Malware Analysis Report

2025-01-22 19:21

Sample ID 240805-pnyblazcmh
Target 2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat
SHA256 8f6f8caeb1f06933503e813545c030ff319d66cafe7642a37d3ceb0af647f089
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1 (Detonation Overview; Signatures)
Analysis: behavioral1 (Detonation Overview; Command Line; Signatures; Processes; Network; Files)
Analysis: behavioral2 (Detonation Overview; Command Line; Signatures; Processes; Network; Files)

Analysis Overview

score
10/10

SHA256

8f6f8caeb1f06933503e813545c030ff319d66cafe7642a37d3ceb0af647f089

Threat Level: Known bad

The file 2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Tags: upx 0 miner cobaltstrike xmrig backdoor trojan

Families: Cobaltstrike, Xmrig

Signatures:

Cobalt Strike reflective loader
XMRig Miner payload
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-05 12:29

Signatures

Cobalt Strike reflective loader (family: Cobaltstrike; tag: cobaltstrike)

Description Indicator Process Target
1 match; description, indicator, process and target not recorded.

XMRig Miner payload (family: Xmrig; tags: miner, xmrig)

Description Indicator Process Target
1 match; description, indicator, process and target not recorded.

UPX packed file (tag: upx)

Description Indicator Process Target
1 match; description, indicator, process and target not recorded.

Unsigned PE

Description Indicator Process Target
2 matches; description, indicator, process and target not recorded.

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-05 12:29

Reported

2024-08-05 12:31

Platform

win7-20240705-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader (family: Cobaltstrike; tags: trojan, backdoor, cobaltstrike)

Description Indicator Process Target
21 matches; description, indicator, process and target not recorded.

XMRig Miner payload (family: Xmrig; tags: miner, xmrig)

Description Indicator Process Target
38 matches; description, indicator, process and target not recorded.
Loads dropped DLL

Description Indicator Process Target
21 events, every one with Process = C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe; description, indicator and target not recorded.

UPX packed file (tag: upx)

Description Indicator Process Target
60 matches; description, indicator, process and target not recorded.
Drops file in Windows directory

Description Indicator Process Target
All 21 rows: Description = "File created", Process = C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe, indicator and target not recorded. Files created, in the order listed:

C:\Windows\System\gCBCqny.exe
C:\Windows\System\KqlLZsE.exe
C:\Windows\System\xixAQpt.exe
C:\Windows\System\PsDhrVd.exe
C:\Windows\System\yCaVxfT.exe
C:\Windows\System\zYaCeMF.exe
C:\Windows\System\xYxdeDM.exe
C:\Windows\System\OtEQVTO.exe
C:\Windows\System\qQnKgOG.exe
C:\Windows\System\FngMgsf.exe
C:\Windows\System\BVKvGVG.exe
C:\Windows\System\tcdHnUz.exe
C:\Windows\System\BXijEEe.exe
C:\Windows\System\bZeLRGZ.exe
C:\Windows\System\EIAvzAf.exe
C:\Windows\System\XFZECab.exe
C:\Windows\System\gbCavBV.exe
C:\Windows\System\tmRIoAY.exe
C:\Windows\System\VEEDIsw.exe
C:\Windows\System\GhPjGUB.exe
C:\Windows\System\wzzwcbr.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
All 63 rows have Process = C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe (PID 948) and no indicator recorded. Each child PID appears in three identical rows (three writes per spawned process); collapsed below, in the order listed:

PID 948 wrote to memory of 2072 (x3), target C:\Windows\System\xixAQpt.exe
PID 948 wrote to memory of 3000 (x3), target C:\Windows\System\gCBCqny.exe
PID 948 wrote to memory of 2280 (x3), target C:\Windows\System\tcdHnUz.exe
PID 948 wrote to memory of 2776 (x3), target C:\Windows\System\VEEDIsw.exe
PID 948 wrote to memory of 2864 (x3), target C:\Windows\System\GhPjGUB.exe
PID 948 wrote to memory of 1636 (x3), target C:\Windows\System\BXijEEe.exe
PID 948 wrote to memory of 872 (x3), target C:\Windows\System\bZeLRGZ.exe
PID 948 wrote to memory of 2936 (x3), target C:\Windows\System\PsDhrVd.exe
PID 948 wrote to memory of 2684 (x3), target C:\Windows\System\wzzwcbr.exe
PID 948 wrote to memory of 2324 (x3), target C:\Windows\System\KqlLZsE.exe
PID 948 wrote to memory of 2784 (x3), target C:\Windows\System\EIAvzAf.exe
PID 948 wrote to memory of 2704 (x3), target C:\Windows\System\XFZECab.exe
PID 948 wrote to memory of 2644 (x3), target C:\Windows\System\yCaVxfT.exe
PID 948 wrote to memory of 2712 (x3), target C:\Windows\System\zYaCeMF.exe
PID 948 wrote to memory of 2340 (x3), target C:\Windows\System\gbCavBV.exe
PID 948 wrote to memory of 2284 (x3), target C:\Windows\System\xYxdeDM.exe
PID 948 wrote to memory of 2896 (x3), target C:\Windows\System\OtEQVTO.exe
PID 948 wrote to memory of 844 (x3), target C:\Windows\System\qQnKgOG.exe
PID 948 wrote to memory of 1692 (x3), target C:\Windows\System\FngMgsf.exe
PID 948 wrote to memory of 2152 (x3), target C:\Windows\System\tmRIoAY.exe
PID 948 wrote to memory of 2396 (x3), target C:\Windows\System\BVKvGVG.exe
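Read together, the "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" signatures describe a drop-and-execute loop: the dropper (PID 948) writes 21 seven-letter executables into C:\Windows\System and starts each one, and the sandbox records three WriteProcessMemory calls per child. Three writes into a freshly created child is the pattern this kind of hook logs when a parent sets up a new process, so on its own it confirms parent-child execution rather than proving code injection; the "Cobalt Strike reflective loader" and XMRig hits are the stronger evidence here. The Python below is an added triage helper, not part of the sandbox's report or tooling. It parses the report's own row formats (the sample rows are constructed by copying a handful of rows from this run), rebuilds the parent-to-child edges, flags a process that drops several executables into the Windows directory, and compares the memory-dump sizes. The regular expressions, the threshold value and every function name are this example's own assumptions.

```python
"""Added triage helper: parse the report's row formats and check the drop-and-execute pattern."""
import re
from collections import Counter, defaultdict

# Constructed sample: rows copied from this run, trimmed to a handful of each kind.
PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe")
SYSDIR = r"C:\Windows\System"
REPORT_LINES = (
    [f"File created {SYSDIR}\\{n}.exe {PARENT} N/A"
     for n in ("gCBCqny", "KqlLZsE", "xixAQpt", "PsDhrVd", "yCaVxfT")]
    + [f"PID 948 wrote to memory of {pid} N/A {PARENT} {SYSDIR}\\{n}.exe"
       for pid, n in ((2072, "xixAQpt"), (3000, "gCBCqny")) for _ in range(3)]
    + ["DE 3.120.209.58:8080 tcp"] * 6
    + ["memory/948-0-0x000000013FE70000-0x00000001401C1000-memory.dmp",
       "memory/948-1-0x0000000000080000-0x0000000000090000-memory.dmp",
       "memory/2072-107-0x000000013F4B0000-0x000000013F801000-memory.dmp",
       "memory/3000-110-0x000000013F040000-0x000000013F391000-memory.dmp"]
)

# Row formats as they appear in the report (assumed stable; adjust if the layout changes).
FILE_RE = re.compile(r"^File created (\S+) (\S+) (\S+)$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
NET_RE = re.compile(r"^([A-Z]{2}) (\d+(?:\.\d+){3}):(\d+) (tcp|udp)$")
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")


def parse_report(lines):
    """Turn the flat signature, network and memory-dump rows into structured records."""
    rec = {"drops": [], "writes": [], "net": Counter(), "mem": []}
    for line in lines:
        line = line.strip()
        if m := FILE_RE.match(line):
            rec["drops"].append({"path": m.group(1), "by": m.group(2)})
        elif m := WPM_RE.match(line):
            rec["writes"].append({"ppid": int(m.group(1)), "pid": int(m.group(2)),
                                  "parent": m.group(3), "child": m.group(4)})
        elif m := NET_RE.match(line):
            rec["net"][(m.group(1), m.group(2), int(m.group(3)), m.group(4))] += 1
        elif m := MEM_RE.match(line):
            start, end = int(m.group(2), 16), int(m.group(3), 16)
            rec["mem"].append({"pid": int(m.group(1)), "start": start, "size": end - start})
    return rec


def drop_and_execute(rec):
    """Dropped files that later show up as the image of a child the dropper wrote into."""
    spawned = {w["child"].lower() for w in rec["writes"]}
    return sorted(d["path"] for d in rec["drops"] if d["path"].lower() in spawned)


def mass_drop(rec, directory=SYSDIR + "\\", threshold=5):
    """Creators that wrote at least `threshold` .exe files under `directory` (threshold is assumed)."""
    per_creator = Counter(
        d["by"] for d in rec["drops"]
        if d["path"].lower().startswith(directory.lower()) and d["path"].lower().endswith(".exe"))
    return {creator: n for creator, n in per_creator.items() if n >= threshold}


def writes_per_child(rec):
    """WriteProcessMemory events per child PID (three per child in this run)."""
    return Counter(w["pid"] for w in rec["writes"])


def image_sizes(rec):
    """Sizes of the dumped memory regions, grouped by PID."""
    sizes = defaultdict(set)
    for m in rec["mem"]:
        sizes[m["pid"]].add(m["size"])
    return dict(sizes)


def children_with_parent_image_size(rec, parent_pid=948):
    """PIDs whose dumped region is exactly as large as the parent's largest region."""
    sizes = image_sizes(rec)
    ref = max(sizes.get(parent_pid, {0}))
    return sorted(pid for pid, s in sizes.items() if pid != parent_pid and ref in s)


def iocs(rec):
    """Flat indicator list for blocking and hunting."""
    return {"files": sorted({d["path"] for d in rec["drops"]}),
            "network": [f"{ip}:{port}/{proto}" for (_cc, ip, port, proto) in rec["net"]]}


if __name__ == "__main__":
    rec = parse_report(REPORT_LINES)
    print("drop-and-execute:", drop_and_execute(rec))
    print("mass drop:", mass_drop(rec))
    print("writes per child:", dict(writes_per_child(rec)))
    print("same image size as parent:", children_with_parent_image_size(rec))
    print("iocs:", iocs(rec))
```

Run against the full Files list, the size check is the interesting part: every child's dump is 0x351000 bytes, the same as the parent's main image at 0x13FE70000, even though the 21 dropped files have distinct hashes. That is consistent with one payload being re-emitted with per-copy variation, and it is why hash blocklists alone are weak here; the path pattern (seven mixed-case letters plus .exe in C:\Windows\System) and the 3.120.209.58:8080 destination are the more durable indicators from this run.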

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe"

Child processes (21), each started with its bare path as the command line, in the order listed:

C:\Windows\System\xixAQpt.exe
C:\Windows\System\gCBCqny.exe
C:\Windows\System\tcdHnUz.exe
C:\Windows\System\VEEDIsw.exe
C:\Windows\System\GhPjGUB.exe
C:\Windows\System\BXijEEe.exe
C:\Windows\System\bZeLRGZ.exe
C:\Windows\System\PsDhrVd.exe
C:\Windows\System\wzzwcbr.exe
C:\Windows\System\KqlLZsE.exe
C:\Windows\System\EIAvzAf.exe
C:\Windows\System\XFZECab.exe
C:\Windows\System\yCaVxfT.exe
C:\Windows\System\zYaCeMF.exe
C:\Windows\System\gbCavBV.exe
C:\Windows\System\xYxdeDM.exe
C:\Windows\System\OtEQVTO.exe
C:\Windows\System\qQnKgOG.exe
C:\Windows\System\FngMgsf.exe
C:\Windows\System\tmRIoAY.exe
C:\Windows\System\BVKvGVG.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none recorded) tcp

The same row is recorded six times: six TCP connections to 3.120.209.58 on port 8080, with no domain name in the Domain column.

Files

memory/948-0-0x000000013FE70000-0x00000001401C1000-memory.dmp

memory/948-1-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\xixAQpt.exe

MD5 87e2c0fee4854875cf961783c847f81e
SHA1 9263067cdfa0bfbf99dd4f3237141bc0ca84e15d
SHA256 c3aa543351862b40b7e704112aaa3026d2795e81806b1568c557e8eced14a46b
SHA512 b85ee97429b4a21b71c6d924bd282d786d792571cf0259544542ba2572bf24d9d9741f79600cf60173f67669364a3c33e6a3fbc342f8b58e7f1d6d9a5eda002b

C:\Windows\system\tcdHnUz.exe

MD5 95cc1c56c04eada4a36b9febaa8dc2f8
SHA1 49c939faf124eccff7f49f4d71b6766ba7e8ea89
SHA256 881e06f6660667f5e52a6d55ef3c0ec1af1d2fd0401dae294df1b8884ae51b9c
SHA512 04d632757a819a4ebbb2d749037e0d751d5ab3ec486398c4ba44db49c4d8642d9fd0b24b00b7258f28aead1151885e6a7936bc488aa458c9b34f67e1d6be1614

memory/948-10-0x000000013F4B0000-0x000000013F801000-memory.dmp

C:\Windows\system\gCBCqny.exe

MD5 0ab1030470d1e9fc6f2d35a94827a496
SHA1 5dd4f9b43aa0f32f682d220dadfa75151d7f56d4
SHA256 f2a6f7542506418f13a097069895beefab8fe71933a7632d3a1ab24431add71c
SHA512 48bd63aabcd4b4cea7623e425de41f9a7335ce2201eca7a7d662fdabd07bf63e8a22596cd3eec02cc994ab04e1fa36da42842620e9e906cb3cabcf32659e0a6d

C:\Windows\system\VEEDIsw.exe

MD5 afbd701108e1c8cc095bc35ebbfc34c3
SHA1 cec13cf164fe51f92e1101c0d1855bb2020032a1
SHA256 ce6689406edf7e2474cdbc31c731f7f1b7905ccad52e6b1347b5278d9f466148
SHA512 7ba662711d835fb4e82595745958686743cf707f280d33f50ea52c3cdc14e515e2c886fab883fc8bef8670579f7f38d2447028f56271704109564044d72f834b

C:\Windows\system\GhPjGUB.exe

MD5 33f44684e20cebdd8f35d129abed7ef4
SHA1 5cdb7b0ebf4f1fe88be190eeedc3de557c83e088
SHA256 760b5e95790b8445089426f1edd574d8828f854e86db1c4350439b2e4d926170
SHA512 b0a61681e4251081ceb6804688f7965619f2d76c7c9c82f32edd0cb40f1b8aff649e6aed85010db3491dc007326090d8f21ef492139bd7bfef5df4402d07e05f

C:\Windows\system\BXijEEe.exe

MD5 9745bbc6370b0652bb9087288a1c0f48
SHA1 fb70c79951587e6c809afb7f5994a2a56d8401bb
SHA256 356c15b29ac4a41b604cb437f8bcb524e042f4545221f8d280202ea88114d40d
SHA512 330beba0353efa7eccc2d9b969daf94c8ff39b2b00a304206792572fd9349f1d0d05fb4abdf1ca08eebc98231a08be63eeb294ea647699419d91523bbe997646

C:\Windows\system\bZeLRGZ.exe

MD5 003a4981eab3cba6c6f252ea2c649bac
SHA1 9720bf3097c43ef3e48cf4e6d4a3714b09c62fbc
SHA256 0735621ba67028050af46406433ad96b0dc405441737c5683c6233303206bcba
SHA512 2efec6a0bd72e7d3a939cf556be79502c941bdfd678b5a7e5fb0161cfcdcbe6afe1fdbbc22b9f1c28dc5f972e8ad20f45c9dd50ccef37f7a099033e98ad3d91c

C:\Windows\system\PsDhrVd.exe

MD5 87b009a05d4a18ad5a217053000175a6
SHA1 5aea292db96858e4aaefcfd9edd8ad674c73b5f0
SHA256 0dc2d68ea1627b68bbebdbb3c9654f2a4de5e59198caaba8af31a0c5f78b6c64
SHA512 c879cd13dd5d515e7761947288e7fc813d28e2813ca049de5590e77b45e2d31cec4505d6b81525d87a84bca0ae8e40e13c469f4115cc658e2e3b453e3dc0dd7b

C:\Windows\system\wzzwcbr.exe

MD5 0b3292c6a442b203f264bddcce6a3ad4
SHA1 c8c456fa871a9d4d84120f839c1636c22da830fa
SHA256 86a3de30c2c9f630688b43bea9578480ba28dc3898885a60e1472c05420b5a88
SHA512 4804b3dcd703e510927c8c02d70842b89408b986e6e816d05508589dfd15b21f23434406e0d0bc44492647181361111cf862f0e12e6afe1f058e6a8409176f47

C:\Windows\system\EIAvzAf.exe

MD5 ae045d644386b83275e7599dabcbba44
SHA1 f23312705ee193741c42dbcf2fff2b6595eafbc5
SHA256 88360a0e64c90d4a7900b79780e2238d14ec68d1772b26265e14f89afb6a47d5
SHA512 315b2a9355b5c7f9a0532dc0e7b4a4102c858ece0b6b80ec84091d428e93d3a35f653bab7a6aca02e1f0684c74ba5ab0c22ff0cbeb2dbc518bf6d1999c4dc478

C:\Windows\system\gbCavBV.exe

MD5 f2b3233496e8f9b666a73c6f2d3f95d5
SHA1 ee2bb304eb3a96b2d7feeac56187efad751d5ffa
SHA256 7f6f9c596374589e065a9cf066de2e28b7a7b1d24a5a6ec4c36d1ee9cafad11b
SHA512 3f708caf3261740d968b7d2fc20a4449a24d16fbdf7a9d7ce8e44db8064c85c8fe3eab1bb2a4ec55d2eceadbd15f6dc8be5e95311892eaa5cf614af02cf21765

C:\Windows\system\tmRIoAY.exe

MD5 31bbf2efd4a71a89b499cd8e57f1db94
SHA1 31114a54ca664c66950208c23f8c92db324a9b76
SHA256 be473c6658b3162f305f04a7b3b00e2f6ed7a6d176a1ce3d71b0879f8ad070d3
SHA512 fd28e99836a8421ed127a6ad247c6d225bd5ec4b39c93da9ffc07823e600cfec7d8f9937d1b43464b3182649b06864a9d4346df64d4aa7b1cf3b5e5e0e8bfc2e

C:\Windows\system\BVKvGVG.exe

MD5 4aae25affe1f9596e9ace2e90002e869
SHA1 d7fb94218ea87995770557c989a2dc186c80b957
SHA256 8f241c07d3be5fbcf48beda12f0a13aa5406097faa4f07d9573bbca9fd4feaa1
SHA512 768413caed4e4dfb155cfb45362f1a7ca5a7e4b9d86ff4fdf7b3dd83b7c1ec51206410c2ea6ef807e10652a83570d3c0cdcf88a8f324077055e221ddc2ebb986

C:\Windows\system\FngMgsf.exe

MD5 43c94b650c76f75c76c7f5432501a708
SHA1 34351ecd6945426ae7a8df6c520737e48bfd3528
SHA256 47ea120b4e3de5b6109ecd0462593d8675351bf0d702cae923a0985b3258f740
SHA512 ddecea70ab3188f6a571f5647fb8db79eaab428875ed30335c0a710e261d41eccc5a698a993b45b018a5b75dd4b6bc10d608dc56b964916cb701d9f27588666a

C:\Windows\system\qQnKgOG.exe

MD5 6e7734a226382b3e1514a714442f14a8
SHA1 1e71f37d7348da159da19e60e4d497e0d1e0d0d6
SHA256 de9f0b81307bd50d3d049fe067cacbee5c4553a89e8acd3068a68f7ec5755d4b
SHA512 9eec71096948b0632d60cf08861b28cdb1ed517474ea9e5fde53ba57a3b0799eb08de7ab291831687813416f0dbfcf9f3b80665a1b85b9d2c761066794648835

memory/3000-110-0x000000013F040000-0x000000013F391000-memory.dmp

memory/948-109-0x000000013F270000-0x000000013F5C1000-memory.dmp

memory/2072-107-0x000000013F4B0000-0x000000013F801000-memory.dmp

C:\Windows\system\OtEQVTO.exe

MD5 d57aed9a184e15f29320a676bc25091a
SHA1 216f2ed657a29eab23ca067c65e3bd880409c911
SHA256 82938417934dfe1187dda7195810ed0bd3553ba931f0feacea276e79b5abcaeb
SHA512 86f21be56dd3dac606d4d80770bad4c8c35f4a637f3316578661e1637c814d6ca36e3121c96b54ed36b29b37bdfe32fe82a0a22d926ecf68c7e1d1f6866b4a38

C:\Windows\system\xYxdeDM.exe

MD5 b74909ee77ace23819fc9d2220e42e13
SHA1 5b212605de2afb4d55cd290727b3c85a053233bb
SHA256 183a5f13fe31ef9f59fdbb8628be491e5484cd06dbe68386b6a019a27518282a
SHA512 595ea5bba0eb3bbd3c82077cffc3e1e86c09310253c6537d325e0595ccfd06dae28f570421420efa53161ebf29ad149db7f6030558ece2de5dd9d52c8a7846ba

C:\Windows\system\zYaCeMF.exe

MD5 5ab8cb1e5f9a67a3497bb40eaf089fdc
SHA1 11cffc1feaa14be2579d0d8f65c60ddb13519c7a
SHA256 225e7ddf8babf14f6ef51c8a8fe284400016813e0729ff0987320dcd1e8ea3af
SHA512 782c565a359b295dd98a3fc5b7fda95a7ab7718eb8454a0e01b09d644fbf0ffce6a8523aefcf742a4a84bd6d38e777e3fe476f574e5a25f3bd82ca0e29264fe6

C:\Windows\system\yCaVxfT.exe

MD5 212c2e9aac40ad6df76d15a636e8bc52
SHA1 0651dcb0c1386ca43491b8a3aaa48b557db4167d
SHA256 df3ff15ff10d7c0f6dc8492f6a4a7d814454bbf3f7b86bf9b4811a764dc3f603
SHA512 2d245b6a3c17d1d80679b625d2dc770847c403910d73c74539ac9475c890328824e2b254ab7e808463676532174ef26cfe10a13e40f68c8eb696eaa24ccc9ef9

C:\Windows\system\XFZECab.exe

MD5 e8b40d6e487584b4dd6ed6f724812fc2
SHA1 4aef75fa33129d62c183c3d4daf5ee11d4e54547
SHA256 517cdd46eeaeb502ccb95b1a849f3421da825f819fcbc0d672e45385104f4493
SHA512 dc826d3af3a3904ab85bffcd253455696d93bd87410a72c42cab4bf169d20c008505c386cdb43b71e1523553f39e310450b8a957fded6ba53b3cbf6c2c480833

C:\Windows\system\KqlLZsE.exe

MD5 5e86d779e8d2700f5f095e7cfc719fa6
SHA1 fcc116a9e25dde38f48fd4ca59b520d2aefd37b1
SHA256 76ad69afdce29de6573bd339bacc9eb62cd1c62bd267e58a12249d1be6b9aeb4
SHA512 a6c7ab3ff575da731e956896499ab83672ec8fce004c8fb2b50927ea73436334800c6fb703a5c913295a27656fba0398d640d8e0ba2c9092ee86488bceb4e2e4

memory/948-111-0x000000013FAF0000-0x000000013FE41000-memory.dmp

memory/2776-112-0x000000013FAF0000-0x000000013FE41000-memory.dmp

memory/948-113-0x000000013F660000-0x000000013F9B1000-memory.dmp

memory/2864-114-0x000000013F660000-0x000000013F9B1000-memory.dmp

memory/948-115-0x0000000002370000-0x00000000026C1000-memory.dmp

memory/1636-116-0x000000013FFD0000-0x0000000140321000-memory.dmp

memory/872-117-0x000000013FB50000-0x000000013FEA1000-memory.dmp

memory/2936-118-0x000000013FB50000-0x000000013FEA1000-memory.dmp

memory/948-119-0x000000013F500000-0x000000013F851000-memory.dmp

memory/2684-120-0x000000013F500000-0x000000013F851000-memory.dmp

memory/948-122-0x000000013F770000-0x000000013FAC1000-memory.dmp

memory/2280-132-0x000000013F270000-0x000000013F5C1000-memory.dmp

memory/948-131-0x000000013F040000-0x000000013F391000-memory.dmp

memory/948-130-0x000000013F2C0000-0x000000013F611000-memory.dmp

memory/2712-129-0x000000013F720000-0x000000013FA71000-memory.dmp

memory/948-128-0x000000013F720000-0x000000013FA71000-memory.dmp

memory/2644-127-0x000000013F550000-0x000000013F8A1000-memory.dmp

memory/948-126-0x000000013F550000-0x000000013F8A1000-memory.dmp

memory/2704-125-0x000000013F700000-0x000000013FA51000-memory.dmp

memory/948-124-0x000000013F700000-0x000000013FA51000-memory.dmp

memory/2784-123-0x000000013F770000-0x000000013FAC1000-memory.dmp

memory/2324-121-0x000000013FE00000-0x0000000140151000-memory.dmp

memory/948-133-0x000000013FE70000-0x00000001401C1000-memory.dmp

memory/2072-134-0x000000013F4B0000-0x000000013F801000-memory.dmp

memory/2340-148-0x000000013F2C0000-0x000000013F611000-memory.dmp

memory/2396-154-0x000000013F360000-0x000000013F6B1000-memory.dmp

memory/2152-153-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

memory/844-151-0x000000013F240000-0x000000013F591000-memory.dmp

memory/2896-150-0x000000013F480000-0x000000013F7D1000-memory.dmp

memory/2284-149-0x000000013F190000-0x000000013F4E1000-memory.dmp

memory/1692-152-0x000000013F3B0000-0x000000013F701000-memory.dmp

memory/948-155-0x000000013FE70000-0x00000001401C1000-memory.dmp

memory/2072-201-0x000000013F4B0000-0x000000013F801000-memory.dmp

memory/2324-227-0x000000013FE00000-0x0000000140151000-memory.dmp

memory/2776-223-0x000000013FAF0000-0x000000013FE41000-memory.dmp

memory/1636-225-0x000000013FFD0000-0x0000000140321000-memory.dmp

memory/3000-234-0x000000013F040000-0x000000013F391000-memory.dmp

memory/2712-229-0x000000013F720000-0x000000013FA71000-memory.dmp

memory/872-245-0x000000013FB50000-0x000000013FEA1000-memory.dmp

memory/2936-238-0x000000013FB50000-0x000000013FEA1000-memory.dmp

memory/2864-236-0x000000013F660000-0x000000013F9B1000-memory.dmp

memory/2644-251-0x000000013F550000-0x000000013F8A1000-memory.dmp

memory/2280-240-0x000000013F270000-0x000000013F5C1000-memory.dmp

memory/2784-248-0x000000013F770000-0x000000013FAC1000-memory.dmp

memory/2684-246-0x000000013F500000-0x000000013F851000-memory.dmp

memory/2704-241-0x000000013F700000-0x000000013FA51000-memory.dmp
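The dump names above follow a fixed pattern, memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp, and every region listed in this run spans exactly 0x351000 bytes even though the dropped executables carry different hashes; the same range also recurs under PID 948 and under one other PID. The following parser is an added example written for this report, not part of the sandbox output; DUMP_NAMES is a subset copied from the list above and the functions accept the full list unchanged.

```python
import re
from collections import defaultdict

# Dump names copied from the behavioral1 "Files" section of this report
# (a representative subset; the parser accepts the full list unchanged).
DUMP_NAMES = """
memory/948-111-0x000000013FAF0000-0x000000013FE41000-memory.dmp
memory/2776-112-0x000000013FAF0000-0x000000013FE41000-memory.dmp
memory/948-113-0x000000013F660000-0x000000013F9B1000-memory.dmp
memory/2864-114-0x000000013F660000-0x000000013F9B1000-memory.dmp
memory/948-115-0x0000000002370000-0x00000000026C1000-memory.dmp
memory/1636-116-0x000000013FFD0000-0x0000000140321000-memory.dmp
memory/872-117-0x000000013FB50000-0x000000013FEA1000-memory.dmp
memory/2936-118-0x000000013FB50000-0x000000013FEA1000-memory.dmp
memory/2776-223-0x000000013FAF0000-0x000000013FE41000-memory.dmp
""".split()

# memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)


def parse_dump_name(name):
    """Split a sandbox dump file name into pid, sequence number and region bounds."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"not a sandbox memory dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16)
    if end <= start:
        raise ValueError(f"region end precedes start: {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def summarize_regions(names):
    """Group regions by PID and find ranges dumped from more than one process."""
    regions = [parse_dump_name(n) for n in names]
    ranges_by_pid = defaultdict(set)
    pids_by_range = defaultdict(set)
    for r in regions:
        rng = (r["start"], r["end"])
        ranges_by_pid[r["pid"]].add(rng)
        pids_by_range[rng].add(r["pid"])
    return {
        # distinct region sizes seen; one value means every dump is the same footprint
        "sizes": {r["size"] for r in regions},
        "ranges_by_pid": dict(ranges_by_pid),
        # the same (start, end) captured from more than one PID
        "shared_ranges": {rng: pids for rng, pids in pids_by_range.items() if len(pids) > 1},
    }


if __name__ == "__main__":
    s = summarize_regions(DUMP_NAMES)
    for size in sorted(s["sizes"]):
        print(f"region size: 0x{size:X} ({size / 1024 / 1024:.2f} MiB)")
    for rng, pids in sorted(s["shared_ranges"].items()):
        print(f"0x{rng[0]:X}-0x{rng[1]:X} dumped from PIDs {sorted(pids)}")
```

Run against the complete list, the only size reported is 0x351000; the behavioral2 dumps below (0x7FF7... user-mode addresses) have the same size, which is a quick way to confirm that the sandbox captured the same image layout in every child.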

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-05 12:29

Reported

2024-08-05 12:31

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 indicator rows in the original table, all N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(44 indicator rows in the original table, all N/A)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 indicator rows in the original table, all N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\PsDhrVd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wzzwcbr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yCaVxfT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gbCavBV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BVKvGVG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VEEDIsw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GhPjGUB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BXijEEe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XFZECab.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xYxdeDM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qQnKgOG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FngMgsf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gCBCqny.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bZeLRGZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KqlLZsE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OtEQVTO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xixAQpt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tcdHnUz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EIAvzAf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zYaCeMF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tmRIoAY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2604 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xixAQpt.exe
PID 2604 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xixAQpt.exe
PID 2604 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gCBCqny.exe
PID 2604 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gCBCqny.exe
PID 2604 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tcdHnUz.exe
PID 2604 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tcdHnUz.exe
PID 2604 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VEEDIsw.exe
PID 2604 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VEEDIsw.exe
PID 2604 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GhPjGUB.exe
PID 2604 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GhPjGUB.exe
PID 2604 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BXijEEe.exe
PID 2604 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BXijEEe.exe
PID 2604 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bZeLRGZ.exe
PID 2604 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bZeLRGZ.exe
PID 2604 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PsDhrVd.exe
PID 2604 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PsDhrVd.exe
PID 2604 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wzzwcbr.exe
PID 2604 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wzzwcbr.exe
PID 2604 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KqlLZsE.exe
PID 2604 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KqlLZsE.exe
PID 2604 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EIAvzAf.exe
PID 2604 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EIAvzAf.exe
PID 2604 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XFZECab.exe
PID 2604 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XFZECab.exe
PID 2604 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yCaVxfT.exe
PID 2604 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yCaVxfT.exe
PID 2604 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zYaCeMF.exe
PID 2604 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zYaCeMF.exe
PID 2604 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gbCavBV.exe
PID 2604 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gbCavBV.exe
PID 2604 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xYxdeDM.exe
PID 2604 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xYxdeDM.exe
PID 2604 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OtEQVTO.exe
PID 2604 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OtEQVTO.exe
PID 2604 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qQnKgOG.exe
PID 2604 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qQnKgOG.exe
PID 2604 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FngMgsf.exe
PID 2604 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FngMgsf.exe
PID 2604 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tmRIoAY.exe
PID 2604 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tmRIoAY.exe
PID 2604 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BVKvGVG.exe
PID 2604 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BVKvGVG.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\xixAQpt.exe

C:\Windows\System\xixAQpt.exe

C:\Windows\System\gCBCqny.exe

C:\Windows\System\gCBCqny.exe

C:\Windows\System\tcdHnUz.exe

C:\Windows\System\tcdHnUz.exe

C:\Windows\System\VEEDIsw.exe

C:\Windows\System\VEEDIsw.exe

C:\Windows\System\GhPjGUB.exe

C:\Windows\System\GhPjGUB.exe

C:\Windows\System\BXijEEe.exe

C:\Windows\System\BXijEEe.exe

C:\Windows\System\bZeLRGZ.exe

C:\Windows\System\bZeLRGZ.exe

C:\Windows\System\PsDhrVd.exe

C:\Windows\System\PsDhrVd.exe

C:\Windows\System\wzzwcbr.exe

C:\Windows\System\wzzwcbr.exe

C:\Windows\System\KqlLZsE.exe

C:\Windows\System\KqlLZsE.exe

C:\Windows\System\EIAvzAf.exe

C:\Windows\System\EIAvzAf.exe

C:\Windows\System\XFZECab.exe

C:\Windows\System\XFZECab.exe

C:\Windows\System\yCaVxfT.exe

C:\Windows\System\yCaVxfT.exe

C:\Windows\System\zYaCeMF.exe

C:\Windows\System\zYaCeMF.exe

C:\Windows\System\gbCavBV.exe

C:\Windows\System\gbCavBV.exe

C:\Windows\System\xYxdeDM.exe

C:\Windows\System\xYxdeDM.exe

C:\Windows\System\OtEQVTO.exe

C:\Windows\System\OtEQVTO.exe

C:\Windows\System\qQnKgOG.exe

C:\Windows\System\qQnKgOG.exe

C:\Windows\System\FngMgsf.exe

C:\Windows\System\FngMgsf.exe

C:\Windows\System\tmRIoAY.exe

C:\Windows\System\tmRIoAY.exe

C:\Windows\System\BVKvGVG.exe

C:\Windows\System\BVKvGVG.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 52.111.229.43:443 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
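Most rows in the table above are DNS traffic: one lookup of g.bing.com, the HTTPS connection that followed it, and nine in-addr.arpa queries, which are reverse lookups of addresses the VM had already contacted and are usually Windows background activity rather than something the sample initiated. The row worth pivoting on is the bare destination 3.120.209.58:8080 tcp, repeated six times with no resolved name. The script below is an added example for this report, not part of the sandbox output; NETWORK_ROWS is the table copied verbatim, and the classification is the editor's triage logic, not a verdict from the sandbox.

```python
import re
from collections import Counter

# All rows of the behavioral2 "Network" table above, copied verbatim.
NETWORK_ROWS = """
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 52.111.229.43:443 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
""".strip().splitlines()

# Country Destination [Domain] Proto; Domain is absent for bare IP connections.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>[^\s]+))? (?P<proto>tcp|udp)$"
)


def parse_row(line):
    m = ROW_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unexpected network row: {line!r}")
    return {"cc": m["cc"], "ip": m["ip"], "port": int(m["port"]),
            "domain": m["domain"], "proto": m["proto"]}


def ptr_target(domain):
    """Turn 237.21.107.13.in-addr.arpa back into 13.107.21.237."""
    octets = domain[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def classify(row):
    if row["proto"] == "udp" and row["port"] == 53:
        if row["domain"] and row["domain"].endswith(".in-addr.arpa"):
            return "ptr-lookup"   # reverse lookup of an address the host already talked to
        return "dns"
    if row["domain"]:
        return "resolved"         # connection to a name the sandbox resolved first
    return "direct"               # bare IP:port with no preceding DNS resolution


def triage(lines):
    """Count rows by class and tally the bare-IP destinations worth investigating."""
    kinds = Counter()
    direct = Counter()
    looked_up = set()
    for line in lines:
        row = parse_row(line)
        kind = classify(row)
        kinds[kind] += 1
        if kind == "direct":
            direct[f"{row['ip']}:{row['port']}"] += 1
        elif kind == "ptr-lookup":
            looked_up.add(ptr_target(row["domain"]))
    return {"kinds": dict(kinds), "direct": dict(direct), "ptr_targets": looked_up}


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    print(result["kinds"])
    for dest, n in sorted(result["direct"].items(), key=lambda kv: -kv[1]):
        print(f"{dest}: {n} connection(s) with no resolved name")
```

Note that 52.111.229.43:443 also shows up as a bare connection; a single TLS session to a Microsoft-range address is far less interesting than six repeated connections to an 8080 port, so the counts, not just the class, should drive what gets checked first.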

Files

memory/2604-0-0x00007FF78D790000-0x00007FF78DAE1000-memory.dmp

memory/2604-1-0x0000028892DA0000-0x0000028892DB0000-memory.dmp

C:\Windows\System\xixAQpt.exe

MD5 87e2c0fee4854875cf961783c847f81e
SHA1 9263067cdfa0bfbf99dd4f3237141bc0ca84e15d
SHA256 c3aa543351862b40b7e704112aaa3026d2795e81806b1568c557e8eced14a46b
SHA512 b85ee97429b4a21b71c6d924bd282d786d792571cf0259544542ba2572bf24d9d9741f79600cf60173f67669364a3c33e6a3fbc342f8b58e7f1d6d9a5eda002b

memory/3420-7-0x00007FF7B47E0000-0x00007FF7B4B31000-memory.dmp

C:\Windows\System\tcdHnUz.exe

MD5 95cc1c56c04eada4a36b9febaa8dc2f8
SHA1 49c939faf124eccff7f49f4d71b6766ba7e8ea89
SHA256 881e06f6660667f5e52a6d55ef3c0ec1af1d2fd0401dae294df1b8884ae51b9c
SHA512 04d632757a819a4ebbb2d749037e0d751d5ab3ec486398c4ba44db49c4d8642d9fd0b24b00b7258f28aead1151885e6a7936bc488aa458c9b34f67e1d6be1614

C:\Windows\System\gCBCqny.exe

MD5 0ab1030470d1e9fc6f2d35a94827a496
SHA1 5dd4f9b43aa0f32f682d220dadfa75151d7f56d4
SHA256 f2a6f7542506418f13a097069895beefab8fe71933a7632d3a1ab24431add71c
SHA512 48bd63aabcd4b4cea7623e425de41f9a7335ce2201eca7a7d662fdabd07bf63e8a22596cd3eec02cc994ab04e1fa36da42842620e9e906cb3cabcf32659e0a6d

C:\Windows\System\VEEDIsw.exe

MD5 afbd701108e1c8cc095bc35ebbfc34c3
SHA1 cec13cf164fe51f92e1101c0d1855bb2020032a1
SHA256 ce6689406edf7e2474cdbc31c731f7f1b7905ccad52e6b1347b5278d9f466148
SHA512 7ba662711d835fb4e82595745958686743cf707f280d33f50ea52c3cdc14e515e2c886fab883fc8bef8670579f7f38d2447028f56271704109564044d72f834b

C:\Windows\System\bZeLRGZ.exe

MD5 003a4981eab3cba6c6f252ea2c649bac
SHA1 9720bf3097c43ef3e48cf4e6d4a3714b09c62fbc
SHA256 0735621ba67028050af46406433ad96b0dc405441737c5683c6233303206bcba
SHA512 2efec6a0bd72e7d3a939cf556be79502c941bdfd678b5a7e5fb0161cfcdcbe6afe1fdbbc22b9f1c28dc5f972e8ad20f45c9dd50ccef37f7a099033e98ad3d91c

memory/2328-55-0x00007FF678260000-0x00007FF6785B1000-memory.dmp

C:\Windows\System\PsDhrVd.exe

MD5 87b009a05d4a18ad5a217053000175a6
SHA1 5aea292db96858e4aaefcfd9edd8ad674c73b5f0
SHA256 0dc2d68ea1627b68bbebdbb3c9654f2a4de5e59198caaba8af31a0c5f78b6c64
SHA512 c879cd13dd5d515e7761947288e7fc813d28e2813ca049de5590e77b45e2d31cec4505d6b81525d87a84bca0ae8e40e13c469f4115cc658e2e3b453e3dc0dd7b

memory/5060-62-0x00007FF773EF0000-0x00007FF774241000-memory.dmp

memory/1552-64-0x00007FF659840000-0x00007FF659B91000-memory.dmp

memory/3312-63-0x00007FF7245E0000-0x00007FF724931000-memory.dmp

C:\Windows\System\EIAvzAf.exe

MD5 ae045d644386b83275e7599dabcbba44
SHA1 f23312705ee193741c42dbcf2fff2b6595eafbc5
SHA256 88360a0e64c90d4a7900b79780e2238d14ec68d1772b26265e14f89afb6a47d5
SHA512 315b2a9355b5c7f9a0532dc0e7b4a4102c858ece0b6b80ec84091d428e93d3a35f653bab7a6aca02e1f0684c74ba5ab0c22ff0cbeb2dbc518bf6d1999c4dc478

memory/3496-60-0x00007FF7462F0000-0x00007FF746641000-memory.dmp

C:\Windows\System\KqlLZsE.exe

MD5 5e86d779e8d2700f5f095e7cfc719fa6
SHA1 fcc116a9e25dde38f48fd4ca59b520d2aefd37b1
SHA256 76ad69afdce29de6573bd339bacc9eb62cd1c62bd267e58a12249d1be6b9aeb4
SHA512 a6c7ab3ff575da731e956896499ab83672ec8fce004c8fb2b50927ea73436334800c6fb703a5c913295a27656fba0398d640d8e0ba2c9092ee86488bceb4e2e4

memory/3900-56-0x00007FF754140000-0x00007FF754491000-memory.dmp

C:\Windows\System\wzzwcbr.exe

MD5 0b3292c6a442b203f264bddcce6a3ad4
SHA1 c8c456fa871a9d4d84120f839c1636c22da830fa
SHA256 86a3de30c2c9f630688b43bea9578480ba28dc3898885a60e1472c05420b5a88
SHA512 4804b3dcd703e510927c8c02d70842b89408b986e6e816d05508589dfd15b21f23434406e0d0bc44492647181361111cf862f0e12e6afe1f058e6a8409176f47

memory/4288-50-0x00007FF778B30000-0x00007FF778E81000-memory.dmp

C:\Windows\System\GhPjGUB.exe

MD5 33f44684e20cebdd8f35d129abed7ef4
SHA1 5cdb7b0ebf4f1fe88be190eeedc3de557c83e088
SHA256 760b5e95790b8445089426f1edd574d8828f854e86db1c4350439b2e4d926170
SHA512 b0a61681e4251081ceb6804688f7965619f2d76c7c9c82f32edd0cb40f1b8aff649e6aed85010db3491dc007326090d8f21ef492139bd7bfef5df4402d07e05f

C:\Windows\System\BXijEEe.exe

MD5 9745bbc6370b0652bb9087288a1c0f48
SHA1 fb70c79951587e6c809afb7f5994a2a56d8401bb
SHA256 356c15b29ac4a41b604cb437f8bcb524e042f4545221f8d280202ea88114d40d
SHA512 330beba0353efa7eccc2d9b969daf94c8ff39b2b00a304206792572fd9349f1d0d05fb4abdf1ca08eebc98231a08be63eeb294ea647699419d91523bbe997646

memory/4732-34-0x00007FF79B860000-0x00007FF79BBB1000-memory.dmp

memory/4292-26-0x00007FF6E3A60000-0x00007FF6E3DB1000-memory.dmp

memory/1776-20-0x00007FF7B3940000-0x00007FF7B3C91000-memory.dmp

C:\Windows\System\zYaCeMF.exe

MD5 5ab8cb1e5f9a67a3497bb40eaf089fdc
SHA1 11cffc1feaa14be2579d0d8f65c60ddb13519c7a
SHA256 225e7ddf8babf14f6ef51c8a8fe284400016813e0729ff0987320dcd1e8ea3af
SHA512 782c565a359b295dd98a3fc5b7fda95a7ab7718eb8454a0e01b09d644fbf0ffce6a8523aefcf742a4a84bd6d38e777e3fe476f574e5a25f3bd82ca0e29264fe6

C:\Windows\System\gbCavBV.exe

MD5 f2b3233496e8f9b666a73c6f2d3f95d5
SHA1 ee2bb304eb3a96b2d7feeac56187efad751d5ffa
SHA256 7f6f9c596374589e065a9cf066de2e28b7a7b1d24a5a6ec4c36d1ee9cafad11b
SHA512 3f708caf3261740d968b7d2fc20a4449a24d16fbdf7a9d7ce8e44db8064c85c8fe3eab1bb2a4ec55d2eceadbd15f6dc8be5e95311892eaa5cf614af02cf21765

C:\Windows\System\OtEQVTO.exe

MD5 d57aed9a184e15f29320a676bc25091a
SHA1 216f2ed657a29eab23ca067c65e3bd880409c911
SHA256 82938417934dfe1187dda7195810ed0bd3553ba931f0feacea276e79b5abcaeb
SHA512 86f21be56dd3dac606d4d80770bad4c8c35f4a637f3316578661e1637c814d6ca36e3121c96b54ed36b29b37bdfe32fe82a0a22d926ecf68c7e1d1f6866b4a38

C:\Windows\System\xYxdeDM.exe

MD5 b74909ee77ace23819fc9d2220e42e13
SHA1 5b212605de2afb4d55cd290727b3c85a053233bb
SHA256 183a5f13fe31ef9f59fdbb8628be491e5484cd06dbe68386b6a019a27518282a
SHA512 595ea5bba0eb3bbd3c82077cffc3e1e86c09310253c6537d325e0595ccfd06dae28f570421420efa53161ebf29ad149db7f6030558ece2de5dd9d52c8a7846ba

memory/3600-115-0x00007FF6680F0000-0x00007FF668441000-memory.dmp

C:\Windows\System\BVKvGVG.exe

MD5 4aae25affe1f9596e9ace2e90002e869
SHA1 d7fb94218ea87995770557c989a2dc186c80b957
SHA256 8f241c07d3be5fbcf48beda12f0a13aa5406097faa4f07d9573bbca9fd4feaa1
SHA512 768413caed4e4dfb155cfb45362f1a7ca5a7e4b9d86ff4fdf7b3dd83b7c1ec51206410c2ea6ef807e10652a83570d3c0cdcf88a8f324077055e221ddc2ebb986

C:\Windows\System\tmRIoAY.exe

MD5 31bbf2efd4a71a89b499cd8e57f1db94
SHA1 31114a54ca664c66950208c23f8c92db324a9b76
SHA256 be473c6658b3162f305f04a7b3b00e2f6ed7a6d176a1ce3d71b0879f8ad070d3
SHA512 fd28e99836a8421ed127a6ad247c6d225bd5ec4b39c93da9ffc07823e600cfec7d8f9937d1b43464b3182649b06864a9d4346df64d4aa7b1cf3b5e5e0e8bfc2e

memory/1828-120-0x00007FF6D0C10000-0x00007FF6D0F61000-memory.dmp

C:\Windows\System\qQnKgOG.exe

MD5 6e7734a226382b3e1514a714442f14a8
SHA1 1e71f37d7348da159da19e60e4d497e0d1e0d0d6
SHA256 de9f0b81307bd50d3d049fe067cacbee5c4553a89e8acd3068a68f7ec5755d4b
SHA512 9eec71096948b0632d60cf08861b28cdb1ed517474ea9e5fde53ba57a3b0799eb08de7ab291831687813416f0dbfcf9f3b80665a1b85b9d2c761066794648835

C:\Windows\System\FngMgsf.exe

MD5 43c94b650c76f75c76c7f5432501a708
SHA1 34351ecd6945426ae7a8df6c520737e48bfd3528
SHA256 47ea120b4e3de5b6109ecd0462593d8675351bf0d702cae923a0985b3258f740
SHA512 ddecea70ab3188f6a571f5647fb8db79eaab428875ed30335c0a710e261d41eccc5a698a993b45b018a5b75dd4b6bc10d608dc56b964916cb701d9f27588666a

memory/4492-111-0x00007FF62C8B0000-0x00007FF62CC01000-memory.dmp

memory/3136-104-0x00007FF66BD80000-0x00007FF66C0D1000-memory.dmp

memory/1152-98-0x00007FF7CAFB0000-0x00007FF7CB301000-memory.dmp

memory/4792-91-0x00007FF6F22F0000-0x00007FF6F2641000-memory.dmp

C:\Windows\System\yCaVxfT.exe

MD5 212c2e9aac40ad6df76d15a636e8bc52
SHA1 0651dcb0c1386ca43491b8a3aaa48b557db4167d
SHA256 df3ff15ff10d7c0f6dc8492f6a4a7d814454bbf3f7b86bf9b4811a764dc3f603
SHA512 2d245b6a3c17d1d80679b625d2dc770847c403910d73c74539ac9475c890328824e2b254ab7e808463676532174ef26cfe10a13e40f68c8eb696eaa24ccc9ef9

C:\Windows\System\XFZECab.exe

MD5 e8b40d6e487584b4dd6ed6f724812fc2
SHA1 4aef75fa33129d62c183c3d4daf5ee11d4e54547
SHA256 517cdd46eeaeb502ccb95b1a849f3421da825f819fcbc0d672e45385104f4493
SHA512 dc826d3af3a3904ab85bffcd253455696d93bd87410a72c42cab4bf169d20c008505c386cdb43b71e1523553f39e310450b8a957fded6ba53b3cbf6c2c480833

memory/4904-76-0x00007FF6F56A0000-0x00007FF6F59F1000-memory.dmp

memory/4592-125-0x00007FF6405F0000-0x00007FF640941000-memory.dmp

memory/3916-126-0x00007FF6EF850000-0x00007FF6EFBA1000-memory.dmp

memory/4024-127-0x00007FF77A1F0000-0x00007FF77A541000-memory.dmp

memory/2604-128-0x00007FF78D790000-0x00007FF78DAE1000-memory.dmp

memory/1552-138-0x00007FF659840000-0x00007FF659B91000-memory.dmp

memory/3900-136-0x00007FF754140000-0x00007FF754491000-memory.dmp

memory/2328-135-0x00007FF678260000-0x00007FF6785B1000-memory.dmp

memory/4904-140-0x00007FF6F56A0000-0x00007FF6F59F1000-memory.dmp

memory/3496-139-0x00007FF7462F0000-0x00007FF746641000-memory.dmp

memory/4732-132-0x00007FF79B860000-0x00007FF79BBB1000-memory.dmp

memory/1776-130-0x00007FF7B3940000-0x00007FF7B3C91000-memory.dmp

memory/3420-129-0x00007FF7B47E0000-0x00007FF7B4B31000-memory.dmp

memory/4292-131-0x00007FF6E3A60000-0x00007FF6E3DB1000-memory.dmp

memory/3136-145-0x00007FF66BD80000-0x00007FF66C0D1000-memory.dmp

memory/1828-146-0x00007FF6D0C10000-0x00007FF6D0F61000-memory.dmp

memory/2604-150-0x00007FF78D790000-0x00007FF78DAE1000-memory.dmp

memory/3420-195-0x00007FF7B47E0000-0x00007FF7B4B31000-memory.dmp

memory/1776-197-0x00007FF7B3940000-0x00007FF7B3C91000-memory.dmp

memory/4292-199-0x00007FF6E3A60000-0x00007FF6E3DB1000-memory.dmp

memory/5060-201-0x00007FF773EF0000-0x00007FF774241000-memory.dmp

memory/4732-203-0x00007FF79B860000-0x00007FF79BBB1000-memory.dmp

memory/4288-205-0x00007FF778B30000-0x00007FF778E81000-memory.dmp

memory/3312-207-0x00007FF7245E0000-0x00007FF724931000-memory.dmp

memory/3496-215-0x00007FF7462F0000-0x00007FF746641000-memory.dmp

memory/1552-218-0x00007FF659840000-0x00007FF659B91000-memory.dmp

memory/3900-219-0x00007FF754140000-0x00007FF754491000-memory.dmp

memory/4904-223-0x00007FF6F56A0000-0x00007FF6F59F1000-memory.dmp

memory/2328-222-0x00007FF678260000-0x00007FF6785B1000-memory.dmp

memory/1152-226-0x00007FF7CAFB0000-0x00007FF7CB301000-memory.dmp

memory/4792-229-0x00007FF6F22F0000-0x00007FF6F2641000-memory.dmp

memory/4492-227-0x00007FF62C8B0000-0x00007FF62CC01000-memory.dmp

memory/3600-231-0x00007FF6680F0000-0x00007FF668441000-memory.dmp

memory/4592-233-0x00007FF6405F0000-0x00007FF640941000-memory.dmp

memory/3916-238-0x00007FF6EF850000-0x00007FF6EFBA1000-memory.dmp

memory/3136-241-0x00007FF66BD80000-0x00007FF66C0D1000-memory.dmp

memory/1828-240-0x00007FF6D0C10000-0x00007FF6D0F61000-memory.dmp

memory/4024-236-0x00007FF77A1F0000-0x00007FF77A541000-memory.dmp
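The WriteProcessMemory table and the Files section of this run describe the same children from two angles: the first gives parent PID, child PID and child image (two writes per child, as is normal when a parent starts a process), the second gives the on-disk hashes of each image. Joining them yields one IOC record per spawned PID. The code below is an added example written for this report, not sandbox output; WPM_ROWS and HASH_TEXT are copied for three of the children (xixAQpt.exe, KqlLZsE.exe, XFZECab.exe) and the same functions accept the full tables. Digest lengths are checked so that a truncated hash copied from a report cannot silently become a bad indicator.

```python
import re

PARENT = (r"C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea"
          r"_cobalt-strike_cobaltstrike_poet-rat.exe")

# Rows from the behavioral2 "Suspicious use of WriteProcessMemory" table for three
# children; each child is listed twice, which the join keeps as a write count.
WPM_ROWS = [
    rf"PID 2604 wrote to memory of 3420 N/A {PARENT} C:\Windows\System\xixAQpt.exe",
    rf"PID 2604 wrote to memory of 3420 N/A {PARENT} C:\Windows\System\xixAQpt.exe",
    rf"PID 2604 wrote to memory of 1552 N/A {PARENT} C:\Windows\System\KqlLZsE.exe",
    rf"PID 2604 wrote to memory of 1552 N/A {PARENT} C:\Windows\System\KqlLZsE.exe",
    rf"PID 2604 wrote to memory of 4904 N/A {PARENT} C:\Windows\System\XFZECab.exe",
    rf"PID 2604 wrote to memory of 4904 N/A {PARENT} C:\Windows\System\XFZECab.exe",
]

# Entries from the behavioral2 "Files" section, copied as they appear (a dump-name
# line is included to show that it is skipped).
HASH_TEXT = r"""
C:\Windows\System\xixAQpt.exe

MD5 87e2c0fee4854875cf961783c847f81e
SHA1 9263067cdfa0bfbf99dd4f3237141bc0ca84e15d
SHA256 c3aa543351862b40b7e704112aaa3026d2795e81806b1568c557e8eced14a46b
SHA512 b85ee97429b4a21b71c6d924bd282d786d792571cf0259544542ba2572bf24d9d9741f79600cf60173f67669364a3c33e6a3fbc342f8b58e7f1d6d9a5eda002b

memory/3420-7-0x00007FF7B47E0000-0x00007FF7B4B31000-memory.dmp

C:\Windows\System\KqlLZsE.exe

MD5 5e86d779e8d2700f5f095e7cfc719fa6
SHA1 fcc116a9e25dde38f48fd4ca59b520d2aefd37b1
SHA256 76ad69afdce29de6573bd339bacc9eb62cd1c62bd267e58a12249d1be6b9aeb4
SHA512 a6c7ab3ff575da731e956896499ab83672ec8fce004c8fb2b50927ea73436334800c6fb703a5c913295a27656fba0398d640d8e0ba2c9092ee86488bceb4e2e4

C:\Windows\System\XFZECab.exe

MD5 e8b40d6e487584b4dd6ed6f724812fc2
SHA1 4aef75fa33129d62c183c3d4daf5ee11d4e54547
SHA256 517cdd46eeaeb502ccb95b1a849f3421da825f819fcbc0d672e45385104f4493
SHA512 dc826d3af3a3904ab85bffcd253455696d93bd87410a72c42cab4bf169d20c008505c386cdb43b71e1523553f39e310450b8a957fded6ba53b3cbf6c2c480833
"""

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PATH_RE = re.compile(r"^[A-Za-z]:\\\S+$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_hash_blocks(text):
    """Map each dropped-file path (lower-cased) to its validated digests."""
    files, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("memory/"):
            continue
        if PATH_RE.match(line):
            current = line.lower()       # behavioral1 writes C:\Windows\system, behavioral2 \System
            files[current] = {}
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.groups()
            if len(digest) != HASH_LENGTHS[algo]:
                raise ValueError(f"{current}: {algo} has {len(digest)} hex chars")
            files[current][algo.lower()] = digest
    return files


def map_children(rows):
    """child pid -> parent pid, child image and number of WriteProcessMemory rows."""
    children = {}
    for row in rows:
        m = WPM_RE.match(row)
        if m is None:
            raise ValueError(f"unexpected row: {row!r}")
        parent, child, _parent_image, child_image = m.groups()
        entry = children.setdefault(int(child), {"parent": int(parent), "image": child_image, "writes": 0})
        if entry["image"] != child_image:
            raise ValueError(f"pid {child} reused for two images")
        entry["writes"] += 1
    return children


def build_iocs(rows, hash_text):
    """Join the process-tree rows with the hash blocks into one record per child PID."""
    hashes = parse_hash_blocks(hash_text)
    children = map_children(rows)
    for entry in children.values():
        entry.update(hashes.get(entry["image"].lower(), {}))
    return children


if __name__ == "__main__":
    for pid, ioc in sorted(build_iocs(WPM_ROWS, HASH_TEXT).items()):
        print(pid, ioc["image"], ioc.get("sha256", "<no hash>"), f"writes={ioc['writes']}")
```

Joining on the lower-cased path also lets the behavioral1 entries (C:\Windows\system\KqlLZsE.exe and friends) be matched against this run's process tree, where the same four files carry identical hashes in both detonations.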