Malware Analysis Report

2024-10-24 18:12

Sample ID 240629-hsjwfashna
Target 2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat
SHA256 83a44075ec09125c07834729e45ef0626088249387be2c14ec9eb550619aaa68
Tags: miner upx 0 xmrig cobaltstrike backdoor trojan
Score: 10/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 83a44075ec09125c07834729e45ef0626088249387be2c14ec9eb550619aaa68

Threat Level: Known bad

The file 2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

xmrig

Cobaltstrike family

XMRig Miner payload

Cobalt Strike reflective loader

Xmrig family

Cobaltstrike

XMRig Miner payload

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-29 06:59

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Xmrig family

xmrig

UPX packed file

upx
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-29 06:59
Reported: 2024-06-29 07:02
Platform: win7-20240611-en
Max time kernel: 135s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ZFePzwc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nYFiuoj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\axfUATw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eUHRaxD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BWTbtcW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PNSreig.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HkRNWAA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NQJflob.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KPKMAiU.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KgFEujg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IZjHHur.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qjpviNe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\viNFWuu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GMhUljt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nHPGvvS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\edmqGEI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CvZYXtS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qKpWZFj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XUdbfpY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IRaXcdb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FmbcYgG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PNSreig.exe
PID 2248 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HkRNWAA.exe
PID 2248 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NQJflob.exe
PID 2248 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qjpviNe.exe
PID 2248 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XUdbfpY.exe
PID 2248 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\viNFWuu.exe
PID 2248 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZFePzwc.exe
PID 2248 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nHPGvvS.exe
PID 2248 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IRaXcdb.exe
PID 2248 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nYFiuoj.exe
PID 2248 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FmbcYgG.exe
PID 2248 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GMhUljt.exe
PID 2248 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\axfUATw.exe
PID 2248 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KgFEujg.exe
PID 2248 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eUHRaxD.exe
PID 2248 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\edmqGEI.exe
PID 2248 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IZjHHur.exe
PID 2248 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BWTbtcW.exe
PID 2248 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KPKMAiU.exe
PID 2248 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CvZYXtS.exe
PID 2248 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qKpWZFj.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\PNSreig.exe
C:\Windows\System\HkRNWAA.exe
C:\Windows\System\NQJflob.exe
C:\Windows\System\qjpviNe.exe
C:\Windows\System\XUdbfpY.exe
C:\Windows\System\viNFWuu.exe
C:\Windows\System\ZFePzwc.exe
C:\Windows\System\nHPGvvS.exe
C:\Windows\System\IRaXcdb.exe
C:\Windows\System\nYFiuoj.exe
C:\Windows\System\FmbcYgG.exe
C:\Windows\System\GMhUljt.exe
C:\Windows\System\axfUATw.exe
C:\Windows\System\KgFEujg.exe
C:\Windows\System\eUHRaxD.exe
C:\Windows\System\edmqGEI.exe
C:\Windows\System\IZjHHur.exe
C:\Windows\System\BWTbtcW.exe
C:\Windows\System\KPKMAiU.exe
C:\Windows\System\CvZYXtS.exe
C:\Windows\System\qKpWZFj.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

\Windows\system\PNSreig.exe

MD5 53fc12ec3d81efc8c79aab5669e5d64f
SHA1 5e0bed5d79ad7ad77696d62e80434097e1cea402
SHA256 ac3b54b59c916413ae68dc74e9c1b28398ea158370a01c2556ee0c4e70fba73b
SHA512 e58409ce660dfc5ad59170de331c526d1214587c19c898b8c0ebc3fb6c722850dff8a35ed1aad30d2c56976961ffa0d4a552323353fb8ca3379dd664c1b64c3c

\Windows\system\HkRNWAA.exe

MD5 4a81ab6e71f0967dae2f083a033604a2
SHA1 85e526181cfadb548e70c7ebebf430fb7783e6e5
SHA256 970f892d32305786e6dfedc164d21191eaf220aabb4c5c2589b7a2a571e4b875
SHA512 a1a4241c2c7558fae901a6f5d9d9315966b4494dacca96c292886bbedf69bd4bef0a10f68af422d9c25052360d8bd17a8f5a9cd41a6da2b8b329db347290ed3f

C:\Windows\system\qjpviNe.exe

MD5 7e261d912c30f8ca89936ca095df8098
SHA1 9e22a592958e3dcd05c63558e035a974fd168652
SHA256 28cfcadcb8cae705f2c7aaefe312cb5cbc9b416e8efe217e85dbbdab30c7283a
SHA512 00bccdebb50e95505c66be60a0243d84f2d74a06afad34327978ba6db7b11d97497278849787b736be81b250c8afd61dd46020a41799855d0d184adad35df43a

