Malware Analysis Report

2024-10-23 18:50

Sample ID 240628-afvheazerf
Target 2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat
SHA256 bd8c88455e79dcf2211ebe1e27ee828fa94fd189943c063dc3d172ca9e968192
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
Score
10/10

Analysis Overview

Score
10/10

SHA256

bd8c88455e79dcf2211ebe1e27ee828fa94fd189943c063dc3d172ca9e968192

Threat Level: Known bad

The file 2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike family

Xmrig family

UPX dump on OEP (original entry point)

Cobalt Strike reflective loader

Detects Reflective DLL injection artifacts

xmrig

Cobaltstrike

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-28 00:09

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 00:09

Reported

2024-06-28 00:12

Platform

win7-20240611-en

Max time kernel

125s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\aUIUElm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kpAcRue.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kkrkjkt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GzqisrQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aSbnput.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fgYFgHW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kxTWSrO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xXZZWKF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RVICoaZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yvysSnB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BqcGzzk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iYSMuYU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CjfYUHx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KVYdYmF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Teerzcr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lIgskMm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nUdYlyi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IbcNBqu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xOmTbvp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ynhKBKn.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fTLSsgV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2448 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fgYFgHW.exe
PID 2448 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fTLSsgV.exe
PID 2448 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aUIUElm.exe
PID 2448 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lIgskMm.exe
PID 2448 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BqcGzzk.exe
PID 2448 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kpAcRue.exe
PID 2448 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kkrkjkt.exe
PID 2448 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kxTWSrO.exe
PID 2448 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xXZZWKF.exe
PID 2448 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iYSMuYU.exe
PID 2448 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nUdYlyi.exe
PID 2448 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RVICoaZ.exe
PID 2448 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CjfYUHx.exe
PID 2448 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IbcNBqu.exe
PID 2448 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GzqisrQ.exe
PID 2448 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KVYdYmF.exe
PID 2448 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yvysSnB.exe
PID 2448 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xOmTbvp.exe
PID 2448 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Teerzcr.exe
PID 2448 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aSbnput.exe
PID 2448 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ynhKBKn.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\fgYFgHW.exe

C:\Windows\System\fgYFgHW.exe

C:\Windows\System\fTLSsgV.exe

C:\Windows\System\fTLSsgV.exe

C:\Windows\System\aUIUElm.exe

C:\Windows\System\aUIUElm.exe

C:\Windows\System\lIgskMm.exe

C:\Windows\System\lIgskMm.exe

C:\Windows\System\BqcGzzk.exe

C:\Windows\System\BqcGzzk.exe

C:\Windows\System\kpAcRue.exe

C:\Windows\System\kpAcRue.exe

C:\Windows\System\kkrkjkt.exe

C:\Windows\System\kkrkjkt.exe

C:\Windows\System\kxTWSrO.exe

C:\Windows\System\kxTWSrO.exe

C:\Windows\System\xXZZWKF.exe

C:\Windows\System\xXZZWKF.exe

C:\Windows\System\iYSMuYU.exe

C:\Windows\System\iYSMuYU.exe

C:\Windows\System\nUdYlyi.exe

C:\Windows\System\nUdYlyi.exe

C:\Windows\System\RVICoaZ.exe

C:\Windows\System\RVICoaZ.exe

C:\Windows\System\CjfYUHx.exe

C:\Windows\System\CjfYUHx.exe

C:\Windows\System\IbcNBqu.exe

C:\Windows\System\IbcNBqu.exe

C:\Windows\System\GzqisrQ.exe

C:\Windows\System\GzqisrQ.exe

C:\Windows\System\KVYdYmF.exe

C:\Windows\System\KVYdYmF.exe

C:\Windows\System\yvysSnB.exe

C:\Windows\System\yvysSnB.exe

C:\Windows\System\xOmTbvp.exe

C:\Windows\System\xOmTbvp.exe

C:\Windows\System\Teerzcr.exe

C:\Windows\System\Teerzcr.exe

C:\Windows\System\aSbnput.exe

C:\Windows\System\aSbnput.exe

C:\Windows\System\ynhKBKn.exe

C:\Windows\System\ynhKBKn.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2448-0-0x000000013FFE0000-0x0000000140334000-memory.dmp

