Malware Analysis Report

2025-01-22 19:17

Sample ID 240805-lre3msserm
Target 2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat
SHA256 180b178cb5b146e1930ec8a0223238a54c862a63c41b644eb96ca3c14305fd9d
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

180b178cb5b146e1930ec8a0223238a54c862a63c41b644eb96ca3c14305fd9d

Threat Level: Known bad

The file 2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Cobaltstrike

Xmrig family

XMRig Miner payload

Cobaltstrike family

Cobalt Strike reflective loader

xmrig

XMRig Miner payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-05 09:45

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-05 09:45

Reported

2024-08-05 09:48

Platform

win7-20240729-en

Max time kernel

140s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\JvufBYd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZbjjteR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NkrJsQy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UUDImcH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aviyzaE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jIXqBxg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NahRwIr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kjkXHNY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IiiLJrs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ykfqJPF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ibRhUiP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OvUeLAr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aEExSSn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LgxxUKV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XvOEmdD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SuQpmXj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MrBcZFa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rUFbNXu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wrLHpxD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\doZCyUF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ChpNDZV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2716 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SuQpmXj.exe
PID 2716 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NahRwIr.exe
PID 2716 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MrBcZFa.exe
PID 2716 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rUFbNXu.exe
PID 2716 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ibRhUiP.exe
PID 2716 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wrLHpxD.exe
PID 2716 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kjkXHNY.exe
PID 2716 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\doZCyUF.exe
PID 2716 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JvufBYd.exe
PID 2716 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZbjjteR.exe
PID 2716 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ChpNDZV.exe
PID 2716 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LgxxUKV.exe
PID 2716 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NkrJsQy.exe
PID 2716 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UUDImcH.exe
PID 2716 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XvOEmdD.exe
PID 2716 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OvUeLAr.exe
PID 2716 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aviyzaE.exe
PID 2716 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IiiLJrs.exe
PID 2716 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ykfqJPF.exe
PID 2716 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jIXqBxg.exe
PID 2716 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aEExSSn.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\SuQpmXj.exe

C:\Windows\System\SuQpmXj.exe

C:\Windows\System\NahRwIr.exe

C:\Windows\System\NahRwIr.exe

C:\Windows\System\MrBcZFa.exe

C:\Windows\System\MrBcZFa.exe

C:\Windows\System\rUFbNXu.exe

C:\Windows\System\rUFbNXu.exe

C:\Windows\System\ibRhUiP.exe

C:\Windows\System\ibRhUiP.exe

C:\Windows\System\wrLHpxD.exe

C:\Windows\System\wrLHpxD.exe

C:\Windows\System\kjkXHNY.exe

C:\Windows\System\kjkXHNY.exe

C:\Windows\System\doZCyUF.exe

C:\Windows\System\doZCyUF.exe

C:\Windows\System\JvufBYd.exe

C:\Windows\System\JvufBYd.exe

C:\Windows\System\ZbjjteR.exe

C:\Windows\System\ZbjjteR.exe

C:\Windows\System\ChpNDZV.exe

C:\Windows\System\ChpNDZV.exe

C:\Windows\System\LgxxUKV.exe

C:\Windows\System\LgxxUKV.exe

C:\Windows\System\NkrJsQy.exe

C:\Windows\System\NkrJsQy.exe

C:\Windows\System\UUDImcH.exe

C:\Windows\System\UUDImcH.exe

C:\Windows\System\XvOEmdD.exe

C:\Windows\System\XvOEmdD.exe

C:\Windows\System\OvUeLAr.exe

C:\Windows\System\OvUeLAr.exe

C:\Windows\System\aviyzaE.exe

C:\Windows\System\aviyzaE.exe

C:\Windows\System\IiiLJrs.exe

C:\Windows\System\IiiLJrs.exe

C:\Windows\System\ykfqJPF.exe

C:\Windows\System\ykfqJPF.exe

C:\Windows\System\jIXqBxg.exe

C:\Windows\System\jIXqBxg.exe

C:\Windows\System\aEExSSn.exe

C:\Windows\System\aEExSSn.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/2716-0-0x000000013F4B0000-0x000000013F801000-memory.dmp