\Windows\system\viNFWuu.exe

MD5 75eea773ac44597676c8ab00bd85374a
SHA1 4c6caf2412e2e2f02561fcba39abb14faf256401
SHA256 512d3237aed28b0a0473adf635560effb53dc1d3545e5b3bdd5432d71bb4e376
SHA512 adacbba883afda35a9c2ec173435e4ca49e45d5613bbee6b12cdfa97eebb0409db828ee713826e8991e6963c587fd178ba18a93ff9b23a57c41f3cc50a79ed11

\Windows\system\axfUATw.exe

MD5 3eb7241ed876921bdc42ca398e3c647c
SHA1 36eb61b1ddb8e426eac7b228513c731c472ae6bf
SHA256 61682b9ad9c9cdc2eb2803659e367b8a767f549b7f9f3c7d1d62a55b10a125b1
SHA512 33c30af63819666e3cbc24b1a9d25f0187c7b71e627300d6cbfbb6a09e3d5e3c6a5fb1bd32b8cb247dbf6a3f6d693925477f141a0c76b2d97c4383eda3cefab3

\Windows\system\GMhUljt.exe

MD5 4251acf718104c0c0bd1e25d28952c38
SHA1 35d85b1a9221acc5f148f5ee00ecb57de23f1f46
SHA256 a3c311ebdb4375386dd03e7cb406498d7680f83d9fa33699695e74f11164e0c8
SHA512 972f9726d43317da2d50ad2754ecfdbc53d862117e163f0c9f25d713de470d48aa5c3e6ee5958c9c5bf9dcd36b354175b51efea1944bef61c6cb6757c56ed365

C:\Windows\system\edmqGEI.exe

MD5 287a483b2ac05d819cfde9813676c0a6
SHA1 97b80c407b1371a84cbfb9124dfb74bd057189ec
SHA256 9e7e1b64e4a6d3fc207c8f74bef16cc341bf45c43a9e47299ba643ee9c775b52
SHA512 748debc4ac657b8f18c7ff2689b1aed123cbc8ce3838889b97b3436499a6e14560cc2ccedc1c186550fc6f46fb197a9922f1d0fa053b9c8a82837fdcde8227e3

\Windows\system\CvZYXtS.exe

MD5 b1aadf3fc7d0e104ca4ff3ce0f2e593e
SHA1 31fd62b1dbf91ae07308e152e63d5a7ea496d41c
SHA256 3000fce3138170a33203091c3afeae784f7ad70e5b88b5ea4e64e418420e5e33
SHA512 38e02b625a737c9f1ff38910a8415f6c0817d81900bd8023b700879274ada571b715dcbb4c132f1197b02d6bb2e1137f91e8f171cd4c9710285ab3f89853214d

C:\Windows\system\qKpWZFj.exe

MD5 0880bd1514fc25030a1086b9dda8f85a
SHA1 4c05657cf8857ae89f0da169fa319a306fc5f268
SHA256 aaedfaff188aa70596c0cfcd453062647ebceaaf6b7be1efdec351a8351b7231
SHA512 69bffb2e50408558d05138f742395b01c052f282c17f25be826d6f8d5b3625987d60267dda7474c38cb2b848fb5371767a42a452d1ea9e5fac1e9416f39b8f9c

C:\Windows\system\KPKMAiU.exe

MD5 877f18e21df0e275d9d963ffe4c6bf35
SHA1 4cc8bffc9ab7696a9184d00a79f7898469fdf799
SHA256 74de9b1eaad24a443f031e4f0e149a3cdb1a886c7da72e1d36cfe673bb31797c
SHA512 e31d2579108558fa72642a5cac3b2784e171a13ae062c24be409380dfbd446fb2e01afb87f5e25d1e56ef4c35aefd76a367d2ae5a9b07b74c659a89ea6ab1523

C:\Windows\system\BWTbtcW.exe

MD5 ceb9c97a89ea5588aecdb6dfc15aaebc
SHA1 bbb7638e1035f773bf485cbafb0af8f4c6da6219
SHA256 596d9d1788ed36cc8e4aad40189e977c55ae2421ebecfe734a25cd2fb77a0757
SHA512 805238c81742b98cffa3b460f867f1df42819fad5c49ce98bd2a74151539e946a4816d73c3f21dfd0d920486c4876bc01404694aca3ae4461a338970864d0178