memory/2448-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\fgYFgHW.exe

MD5 9b9b0b180d7deea2a9884a49e0f79438
SHA1 6f7f247454e7b20fa4a549d8c7e19b0622754fb8
SHA256 e9466a5627285b7b6a4e193d34f849aa215a612c23d1096ac698c09b5018276a
SHA512 abaa576082a9bce61ec609108d37726473ffb308e9886042a8fa628298b79426435787fced5b7dc6d946938277423ba4485bc2a2f845e5c1faef4791c83cf7f7

memory/1664-8-0x000000013F6E0000-0x000000013FA34000-memory.dmp

C:\Windows\system\fTLSsgV.exe

MD5 2f15200a753992b8cb99839c41af2677
SHA1 9819c9f2ca8e11c952f68eebecb12118ca652f7d
SHA256 b6ca8abe372b0c36a7d57cdf286972b66caf3668e6f159d9ed6a95b487ec9011
SHA512 f26b12f4cbb2efbe0069b83a5dd40f41362217bde5a2e0ec93cb7a22729985e459e4a3d09554f761398e8fec42e1bea411d6bea07403501ff93eebb10f0c64b7

C:\Windows\system\aUIUElm.exe

MD5 53e84c94c978f34d5af7ae5e39e1898b
SHA1 2a8323f910f9db1508d8638e296f29fa94a629c5
SHA256 d1132f1363d077ec1813c5b0cc7c14bbc29cc493c1ac1fb3db810687f4acca4e
SHA512 630ff20f0212dc02bb4c3660dc86aa50b8b1243abf23036cacfa15900b9b05ca3a6ce2d863832057de6edab67417a279118142773fc1a49c56adc0481709e45b

memory/1092-15-0x000000013F080000-0x000000013F3D4000-memory.dmp

memory/2448-13-0x000000013F080000-0x000000013F3D4000-memory.dmp

memory/2724-23-0x000000013F700000-0x000000013FA54000-memory.dmp

\Windows\system\lIgskMm.exe

MD5 332d98f0a33a36efb90f4a22122d009d
SHA1 f1b481394354856600256cb58186412f8f724c52
SHA256 dc3b5146c329b9637a8b307723cac216d93d370e30d97fc11f3b0898e3cb685e
SHA512 b198ac27159045022803a48eb7a25c6770a6d17a6205fbdb1957fa39c299f7a43504374dd20e3f41ef5e63745c90b1e11b30fdc71f76dc58a908bd7b2d7674c6

memory/2448-21-0x000000013F700000-0x000000013FA54000-memory.dmp

memory/2720-29-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/2448-26-0x000000013F860000-0x000000013FBB4000-memory.dmp

\Windows\system\BqcGzzk.exe

MD5 454b8cff9ed44e6c7f1a46ca9d60b8ff
SHA1 41fcb6841affc046d85438d9ac10b5f73cc7d8c9
SHA256 926de82ec15f332224139cb5c552d17b39ef7fccec4e097b6c40f51e4236e665
SHA512 640899104a74c8de954bb80bf8508d6791d2039c6f9cea448e17583a4e596cd15fd3406fc68125f790e50d3c011bd873a8a363012facb17f6f809c1b00d370df

memory/2504-35-0x000000013FAC0000-0x000000013FE14000-memory.dmp

memory/2448-33-0x000000013FAC0000-0x000000013FE14000-memory.dmp

\Windows\system\kkrkjkt.exe

MD5 a966c1bef3f6958f2e82683035f450c9
SHA1 7eb6c0ac29dfbd74eeb6b87c6f16455e73794cec
SHA256 bff7385a37836029edc01b1158842a96362d32e0ab01c4ae498349f22635a78f
SHA512 8468dcf8694410650abe75126e84eddcefe1bccf6e3213490802f33220824170daf7ca8b9a79d21f3e6770f019037ea9f443b3ac73789950606adb7bf3a9bc90

