Malware Analysis Report

2024-10-24 18:12

Sample ID 240629-hrev4ashle
Target 2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat
SHA256 31b4900742c7817b1772984763d0a05d4bd4f5c9580f72ba00a89a84cfbb3424
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

31b4900742c7817b1772984763d0a05d4bd4f5c9580f72ba00a89a84cfbb3424

Threat Level: Known bad

The file 2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobaltstrike family

Cobalt Strike reflective loader

xmrig

Xmrig family

Cobaltstrike

XMRig Miner payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-29 06:57

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-29 06:57

Reported

2024-06-29 07:00

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\GPJtLrX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hyLiplr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mqbAmsP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dPBjinJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jWzHtWY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OStnhog.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lzOYTyo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zAqhync.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qNZUzVH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iFMJYAB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FSufaEp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gpZnjdO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MvVRqaw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pjSisze.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pmUkfSZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tLoqfqO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KPzbgFJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JcfxDSR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mKkYyVF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HCOkrQh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZRXPWzA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3100 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dPBjinJ.exe
PID 3100 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dPBjinJ.exe
PID 3100 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MvVRqaw.exe
PID 3100 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MvVRqaw.exe
PID 3100 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pjSisze.exe
PID 3100 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pjSisze.exe
PID 3100 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jWzHtWY.exe
PID 3100 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jWzHtWY.exe
PID 3100 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OStnhog.exe
PID 3100 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OStnhog.exe
PID 3100 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lzOYTyo.exe
PID 3100 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lzOYTyo.exe
PID 3100 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pmUkfSZ.exe
PID 3100 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pmUkfSZ.exe
PID 3100 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qNZUzVH.exe
PID 3100 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qNZUzVH.exe
PID 3100 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JcfxDSR.exe
PID 3100 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JcfxDSR.exe
PID 3100 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mKkYyVF.exe
PID 3100 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mKkYyVF.exe
PID 3100 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zAqhync.exe
PID 3100 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zAqhync.exe
PID 3100 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iFMJYAB.exe
PID 3100 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iFMJYAB.exe
PID 3100 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GPJtLrX.exe
PID 3100 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GPJtLrX.exe
PID 3100 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FSufaEp.exe
PID 3100 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FSufaEp.exe
PID 3100 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hyLiplr.exe
PID 3100 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hyLiplr.exe
PID 3100 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tLoqfqO.exe
PID 3100 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tLoqfqO.exe
PID 3100 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HCOkrQh.exe
PID 3100 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HCOkrQh.exe
PID 3100 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gpZnjdO.exe
PID 3100 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gpZnjdO.exe
PID 3100 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mqbAmsP.exe
PID 3100 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mqbAmsP.exe
PID 3100 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KPzbgFJ.exe
PID 3100 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KPzbgFJ.exe
PID 3100 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZRXPWzA.exe
PID 3100 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZRXPWzA.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\dPBjinJ.exe

C:\Windows\System\MvVRqaw.exe

C:\Windows\System\pjSisze.exe

C:\Windows\System\jWzHtWY.exe

C:\Windows\System\OStnhog.exe

C:\Windows\System\lzOYTyo.exe

C:\Windows\System\pmUkfSZ.exe

C:\Windows\System\qNZUzVH.exe

C:\Windows\System\JcfxDSR.exe

C:\Windows\System\mKkYyVF.exe

C:\Windows\System\zAqhync.exe

C:\Windows\System\iFMJYAB.exe

C:\Windows\System\GPJtLrX.exe

C:\Windows\System\FSufaEp.exe

C:\Windows\System\hyLiplr.exe

C:\Windows\System\tLoqfqO.exe

C:\Windows\System\HCOkrQh.exe

C:\Windows\System\gpZnjdO.exe

C:\Windows\System\mqbAmsP.exe

C:\Windows\System\KPzbgFJ.exe

C:\Windows\System\ZRXPWzA.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2736,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=4188 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\dPBjinJ.exe