C:\Windows\system\IZjHHur.exe

MD5 ef6341601d56173fd0e8538678a6a937
SHA1 07121c60ee031639e06cee5a00ee3ba318461df0
SHA256 6df9699894645ebbf07b0e189c49ed95a64f58bf4ad9acbd31eba22a65f04742
SHA512 65889d1e34d54f1664f5a2e34cf0386c7138846b31fb02ed0dad3576e6c31065a1a50f7d147b7e7282bcd05041b239ff8ce8397353be5136d981f483d8e93612

C:\Windows\system\eUHRaxD.exe

MD5 a914381b82004ec17f7ed56c7c4b4d29
SHA1 380b476a31a4514a761119528607a6628c230448
SHA256 f9ad5ad0a136602fdb2d74fcd53c092c1f0a1dc9ceb8142919725542d04695f6
SHA512 34899e89bd44784d306991eb9db4c7f1d2f453f02cec606fc8bf001a778195c7b00cc543cbf08af7e59b9e5984de9162c9188c4cc8e580dd7a7f4002d5ae7d54

C:\Windows\system\KgFEujg.exe

MD5 74196eac5734d9864ae560af4848502f
SHA1 bbf1f5885453cb74376373c9eed7daa33d3640d1
SHA256 123f552a7f071991606de1bdb1c42f74b7290e90371bf79f00b4d04bad3234f5
SHA512 266e48c2887bbaadef4c55b90e697912149d885fabc64bc6425b88c4aad287e3bc46061da18e076006c90ac5d0cb635b62911b0a3afc460d6ca2e04b113f0781

C:\Windows\system\nYFiuoj.exe

MD5 203d74e3419d0f522dde656664de14fe
SHA1 d232be49d811aa116b01553ff7d3600b80274b09
SHA256 d6dd825b767e5a9e26fc704656b0315ccb2f768de912982f454b0bce82cd5f97
SHA512 ab4ac730160ea93483a673a8d02fef73e0804172e645a1ab1cc0de3ba6eb9eff65ba95bcc608d71ecd1db91ac9ea796f13f1e8054454015e9fd912e95cdea901

C:\Windows\system\nHPGvvS.exe

MD5 896e839e786319e512ebe6dd28002350
SHA1 aea316a8dc80752695fbfb237aa8c59ce6592a13
SHA256 d0932d619989ab8f40b21cf3f4ba980f8186bcfdf821348be4fb3b7c583b8937
SHA512 535a0513240bf3f55d987b93f552ee4520477b5aa0b760e6918b55c23baf223e21721f08633139be6da3c1959ded63111ad5a32407806544b4d7cecb91c6e777

C:\Windows\system\FmbcYgG.exe

MD5 668c6d22607e1d590a2328b08d83d835
SHA1 5de20564ef2b4a56feb699db66dc586a76d70c57
SHA256 36102a2c6b958e76d740eb01d4ca5c0e17e6523c39643156cd94638d6f6d573f
SHA512 5a9533cbe0d9f6327b34ca993385c36a687afafa6a34700da524e4aba49283afff3e8cd9cba783dd629eacdc28b3526853e1bdb44ebf48da988b588495f97baa

C:\Windows\system\IRaXcdb.exe

MD5 542b1225913261f2c251056e061e8651
SHA1 f9e870cd77e22e13dbff33b8af18842e1c4ad552
SHA256 7f272f116ddb0951acc6c2aab5ed2b0c98a968a22e82a01d6b7866d83e493562
SHA512 0f6e636a44d76dcdf2e51ddb30d8af08eaed2f1743acf3864eb581bac2e1a1958615556dcc7a494e861f85910218004091101c11e57447b03765dde0621d0f58

C:\Windows\system\ZFePzwc.exe

MD5 a74519490abbcf83c0401d47759add30
SHA1 f73dff269f2dbb538fab94897bc45cb33c5daec5
SHA256 96a8b12b472fd70c8a7768d9781d0e6a2eccf4c94dffd81eec5b93912be6792d
SHA512 a6b5a9d90db9d7cf8a6c541d8fdec23c6d1afab9f5ea8f6d440c935900ba0b8029c8e15d8487f48e2f45c9b503ed236ca5e4c7d64e5719a7d2c8c26f1f3c012b

memory/2248-32-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/2056-14-0x000000013FA00000-0x000000013FD54000-memory.dmp

memory/2456-13-0x000000013FE50000-0x00000001401A4000-memory.dmp

C:\Windows\system\XUdbfpY.exe

MD5 a3b09bbf6f08850e574d00ee1b8e749f
SHA1 5c68c030acada055f1e1e4293555835ff86b3e85
SHA256 697a48f249923e913a13e14819e918d9e1dab6786588828344a8082e31aa753d
SHA512 a5a173e02b465851ab472f03eb764a3c1a8a18a56c94d3abcb24acd304f0b6410fe4c1d8446e2298f154e8e865fce79fa0c3bcc798fa9cb2994454ea6259f6a3

