Malware Analysis Report

2025-01-22 19:21

Sample ID 240805-lrvs4asfjl
Target 2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat
SHA256 8036158698767316525cec7f9107b2f82928286decac024905ad5f19d14cae60
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Cobaltstrike family

XMRig Miner payload

Xmrig family

Cobaltstrike

xmrig

Cobalt Strike reflective loader

XMRig Miner payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-05 09:46

Signatures

Cobalt Strike reflective loader


Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-08-05 09:46

Reported

2024-08-05 09:49

Platform

win7-20240729-en

Max time kernel

141s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\YlcNpEq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cxwwkNA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JTAuIAi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ELaMwBf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HRKXwys.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PCEzZZt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bSqzUXb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IKATang.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rfuauCS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kugQxSk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GTYHPPj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cPafSiy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xQUIQxs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nDngiOY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fARmlvT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TLazaic.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ULLnTUb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hMHwxDF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TXdurFF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HAKXvJy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ESIkvKa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1916 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GTYHPPj.exe
PID 1916 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HRKXwys.exe
PID 1916 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hMHwxDF.exe
PID 1916 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cPafSiy.exe
PID 1916 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TXdurFF.exe
PID 1916 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PCEzZZt.exe
PID 1916 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YlcNpEq.exe
PID 1916 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xQUIQxs.exe
PID 1916 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bSqzUXb.exe
PID 1916 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nDngiOY.exe
PID 1916 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HAKXvJy.exe
PID 1916 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ESIkvKa.exe
PID 1916 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fARmlvT.exe
PID 1916 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TLazaic.exe
PID 1916 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rfuauCS.exe
PID 1916 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kugQxSk.exe
PID 1916 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IKATang.exe
PID 1916 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JTAuIAi.exe
PID 1916 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ELaMwBf.exe
PID 1916 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ULLnTUb.exe
PID 1916 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cxwwkNA.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\GTYHPPj.exe

C:\Windows\System\GTYHPPj.exe

C:\Windows\System\HRKXwys.exe

C:\Windows\System\HRKXwys.exe

C:\Windows\System\hMHwxDF.exe

C:\Windows\System\hMHwxDF.exe

C:\Windows\System\cPafSiy.exe

C:\Windows\System\cPafSiy.exe

C:\Windows\System\TXdurFF.exe

C:\Windows\System\TXdurFF.exe

C:\Windows\System\PCEzZZt.exe

C:\Windows\System\PCEzZZt.exe

C:\Windows\System\YlcNpEq.exe

C:\Windows\System\YlcNpEq.exe

C:\Windows\System\xQUIQxs.exe

C:\Windows\System\xQUIQxs.exe

C:\Windows\System\bSqzUXb.exe

C:\Windows\System\bSqzUXb.exe

C:\Windows\System\nDngiOY.exe

C:\Windows\System\nDngiOY.exe

C:\Windows\System\HAKXvJy.exe

C:\Windows\System\HAKXvJy.exe

C:\Windows\System\ESIkvKa.exe

C:\Windows\System\ESIkvKa.exe

C:\Windows\System\fARmlvT.exe

C:\Windows\System\fARmlvT.exe

C:\Windows\System\TLazaic.exe

C:\Windows\System\TLazaic.exe

C:\Windows\System\rfuauCS.exe

C:\Windows\System\rfuauCS.exe

C:\Windows\System\kugQxSk.exe

C:\Windows\System\kugQxSk.exe

C:\Windows\System\IKATang.exe

C:\Windows\System\IKATang.exe

C:\Windows\System\JTAuIAi.exe

C:\Windows\System\JTAuIAi.exe

C:\Windows\System\ELaMwBf.exe

C:\Windows\System\ELaMwBf.exe

C:\Windows\System\ULLnTUb.exe

C:\Windows\System\ULLnTUb.exe

C:\Windows\System\cxwwkNA.exe

C:\Windows\System\cxwwkNA.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2392-216-0x000000013F080000-0x000000013F3D1000-memory.dmp

memory/2400-218-0x000000013F500000-0x000000013F851000-memory.dmp

memory/2744-220-0x000000013F470000-0x000000013F7C1000-memory.dmp

memory/2944-222-0x000000013FA00000-0x000000013FD51000-memory.dmp

memory/2860-224-0x000000013F300000-0x000000013F651000-memory.dmp

memory/2928-226-0x000000013FD10000-0x0000000140061000-memory.dmp

memory/2848-228-0x000000013F430000-0x000000013F781000-memory.dmp

memory/2832-230-0x000000013F0C0000-0x000000013F411000-memory.dmp

memory/3000-232-0x000000013F570000-0x000000013F8C1000-memory.dmp

memory/1640-245-0x000000013FCC0000-0x0000000140011000-memory.dmp

memory/752-247-0x000000013F690000-0x000000013F9E1000-memory.dmp

memory/1972-251-0x000000013F5A0000-0x000000013F8F1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-05 09:46

