290e091a94f7b9bc3d0b40b74866c1496b94730ab691f3376c505eec3ec213bea29f

memory/1316-6-0x000000013FFA0000-0x00000001402F1000-memory.dmp

C:\Windows\system\qCooiyS.exe

MD5 e6bdac8945aeebde6aeea9f0eafc793a
SHA1 1de61a4ff5540a938d5f9b5e8f1d97f82cd09ae3
SHA256 cdb2e0b36802ce13aa7ab4b28ca5b39b99f8d545ce15f8bd473301ef04671779
SHA512 ed6d24b8e387806deaaea2212012f927515dfdcda63c486e86579d505c193c3b1f6e3fae866614f14ffabb65896ed839d830d52716a867bb9dcc73d735c86819

memory/2072-15-0x000000013FE70000-0x00000001401C1000-memory.dmp

memory/1316-13-0x000000013FE70000-0x00000001401C1000-memory.dmp

C:\Windows\system\EqixWXc.exe

MD5 5df813a5df1c7bda45c444f0e51a327f
SHA1 ddbe761a60190b86e15f7e42f18e754e9429b30c
SHA256 d8611cb36556ea9da110dea1de9bf5e19fc19d9bc41b1768a7879d9cfc59e7e6
SHA512 d1b87be67315ab3b897a0975f48cbc19705bc376b772cfa46b4d5009594f8cc88442a89c219310594df07662ba6db045f3cbc1db6a2717d0ca17ce19cf17a987

memory/1316-22-0x000000013F240000-0x000000013F591000-memory.dmp

memory/2796-21-0x000000013F240000-0x000000013F591000-memory.dmp

\Windows\system\jcMBFKr.exe

MD5 d215d8b6153feed6f7efe158bdbd35d6
SHA1 795ca5b24aef0e9218d7a630e9e39d7c0334230a
SHA256 710ecd24c31a8f3db2446364fef01f7fea7ea2acab698b448ca40fc085401c0e
SHA512 cdf6bb8b4ce30c5d2dd893bb50ce003d89c5c648d3e0d6b63691b7af2d9746863558ca5707cdcc6a06a5ad5a3e001983c6e97f4f8b6f34b8b1cc111fa169c7d0

memory/2888-28-0x000000013F5B0000-0x000000013F901000-memory.dmp

C:\Windows\system\AytMoGn.exe

MD5 c543fe2fd978df5c3bc98da79a2b5574
SHA1 c963fa64189640b9cf8ee7e4ba59658c94fc4bf8
SHA256 b18e5676de138d94338f84439f05d7809508151bc325b01898f4a3b447b409ab
SHA512 d8e9216d9b2fa576d38f832935f076b9156b658175aa3a0a9412bb2dda9c315a547fcf1358032c73db968636147fdd0a75edfefccff620a208dfffcb1a1fc05c

C:\Windows\system\PSIcznB.exe

MD5 d9e5c30e798531b18aff882c2d3e0940
SHA1 f4bfc1429847e57568c4e8107926ef6218135b2c
SHA256 369df291836577e15671cd5e5779ef256e84b76269b30d17235edcd7a56cc536
SHA512 542fb32cba2e1123fc99f3ab299af4730e4b63478c8da436e3ed2f525b4995f31a586a7b1675abf00994dff1c9b00d99c6fcc077c472a6715e5da1190e1f8478

memory/2884-40-0x000000013F880000-0x000000013FBD1000-memory.dmp

memory/2908-38-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

\Windows\system\oADQplM.exe

MD5 6861f36dfd8f2be82b9672a879bf6005
SHA1 5036f1fb5b99e88399b48575cdb82ad94a9b0f7b
SHA256 328257df6a923601083f25ab39a08993757c3cfe856d023d708fa92fd0d9bc09
SHA512 b8267613d3cd79df579ecc4ec739df2c1eb2fe317d6142389de3c7518c22fa9d8ac0cb547618993910751b1730b52f57d8846fe7113583fa79b015a21df984a2

memory/1316-42-0x000000013F6E0000-0x000000013FA31000-memory.dmp

\Windows\system\jekxWJc.exe

MD5 f6373d5faefee29841412bb12b60ec1a
SHA1 cb689ede636105ce76c8a303a859c6f5040413de
SHA256 fa10f9612f32b95efce99077e88b146f41037dbe58e6392321f6fbe43cc6c804
SHA512 4fd6b0a8c61d7ba9d8132c038d7c99f55e0302ed0cd09d17e8c4a1c62845d797473e830821a4fce345514beb1e67d923039eaf68561347333c59379cd5703fd0