memory/2248-11-0x0000000002520000-0x0000000002874000-memory.dmp

memory/3044-28-0x000000013F4E0000-0x000000013F834000-memory.dmp

C:\Windows\system\NQJflob.exe

MD5 51ffce6f5faf27799c8c6a6661a9d2e3
SHA1 3d9748cfbf5b8015f6ab74858dc3e5460524650f
SHA256 73fce8558c22abb64462690bb808214eca2c1b57f89293213f5bfc9d924f402b
SHA512 88def8f931ffaf1e42a9162703bf80bbf2d5ea1e17a3dedc3e23bc70334d17855d453d8fd57e059967fd3ccfd49b1a0fe54411e98bbf4940b06c6a2d52cb8c3b

memory/2248-21-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/2248-140-0x000000013FFC0000-0x0000000140314000-memory.dmp

memory/2248-141-0x0000000002520000-0x0000000002874000-memory.dmp

memory/2456-142-0x000000013FE50000-0x00000001401A4000-memory.dmp

memory/2056-143-0x000000013FA00000-0x000000013FD54000-memory.dmp

memory/3044-144-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/2320-145-0x000000013F5F0000-0x000000013F944000-memory.dmp

memory/1532-146-0x000000013F280000-0x000000013F5D4000-memory.dmp

memory/2772-147-0x000000013FA20000-0x000000013FD74000-memory.dmp

memory/2776-148-0x000000013F6C0000-0x000000013FA14000-memory.dmp

memory/2708-149-0x000000013F440000-0x000000013F794000-memory.dmp

memory/2720-150-0x000000013F7E0000-0x000000013FB34000-memory.dmp

memory/2628-151-0x000000013FB40000-0x000000013FE94000-memory.dmp

memory/3016-152-0x000000013FA40000-0x000000013FD94000-memory.dmp

memory/2528-153-0x000000013FF20000-0x0000000140274000-memory.dmp

memory/2040-154-0x000000013FFC0000-0x0000000140314000-memory.dmp

memory/2680-155-0x000000013F860000-0x000000013FBB4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-29 06:59

Reported

2024-06-29 07:02

Platform

win10v2004-20240508-en

Max time kernel

139s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\lArFOfs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EcIUEpr.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IDjlWPK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qLYjdyY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JBSNeDv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CfZNQnK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lgvuKXy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QOOWzPV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UjCxQIb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PUyWFKD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BxtJtHy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ibRxKGb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DIxvFTe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\udpintH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HkzGvtb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xbKyDNM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lxxLlqG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bNwsSYY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IPLRPpk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mWpRNbF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uOEPQNV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1856 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CfZNQnK.exe
PID 1856 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CfZNQnK.exe
PID 1856 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lArFOfs.exe
PID 1856 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lArFOfs.exe
PID 1856 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lxxLlqG.exe
PID 1856 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lxxLlqG.exe
PID 1856 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ibRxKGb.exe
PID 1856 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ibRxKGb.exe
PID 1856 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DIxvFTe.exe
PID 1856 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DIxvFTe.exe
PID 1856 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lgvuKXy.exe
PID 1856 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lgvuKXy.exe
PID 1856 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\udpintH.exe
PID 1856 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\udpintH.exe
PID 1856 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QOOWzPV.exe
PID 1856 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QOOWzPV.exe
PID 1856 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HkzGvtb.exe
PID 1856 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HkzGvtb.exe
PID 1856 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bNwsSYY.exe
PID 1856 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bNwsSYY.exe
PID 1856 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UjCxQIb.exe
PID 1856 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UjCxQIb.exe
PID 1856 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PUyWFKD.exe
PID 1856 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PUyWFKD.exe
PID 1856 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IPLRPpk.exe
PID 1856 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IPLRPpk.exe
PID 1856 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IDjlWPK.exe
PID 1856 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IDjlWPK.exe
PID 1856 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qLYjdyY.exe
PID 1856 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qLYjdyY.exe
PID 1856 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mWpRNbF.exe
PID 1856 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mWpRNbF.exe
PID 1856 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uOEPQNV.exe
PID 1856 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uOEPQNV.exe
PID 1856 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EcIUEpr.exe
PID 1856 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EcIUEpr.exe
PID 1856 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JBSNeDv.exe
PID 1856 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JBSNeDv.exe
PID 1856 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BxtJtHy.exe
PID 1856 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BxtJtHy.exe
PID 1856 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xbKyDNM.exe
PID 1856 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xbKyDNM.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\CfZNQnK.exe