C:\Windows\system\kxTWSrO.exe

MD5 0a66d13bcab04f3048408ee7f935e66a
SHA1 3eb59e1193dc89009088afab45d00f537fd8e58e
SHA256 7806e6ddfba3f74103a6b7ef84466923e8252a317689fc35e8655a4d8d3c7cbb
SHA512 637f37be12bfb11dba571a7adc954b659d79a6695b3ae5b06ea9d8447eb6cc1f2e376bd6f9b7d52246ac0613d747bdbc7a559f8c45952f04cf602645514c1061

\Windows\system\iYSMuYU.exe

MD5 d52cc562f5f662707286525b94389f6a
SHA1 7dddf12e527b47ccb0ed0658d3e95718c0da137d
SHA256 1add77a5a0c14bcce002122289c2df91b98bf7af0e4e503cfc8fa5236b3877c3
SHA512 8f42e840b1efe9fc4c0f4da1d3b949deab9fa649a6458519911dd803c2600e90a4c48d10599d47250775c4fcebf88d4fe90682b549b7b103fb1dc9fba6795d12

memory/2524-61-0x000000013F900000-0x000000013FC54000-memory.dmp

memory/2448-62-0x000000013F220000-0x000000013F574000-memory.dmp

memory/2556-63-0x000000013F610000-0x000000013F964000-memory.dmp

memory/2820-65-0x000000013F220000-0x000000013F574000-memory.dmp

memory/2692-66-0x000000013F1F0000-0x000000013F544000-memory.dmp

memory/2448-68-0x000000013F610000-0x000000013F964000-memory.dmp

memory/2492-70-0x000000013F250000-0x000000013F5A4000-memory.dmp

C:\Windows\system\xXZZWKF.exe

MD5 85f24b07f9d6e22b25da6ee54f0d9676
SHA1 ea23f7093d3a9eefd415cb971a27c68da9c63c5e
SHA256 0db6925ad7a074538815121a1da46ec16022b1caabe113597e521b9380320646
SHA512 c5715e8208f47a6eaaf477188a45e09d6e89e31221c819a2191c630d72d7b9c180eadae0863cbae110d2e2a6533ff99cf54b34028b8c701698b3164385ba8eef

\Windows\system\nUdYlyi.exe

MD5 3cf99f75aa002c4ce800079cacea39aa
SHA1 8c91ff30fb92c6bb9bea5f438cea448346b877b9
SHA256 dbe76744b77d6262ca3dfe931bb8fd7bb7f277b625017a2442efe2b86fbde224
SHA512 b452828e713be097f09be3116741ec282d4c37ad09a1b7f15791d29b8dddcd576c36b667e4bec44f384396bee4721cd89832ee1d78436fb79ce6f268a40d6798

C:\Windows\system\RVICoaZ.exe

MD5 0d0345f05bf9650cd32def2f6a99e92c
SHA1 add5378541e93f1ae2a483d0b9935514e520720d
SHA256 f9b91e9a5c078017df225f9630ed1113077e124f3bbe0e9a081166c8e8947b2d
SHA512 e95f8eafa1d77b1d16a72c00b21e6eccee1d0e3021273d0558e17a45b1060e1e4e6146545b1c83d9bcd964b0795d4a7891f42db40cf4c2136460888bb171be86

memory/568-85-0x000000013FE80000-0x00000001401D4000-memory.dmp

memory/1684-77-0x000000013FFC0000-0x0000000140314000-memory.dmp

memory/2448-74-0x00000000024F0000-0x0000000002844000-memory.dmp

memory/1092-73-0x000000013F080000-0x000000013F3D4000-memory.dmp

memory/2448-84-0x00000000024F0000-0x0000000002844000-memory.dmp

memory/1664-72-0x000000013F6E0000-0x000000013FA34000-memory.dmp

\Windows\system\IbcNBqu.exe

MD5 c3b9fa992060b26509f391510ac37dc9
SHA1 245c01c5d0988850a47ba40153a5b6508dd2f506
SHA256 5ff23bd40b1d344a4643bd8c3b7a274a94dc793483430e7a4a9ff5e99c3b0902
SHA512 9724f60fc21a4e046faa790a8fc6833eea52dd5bc8985291a094b45006713c26ff6410c3358d5dbfe28f5c735b367f3b31ec07524939a2fe6dcf9bd77c766cdc

