Malware Analysis Report

2024-10-24 18:11

Sample ID: 240629-ryapdszbmg
Target: 2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat
SHA256: da4889eae0a9dcba87de468da19d5fc1ec5b16e673419eb8b9d43bed09f7e7ff
Tags: miner upx 0 xmrig cobaltstrike backdoor trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: da4889eae0a9dcba87de468da19d5fc1ec5b16e673419eb8b9d43bed09f7e7ff

Threat Level: Known bad

The file 2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Tags: miner upx 0 xmrig cobaltstrike backdoor trojan

Cobalt Strike reflective loader
Cobaltstrike family (cobaltstrike)
Detects Reflective DLL injection artifacts
XMRig Miner payload
Xmrig family (xmrig)
UPX dump on OEP (original entry point)
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-29 14:35

Signatures

The static analysis recorded no description, indicator, process or target for any of the hits below; the tag attached to a signature is given in parentheses.

Cobalt Strike reflective loader
Cobaltstrike family (cobaltstrike)
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload (miner)
Xmrig family (xmrig)
UPX packed file (upx)
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-29 14:35

Reported

2024-06-29 14:38

Platform

win7-20240508-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows, no details recorded)

Cobaltstrike (tags: trojan backdoor cobaltstrike)

xmrig (tags: miner xmrig)

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows, no details recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (53 identical rows, no details recorded)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (57 identical rows, no details recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A (21 identical rows; the loading process is the sample in every case, no DLL name recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (53 identical rows, no details recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\XFiutRe.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WAVurIN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LttLIUC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eyhCbBZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yYhkEnp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mqBMjgf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\prrQvDJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gzBZrml.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tgPobZI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rfJkERE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vgJEKpb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OsYKDPt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zKkYMut.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hVoluqX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zFVMZuG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uQwqEbT.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lfIyIvG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SGSAXhu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CtSkQTX.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pwsNBrl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RJudDAN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target

In every row the Indicator is N/A and the Process is the sample, C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe (PID 2128); the report records each write three times.

PID 2128 wrote to memory of 344 N/A (sample) C:\Windows\System\eyhCbBZ.exe (x3)
PID 2128 wrote to memory of 1716 N/A (sample) C:\Windows\System\pwsNBrl.exe (x3)
PID 2128 wrote to memory of 1992 N/A (sample) C:\Windows\System\yYhkEnp.exe (x3)
PID 2128 wrote to memory of 2828 N/A (sample) C:\Windows\System\hVoluqX.exe (x3)
PID 2128 wrote to memory of 2448 N/A (sample) C:\Windows\System\tgPobZI.exe (x3)
PID 2128 wrote to memory of 2812 N/A (sample) C:\Windows\System\RJudDAN.exe (x3)
PID 2128 wrote to memory of 2636 N/A (sample) C:\Windows\System\uQwqEbT.exe (x3)
PID 2128 wrote to memory of 2696 N/A (sample) C:\Windows\System\rfJkERE.exe (x3)
PID 2128 wrote to memory of 2700 N/A (sample) C:\Windows\System\zFVMZuG.exe (x3)
PID 2128 wrote to memory of 2824 N/A (sample) C:\Windows\System\XFiutRe.exe (x3)
PID 2128 wrote to memory of 2500 N/A (sample) C:\Windows\System\vgJEKpb.exe (x3)
PID 2128 wrote to memory of 2332 N/A (sample) C:\Windows\System\mqBMjgf.exe (x3)
PID 2128 wrote to memory of 2548 N/A (sample) C:\Windows\System\prrQvDJ.exe (x3)
PID 2128 wrote to memory of 1832 N/A (sample) C:\Windows\System\gzBZrml.exe (x3)
PID 2128 wrote to memory of 316 N/A (sample) C:\Windows\System\lfIyIvG.exe (x3)
PID 2128 wrote to memory of 1940 N/A (sample) C:\Windows\System\OsYKDPt.exe (x3)
PID 2128 wrote to memory of 1752 N/A (sample) C:\Windows\System\WAVurIN.exe (x3)
PID 2128 wrote to memory of 1808 N/A (sample) C:\Windows\System\SGSAXhu.exe (x3)
PID 2128 wrote to memory of 904 N/A (sample) C:\Windows\System\zKkYMut.exe (x3)
PID 2128 wrote to memory of 1692 N/A (sample) C:\Windows\System\CtSkQTX.exe (x3)
PID 2128 wrote to memory of 2212 N/A (sample) C:\Windows\System\LttLIUC.exe (x3)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe (PID 2128)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe"