C:\Windows\System\CfZNQnK.exe

C:\Windows\System\lArFOfs.exe

C:\Windows\System\lArFOfs.exe

C:\Windows\System\lxxLlqG.exe

C:\Windows\System\lxxLlqG.exe

C:\Windows\System\ibRxKGb.exe

C:\Windows\System\ibRxKGb.exe

C:\Windows\System\DIxvFTe.exe

C:\Windows\System\DIxvFTe.exe

C:\Windows\System\lgvuKXy.exe

C:\Windows\System\lgvuKXy.exe

C:\Windows\System\udpintH.exe

C:\Windows\System\udpintH.exe

C:\Windows\System\QOOWzPV.exe

C:\Windows\System\QOOWzPV.exe

C:\Windows\System\HkzGvtb.exe

C:\Windows\System\HkzGvtb.exe

C:\Windows\System\bNwsSYY.exe

C:\Windows\System\bNwsSYY.exe

C:\Windows\System\UjCxQIb.exe

C:\Windows\System\UjCxQIb.exe

C:\Windows\System\PUyWFKD.exe

C:\Windows\System\PUyWFKD.exe

C:\Windows\System\IPLRPpk.exe

C:\Windows\System\IPLRPpk.exe

C:\Windows\System\IDjlWPK.exe

C:\Windows\System\IDjlWPK.exe

C:\Windows\System\qLYjdyY.exe

C:\Windows\System\qLYjdyY.exe

C:\Windows\System\mWpRNbF.exe

C:\Windows\System\mWpRNbF.exe

C:\Windows\System\uOEPQNV.exe

C:\Windows\System\uOEPQNV.exe

C:\Windows\System\EcIUEpr.exe

C:\Windows\System\EcIUEpr.exe

C:\Windows\System\JBSNeDv.exe

C:\Windows\System\JBSNeDv.exe

C:\Windows\System\BxtJtHy.exe

C:\Windows\System\BxtJtHy.exe

C:\Windows\System\xbKyDNM.exe

C:\Windows\System\xbKyDNM.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1856-0-0x00007FF62B560000-0x00007FF62B8B4000-memory.dmp

memory/1856-1-0x00000220244D0000-0x00000220244E0000-memory.dmp

C:\Windows\System\CfZNQnK.exe

MD5 746425482d0f6f1dac4144e8907344aa
SHA1 beab0915691e5ff7ca3dd8fd78c4cf166958307b
SHA256 4fee7a17e99f56702983c1130d10d7b497887c57b7197e953c197806664f91ae
SHA512 daa47f0f0128b7a7572602aaab575d1cdbdf32fdc54640b5f7336a7b3efa670859048584f3dbffed12d8152592884392c9381a9fccdc8b56b2283c9906375525

memory/1708-8-0x00007FF66EB40000-0x00007FF66EE94000-memory.dmp

C:\Windows\System\lxxLlqG.exe

MD5 40957319aff686235be5e4833a3ac793
SHA1 89460689d818c327ee21c2207ac23c29bdec8980
SHA256 c93f6b30fee28b1aa6bb31705752031b34aa6eaca62b97b443421e3c5d20fd7a
SHA512 41e24b7f2ff673c32f7120c36771be332430a1cc42491ae17bf902f1650287f2b44be40c6d1a6b64493c4495a692028c284e335da327fe783cc2c64f773fb50c

memory/216-14-0x00007FF6D6640000-0x00007FF6D6994000-memory.dmp

C:\Windows\System\lArFOfs.exe

MD5 1be78a059d107e9416e0ddeb01011846
SHA1 b220409523da2a19328fd470850e0bf9760147f2
SHA256 86d607ecc5aa9183a47298c1c5a3a71a6bfcfed20ae08471bbe297b6e1f9bba4
SHA512 793f1bf2ab29eaef6520e2768e967c79c24663fe198d067377d2c8a8bc9629080106e0b2214d7c690cb204f917cfbc4443157d46f87875f697c0184d7db66f5a

memory/4112-19-0x00007FF66A160000-0x00007FF66A4B4000-memory.dmp

C:\Windows\System\ibRxKGb.exe

MD5 874ddb311bf0a8b40ba1e334db2f3caa
SHA1 ea62cfd81c162393355419997ae264e02579ca41
SHA256 72b02642352d087164cad5d87dabc0e107659d4d827f31aaab9b9b237af38e12
SHA512 b40897c09fc4d1c5122b539fba0dea192710b1a38f2d9941ba5c43e04ffec247e3c2a69412ce86efedd5eae0671c75192519b1ded5755fce0f4abda33828d995