memory/1100-99-0x000000013F3F0000-0x000000013F744000-memory.dmp

\Windows\system\ynhKBKn.exe

MD5 aed104fa2d318b7d114aebdea7645cba
SHA1 7c280f7106882987b18268cf503fe5e7ed15a480
SHA256 5ebee3520dfdfe082ae7e912ddbef8f642d5b646f8fed2cb9c793d7d60f9d235
SHA512 7ce91d3a1ef6c37ac2ecb9bc8ef9c1164f0fdef44b378ad3797a4a911d4864a9f90ede7accb11ec5dbfd211f05215fed0ea348d7ea590bef7b0f05e8098fb6e6

C:\Windows\system\aSbnput.exe

MD5 a4c93bf0e85ed7d4fb35471cf3381b1d
SHA1 b0d4e31d37eaa75bbc69e14109ca0b5cfb05dc04
SHA256 95a66afe16aea98eb58afd6d3bb12bbb156448054c4ebe49764b3574cc9f6dca
SHA512 a54a73cb31b179eceb7946a2e16316285c12269d98dc67b36f009863a3afcf1ccbb0bec23c8639ac17e5a76a7eda6dbd57ca27e5dddb9c3d208173e3544f97eb

C:\Windows\system\Teerzcr.exe

MD5 bf4a3abe2677db8635b91e7cdd2df541
SHA1 21bff9af515e09d2bc6776eb1973d02b62ada669
SHA256 f7f5e432939e842741c3c422a9aa385a192081ae9d80be2ffca08424f3c6d958
SHA512 07f070022b1caca6f20cf93042579467c65f34d78071999f54b8b0d151d5c0ccc4755c78b23c22baf48b112e8bd1d1efd032f1a06205713aac01a79825ad085f

C:\Windows\system\xOmTbvp.exe

MD5 ce5f285999b239a9c6e7b6c7dce6a3e2
SHA1 688f39549619b30df0a4ec66409db15aafdf8fbb
SHA256 f4a63e4fabf9c2f3685a6b6c94703b9711dd8e3d2713d507d64619049af4e54d
SHA512 328ab147979907021eb6742ed269da12c7f9482c7a95161b0a89414ff020f4903544cbc6695071ca7dde98af238ba991f701c3cefd01a03a7eede3b81fb1779b

C:\Windows\system\yvysSnB.exe

MD5 6b8ae37ed21b350e1780be61db351ed5
SHA1 56d50241079caa360a62aa77b4991b12928c2e0b
SHA256 15e9694be6efd4ff8419149e7e1a5c838ffabeb32067eee100290c4d2ea33351
SHA512 9596f9a0f47779233ca64e4179cb27a4445beb55471903232cd842d264f3fa44ca7f08fddda237e7baf1264f835008338053f5e6f1b7a4b1afb284a4d45570bc

C:\Windows\system\KVYdYmF.exe

MD5 fb25a91ee8148571322b00972acf9e4b
SHA1 d5b2c4b69c8f20e744ad95315f48f861e868f474
SHA256 5b4c91d087d21b1d74fbe4f67e50066f7f03035a84d3e2c428a8704481418315
SHA512 682cc39d2967dc8fdbd8afb2ebd762fc6907531efebc80df097f24b4a6e0545c4e0bfbf4afd314f86082282f4b0e5a3040044943b0213e0e887c5ebaeff9fbde

C:\Windows\system\GzqisrQ.exe

MD5 0b41071ab8efba71445928166350316a
SHA1 7eb3c278890521f7e68d1f615558c1a3c627b373
SHA256 8bc10a2b922be47f2b6ab1fbdc66b0619fc6ca1bd51465275858c7b2fdd69617
SHA512 73046b04c7d51b6ebc5237816a4dc8fe990630efea39d48bcd526fb8c578db10fab792413b258460e68093a9da0a8df1736658645a6359d13649e26b8454bdc3