Dropped executables run from the sample (Executes dropped EXE); PIDs are those recorded in the Suspicious use of WriteProcessMemory table, and each was started with its own path as the full command line:
  C:\Windows\System\eyhCbBZ.exe (PID 344)
  C:\Windows\System\pwsNBrl.exe (PID 1716)
  C:\Windows\System\yYhkEnp.exe (PID 1992)
  C:\Windows\System\hVoluqX.exe (PID 2828)
  C:\Windows\System\tgPobZI.exe (PID 2448)
  C:\Windows\System\RJudDAN.exe (PID 2812)
  C:\Windows\System\uQwqEbT.exe (PID 2636)
  C:\Windows\System\rfJkERE.exe (PID 2696)
  C:\Windows\System\zFVMZuG.exe (PID 2700)
  C:\Windows\System\XFiutRe.exe (PID 2824)
  C:\Windows\System\vgJEKpb.exe (PID 2500)
  C:\Windows\System\mqBMjgf.exe (PID 2332)
  C:\Windows\System\prrQvDJ.exe (PID 2548)
  C:\Windows\System\gzBZrml.exe (PID 1832)
  C:\Windows\System\lfIyIvG.exe (PID 316)
  C:\Windows\System\OsYKDPt.exe (PID 1940)
  C:\Windows\System\WAVurIN.exe (PID 1752)
  C:\Windows\System\SGSAXhu.exe (PID 1808)
  C:\Windows\System\zKkYMut.exe (PID 904)
  C:\Windows\System\CtSkQTX.exe (PID 1692)
  C:\Windows\System\LttLIUC.exe (PID 2212)

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none) tcp
(6 connections to this single destination recorded; no domain name was resolved)

Files

memory/2128-0-0x000000013F300000-0x000000013F654000-memory.dmp

memory/2128-1-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\eyhCbBZ.exe

MD5 59c4be5c1ff3d1145e458bec3a33335e
SHA1 bbb9f57287c1781761a985a4244a14b5668bb8c6
SHA256 e417df9a947719386aaa3bd49f8f5348ccfb20f2b93be86e62fe0c1c5fec9f80
SHA512 3c231bd30c8e86303059bb4debfa8fadb4db30f39fe1c9ee44b3c0fa3db7536b5e4f4021f55009f669598ad84eef9bcc6ed7f169de24327f0c37017bae1a5533

\Windows\system\pwsNBrl.exe

MD5 f712c5f429648f0f76fa11ed09b91719
SHA1 7a6b25ee477462274f59c5ebd835035ecd895bf4
SHA256 6c1e1a9405b2c5a30b81fb2916891ed30b018923640d4645e375210b34cb5fc8
SHA512 e79eb3664dc0c25608218895ed9f8fbbfb1c36a561d9e912b275857522dbac97ef002852d144eff458f8f7885791c75b036fb6452ececbaab0a32ec5d2439012

\Windows\system\yYhkEnp.exe

MD5 ce88959ff01b99648b309ef849c1308d
SHA1 f86e3e09b0219ede6bb05b8743c46505c93eb50e
SHA256 6493cccf6a0cd834a01c79164668fdfcc90068b72efedc1c6ec3d45e76df222f
SHA512 8deaaf99dacca6ef385ce19c89366e7254c372ca21f66a3fdd8d5dc02ff2bff94890d2bf1f18e95676172032daced2fad5ca7eaf837203b30187bd9bc2ab188a

memory/344-22-0x000000013F840000-0x000000013FB94000-memory.dmp

\Windows\system\hVoluqX.exe

MD5 06c934f618138fc3f7844854ad111b90
SHA1 27a5e9f7a6fa3e985905e2ac23c2a880bc29cacf
SHA256 d3fc7dbe97c28deff80d2d0de36ea5e3cac0fa3b58d559a386b45a544e9d6c60
SHA512 2e9d2cd82ec611bad64dc006a149f25ffb48c6967ae0b765bb4b1636652ad65de0387200ad3b779a69b9c6bc8966dc204867abe8cff54d05c8ca7f6a2ae47895

memory/1716-26-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2128-36-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/2128-35-0x000000013FA80000-0x000000013FDD4000-memory.dmp

C:\Windows\system\RJudDAN.exe

MD5 d3625746ea7be5b3be57a5678b685c17
SHA1 6138c22a8b246af8c23350ec92f248704297c112
SHA256 c84d880170fe8e1f32d07b0ea6876dfefa1e15a97ea35d3a4f38c54c40537fec
SHA512 b92d01f238e90a762fa0d2fcacf8d91f35a3f96c81cd767796e7bf33e163b1b42fac25d8f9d7699288e775873a8888adaa09df0e09e36589b1acca9ac34c066a

memory/2812-43-0x000000013F2E0000-0x000000013F634000-memory.dmp

C:\Windows\system\uQwqEbT.exe

MD5 fe827197bf7bc60a31acba3503d9b4ff
SHA1 c7b29596cb64413061e2b1952777e2ed2f872a23
SHA256 b5bd6bc0b34fcdbde659680c798d175c7d0571021e7588a20b5523b81d651b3f
SHA512 7a0f7225492529256b031f6c25997fb7ab7b544b165d00b120d7b693128ee13ea2e03a78527bdba282640e63b933346322b36739d2722949b7252578372ab4d6

