Malware Analysis Report

2024-10-23 18:50

Sample ID 240628-ae4dxszepb
Target 2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat
SHA256 9e06c80d196357b9186ac87ef45340436ce70bed5321980e7432fdc1ee07926c
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

9e06c80d196357b9186ac87ef45340436ce70bed5321980e7432fdc1ee07926c

Threat Level: Known bad

The file 2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike family

UPX dump on OEP (original entry point)

Cobalt Strike reflective loader

XMRig Miner payload

Cobaltstrike

xmrig

Detects Reflective DLL injection artifacts

Xmrig family

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-28 00:08

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 00:08

Reported

2024-06-28 00:11

Platform

win7-20240611-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | N/A

UPX packed file

upx

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\System\rkPXngq.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\pFreTGv.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\BRqKtBg.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\QVSUDMR.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\GiqJURa.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\luPqsVz.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\OcIsmgy.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\LALXfrU.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\MvwqyNI.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\hhAGcis.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\UiWmzBl.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\QfzJqWC.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\kUkRCZu.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\txqIwhB.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\eHQZGZn.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\ubSVwOv.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\wptfawH.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\IBYzrIv.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\bYTjfEQ.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\zklPevg.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | N/A
File created | C:\Windows\System\qNjXuPB.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2056 wrote to memory of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\UiWmzBl.exe
PID 2056 wrote to memory of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\UiWmzBl.exe
PID 2056 wrote to memory of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\UiWmzBl.exe
PID 2056 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\QVSUDMR.exe
PID 2056 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\QVSUDMR.exe
PID 2056 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\QVSUDMR.exe
PID 2056 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\wptfawH.exe
PID 2056 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\wptfawH.exe
PID 2056 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\wptfawH.exe
PID 2056 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\GiqJURa.exe
PID 2056 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\GiqJURa.exe
PID 2056 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\GiqJURa.exe
PID 2056 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\IBYzrIv.exe
PID 2056 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\IBYzrIv.exe
PID 2056 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\IBYzrIv.exe
PID 2056 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\bYTjfEQ.exe
PID 2056 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\bYTjfEQ.exe
PID 2056 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\bYTjfEQ.exe
PID 2056 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\zklPevg.exe
PID 2056 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\zklPevg.exe
PID 2056 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\zklPevg.exe
PID 2056 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\luPqsVz.exe
PID 2056 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\luPqsVz.exe
PID 2056 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\luPqsVz.exe
PID 2056 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\QfzJqWC.exe
PID 2056 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\QfzJqWC.exe
PID 2056 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\QfzJqWC.exe
PID 2056 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\kUkRCZu.exe
PID 2056 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\kUkRCZu.exe
PID 2056 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\kUkRCZu.exe
PID 2056 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\txqIwhB.exe
PID 2056 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\txqIwhB.exe
PID 2056 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\txqIwhB.exe
PID 2056 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\eHQZGZn.exe
PID 2056 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\eHQZGZn.exe
PID 2056 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\eHQZGZn.exe
PID 2056 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\rkPXngq.exe
PID 2056 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\rkPXngq.exe
PID 2056 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\rkPXngq.exe
PID 2056 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\ubSVwOv.exe
PID 2056 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\ubSVwOv.exe
PID 2056 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\ubSVwOv.exe
PID 2056 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\pFreTGv.exe
PID 2056 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\pFreTGv.exe
PID 2056 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\pFreTGv.exe
PID 2056 wrote to memory of 768 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\MvwqyNI.exe
PID 2056 wrote to memory of 768 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\MvwqyNI.exe
PID 2056 wrote to memory of 768 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\MvwqyNI.exe
PID 2056 wrote to memory of 2200 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\OcIsmgy.exe
PID 2056 wrote to memory of 2200 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\OcIsmgy.exe
PID 2056 wrote to memory of 2200 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\OcIsmgy.exe
PID 2056 wrote to memory of 1044 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\hhAGcis.exe
PID 2056 wrote to memory of 1044 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\hhAGcis.exe
PID 2056 wrote to memory of 1044 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\hhAGcis.exe
PID 2056 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\BRqKtBg.exe
PID 2056 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\BRqKtBg.exe
PID 2056 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\BRqKtBg.exe
PID 2056 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\LALXfrU.exe
PID 2056 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\LALXfrU.exe
PID 2056 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\LALXfrU.exe
PID 2056 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\qNjXuPB.exe
PID 2056 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\qNjXuPB.exe
PID 2056 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | C:\Windows\System\qNjXuPB.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\UiWmzBl.exe