memory/2716-1-0x0000000000100000-0x0000000000110000-memory.dmp

C:\Windows\system\SuQpmXj.exe

MD5 1d7125a80eed76acb1a00e67ce09f8cc
SHA1 f615191d7fa3c31095be7a6951848d5fee0fba58
SHA256 a484cd7facc316e41f68cb8b9b229e79cf1e9595580e07559a55b5c41d72e7d9
SHA512 f6fdf1bf7ab35c78efd5a1b0bf66e4d8fdd3de12e1f573f0cb76cbe20756188a04ca1c1b0b40d45e32a51e794e55503cdc0745a789577bb3adf6a88d16dc9d02

\Windows\system\NahRwIr.exe

MD5 dd226d744e8f9b9cda6f3bb150e05aa2
SHA1 46658032f74a49d03bf3d0780dbe1bb46588eb1e
SHA256 38c50a895019836a45b659cffd3899b5798983c078a1d57aab1424890e8dde72
SHA512 f918ba0b451782d4bce7e3b0720aeb6c4e6ae6a19ff2b8d7b75c0c899bfb5c9b12025d1251a5390fa9a20f0d2751f34a1f77e710b5f13e16be9afcc7f0412607

C:\Windows\system\MrBcZFa.exe

MD5 c0dbf8b777bea029bdaefe49fe22fdaa
SHA1 fe2614de3bad639479727bec66fc884e85c6b5e3
SHA256 73ea61e0bc2293ae50e5b73ba28d2c0caa67d60619ced5af98885fdec22bc0d0
SHA512 b8c3f8bf85d8c5a24a06d2c2c54c5a273161f783e335b881918ba60f7e2af55594c407bcdefe8be7c46e2373ec8635016571e242dc2575cf9f8acf83d556103a

memory/1924-19-0x000000013F990000-0x000000013FCE1000-memory.dmp

memory/2740-20-0x000000013F400000-0x000000013F751000-memory.dmp

memory/2716-23-0x00000000022B0000-0x0000000002601000-memory.dmp

\Windows\system\rUFbNXu.exe

MD5 2379e6c1fea894ce7812a28d74272967
SHA1 b5b48ccbc9d14c92481059dc8abd3a446227f2c6
SHA256 5656944fd37c6f43c22c08bf959b7fcfa619a5d60cf5e7d57307ada48a3d3574
SHA512 cee9f30d6aa892bae67958baf54cb9cf45984321b93e031b4e1c91d358db84d9bd549cb603332a4569078f8110ebdc683230c0dc62cccaac0e891fb985c1e566

memory/2792-22-0x000000013FE90000-0x00000001401E1000-memory.dmp

memory/2716-25-0x000000013FE00000-0x0000000140151000-memory.dmp

memory/2716-21-0x000000013FE90000-0x00000001401E1000-memory.dmp

memory/2716-17-0x000000013F990000-0x000000013FCE1000-memory.dmp

\Windows\system\ibRhUiP.exe

MD5 62d3b4b8974313570bf759bb644a196e
SHA1 1a92d408790f5c91a7acc22484fe9615659bbbdb
SHA256 dbc61904c291dbafeebcb6da55eb03cbb4b19699621b21dda51b0a9944c2ceee
SHA512 4f8efecfd405091ac3971c76b7b4869af560e453d85abe396ec812944694f834504967455d246a3f8ff42ef5b98883f6f452f193a7c04ae9b6330d488447a7f5

memory/2628-29-0x000000013FE00000-0x0000000140151000-memory.dmp

memory/2692-36-0x000000013F790000-0x000000013FAE1000-memory.dmp

\Windows\system\doZCyUF.exe

MD5 fb23325bf06c737047917e317e113d91
SHA1 d87fb69248fedb3f44c52eb3d9dee0fd7bb52542
SHA256 5c569b7ae960b2d9bcbf48526d08d95ca947e0773f169d64378cb5d70917f94a
SHA512 95f7e7689a044ba3417eec0a8acbcef5ca756b56118e5148e2a48352271a4ff1864714c10de8ef5bea3fdd5d48e1971f3bb0edd257e03ca1041e2640ee8fc5a3

