Malware Analysis Report

2024-10-24 18:11

Sample ID 240629-hn6veawcqn
Target 2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat
SHA256 d7f139448a4fe00f4992a8dbeb8a6f48869080091be6b203b66ba0e2b888e79b
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Cobaltstrike family

Cobalt Strike reflective loader

Cobaltstrike

xmrig

UPX dump on OEP (original entry point)

XMRig Miner payload

Detects Reflective DLL injection artifacts

Xmrig family

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-29 06:54

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-29 06:54

Reported

2024-06-29 06:56

Platform

win7-20231129-en

Max time kernel

137s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
(the same entry is logged 21 times for this process)

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\DnvENpr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GKoLgYD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\haRHsaH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FCbOCdF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ocxPJaq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kHNzAeX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WvAlYoJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gZkqEUk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SRhnJaE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AhxZddD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OcJwozm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mXDhMDz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ybDixph.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Pdefkxy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IEGesfe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KCBRItS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kNxfakh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FeMHIoi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qoVgFNr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ynbNDLe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bUtgNgh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1404 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qoVgFNr.exe
PID 1404 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ynbNDLe.exe
PID 1404 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ybDixph.exe
PID 1404 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bUtgNgh.exe
PID 1404 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gZkqEUk.exe
PID 1404 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Pdefkxy.exe
PID 1404 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IEGesfe.exe
PID 1404 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DnvENpr.exe
PID 1404 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SRhnJaE.exe
PID 1404 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AhxZddD.exe
PID 1404 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\haRHsaH.exe
PID 1404 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FCbOCdF.exe
PID 1404 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mXDhMDz.exe
PID 1404 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ocxPJaq.exe
PID 1404 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KCBRItS.exe
PID 1404 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kHNzAeX.exe
PID 1404 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WvAlYoJ.exe
PID 1404 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kNxfakh.exe
PID 1404 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GKoLgYD.exe
PID 1404 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OcJwozm.exe
PID 1404 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FeMHIoi.exe
(each target is logged three times in the raw output; one row per target is shown)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe"

Child processes (command line identical to the image path):

C:\Windows\System\qoVgFNr.exe
C:\Windows\System\ynbNDLe.exe
C:\Windows\System\ybDixph.exe
C:\Windows\System\bUtgNgh.exe
C:\Windows\System\gZkqEUk.exe
C:\Windows\System\Pdefkxy.exe
C:\Windows\System\IEGesfe.exe
C:\Windows\System\DnvENpr.exe
C:\Windows\System\SRhnJaE.exe
C:\Windows\System\AhxZddD.exe
C:\Windows\System\haRHsaH.exe
C:\Windows\System\FCbOCdF.exe
C:\Windows\System\mXDhMDz.exe
C:\Windows\System\ocxPJaq.exe
C:\Windows\System\KCBRItS.exe
C:\Windows\System\kHNzAeX.exe
C:\Windows\System\WvAlYoJ.exe
C:\Windows\System\kNxfakh.exe
C:\Windows\System\GKoLgYD.exe
C:\Windows\System\OcJwozm.exe
C:\Windows\System\FeMHIoi.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
(the same connection is logged 6 times; no domain was recorded)

Files

\Windows\system\qoVgFNr.exe

\Windows\system\ybDixph.exe


C:\Windows\system\ynbNDLe.exe


C:\Windows\system\bUtgNgh.exe


\Windows\system\gZkqEUk.exe


C:\Windows\system\Pdefkxy.exe


C:\Windows\system\IEGesfe.exe


\Windows\system\DnvENpr.exe


\Windows\system\SRhnJaE.exe


\Windows\system\AhxZddD.exe


C:\Windows\system\haRHsaH.exe


C:\Windows\system\FCbOCdF.exe


C:\Windows\system\ocxPJaq.exe


C:\Windows\system\kHNzAeX.exe


C:\Windows\system\OcJwozm.exe


\Windows\system\FeMHIoi.exe

MD5 f5484c3a7bd2ae22b9e5d859210728b6
SHA1 387a0322eea70fa0e23a16dbf1608c4b67620fa9
SHA256 e3f01d7e96fa093980fac500cccc64e7cc7e77ebbcd0a669cfc55863a4dfbc2a
SHA512 00e9ccd5646f00d74af4abc8874ddd780e83c6154e5a1a53454ee7a053084b314778d33cad0b09a069d90249d1e2d18354868427f53a447419e855466f9778d9