C:\Windows\system\CjfYUHx.exe

MD5 516d0a8270ffd90b3aa04f0ff35fb0d5
SHA1 f7d9b47baf6092a53224eff55423dc1d515e66ac
SHA256 d48799fdcce7ff0b21b1577cb3447d365d0934af3fe57c042639591fdc541869
SHA512 55581a4d523f867ce099f71284290f7748860612ff6c213e93ce81039d169201d0eaf72b67f4d62636eb1040c6c27bead698ab96de90e2cbc3e543df329e61ac

C:\Windows\system\kpAcRue.exe

MD5 6bdf10c734cb90c16630712357c19e91
SHA1 e1cd58eb99025c40e2cb8fa1123ba0eb800a7e7d
SHA256 a817e04136a9c6d7e3a04993d2b4a9f59ec1c7faefee3b270d96760896b9f990
SHA512 3fd4ce18c44dc56b977a4b664afec9e2a0fc5c72f83a7093e4d5126c887a6f4ad7a354af6db1a779bd8e2b5472b79b7a91ac0ac38408736404355eccfa7bee80

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 00:09

Reported

2024-06-28 00:12

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\eDfWmRA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jhXbILX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CUShHDE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SMbCOmg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tSTkyKO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vXuROry.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\niECUCb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RbGvbOT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mwehoFt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UkEgBdT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SubrnTR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SvzWlCP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tDQOYsi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wBjrwEL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jkYBqZj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CQKCgwc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CLhgqeN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nGOdEPQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kfpdSGF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IgeXUqX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\plXUzsP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4832 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CLhgqeN.exe
PID 4832 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CLhgqeN.exe
PID 4832 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CUShHDE.exe
PID 4832 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CUShHDE.exe
PID 4832 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nGOdEPQ.exe
PID 4832 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nGOdEPQ.exe
PID 4832 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kfpdSGF.exe
PID 4832 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kfpdSGF.exe
PID 4832 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SvzWlCP.exe
PID 4832 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SvzWlCP.exe
PID 4832 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RbGvbOT.exe
PID 4832 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RbGvbOT.exe
PID 4832 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tDQOYsi.exe
PID 4832 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tDQOYsi.exe
PID 4832 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SMbCOmg.exe
PID 4832 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SMbCOmg.exe
PID 4832 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wBjrwEL.exe
PID 4832 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wBjrwEL.exe
PID 4832 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tSTkyKO.exe
PID 4832 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tSTkyKO.exe
PID 4832 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vXuROry.exe
PID 4832 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vXuROry.exe
PID 4832 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IgeXUqX.exe
PID 4832 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IgeXUqX.exe
PID 4832 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\niECUCb.exe
PID 4832 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\niECUCb.exe
PID 4832 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\plXUzsP.exe
PID 4832 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\plXUzsP.exe
PID 4832 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jkYBqZj.exe
PID 4832 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jkYBqZj.exe
PID 4832 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eDfWmRA.exe
PID 4832 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eDfWmRA.exe
PID 4832 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CQKCgwc.exe
PID 4832 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CQKCgwc.exe
PID 4832 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mwehoFt.exe
PID 4832 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mwehoFt.exe
PID 4832 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jhXbILX.exe
PID 4832 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jhXbILX.exe
PID 4832 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UkEgBdT.exe
PID 4832 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UkEgBdT.exe
PID 4832 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SubrnTR.exe
PID 4832 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SubrnTR.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\CLhgqeN.exe