C:\Windows\System\MvVRqaw.exe

C:\Windows\System\pjSisze.exe

C:\Windows\System\jWzHtWY.exe

C:\Windows\System\qNZUzVH.exe

C:\Windows\System\JcfxDSR.exe

C:\Windows\System\iFMJYAB.exe

C:\Windows\System\HCOkrQh.exe

C:\Windows\System\ZRXPWzA.exe

C:\Windows\System\KPzbgFJ.exe

C:\Windows\System\mqbAmsP.exe

C:\Windows\System\gpZnjdO.exe

C:\Windows\System\tLoqfqO.exe

C:\Windows\System\hyLiplr.exe

C:\Windows\System\FSufaEp.exe

C:\Windows\System\GPJtLrX.exe

C:\Windows\System\zAqhync.exe

C:\Windows\System\mKkYyVF.exe

C:\Windows\System\pmUkfSZ.exe

C:\Windows\System\lzOYTyo.exe

C:\Windows\System\OStnhog.exe

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-29 06:57

Reported

2024-06-29 07:00

Platform

win7-20240221-en

Max time kernel

137s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\pmUkfSZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HCOkrQh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mqbAmsP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZRXPWzA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MvVRqaw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pjSisze.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OStnhog.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lzOYTyo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iFMJYAB.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hyLiplr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gpZnjdO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dPBjinJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jWzHtWY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JcfxDSR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zAqhync.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FSufaEp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tLoqfqO.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qNZUzVH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mKkYyVF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GPJtLrX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KPzbgFJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2172 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dPBjinJ.exe
PID 2172 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MvVRqaw.exe
PID 2172 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pjSisze.exe
PID 2172 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jWzHtWY.exe
PID 2172 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OStnhog.exe
PID 2172 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lzOYTyo.exe
PID 2172 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pmUkfSZ.exe
PID 2172 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qNZUzVH.exe
PID 2172 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JcfxDSR.exe
PID 2172 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mKkYyVF.exe
PID 2172 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zAqhync.exe
PID 2172 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iFMJYAB.exe
PID 2172 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GPJtLrX.exe
PID 2172 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FSufaEp.exe
PID 2172 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hyLiplr.exe
PID 2172 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tLoqfqO.exe
PID 2172 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HCOkrQh.exe
PID 2172 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gpZnjdO.exe
PID 2172 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mqbAmsP.exe
PID 2172 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KPzbgFJ.exe
PID 2172 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZRXPWzA.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\dPBjinJ.exe