C:\Windows\system\rfJkERE.exe

MD5 ae0d08c66058b471ae230ad1dd2b4f2f
SHA1 829b11f6ac5933bb30c6baf3e07c1e1674b2e7e6
SHA256 18617fbb07c86a4ec59e2863024f6ac4d05addfb45d91a06650b95b9e0918831
SHA512 844a7f95de1b6780329c3e8d840e56bbc4726101c807c519c5be4d9dd322da9be5ec8632b1f45b2e672572e6b1366449aee5f00cc06056bd37abf0000057be98

memory/2128-57-0x0000000002310000-0x0000000002664000-memory.dmp

\Windows\system\XFiutRe.exe

MD5 bf17e7b09de403ceab1b34ff7d35b38e
SHA1 802173d3ff363cfc6f7c20b6eff620c24dd87058
SHA256 8025f50e9853d3222aa7840daf0f1964270598cbb965112f415b3d19ecaf694f
SHA512 02e0f4984c7f256508f157dab23873baae2271a95918b37b14eede34c70f81fe5757570bf16815ace76197e49be942c5c6b508292407c4f2fccc25a8dee20409

memory/2824-72-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

C:\Windows\system\mqBMjgf.exe

MD5 c941b5e703190bb18777493774748ba4
SHA1 bc57a23c14446afdee919b760e2e93645652d6f2
SHA256 76447a02a8b2bbe8ad7dfdbf8afdd76b38c878c5b01bab252b46ce39de3fee7e
SHA512 c20fccd143dcbe2cf0f22519ecab36e97623c4edbf0a24d18ec5a02c9b7034a9f2113469067cb6f44b1119d0b04f2c75903e9b57497c0e0c5e7ef86179280d54

memory/2548-93-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

C:\Windows\system\OsYKDPt.exe

MD5 ad0e6b824c34f29424e82bbde3d6da8e
SHA1 32e1428f53bc0795c65b9afaa726eff0ba8c19b7
SHA256 dcf7b540c0b5fc7b68ec26ef2f3daad536a90d1ef418df86efd2947aedfa2909
SHA512 337bd69bbe38696c1a33e70e4676a52dc6fd66e3f15c676f50e656814cdb19616ccd9c1b4f0a9b763517efe688866fd32d3e4f1f6d2b30158304cc1145a8af72

C:\Windows\system\CtSkQTX.exe

MD5 b22bc8c738cbaf78568bb7e7c425ffca
SHA1 2144e6f53610fdb5d26218d8c5ed71a910512a70
SHA256 8f797006b5928be2da03358f5067036f6403b8121cf607714735906ea45b5ca5
SHA512 40eead91048ea0ccd9433c9803cbdb167ffdd444e61f69fa8b5ca7cd4210c4f95342a3f288918957e92ad37847f26102ff6435229c1818aad1f65fdcae1826f6

C:\Windows\system\LttLIUC.exe

MD5 da1394d6f085c7a0655bf192de6e5792
SHA1 662959bb76584f34fb05137dfe9d964f1ce22828
SHA256 b776411150521be9058878adb6aa4c9a0f419a4feb74bb8907d28d6624cc7ed4
SHA512 2206deaf76159bd729643a2773f92f1c1259669b6a6d343fdb2b897c596abd3a62ed8ef648be5e851f12bb33fdecbffe207fe82c4bf77ec2d5ba5ec0155db027

C:\Windows\system\zKkYMut.exe

MD5 bf517b9538e50c2fd83b6a90065bd1aa
SHA1 36882d1590a0c817468535a30cfae51af5a59ef0
SHA256 354ce775d696f33b906f787522e16d4cee65d20f08926f6f74c19f631c839a89
SHA512 84fc06c745a68dc5d40c8654c43e2672181d75e201a5154f875277bfbc4b43daffbb76a3d77c1bc0e8f71c2ca6f8318e46ee4a37fd11ecb6ef58716325b51468

C:\Windows\system\SGSAXhu.exe

MD5 441a9f512d27f55329b1e15dc6a60394
SHA1 28bb8bc1a729e20bc3dc40c8275b591d81b532c1
SHA256 9f4fbd346853fe5ad0d45108a519f224d8f61dbdac10ba06b21bead686c5317c
SHA512 7702e163f851b6e67045012505fa79bd4f98f149e23b30e6c2bf9207ee3c3f6318a69e9106a35fb8bca381ef12c86e6612cc02ae107c2552f9af169d0f4166ac

C:\Windows\system\WAVurIN.exe

MD5 50775246ae803655dd9f104d870e2987
SHA1 3d01c872fb5692ffd00641f190cb281dd4037c5d
SHA256 d9e457020cc30a80d9faf4e958e07de471c170bf58579aeb70b07e6ce9df68fc
SHA512 7f68005849b70a0bfc8617f8456553fcd9805c700225d2d21c4a6eb6d204e4a626b1bb3fb35678eadddb1c67087cc1f0066312a472bf2842c3c57f3d501836da

memory/2128-106-0x000000013FD80000-0x00000001400D4000-memory.dmp

C:\Windows\system\lfIyIvG.exe

MD5 3750ec1e9cc11da8e229d2537eaa36b0
SHA1 ee341ec7f2cdaf855c2216de33b0be5ff4066a91
SHA256 94e87ba1e0a4192436f961c3b9fdc795b94c862b8700f1bcba8cbbeacaf5b6dc
SHA512 a6c02a623c1d06393d37ac6c1b6c9cb9de6d1790336243751955b6f3ed04361c4a7f99106c1e6ece24f8a68564f0f83bd1ddbf1727d87ff500591fd66a618aa3