Reported

2024-08-05 09:49

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\cxwwkNA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HRKXwys.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PCEzZZt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ESIkvKa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fARmlvT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nDngiOY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HAKXvJy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rfuauCS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ELaMwBf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hMHwxDF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TXdurFF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xQUIQxs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bSqzUXb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ULLnTUb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JTAuIAi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cPafSiy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TLazaic.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kugQxSk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IKATang.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GTYHPPj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YlcNpEq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1804 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GTYHPPj.exe
PID 1804 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GTYHPPj.exe
PID 1804 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HRKXwys.exe
PID 1804 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HRKXwys.exe
PID 1804 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hMHwxDF.exe
PID 1804 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hMHwxDF.exe
PID 1804 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cPafSiy.exe
PID 1804 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cPafSiy.exe
PID 1804 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TXdurFF.exe
PID 1804 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TXdurFF.exe
PID 1804 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PCEzZZt.exe
PID 1804 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PCEzZZt.exe
PID 1804 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YlcNpEq.exe
PID 1804 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YlcNpEq.exe
PID 1804 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xQUIQxs.exe
PID 1804 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xQUIQxs.exe
PID 1804 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bSqzUXb.exe
PID 1804 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bSqzUXb.exe
PID 1804 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nDngiOY.exe
PID 1804 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nDngiOY.exe
PID 1804 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HAKXvJy.exe
PID 1804 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HAKXvJy.exe
PID 1804 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ESIkvKa.exe
PID 1804 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ESIkvKa.exe
PID 1804 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fARmlvT.exe
PID 1804 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fARmlvT.exe
PID 1804 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TLazaic.exe
PID 1804 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TLazaic.exe
PID 1804 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rfuauCS.exe
PID 1804 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rfuauCS.exe
PID 1804 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kugQxSk.exe
PID 1804 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kugQxSk.exe
PID 1804 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IKATang.exe
PID 1804 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IKATang.exe
PID 1804 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JTAuIAi.exe
PID 1804 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JTAuIAi.exe
PID 1804 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ELaMwBf.exe
PID 1804 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ELaMwBf.exe
PID 1804 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ULLnTUb.exe
PID 1804 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ULLnTUb.exe
PID 1804 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cxwwkNA.exe
PID 1804 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cxwwkNA.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\GTYHPPj.exe

C:\Windows\System\GTYHPPj.exe

C:\Windows\System\HRKXwys.exe

C:\Windows\System\HRKXwys.exe

C:\Windows\System\hMHwxDF.exe

C:\Windows\System\hMHwxDF.exe

C:\Windows\System\cPafSiy.exe

C:\Windows\System\cPafSiy.exe

C:\Windows\System\TXdurFF.exe

C:\Windows\System\TXdurFF.exe

C:\Windows\System\PCEzZZt.exe

C:\Windows\System\PCEzZZt.exe

C:\Windows\System\YlcNpEq.exe

C:\Windows\System\YlcNpEq.exe

C:\Windows\System\xQUIQxs.exe

C:\Windows\System\xQUIQxs.exe

C:\Windows\System\bSqzUXb.exe

C:\Windows\System\bSqzUXb.exe

C:\Windows\System\nDngiOY.exe

C:\Windows\System\nDngiOY.exe

C:\Windows\System\HAKXvJy.exe

C:\Windows\System\HAKXvJy.exe

C:\Windows\System\ESIkvKa.exe

C:\Windows\System\ESIkvKa.exe

C:\Windows\System\fARmlvT.exe

C:\Windows\System\fARmlvT.exe

C:\Windows\System\TLazaic.exe

C:\Windows\System\TLazaic.exe

C:\Windows\System\rfuauCS.exe

C:\Windows\System\rfuauCS.exe

C:\Windows\System\kugQxSk.exe

C:\Windows\System\kugQxSk.exe

C:\Windows\System\IKATang.exe

C:\Windows\System\IKATang.exe

C:\Windows\System\JTAuIAi.exe

C:\Windows\System\JTAuIAi.exe

C:\Windows\System\ELaMwBf.exe

C:\Windows\System\ELaMwBf.exe

C:\Windows\System\ULLnTUb.exe

C:\Windows\System\ULLnTUb.exe

C:\Windows\System\cxwwkNA.exe

C:\Windows\System\cxwwkNA.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