C:\Windows\system\wrLHpxD.exe

MD5 0f1850909e0014fa435be386ed3b70d0
SHA1 cd65c6eea7d45405a8c7aebc42571666079ae928
SHA256 6d7e2ee7cdebeb4e03a7af0b54242556a125ba3c13b091e6145bd31bb0bc3308
SHA512 24b4aef09f80f34829eba3036858dbf5f6406b6e7b5dbd1fb3730035d43bffbb12462de8d2ec4983d2050180b4a32c747f1cf668f490d8ba6b7bfe80faff6fdd

memory/2716-52-0x00000000022B0000-0x0000000002601000-memory.dmp

memory/2544-51-0x000000013F080000-0x000000013F3D1000-memory.dmp

memory/2776-64-0x000000013F1B0000-0x000000013F501000-memory.dmp

C:\Windows\system\ChpNDZV.exe

MD5 20e0ffe9b8f663c3ceb15117890f1211
SHA1 f402d3fbc4b353ed2283193120408a774d8cded2
SHA256 631d041cda9807b7cd7d5121e2c82283bfea06574c11b32215a756a27587ec37
SHA512 728e4bb582494343cf01a241d8b528d2c010f24c7d7b67e781353b40f7ff06ce12ab754cb3eefc48d9c208fea912c0f37fe8925b5b1f5cf30f693f1d4856925b

memory/572-78-0x000000013FE70000-0x00000001401C1000-memory.dmp

\Windows\system\LgxxUKV.exe

MD5 c057cc2ad9b6431cd6c5ba4cd0bad554
SHA1 119a8a82ef9c106219d29922bb47cb724272d83b
SHA256 e3c8c62fc898a6438f85a1437fcd5c40c6080e414eef99d61f004e25fd32211c
SHA512 499891936bff9f1ed8c04483ea4fa95573ae3cf25ff2278f1ada091360b089c62f6a1af865277e2636fd1fbca242ce9df9a69a36bc1e86c00f4d3de0494a3e04

memory/2716-80-0x00000000022B0000-0x0000000002601000-memory.dmp

memory/2716-77-0x000000013FE70000-0x00000001401C1000-memory.dmp

memory/3020-70-0x000000013F810000-0x000000013FB61000-memory.dmp

memory/2716-69-0x000000013F4B0000-0x000000013F801000-memory.dmp

memory/540-93-0x000000013F570000-0x000000013F8C1000-memory.dmp

memory/2804-100-0x000000013F4B0000-0x000000013F801000-memory.dmp

\Windows\system\ykfqJPF.exe

MD5 483fb52ca679a8df2fe0c4ad0d574eed
SHA1 8ba6f6ad3fbebedfe32f75c001120b09eb2a926e
SHA256 3513b9bc07e05a0b3c8658756a7146bffd1c2237d354088cff6b5733a8ad0da7
SHA512 ca54706a3ea15eb2189613586ad80c8e18897c4c9929c795e808f3c4ed1234f74d85c30e03202837854c77e3b37b5b241fb80ff9c72eb10d28ae63b0b5ed8f9e

\Windows\system\IiiLJrs.exe

MD5 45df1188e13f6eef184d25ee5840ed3c
SHA1 76280fad5f3715abba085c1625e7596e61928d1d
SHA256 a786795d457bc220d2126260b3c18557ed83139fd98a0e414143a579e6b9aec5
SHA512 c4d5d79f3ffa472b68b1d65d570573917903d327d9add92653ce78e58fa158328939e1f12a6c7821de494bc4f06f3249121833ac80519ce07539f416d666215a

C:\Windows\system\jIXqBxg.exe

MD5 466b88309f873dacfef4fe3a778382fe
SHA1 be8bc88643dcb938cac6d7f59338f24b92b80cb6
SHA256 2ad74eb7efe8fede1f0c54772391f8bb5da8f3a777d8b3bc938f62106a06bfcc
SHA512 7711d9a9fd5a73ededd6eff5ae9140d06d96f39e9db03aa6464c3461e156f01b82f854ebd4f05d141bae70a56f44cef023bd35d4ec963f9bec584ea9d632bb1b