C:\Windows\System\UiWmzBl.exe

C:\Windows\System\QVSUDMR.exe

C:\Windows\System\QVSUDMR.exe

C:\Windows\System\wptfawH.exe

C:\Windows\System\wptfawH.exe

C:\Windows\System\GiqJURa.exe

C:\Windows\System\GiqJURa.exe

C:\Windows\System\IBYzrIv.exe

C:\Windows\System\IBYzrIv.exe

C:\Windows\System\bYTjfEQ.exe

C:\Windows\System\bYTjfEQ.exe

C:\Windows\System\zklPevg.exe

C:\Windows\System\zklPevg.exe

C:\Windows\System\luPqsVz.exe

C:\Windows\System\luPqsVz.exe

C:\Windows\System\QfzJqWC.exe

C:\Windows\System\QfzJqWC.exe

C:\Windows\System\kUkRCZu.exe

C:\Windows\System\kUkRCZu.exe

C:\Windows\System\txqIwhB.exe

C:\Windows\System\txqIwhB.exe

C:\Windows\System\eHQZGZn.exe

C:\Windows\System\eHQZGZn.exe

C:\Windows\System\rkPXngq.exe

C:\Windows\System\rkPXngq.exe

C:\Windows\System\ubSVwOv.exe

C:\Windows\System\ubSVwOv.exe

C:\Windows\System\pFreTGv.exe

C:\Windows\System\pFreTGv.exe

C:\Windows\System\MvwqyNI.exe

C:\Windows\System\MvwqyNI.exe

C:\Windows\System\OcIsmgy.exe

C:\Windows\System\OcIsmgy.exe

C:\Windows\System\hhAGcis.exe

C:\Windows\System\hhAGcis.exe

C:\Windows\System\BRqKtBg.exe

C:\Windows\System\BRqKtBg.exe

C:\Windows\System\LALXfrU.exe

C:\Windows\System\LALXfrU.exe

C:\Windows\System\qNjXuPB.exe

C:\Windows\System\qNjXuPB.exe

Network

Country | Destination | Domain | Proto
DE | 3.120.209.58:8080 | N/A | tcp
DE | 3.120.209.58:8080 | N/A | tcp
DE | 3.120.209.58:8080 | N/A | tcp
DE | 3.120.209.58:8080 | N/A | tcp
DE | 3.120.209.58:8080 | N/A | tcp
DE | 3.120.209.58:8080 | N/A | tcp

Files


memory/2740-42-0x000000013FE50000-0x00000001401A4000-memory.dmp

memory/2056-41-0x0000000002380000-0x00000000026D4000-memory.dmp

C:\Windows\system\GiqJURa.exe

MD5 667354188761882bdf6fd487954c2169
SHA1 2fcadbc89a750bc65dd6e8f734b6133cf0ca75a3
SHA256 397f81359d41b90bab2b3a576aadf7fcb6ce1c3591ad5fe6ec302bcbdfa04d8c
SHA512 44354dbe90ba3d36379a42956e60ec2b45e96cc818c79d9a1d9d2036f8a50ba0d87c0488ffd83239a9bb2017c0f87fa153ad6004d7e3218d8f71bad13fe2ba39

memory/2692-31-0x000000013FB60000-0x000000013FEB4000-memory.dmp

memory/2056-29-0x0000000002380000-0x00000000026D4000-memory.dmp

memory/2972-27-0x000000013F4B0000-0x000000013F804000-memory.dmp

memory/2876-137-0x000000013F110000-0x000000013F464000-memory.dmp

memory/2056-138-0x0000000002380000-0x00000000026D4000-memory.dmp

memory/1508-139-0x000000013F0F0000-0x000000013F444000-memory.dmp

memory/2972-140-0x000000013F4B0000-0x000000013F804000-memory.dmp

memory/2692-141-0x000000013FB60000-0x000000013FEB4000-memory.dmp

memory/2024-142-0x000000013F230000-0x000000013F584000-memory.dmp

memory/2320-143-0x000000013F9E0000-0x000000013FD34000-memory.dmp

memory/2740-144-0x000000013FE50000-0x00000001401A4000-memory.dmp

memory/2604-145-0x000000013F830000-0x000000013FB84000-memory.dmp

memory/2704-146-0x000000013F210000-0x000000013F564000-memory.dmp

memory/2716-147-0x000000013F7D0000-0x000000013FB24000-memory.dmp

memory/2792-148-0x000000013F3F0000-0x000000013F744000-memory.dmp

memory/2504-149-0x000000013F350000-0x000000013F6A4000-memory.dmp

memory/2964-151-0x000000013FA50000-0x000000013FDA4000-memory.dmp

memory/2876-152-0x000000013F110000-0x000000013F464000-memory.dmp

memory/2620-150-0x000000013F2B0000-0x000000013F604000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 00:08