memory/1832-100-0x000000013FE20000-0x0000000140174000-memory.dmp

memory/2128-99-0x000000013FE20000-0x0000000140174000-memory.dmp

memory/2812-136-0x000000013F2E0000-0x000000013F634000-memory.dmp

C:\Windows\system\gzBZrml.exe

MD5 106474fd0e9d4a779d76244a396c6546
SHA1 989833b4f09165a6afaaddfaac5e8e88edcfb634
SHA256 e3e43922a9d5e28e9e772aa36e0cffc6a633bac65ff100267893f3d2f1d6d4c2
SHA512 04eaab507ba49430b570efdee2980a7ffa39c4c579d9ac01f39d7167b2793363c136f79895e8881807e6b1a12593dfcb6621cee27b53dff67f56fce762a17c7f

memory/2128-92-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

memory/2332-86-0x000000013F850000-0x000000013FBA4000-memory.dmp

memory/2128-85-0x000000013F300000-0x000000013F654000-memory.dmp

C:\Windows\system\prrQvDJ.exe

MD5 faa6a3b5c842e291dcd9789044ac87b0
SHA1 97ea2a823578c2c4bba32531afc9292ff374baa4
SHA256 598a73dcd01d3216fdf436165cc48085141bd362b3ad77af7088d210d057882a
SHA512 51c1d8d480ef7600cdb19aec57683adec4c9a8aec5159b8685c9938678a1bfc4fa92b22585718d219edc762de4456ef0044a93a4edd0ef4c0e7ae707990e949a

memory/2500-78-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/2128-77-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

C:\Windows\system\vgJEKpb.exe

MD5 0ae5b157635ff87f61e41388060df950
SHA1 60e0e27c19a8955aef96981bca73c8ddf942a368
SHA256 0278e0cef247085d88d0105abe5762a84e74309ea76064b4fa547d5787cf823c
SHA512 0332f384380ed8ba841a74eb3672d2d4e98132757dc696f454d4439c0b5eca5367cc57fa930e2fa0b8a6a4c1021c1874ea16d4d3bab417cc7fc90d13bce75a35

memory/2128-71-0x0000000002310000-0x0000000002664000-memory.dmp

memory/2700-65-0x000000013FA50000-0x000000013FDA4000-memory.dmp

memory/2128-64-0x000000013FA50000-0x000000013FDA4000-memory.dmp

memory/2696-58-0x000000013F230000-0x000000013F584000-memory.dmp

C:\Windows\system\zFVMZuG.exe

MD5 779e0f85918f4670c3631a9fc1d78396
SHA1 c7f12fc80cf91bd5bbc0e3fc9055243af9f53e5b
SHA256 b282e7b1636809a531b8c77764e90f36b9360425da2788ac0c48272f44788e07
SHA512 3d35941ece088d7759e55dc15d16efb43824bfd648b2d215fb90b26b1333adac99106e455d3cb921a31fbaa36999932aecc67007004d8c69a8dc158570c0f90f

memory/2636-51-0x000000013F610000-0x000000013F964000-memory.dmp

memory/2128-50-0x0000000002310000-0x0000000002664000-memory.dmp

memory/2128-41-0x0000000002310000-0x0000000002664000-memory.dmp

memory/2828-40-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/2448-34-0x000000013F480000-0x000000013F7D4000-memory.dmp

memory/2128-33-0x0000000002310000-0x0000000002664000-memory.dmp

memory/1992-32-0x000000013F970000-0x000000013FCC4000-memory.dmp

memory/2128-29-0x000000013F970000-0x000000013FCC4000-memory.dmp

C:\Windows\system\tgPobZI.exe

MD5 236bb6603b471cd16ca8e1bba1ae2b9b
SHA1 11c826134fc192cdaad4b47a1b5f706b76c47eb9
SHA256 1834c0d3f28b7687e512d75b8a66c640f863ff27d0c4033072c2636898c552b5
SHA512 8b2e09b785be9765606d0e7d9ff5ba95f8e889169775119e57f4562ba5f2f76e8b1129bdde0bec03b145ef137bd81b17cf39b55fdee133cadeff61b2dd4615f0

memory/2128-18-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/2128-137-0x0000000002310000-0x0000000002664000-memory.dmp

memory/2128-138-0x0000000002310000-0x0000000002664000-memory.dmp

memory/2500-139-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/2128-140-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

memory/2128-141-0x000000013FE20000-0x0000000140174000-memory.dmp

memory/2128-142-0x000000013FD80000-0x00000001400D4000-memory.dmp

memory/344-143-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/1716-144-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/1992-145-0x000000013F970000-0x000000013FCC4000-memory.dmp

memory/2448-146-0x000000013F480000-0x000000013F7D4000-memory.dmp

memory/2828-147-0x000000013FA30000-0x000000013FD84000-memory.dmp

memory/2636-149-0x000000013F610000-0x000000013F964000-memory.dmp

memory/2812-148-0x000000013F2E0000-0x000000013F634000-memory.dmp

memory/2696-150-0x000000013F230000-0x000000013F584000-memory.dmp

memory/2700-151-0x000000013FA50000-0x000000013FDA4000-memory.dmp

memory/2824-152-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

memory/2500-153-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/2332-154-0x000000013F850000-0x000000013FBA4000-memory.dmp

memory/2548-155-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

memory/1832-156-0x000000013FE20000-0x0000000140174000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-29 14:35

