Malware Analysis Report

2024-10-24 18:11

Sample ID 240630-ghfklaxfjr
Target 2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat
SHA256 250de0607d512c5ac99ec32e42f059119460410e33b4ac1f9b577a9a5d3325aa
Tags
miner upx xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

250de0607d512c5ac99ec32e42f059119460410e33b4ac1f9b577a9a5d3325aa

Threat Level: Known bad

The file 2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx xmrig cobaltstrike backdoor trojan

Xmrig family

Detects Reflective DLL injection artifacts

Cobalt Strike reflective loader

Cobaltstrike

UPX dump on OEP (original entry point)

Cobaltstrike family

XMRig Miner payload

xmrig

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-30 05:48

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
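
The static1 results above (UPX packed file, Unsigned PE) are what a first-pass look at the PE headers yields. The following Python is an added example, not the sandbox's own code, showing what such a check reads: the section names, the empty-on-disk first section that UPX leaves behind, the "UPX!" marker string, and the security data directory, whose size is zero when no Authenticode signature is embedded. It builds a minimal PE32+ header in memory (constructed test data, not the sample from this report) so it runs offline; the field names and the heuristic combination in upx_packed are my choices.

```python
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # DataDirectory slot that points at the Authenticode blob


def parse_pe(pe: bytes) -> dict:
    """Read the few header fields a first-pass static triage needs (PE32 and PE32+)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_of_optional = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                        # optional header follows the 20-byte COFF header
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    data_dir = opt + (112 if pe32plus else 96)  # DataDirectory offset differs between PE32+ and PE32
    sec_va, sec_size = struct.unpack_from("<II", pe, data_dir + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    table = opt + size_of_optional             # section table starts right after the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append({"name": pe[off:off + 8].rstrip(b"\0"), "vsize": vsize,
                         "va": va, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"pe32plus": pe32plus, "security_dir": (sec_va, sec_size), "sections": sections}


def static_triage(pe: bytes) -> dict:
    """UPX and embedded-signature indicators for one file."""
    hdr = parse_pe(pe)
    names = [s["name"] for s in hdr["sections"]]
    first = hdr["sections"][0] if hdr["sections"] else None
    has_upx_names = any(n in UPX_SECTION_NAMES for n in names)
    # UPX's first section has no raw data on disk; the image is decompressed into it at
    # run time, which is the in-memory image a "dump on OEP" signature captures
    empty_first = bool(first and first["raw_size"] == 0 and first["vsize"] > 0)
    upx_magic = b"UPX!" in pe
    return {
        "section_names": names,
        "upx_section_names": has_upx_names,
        "empty_first_section": empty_first,
        "upx_magic": upx_magic,
        "upx_packed": has_upx_names or (empty_first and upx_magic),
        # zero-size security directory: no embedded Authenticode signature
        # (says nothing about catalog signing, which lives outside the file)
        "unsigned": hdr["security_dir"][1] == 0,
    }


def build_pe(section_names, security_dir_size=0, upx_magic=False) -> bytes:
    """Construct a minimal PE32+ header in memory for offline testing (not a real sample)."""
    e_lfanew = 0x80
    dos = (b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 240                                       # standard PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                # Magic: PE32+
    struct.pack_into("<I", opt, 108, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     0x1000 if security_dir_size else 0, security_dir_size)
    table = b""
    for i, name in enumerate(section_names):
        raw_size = 0 if name == b"UPX0" else 0x200       # mimic UPX0's empty raw data
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", 0x10000, 0x1000 * (i + 1), raw_size, 0x400 * (i + 1), 0, 0, 0, 0, 0x60000020)
    tail = b"UPX!" + bytes(12) if upx_magic else bytes(16)
    return dos + b"PE\0\0" + coff + bytes(opt) + table + tail


if __name__ == "__main__":
    print(static_triage(build_pe([b"UPX0", b"UPX1", b".rsrc"], upx_magic=True)))
```

Two caveats apply when reading the sandbox's verdicts the same way: section names and the "UPX!" string are trivially rewritten, so their absence does not prove a file is unpacked, and an empty security directory only means the file carries no embedded signature.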

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-30 05:48

Reported

2024-06-30 05:50

Platform

win7-20240611-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 identical rows in the original table; no indicator details were recorded for any of them)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
(21 identical rows in the original table; no indicator details were recorded for any of them)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(53 identical rows in the original table; no indicator details were recorded for any of them)

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(59 identical rows in the original table; no indicator details were recorded for any of them)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
(21 identical rows in the original table, all naming the same process; the DLL paths were not recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(53 identical rows in the original table; no indicator details were recorded for any of them)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\urYTxdk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tHslcYK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FokpRNN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rwoRiJx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OzxenSF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iOeOkHP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BPAelOJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bxlqwNG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nBFOCfJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kbZriLR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kaVftuC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XJvrCCm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KoItgUY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\onXnVBY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\epyLJll.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dcnXTxh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UGUbgKV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HpejeBL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\izIlmov.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QEkEHdK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qSNKMMb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2056 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\urYTxdk.exe
PID 2056 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BPAelOJ.exe
PID 2056 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tHslcYK.exe
PID 2056 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UGUbgKV.exe
PID 2056 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HpejeBL.exe
PID 2056 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XJvrCCm.exe
PID 2056 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bxlqwNG.exe
PID 2056 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FokpRNN.exe
PID 2056 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KoItgUY.exe
PID 2056 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nBFOCfJ.exe
PID 2056 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rwoRiJx.exe
PID 2056 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kbZriLR.exe
PID 2056 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\izIlmov.exe
PID 2056 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QEkEHdK.exe
PID 2056 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qSNKMMb.exe
PID 2056 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\onXnVBY.exe
PID 2056 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\epyLJll.exe
PID 2056 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kaVftuC.exe
PID 2056 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iOeOkHP.exe
PID 2056 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dcnXTxh.exe
PID 2056 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OzxenSF.exe
(the original table records each of these 21 writes three times, 63 rows in all; one row is kept per target PID, and every target is one of the 21 executables dropped into C:\Windows\System above)
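
The two tables above describe one behaviour: a single process creates executables with random 7-letter names directly under C:\Windows\System and then writes into the memory of a process started from each of them. The Python below is an added example, not the sandbox's code, that reads rows in the format of those tables and raises one finding per process showing that pattern. The sample rows are a subset copied from the tables (three drops and their writes, each write repeated three times as in the original table) plus two constructed benign rows; the threshold, the filename regex and the function names are my choices, and the parser assumes paths contain no whitespace, which holds for these rows.

```python
import re
from collections import defaultdict

# Parent process path as it appears in the behavioral1 tables (PID 2056)
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe")

SYSTEM_DIR = r"c:\windows\system"
FILE_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
RANDOM_EXE_RE = re.compile(r"^[A-Za-z]{7}\.exe$")    # urYTxdk.exe, BPAelOJ.exe, ...


def wpm_row(src_pid, dst_pid, target):
    return f"PID {src_pid} wrote to memory of {dst_pid} N/A {DROPPER} {target}"


# Rows copied from the report's tables, followed by two constructed benign rows:
# a log file written into the same directory, and a single write by an unrelated process.
SAMPLE_ROWS = (
    [f"File created C:\\Windows\\System\\{n}.exe {DROPPER} N/A"
     for n in ("urYTxdk", "BPAelOJ", "tHslcYK")]
    + [wpm_row(2056, 1508, r"C:\Windows\System\urYTxdk.exe")] * 3
    + [wpm_row(2056, 2968, r"C:\Windows\System\BPAelOJ.exe")] * 3
    + [wpm_row(2056, 2024, r"C:\Windows\System\tHslcYK.exe")] * 3
    + [r"File created C:\Windows\System\setup.log C:\Tools\setup.exe N/A",
       r"PID 4100 wrote to memory of 4120 N/A C:\Tools\devenv.exe C:\Tools\app.exe"]
)


def parse_rows(rows):
    """Turn table rows into file-create and write-process-memory events; other rows are skipped."""
    events = []
    for row in rows:
        m = FILE_RE.match(row)
        if m:
            events.append({"kind": "file_create", "path": m.group(1), "process": m.group(2)})
            continue
        m = WPM_RE.match(row)
        if m:
            events.append({"kind": "wpm", "src_pid": int(m.group(1)), "dst_pid": int(m.group(2)),
                           "process": m.group(3), "target": m.group(4)})
    return events


def detect_system_dir_dropper(events, min_children=3):
    """One finding per process that drops >= min_children random-named .exe files directly
    under C:\\Windows\\System and then writes into a process started from each of them.
    Repeated writes to the same child collapse to one entry per target."""
    drops = defaultdict(set)                           # process -> dropped paths
    writes = defaultdict(lambda: defaultdict(set))     # process -> target path -> {dst pids}
    for e in events:
        if e["kind"] == "file_create":
            head, _, name = e["path"].rpartition("\\")
            if head.lower() == SYSTEM_DIR and RANDOM_EXE_RE.match(name):
                drops[e["process"]].add(e["path"])
        elif e["kind"] == "wpm":
            writes[e["process"]][e["target"]].add(e["dst_pid"])
    findings = []
    for proc, dropped in drops.items():
        injected = [t for t in sorted(dropped) if t in writes[proc]]
        if len(injected) >= min_children:
            findings.append({"process": proc, "dropped": sorted(dropped),
                             "children": {t: sorted(writes[proc][t]) for t in injected}})
    return findings


if __name__ == "__main__":
    for f in detect_system_dir_dropper(parse_rows(SAMPLE_ROWS)):
        print(f["process"], "->", f["children"])
```

On a live endpoint the same correlation runs over file-create and process-access telemetry (Sysmon event IDs 11 and 10, the latter with a PROCESS_VM_WRITE bit in the granted access) instead of sandbox rows; the directory and naming constraints are what keep it from firing on installers, which write one or two fixed names rather than twenty-one random ones.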

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\urYTxdk.exe

C:\Windows\System\urYTxdk.exe

C:\Windows\System\BPAelOJ.exe

C:\Windows\System\BPAelOJ.exe

C:\Windows\System\tHslcYK.exe

C:\Windows\System\tHslcYK.exe

C:\Windows\System\UGUbgKV.exe

C:\Windows\System\UGUbgKV.exe

C:\Windows\System\HpejeBL.exe

C:\Windows\System\HpejeBL.exe

C:\Windows\System\XJvrCCm.exe

C:\Windows\System\XJvrCCm.exe

C:\Windows\System\bxlqwNG.exe

C:\Windows\System\bxlqwNG.exe

C:\Windows\System\FokpRNN.exe

C:\Windows\System\FokpRNN.exe

C:\Windows\System\KoItgUY.exe

C:\Windows\System\KoItgUY.exe

C:\Windows\System\nBFOCfJ.exe

C:\Windows\System\nBFOCfJ.exe

C:\Windows\System\rwoRiJx.exe

C:\Windows\System\rwoRiJx.exe

C:\Windows\System\kbZriLR.exe

C:\Windows\System\kbZriLR.exe

C:\Windows\System\izIlmov.exe

C:\Windows\System\izIlmov.exe

C:\Windows\System\QEkEHdK.exe

C:\Windows\System\QEkEHdK.exe

C:\Windows\System\qSNKMMb.exe

C:\Windows\System\qSNKMMb.exe

C:\Windows\System\onXnVBY.exe

C:\Windows\System\onXnVBY.exe

C:\Windows\System\epyLJll.exe

C:\Windows\System\epyLJll.exe

C:\Windows\System\kaVftuC.exe

C:\Windows\System\kaVftuC.exe

C:\Windows\System\iOeOkHP.exe

C:\Windows\System\iOeOkHP.exe

C:\Windows\System\dcnXTxh.exe

C:\Windows\System\dcnXTxh.exe

C:\Windows\System\OzxenSF.exe

C:\Windows\System\OzxenSF.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
(6 identical rows in the original table; this is the only network destination recorded for the detonation, reached over TCP port 8080 with no domain name)

Files

memory/2056-0-0x000000013F410000-0x000000013F764000-memory.dmp

memory/2056-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\urYTxdk.exe

MD5 26df69b71e06cc69f74256b3fa710687
SHA1 43b8111eaf32443b9720d5dbb1917e5c02a83e5d
SHA256 00029b9e8f79c0ef4ec02a95c177198ec78d0fcafaa0909ebadbbab4c5342e28
SHA512 b4f3d561f0068a9b1e12da4d7fcf991bf328edc2d488c7277e1e1da68f1950539f9213f933a4ed285446f7f30f097eb59628112520c47325867fc5e33484a6bb

\Windows\system\BPAelOJ.exe

MD5 d3dbf4b55a2ceed173d660c0f5b485e4
SHA1 3d4341aee01228f715ccd88e7ba322909b75a7ac
SHA256 6f302bcce9e6c7213ed3e2b64ef11bba633379281f8da8265c99283998f52901
SHA512 76658aa1b8d47c611aee1df0493a45bdd4da5bae2b14ceccb35f6250bd5fd1cd5c960db2a4b875a1f774710ce84b43b98eeb73e68f153c722d38d8a0262860b3

C:\Windows\system\UGUbgKV.exe

MD5 19f5ef6486fbb1bdfd7c4cec9b267d75
SHA1 007921b897fcca6c4e8e4c749587c0333998446e
SHA256 53b50034445532e73d803c1e0d6a24bd50e63c3a1289fac350bed78de4a72564
SHA512 57defd6f56dff4a24c99606004ca88685839654043fa7c63a91b49eb2844b97821578136a54464c93b73f7bf23fc5436e8cd6b1c15687fd7e1e29a9c1f4212dc

memory/2056-26-0x0000000002300000-0x0000000002654000-memory.dmp

memory/2056-25-0x000000013FFF0000-0x0000000140344000-memory.dmp

\Windows\system\HpejeBL.exe

MD5 bcc5808dffe6107e3761fd72275625b9
SHA1 c46071722c332e1157db7f8043257a23cb2e41d6
SHA256 a6c10f22bd66c3690e648a189f73543e7112a6cddee0d6180b2c44f99d577438
SHA512 16f3af726f115cdf4f64701feb642f3b192ab1fc06ca5807fd95210c65826e9d2a4bbf2f785845782dd7bceceae5e050da08817f8c38e2a47448f03309ca70ef

C:\Windows\system\tHslcYK.exe

MD5 dc702388fa84a533a3e3958045320fe9
SHA1 906d23f479052062d60e449a06eeda9c177ef054
SHA256 c9edb9431296fd1bfb3a9f80dad73317d44f6a8962639f607781b34a21008ffd
SHA512 577178193fa6fd68098c4545bae8a038b20f296d2a02c0d3801cbef3d4fabb7cac484e82f19b8e71918774efa0aeba11f63e5711193409cb2a92be8d28cd03e5

memory/1508-15-0x000000013FBC0000-0x000000013FF14000-memory.dmp

memory/2056-37-0x0000000002300000-0x0000000002654000-memory.dmp

\Windows\system\XJvrCCm.exe

MD5 b2d715a04232d421600c0a5ceedd548c
SHA1 1f926ee8177f7b17ac8b4312f1a9b218c6560088
SHA256 0c4ed3962fec6504a3c59998cba8e2935f78084c69ecefd839997f4130b87bf8
SHA512 ffa7b8074a35856cad43dc875ff9978c6ec3b96c651bb2c6ae9173999457b7817d28d859a176782d0c04ebd0bdb77bcbc125f767fda09368eb62d30293413531

\Windows\system\bxlqwNG.exe

MD5 5bc6ac7485f3aa6175d41ed132fd54ac
SHA1 1574189bf7a1197c9db9587b4015c458a58950aa
SHA256 40539fa92e41443f48dc8805c8cf0643b608c6cb5bcc875442930a4b1008697a
SHA512 35e8b8c0052d0312b37c908602de061c2add5bad298a4bd5f7a50eb4a42b0a3952c8bc88f70f9a019a66f51b59c65799c4e426fdd8db69afed8f5ce976d09a4f

memory/2744-42-0x000000013F4F0000-0x000000013F844000-memory.dmp

memory/2692-35-0x000000013F2F0000-0x000000013F644000-memory.dmp

memory/2580-34-0x000000013F750000-0x000000013FAA4000-memory.dmp

memory/2024-33-0x000000013FFF0000-0x0000000140344000-memory.dmp

memory/2968-32-0x000000013F290000-0x000000013F5E4000-memory.dmp

memory/2056-31-0x0000000002300000-0x0000000002654000-memory.dmp

memory/2624-56-0x000000013F3E0000-0x000000013F734000-memory.dmp

memory/2800-78-0x000000013F110000-0x000000013F464000-memory.dmp

memory/2056-83-0x000000013F410000-0x000000013F764000-memory.dmp

C:\Windows\system\epyLJll.exe

MD5 f3c6afeb3cd897549410a1e88b618d2c
SHA1 48639dcf8d31f6ede1dc3f9d7d97f8b4cb930838
SHA256 c7bcb953253cc1b020013ee85cca71f90201b928628905c702902c8f3807f343
SHA512 015485ec8d6a99a222672e7c81f01b1eb1619168cb0839c4b7257f992645a09c2d6e8ee6ef80659131925864c4b13ce6c5072e9e257ca01dce361fcaae7d3a85

C:\Windows\system\onXnVBY.exe

MD5 f5aa52dd1ac9089b9421ce8948a91173
SHA1 6e342dff6ba55fc05ecb60b84e413dde1eafd1ab
SHA256 a58422b21fc859b9bd31abcfa05374a45527b114c1286f0fa3287108392244c8
SHA512 821db3449bfa79d3f081dd8d7acebade34850f2d7d288e6fe23949a85a0e5a72f00ccb2fa1f24b552f07a6c53c97d60acc15b47219c3c4565a369ddb4df48cf4

C:\Windows\system\dcnXTxh.exe

MD5 16ba6e151b32abbfa6328ed37cd9403d
SHA1 3ff5f0463e3f2efd186f4aeb1849d9cd85a16c67
SHA256 16cfc2c65b16ad9d2f97a2f2edbae82b28426294f64dec03b958fb2b355f517f

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-30 05:48

Reported

2024-06-30 05:50

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\OzxenSF.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rwoRiJx.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kbZriLR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\onXnVBY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kaVftuC.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\epyLJll.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\urYTxdk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HpejeBL.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XJvrCCm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bxlqwNG.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BPAelOJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KoItgUY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nBFOCfJ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QEkEHdK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qSNKMMb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iOeOkHP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dcnXTxh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tHslcYK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UGUbgKV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FokpRNN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\izIlmov.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 232 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\urYTxdk.exe
PID 232 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\urYTxdk.exe
PID 232 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BPAelOJ.exe
PID 232 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BPAelOJ.exe
PID 232 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tHslcYK.exe
PID 232 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tHslcYK.exe
PID 232 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UGUbgKV.exe
PID 232 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UGUbgKV.exe
PID 232 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HpejeBL.exe
PID 232 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HpejeBL.exe
PID 232 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XJvrCCm.exe
PID 232 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XJvrCCm.exe
PID 232 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bxlqwNG.exe
PID 232 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bxlqwNG.exe
PID 232 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FokpRNN.exe
PID 232 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FokpRNN.exe
PID 232 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KoItgUY.exe
PID 232 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KoItgUY.exe
PID 232 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nBFOCfJ.exe
PID 232 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nBFOCfJ.exe
PID 232 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rwoRiJx.exe
PID 232 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rwoRiJx.exe
PID 232 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kbZriLR.exe
PID 232 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kbZriLR.exe
PID 232 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\izIlmov.exe
PID 232 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\izIlmov.exe
PID 232 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QEkEHdK.exe
PID 232 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QEkEHdK.exe
PID 232 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qSNKMMb.exe
PID 232 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qSNKMMb.exe
PID 232 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\onXnVBY.exe
PID 232 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\onXnVBY.exe
PID 232 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\epyLJll.exe
PID 232 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\epyLJll.exe
PID 232 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kaVftuC.exe
PID 232 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kaVftuC.exe
PID 232 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iOeOkHP.exe
PID 232 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iOeOkHP.exe
PID 232 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dcnXTxh.exe
PID 232 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dcnXTxh.exe
PID 232 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OzxenSF.exe
PID 232 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OzxenSF.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\urYTxdk.exe

C:\Windows\System\urYTxdk.exe

C:\Windows\System\BPAelOJ.exe

C:\Windows\System\BPAelOJ.exe

C:\Windows\System\tHslcYK.exe

C:\Windows\System\tHslcYK.exe

C:\Windows\System\UGUbgKV.exe

C:\Windows\System\UGUbgKV.exe

C:\Windows\System\HpejeBL.exe

C:\Windows\System\HpejeBL.exe

C:\Windows\System\XJvrCCm.exe

C:\Windows\System\XJvrCCm.exe

C:\Windows\System\bxlqwNG.exe

C:\Windows\System\bxlqwNG.exe

C:\Windows\System\FokpRNN.exe

C:\Windows\System\FokpRNN.exe

C:\Windows\System\KoItgUY.exe

C:\Windows\System\KoItgUY.exe

C:\Windows\System\nBFOCfJ.exe

C:\Windows\System\nBFOCfJ.exe

C:\Windows\System\rwoRiJx.exe

C:\Windows\System\rwoRiJx.exe

C:\Windows\System\kbZriLR.exe

C:\Windows\System\kbZriLR.exe

C:\Windows\System\izIlmov.exe

C:\Windows\System\izIlmov.exe

C:\Windows\System\QEkEHdK.exe

C:\Windows\System\QEkEHdK.exe

C:\Windows\System\qSNKMMb.exe

C:\Windows\System\qSNKMMb.exe

C:\Windows\System\onXnVBY.exe

C:\Windows\System\onXnVBY.exe

C:\Windows\System\epyLJll.exe

C:\Windows\System\epyLJll.exe

C:\Windows\System\kaVftuC.exe

C:\Windows\System\kaVftuC.exe

C:\Windows\System\iOeOkHP.exe

C:\Windows\System\iOeOkHP.exe

C:\Windows\System\dcnXTxh.exe

C:\Windows\System\dcnXTxh.exe

C:\Windows\System\OzxenSF.exe

C:\Windows\System\OzxenSF.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4304,i,5229431749694857451,16836185654682871752,262144 --variations-seed-version --mojo-platform-channel-handle=3864 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
DE 3.120.209.58:8080 tcp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