C:\Windows\system\kNxfakh.exe

MD5 9d8db93574d546a9b6517f8206f8c5d0
SHA1 3183afdf801cd7f1a234a9e0c90ad35d8cb60f9a
SHA256 54d4941e2fd996481f263c4024fbc0e243c3d6fbef85e148929c012ab5ab9eb1
SHA512 06d11bb8550fac0cf62d49039079215f772b5bdeff3599198d24ce270ff466c62132cc6a5b8b91331f3e347647498fea90d8bac79c634663c8a6d0cf18f0ce76

\Windows\system\GKoLgYD.exe

MD5 3178488a76bda55d79b77779eb83e5a0
SHA1 b78d9dbaa0e2ae14e0c795ff8feab25c388d64f8
SHA256 118aab608a94c94021231854b5dcb94d3f08c67ac03874e1a8c22644073b4ae2
SHA512 b9dcee34374eeea9263837cdfd1e760c938e5df59b94acc4796610354a7aa0c9393f06302d52674d956f20f3c7afe78ab2c1a181a7789b36e19adb9fcbbf3c8f

memory/2564-108-0x000000013FE50000-0x00000001401A4000-memory.dmp

\Windows\system\WvAlYoJ.exe

MD5 253a26298444952b43ab9878f8c541c0
SHA1 2c27cb172f863d5edf1279af9cfe7933fc8e4ded
SHA256 095f317c3f47e88429b4446a90ef27385dc406c3bbd38099b0a16fa518191c06
SHA512 fe2ef4ff07adb6bb83d5c388ae8eb398f6a5d53f2821bc938f43375f6c20e8c6aa179f3cbafa785dc53f66e83a1eb4181f5ccbbe1c3fa138d7d5906fe165e0fe

memory/2960-100-0x000000013FFD0000-0x0000000140324000-memory.dmp

C:\Windows\system\KCBRItS.exe

MD5 b2d1fca371a287532ac5359bf28e07ba
SHA1 774233e9bb34818f9fe880b3cd6af8ddfb85e756
SHA256 d12d4a0b87f9b1fe4f2bf98312d89fb8d78b3708bffe95e9cdcf61637d4aa00b
SHA512 53fb30060516700e74282796004a824451a6ef106f297a4b474869294596126a390a6af07bebbca4c03ebb6cee808ef92b0ed7ba739188d2d36149c41ed4e83a

memory/2084-112-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/1404-95-0x000000013F680000-0x000000013F9D4000-memory.dmp

memory/1404-92-0x000000013FFD0000-0x0000000140324000-memory.dmp

memory/2600-91-0x000000013F610000-0x000000013F964000-memory.dmp

memory/1404-89-0x0000000002340000-0x0000000002694000-memory.dmp

C:\Windows\system\mXDhMDz.exe

MD5 cbb0db6f8d7a126ba8ca1eb6a90ac767
SHA1 596df1f7b77027c205a2aa3c4b3406550b67cd55
SHA256 def6aa256b07be1f36f9d238dd642c3db9384006751d0ee51f073b72add29d7b
SHA512 db0f5b838d2edeb716e8872ffce5f53f412c3d5d16aed3cc1697455db2410872479c0299bd53a94c6d50e7483e76960ce3e1930ae4eb9a01bcbe15279de5361a

memory/2764-87-0x000000013F210000-0x000000013F564000-memory.dmp

memory/2516-86-0x000000013FCC0000-0x0000000140014000-memory.dmp

memory/1404-85-0x000000013FCC0000-0x0000000140014000-memory.dmp

memory/2592-135-0x000000013FF30000-0x0000000140284000-memory.dmp

memory/1404-137-0x0000000002340000-0x0000000002694000-memory.dmp

memory/1404-138-0x000000013FBC0000-0x000000013FF14000-memory.dmp

memory/1404-139-0x000000013FFD0000-0x0000000140324000-memory.dmp

memory/2216-140-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/1712-142-0x000000013F750000-0x000000013FAA4000-memory.dmp

