Malware Analysis Report

2024-10-24 18:12

Sample ID 240630-gj4zksthlf
Target 2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat
SHA256 323140ae6707575622973ae79a6f015a2a38e63a4b9462a202fa6e2e2c0d3d19
Tags miner upx 0 xmrig cobaltstrike backdoor trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

323140ae6707575622973ae79a6f015a2a38e63a4b9462a202fa6e2e2c0d3d19

Threat Level: Known bad

The file 2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

UPX dump on OEP (original entry point)

xmrig

Detects Reflective DLL injection artifacts

XMRig Miner payload

Cobaltstrike family

Cobaltstrike

Cobalt Strike reflective loader

Xmrig family

Detects Reflective DLL injection artifacts

UPX dump on OEP (original entry point)

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-30 05:51

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-30 05:50

Reported

2024-06-30 05:53

Platform

win7-20240611-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ueirzPj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WnXYHVz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ixGgruw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NyBmulz.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZmepKAM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bGAUnqf.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OSMONhS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zPDSOdS.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ixCvjzd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sWQwijm.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\abvwOtK.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aFZXNak.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aeJXnXg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RMDDIQR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CMtfDvM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WhRGbvN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MlKnunE.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lkRHtqs.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oZzxQaR.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tNXtptD.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WOMEdeI.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2280 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ueirzPj.exe
PID 2280 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ueirzPj.exe
PID 2280 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ueirzPj.exe
PID 2280 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sWQwijm.exe
PID 2280 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sWQwijm.exe
PID 2280 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sWQwijm.exe
PID 2280 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZmepKAM.exe
PID 2280 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZmepKAM.exe
PID 2280 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZmepKAM.exe
PID 2280 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lkRHtqs.exe
PID 2280 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lkRHtqs.exe
PID 2280 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lkRHtqs.exe
PID 2280 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\abvwOtK.exe
PID 2280 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\abvwOtK.exe
PID 2280 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\abvwOtK.exe
PID 2280 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aFZXNak.exe
PID 2280 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aFZXNak.exe
PID 2280 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aFZXNak.exe
PID 2280 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aeJXnXg.exe
PID 2280 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aeJXnXg.exe
PID 2280 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aeJXnXg.exe
PID 2280 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WnXYHVz.exe
PID 2280 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WnXYHVz.exe
PID 2280 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WnXYHVz.exe
PID 2280 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bGAUnqf.exe
PID 2280 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bGAUnqf.exe
PID 2280 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bGAUnqf.exe
PID 2280 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RMDDIQR.exe
PID 2280 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RMDDIQR.exe
PID 2280 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RMDDIQR.exe
PID 2280 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oZzxQaR.exe
PID 2280 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oZzxQaR.exe
PID 2280 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oZzxQaR.exe
PID 2280 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tNXtptD.exe
PID 2280 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tNXtptD.exe
PID 2280 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tNXtptD.exe
PID 2280 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CMtfDvM.exe
PID 2280 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CMtfDvM.exe
PID 2280 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CMtfDvM.exe
PID 2280 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WhRGbvN.exe
PID 2280 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WhRGbvN.exe
PID 2280 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WhRGbvN.exe
PID 2280 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ixGgruw.exe
PID 2280 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ixGgruw.exe
PID 2280 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ixGgruw.exe
PID 2280 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OSMONhS.exe
PID 2280 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OSMONhS.exe
PID 2280 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OSMONhS.exe
PID 2280 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ixCvjzd.exe
PID 2280 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ixCvjzd.exe
PID 2280 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ixCvjzd.exe
PID 2280 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zPDSOdS.exe
PID 2280 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zPDSOdS.exe
PID 2280 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zPDSOdS.exe
PID 2280 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NyBmulz.exe
PID 2280 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NyBmulz.exe
PID 2280 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NyBmulz.exe
PID 2280 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WOMEdeI.exe
PID 2280 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WOMEdeI.exe
PID 2280 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WOMEdeI.exe
PID 2280 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MlKnunE.exe
PID 2280 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MlKnunE.exe
PID 2280 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MlKnunE.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\ueirzPj.exe