C:\Windows\System\CLhgqeN.exe

C:\Windows\System\CUShHDE.exe

C:\Windows\System\CUShHDE.exe

C:\Windows\System\nGOdEPQ.exe

C:\Windows\System\nGOdEPQ.exe

C:\Windows\System\kfpdSGF.exe

C:\Windows\System\kfpdSGF.exe

C:\Windows\System\SvzWlCP.exe

C:\Windows\System\SvzWlCP.exe

C:\Windows\System\RbGvbOT.exe

C:\Windows\System\RbGvbOT.exe

C:\Windows\System\tDQOYsi.exe

C:\Windows\System\tDQOYsi.exe

C:\Windows\System\SMbCOmg.exe

C:\Windows\System\SMbCOmg.exe

C:\Windows\System\wBjrwEL.exe

C:\Windows\System\wBjrwEL.exe

C:\Windows\System\tSTkyKO.exe

C:\Windows\System\tSTkyKO.exe

C:\Windows\System\vXuROry.exe

C:\Windows\System\vXuROry.exe

C:\Windows\System\IgeXUqX.exe

C:\Windows\System\IgeXUqX.exe

C:\Windows\System\niECUCb.exe

C:\Windows\System\niECUCb.exe

C:\Windows\System\plXUzsP.exe

C:\Windows\System\plXUzsP.exe

C:\Windows\System\jkYBqZj.exe

C:\Windows\System\jkYBqZj.exe

C:\Windows\System\eDfWmRA.exe

C:\Windows\System\eDfWmRA.exe

C:\Windows\System\CQKCgwc.exe

C:\Windows\System\CQKCgwc.exe

C:\Windows\System\mwehoFt.exe

C:\Windows\System\mwehoFt.exe

C:\Windows\System\jhXbILX.exe

C:\Windows\System\jhXbILX.exe

C:\Windows\System\UkEgBdT.exe

C:\Windows\System\UkEgBdT.exe

C:\Windows\System\SubrnTR.exe

C:\Windows\System\SubrnTR.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3816 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 20.231.121.79:80 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\CLhgqeN.exe

MD5 e64015da51c574193f8462893c7b9ed9
SHA1 961cce3cff7dbf3e2c8b9ff649ee74d3b4890454
SHA256 ef7c80c7ec78f283bef69a79be01501f8f76e8c3d59d1227f19250d937422852
SHA512 1509c6d094dd8a8b8fced6eedbb020e9e4600316de7289f10c6d55674485c836c1331fda9f0e2f3e68236b3dbf20fc22b16ef2f00f888a2e2675dce100b35746

C:\Windows\System\CUShHDE.exe

MD5 5c64b95c95eec6c5f9b90b6744a12ecf
SHA1 8f8ef0b16706d6e974575c132fe695703a652f58
SHA256 b6424f123048213d5d7d1cfc640ee4421c6a494b05eceba8317e47e44fcf1b26
SHA512 7e9097d0391c8b95a1a8901e3245c4dbf93a82a2c450cd3b393c491e405152bcef684043ce228f63de24fc155d8858d07afe150d6a99fa67f3f629f886ef4bfa

C:\Windows\System\nGOdEPQ.exe

MD5 e54b77bd47b366975b4f2400a94f4d59
SHA1 dbb7980fa9393fd6c83b5a134f8e9d10d8dbd8e4
SHA256 b7faea29d1f1b3d9a1acf72bb2eef55c290c80a2dcf05fc770c8955278fcc6a1
SHA512 cf943a25b12b42f6fbfd3ad849b99d7e6be0f327fc14897285e5f97f71aff5d7591a02afd3e478bab8a996ae08130f5a603573d080e0a85b34c235a365a8c15d

C:\Windows\System\kfpdSGF.exe

MD5 3568e13905e01b4b12cab1df4838808a
SHA1 51475d3561154bb28b647ae5bd2add27d78e71e9
SHA256 5fa37358a1643880206df05738a4cc140a6edb64003bd4c02774c27c9ddce432
SHA512 d7e88bc7c08ec6c8c6c21fe741d1ed0d729283eec32ac7e6423cc2b29b47be380f6b4441f0faf0cd75d7ab65516b9d849b85484162ea214a915cbaf7b5ac4f1a

C:\Windows\System\SvzWlCP.exe

MD5 4f757c994278c9c728273ffa81b80d8a
SHA1 ef68deb389ff438d3622282b9d1851f8b1f652f9
SHA256 3a520d631a769e39bf9bc614f5e19cc797396ffcdc903f03e39f574bc81bb319
SHA512 75aac85df161f7f3f7ba7eb74ce9270c924e8bffacb937b6235e17cc01503311cde28fa2f516dd4cc0e443458f09621cd2674ecbb4f3496a309d04aa05000341

C:\Windows\System\RbGvbOT.exe

MD5 310f0e3417753cc23423f995abcd0fc7
SHA1 626d6ec65186d52f25686ce76e2794cfb0559606
SHA256 4e27bd1f357ada62acd78fac42451fc80db1ba60c2f069cc520b102a25272a99
SHA512 f7db990548d6e01e6b770835f90f9aa4dc1a685f70af57e0ad545c5a4bda37b30a15c1b897423877e4e8d06b5ce334b2f1f0becb57f678c2bf0d5d939516af43