memory/1800-26-0x00007FF7AE740000-0x00007FF7AEA94000-memory.dmp

C:\Windows\System\lgvuKXy.exe

MD5 b33caf9da8ff13a160e83c51745899c9
SHA1 ca371fb8d595549142ec99f6dfadff7b9030b142
SHA256 da405aed8c88ab6cd430c66aa3610656d05940738074e5aac8233f2846832e92
SHA512 1a8ab02d0af928376f124030b3850f1f991bec630089342a67ce4fdbc491ff7cfdcfb715d9aea6a3ccc5edf17c882bf3a49db862c8d163ce7d509ab5b1a202f2

memory/4484-35-0x00007FF696400000-0x00007FF696754000-memory.dmp

memory/4900-37-0x00007FF747360000-0x00007FF7476B4000-memory.dmp

C:\Windows\System\DIxvFTe.exe

MD5 64ff37cc6fdfd132ba60d9c10f1725d8
SHA1 342cf2c46a81459bb57c77dbfef890899763504c
SHA256 b26183b3ee0845351f77be3f76a4ef9e86ee51eaec8b83cc7f567893a14bc9d6
SHA512 3b2005c4a8a20ce2875fd28f2064ef860ecf209f206ec59b70b34a3038a57ad24f02a8a65e10404f6938da8439f486e53ea603c46de1297f7a3dbbd5c8d5d7c0

memory/2988-45-0x00007FF66B830000-0x00007FF66BB84000-memory.dmp

C:\Windows\System\QOOWzPV.exe

MD5 715c76dfd6bbdfe2258147dbb60beee4
SHA1 3ac59cae8bb2f45333ea2e9a57513ad7760ce335
SHA256 d4c62a92588307f09b6e4b80e2d5b02c324955ce1b73d7cdd97331b666b9fa44
SHA512 b739fdfde3a66069222241c9b037a776a1e22bdf7f7ee4ac01630ba637c2199df2250c432a94462d3f0b4b77d4d4eb42e31b642a34892eb692af9a3c89b11f03

memory/696-57-0x00007FF6E1290000-0x00007FF6E15E4000-memory.dmp

memory/2380-65-0x00007FF6804C0000-0x00007FF680814000-memory.dmp

C:\Windows\System\UjCxQIb.exe

MD5 877be9d28d652cf12ecfcba7585085da
SHA1 8cb358d29d4084ea4f1ad3e7c4e63a4291b3cba5
SHA256 c5c91ff5de6d3f5bc29293e10c09059757fe82401e763ac1f239bc27f921c328
SHA512 a1589eae517f9db82c88bea773da5f411ee70bd7be7a9883bfe2cef25d50027e58dbfb8af942d7bc1ba796b8a960d4ec39551f97c92bf01167e61d273fafc7cb

memory/1708-74-0x00007FF66EB40000-0x00007FF66EE94000-memory.dmp

C:\Windows\System\IDjlWPK.exe

MD5 690813710b3b38659a56e2a6e8a63cd2
SHA1 7ffa5b6f7b87c3d76703e191a2d37bc5b1ef7083
SHA256 c6525db779992fec3ce2924d1892521b1c7a41846a4b979d8b52b6f67da76044
SHA512 d40c940fcac98e763e6613404f9930b667ae42ebb28a1498efd0fd1170ab3505351eb09130b51c552a153c633d860cb27fc2bad1a4d6c6fb06cfc218ffe6faf7

memory/216-87-0x00007FF6D6640000-0x00007FF6D6994000-memory.dmp

memory/4112-96-0x00007FF66A160000-0x00007FF66A4B4000-memory.dmp

C:\Windows\System\uOEPQNV.exe

MD5 17ea6540cb51948b148691f90be60cfc
SHA1 2f44bcef6a41ac3a388a9345014afe0f0ae78386
SHA256 5e7fb2467e0993a0f9fb6876c4cf78d3991d3b44027e8b3a880ec2ccfd2564ab
SHA512 9820fcc1fc04cc6ea122dd5cd43ebe3b792d27421c2903f8bcaca5808007c49dbd1f844298619499074c145ab613cab213c4ddd1e14b2487e3132ebbf0a047d6