C:\Windows\system\aEExSSn.exe

MD5 9fb7bb9ae5961697adf20806908322dc
SHA1 8f0c4e80efeb5553d455d2773ba24887424e7ee8
SHA256 3a3b52d19c8eb2af6bef8df3a0b5dcda0a0c707721652cf23919114bac2674bf
SHA512 ef229d7ea618bb62dd9f8431590f53873554d6c3d6c31e0ab9471e25f9261b70294a732abb39aac7cca0dc15df5b7c7d69a9c9670431fca11eb75cb6a6cff649

C:\Windows\system\OvUeLAr.exe

MD5 55dd3db75b755da295e885cdeccc5284
SHA1 a639711fe802819e08f7863bbb423410cd66e848
SHA256 b10fbc11535a79b07b47dfe9292443195a6fe19427c0ebd2d78fe5ee190b82eb
SHA512 97658c9cb6cd3504a1c48c6ab13623e88677cf6b6351f60981b633f6e8c1dfda6f2f40898533cac705396f036fa24ab3933a543035a76bbe04b99e99c4fc9ce9

C:\Windows\system\aviyzaE.exe

MD5 41095d24f50481a1504175b4833e319e
SHA1 d4d72705b60a81942726f7a001e792010e5b7f72
SHA256 caa30dea9e2e573fa69928d1060aa0e336c09e06bb8323d2f41d17d776a39593
SHA512 4e657c9bac53f84dada46de3db47707bedbe271cf4ab1be1552b7e001acbf1eedcbbe26f20e0d55c39f876a49b24076d1e9464b17c2acaef9115362eced632b0

memory/2716-108-0x000000013FAB0000-0x000000013FE01000-memory.dmp

memory/2544-107-0x000000013F080000-0x000000013F3D1000-memory.dmp

memory/2692-106-0x000000013F790000-0x000000013FAE1000-memory.dmp

C:\Windows\system\XvOEmdD.exe

MD5 bf95a84338626f53e2ccf2de4b12fa11
SHA1 ff1df333c036d03601113dcd168d68b4311a9f04
SHA256 a93e467bf5755f480173764143dae27d10920c3cfc4ab90a0826ccf329629bb8
SHA512 69238a7af5411b35916603feed0cd0b8dab4b6015c839e3f39b597b08f5861ed7f80cd41aa2b54663c30276498a71062159b7437bca333194391f4fc6b895aef

memory/2716-99-0x00000000022B0000-0x0000000002601000-memory.dmp

C:\Windows\system\UUDImcH.exe

MD5 711e26ee4a36602a9424bdefe6dc9e09
SHA1 ca22d21ff7d33793747d902dd392ea36d78da3fd
SHA256 e67c120431b6bb3c8661885b16ece7187f826e1a7837a5692e9fee1cf00af735
SHA512 c52d2fc21fd5dea9030bae2e217ec1e55cdd5e99cca73f8dd3b1312e3e7e6704af02a57c3c2818ec116ed9a320b90736e7f7866cac516595986d28e76403be2e

memory/2716-92-0x00000000022B0000-0x0000000002601000-memory.dmp

memory/2628-91-0x000000013FE00000-0x0000000140151000-memory.dmp

C:\Windows\system\NkrJsQy.exe

MD5 fcb1abe9abd088b5f03c882b194735ce
SHA1 aabb773fc4a1257dde81686777b46d96e70b2748
SHA256 3b046082c5126a22b42e3ca1788a076b5dcf3ffef134e49c5734218d4f825f63
SHA512 c3bb91739cac0f7e3b5d4af7d17a3edca06d27c4eb2f73b3c06c056250aa109565f720db77a8c836179ef2ffc44044bc6ce21bf5f302a46973425b2a4c4f44ac

memory/1732-85-0x000000013F6C0000-0x000000013FA11000-memory.dmp

C:\Windows\system\ZbjjteR.exe

MD5 685b868278eaa494be38ffd6fa5cf61c
SHA1 bcba9e742ae73a21779741fbc1ae14af6c78ee08
SHA256 ccd2037f27b7ad4f25460974a1824e99b0977472867b5b5d00c4bab492849eaf
SHA512 6ec4dbe85a5485f50f31f13ec7dd0c6c2b65af98557f9133bbb6c8e3af27de8e25297f36bb3b4d4e3a0d294c8365ccd9ab876e941dd1bd00ce72ecc65fdc954b