C:\Windows\System\ueirzPj.exe

C:\Windows\System\sWQwijm.exe

C:\Windows\System\sWQwijm.exe

C:\Windows\System\ZmepKAM.exe

C:\Windows\System\ZmepKAM.exe

C:\Windows\System\lkRHtqs.exe

C:\Windows\System\lkRHtqs.exe

C:\Windows\System\abvwOtK.exe

C:\Windows\System\abvwOtK.exe

C:\Windows\System\aFZXNak.exe

C:\Windows\System\aFZXNak.exe

C:\Windows\System\aeJXnXg.exe

C:\Windows\System\aeJXnXg.exe

C:\Windows\System\WnXYHVz.exe

C:\Windows\System\WnXYHVz.exe

C:\Windows\System\bGAUnqf.exe

C:\Windows\System\bGAUnqf.exe

C:\Windows\System\RMDDIQR.exe

C:\Windows\System\RMDDIQR.exe

C:\Windows\System\oZzxQaR.exe

C:\Windows\System\oZzxQaR.exe

C:\Windows\System\tNXtptD.exe

C:\Windows\System\tNXtptD.exe

C:\Windows\System\CMtfDvM.exe

C:\Windows\System\CMtfDvM.exe

C:\Windows\System\WhRGbvN.exe

C:\Windows\System\WhRGbvN.exe

C:\Windows\System\ixGgruw.exe

C:\Windows\System\ixGgruw.exe

C:\Windows\System\OSMONhS.exe

C:\Windows\System\OSMONhS.exe

C:\Windows\System\ixCvjzd.exe

C:\Windows\System\ixCvjzd.exe

C:\Windows\System\zPDSOdS.exe

C:\Windows\System\zPDSOdS.exe

C:\Windows\System\NyBmulz.exe

C:\Windows\System\NyBmulz.exe

C:\Windows\System\WOMEdeI.exe

C:\Windows\System\WOMEdeI.exe

C:\Windows\System\MlKnunE.exe

C:\Windows\System\MlKnunE.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2280-0-0x000000013F050000-0x000000013F3A4000-memory.dmp

memory/2280-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\ueirzPj.exe

MD5 994db2047cecd5adbaca6247f0e35456
SHA1 123f9f84a9ec6ea61613b60727b17edd29acd2ff
SHA256 9cc7f56e06bef7f5224c18da1d9bd1e9e33d7ea7fbaa8b8d4e2cde2cf35d8ad6
SHA512 47044d098279e9ebf8fca91ef1291a327522209bfea5bb23341fcb900970efb0a88b3342c5271b720b0adf83abe798fcacb5499559efae0630f3c43257b61749

memory/2420-8-0x000000013F640000-0x000000013F994000-memory.dmp

memory/2280-7-0x000000013F640000-0x000000013F994000-memory.dmp

\Windows\system\sWQwijm.exe

MD5 3190e8e1dd50ac304ccf0b8364d21684
SHA1 ca6c9a69a50cdcac6c5de1269ab589575a78e008
SHA256 51ddaa1ae3335c357b37fc8e046cffd403b7a9280bcc915c64224dcb5a511c09
SHA512 a853c94e6e36e0a669f9f346184d9bed5d9a4eba45b735f01f13730a3751641921c4dcc75206798c27902a6ac18ee9b443b153993404ec17c8e57b88f020a19f

C:\Windows\system\ZmepKAM.exe

MD5 49da1fc0bfdad7b656c944cb25f41b0e
SHA1 11935ed09688c420e374fc9ef1b5ede261995165
SHA256 fa53e24145ea58fbe5a13da02864c3a3d076712096152f1ed22086083b445c5f
SHA512 064ae47aca95ecbc8db34b52fabf2ca5015a0ecb86fd3f52ffbcb443904479f11a1538c397cb9ee958734a555038ed66b198344f82fc3a672b50ea48bf5a4773

C:\Windows\system\lkRHtqs.exe

MD5 721767b7dccc9116721a06c9573ce654
SHA1 41e2f0c1ddf1a4eabd33b0fb91765c3743918f00
SHA256 8d1806e8c22a3d1a4e3efdc562010c2f0711589f448e3293769a11a65f64f09e
SHA512 56d9a394ad443298ff02b4cf553daf0cf780049ec48714cb3e5e698e6237da596dd027ec2d4a781ee6439f4977115342ec48462e13654d2b16cf08d5d20bec3d