C:\Windows\System\mWpRNbF.exe

MD5 ed4b752d1a2ee16c18d4b4edc749f3c9
SHA1 01ba2b4fddda7eb7b15cf9a73ab07822b1fe7a18
SHA256 e1e2957faba04163671679560b536cc1b834ea546318b6ffe4ed14b883e384e9
SHA512 305bf186acf8f83037fa1b5b2cffc5feb5c3dbad18c918430ba98d3ae80767d45583a0b6e52347915cdd97afa7e090d6966ebe9ecbb166ff17c05063097f4917

memory/2092-102-0x00007FF647DB0000-0x00007FF648104000-memory.dmp

memory/4804-101-0x00007FF65F420000-0x00007FF65F774000-memory.dmp

C:\Windows\System\qLYjdyY.exe

MD5 faf729392db6bf3f2956ea7f477ae501
SHA1 6a73989b4d193e7287eb50207af7911a8fca65fa
SHA256 35b4aadfbc9def1847542b0255b9be0476f81320e87e73fa50a083895531f2b0
SHA512 2dfaf28a26f9ed3cfba954cd33c63d504cff1a1c4dbdec4e498d50b344d1fe41c5add107e5e7f46c1bacf10170aff252fc855a6d29b45ee1517e7b956eec2ad7

memory/4244-92-0x00007FF753080000-0x00007FF7533D4000-memory.dmp

memory/1524-91-0x00007FF7CAA70000-0x00007FF7CADC4000-memory.dmp

C:\Windows\System\IPLRPpk.exe

MD5 c5cbeeefc2734c2e10a44ed1479a15c9
SHA1 ce2e3dadf548ad724113a58b159bba19666a8cbc
SHA256 130eb43a6cdda3ce7d5be72caf81519abd3f1289f11d8ee52329038165946868
SHA512 cebd9081fe3ba3c1ca7163109c132ec4fc9a9292b7d246b55326300e992e99e0fbf8a55659df63934f0880637dddff66e63720a9db5202713b446da2128e25fb

memory/3828-79-0x00007FF6B0A10000-0x00007FF6B0D64000-memory.dmp

C:\Windows\System\PUyWFKD.exe

MD5 c653ecab3dd9b61cb7203a1a03280991
SHA1 6185d15540a34c23dcd5228d015d32dc22ff10b8
SHA256 2158cf2341b344f5e9e5efd15392235db21ff165a416c5ec245dd09093667109
SHA512 926615ae01b1042aa496f24c63c40c06d2eb851ac1b86cd0fcb6c893daf8c7ef89822af55a34875fb6ee60ee89f788e6819d20ce8dfe9075ebe0130afc981c56

memory/8-78-0x00007FF728860000-0x00007FF728BB4000-memory.dmp

memory/1856-63-0x00007FF62B560000-0x00007FF62B8B4000-memory.dmp

C:\Windows\System\bNwsSYY.exe

MD5 64a15ab9a61862fd7a7753df08561e0b
SHA1 91d51a89e99f68bb8ad027f2af08035a22ea6865
SHA256 366517ab567c9e704b953f935a138b8feaa91f943011dbada938fa7827188220
SHA512 3896ef6584a6750fea22ddaf9318055747bbcc05b59b6c1bd857fb7159f97dd1a6e1a4eecc25c03dab68f618579c8c30d010a356e9ca8602c68fa1862b1717f5

C:\Windows\System\HkzGvtb.exe

MD5 08c1139f923abedf05bbe2fccf2d9a9d
SHA1 cc1a2bd5dd35b92931f48a028a7f3fe5f3a0ba0f
SHA256 48bd0c6a7aa2b44889b8ac599a77d8bd9bbd7b98686d34b5699d531366f27777
SHA512 e507205bbf4b52d159e94de70390c024574b7f7bcc63a386781bb6279e6ac48fd13ee92492418700a6e530819596fe65efea09adb29aeb4e090c03d887dcce20

memory/3800-51-0x00007FF7B50E0000-0x00007FF7B5434000-memory.dmp

C:\Windows\System\udpintH.exe

MD5 fb7271750bf1c25cbcb23d3564bd5ba8
SHA1 e50a160eaf84073d432e5a100cb785c545704aa4
SHA256 f67a387ef520e7c57b4413ce45cb91c3d21c75d75f7f417056533f02b9a84c25
SHA512 e4cb1c2b62c115d0753ce6779d37fc21c8b9950bc44e3ef73398e894910797f6bec771bbb0d1f8b3f5a21cf6b8e5dec3ef4add4b796a819ffc2c223e95773b22

memory/1936-108-0x00007FF750510000-0x00007FF750864000-memory.dmp

C:\Windows\System\BxtJtHy.exe

MD5 dce428eb10f06dca23ff514a02b81d21
SHA1 af84974a137d1042230fcd962cfe8ea30285022b
SHA256 eb9597ae1a7cd40c7f65d95f0d1aee27d9c13cad7b5d89f4df171f79e25a5d61
SHA512 778177c73ccbec763d20fbdb6b734808009fa9d56326a8c4eadb76224992958c230714c3c221cc17a21368bff9dd41746ef0237508b008fbe477782090264517