memory/3060-141-0x000000013F400000-0x000000013F754000-memory.dmp

memory/2164-143-0x000000013FF30000-0x0000000140284000-memory.dmp

memory/2600-144-0x000000013F610000-0x000000013F964000-memory.dmp

memory/2564-145-0x000000013FE50000-0x00000001401A4000-memory.dmp

memory/2592-146-0x000000013FF30000-0x0000000140284000-memory.dmp

memory/1568-147-0x000000013F180000-0x000000013F4D4000-memory.dmp

memory/1904-148-0x000000013F5F0000-0x000000013F944000-memory.dmp

memory/2456-149-0x000000013FBC0000-0x000000013FF14000-memory.dmp

memory/2516-150-0x000000013FCC0000-0x0000000140014000-memory.dmp

memory/2764-151-0x000000013F210000-0x000000013F564000-memory.dmp

memory/2960-152-0x000000013FFD0000-0x0000000140324000-memory.dmp

memory/2084-153-0x000000013F680000-0x000000013F9D4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-29 06:54

Reported

2024-06-29 06:56

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows; no description, indicator, process or target recorded for any match)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows; no description, indicator, process or target recorded for any match)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; no description, indicator, process or target recorded for any match)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; no description, indicator, process or target recorded for any match)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; no description, indicator, process or target recorded for any match)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ybDixph.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DnvENpr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AhxZddD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FCbOCdF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kHNzAeX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FeMHIoi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bUtgNgh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SRhnJaE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\haRHsaH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WvAlYoJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kNxfakh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GKoLgYD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qoVgFNr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ynbNDLe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gZkqEUk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Pdefkxy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ocxPJaq.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IEGesfe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mXDhMDz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KCBRItS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OcJwozm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3648 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qoVgFNr.exe
PID 3648 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qoVgFNr.exe
PID 3648 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ynbNDLe.exe
PID 3648 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ynbNDLe.exe
PID 3648 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ybDixph.exe
PID 3648 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ybDixph.exe
PID 3648 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bUtgNgh.exe
PID 3648 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bUtgNgh.exe
PID 3648 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gZkqEUk.exe
PID 3648 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gZkqEUk.exe
PID 3648 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Pdefkxy.exe
PID 3648 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Pdefkxy.exe
PID 3648 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IEGesfe.exe
PID 3648 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IEGesfe.exe
PID 3648 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DnvENpr.exe
PID 3648 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DnvENpr.exe
PID 3648 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SRhnJaE.exe
PID 3648 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SRhnJaE.exe
PID 3648 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AhxZddD.exe
PID 3648 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AhxZddD.exe
PID 3648 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\haRHsaH.exe
PID 3648 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\haRHsaH.exe
PID 3648 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FCbOCdF.exe
PID 3648 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FCbOCdF.exe
PID 3648 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mXDhMDz.exe
PID 3648 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mXDhMDz.exe
PID 3648 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ocxPJaq.exe
PID 3648 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ocxPJaq.exe
PID 3648 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KCBRItS.exe
PID 3648 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KCBRItS.exe
PID 3648 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kHNzAeX.exe
PID 3648 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kHNzAeX.exe
PID 3648 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WvAlYoJ.exe
PID 3648 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WvAlYoJ.exe
PID 3648 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kNxfakh.exe
PID 3648 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kNxfakh.exe
PID 3648 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GKoLgYD.exe
PID 3648 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GKoLgYD.exe
PID 3648 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OcJwozm.exe
PID 3648 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OcJwozm.exe
PID 3648 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FeMHIoi.exe
PID 3648 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FeMHIoi.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\qoVgFNr.exe