C:\Windows\system\abvwOtK.exe

MD5 90bfbfbc1da84c1ba4962fed51a15c55
SHA1 fe13907cb6e7b26fd689a1e17c3d44a632116860
SHA256 5ba2b595f5a8b588d357cedcf04a366bb3a394a1ee9fe1311e3a7c102b7ac4e6
SHA512 c5baf051655db5420e2c827dffff9c3f22f47f471e315c83d68a11ef42ce121911fe0ff32b003a648061bedde45cade37a4904d7b4c58a9d50840930269434db

C:\Windows\system\aFZXNak.exe

MD5 fa83c344b0d48f510687758277cb798e
SHA1 c0730f54d05a7117e45c04ac4ec54a8c26e56a6d
SHA256 8d1f2b2f71c32a1446f6a473feaf2877296c659f2f5f6c11acb57e458627091a
SHA512 1214f9fb40ce5c86d54a43f68fa727e99a917bc20d745690e4bd65118306bd0225b0b36b2a9989808a3b8b6a46fe3a845a3c167ae31e207a194e63a9f1bd26ee

C:\Windows\system\RMDDIQR.exe

MD5 4281dacdf0026027dd0b4f5ade104add
SHA1 dd49c7bf0ad9799544b91aa476d30e21da0764b4
SHA256 d0e39b6f6a2d2daa82e1b834d8390427c2f18ab60e388ee24065a595e5711e0a
SHA512 12e1aca7ab190c56e37e753cc17d2a22afb1835eabf3e7d2d338d3f28eaef355a2c86e0edf3ca7ddf45352319488b98a7b115ad7d5a1c25919f38ca5c3bea989

C:\Windows\system\CMtfDvM.exe

MD5 26be89865883e8fbda0b4168303d40d4
SHA1 14032d7439c00ade39bf5414335d614840c3959d
SHA256 38585d4141f8251c1ca107b43b8aaa45ab0cf0217536781433e816f7587ad670
SHA512 79648f020b24ee4cd33650630e3a09a923acb90792601dc9043fd9c4b73e700ad606ab12387ef45171f8906668edeb3d61e14aa624f8bc5f40e20e6d4be3e360

C:\Windows\system\ixCvjzd.exe

MD5 b149652ff3fb949dec836412c2d86cb6
SHA1 8b2665ca32bc0a8adee42172d7734d7358b6fee0
SHA256 dfb708eab43533073faba041b0af3049f8cc7840ba9646fe521ff509710a6c35
SHA512 d88c0ab70ad367613d14eb1378836fc4f58d0b174acce156646799c19d6b8e10dc9151ff2bcd0e4ac844db4cda45968863bd309bb88eea31280d64c59c6850df

C:\Windows\system\NyBmulz.exe

MD5 8f6032678675b0df8fcfa15b8ac5e856
SHA1 7d9667565547cf498452a08db28ca38a14587216
SHA256 4b8be19534a14d64d17efaf249b2bdd5e933ccf2c11148d1789257ce0a19f719
SHA512 4afd2d062fb00dcdd86f940eed08f7bd73ab6d2dfc4f78ad384c4dc5786d3e325de422cf029e6cea98185ffcc1e2d3cb106b870109e6b6c89457ee7ec73cfd16

\Windows\system\MlKnunE.exe

MD5 af9e5f957641734bd6624fb448c4914e
SHA1 4d0689372672bd40ea87f19ded4c3da93f68a7e8
SHA256 282979de691f2363d5e78bdd62fe40e7f0598e2ff1537dfd300576f52cf42c7a
SHA512 73f502bd975ebb68fcbbb8a927aa4a311b3e9fe48d14884724eea54a69f6755a190b5a2822cfa1bbcd24c9d4b600fd1d6bf7edf897362d32666c0c5839a3de1b