C:\Windows\system\JvufBYd.exe

MD5 7e949e6fc5bf770cde85f70472c8548c
SHA1 e63c7cb39d9fd9c26d9936ab1aee9766756a1e54
SHA256 ca9e13a5897eafb0f10488a9d257f58114c42d9015fc551614fbec0f171612fd
SHA512 d435079b8f95ae35a88ead27a45b9d458b224a86bbc4fd71f65c4d2931a1de01a474a6220ccf7b6f64945861e3dec94dd7f4e3ad6d52d64b0162e37b6a68c546

C:\Windows\system\kjkXHNY.exe

MD5 ea4ebc3dd6d634d509f50dced9f3ad21
SHA1 2d95a687dfc03bead04347fdd223d5d100d475c9
SHA256 1ac9140a62f1d3ac5c729003743388a34301fc71ed66268bbb01d8f2ad4cec32
SHA512 f65b6e95f63ca0cb30b42d0fe2a52fcc345f291c7ac0b89bbce1fd9bc70adb2ff144298b26d8494d390d396a8876050472f54b0d93ff748ebe2582111bf99653

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-05 09:45

Reported

2024-08-05 09:48

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\wrLHpxD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\doZCyUF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OvUeLAr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aEExSSn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NkrJsQy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XvOEmdD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IiiLJrs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SuQpmXj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ibRhUiP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JvufBYd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZbjjteR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ChpNDZV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ykfqJPF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jIXqBxg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aviyzaE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NahRwIr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rUFbNXu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kjkXHNY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LgxxUKV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UUDImcH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MrBcZFa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 372 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SuQpmXj.exe
PID 372 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NahRwIr.exe
PID 372 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MrBcZFa.exe
PID 372 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rUFbNXu.exe
PID 372 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ibRhUiP.exe
PID 372 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wrLHpxD.exe
PID 372 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kjkXHNY.exe
PID 372 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\doZCyUF.exe
PID 372 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JvufBYd.exe
PID 372 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZbjjteR.exe
PID 372 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ChpNDZV.exe
PID 372 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LgxxUKV.exe
PID 372 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NkrJsQy.exe
PID 372 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UUDImcH.exe
PID 372 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XvOEmdD.exe
PID 372 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OvUeLAr.exe
PID 372 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aviyzaE.exe
PID 372 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IiiLJrs.exe
PID 372 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ykfqJPF.exe
PID 372 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jIXqBxg.exe
PID 372 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aEExSSn.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\SuQpmXj.exe