C:\Windows\System\dPBjinJ.exe

C:\Windows\System\MvVRqaw.exe

C:\Windows\System\MvVRqaw.exe

C:\Windows\System\pjSisze.exe

C:\Windows\System\pjSisze.exe

C:\Windows\System\jWzHtWY.exe

C:\Windows\System\jWzHtWY.exe

C:\Windows\System\OStnhog.exe

C:\Windows\System\OStnhog.exe

C:\Windows\System\lzOYTyo.exe

C:\Windows\System\lzOYTyo.exe

C:\Windows\System\pmUkfSZ.exe

C:\Windows\System\pmUkfSZ.exe

C:\Windows\System\qNZUzVH.exe

C:\Windows\System\qNZUzVH.exe

C:\Windows\System\JcfxDSR.exe

C:\Windows\System\JcfxDSR.exe

C:\Windows\System\mKkYyVF.exe

C:\Windows\System\mKkYyVF.exe

C:\Windows\System\zAqhync.exe

C:\Windows\System\zAqhync.exe

C:\Windows\System\iFMJYAB.exe

C:\Windows\System\iFMJYAB.exe

C:\Windows\System\GPJtLrX.exe

C:\Windows\System\GPJtLrX.exe

C:\Windows\System\FSufaEp.exe

C:\Windows\System\FSufaEp.exe

C:\Windows\System\hyLiplr.exe

C:\Windows\System\hyLiplr.exe

C:\Windows\System\tLoqfqO.exe

C:\Windows\System\tLoqfqO.exe

C:\Windows\System\HCOkrQh.exe

C:\Windows\System\HCOkrQh.exe

C:\Windows\System\gpZnjdO.exe

C:\Windows\System\gpZnjdO.exe

C:\Windows\System\mqbAmsP.exe

C:\Windows\System\mqbAmsP.exe

C:\Windows\System\KPzbgFJ.exe

C:\Windows\System\KPzbgFJ.exe

C:\Windows\System\ZRXPWzA.exe

C:\Windows\System\ZRXPWzA.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

C:\Windows\system\dPBjinJ.exe

MD5 f0a06c8e5a5f1b84900b6b63ecd41a9d
SHA1 0e5a87db07b57547a510e6975b2a01258183d6da
SHA256 5be0232c00fca70d642503b0d523e618fd4256f382bff07b3329615323c6e26c
SHA512 baeebf8d3afd701914d85f1c9a312234f95134bd289570b9a4fe6ee0ce5f429493560c983bfd9426aca8e80616e419cd893049fe212c4c43ae011f17fc06a895

\Windows\system\MvVRqaw.exe

MD5 558f3be622ab6913c6b3e9147bb6ae19
SHA1 6d3ed2d1f2f401eb10536df1717b43c0de7ec331
SHA256 44bd2566927fd690a6736888383d9a4960710a10ee00a2a77a763bde6daa1b28
SHA512 e9aa479dafd5a2bac968f68e9f72514d3ce07e82c8a4418ca23037e2c75a80748cef85b471e243ed08a31215e1ec62551c264620d8416d10ace196e649c03d44

C:\Windows\system\pjSisze.exe

MD5 b6276dcd064471eb48d753e6557b073e
SHA1 a148c405fd4dc2a7ca555c99f75aa9ac3f7e3641
SHA256 98fe3af1e223d714a2d6d051b33b179b5865a518e0f6d7307ec5721681a04423
SHA512 06abc93ca5c367a9e4860f28f66c20dfc7700d411a5e858f0bd40d78c03d99e9e8bd7f15dea151b0568b8b2e367727fc2e4385ea90edb7f382c111401320ef54

C:\Windows\system\jWzHtWY.exe

MD5 9a38d01e0b181e0b6079c4b39eb7deb1
SHA1 d8a75c9e6554dd047cca2264eb4d46b46a57f38d
SHA256 f0d5f37dd6b62f4f9873ce70f68494c8855fba71df02f62abcefc260c8a8cf32
SHA512 54061a2bd598cbdb06dc26ef938fdb03bea912dc33a94c74fa403bc62ed2bee53279c8dc8c60da01ee0d4b11bb93f25735f6320db6ee7c129b8c1e3a1b9d3c8f

\Windows\system\OStnhog.exe

MD5 9c88bde4cd903853e890dc3ead4f1087
SHA1 366c0114a7412433aaa26313325aa74452f130f8
SHA256 3b6c30785dd1f9deb79b62d3a78884e140f4b7516d55953a71bb38cdb067c127
SHA512 0a1f67a5be5c84e1be24232fc3faca7388ef499da6d119a7ba9479c003a9a49cb3fc8324c590b12ac07f4d96b6b9e3b209e589b272db596863995cf8cff6b9e6

C:\Windows\system\lzOYTyo.exe

MD5 e5f000530419cb3da9e22ff850f62a86
SHA1 c1e01a8a0fe7332101a61e84b40d3b48524de9de
SHA256 29e611ec24b9278365257ac9426bed7ba0b449272abd8c9cc693fd049d5995a3
SHA512 d0ae551e3b564d0b28cf1b655ab2e48c1ba17ce9895bdb792012233b07f79b05275d145eadd2211df95524e562cebf1fc96102955cf5c0f72994b396005770e4