C:\Windows\System\qoVgFNr.exe

C:\Windows\System\ynbNDLe.exe

C:\Windows\System\ynbNDLe.exe

C:\Windows\System\ybDixph.exe

C:\Windows\System\ybDixph.exe

C:\Windows\System\bUtgNgh.exe

C:\Windows\System\bUtgNgh.exe

C:\Windows\System\gZkqEUk.exe

C:\Windows\System\gZkqEUk.exe

C:\Windows\System\Pdefkxy.exe

C:\Windows\System\Pdefkxy.exe

C:\Windows\System\IEGesfe.exe

C:\Windows\System\IEGesfe.exe

C:\Windows\System\DnvENpr.exe

C:\Windows\System\DnvENpr.exe

C:\Windows\System\SRhnJaE.exe

C:\Windows\System\SRhnJaE.exe

C:\Windows\System\AhxZddD.exe

C:\Windows\System\AhxZddD.exe

C:\Windows\System\haRHsaH.exe

C:\Windows\System\haRHsaH.exe

C:\Windows\System\FCbOCdF.exe

C:\Windows\System\FCbOCdF.exe

C:\Windows\System\mXDhMDz.exe

C:\Windows\System\mXDhMDz.exe

C:\Windows\System\ocxPJaq.exe

C:\Windows\System\ocxPJaq.exe

C:\Windows\System\KCBRItS.exe

C:\Windows\System\KCBRItS.exe

C:\Windows\System\kHNzAeX.exe

C:\Windows\System\kHNzAeX.exe

C:\Windows\System\WvAlYoJ.exe

C:\Windows\System\WvAlYoJ.exe

C:\Windows\System\kNxfakh.exe

C:\Windows\System\kNxfakh.exe

C:\Windows\System\GKoLgYD.exe

C:\Windows\System\GKoLgYD.exe

C:\Windows\System\OcJwozm.exe

C:\Windows\System\OcJwozm.exe

C:\Windows\System\FeMHIoi.exe

C:\Windows\System\FeMHIoi.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/3648-0-0x00007FF797E40000-0x00007FF798194000-memory.dmp

memory/3648-1-0x0000021FA6520000-0x0000021FA6530000-memory.dmp

C:\Windows\System\qoVgFNr.exe

MD5 de5373eec9d13605217fd2de94229711
SHA1 cb996148af8401dec01d301253810bc27d213e6c
SHA256 a2427bc91389da5d07c358099d26ecb9fd0873bcdab1445d07d42c2f2b7579a6
SHA512 209ecfc3b0a5b9c6afc05930c0ad7b4a0331d11beb9cb23dd0f4bf74a94aaaf7019a3d70b637f89d5a00c70d6213a937545c2dec8e236888f62768467de8f6d1

memory/4772-8-0x00007FF6A7F50000-0x00007FF6A82A4000-memory.dmp

C:\Windows\System\ynbNDLe.exe

MD5 84b6cc9f4c634c6a959a75da61fd654d
SHA1 7b3fca6fc95c2f0dc3f9f55a9e498089de509875
SHA256 33a1109c3d0dd87c9b07fd75bd652ffdd7b23163b8c133f51c8b5a5cdf3dac15
SHA512 f1cf4bff48442acff69addbb96aa79b3d467ecbb6567dff5c5d8abc9f2852607aaea9660ed6d336852d1647176412442ec6b0580f59da6293f16fc5629b0f4a3

C:\Windows\System\ybDixph.exe

MD5 2fcdaaddd670f36dfdeb85359364fb7c
SHA1 ff76309c52835cb73859c92036afef6db3ba3dd0
SHA256 92709d4411c142b1d8e3b63e9f6a7bfdd5c2e36134d6e4f1c40695dd41e008ac
SHA512 035a9179969e927cbc80d00ec4f7e45061d14d2bf6e01b43ba9779237f1fc4e7a03820372551c90556e9cca1f7219657856b955ac851931d982c9b13f8ea1915

memory/2952-14-0x00007FF6949B0000-0x00007FF694D04000-memory.dmp

memory/3336-19-0x00007FF724480000-0x00007FF7247D4000-memory.dmp

C:\Windows\System\bUtgNgh.exe

MD5 219598b59571ad85d2eae26a700d098e
SHA1 8c8552c5fed2d9af5da03bc1f4a62af9c4ad2bdb
SHA256 0ef23139ba335f35f2b921e10d236e30ad7dd2b5eb0c7f8b38da1d3703f5b025
SHA512 3488b9676d9d81d109daef5da01e914354d696475e0f0946c34e8b614b934650c22c534b70b932a77c2c48f2ab148f66689b9d52569aa7e534aad4f2f28bf48d

memory/1552-26-0x00007FF608E30000-0x00007FF609184000-memory.dmp

C:\Windows\System\gZkqEUk.exe

MD5 3820243ca0c4dd58b300d2e9c118944b
SHA1 12b6bcc314247a413cd5c6d479f14b1eb02d1af2
SHA256 945e7a3da0d69f06f7dba438da9a4820f36d8ce16297936b4834ea1c142e4489
SHA512 bbf0ee909c0bf941e2c4b8f4df4c9b15605c78c6f556f90fac4630fdec89f5fc2b8075173af43946b8c439319d8edfc8464de3e08f31001171715074625cbfbc

memory/960-30-0x00007FF6FDDC0000-0x00007FF6FE114000-memory.dmp

C:\Windows\System\Pdefkxy.exe

MD5 751a680da80bfaaccd15580d3937ba7f
SHA1 53a8fbd8b478c42700a4e1d282ddb749ce8e7051
SHA256 fde523d6f01f713af4030035bad5d1b27c06c1590302edec4381812924fb4aa5
SHA512 32b9aec1877a7db6cdfa674c6e6ddb9307e7caca45f0a796647610de6f6b7b764556fba77870bacd4b8dcafea2651ebcf06c144106bd727dc16fb82ed03d4139