C:\Windows\System\xbKyDNM.exe

MD5 a6135aab6a9e90f2d7d34d9e3dc4eb1c
SHA1 8b466218bab68b465b905d915888eb903b345638
SHA256 6180107b22b850b149f72dff61b630e37ce11d60c1f50d346830f7238b375de6
SHA512 62bf40910bcdb901b6040bfec3209f51a4fe788925875036665d9e3d0df92443609f44b180c246bf7b3655887dc67cf3af32b0862ddde573458664e207b59135

C:\Windows\System\JBSNeDv.exe

MD5 18dadf48f67244adcbc9cea9244334cb
SHA1 2c8547d614251206d502a86e91efb0c317931d90
SHA256 4385338f440520ad8b92e8e618c534a739839637fe371f193ace438c5c1f89b5
SHA512 d560c1a3678ab46da888e6f51eb9385d94ea184654b82d60b4e0acc9f829f58cdd369e2ebd933152f6390f96af0f8ddb3d7df24039d67140f54dd7d25ce36d29

C:\Windows\System\EcIUEpr.exe

MD5 ac1a8b03921cbfc1adeae62b33459a0f
SHA1 99e12a35fafb7a08a6af7cc0efd8ac7741f11828
SHA256 bb8f3723e6c85bf4b163350f03a6a31235fb35d1622fd20563480fe6948655d5
SHA512 66c93acd34836ab33e2cacf9e37a406e4e99266c944412437ab65539fd8325bb962a214d1e71595137903192665b155a59f61195d9569b4beee69f92fd4ed5ab

memory/852-115-0x00007FF7ED8F0000-0x00007FF7EDC44000-memory.dmp

memory/4900-112-0x00007FF747360000-0x00007FF7476B4000-memory.dmp

memory/4836-131-0x00007FF6A6230000-0x00007FF6A6584000-memory.dmp

memory/696-134-0x00007FF6E1290000-0x00007FF6E15E4000-memory.dmp

memory/3800-133-0x00007FF7B50E0000-0x00007FF7B5434000-memory.dmp

memory/684-132-0x00007FF7D8460000-0x00007FF7D87B4000-memory.dmp

memory/3672-130-0x00007FF64E9C0000-0x00007FF64ED14000-memory.dmp

memory/3828-135-0x00007FF6B0A10000-0x00007FF6B0D64000-memory.dmp

memory/4804-136-0x00007FF65F420000-0x00007FF65F774000-memory.dmp

memory/2092-137-0x00007FF647DB0000-0x00007FF648104000-memory.dmp

memory/852-138-0x00007FF7ED8F0000-0x00007FF7EDC44000-memory.dmp

memory/1708-139-0x00007FF66EB40000-0x00007FF66EE94000-memory.dmp

memory/216-140-0x00007FF6D6640000-0x00007FF6D6994000-memory.dmp

memory/4112-141-0x00007FF66A160000-0x00007FF66A4B4000-memory.dmp

memory/1800-144-0x00007FF7AE740000-0x00007FF7AEA94000-memory.dmp

memory/4484-143-0x00007FF696400000-0x00007FF696754000-memory.dmp

memory/4900-142-0x00007FF747360000-0x00007FF7476B4000-memory.dmp

memory/2988-145-0x00007FF66B830000-0x00007FF66BB84000-memory.dmp

memory/3800-146-0x00007FF7B50E0000-0x00007FF7B5434000-memory.dmp

memory/2380-147-0x00007FF6804C0000-0x00007FF680814000-memory.dmp

memory/696-148-0x00007FF6E1290000-0x00007FF6E15E4000-memory.dmp

memory/8-149-0x00007FF728860000-0x00007FF728BB4000-memory.dmp

memory/3828-150-0x00007FF6B0A10000-0x00007FF6B0D64000-memory.dmp

memory/1524-151-0x00007FF7CAA70000-0x00007FF7CADC4000-memory.dmp

memory/4244-152-0x00007FF753080000-0x00007FF7533D4000-memory.dmp

memory/4804-153-0x00007FF65F420000-0x00007FF65F774000-memory.dmp

memory/1936-154-0x00007FF750510000-0x00007FF750864000-memory.dmp

memory/2092-155-0x00007FF647DB0000-0x00007FF648104000-memory.dmp

memory/852-156-0x00007FF7ED8F0000-0x00007FF7EDC44000-memory.dmp

memory/684-158-0x00007FF7D8460000-0x00007FF7D87B4000-memory.dmp

memory/3672-157-0x00007FF64E9C0000-0x00007FF64ED14000-memory.dmp

memory/4836-159-0x00007FF6A6230000-0x00007FF6A6584000-memory.dmp