C:\Windows\system\WOMEdeI.exe

MD5 a996b80bb2a83de0350862eee401a0e5
SHA1 25262a6e21bf79e681c02420e287a5b9e5f944f7
SHA256 b9a4a5146185c23c25900210fbbafb98aede4483d63ee29c01a7f4764f70bd43
SHA512 2b78b7ef3ba850336a48287bb04320672cda701e302350348fb793730916b82d5c3006cc82dfa89a5eac7acaf9cdc6219278095c0f70fc9167d5f60a278636ba

C:\Windows\system\zPDSOdS.exe

MD5 f49d930415b5d4ce8d5ff13b9b6d477d
SHA1 e69b4dc1841e98d3ed3314d2edd2ca453b3ab4ad
SHA256 7cbf260e71aeda00de2eeffb72ac86aef5909f6ce6979ff671f0e1cf77875ee6
SHA512 8746e695988eb992165fbc2119cefca830eb10d5f7e5569c127400a556d5396a7513558e23005a463027d5ca2f71e0294d3b2246457b7625a7147a2add64664c

C:\Windows\system\OSMONhS.exe

MD5 04e1aae67758019249c8c0b97404146f
SHA1 10c97bb00527660d7d35e4f1f9725df2ef38657d
SHA256 28c228cc8dbf2bc646c09206760c4e63432f7404590d0ee3200365ada2f6dc6c
SHA512 84613f5ee378fbabd9844342609492233fc72a1278e8205445b0f03e57820a89479c95fa6a88d07fd9d719a52f351f8a0471ef56877b73597b1355134cfe0bcd

C:\Windows\system\ixGgruw.exe

MD5 152516264ec1b5af43a201d06b1469ee
SHA1 a3676348bc1fd2116a1160014e816334ea34f64f
SHA256 b2668372047a2e0f46eed45db98f6ed42e66cce4008572e732a89de240f51851
SHA512 9d3bcf8976111dc2641ee2e6eacae65577a7875a07e12ce7546cc79664ed3c2c5da130960048b909362abcb61ce538ee34929a1724f2076d247f9953ce6d317b

C:\Windows\system\WhRGbvN.exe

MD5 1f20b7a202529b56daf200c83297f38c
SHA1 4b3e3b4c365753d74d95847a9bfe2edd9c6eb2ca
SHA256 01dcda796ed14867523e1d74cb72d532ac3b81263c7e271b6ce740ee4b12afb4
SHA512 946993375eaabf8919191ad1eafac33ff00d0c0432064e4c77c2d1ac66c816a6660b705196e4d3657fed18237bebf096211abedc61ddd6d89155c2e6411fe69e

C:\Windows\system\tNXtptD.exe

MD5 c26cd5139197d419a50c5db95be07daa
SHA1 640e070392c1cb4d3d4acda09da6c236c16998cd
SHA256 6193ad25459860792f21b13eeab028e3acbd898f5f11c98817ca344816a771d2
SHA512 c2224fe4a6fcaeb9970a2a9f97815ee674dc693d8d6a64181334e4545aa0cf5d80eb4b890e25727458ab57e35ea66a403cb0c214493cddb764f60485c623573e

C:\Windows\system\oZzxQaR.exe

MD5 801ea311d078eb99348e6b26f16acca3
SHA1 d6ced33e9fa65df8e084627fd3a8e114e954f1f3
SHA256 d01cd64a8ff705a11c09979b7cafc2196dd0b851f36ebab91ec9edb34baddb57
SHA512 acbc5431d050c9b90577cb853d29c4363ec0d977609d9a34b2e5b01c2826dd79338873686e5df288948aad82ac4393470766714a2557db0d625413c039b4a3f6

C:\Windows\system\bGAUnqf.exe

C:\Windows\system\WnXYHVz.exe

C:\Windows\system\aeJXnXg.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-30 05:50