Reported

2024-06-29 14:38

Platform

win10v2004-20240611-en

Max time kernel

138s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\hjBhuUS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PdSwOSI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BhUbFUI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SspVFkW.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nAblNls.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WnBaPfb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mQxDXGN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kLtvLKi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RdAONPc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JflNDSa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hQRPVxt.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TbZRZhZ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EttbxQc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KvCoBTa.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jozCCVH.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IFGvxRz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XQMOKzw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\skklCNK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JHMjwyL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vAHbPJv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XCwAfFA.exe C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4996 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hjBhuUS.exe
PID 4996 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hjBhuUS.exe
PID 4996 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JflNDSa.exe
PID 4996 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JflNDSa.exe
PID 4996 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hQRPVxt.exe
PID 4996 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hQRPVxt.exe
PID 4996 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PdSwOSI.exe
PID 4996 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PdSwOSI.exe
PID 4996 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JHMjwyL.exe
PID 4996 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JHMjwyL.exe
PID 4996 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TbZRZhZ.exe
PID 4996 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TbZRZhZ.exe
PID 4996 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EttbxQc.exe
PID 4996 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EttbxQc.exe
PID 4996 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KvCoBTa.exe
PID 4996 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KvCoBTa.exe
PID 4996 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BhUbFUI.exe
PID 4996 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BhUbFUI.exe
PID 4996 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jozCCVH.exe
PID 4996 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jozCCVH.exe
PID 4996 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SspVFkW.exe
PID 4996 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SspVFkW.exe
PID 4996 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mQxDXGN.exe
PID 4996 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mQxDXGN.exe
PID 4996 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vAHbPJv.exe
PID 4996 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vAHbPJv.exe
PID 4996 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IFGvxRz.exe
PID 4996 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IFGvxRz.exe
PID 4996 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kLtvLKi.exe
PID 4996 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kLtvLKi.exe
PID 4996 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XQMOKzw.exe
PID 4996 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XQMOKzw.exe
PID 4996 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nAblNls.exe
PID 4996 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nAblNls.exe
PID 4996 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XCwAfFA.exe
PID 4996 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XCwAfFA.exe
PID 4996 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\skklCNK.exe
PID 4996 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\skklCNK.exe
PID 4996 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RdAONPc.exe
PID 4996 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RdAONPc.exe
PID 4996 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WnBaPfb.exe
PID 4996 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WnBaPfb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\hjBhuUS.exe

C:\Windows\System\hjBhuUS.exe

C:\Windows\System\JflNDSa.exe

C:\Windows\System\JflNDSa.exe

C:\Windows\System\hQRPVxt.exe

C:\Windows\System\hQRPVxt.exe

C:\Windows\System\PdSwOSI.exe

C:\Windows\System\PdSwOSI.exe

C:\Windows\System\JHMjwyL.exe

C:\Windows\System\JHMjwyL.exe

C:\Windows\System\TbZRZhZ.exe

C:\Windows\System\TbZRZhZ.exe

C:\Windows\System\EttbxQc.exe

C:\Windows\System\EttbxQc.exe

C:\Windows\System\KvCoBTa.exe

C:\Windows\System\KvCoBTa.exe

C:\Windows\System\BhUbFUI.exe

C:\Windows\System\BhUbFUI.exe

C:\Windows\System\jozCCVH.exe

C:\Windows\System\jozCCVH.exe

C:\Windows\System\SspVFkW.exe

C:\Windows\System\SspVFkW.exe

C:\Windows\System\mQxDXGN.exe

C:\Windows\System\mQxDXGN.exe

C:\Windows\System\vAHbPJv.exe

C:\Windows\System\vAHbPJv.exe

C:\Windows\System\IFGvxRz.exe

C:\Windows\System\IFGvxRz.exe

C:\Windows\System\kLtvLKi.exe

C:\Windows\System\kLtvLKi.exe

C:\Windows\System\XQMOKzw.exe

C:\Windows\System\XQMOKzw.exe

C:\Windows\System\nAblNls.exe

C:\Windows\System\nAblNls.exe

C:\Windows\System\XCwAfFA.exe

C:\Windows\System\XCwAfFA.exe

C:\Windows\System\skklCNK.exe

C:\Windows\System\skklCNK.exe

C:\Windows\System\RdAONPc.exe

C:\Windows\System\RdAONPc.exe

C:\Windows\System\WnBaPfb.exe

C:\Windows\System\WnBaPfb.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/4996-0-0x00007FF7D4850000-0x00007FF7D4BA4000-memory.dmp

memory/4996-1-0x0000027998840000-0x0000027998850000-memory.dmp

C:\Windows\System\hjBhuUS.exe

MD5 eab4a688d410c594e2fe104027ba211e
SHA1 33c02d7027e84fe2cb6d5248dea1f3eba12f995a
SHA256 fe0ec507268f7b8d7e66e90684649c53ca541c6a839c425b7a611c8f7bc0c8e4
SHA512 94321a205c23b0866b6269aa0eb73f77c5999e538740d51e80c4a4349d19233a55801e9a1ba1ea4289a414f96cc6feb0ab9378a31aa3d8f1309b731d2ca48b9d