C:\Windows\System\DnvENpr.exe

MD5 c2794f1bf1abda254218174e15a722eb
SHA1 05bb17400b7e6efce2a3e90f8d9774bcaf3ec8f6
SHA256 2067ca1bd426072616cddde411f651520d8ed692430ac9b62c33bce302e7662e
SHA512 c532d78e6f1c87c959a63e414c70583fe86382fed2ee1be8d10d12f83dbe2f897c2952a58dbb471ec5b5873c2b73c74096ea1157bcd473f6d22c650417ac35f2

memory/2872-52-0x00007FF688320000-0x00007FF688674000-memory.dmp

C:\Windows\System\SRhnJaE.exe

MD5 7dce52cd17a2b661d24bd3a4dcc8a0aa
SHA1 fe1d9611db4cb97f1877c0d8a9163602a6168676
SHA256 a1ea41ce246fe0c5acdde97a4863743d6764af93277eb111c1ce24e5fd695dda
SHA512 a657368a4b165aa3ccd7cce45b3ae61206ff9991333e471fa9e6b26718af68423238c6800e6208957ca665c810f9e7f65c6607d553147828b5f86280d023630f

C:\Windows\System\IEGesfe.exe

MD5 2a19ce0ba53738dd22827c44a29ec903
SHA1 641c934cdcebf8bdc0200860ea46fc4a14004e1a
SHA256 dd7988f92a90603f7a94b57fcdcf10613fc5deb7ab3116931cbc47651a46e073
SHA512 0a815499c57bb3ecb45f7888f4c845079dc560c0e46ec083d55fe104587c356258d2d573d1293ee56b9633ee90d952bd183a351d5bb9f23469c57bc1fd7ff62a

C:\Windows\System\AhxZddD.exe

MD5 9c45114be0ff39a3798fd3e9479e9f0b
SHA1 698eed1ebb6ea7b48552477b444fd0959149fe0d
SHA256 bb341d86473e3220d9ffdadb3061bd6381260bd6102ac6f4919af80b25e06db7
SHA512 b084cf7d546cab90a89968cd2c3a0f0e2a9d2ea65cda3acbc9ae321af246b517763dcfc502ece1f7a6d3a0b3057e19b229aca8511a131ca4c5a16ccf6bd52d2c

C:\Windows\System\haRHsaH.exe

MD5 41a9e45873791d2706baf20325a57833
SHA1 76bd016cbaada8c67639423ff325276cf409fb36
SHA256 99f94a063205c6042f77447ebed90a167898f6dd47459b23841bdfeef9832aa3
SHA512 09ee5af6de2df02a58534861b7fe59a38a92e5b451d682d90b62e253c1619d349a2f227c277a1e8f0867c5294fc3fdb45a804bc5b628e4885752d66f3251d66e

memory/1600-65-0x00007FF697230000-0x00007FF697584000-memory.dmp

C:\Windows\System\FCbOCdF.exe

MD5 7ba0e187e61ce5624eda222304abcdf3
SHA1 8232901901af2304155b9ef69d5e114285c593db
SHA256 e5707ab6614fc7525b70bf3a04b91536079a8fc04e67cf7395010d42fd8861d7
SHA512 2f6912f95dc10e918a95618cf04639aab5d0e9ef1c3b67cdc2feebcc466ab6d087b1589dd26c04a951f8ae69db5ec143c21179847f6da0074e9a1265dda0ea2c