memory/680-56-0x000000013F510000-0x000000013F861000-memory.dmp

C:\Windows\system\fWBfgtS.exe

MD5 f16d4de0c94bba35383d0114dfa0bceb
SHA1 c3d58c8aec6029837c41b6ad7bd1a04f1e0256d7
SHA256 6563956e7cb4224129c7da01ee8cd63bc49a0ff413dde36076456c1dbd633f00
SHA512 1bef3ed6559346ba569325642758dae8af03343b68f2f1e14c27bacf2f1c2cfc8512974435e93ead22585b9f32edc9df808b1ae7d2603e0f29e49d1449303d9f

memory/3068-72-0x000000013F5E0000-0x000000013F931000-memory.dmp

memory/1316-61-0x00000000021E0000-0x0000000002531000-memory.dmp

memory/2072-60-0x000000013FE70000-0x00000001401C1000-memory.dmp

memory/2908-83-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

memory/2904-88-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

memory/2532-79-0x000000013F570000-0x000000013F8C1000-memory.dmp

C:\Windows\system\MyZJzVq.exe

MD5 ceba380a04b1f067ad20538bc039a255
SHA1 8c6ef467c361e692efd0e3fec235f227aba923a8
SHA256 713d5a86afd6da88d7c32c51346f375941ad0674b788ef7e0a74106b256be338
SHA512 faa17628564e96657288af3087e608a69f9840dfcfe5ea73ded013f5effb3dec0c8aa93e34e42295d6d99c5b3e0559ff1a3afa2dcb2efcc6db9577f1b0a1df07

memory/552-104-0x000000013F230000-0x000000013F581000-memory.dmp

C:\Windows\system\hjqilsk.exe

MD5 72087d739a9d6a651709d79491e9812b
SHA1 af7eede590c3ce212ca84cb2f89d9e391ffe18b8
SHA256 6d5cc3397c1bcf6ba9db0c1efd372ecef170acd93f50c8afa185a9e0cb03100a
SHA512 43434a190cd9f0ad1cda0e59847ebcf73491976c562148848a5539cad1af0297bde28a8ce1b787139504a16b4aa87fc1663a1acf295ee7e3e583e8e908905655

C:\Windows\system\GyljXva.exe

MD5 6d114c8915b1b4b0e127f5100669fedb
SHA1 b08a98ccbf5debcd0010591aa7625292ae2c20e4
SHA256 026e50935b72923a1a99f0019bf4a8617100c5e9c493fb22c31f409b4efe8025
SHA512 5478df769dd077f9872122981a063741176842d5bb611c97ce949a38588fe133fc221c054a53b73aaee225aca2caaeed4a9b7d96ad7d09af3fbf948037106e7a

\Windows\system\wAyburv.exe

MD5 55b91aa7f7b39998cfce3a9cdd5b63b5
SHA1 78aeba8f49511e1b4e827f2b35d2c837a930912b
SHA256 cb83f0d95dfa8e4b73a92b35c0b864fed371b28826d0b0540d2913ce97108167
SHA512 513487ef10451d3e559baad97734af9da37cd67e97ece5f55a189eaad0b1ebe82b783396cae6780e06c395c2f27d622b498c78f479e7fd201d2c40617091eb85

C:\Windows\system\RJHdMbk.exe

MD5 468aa2e5927cf4185facb9a1d2d8f16a
SHA1 6ebf006e3de3029e3d1730d1221246dbedfa253a
SHA256 41351272b43cb2dc6c9a41dfa827a0b0c050a0f0a97bd20a76ebb7b1c919c609
SHA512 09dfa485029e87c5ef05088bae5bea7b189b03539245cd4a84df55f0f8fa379eb2c0d59e6647f6f8886b18b8f36a3f1adc436dbf6a8060eecbc7d40a5598ecb9

