Malware Analysis Report

2024-10-24 18:11

Sample ID 240629-hm96fasgqc
Target 2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat
SHA256 46db20bf6710d9377378815384347b99f0d2327e4ea9306289aff17deccef1aa
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

46db20bf6710d9377378815384347b99f0d2327e4ea9306289aff17deccef1aa

Threat Level: Known bad

The file 2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike family

Cobalt Strike reflective loader

XMRig Miner payload

Xmrig family

Cobaltstrike

xmrig

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

XMRig Miner payload

UPX dump on OEP (original entry point)

Detects Reflective DLL injection artifacts

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-29 06:52

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-29 06:52

Reported

2024-06-29 06:55

Platform

win7-20240221-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 hits; identical rows collapsed, no further detail recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 hits; identical rows collapsed, no further detail recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (49 hits; identical rows collapsed, no further detail recorded)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (50 hits; identical rows collapsed, no further detail recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A (21 hits by this process; identical rows collapsed)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (49 hits; identical rows collapsed, no further detail recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\oQcqWnH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WHCylDx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GHLJtmO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DjNcrsm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RmNclhF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EpQpzBa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iJgCCYz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tQNVxzF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VkhVleG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\APXyfcS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PxCuwlW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nnzBmsr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gTyxIkj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YHPdtZU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eIrFuFX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GvAmuHo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kRVUsKo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rkmlofP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mWDnVYQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nJPRxyv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jKVPDjR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2296 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oQcqWnH.exe
PID 2296 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oQcqWnH.exe
PID 2296 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oQcqWnH.exe
PID 2296 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RmNclhF.exe
PID 2296 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RmNclhF.exe
PID 2296 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RmNclhF.exe
PID 2296 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WHCylDx.exe
PID 2296 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WHCylDx.exe
PID 2296 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WHCylDx.exe
PID 2296 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YHPdtZU.exe
PID 2296 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YHPdtZU.exe
PID 2296 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YHPdtZU.exe
PID 2296 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eIrFuFX.exe
PID 2296 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eIrFuFX.exe
PID 2296 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eIrFuFX.exe
PID 2296 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EpQpzBa.exe
PID 2296 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EpQpzBa.exe
PID 2296 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EpQpzBa.exe
PID 2296 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GvAmuHo.exe
PID 2296 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GvAmuHo.exe
PID 2296 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GvAmuHo.exe
PID 2296 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GHLJtmO.exe
PID 2296 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GHLJtmO.exe
PID 2296 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GHLJtmO.exe
PID 2296 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iJgCCYz.exe
PID 2296 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iJgCCYz.exe
PID 2296 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iJgCCYz.exe
PID 2296 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\APXyfcS.exe
PID 2296 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\APXyfcS.exe
PID 2296 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\APXyfcS.exe
PID 2296 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kRVUsKo.exe
PID 2296 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kRVUsKo.exe
PID 2296 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kRVUsKo.exe
PID 2296 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rkmlofP.exe
PID 2296 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rkmlofP.exe
PID 2296 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rkmlofP.exe
PID 2296 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DjNcrsm.exe
PID 2296 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DjNcrsm.exe
PID 2296 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DjNcrsm.exe
PID 2296 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mWDnVYQ.exe
PID 2296 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mWDnVYQ.exe
PID 2296 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mWDnVYQ.exe
PID 2296 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nJPRxyv.exe
PID 2296 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nJPRxyv.exe
PID 2296 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nJPRxyv.exe
PID 2296 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PxCuwlW.exe
PID 2296 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PxCuwlW.exe
PID 2296 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PxCuwlW.exe
PID 2296 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nnzBmsr.exe
PID 2296 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nnzBmsr.exe
PID 2296 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nnzBmsr.exe
PID 2296 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gTyxIkj.exe
PID 2296 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gTyxIkj.exe
PID 2296 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gTyxIkj.exe
PID 2296 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tQNVxzF.exe
PID 2296 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tQNVxzF.exe
PID 2296 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tQNVxzF.exe
PID 2296 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jKVPDjR.exe
PID 2296 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jKVPDjR.exe
PID 2296 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jKVPDjR.exe
PID 2296 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VkhVleG.exe
PID 2296 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VkhVleG.exe
PID 2296 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VkhVleG.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\oQcqWnH.exe

C:\Windows\System\oQcqWnH.exe

C:\Windows\System\RmNclhF.exe

C:\Windows\System\RmNclhF.exe

C:\Windows\System\WHCylDx.exe

C:\Windows\System\WHCylDx.exe

C:\Windows\System\YHPdtZU.exe

C:\Windows\System\YHPdtZU.exe

C:\Windows\System\eIrFuFX.exe

C:\Windows\System\eIrFuFX.exe

C:\Windows\System\EpQpzBa.exe

C:\Windows\System\EpQpzBa.exe

C:\Windows\System\GvAmuHo.exe

C:\Windows\System\GvAmuHo.exe

C:\Windows\System\GHLJtmO.exe

C:\Windows\System\GHLJtmO.exe

C:\Windows\System\iJgCCYz.exe

C:\Windows\System\iJgCCYz.exe

C:\Windows\System\APXyfcS.exe

C:\Windows\System\APXyfcS.exe

C:\Windows\System\kRVUsKo.exe

C:\Windows\System\kRVUsKo.exe

C:\Windows\System\rkmlofP.exe

C:\Windows\System\rkmlofP.exe

C:\Windows\System\DjNcrsm.exe

C:\Windows\System\DjNcrsm.exe

C:\Windows\System\mWDnVYQ.exe

C:\Windows\System\mWDnVYQ.exe

C:\Windows\System\nJPRxyv.exe

C:\Windows\System\nJPRxyv.exe

C:\Windows\System\PxCuwlW.exe

C:\Windows\System\PxCuwlW.exe

C:\Windows\System\nnzBmsr.exe

C:\Windows\System\nnzBmsr.exe

C:\Windows\System\gTyxIkj.exe

C:\Windows\System\gTyxIkj.exe

C:\Windows\System\tQNVxzF.exe

C:\Windows\System\tQNVxzF.exe

C:\Windows\System\jKVPDjR.exe

C:\Windows\System\jKVPDjR.exe

C:\Windows\System\VkhVleG.exe

C:\Windows\System\VkhVleG.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none) tcp (6 connections; identical rows collapsed)

Files

memory/2296-0-0x000000013F1F0000-0x000000013F544000-memory.dmp

memory/2296-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\oQcqWnH.exe

MD5 1410ec25b2e3c1a0fb930bfbbe607f83
SHA1 25fff6d4440d9f71be2a9ead3f923dd7c0f33459
SHA256 458be003522a51baa2076986c7291209dcafa93445152fd21c358e3dea8418b2
SHA512 9177a6e22046005acb62ef4abd59c4b50592444505518ed17df6ac047244af2425d9dbbde1f368f470b37f1155e244714a4d4f1701967dfe9e5f4a4766683f11

memory/1796-9-0x000000013F490000-0x000000013F7E4000-memory.dmp

C:\Windows\system\RmNclhF.exe

MD5 b930756a18dd03bc5ae9b67524087106
SHA1 1d091c494081f5229df34d92b944e30b581282c4
SHA256 53903e223d97f905835664b50f713c4cdba883ac7e862813a494bbfa0c4897f8
SHA512 bd7ffd24bdc53f1397244024e63e4cbb9eaa3387a992dbcec6e34c9ce5b080316086ee0de9d195492adc2bc8c2d282f637db90be48fcc1446f768eb069bf7d7f

memory/2160-15-0x000000013F110000-0x000000013F464000-memory.dmp

memory/2296-14-0x00000000023D0000-0x0000000002724000-memory.dmp

memory/2296-8-0x00000000023D0000-0x0000000002724000-memory.dmp

C:\Windows\system\WHCylDx.exe

MD5 a02ad3dc4dd1e25cd9c684ef20b8f1e4
SHA1 c3c16367510edcdfc721cb262e1be4fb09aec7dd
SHA256 e8279b45ebc08e394316a2471cff50af2b106b5ca6282a35298c6799ea56dfff
SHA512 301fe73fbee978a0aa2730744585e421b5cb7e890d98a3e3113e281335fcfe7609ef9ed6222f77ace0b05bc591e5a0d8f36dc5cd89b7c430f50cc3bb50cc9209

C:\Windows\system\YHPdtZU.exe

MD5 522763e0247557f6f56d5e09db6b803e
SHA1 b28096f78bd1a04906a64bfddc2ecf99be9f9ba4
SHA256 5e93bfeb538ac190e516d6c035373d60254d963d6f81a1b63d65e9c0992298f4
SHA512 9cf138dedadaac7cebb9cc704f635e77ec8c782f51efba58e042bfb5b5cf2d074169f0ddc7eea0198a728a16543fd64a90fcc4f308161fc88b4b26835838ed23

memory/2296-32-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/2132-29-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

memory/2296-28-0x00000000023D0000-0x0000000002724000-memory.dmp

\Windows\system\eIrFuFX.exe

MD5 e234666534f6c4b24ecf573afb9d5259
SHA1 ccf7b07caa074f7e0f1a4c2187be809d401ee87a
SHA256 ae7ed4f7d36fe4959291606111398f52cad7f13fbfb4f548101ebb3a8368ad99
SHA512 775c9c5fcdb94ad2e5bca4e4f3615d564bfe64e2f376a2e6590b0dcfca0810abe020aade06cfd5fbc4851ca6b8c15b35ba229f3ff6bfe7cf7ae4491ad8bfff5e

memory/1896-21-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/2296-20-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/2544-36-0x000000013F690000-0x000000013F9E4000-memory.dmp

C:\Windows\system\GvAmuHo.exe

MD5 f6ef56895d67142b34cc492ad628f36f
SHA1 c68450ff83dde7111b0ed3385cd8d07b5febf353
SHA256 e091c6e32b207442cfd696368bf5b31a7351d2d47c82f0fae275c50c4879f375
SHA512 9f83c5268082acb157f3e9c096813c055d450646c247722f7c761bc0492960e97a5a5333361ba2e58e37614e8c019992ea291087648c8b5881414e48c3b2b2be

\Windows\system\APXyfcS.exe

MD5 d822465a226a1be3020bdf3c78b946a0
SHA1 a3afa4efc8229c8989c3536ff2e286da6e979783
SHA256 bd91b3a07c3ad0dd209b433b08a4ef0ae096bddec90da8a53edb0c67479667ea
SHA512 1ecf19de49d0ba611cad6961cf07a375faa5ebadce74fe78024ff6ac82bd1c155233c3fe29428632d081beae48fd977ce3bcc8e032b22586b4ceed648b15352c

C:\Windows\system\VkhVleG.exe

MD5 ea3878f5be5c355310dfb3ee8a7d53b2
SHA1 06d81d5a86cfec3975e57d413a6ceb0dc4937e26
SHA256 817d7186bfb1ce66ca1176e64415d8b3c4010fee441220dffdec0ae1fb24d356
SHA512 c5b8f4062b70f4a264d0da4ff20adccc75a64a584eb3e99612d186e716190db5709a664b4727906c4404448374a5577d22d2be31cf76e31a42752525427a490f

memory/2296-102-0x000000013FDB0000-0x0000000140104000-memory.dmp

\Windows\system\jKVPDjR.exe

MD5 d186bd8cd6a1b9079f5482c1fc4d9142
SHA1 22cb61aeea08e1a4ed6b22019cb54ece86567e37
SHA256 ad7e00b3e932e779c2a5bc5314bdee3cdea19aadfc3c7109113fe13e7b9c892d
SHA512 e716358276034cd36d4a38dd01f080980176aadcc0f54cd7aa60cb4d7094bc27ceebaf39c5690ccac43fb2c95c39b12de42967b0c0aec7fe8943bccc7d2c3ba3

\Windows\system\gTyxIkj.exe

MD5 b8b5188ecd1e13dbd89ceb3ecd8cbc97
SHA1 c1aeb2b9d3f7ad5bb7da36238df895992fc5efea
SHA256 48835c8352aaae6fda89755aff5c7f51c2702fda5c6d133e53b4e7a3cf70be5d
SHA512 254c1b504db9d4e76877e3c80c4b3611c706c97d65db2e4e1c196ec6976b60cf25670c5eed5825f208f881b5f2535949190836e0f732b48a48abb6824b03e15c

memory/2296-81-0x000000013F590000-0x000000013F8E4000-memory.dmp

\Windows\system\PxCuwlW.exe

MD5 d7a7a7dece8a41d1152a0b5c361b3315
SHA1 0ea8bad229cac81edb317460770ea5d4b2b35d1c
SHA256 22232f9ccdd36867f0c5920206d335620bc5abe0ce3d7c28c432b72b687033bb
SHA512 57a9d34e116e9f83657f787af6acc28a9df5d2fc4ed6fed80780ef4fbe30d324ab86417411ed5dece1be776e9e0ca17297deb7d4385a0bbc3ff472396bf4bba5

\Windows\system\mWDnVYQ.exe

MD5 39c96fea199518e84e79a998424e82bd
SHA1 787b474919200c7359bce582e3d1f644b9ab3248
SHA256 0be37ff46d8de49b199d9c2ed4be296bcf0bce83b2d05c4b926d0e36be49d0cc
SHA512 1a771178809f9d8907ae8285591baff2e8ee3ecb097cac3358806dd45c1798e21e8a3b2d4ee6b660735c8bf9cf74bd477130ced82b70c0a3f2ee762f2e972fac

\Windows\system\rkmlofP.exe

MD5 443e4745472701fd4310826d528c0715
SHA1 f8e03f41d1dafdcb21284cfa74cfdb0558f0b623
SHA256 28ec6b5965b820cfd8bc388d4971567d3bbfdfd1d373edfc625e1009e5184d38
SHA512 657d365994a63d9c64926a9306afe0fd3424cfb82953925a53dcf119c88b94e0620c0f3954d601062b8269a8dac98101fc810acbfeab31ce4468427748a02a02

C:\Windows\system\tQNVxzF.exe

MD5 0aaa715eb941cd2775a8f58dab76021d
SHA1 56e5b63600c38158062800c3d05ed7a16d3b1a13
SHA256 e1f7d044d473ecbc01f25ef49f08c8d7c63fc2ff4452a254b8e306a5359e19de
SHA512 57d4f1a89e862cc31e931d9bd0123cd4858a47c9f6e1d4d62a7e7bcb8670ed024138d18be549fc566508086a51354f139e1fcabb7b3624233fc02066a6f5e943

memory/2132-132-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

memory/2296-131-0x00000000023D0000-0x0000000002724000-memory.dmp

C:\Windows\system\nnzBmsr.exe

MD5 f7f886c923733518b8bf979bddafdd3b
SHA1 8719798c5c4e772b66fb00ffbe863618d2e87cb6
SHA256 566cfeca2aa4d4ec5a9f7083654c71c8c57147cb6f0041b7d7b8b1e13d7026ff
SHA512 9be67856e2898c27fb0444feedcdb12948e11dd3d8cc961ae758897e5632e01cc582c5ef6494b3459029fef66923b94933bb4fb281cb1fc08eb97fbc2ce7fdb3

C:\Windows\system\nJPRxyv.exe

MD5 d80b0f329ae6c0dd2878f5c25b27cab6
SHA1 b91396b5143393979e9e2173a03d5217f2a482ce
SHA256 4c6a99b81fec1e69f2e23ea713e1fff136326bbad008a438b3c7dbc6ec2f05c3
SHA512 d920c861a677d50ccc5a9ea88a052cb414cdf79da16af50892f64f924828895b59fc511a904af8e8115714f9d3338ef043f2edc91316d0d9cac3b9da4d1ae3a2

C:\Windows\system\DjNcrsm.exe

MD5 7a711754d3b8de6bcb590bb55dfccdaa
SHA1 58c169584585321b191319833b919b833f8bf640
SHA256 ea2797642fcdc5579f164f93c8f819ecd766008c924e1855f63c5db451e9c7b5
SHA512 954cca87fd3afdeabe32e2504fae274ad12a25590cf55f0f45a4b6621e706a11df29cf5bab32f59620814cb7420d60e990620e8611e3542ef8172e180bf80669

C:\Windows\system\kRVUsKo.exe

MD5 54239978b418ab73d4f22577f4e98c36
SHA1 8e9a7a932d6ddcad6c9686ceceb3f9dc050dbed3
SHA256 8f78c0a64d204cc8fd4bd2e7d92b5838e74adf66f7282f08e4c501dd67e42316
SHA512 2e0c112ecebfaf1141a727dc6a3748eb42bf44ba67327867af1cea6226c39e65e7848157cb954fff22003f8bca441613b2e55e0c9d2037bc5b976efeef2d9494

memory/1896-112-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/2296-110-0x000000013FA90000-0x000000013FDE4000-memory.dmp

memory/2296-109-0x000000013FFF0000-0x0000000140344000-memory.dmp

memory/2296-108-0x000000013F880000-0x000000013FBD4000-memory.dmp

memory/2296-107-0x000000013FED0000-0x0000000140224000-memory.dmp

memory/2296-106-0x000000013FFF0000-0x0000000140344000-memory.dmp

memory/2160-105-0x000000013F110000-0x000000013F464000-memory.dmp

memory/2296-98-0x000000013FE80000-0x00000001401D4000-memory.dmp

memory/2296-96-0x00000000023D0000-0x0000000002724000-memory.dmp

memory/2480-65-0x000000013F590000-0x000000013F8E4000-memory.dmp

memory/2296-59-0x000000013F1F0000-0x000000013F544000-memory.dmp

C:\Windows\system\iJgCCYz.exe

MD5 c1337ef562233465fa4116c35f1ff8cb
SHA1 c068361acd8bcf782edb54e648aa9e221c87c4cb
SHA256 d532101733cb8f33c91fe0c002fac95fdfd1eac02351e2b62caf41a57ecd9575
SHA512 e0248e875d556536947b19b5b3c30ac491f98fa67569cef7b77000606bc65b38db17b789355b56ecaa6da2192ec79257822e9a42e0ed2183bbfc0678c9cd7f8e

memory/2544-133-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/2368-54-0x000000013F190000-0x000000013F4E4000-memory.dmp

memory/2296-53-0x00000000023D0000-0x0000000002724000-memory.dmp

C:\Windows\system\GHLJtmO.exe

MD5 f6504a6343dc30210331f9d50e99a314
SHA1 30006eee7aeee25be2d82502df1757200d8126b0
SHA256 b9918a48b99c1ecdcce6a2c7acc9ac27b80e5be9f08db7a644368308d20b8387
SHA512 d860605fef81f0bdfe5ddbdd5586f980122bc8ad84cc92c5bf9905ddc4995451989f7df0b582d915088c643273ad4670374c3706c7da22c4643abd08216cdb23

memory/2572-134-0x000000013F9F0000-0x000000013FD44000-memory.dmp

memory/2520-48-0x000000013FC00000-0x000000013FF54000-memory.dmp

memory/2296-47-0x000000013FC00000-0x000000013FF54000-memory.dmp

memory/2572-42-0x000000013F9F0000-0x000000013FD44000-memory.dmp

memory/2296-41-0x000000013F9F0000-0x000000013FD44000-memory.dmp

C:\Windows\system\EpQpzBa.exe

MD5 429b9910cf50747b1c5d181a5f8f85aa
SHA1 777abb895113aa083801cb2ad449d09ee56d05f2
SHA256 978e4d08af4b4ccb9e7bc91c9b87151a82458013c3416bef8f190d65b9bc6978
SHA512 91eafdde5c669afff8baabc435c3c9908030f40176c1122d08123f646acb12758b1768f6ea0512416cac1a7d2ed94daf7e62afb24258e65448bac68a58ac5b08

memory/2520-135-0x000000013FC00000-0x000000013FF54000-memory.dmp

memory/2480-137-0x000000013F590000-0x000000013F8E4000-memory.dmp

memory/2368-136-0x000000013F190000-0x000000013F4E4000-memory.dmp

memory/2296-143-0x000000013F590000-0x000000013F8E4000-memory.dmp

memory/2296-144-0x000000013FFF0000-0x0000000140344000-memory.dmp

memory/1796-145-0x000000013F490000-0x000000013F7E4000-memory.dmp

memory/1896-146-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/2160-147-0x000000013F110000-0x000000013F464000-memory.dmp

memory/2132-148-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

memory/2368-152-0x000000013F190000-0x000000013F4E4000-memory.dmp

memory/2480-153-0x000000013F590000-0x000000013F8E4000-memory.dmp

memory/2544-151-0x000000013F690000-0x000000013F9E4000-memory.dmp

memory/2520-150-0x000000013FC00000-0x000000013FF54000-memory.dmp

memory/2572-149-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-29 06:52

Reported

2024-06-29 06:55

Platform

win10v2004-20240508-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 identical rows collapsed; the report records no description, indicator, process or target for any of them)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
(21 identical rows collapsed; the report records no description, indicator, process or target for any of them)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows collapsed; the report records no description, indicator, process or target for any of them)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows collapsed; the report records no description, indicator, process or target for any of them)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows collapsed; the report records no description, indicator, process or target for any of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\DwNkIWW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gdhkthX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rBwVoOA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FzldCOB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ujozQfa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QYyOmxx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZOEFqps.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KsdnTyY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lVHkoIu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GPtoOJG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OGvdNjm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mQVxQJx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UqoHogv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rKhbUNx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mpAOBNW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YUryLVZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eyNioRW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kmfZiqB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HlBlfFj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PbJSbDf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yDDtrfW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2232 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rBwVoOA.exe
PID 2232 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rBwVoOA.exe
PID 2232 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lVHkoIu.exe
PID 2232 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lVHkoIu.exe
PID 2232 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FzldCOB.exe
PID 2232 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FzldCOB.exe
PID 2232 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GPtoOJG.exe
PID 2232 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GPtoOJG.exe
PID 2232 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ujozQfa.exe
PID 2232 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ujozQfa.exe
PID 2232 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OGvdNjm.exe
PID 2232 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OGvdNjm.exe
PID 2232 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QYyOmxx.exe
PID 2232 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QYyOmxx.exe
PID 2232 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZOEFqps.exe
PID 2232 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZOEFqps.exe
PID 2232 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kmfZiqB.exe
PID 2232 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kmfZiqB.exe
PID 2232 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UqoHogv.exe
PID 2232 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UqoHogv.exe
PID 2232 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HlBlfFj.exe
PID 2232 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HlBlfFj.exe
PID 2232 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rKhbUNx.exe
PID 2232 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rKhbUNx.exe
PID 2232 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KsdnTyY.exe
PID 2232 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KsdnTyY.exe
PID 2232 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PbJSbDf.exe
PID 2232 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PbJSbDf.exe
PID 2232 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mpAOBNW.exe
PID 2232 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mpAOBNW.exe
PID 2232 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YUryLVZ.exe
PID 2232 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YUryLVZ.exe
PID 2232 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DwNkIWW.exe
PID 2232 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DwNkIWW.exe
PID 2232 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mQVxQJx.exe
PID 2232 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mQVxQJx.exe
PID 2232 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eyNioRW.exe
PID 2232 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eyNioRW.exe
PID 2232 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yDDtrfW.exe
PID 2232 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yDDtrfW.exe
PID 2232 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gdhkthX.exe
PID 2232 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gdhkthX.exe
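
The table above is flat, so the shape of the activity (one writer, many targets, every target image in one directory) is easy to miss. The following is an added example, not code from the sandbox or the report: it parses rows in exactly the format shown, de-duplicates the repeated (parent, child) pairs, and applies a small triage heuristic. The heuristic threshold and the "all targets in one directory other than the writer's" rule are this example's own assumptions; the sample rows are rebuilt from three of the 21 children listed above.

```python
import ntpath
import re
from collections import defaultdict

# Added example (not from the sandbox report): rebuild the parent -> child
# injection graph from "Suspicious use of WriteProcessMemory" rows.
# The sample rows are reconstructed from the table above (3 of its 21 children,
# PIDs and paths copied from the page); each child appears twice there, as in the report.
PARENT_PID = 2232
PARENT_IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
                r"\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe")
CHILDREN = [
    (3796, r"C:\Windows\System\rBwVoOA.exe"),
    (3840, r"C:\Windows\System\lVHkoIu.exe"),
    (3808, r"C:\Windows\System\FzldCOB.exe"),
]
SAMPLE_ROWS = "\n".join(
    f"PID {PARENT_PID} wrote to memory of {pid} N/A {PARENT_IMAGE} {image}"
    for pid, image in CHILDREN
    for _ in range(2)  # the report lists every (parent, child) pair twice
)

# Columns: Description, Indicator (N/A here), Process (writer image), Target (target image).
ROW_RE = re.compile(
    r"^PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P<indicator>\S+) (?P<writer_image>\S+) (?P<target_image>\S+)$"
)


def parse_rows(text):
    """Parse report rows into event dicts; unknown rows are an error, not silently skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        events.append({
            "writer": int(m["writer"]),
            "target": int(m["target"]),
            "writer_image": m["writer_image"],
            "target_image": m["target_image"],
        })
    return events


def build_graph(events):
    """Return (graph, images): graph[writer_pid] = {target_pid: target_image},
    images[pid] = image path. Duplicate rows collapse onto the same key."""
    graph, images = defaultdict(dict), {}
    for e in events:
        graph[e["writer"]][e["target"]] = e["target_image"]
        images[e["writer"]] = e["writer_image"]
        images[e["target"]] = e["target_image"]
    return dict(graph), images


def suspicious_writers(graph, images, min_targets=3):
    """Triage heuristic (an assumption of this example, not a report rule):
    flag a writer that touches at least `min_targets` distinct processes whose
    images all sit in one directory different from the writer's own directory."""
    flagged = []
    for writer, targets in graph.items():
        target_dirs = {ntpath.dirname(p).lower() for p in targets.values()}
        writer_dir = ntpath.dirname(images[writer]).lower()
        if len(targets) >= min_targets and len(target_dirs) == 1 and writer_dir not in target_dirs:
            flagged.append(writer)
    return flagged


if __name__ == "__main__":
    graph, images = build_graph(parse_rows(SAMPLE_ROWS))
    for writer, targets in graph.items():
        print(f"{writer} ({images[writer]}) -> {len(targets)} children")
        for pid, image in sorted(targets.items()):
            print(f"    {pid}: {image}")
    print("flagged writers:", suspicious_writers(graph, images))
```

Fed the full table, the graph has a single writer (PID 2232, the submitted sample) and 21 targets, all under C:\Windows\System, which matches the 21 "File created" rows in the "Drops file in Windows directory" table. ntpath is used so the Windows paths split correctly when the script runs on a Linux analysis box.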

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\rBwVoOA.exe

C:\Windows\System\rBwVoOA.exe

C:\Windows\System\lVHkoIu.exe

C:\Windows\System\lVHkoIu.exe

C:\Windows\System\FzldCOB.exe

C:\Windows\System\FzldCOB.exe

C:\Windows\System\GPtoOJG.exe

C:\Windows\System\GPtoOJG.exe

C:\Windows\System\ujozQfa.exe

C:\Windows\System\ujozQfa.exe

C:\Windows\System\OGvdNjm.exe

C:\Windows\System\OGvdNjm.exe

C:\Windows\System\QYyOmxx.exe

C:\Windows\System\QYyOmxx.exe

C:\Windows\System\ZOEFqps.exe

C:\Windows\System\ZOEFqps.exe

C:\Windows\System\kmfZiqB.exe

C:\Windows\System\kmfZiqB.exe

C:\Windows\System\UqoHogv.exe

C:\Windows\System\UqoHogv.exe

C:\Windows\System\HlBlfFj.exe

C:\Windows\System\HlBlfFj.exe

C:\Windows\System\rKhbUNx.exe

C:\Windows\System\rKhbUNx.exe

C:\Windows\System\KsdnTyY.exe

C:\Windows\System\KsdnTyY.exe

C:\Windows\System\PbJSbDf.exe

C:\Windows\System\PbJSbDf.exe

C:\Windows\System\mpAOBNW.exe

C:\Windows\System\mpAOBNW.exe

C:\Windows\System\YUryLVZ.exe

C:\Windows\System\YUryLVZ.exe

C:\Windows\System\DwNkIWW.exe

C:\Windows\System\DwNkIWW.exe

C:\Windows\System\mQVxQJx.exe

C:\Windows\System\mQVxQJx.exe

C:\Windows\System\eyNioRW.exe

C:\Windows\System\eyNioRW.exe

C:\Windows\System\yDDtrfW.exe

C:\Windows\System\yDDtrfW.exe

C:\Windows\System\gdhkthX.exe

C:\Windows\System\gdhkthX.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3884,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=3740 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
DE 3.120.209.58:8080 - tcp
(- = no domain recorded for that connection)

Files

memory/2232-0-0x00007FF6E8D40000-0x00007FF6E9094000-memory.dmp

memory/2232-1-0x000002969A4D0000-0x000002969A4E0000-memory.dmp

C:\Windows\System\rBwVoOA.exe

MD5 fecf40a92437c8d2668bfbd8e4db5134
SHA1 995e231884edc0a26e3be50771adecfdcfd84f12
SHA256 97bdcdeb726dff3e63e7d161079a3b12e8bfa289e3c155968656a6018f8bbde9
SHA512 22928daf561cd9d2646ec5e7f40b64807c9d82b27a6b8bc72935fb05657307f237d81215f4cf5cfe85dcd0256f4353f12047841d00fac445942b8ee278c04841

memory/3796-6-0x00007FF7D0880000-0x00007FF7D0BD4000-memory.dmp

C:\Windows\System\lVHkoIu.exe

MD5 51ec5969ec165429cb514a6c0462e918
SHA1 d000cf6cd61d7678fa15157e71df14574e5f5e49
SHA256 e15723dd3fc82067522eaff359155033579f898a09ef18ec906ae37974c37e2b
SHA512 041fab45ff7249e335b2662c1b7243454e5b6d3e0cd4cedaeed1ab56b0cd7ce6b3c23b33c9616da7d9cfda9857be0ee4c430d799c280929564cbe0bbc34df0d4

C:\Windows\System\FzldCOB.exe

MD5 4838cd7afe2aab943ff3a0dbdf33a8af
SHA1 11e3fbe6024be203b02ea60f0787b190914ef40e
SHA256 ddaebbe9ef02194a4555cc47ff427f668111b676713b6ed19f8fc66090860357
SHA512 940fdbfc6d1eda3ce11074965d1f5bbe9a0210c3858fba169b6349f2ddff6670d7ffcb9f2c38730f3888c5c69542cfec0cc6119527adb53c936d6fea95729c4d

memory/3808-22-0x00007FF601560000-0x00007FF6018B4000-memory.dmp

C:\Windows\System\GPtoOJG.exe

MD5 9430e3d88081745a46025820bcd9dc38
SHA1 b3f955dec83ea96214bb5b2951aeb3eff14c3379
SHA256 f3d13e13c0556a13ff154b0e8aff4ab0426c3165cff192a3cae7a16ec958d530
SHA512 f2c19f4440b114205f973fae59b93bc993f6fbb663bb487ea1fbdbbb4699ec5eba4c008ee55882fef3e1253790246e04da4644f549e7cc7b8a71951c256dd9d8

memory/3840-15-0x00007FF6C42B0000-0x00007FF6C4604000-memory.dmp

C:\Windows\System\ujozQfa.exe

MD5 581179be07588649de5ff844df00b2e8
SHA1 0dbc24bba53cad01f7043c7f7c949dd9071be5b1
SHA256 23fc83b6faf4cf1aeccf3e6f2c2bd537c230de27815ab7e6fa2c641516699159
SHA512 c8cb5148ebd1785657abb566d6b512b3ae76456830fa6749983f532f712aa270c531530465cc972946e8411c7b832844c8101e9547e1fbda932deff178e28d4c

memory/1584-28-0x00007FF60C2B0000-0x00007FF60C604000-memory.dmp

memory/3016-40-0x00007FF767440000-0x00007FF767794000-memory.dmp

memory/4996-45-0x00007FF6BE890000-0x00007FF6BEBE4000-memory.dmp

C:\Windows\System\ZOEFqps.exe

MD5 d7191d982f97e457642c82cf516290a8
SHA1 d8b8ac47f39078186223454f10a85ffc7860a392
SHA256 f091eb94eed425fc9fffeaae15eaf298d7c826b2b16f0873b7e9f74b8e961fdf
SHA512 40dfec078203e955a9baba1de274a2fe2d858bef01d15cdd7b1b9262951efab5c722c467f83aa9c0ba1bdf82696cd2dd12bca4624d03ff5401f1ca6791109c83

C:\Windows\System\QYyOmxx.exe

MD5 0c2fed6726b5d1ef9b72e072ccb8ce3b
SHA1 e0eb26a352f25b79424a0cb8725efff7d19288f6
SHA256 58906124a785576e2661f73f02ffbb927014cff46e14375d90b185f5d53ef8fd
SHA512 dd1f9d8de1f35288e0d406293eb43303dee9b3ced9fa3783d6288b471ab3444b1355e08e880685b0e86563c01ba310f80fe6bfc645eb697ab8e7587a99db6e58

memory/3800-46-0x00007FF7E3EE0000-0x00007FF7E4234000-memory.dmp

C:\Windows\System\OGvdNjm.exe

MD5 48f0748963bbddbfd95e44cbc179d646
SHA1 3ad3c6ec3f59d19c3d68e5ad25415ed5b2f8ebf0
SHA256 fc7c9e16cfe14316b673ace00c583bfb3ccc5e563d2e6dc36a1442eed13ceee1
SHA512 e1aa52de5a59f674e8af7cac9071b5de5a7f0a34de7cd8e6411a4b930de006ee45db6173e517627866ec527e336d224c868ea5200b03fdfa5fde16d04be0597b

memory/4784-33-0x00007FF7A31A0000-0x00007FF7A34F4000-memory.dmp

C:\Windows\System\kmfZiqB.exe

MD5 b125430a1ad3ae4a8e2c8febd9f55f5c
SHA1 44d4e364af9f4187b12c1577b389c4fb2746e18a
SHA256 1f81f357fcc77b675a64bd2c6b3b18792f827753e162dcd4a4c22ba61cb22cc3
SHA512 e1e5a4279175059aebd37bc98ed88fff048e5a99c81eb89994616ea89383f3c214c7ffa63f1e1e2929cf6d47c430a8fc400c69acc7889bdc6ca1e58d49129810

memory/780-55-0x00007FF6393C0000-0x00007FF639714000-memory.dmp

C:\Windows\System\UqoHogv.exe

MD5 b9fce04f88059efeb4b50538c96ae971
SHA1 a8791066e880832583617ff67dbbf1df81ec6432
SHA256 2f62f2f192458ee774ba2ca9f1c8424ef1ff0206c6a8394c795718c0fc5ebd8e
SHA512 62e4ec0b88e7518c7fff206cdc2dd7661b855ccbb1fc4b8d30b8398aca7814cec32cdcb11d572162c67b77180381b26ad3f5ec3cecf3ad27d34091ba746c619c

memory/4216-62-0x00007FF600530000-0x00007FF600884000-memory.dmp

C:\Windows\System\HlBlfFj.exe

MD5 a568c3f70baeebbca5979afd1cbca28f
SHA1 135ac08c7b8703c93d534cac4c2bf0a3c166d077
SHA256 8a087506427b8699f41df18fcec0be5e490ec57202b5b6275403c1516ac8bc00
SHA512 75d43eafb1133826e596b06f956de7766e37eb27948a82684af253b56f644c577d3ba952bdfedad6b7e7c2cf14d2621a061ee80da7529cc067374ff226c5aecb

memory/4892-70-0x00007FF727F00000-0x00007FF728254000-memory.dmp

C:\Windows\System\rKhbUNx.exe

MD5 7d3118afe26b261a9015d2a346a529aa
SHA1 643df85bec1c8683ea4d664bd59d8fd22d6119f2
SHA256 7eec7f7bca2f6a95674c4a5ab7a79bf1e792528730c0141ecf3bb8979f9f24dc
SHA512 ab51fa09dd487063b5649d132b3fd3b2b5bfb3303fd5f23a1df29753e3d3fcd80e5a55578aa809d38acfec158d253d1ba41d254a94723d44f38d9aad5ccbbd4e

C:\Windows\System\KsdnTyY.exe

MD5 cac48a2fe4c9bf1e45a8a3ef154e9e5f
SHA1 3d47e18e41a990239024bace9551d8b031c6425a
SHA256 932859cd0771e7d6d0eb855cea8e1490571fee29f6a740db192f0c73cdff0546
SHA512 e8f9e4f5cb60471482554d6894744b5693c1eb7162cff01ab4951df9fd5fecdb44cadd43c5f19409bc7482414dafb58615593c76b10d1d039ab111f503f65562

C:\Windows\System\PbJSbDf.exe

MD5 5b4bab83ca16baaa48d78539cad427f5
SHA1 c69c6860d0e522db865d54727454af28c4b2e677
SHA256 86ed7a6853e103da7171282fb98998ff8371c4d9918d178a31567194c026afcd
SHA512 ba5fbd1f8cd8de90cb9d39dab501ea25802e719e50619fc0ba994edea817b700dcded4f5c4207f78160f12b83dea5ace9c3a7fd7a5c0a11d4ca39185439eccc1

memory/1996-86-0x00007FF6D1AC0000-0x00007FF6D1E14000-memory.dmp

memory/2316-87-0x00007FF787570000-0x00007FF7878C4000-memory.dmp

memory/3840-84-0x00007FF6C42B0000-0x00007FF6C4604000-memory.dmp

memory/1788-74-0x00007FF7BEC40000-0x00007FF7BEF94000-memory.dmp

memory/3796-73-0x00007FF7D0880000-0x00007FF7D0BD4000-memory.dmp

memory/2232-68-0x00007FF6E8D40000-0x00007FF6E9094000-memory.dmp

C:\Windows\System\mpAOBNW.exe

MD5 353477ef5d18fe926cabcb7809c29722
SHA1 7f7ba1ddf39b0780ba581082ecc9915f4a350e8e
SHA256 37676bd5bb79be3e18f434869558630fd2ad1c62b8f26fc7551dd06860586be1
SHA512 7583b23e476000ca84c9e0e9e0f210fb3c469a838d57938668f58525a7d9fe59f25d25c48537fe2bd295e11d70a7c5fe3d800ef0af181beb07d20583214eab25

memory/4520-93-0x00007FF710E90000-0x00007FF7111E4000-memory.dmp

C:\Windows\System\YUryLVZ.exe

MD5 8b81efb559d43c8ca0d9d0a5b86985bc
SHA1 4745b5ebf58778dcd50a3f625799daabbeb3c623
SHA256 cb8a3ff7c38ac2288f9f5deb4fcbacfe8a16e56f8cbe3732a6eef6f1255a2933
SHA512 8bbee59ed5bf0fe50163256e3637693011a54601aa3e8660bf3e2c2e29a4b7e1b02d460d0412372cbb39fd46807774215f2b6ca88500a4fefccfc337fc9e36cd

C:\Windows\System\DwNkIWW.exe

MD5 08993f2ab8dc700537c7f67b9466d05a
SHA1 dabda4ec4946b1e36d07100610aeca3d0cfbb6bd
SHA256 71252077d596bdb453ea304dfffeaadc55e3c83ef5f13b52ab10e702eebb25ac
SHA512 8d511f43c8dd3a5f5b15fa3ed192a128043677293778e9ddec3d038d29b4fd9f7200e49b3eb627ce3fab56ab576bafa773e6358721df4ccdf4c4bc95275979be

C:\Windows\System\mQVxQJx.exe

MD5 3ca2949388d308c061b550b41e7316c4
SHA1 ded3b2d497a5217d749fba68daff45b7bfdb6c4b
SHA256 a35091262af023cae42c04a44659976cc878bff5e8760b83f79771c63d22b035
SHA512 3c6f12aaf8da81648eb6144f9f0f5263e7b312f7f5a58e5a3693cd307cb4b383dab6fffa456b3747333b7d60f8cf83fa575b233039bd274aaf06f601c908a210

C:\Windows\System\eyNioRW.exe

MD5 435f1d15f5e672f9464739de9ecbf0f4
SHA1 372216f89d60dbd0150645b3e21ea337ceeec829
SHA256 e77bca6bef807fbdd0ef6aa32725579b76eead9667de9f59372e3f5e6591fc72
SHA512 2e18aa81ecba8ca1314a41adc3844f833ac71da5e96e37c20f199b9810572abf0d7da5de58a924d502797e357a427c695fb4e4c0efea80863791baaef61948d8

memory/1080-116-0x00007FF79B910000-0x00007FF79BC64000-memory.dmp

memory/1944-106-0x00007FF6A61A0000-0x00007FF6A64F4000-memory.dmp

memory/4784-105-0x00007FF7A31A0000-0x00007FF7A34F4000-memory.dmp

memory/724-103-0x00007FF60ECA0000-0x00007FF60EFF4000-memory.dmp

C:\Windows\System\yDDtrfW.exe

MD5 ec04335931b849983e2b31caa2612f60
SHA1 90b0c54425f41dc75bec9b87c8325d9511bc5a12
SHA256 cdf3f62fb65045e98f9d1d6e38e18cc45b3b5435e1e384c680af5901ad82e35f
SHA512 f6a3d12839472b2dec72e39e91ca1ce2328b2af7cd3bc5bf58d97719cf6f01519f3150e43e3c70f09c95bb3a048720e6a3cc5b0986fca2f5b13bd66e80e0b96a

memory/4996-126-0x00007FF6BE890000-0x00007FF6BEBE4000-memory.dmp

memory/3800-130-0x00007FF7E3EE0000-0x00007FF7E4234000-memory.dmp

C:\Windows\System\gdhkthX.exe

MD5 ee1216742feb4c37ca339c6da9cc978f
SHA1 0a0c2ff03cf5317a4e1efc621793957f36290115
SHA256 f623517d7a3d92286800a6595a22daa45d68f6b38047eca342df978fc905db3c
SHA512 fbf7e2587c9f89f760dc76b2b4754c79b28b152d4e7280e644814b96875e26d68a9202a29821ce4428fae83e73b06d307041951d7263ffdfa2386c45a514e1cf

memory/3220-132-0x00007FF77FC70000-0x00007FF77FFC4000-memory.dmp

memory/780-134-0x00007FF6393C0000-0x00007FF639714000-memory.dmp

memory/4120-133-0x00007FF6E9D50000-0x00007FF6EA0A4000-memory.dmp

memory/1564-131-0x00007FF6514E0000-0x00007FF651834000-memory.dmp

memory/1788-135-0x00007FF7BEC40000-0x00007FF7BEF94000-memory.dmp

memory/2316-136-0x00007FF787570000-0x00007FF7878C4000-memory.dmp

memory/4520-137-0x00007FF710E90000-0x00007FF7111E4000-memory.dmp

memory/724-138-0x00007FF60ECA0000-0x00007FF60EFF4000-memory.dmp

memory/1944-139-0x00007FF6A61A0000-0x00007FF6A64F4000-memory.dmp

memory/1080-140-0x00007FF79B910000-0x00007FF79BC64000-memory.dmp

memory/3796-141-0x00007FF7D0880000-0x00007FF7D0BD4000-memory.dmp

memory/3808-142-0x00007FF601560000-0x00007FF6018B4000-memory.dmp

memory/3840-143-0x00007FF6C42B0000-0x00007FF6C4604000-memory.dmp

memory/1584-144-0x00007FF60C2B0000-0x00007FF60C604000-memory.dmp

memory/4784-145-0x00007FF7A31A0000-0x00007FF7A34F4000-memory.dmp

memory/3016-146-0x00007FF767440000-0x00007FF767794000-memory.dmp

memory/3800-148-0x00007FF7E3EE0000-0x00007FF7E4234000-memory.dmp

memory/4996-147-0x00007FF6BE890000-0x00007FF6BEBE4000-memory.dmp

memory/780-149-0x00007FF6393C0000-0x00007FF639714000-memory.dmp

memory/4216-150-0x00007FF600530000-0x00007FF600884000-memory.dmp

memory/4892-151-0x00007FF727F00000-0x00007FF728254000-memory.dmp

memory/1788-152-0x00007FF7BEC40000-0x00007FF7BEF94000-memory.dmp

memory/1996-153-0x00007FF6D1AC0000-0x00007FF6D1E14000-memory.dmp

memory/2316-154-0x00007FF787570000-0x00007FF7878C4000-memory.dmp

memory/4520-155-0x00007FF710E90000-0x00007FF7111E4000-memory.dmp

memory/724-156-0x00007FF60ECA0000-0x00007FF60EFF4000-memory.dmp

memory/1944-157-0x00007FF6A61A0000-0x00007FF6A64F4000-memory.dmp

memory/1564-159-0x00007FF6514E0000-0x00007FF651834000-memory.dmp

memory/1080-158-0x00007FF79B910000-0x00007FF79BC64000-memory.dmp

memory/3220-160-0x00007FF77FC70000-0x00007FF77FFC4000-memory.dmp

memory/4120-161-0x00007FF6E9D50000-0x00007FF6EA0A4000-memory.dmp
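
The Files section mixes dropped-file hash blocks with memory-dump names, and the dump names encode the mapped region as a start and end address. The following is an added example, not code from the sandbox or the report: it parses that layout, validates digest lengths before they go into a blocklist, and groups memory regions by size. The sample is copied from the section above (two dropped files and three dumps); the reading that equal region sizes across PIDs hint at the same image layout is this example's inference, not a statement the report makes.

```python
import re
from collections import defaultdict

# Added example (not from the sandbox report): parse a "Files" section into
# dropped-file hash records and memory-dump regions, then group regions by
# mapped size. SAMPLE is copied from the section above (two dropped files and
# three memory dumps of the many listed); the line format is the one the page uses.
SAMPLE = r"""
memory/2232-0-0x00007FF6E8D40000-0x00007FF6E9094000-memory.dmp

memory/2232-1-0x000002969A4D0000-0x000002969A4E0000-memory.dmp

C:\Windows\System\rBwVoOA.exe

MD5 fecf40a92437c8d2668bfbd8e4db5134
SHA1 995e231884edc0a26e3be50771adecfdcfd84f12
SHA256 97bdcdeb726dff3e63e7d161079a3b12e8bfa289e3c155968656a6018f8bbde9
SHA512 22928daf561cd9d2646ec5e7f40b64807c9d82b27a6b8bc72935fb05657307f237d81215f4cf5cfe85dcd0256f4353f12047841d00fac445942b8ee278c04841

memory/3796-6-0x00007FF7D0880000-0x00007FF7D0BD4000-memory.dmp

C:\Windows\System\lVHkoIu.exe

MD5 51ec5969ec165429cb514a6c0462e918
SHA1 d000cf6cd61d7678fa15157e71df14574e5f5e49
SHA256 e15723dd3fc82067522eaff359155033579f898a09ef18ec906ae37974c37e2b
SHA512 041fab45ff7249e335b2662c1b7243454e5b6d3e0cd4cedaeed1ab56b0cd7ce6b3c23b33c9616da7d9cfda9857be0ee4c430d799c280929564cbe0bbc34df0d4
"""

REGION_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9A-Fa-f]+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def is_valid_hash(algo, hexdigest):
    """Reject truncated or padded digests before they reach a blocklist."""
    return HEX_LEN.get(algo) == len(hexdigest)


def parse_files_section(text):
    """Return (files, regions). files: [{'path', 'hashes': {algo: hex}}];
    regions: [{'pid', 'index', 'start', 'end'}]. Hash lines attach to the
    most recent path line; a hash line with no preceding path is an error."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REGION_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            regions.append({"pid": int(pid), "index": int(idx),
                            "start": int(start, 16), "end": int(end, 16)})
            current = None  # a dump line ends the previous file's hash block
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError(f"hash line without a file path: {line!r}")
            if not is_valid_hash(algo, digest):
                raise ValueError(f"{algo} digest has wrong length on {current['path']}")
            current["hashes"][algo] = digest
            continue
        current = {"path": line, "hashes": {}}  # anything else is a dropped-file path
        files.append(current)
    return files, regions


def region_size_groups(regions):
    """Map mapped-region size -> set of PIDs that had a region of that size.
    Many PIDs sharing one size is a hint (not proof) that the same image layout
    was loaded under different file names."""
    groups = defaultdict(set)
    for r in regions:
        groups[r["end"] - r["start"]].add(r["pid"])
    return dict(groups)


def ioc_digests(files, algo="SHA256"):
    """Sorted, de-duplicated digests of one algorithm, ready for a blocklist."""
    return sorted({f["hashes"][algo] for f in files if algo in f["hashes"]})


if __name__ == "__main__":
    files, regions = parse_files_section(SAMPLE)
    for size, pids in sorted(region_size_groups(regions).items(), reverse=True):
        print(f"0x{size:X} bytes in PIDs {sorted(pids)}")
    print("\n".join(ioc_digests(files)))
```

Run over the whole section, every main-image region in this report (PID 2232 and each of the spawned children) comes out at 0x354000 bytes, while the per-file MD5/SHA1/SHA256 values differ from one dropped executable to the next. Equal mapped size therefore points to a shared image layout, not to byte-identical files, which is why the hash list, not the region size, is what should go into a blocklist.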