C:\Windows\System\tDQOYsi.exe

MD5 2b380ea718021b660e39e5d92b3fe369
SHA1 aef061d3045a0a873b854684748408239665c861
SHA256 8f2a4d36b9445335dbc6925bfa10b721d592aa4c5e6196f2ef2ce8817fb47793
SHA512 2effa907071fa49292929490b2f29070ab3faf0d57e11a2e4e3e1b0965540af39f0195ce69d79859b4785d6d80988f293502caf92f80fd470621330ecc4db9c6

C:\Windows\System\SMbCOmg.exe

MD5 061c1db3fe31861d49ee24a3f2f920e5
SHA1 1d897ff09563dad730db12a466fb0f989cfcd167
SHA256 49b2467d841d3d2666e47b476666be763f8d573952c56d778c9be01c98a9f137
SHA512 b8a98b2d4d69cecbeaba11a46497c08276179ae08d5ce6610210c700d61882879d3b962fc1f8259ff1373961088d861f6e991a5caefb57ca74e0596fa0b314ef

C:\Windows\System\wBjrwEL.exe

MD5 51153bc8dacb1eb0aded996c9f6585c8
SHA1 abe7e0c57d5f6615bcfa707eb8cab2187cd77dee
SHA256 84bbe8b10c2cc48ac1ce8c9450032d0c6fc6e13eba648d14e65104198c7c9d6a
SHA512 6816fe5152ac9d1ed3e05778732b619f73cd5ca5fb8e0a5972eb3f46f0651f915dc7bea87f81e34ae2d8cb4109c2fb34327b531f71e20b2415b7a264ce80f510

C:\Windows\System\tSTkyKO.exe

MD5 eeb35490739c0fecce7583ca1235a666
SHA1 adaf2d732f71541a564534202c56464969d830a7
SHA256 ede418d6791890aa0166ebe47f8818a84baf1973e73f9d5121cba2725f01e3a2
SHA512 1075180f72025259d18c327f4b633d5544a11462d9b74d6d4b77a218d03e582fc29cc532e7685071a57c7f70dbb0006a7f0a785a3577acfe1370654f402ce991

C:\Windows\System\vXuROry.exe

MD5 8641b56c29ddb9a76f437542abc16f56
SHA1 b5b2b93c19df6969612e811b3baccec64a3b8e7e
SHA256 7a4a12fc22a296b7d27dc421e2b4e152aa1b3d77aad63a2865419bc3c6255d13
SHA512 3848d806b51c4243840b2b704d9262ec583b0f821cc576acf424e26468fb19cac0fc562ab3b26473bce8207e74a721b2d5dba58f51dd1f558191f40a50c67718

C:\Windows\System\IgeXUqX.exe

MD5 ff206b31d252b834c6dbfb5eb2ade946
SHA1 3500ffe5cec5c5a867e015c6c6078c5c0b1725ed
SHA256 a21ca6b3955a0d569722f4c1b9de0846005c6f4dc8e3597875565ea6d4561b12
SHA512 f4c7ba1de28ad9899017736af1ab401f03a0d13545106c6b7c71a82411659b05fb19c0e9ce015f549ececf533c138323543676bb1b74a16365a7d7aa49f25bc5

C:\Windows\System\niECUCb.exe

MD5 0fe36ebedb98afe1b61af6d0efc5018b
SHA1 5bb6d3cd0a441dd11839d64f3a1f15d6cb16c1eb
SHA256 de58873d77dc1d4221e5663fab26c3a838a60065b64fdd2fb20f70b250e75619
SHA512 225ed1cea04c99ca270a1c18259328c2cfdfe55dccd9817b1531b20c7e6ae0c26916893b4bbe58d19e7435a7102a8bb0e672c656a48906d6e856a91665f88b7a