C:\Windows\system\RFHmFvG.exe

MD5 d4ecb459d4d29e660e736ff49eab551b

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 10:53

Reported

2024-08-15 10:56

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\LliolhH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eaKcnhf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wmyPcpk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lPcMCbe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NURapao.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YsYuAxz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YhFLZOd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hNUVjQl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VrTNMrf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JcqMSld.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ylAshbW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xOGFAGq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mgVqtRq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MYVsfEY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CrHqCuJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\urWpCSw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QhqHKnq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RjnQNUN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zxKnpxv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XRgemyS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HtGquuU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1840 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\urWpCSw.exe
PID 1840 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\urWpCSw.exe
PID 1840 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LliolhH.exe
PID 1840 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LliolhH.exe
PID 1840 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eaKcnhf.exe
PID 1840 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eaKcnhf.exe
PID 1840 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JcqMSld.exe
PID 1840 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JcqMSld.exe
PID 1840 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QhqHKnq.exe
PID 1840 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QhqHKnq.exe
PID 1840 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RjnQNUN.exe
PID 1840 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RjnQNUN.exe
PID 1840 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ylAshbW.exe
PID 1840 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ylAshbW.exe
PID 1840 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wmyPcpk.exe
PID 1840 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wmyPcpk.exe
PID 1840 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lPcMCbe.exe
PID 1840 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lPcMCbe.exe
PID 1840 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zxKnpxv.exe
PID 1840 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zxKnpxv.exe
PID 1840 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xOGFAGq.exe
PID 1840 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xOGFAGq.exe
PID 1840 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MYVsfEY.exe
PID 1840 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MYVsfEY.exe
PID 1840 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NURapao.exe
PID 1840 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NURapao.exe
PID 1840 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XRgemyS.exe
PID 1840 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XRgemyS.exe
PID 1840 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YsYuAxz.exe
PID 1840 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YsYuAxz.exe
PID 1840 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YhFLZOd.exe
PID 1840 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YhFLZOd.exe
PID 1840 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hNUVjQl.exe
PID 1840 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hNUVjQl.exe
PID 1840 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mgVqtRq.exe
PID 1840 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mgVqtRq.exe
PID 1840 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CrHqCuJ.exe
PID 1840 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CrHqCuJ.exe
PID 1840 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VrTNMrf.exe
PID 1840 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VrTNMrf.exe
PID 1840 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HtGquuU.exe
PID 1840 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HtGquuU.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\urWpCSw.exe

C:\Windows\System\urWpCSw.exe

C:\Windows\System\LliolhH.exe

C:\Windows\System\LliolhH.exe

C:\Windows\System\eaKcnhf.exe

C:\Windows\System\eaKcnhf.exe

C:\Windows\System\JcqMSld.exe

C:\Windows\System\JcqMSld.exe

C:\Windows\System\QhqHKnq.exe

C:\Windows\System\QhqHKnq.exe

C:\Windows\System\RjnQNUN.exe

C:\Windows\System\RjnQNUN.exe

C:\Windows\System\ylAshbW.exe

C:\Windows\System\ylAshbW.exe

C:\Windows\System\wmyPcpk.exe

C:\Windows\System\wmyPcpk.exe

C:\Windows\System\lPcMCbe.exe

C:\Windows\System\lPcMCbe.exe

C:\Windows\System\zxKnpxv.exe

C:\Windows\System\zxKnpxv.exe

C:\Windows\System\xOGFAGq.exe

C:\Windows\System\xOGFAGq.exe

C:\Windows\System\MYVsfEY.exe

C:\Windows\System\MYVsfEY.exe

C:\Windows\System\NURapao.exe

C:\Windows\System\NURapao.exe

C:\Windows\System\XRgemyS.exe

C:\Windows\System\XRgemyS.exe

C:\Windows\System\YsYuAxz.exe

C:\Windows\System\YsYuAxz.exe

C:\Windows\System\YhFLZOd.exe

C:\Windows\System\YhFLZOd.exe

C:\Windows\System\hNUVjQl.exe

C:\Windows\System\hNUVjQl.exe

C:\Windows\System\mgVqtRq.exe

C:\Windows\System\mgVqtRq.exe

C:\Windows\System\CrHqCuJ.exe

C:\Windows\System\CrHqCuJ.exe

C:\Windows\System\VrTNMrf.exe

C:\Windows\System\VrTNMrf.exe

C:\Windows\System\HtGquuU.exe

C:\Windows\System\HtGquuU.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 52.111.227.11:443 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