C:\Windows\System\JflNDSa.exe

MD5 fc0731bacd46d0e8bc661e831351d216
SHA1 5145b4081569b47e5671b66ec8eed8287d854db5
SHA256 f9bb3070a17a12e5ed8704a271d4f1e483d63d7497f7c5691868a3a632e881db
SHA512 5b72762f19d17ab34ce585c5f1c267c85424c38689577d9d2e7e590c95aee8ad60d476a08aab45d303229908019da284f18ce6f106bff8fa4406d6c269a998d5

memory/4960-12-0x00007FF600D60000-0x00007FF6010B4000-memory.dmp

C:\Windows\System\hQRPVxt.exe

MD5 1d47947ea2b34a937593ef1c3b295066
SHA1 85ad06b384abff4a2c55ccddc534bd2f30eea2fc
SHA256 c2ae01d698e73f5ff8bdb9240208ac36350623cdc20b9bc9803b93f41e059f89
SHA512 8a67a8b9254da68086ed001d9491e2b95396fe0b43742d9410697ecc77f95680979e5b0916e2c972fe7cf659b25ba86e713f79d516594d8e4f6085210f0cfd28

memory/4604-16-0x00007FF7621C0000-0x00007FF762514000-memory.dmp

memory/2232-20-0x00007FF792490000-0x00007FF7927E4000-memory.dmp

C:\Windows\System\PdSwOSI.exe

MD5 b8a015f853dace3516a8c8594c73dcb3
SHA1 e8f122417e926224cf9d5a0df22fbca9e5678abd
SHA256 92b0a33131493d396b89f8928665508d2b75da283b8592aa77411c1a488bb55a
SHA512 b19dc0e07a795494a6fb450f6165df646dcd342f2a6513476de8d891dc15ecdd45cc966ea3deaa7fca63259b480b4404e15e84aad41ec7314f01c7e5ba3d3e12

memory/1016-26-0x00007FF712E30000-0x00007FF713184000-memory.dmp

memory/1848-32-0x00007FF776A30000-0x00007FF776D84000-memory.dmp

C:\Windows\System\JHMjwyL.exe

MD5 4f5afa2e63e5229ebe6e444c778adc52
SHA1 be00627fda00035e06e0e44684ad210a53cba479
SHA256 c33641e6e2ac3e04af82248c5925eeb99b6845d3e7d42498fb7fde911db6f599
SHA512 89ec21651320a3dd61ffc0ed860a16e1e02ca5e5ea866af6f0a1419834b2be69fcad8c4182465eabe8177c69f015c7d60591a61d35d88e6406434d9bb7ce3a20

C:\Windows\System\TbZRZhZ.exe

MD5 1369ccf623579e93bcfe099685b671b6
SHA1 0c9f2ba698bbe43731523709adf46a734c2ec884
SHA256 8821b8599cd356334f78cbc992c860af26614659ffc62b7c70f82f083c268028
SHA512 bd332ef0297fe6b057c3b146aa6bfc1db546ee35285b3d029bad7f41eb0aefc06ab3356f0454170d6fdb8567bb2eea3ae989b3bbdcdb03096554696d96859b78

memory/4956-37-0x00007FF7D76D0000-0x00007FF7D7A24000-memory.dmp

C:\Windows\System\EttbxQc.exe

MD5 4f448d1ede7326200a8a61281ceb1512
SHA1 27bae6af7aaeaf1ad2ea4beb9e1d405e15fd8de9
SHA256 09a33e4f686bb5c4f553a4c762a1f798538da73b9507b2f31b786b34d50b04e1
SHA512 0e73d7cd12b44e8da086b33382dded8cf0acbf25e84ab8f2b8de4ccac00d27cc1f9bdd226821a57870420dfc9fcc13d5d1d377f99062c774ffe3d127e3a65817

memory/5112-42-0x00007FF64FFF0000-0x00007FF650344000-memory.dmp

C:\Windows\System\KvCoBTa.exe

MD5 5b0bf6c29baffa615af7cec51e54bb51
SHA1 6041e4e3fe6822d5331e791fea396d10b616c829
SHA256 ecbee0ea2faff48627ef9f98984e589c2ad4cdd0c98730e8fcda55e95656b99d
SHA512 c651675521050aaf3b4c9d52288c901013687f9956e23f141cdc47ab4553f35d74a497b16cb9388775596ee4a054767003d84ea3553a0dc106a8c513e9d8f375

memory/3624-54-0x00007FF698680000-0x00007FF6989D4000-memory.dmp

C:\Windows\System\jozCCVH.exe

MD5 6b48de963a1ad27e876a2ff06c2dc95e
SHA1 1f9144645de5a609fc6d7ffeb091c8df52500c7b
SHA256 eba71a18ec0718996b9fff89001ab7fe17e0c9acd73448455514fae1266cae30
SHA512 21b8d0bb3161af82179e9dbac04d21d22ded25381d577272aade2523121a1343579eed128430b22c9cfba3d684fd1baec40daa45820efdadcf239b6e39076d60