Reported

2024-06-28 00:11

Platform

win10v2004-20240508-en

Max time kernel

140s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\XTqZRbd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ehcKjPL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ptfrIlk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WoYzCtR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VScCFwL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\altAbnZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kMMUGvG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hkVuNhx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DBAmxXV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SQrgWoE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EvBhLdO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PJWYjcw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fdVbIBd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BHrmBaS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\giUUhtM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ehLPuHe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ehxXtdc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JVizWlp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\olbcXUf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eeXGkHG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mzqXjUx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2684 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XTqZRbd.exe
PID 2684 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XTqZRbd.exe
PID 2684 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kMMUGvG.exe
PID 2684 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kMMUGvG.exe
PID 2684 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ehcKjPL.exe
PID 2684 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ehcKjPL.exe
PID 2684 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\giUUhtM.exe
PID 2684 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\giUUhtM.exe
PID 2684 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hkVuNhx.exe
PID 2684 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hkVuNhx.exe
PID 2684 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ehxXtdc.exe
PID 2684 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ehxXtdc.exe
PID 2684 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JVizWlp.exe
PID 2684 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JVizWlp.exe
PID 2684 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DBAmxXV.exe
PID 2684 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DBAmxXV.exe
PID 2684 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SQrgWoE.exe
PID 2684 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SQrgWoE.exe
PID 2684 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EvBhLdO.exe
PID 2684 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EvBhLdO.exe
PID 2684 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PJWYjcw.exe
PID 2684 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PJWYjcw.exe
PID 2684 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ehLPuHe.exe
PID 2684 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ehLPuHe.exe
PID 2684 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ptfrIlk.exe
PID 2684 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ptfrIlk.exe
PID 2684 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WoYzCtR.exe
PID 2684 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WoYzCtR.exe
PID 2684 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\olbcXUf.exe
PID 2684 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\olbcXUf.exe
PID 2684 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VScCFwL.exe
PID 2684 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VScCFwL.exe
PID 2684 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fdVbIBd.exe
PID 2684 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fdVbIBd.exe
PID 2684 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eeXGkHG.exe
PID 2684 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eeXGkHG.exe
PID 2684 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mzqXjUx.exe
PID 2684 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mzqXjUx.exe
PID 2684 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\altAbnZ.exe
PID 2684 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\altAbnZ.exe
PID 2684 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BHrmBaS.exe
PID 2684 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BHrmBaS.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\XTqZRbd.exe

C:\Windows\System\XTqZRbd.exe

C:\Windows\System\kMMUGvG.exe

C:\Windows\System\kMMUGvG.exe

C:\Windows\System\ehcKjPL.exe

C:\Windows\System\ehcKjPL.exe

C:\Windows\System\giUUhtM.exe

C:\Windows\System\giUUhtM.exe

C:\Windows\System\hkVuNhx.exe

C:\Windows\System\hkVuNhx.exe

C:\Windows\System\ehxXtdc.exe

C:\Windows\System\ehxXtdc.exe

C:\Windows\System\JVizWlp.exe

C:\Windows\System\JVizWlp.exe

C:\Windows\System\DBAmxXV.exe

C:\Windows\System\DBAmxXV.exe

C:\Windows\System\SQrgWoE.exe

C:\Windows\System\SQrgWoE.exe

C:\Windows\System\EvBhLdO.exe

C:\Windows\System\EvBhLdO.exe

C:\Windows\System\PJWYjcw.exe

C:\Windows\System\PJWYjcw.exe

C:\Windows\System\ehLPuHe.exe

C:\Windows\System\ehLPuHe.exe

C:\Windows\System\ptfrIlk.exe

C:\Windows\System\ptfrIlk.exe

C:\Windows\System\WoYzCtR.exe

C:\Windows\System\WoYzCtR.exe

C:\Windows\System\olbcXUf.exe

C:\Windows\System\olbcXUf.exe

C:\Windows\System\VScCFwL.exe

C:\Windows\System\VScCFwL.exe

C:\Windows\System\fdVbIBd.exe

C:\Windows\System\fdVbIBd.exe

C:\Windows\System\eeXGkHG.exe

C:\Windows\System\eeXGkHG.exe

C:\Windows\System\mzqXjUx.exe

C:\Windows\System\mzqXjUx.exe

C:\Windows\System\altAbnZ.exe

C:\Windows\System\altAbnZ.exe

C:\Windows\System\BHrmBaS.exe

C:\Windows\System\BHrmBaS.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