\Windows\system\pmUkfSZ.exe

MD5 15c77185a20361e32e46bb1ddd0e1182
SHA1 d5b9693fc5a5ab0ee2611968fa7f9a218a4c3903
SHA256 d69a8f42931bee1c90e1f119eb287a2f1d930485c6ec8ffc251d34e3219ab3f1
SHA512 6de4fee1f2b8b4a6e59658f9b8117c190b108ff950795238e3f4c8bf805e53582fce8461a1b995f5ca4e29063d2ad08955ff2a0d7732da47202c5d75e9f31cfb

C:\Windows\system\qNZUzVH.exe

MD5 8b6ff434545b856413505cf3c9bf8d1f
SHA1 7a509a2f415fbfa8a63c7607e764019a176574d3
SHA256 88f6cb8bd7e70d95456ec6ac9761720e9169f505f1882e0e3c58ef6317af640c
SHA512 ebdccedcc0be2ae03728a4501ddfbb1fa0458e067d3571ae5ff1573f005a5deff5b936571e9172bff815bb51a9c8e15a25914308b9a3e01a947c4068620f2c27

\Windows\system\mKkYyVF.exe

MD5 36c6e7c7a978e45d320aa67e8f9e042c
SHA1 89dd36abddfee7a4224c943f1714643172c03dd3
SHA256 01eced5d3fee1110d6a6cb10d27ec36235bf12b07352065fd220a7b4f729ac9f
SHA512 9b2915c877d1824e9d48cc8fb4509efc4a7bc2ec3c085a9fbcc00304ca97765dd631ebbcd1f959135ccd99dd85457cf61b71aa54e8b893fbecf4ec9200fbb8b3

C:\Windows\system\zAqhync.exe

MD5 3930869b2c530758aac63d3cf8cdf11b
SHA1 6315336a21b35224a2020bc24469bb484c7927bd
SHA256 10c8d2ab251bfe245c505c36ed8f818573287b65858b823c551916eee6d26dcc
SHA512 1940b32f0f53c2192e013ad6b2fd1ad349fd31993948544c99d478174cc57e267d3a0909baf8bfa9fbb5e6fae473adb3bcde2a8f35616a35ac54a9617f4ce128

C:\Windows\system\FSufaEp.exe

MD5 04829796693a4fe9ba67d10a042e1fe6
SHA1 09104e59b481b9c77e85e7e7a843fe8aefb50acc
SHA256 b6c936fd4ae9d9f9484af9848e43f0cdc25b5ee19c269889ead52ace3d7fafa4
SHA512 4dd3af6f2f1cc75e7dd5a02d0383aad62fe992e8d43186eab4cd45409abc5d121639f9659313a3d02933f3c24cdd09af538b6a16bdf7e2ec03c353a11d40012e

C:\Windows\system\gpZnjdO.exe

MD5 a9ea4f700074a532e8c5d9c3f7cb4b8a
SHA1 17bccee444a4f5293f253a80f78886a7ef548031
SHA256 10170adb7c3c069e4357b7b96881fcff68ceaa3016c92f2e97e3f09fda5da921
SHA512 42fba6c68eb12ddb66786a3b94ef5fc2605bed3aff1ce3b11de3795bc20d350c7ad84b2304decf768ecde23d366c8d28440035082ccc2806fed1d33690dd67bc

C:\Windows\system\KPzbgFJ.exe

MD5 2a525c3fcf5069268e4866ad4fe0d4d7
SHA1 fbef09c3073aebf0f964cd20abea04c4c21ccf90
SHA256 994820f4d75829ae5be8af697f15e92bb3c6d1c253631b9ad6710b7736fd600e
SHA512 381d0d706a2eee5d2040a1136e7b3af55c94ac1a86416aec4ac55509d6bd535c1b2f2f755adf2e2514286aae2a1aaed7d0cbebb6e0f1cfddb303ad089ff08e04

\Windows\system\ZRXPWzA.exe

MD5 9a3afb221adaad6c7ae9937523be18b0
SHA1 f10bb1b113b32d66be8a6ce33b3dff11586c7f13
SHA256 93f437530613e6bbbbc4b8df5f9aa99a9866973641dddc8f7ef298eebeaa8b36
SHA512 b79cf7d2c9ccf3649e4301ca4bbbbaa3b3758c8b0a7aab29c634c3aceea9306b480d36215310b2ccab2c952b1672be1a3b61dd70d792ccef28de7ea81a471933