C:\Windows\System\BhUbFUI.exe

MD5 ed5a91e831d4ca73d9203ea488048040
SHA1 e84adebd821b55a538766d01b6390b3e4e7d2f57
SHA256 0fb8ed2b1afaa2602bd4d5f627b072d98d77fd47bb20bf884a580fd4b11b64d0
SHA512 fe4eaa883dfaa09eb0159e150d82a527e42cce43ae619b11a63f6945ef009f5a4f6e80d15d1ce7477213d488fbb28ba36d19161512851a2596366e790be7dc61

memory/1808-61-0x00007FF637620000-0x00007FF637974000-memory.dmp

C:\Windows\System\SspVFkW.exe

MD5 6a789ba83776da946192018d590e0622
SHA1 7dedad4b4255bdaca3a25f0f1801680debc3b493
SHA256 af4d34b1f0c78dc836649d0ec46c3057766df3ff28e1d93fdf98d3497970ae4a
SHA512 bfca4fbb38290e77f830181b8e76e7a9ac9b39bcf17267cecc26dcede3d21941c9411363368c2b8715aaecefad62eb664cec13a2e91cceb9ce6e138e5d17cb52

memory/1932-71-0x00007FF7C8DD0000-0x00007FF7C9124000-memory.dmp

memory/3288-73-0x00007FF6B16D0000-0x00007FF6B1A24000-memory.dmp

C:\Windows\System\mQxDXGN.exe

MD5 316855076f1f3022a5305702a0521854
SHA1 8f173f1f6fc5a125c3c4aea826076c69f9e2d73b
SHA256 6550b34d3ca33914da840752047a46bc8761ddf798050fa54f44d137e5c1d1f9
SHA512 67d32c8cbbf94ea3b895d68682779d51f21b2295f4e48a86f2065b14eefc9f885b2fc0d4c63eca92e4a4588506515377305848295d84307e866c26efef853e91

memory/2204-72-0x00007FF7873B0000-0x00007FF787704000-memory.dmp

C:\Windows\System\kLtvLKi.exe

MD5 41c72768be9c40eb4e5ced0440d9c18a
SHA1 2685542d28cdd67f731260cc085d56ecfa2f6395
SHA256 90e9ca0e4dfea887ffca13bc06579b7a7004a058ff68f30b0894f36dd8b4c9a4
SHA512 5f20862e8df87a0a09b828de778fe6c7085b4e988ce5f4de3b6607051c18a1fa33d0eaa5eecc76edb2e49a971053c020bcf81575195721b187101caa0be5cf88

C:\Windows\System\XCwAfFA.exe

MD5 d8af99b747d96d482c278bad603780e4
SHA1 dd1dc57500ac4f7cb93061f5b1f93a035b0f5037
SHA256 e36695df6935eb3dcae8cb183eb10ef56d1161e56ecdca600cae88d254294c88
SHA512 b69c9647942139fcd493b1284cca3b11e1e644f707b48110ec36d49b4f5fda596d8d286ece20c0d3e4a9a9f1e3a6d5ca14fac2ff91e59eb75c52a1bfb0f791ab

C:\Windows\System\WnBaPfb.exe

MD5 14fbe87ae3cd6db04f9d7e567956390f
SHA1 eaec2e2e9970c5c063645f1c6c315f868ffa3a38
SHA256 6f7125721f83842f3f54a6ae5b674132019b5b713418e781bda32af274fa2275
SHA512 c49cd79bb8a5ea1a787ff25e2d725e0d8ea9804b16cb44348ab67a05f72ae0fd919e17d44322c145a5f8cf7b466d7bc4f04c928bbe476f0477bde8ae8854114e

C:\Windows\System\RdAONPc.exe

MD5 bf5e845af69f73c8e5e198f9b754abd9
SHA1 3b026d8f8c9e42bd4fbfaedf7f556edbb7abebbc
SHA256 0b4dcc470c4d0d889c2f80decd0b994c4f581561c1074a3df635253ff774f560
SHA512 0a3528fb47132be99ec0188c7312034112e821d180281346c5bb08e90e0af98404d3bb3e126adfee52378d4aa186692b24c40b52790aa0096398cf209977331f

C:\Windows\System\skklCNK.exe

MD5 f2b396ce7ebc4f54cffd68ee3c7da492
SHA1 2578d66d01141c748ce2cbe079086d309bf48ac9
SHA256 6fb1ef0c03235b21e865057709229d28d58a575f72fba779745a2ff57614e65e
SHA512 5847ac086873f120a6c74cfadf45a35d36dae55c143a46347e31f8105d676652b302712731e1b28e2408c56e0a02253123b1e59a5fc610cd6bcfd6ff2f37adb0

C:\Windows\System\nAblNls.exe

MD5 aec7c4990d9578e86e0603796d0e7c8c
SHA1 c1d9ec7d248c28ecbbea013e1b8bbf79e9f5661a
SHA256 1bcd45369f814075b132247059722a27ec2ab63aa62abd84e818dc19941c5f2b
SHA512 78e4b1b69756b31ceba3264aa4111d31210f010196547e167973c7291c4b01b0af1f52572cd64dad600f1f7482161b61e01a304e4f01083c20ca230e3d007818