memory/2032-74-0x00007FF67E340000-0x00007FF67E694000-memory.dmp

memory/2952-73-0x00007FF6949B0000-0x00007FF694D04000-memory.dmp

memory/2028-69-0x00007FF70A4A0000-0x00007FF70A7F4000-memory.dmp

memory/3648-64-0x00007FF797E40000-0x00007FF798194000-memory.dmp

memory/4544-61-0x00007FF660270000-0x00007FF6605C4000-memory.dmp

memory/996-46-0x00007FF63C120000-0x00007FF63C474000-memory.dmp

memory/3004-40-0x00007FF7C49A0000-0x00007FF7C4CF4000-memory.dmp

C:\Windows\System\mXDhMDz.exe

MD5 cbb0db6f8d7a126ba8ca1eb6a90ac767
SHA1 596df1f7b77027c205a2aa3c4b3406550b67cd55
SHA256 def6aa256b07be1f36f9d238dd642c3db9384006751d0ee51f073b72add29d7b
SHA512 db0f5b838d2edeb716e8872ffce5f53f412c3d5d16aed3cc1697455db2410872479c0299bd53a94c6d50e7483e76960ce3e1930ae4eb9a01bcbe15279de5361a

memory/3336-81-0x00007FF724480000-0x00007FF7247D4000-memory.dmp

C:\Windows\System\ocxPJaq.exe

MD5 26be51fdc474cb18f6cc9b4977af8f8c
SHA1 ce46c273e7d54ffc9ec09d990056c8538f6ef612
SHA256 dcdb4d982ad2501ee94eda15626fc53d14dfd0f5be829978b3ffe56ba0f528b9
SHA512 75c247fcad226a7e500beb481b22d93e15d43c2eaddde8ad5c2c70173380af216650b0d0e6ec233944713ea32a2f53813068a7a463e13f71faeda10e5eaa834f

C:\Windows\System\KCBRItS.exe

MD5 b2d1fca371a287532ac5359bf28e07ba
SHA1 774233e9bb34818f9fe880b3cd6af8ddfb85e756
SHA256 d12d4a0b87f9b1fe4f2bf98312d89fb8d78b3708bffe95e9cdcf61637d4aa00b
SHA512 53fb30060516700e74282796004a824451a6ef106f297a4b474869294596126a390a6af07bebbca4c03ebb6cee808ef92b0ed7ba739188d2d36149c41ed4e83a

C:\Windows\System\kHNzAeX.exe

MD5 108f6fc4417fd998f9febf744b1184af
SHA1 f42e7562c795bff10d2d31830ff0436eb3dc3a08
SHA256 e7dcc090c47f948632e3875773fa299497acca10524c043973d9f5286d7b6580
SHA512 de70ff40c429def4cc9c10c22cf4a9f23b8bc775ca6bc2fe7233f69fd6e15748eca79afa379b288d1fa9a74df3f191018cf4e68140ac186a29940e2e1b6ea38f

memory/4640-98-0x00007FF7C4F30000-0x00007FF7C5284000-memory.dmp

memory/960-95-0x00007FF6FDDC0000-0x00007FF6FE114000-memory.dmp

memory/2432-91-0x00007FF657850000-0x00007FF657BA4000-memory.dmp

memory/3100-84-0x00007FF7C9020000-0x00007FF7C9374000-memory.dmp

memory/4200-104-0x00007FF743860000-0x00007FF743BB4000-memory.dmp

C:\Windows\System\WvAlYoJ.exe

MD5 253a26298444952b43ab9878f8c541c0
SHA1 2c27cb172f863d5edf1279af9cfe7933fc8e4ded
SHA256 095f317c3f47e88429b4446a90ef27385dc406c3bbd38099b0a16fa518191c06
SHA512 fe2ef4ff07adb6bb83d5c388ae8eb398f6a5d53f2821bc938f43375f6c20e8c6aa179f3cbafa785dc53f66e83a1eb4181f5ccbbe1c3fa138d7d5906fe165e0fe

C:\Windows\System\GKoLgYD.exe

MD5 3178488a76bda55d79b77779eb83e5a0
SHA1 b78d9dbaa0e2ae14e0c795ff8feab25c388d64f8
SHA256 118aab608a94c94021231854b5dcb94d3f08c67ac03874e1a8c22644073b4ae2
SHA512 b9dcee34374eeea9263837cdfd1e760c938e5df59b94acc4796610354a7aa0c9393f06302d52674d956f20f3c7afe78ab2c1a181a7789b36e19adb9fcbbf3c8f