C:\Windows\System\plXUzsP.exe

MD5 bf57337649177c9f462610385292e735
SHA1 d9c19c31e676fee08162fadc3b6bbaa3ea441de9
SHA256 faa1c308b3672354c45516a9f7263dd87831a174ef4c358d5d6a281de2dda481
SHA512 5da71522fa2d4ec17659a63d0ad2fb304cd2500fec5e73668c6c80c276b4d3504f1a29e58c799f7a86f18478670dc4c53d07a150eb26b73ba6d5aea05138647c

C:\Windows\System\jkYBqZj.exe

MD5 f1e29870bbed3996f382a9ef6f6be455
SHA1 b10099380c946fca6f50550a90fc587af1d6e2dc
SHA256 6547fb5b4d5832a4846f9f46a80a6451d7b3c6143b9d0e0ded0693e9be56ab60
SHA512 4f66df3769afaaa45ab191eabc41b4fbfa66cc50b4bcbf767ef05312b038858c07d8e5f17358ec7387b3bd38072620bc21be5ac307a081715210a951fef6d836

C:\Windows\System\eDfWmRA.exe

MD5 782656c6db398648608bf6aca19ea800
SHA1 b960f681d4f8f4ad3b242bf6b6f80e4bb6667940
SHA256 9b1c41a9dbc6f789773dbe14b965ff275662353a17e8e476357bcfcaca95acac
SHA512 012f3c3473b2a437835028e25fb37a84842a804e73821cf4cdbbd1dbb49301a3de2a82e07289b5c6882dd5ed7df7c433ec686d38de13b549ce74e17c842ccfe9

C:\Windows\System\CQKCgwc.exe

MD5 c0385d4f1ed2a2cc6f0ee6223f8101eb
SHA1 d0ee132698fed8c9a461a77348fe7eb9394f2dfb
SHA256 541f985ec654c807c4ddd2e2078c16950413cb4990cd36cf46ef0ddf3719a012
SHA512 09aa3e44a24a4e93638d700dbd40fb38f018304e599acc90bbdb6ac50bf926f46ecc16e132b57cf72ffd161e1334eecff80daf7715bf3b8d529cd3d2ce93968a

C:\Windows\System\mwehoFt.exe

MD5 7fd9721d654f496c56b6af7aab599d36
SHA1 daef7d1c872384e81430c645ddd1bcdf301e153e
SHA256 6123fa1d8402b3cbfeb965eeffdd1677937d3f7c486ae0e555021473b6be30d7
SHA512 fa3a2aaab2243e58906ca344482b29053c8d3120009b719da9512a9f80729830db806021eb81a1131a1d8997affc389f6dee892f7599d34c087f80a61bc720d5

C:\Windows\System\UkEgBdT.exe

MD5 d2cdcb1024973b172cb764537e14bdba
SHA1 deb254369c8419a5ef4e1c23af97b17cfb1a645d
SHA256 2241bd870802951fafe93c24ebd15cd729cd46802ca37002fdf39a3b5a7075a8
SHA512 620f502d77658f8778cadd99d0631214f573a912859e8242e525813a540daeb8e12f07fa1e28a5081bff1c4a1eafc46efddb801b594957ddc94c968d5a731ede

C:\Windows\System\SubrnTR.exe

MD5 372f7beeb36195da5bb65836b9cd025a
SHA1 a0df11690b224b942bda1dad45a5114d01df7c6e
SHA256 7a7ed19dffe56abf47e997a9af97cf5636cb9b6cb5b38dfcafd5e7e0b2576936
SHA512 279159d84ec2ab32a247548391bf5ac322c81df852abcfe0453e771ab6c175c6ebd34c00642e6a559a99d95e4b83e0b899282a611a4aedf4157be959642f4b07

C:\Windows\System\jhXbILX.exe

MD5 716746c1c98b6eaa7a33740b95c6ba54
SHA1 72551143c6ca792a25cefe9ce72543f15c6f399a
SHA256 90ae3e50e7b791ee5240a671a2e7c488bc168353e10b73446f89f2aff7f1f3ee
SHA512 fc12d969919f257cb50eee372bc8ed6115a864992af58f601e1a0df82fa701db43d49026c98ac73c8a8ae68df8a805b3ac3e57fee9cf4b98a1c125fae078ccf6