C:\Windows\System\XQMOKzw.exe

MD5 24705da84a98ece1c106eb37edd9bf93
SHA1 2c6083df431f1a60cca7d28efda3f1a7dd0e5299
SHA256 46e1f57022238cc8826f3d1668e686e28be86620d754e6157182654dfeb4efd5
SHA512 7e7d5f8e8360715b27a966c2cf868a0b0e076a8cf12544b355b3f026d221ba1b14cce6e4858cdf6a2c7ce602434c5aa2bb920cfc2067ae178142d6bec563423a

C:\Windows\System\IFGvxRz.exe

MD5 e528d1f30571a20d46b677184c20bff0
SHA1 524658b2e1eada8718c96087414312716cf5157f
SHA256 a4ac0429d6e9a32c1a59c00eb348174a7bd08cd10fc59ca13184dd94ca5c29e5
SHA512 1fc2199aa8e3c4bfe0da8e9e587f3232e0120055d123dad4f2e807a3bcb3fe95a0e89a059e6e3076eff450b3a7936c61499764a0fa19e67c35da500a1ff916e2

C:\Windows\System\vAHbPJv.exe

MD5 82ef9229b2af660ed6ef4c3f852c1eb5
SHA1 fff060377239add2190190a1ded972b630e91c45
SHA256 1f4d3818072206840254986010ba33ddbfd65baab7046b4d6851f614cd6edf6f
SHA512 50bfc13b3219918bbf0bfdf5c78b0f79902556068826a985e185314ea18167467f5a92f350c1146a072b4b4f41016b300d6279a3cb20c018d971fafc0389e6b1

memory/4996-69-0x00007FF7D4850000-0x00007FF7D4BA4000-memory.dmp

memory/4604-120-0x00007FF7621C0000-0x00007FF762514000-memory.dmp

memory/4352-121-0x00007FF770000000-0x00007FF770354000-memory.dmp

memory/2176-122-0x00007FF7E3C00000-0x00007FF7E3F54000-memory.dmp

memory/5032-123-0x00007FF600220000-0x00007FF600574000-memory.dmp

memory/4364-125-0x00007FF71BDA0000-0x00007FF71C0F4000-memory.dmp

memory/3280-126-0x00007FF7522C0000-0x00007FF752614000-memory.dmp

memory/1688-124-0x00007FF7745C0000-0x00007FF774914000-memory.dmp

memory/1212-127-0x00007FF752060000-0x00007FF7523B4000-memory.dmp

memory/2460-128-0x00007FF6A3460000-0x00007FF6A37B4000-memory.dmp

memory/2992-129-0x00007FF6100C0000-0x00007FF610414000-memory.dmp

memory/2232-130-0x00007FF792490000-0x00007FF7927E4000-memory.dmp

memory/1016-131-0x00007FF712E30000-0x00007FF713184000-memory.dmp

memory/4956-132-0x00007FF7D76D0000-0x00007FF7D7A24000-memory.dmp

memory/5112-133-0x00007FF64FFF0000-0x00007FF650344000-memory.dmp

memory/3288-134-0x00007FF6B16D0000-0x00007FF6B1A24000-memory.dmp

memory/4960-135-0x00007FF600D60000-0x00007FF6010B4000-memory.dmp

memory/4604-136-0x00007FF7621C0000-0x00007FF762514000-memory.dmp

memory/2232-137-0x00007FF792490000-0x00007FF7927E4000-memory.dmp

memory/1016-138-0x00007FF712E30000-0x00007FF713184000-memory.dmp

memory/1848-139-0x00007FF776A30000-0x00007FF776D84000-memory.dmp

memory/4956-140-0x00007FF7D76D0000-0x00007FF7D7A24000-memory.dmp

memory/5112-141-0x00007FF64FFF0000-0x00007FF650344000-memory.dmp

memory/3624-142-0x00007FF698680000-0x00007FF6989D4000-memory.dmp

memory/1808-143-0x00007FF637620000-0x00007FF637974000-memory.dmp

memory/1932-144-0x00007FF7C8DD0000-0x00007FF7C9124000-memory.dmp

memory/2204-145-0x00007FF7873B0000-0x00007FF787704000-memory.dmp

memory/3288-146-0x00007FF6B16D0000-0x00007FF6B1A24000-memory.dmp

memory/4352-147-0x00007FF770000000-0x00007FF770354000-memory.dmp

memory/2176-148-0x00007FF7E3C00000-0x00007FF7E3F54000-memory.dmp

memory/5032-149-0x00007FF600220000-0x00007FF600574000-memory.dmp

memory/1688-150-0x00007FF7745C0000-0x00007FF774914000-memory.dmp

memory/4364-151-0x00007FF71BDA0000-0x00007FF71C0F4000-memory.dmp

memory/3280-152-0x00007FF7522C0000-0x00007FF752614000-memory.dmp

memory/2992-154-0x00007FF6100C0000-0x00007FF610414000-memory.dmp

memory/1212-153-0x00007FF752060000-0x00007FF7523B4000-memory.dmp

memory/2460-155-0x00007FF6A3460000-0x00007FF6A37B4000-memory.dmp