C:\Windows\system\mqbAmsP.exe

MD5 df08956135d699f4011016d9729e501d
SHA1 ecc27ae449be760126f8a3e1b364da5fca1f25d1
SHA256 949677cf6b0608ae4f163decfe821a47840d1a04512289661f6310d90afbe389
SHA512 4d5e88c556b9de11ece8fcbe7b5880fa2cfcc0bccc2caf4d8827c3428beeaf167cff7f22d8cbd0c6d61bbf4dfc690415b571dc520049b71cfcca28d8e7877e31

C:\Windows\system\HCOkrQh.exe

MD5 b0eb70b552e9046438fb65e90f84533a
SHA1 7f554df4c34815684b1cfda900025d498715bdb9
SHA256 116a755fa1e68157604a0514b3d80813a3dd9963d64aa33360cd03c4e76c184d
SHA512 ea21bbc6146acdc284618cc781b934f8f51041e35b6720f9953af57c9c19cde734d413463e085b7318969174092cc580ff7529e214a6e44ad991ca4c22e89073

C:\Windows\system\tLoqfqO.exe

MD5 56da738263d4f6ec21b2a3fa8156e449
SHA1 3a5b84a9d5056bb956b95d280abd9f45522a85c3
SHA256 7b554e14634c830efe44dced703c9b03ad4e4230c51e9211d9eb31203389c72f
SHA512 59c8b9c465fbb7b8de6648c0bfa83a5e6d55f516b4a16b94dbc98c907b6f7b8a3c790b3fdb53014d7b3679017c85820ee9a4324f952efdca8893f57e1b9ab44d

C:\Windows\system\hyLiplr.exe

MD5 9b80b6af17285620c1acc91ccc691587
SHA1 403d6169040e1e8f414774e4ba963113339a5402
SHA256 5775fc3aefedbc6fc943b6a5d5a2c5074be00435dccea1c71990f5f329a232df
SHA512 3eddd501e76e95968d159ac0fd77b2ea183bc21165724438263d9b9d4b204b37fe32667680e5fe39801f1019ec530f9b0c63fa3f82a4cf8ab319dcc17bd1603b

C:\Windows\system\GPJtLrX.exe

MD5 7d7fd01a061fd5a7e89753c368088b08
SHA1 4502b4ca69fc47ee61419cc59cb3c5394ce487db
SHA256 58a8f52e1eced881312ae32d539f8881698431fc7dd1b1e0f12f59879f5cabf2
SHA512 3712103971807d87a792f078932fea72c5ff47d2861e3650eee9dd24e4beffb66b9e3efd8aad3bb116714fbc542f688c3b8158a7f546a35dcfe4d3796b595759

C:\Windows\system\iFMJYAB.exe

MD5 915bc9276f222b8d498f332426e03998
SHA1 e229beadcc5c0dd252f177f08e5589584647bd59
SHA256 7d764e0ce3b2f06abd652c5d628b9730f735367b6f3bbb559eb6b8d070f1b931
SHA512 518532ef02523e734620436a0dc2423185f4a9cd86ca0f3461e2d841e961a91f2102ec3b2dd32aa41187ada97fb983e3c0e96e3449f657374232be80703e6061

\Windows\system\JcfxDSR.exe

MD5 8ca6f1b8da065c8ceabcdc558fe27985
SHA1 96bfcc1ca7af2d373fc3bae99b7898fbf65fa74c
SHA256 6000573e4b82db82a8412329bd3f741c7ca0c92ddc96a5d0d12c346a2be546f2
SHA512 81579a6fcb71e33d4616ae5e1eae059b198b9e5bc66a4173ace283e2f5054abc52d10e4ea816e2ba19babec46fb88595faa58b875cecf160e3b086e8ad866133