C:\Windows\System\SuQpmXj.exe

C:\Windows\System\NahRwIr.exe

C:\Windows\System\NahRwIr.exe

C:\Windows\System\MrBcZFa.exe

C:\Windows\System\MrBcZFa.exe

C:\Windows\System\rUFbNXu.exe

C:\Windows\System\rUFbNXu.exe

C:\Windows\System\ibRhUiP.exe

C:\Windows\System\ibRhUiP.exe

C:\Windows\System\wrLHpxD.exe

C:\Windows\System\wrLHpxD.exe

C:\Windows\System\kjkXHNY.exe

C:\Windows\System\kjkXHNY.exe

C:\Windows\System\doZCyUF.exe

C:\Windows\System\doZCyUF.exe

C:\Windows\System\JvufBYd.exe

C:\Windows\System\JvufBYd.exe

C:\Windows\System\ZbjjteR.exe

C:\Windows\System\ZbjjteR.exe

C:\Windows\System\ChpNDZV.exe

C:\Windows\System\ChpNDZV.exe

C:\Windows\System\LgxxUKV.exe

C:\Windows\System\LgxxUKV.exe

C:\Windows\System\NkrJsQy.exe

C:\Windows\System\NkrJsQy.exe

C:\Windows\System\UUDImcH.exe

C:\Windows\System\UUDImcH.exe

C:\Windows\System\XvOEmdD.exe

C:\Windows\System\XvOEmdD.exe

C:\Windows\System\OvUeLAr.exe

C:\Windows\System\OvUeLAr.exe

C:\Windows\System\aviyzaE.exe

C:\Windows\System\aviyzaE.exe

C:\Windows\System\IiiLJrs.exe

C:\Windows\System\IiiLJrs.exe

C:\Windows\System\ykfqJPF.exe

C:\Windows\System\ykfqJPF.exe

C:\Windows\System\jIXqBxg.exe

C:\Windows\System\jIXqBxg.exe

C:\Windows\System\aEExSSn.exe

C:\Windows\System\aEExSSn.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\SuQpmXj.exe

MD5 1d7125a80eed76acb1a00e67ce09f8cc
SHA1 f615191d7fa3c31095be7a6951848d5fee0fba58
SHA256 a484cd7facc316e41f68cb8b9b229e79cf1e9595580e07559a55b5c41d72e7d9
SHA512 f6fdf1bf7ab35c78efd5a1b0bf66e4d8fdd3de12e1f573f0cb76cbe20756188a04ca1c1b0b40d45e32a51e794e55503cdc0745a789577bb3adf6a88d16dc9d02

C:\Windows\System\NahRwIr.exe

MD5 dd226d744e8f9b9cda6f3bb150e05aa2
SHA1 46658032f74a49d03bf3d0780dbe1bb46588eb1e
SHA256 38c50a895019836a45b659cffd3899b5798983c078a1d57aab1424890e8dde72
SHA512 f918ba0b451782d4bce7e3b0720aeb6c4e6ae6a19ff2b8d7b75c0c899bfb5c9b12025d1251a5390fa9a20f0d2751f34a1f77e710b5f13e16be9afcc7f0412607

C:\Windows\System\MrBcZFa.exe

MD5 c0dbf8b777bea029bdaefe49fe22fdaa
SHA1 fe2614de3bad639479727bec66fc884e85c6b5e3
SHA256 73ea61e0bc2293ae50e5b73ba28d2c0caa67d60619ced5af98885fdec22bc0d0
SHA512 b8c3f8bf85d8c5a24a06d2c2c54c5a273161f783e335b881918ba60f7e2af55594c407bcdefe8be7c46e2373ec8635016571e242dc2575cf9f8acf83d556103a

C:\Windows\System\rUFbNXu.exe

MD5 2379e6c1fea894ce7812a28d74272967
SHA1 b5b48ccbc9d14c92481059dc8abd3a446227f2c6
SHA256 5656944fd37c6f43c22c08bf959b7fcfa619a5d60cf5e7d57307ada48a3d3574
SHA512 cee9f30d6aa892bae67958baf54cb9cf45984321b93e031b4e1c91d358db84d9bd549cb603332a4569078f8110ebdc683230c0dc62cccaac0e891fb985c1e566

C:\Windows\System\wrLHpxD.exe

MD5 0f1850909e0014fa435be386ed3b70d0
SHA1 cd65c6eea7d45405a8c7aebc42571666079ae928
SHA256 6d7e2ee7cdebeb4e03a7af0b54242556a125ba3c13b091e6145bd31bb0bc3308
SHA512 24b4aef09f80f34829eba3036858dbf5f6406b6e7b5dbd1fb3730035d43bffbb12462de8d2ec4983d2050180b4a32c747f1cf668f490d8ba6b7bfe80faff6fdd

C:\Windows\System\doZCyUF.exe

MD5 fb23325bf06c737047917e317e113d91
SHA1 d87fb69248fedb3f44c52eb3d9dee0fd7bb52542
SHA256 5c569b7ae960b2d9bcbf48526d08d95ca947e0773f169d64378cb5d70917f94a
SHA512 95f7e7689a044ba3417eec0a8acbcef5ca756b56118e5148e2a48352271a4ff1864714c10de8ef5bea3fdd5d48e1971f3bb0edd257e03ca1041e2640ee8fc5a3