C:\Windows\System\kNxfakh.exe

MD5 9d8db93574d546a9b6517f8206f8c5d0
SHA1 3183afdf801cd7f1a234a9e0c90ad35d8cb60f9a
SHA256 54d4941e2fd996481f263c4024fbc0e243c3d6fbef85e148929c012ab5ab9eb1
SHA512 06d11bb8550fac0cf62d49039079215f772b5bdeff3599198d24ce270ff466c62132cc6a5b8b91331f3e347647498fea90d8bac79c634663c8a6d0cf18f0ce76

memory/3388-114-0x00007FF7C5800000-0x00007FF7C5B54000-memory.dmp

C:\Windows\System\OcJwozm.exe

MD5 37e8cd6a78dee02a24c2b641787161d8
SHA1 3c4690aae048230df4a77bdfd299f4465ec92a8e
SHA256 8e1ff747eb7cc2559f54fa2c8caaa507fdd921b83dbb12dec31d37975325a0f4
SHA512 be7bfd31aefce5cfed8eadbf25f8b87d25c9222550d15143eeda369c39ad1dbd33d2532e28275427ad15b246191e032c71c61ddbeff6b6f8a5a70be0f9a92b53

memory/1868-116-0x00007FF6A7BF0000-0x00007FF6A7F44000-memory.dmp

memory/5008-110-0x00007FF6C0450000-0x00007FF6C07A4000-memory.dmp

C:\Windows\System\FeMHIoi.exe

MD5 f5484c3a7bd2ae22b9e5d859210728b6
SHA1 387a0322eea70fa0e23a16dbf1608c4b67620fa9
SHA256 e3f01d7e96fa093980fac500cccc64e7cc7e77ebbcd0a669cfc55863a4dfbc2a
SHA512 00e9ccd5646f00d74af4abc8874ddd780e83c6154e5a1a53454ee7a053084b314778d33cad0b09a069d90249d1e2d18354868427f53a447419e855466f9778d9

memory/4324-126-0x00007FF7BDF70000-0x00007FF7BE2C4000-memory.dmp

memory/4652-131-0x00007FF751CF0000-0x00007FF752044000-memory.dmp

memory/2028-132-0x00007FF70A4A0000-0x00007FF70A7F4000-memory.dmp

memory/3100-133-0x00007FF7C9020000-0x00007FF7C9374000-memory.dmp

memory/5008-134-0x00007FF6C0450000-0x00007FF6C07A4000-memory.dmp

memory/3388-135-0x00007FF7C5800000-0x00007FF7C5B54000-memory.dmp

memory/1868-136-0x00007FF6A7BF0000-0x00007FF6A7F44000-memory.dmp

memory/4772-137-0x00007FF6A7F50000-0x00007FF6A82A4000-memory.dmp

memory/2952-138-0x00007FF6949B0000-0x00007FF694D04000-memory.dmp

memory/3336-139-0x00007FF724480000-0x00007FF7247D4000-memory.dmp

memory/1552-140-0x00007FF608E30000-0x00007FF609184000-memory.dmp

memory/960-141-0x00007FF6FDDC0000-0x00007FF6FE114000-memory.dmp

memory/3004-142-0x00007FF7C49A0000-0x00007FF7C4CF4000-memory.dmp

memory/996-143-0x00007FF63C120000-0x00007FF63C474000-memory.dmp

memory/2872-144-0x00007FF688320000-0x00007FF688674000-memory.dmp

memory/1600-145-0x00007FF697230000-0x00007FF697584000-memory.dmp

memory/4544-146-0x00007FF660270000-0x00007FF6605C4000-memory.dmp

memory/2032-147-0x00007FF67E340000-0x00007FF67E694000-memory.dmp

memory/2028-148-0x00007FF70A4A0000-0x00007FF70A7F4000-memory.dmp

memory/3100-149-0x00007FF7C9020000-0x00007FF7C9374000-memory.dmp

memory/2432-150-0x00007FF657850000-0x00007FF657BA4000-memory.dmp

memory/4640-151-0x00007FF7C4F30000-0x00007FF7C5284000-memory.dmp

memory/4200-152-0x00007FF743860000-0x00007FF743BB4000-memory.dmp

memory/5008-153-0x00007FF6C0450000-0x00007FF6C07A4000-memory.dmp

memory/3388-154-0x00007FF7C5800000-0x00007FF7C5B54000-memory.dmp

memory/4324-155-0x00007FF7BDF70000-0x00007FF7BE2C4000-memory.dmp

memory/1868-156-0x00007FF6A7BF0000-0x00007FF6A7F44000-memory.dmp

memory/4652-157-0x00007FF751CF0000-0x00007FF752044000-memory.dmp