Reported

2024-06-30 05:53

Platform

win10v2004-20240611-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

Detects Reflective DLL injection artifacts

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\gpASUQV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YfSKCqV.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yCsrjTN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KkfODNM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\drssTIh.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\toTjVTl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JNRrYBy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ymXkhac.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hVrVuBY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mGthZbN.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IeOUbKP.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\puIUEXc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yftzkEQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EFKwkKb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TkDZOZd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kHGHfMp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lvVLRUu.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yyInNVQ.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xLaaWBY.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xODeKqc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cXDLbzw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4892 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xODeKqc.exe
PID 4892 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EFKwkKb.exe
PID 4892 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IeOUbKP.exe
PID 4892 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TkDZOZd.exe
PID 4892 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yCsrjTN.exe
PID 4892 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cXDLbzw.exe
PID 4892 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kHGHfMp.exe
PID 4892 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\puIUEXc.exe
PID 4892 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\drssTIh.exe
PID 4892 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lvVLRUu.exe
PID 4892 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KkfODNM.exe
PID 4892 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\toTjVTl.exe
PID 4892 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JNRrYBy.exe
PID 4892 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ymXkhac.exe
PID 4892 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hVrVuBY.exe
PID 4892 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gpASUQV.exe
PID 4892 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yyInNVQ.exe
PID 4892 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xLaaWBY.exe
PID 4892 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yftzkEQ.exe
PID 4892 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mGthZbN.exe
PID 4892 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YfSKCqV.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\xODeKqc.exe

C:\Windows\System\xODeKqc.exe

C:\Windows\System\EFKwkKb.exe

C:\Windows\System\EFKwkKb.exe

C:\Windows\System\IeOUbKP.exe

C:\Windows\System\IeOUbKP.exe

C:\Windows\System\TkDZOZd.exe

C:\Windows\System\TkDZOZd.exe

C:\Windows\System\yCsrjTN.exe

C:\Windows\System\yCsrjTN.exe

C:\Windows\System\cXDLbzw.exe

C:\Windows\System\cXDLbzw.exe

C:\Windows\System\kHGHfMp.exe

C:\Windows\System\kHGHfMp.exe

C:\Windows\System\puIUEXc.exe

C:\Windows\System\puIUEXc.exe

C:\Windows\System\drssTIh.exe

C:\Windows\System\drssTIh.exe

C:\Windows\System\lvVLRUu.exe

C:\Windows\System\lvVLRUu.exe

C:\Windows\System\KkfODNM.exe

C:\Windows\System\KkfODNM.exe

C:\Windows\System\toTjVTl.exe

C:\Windows\System\toTjVTl.exe

C:\Windows\System\JNRrYBy.exe

C:\Windows\System\JNRrYBy.exe

C:\Windows\System\ymXkhac.exe

C:\Windows\System\ymXkhac.exe

C:\Windows\System\hVrVuBY.exe

C:\Windows\System\hVrVuBY.exe

C:\Windows\System\gpASUQV.exe

C:\Windows\System\gpASUQV.exe

C:\Windows\System\yyInNVQ.exe

C:\Windows\System\yyInNVQ.exe

C:\Windows\System\xLaaWBY.exe

C:\Windows\System\xLaaWBY.exe

C:\Windows\System\yftzkEQ.exe

C:\Windows\System\yftzkEQ.exe

C:\Windows\System\mGthZbN.exe

C:\Windows\System\mGthZbN.exe

C:\Windows\System\YfSKCqV.exe

C:\Windows\System\YfSKCqV.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\xODeKqc.exe

C:\Windows\System\EFKwkKb.exe

C:\Windows\System\IeOUbKP.exe

C:\Windows\System\TkDZOZd.exe

C:\Windows\System\yCsrjTN.exe

C:\Windows\System\cXDLbzw.exe

C:\Windows\System\kHGHfMp.exe

C:\Windows\System\puIUEXc.exe

C:\Windows\System\drssTIh.exe

C:\Windows\System\lvVLRUu.exe

C:\Windows\System\KkfODNM.exe

C:\Windows\System\JNRrYBy.exe

C:\Windows\System\ymXkhac.exe

C:\Windows\System\toTjVTl.exe

C:\Windows\System\hVrVuBY.exe

C:\Windows\System\gpASUQV.exe

C:\Windows\System\yyInNVQ.exe

C:\Windows\System\xLaaWBY.exe

C:\Windows\System\yftzkEQ.exe

C:\Windows\System\mGthZbN.exe

C:\Windows\System\YfSKCqV.exe