C:\Windows\System\kjkXHNY.exe

MD5 ea4ebc3dd6d634d509f50dced9f3ad21
SHA1 2d95a687dfc03bead04347fdd223d5d100d475c9
SHA256 1ac9140a62f1d3ac5c729003743388a34301fc71ed66268bbb01d8f2ad4cec32
SHA512 f65b6e95f63ca0cb30b42d0fe2a52fcc345f291c7ac0b89bbce1fd9bc70adb2ff144298b26d8494d390d396a8876050472f54b0d93ff748ebe2582111bf99653

C:\Windows\System\JvufBYd.exe

MD5 7e949e6fc5bf770cde85f70472c8548c
SHA1 e63c7cb39d9fd9c26d9936ab1aee9766756a1e54
SHA256 ca9e13a5897eafb0f10488a9d257f58114c42d9015fc551614fbec0f171612fd
SHA512 d435079b8f95ae35a88ead27a45b9d458b224a86bbc4fd71f65c4d2931a1de01a474a6220ccf7b6f64945861e3dec94dd7f4e3ad6d52d64b0162e37b6a68c546

C:\Windows\System\LgxxUKV.exe

MD5 c057cc2ad9b6431cd6c5ba4cd0bad554
SHA1 119a8a82ef9c106219d29922bb47cb724272d83b
SHA256 e3c8c62fc898a6438f85a1437fcd5c40c6080e414eef99d61f004e25fd32211c
SHA512 499891936bff9f1ed8c04483ea4fa95573ae3cf25ff2278f1ada091360b089c62f6a1af865277e2636fd1fbca242ce9df9a69a36bc1e86c00f4d3de0494a3e04

C:\Windows\System\UUDImcH.exe

MD5 711e26ee4a36602a9424bdefe6dc9e09
SHA1 ca22d21ff7d33793747d902dd392ea36d78da3fd
SHA256 e67c120431b6bb3c8661885b16ece7187f826e1a7837a5692e9fee1cf00af735
SHA512 c52d2fc21fd5dea9030bae2e217ec1e55cdd5e99cca73f8dd3b1312e3e7e6704af02a57c3c2818ec116ed9a320b90736e7f7866cac516595986d28e76403be2e

C:\Windows\System\OvUeLAr.exe

MD5 55dd3db75b755da295e885cdeccc5284
SHA1 a639711fe802819e08f7863bbb423410cd66e848
SHA256 b10fbc11535a79b07b47dfe9292443195a6fe19427c0ebd2d78fe5ee190b82eb
SHA512 97658c9cb6cd3504a1c48c6ab13623e88677cf6b6351f60981b633f6e8c1dfda6f2f40898533cac705396f036fa24ab3933a543035a76bbe04b99e99c4fc9ce9

C:\Windows\System\IiiLJrs.exe

MD5 45df1188e13f6eef184d25ee5840ed3c
SHA1 76280fad5f3715abba085c1625e7596e61928d1d
SHA256 a786795d457bc220d2126260b3c18557ed83139fd98a0e414143a579e6b9aec5
SHA512 c4d5d79f3ffa472b68b1d65d570573917903d327d9add92653ce78e58fa158328939e1f12a6c7821de494bc4f06f3249121833ac80519ce07539f416d666215a

C:\Windows\System\ykfqJPF.exe

MD5 483fb52ca679a8df2fe0c4ad0d574eed
SHA1 8ba6f6ad3fbebedfe32f75c001120b09eb2a926e
SHA256 3513b9bc07e05a0b3c8658756a7146bffd1c2237d354088cff6b5733a8ad0da7
SHA512 ca54706a3ea15eb2189613586ad80c8e18897c4c9929c795e808f3c4ed1234f74d85c30e03202837854c77e3b37b5b241fb80ff9c72eb10d28ae63b0b5ed8f9e

C:\Windows\System\aviyzaE.exe

MD5 41095d24f50481a1504175b4833e319e
SHA1 d4d72705b60a81942726f7a001e792010e5b7f72
SHA256 caa30dea9e2e573fa69928d1060aa0e336c09e06bb8323d2f41d17d776a39593
SHA512 4e657c9bac53f84dada46de3db47707bedbe271cf4ab1be1552b7e001acbf1eedcbbe26f20e0d55c39f876a49b24076d1e9464b17c2acaef9115362eced632b0

C:\Windows\System\XvOEmdD.exe

MD5 bf95a84338626f53e2ccf2de4b12fa11
SHA1 ff1df333c036d03601113dcd168d68b4311a9f04
SHA256 a93e467bf5755f480173764143dae27d10920c3cfc4ab90a0826ccf329629bb8
SHA512 69238a7af5411b35916603feed0cd0b8dab4b6015c839e3f39b597b08f5861ed7f80cd41aa2b54663c30276498a71062159b7437bca333194391f4fc6b895aef

C:\Windows\System\NkrJsQy.exe

MD5 fcb1abe9abd088b5f03c882b194735ce
SHA1 aabb773fc4a1257dde81686777b46d96e70b2748
SHA256 3b046082c5126a22b42e3ca1788a076b5dcf3ffef134e49c5734218d4f825f63
SHA512 c3bb91739cac0f7e3b5d4af7d17a3edca06d27c4eb2f73b3c06c056250aa109565f720db77a8c836179ef2ffc44044bc6ce21bf5f302a46973425b2a4c4f44ac

C:\Windows\System\ChpNDZV.exe

MD5 20e0ffe9b8f663c3ceb15117890f1211
SHA1 f402d3fbc4b353ed2283193120408a774d8cded2
SHA256 631d041cda9807b7cd7d5121e2c82283bfea06574c11b32215a756a27587ec37
SHA512 728e4bb582494343cf01a241d8b528d2c010f24c7d7b67e781353b40f7ff06ce12ab754cb3eefc48d9c208fea912c0f37fe8925b5b1f5cf30f693f1d4856925b

C:\Windows\System\ZbjjteR.exe

MD5 685b868278eaa494be38ffd6fa5cf61c
SHA1 bcba9e742ae73a21779741fbc1ae14af6c78ee08
SHA256 ccd2037f27b7ad4f25460974a1824e99b0977472867b5b5d00c4bab492849eaf
SHA512 6ec4dbe85a5485f50f31f13ec7dd0c6c2b65af98557f9133bbb6c8e3af27de8e25297f36bb3b4d4e3a0d294c8365ccd9ab876e941dd1bd00ce72ecc65fdc954b

C:\Windows\System\ibRhUiP.exe

MD5 62d3b4b8974313570bf759bb644a196e
SHA1 1a92d408790f5c91a7acc22484fe9615659bbbdb
SHA256 dbc61904c291dbafeebcb6da55eb03cbb4b19699621b21dda51b0a9944c2ceee
SHA512 4f8efecfd405091ac3971c76b7b4869af560e453d85abe396ec812944694f834504967455d246a3f8ff42ef5b98883f6f452f193a7c04ae9b6330d488447a7f5

C:\Windows\System\jIXqBxg.exe

MD5 466b88309f873dacfef4fe3a778382fe
SHA1 be8bc88643dcb938cac6d7f59338f24b92b80cb6
SHA256 2ad74eb7efe8fede1f0c54772391f8bb5da8f3a777d8b3bc938f62106a06bfcc
SHA512 7711d9a9fd5a73ededd6eff5ae9140d06d96f39e9db03aa6464c3461e156f01b82f854ebd4f05d141bae70a56f44cef023bd35d4ec963f9bec584ea9d632bb1b

C:\Windows\System\aEExSSn.exe

MD5 9fb7bb9ae5961697adf20806908322dc
SHA1 8f0c4e80efeb5553d455d2773ba24887424e7ee8
SHA256 3a3b52d19c8eb2af6bef8df3a0b5dcda0a0c707721652cf23919114bac2674bf
SHA512 ef229d7ea618bb62dd9f8431590f53873554d6c3d6c31e0ab9471e25f9261b70294a732abb39aac7cca0dc15df5b7c7d69a9c9670431fca11eb75cb6a6cff649
