Malware Analysis Report

2025-01-22 19:30

Sample ID 240806-n1ketsscnh
Target 2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat
SHA256 4a8c5d4cee26d5b20f65dcd4dc87dd44f7df5cd208e99fb7c1881ae43949e57c
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4a8c5d4cee26d5b20f65dcd4dc87dd44f7df5cd208e99fb7c1881ae43949e57c

Threat Level: Known bad

The file 2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobaltstrike

Cobalt Strike reflective loader

xmrig

Cobaltstrike family

Xmrig family

XMRig Miner payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 11:51

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
1 match (description, indicator, process and target not recorded)

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
1 match (description, indicator, process and target not recorded)

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
1 match (description, indicator, process and target not recorded)

Unsigned PE

Description Indicator Process Target
2 matches (description, indicator, process and target not recorded)

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 11:51

Reported

2024-08-06 11:54

Platform

win10v2004-20240802-en

Max time kernel

144s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 matches (description, indicator, process and target not recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
47 matches (description, indicator, process and target not recorded)

UPX packed file

upx
Description Indicator Process Target
64 matches (description, indicator, process and target not recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\PdggOue.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xEggfcW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bMeRKpF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZpeZQVX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ksYzkHd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xzFvsvK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ATHLFoJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ahPGhFp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CgschQb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ejdthVn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rohfuHy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VIsdGzN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AqDLYDK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NOKQnIi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Ussywuc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nxFnRtv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jdpFuOY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BDoLVbH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JgfhATI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FHAmyYE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vaNRReU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3712 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xEggfcW.exe
PID 3712 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xEggfcW.exe
PID 3712 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bMeRKpF.exe
PID 3712 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bMeRKpF.exe
PID 3712 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CgschQb.exe
PID 3712 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CgschQb.exe
PID 3712 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ejdthVn.exe
PID 3712 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ejdthVn.exe
PID 3712 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rohfuHy.exe
PID 3712 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rohfuHy.exe
PID 3712 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BDoLVbH.exe
PID 3712 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BDoLVbH.exe
PID 3712 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VIsdGzN.exe
PID 3712 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VIsdGzN.exe
PID 3712 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZpeZQVX.exe
PID 3712 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZpeZQVX.exe
PID 3712 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AqDLYDK.exe
PID 3712 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AqDLYDK.exe
PID 3712 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JgfhATI.exe
PID 3712 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JgfhATI.exe
PID 3712 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NOKQnIi.exe
PID 3712 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NOKQnIi.exe
PID 3712 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PdggOue.exe
PID 3712 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PdggOue.exe
PID 3712 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ATHLFoJ.exe
PID 3712 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ATHLFoJ.exe
PID 3712 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ahPGhFp.exe
PID 3712 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ahPGhFp.exe
PID 3712 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ksYzkHd.exe
PID 3712 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ksYzkHd.exe
PID 3712 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FHAmyYE.exe
PID 3712 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FHAmyYE.exe
PID 3712 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vaNRReU.exe
PID 3712 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vaNRReU.exe
PID 3712 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xzFvsvK.exe
PID 3712 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xzFvsvK.exe
PID 3712 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Ussywuc.exe
PID 3712 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Ussywuc.exe
PID 3712 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nxFnRtv.exe
PID 3712 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nxFnRtv.exe
PID 3712 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jdpFuOY.exe
PID 3712 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jdpFuOY.exe
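
The two tables above record one behaviour: the sample (PID 3712) writes 21 seven-letter, mixed-case .exe files into C:\Windows\System\ and then starts each one as a child. The two "wrote to memory of" rows per child are consistent with the writes CreateProcess itself makes into a new child's address space rather than with injection of a separate payload. The Python below is an added detection example, not part of the sandbox report and not the sandbox's own logic. EVENTS is constructed from four of the rows above in a hypothetical normalised schema (kind, pid, image, target, parent_pid) plus one invented benign control event (msiexec.exe writing legacy.exe and never running it). The random-name heuristic (seven ASCII letters, not all lowercase) is tuned to this sample's naming and is a weak signal; the strong signal is an executable written under the Windows directory by a process running from a user's Temp folder and then launched as its child.

```python
"""Drop-and-execute detection over process/file events.

Added example, not part of the sandbox report. EVENTS is constructed from
four of the 'Drops file in Windows directory' / 'wrote to memory of' rows
plus one invented benign control; the field names are a hypothetical
normalised schema, not any vendor's event format.
"""
import re
from dataclasses import dataclass, field

SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65"
          "_cobalt-strike_cobaltstrike_poet-rat.exe")
SYSTEM_DIR = "c:\\windows\\system\\"        # the drop directory seen in the report
TEMP_MARKER = "\\appdata\\local\\temp\\"    # user-writable staging location
SEVEN_LETTERS = re.compile(r"^[A-Za-z]{7}\.exe$")


def random_looking(path: str) -> bool:
    """Heuristic tuned to this sample: seven ASCII letters, not all lowercase
    (msiexec.exe and svchost.exe are seven letters but lowercase)."""
    name = path.rsplit("\\", 1)[-1]
    return bool(SEVEN_LETTERS.match(name)) and name[:7] != name[:7].lower()


@dataclass(frozen=True)
class Event:
    kind: str               # "file_create" or "process_create"
    pid: int                # acting process (file_create) / new process (process_create)
    image: str              # image path of that process
    target: str = ""        # file_create: path written
    parent_pid: int = 0     # process_create: parent PID


@dataclass
class Finding:
    image: str
    dropped: list = field(default_factory=list)   # EXEs written under SYSTEM_DIR
    executed: list = field(default_factory=list)  # those later run as a child

    @property
    def random_named(self) -> list:
        return [p for p in self.dropped if random_looking(p)]

    @property
    def from_temp(self) -> bool:
        return TEMP_MARKER in self.image.lower()


def analyze(events) -> dict:
    """Attribute drops and child launches to the writing PID."""
    findings: dict = {}
    for e in events:
        if e.kind == "file_create":
            t = e.target.lower()
            if t.startswith(SYSTEM_DIR) and t.endswith(".exe"):
                findings.setdefault(e.pid, Finding(e.image)).dropped.append(e.target)
    for e in events:
        f = findings.get(e.parent_pid)
        if e.kind == "process_create" and f is not None:
            if e.image.lower() in {p.lower() for p in f.dropped}:
                f.executed.append(e.image)
    return findings


def alerts(events, min_random: int = 3) -> list:
    """PIDs to alert on: drop-and-run from Temp, or a spray of random-named EXEs."""
    hits = []
    for pid, f in analyze(events).items():
        if (f.executed and f.from_temp) or len(f.random_named) >= min_random:
            hits.append(pid)
    return hits


# Constructed events: PID 3712 (the sample) drops four of the 21 files and runs each.
_CHILDREN = {4956: "xEggfcW.exe", 4968: "bMeRKpF.exe", 4072: "CgschQb.exe", 1084: "ejdthVn.exe"}
EVENTS = []
for _pid, _name in _CHILDREN.items():
    _path = "C:\\Windows\\System\\" + _name
    EVENTS.append(Event("file_create", 3712, SAMPLE, target=_path))
    EVENTS.append(Event("process_create", _pid, _path, parent_pid=3712))
# Invented benign control: a system binary writes one conventionally named EXE and never runs it.
EVENTS.append(Event("file_create", 900, "C:\\Windows\\System32\\msiexec.exe",
                    target="C:\\Windows\\System\\legacy.exe"))

if __name__ == "__main__":
    for pid, f in analyze(EVENTS).items():
        print(pid, f.image.rsplit("\\", 1)[-1], "dropped", len(f.dropped),
              "executed", len(f.executed), "random-named", len(f.random_named))
    print("alert PIDs:", alerts(EVENTS))
```

Run stand-alone it reports PID 3712 with four drops, four executions and four random-looking names, PID 900 with one conventionally named drop and nothing executed, and alerts on 3712 only. On real telemetry the same two passes apply to Sysmon EventID 11 (file create) and EventID 1 (process create) after mapping the fields.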

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\xEggfcW.exe

C:\Windows\System\xEggfcW.exe

C:\Windows\System\bMeRKpF.exe

C:\Windows\System\bMeRKpF.exe

C:\Windows\System\CgschQb.exe

C:\Windows\System\CgschQb.exe

C:\Windows\System\ejdthVn.exe

C:\Windows\System\ejdthVn.exe

C:\Windows\System\rohfuHy.exe

C:\Windows\System\rohfuHy.exe

C:\Windows\System\BDoLVbH.exe

C:\Windows\System\BDoLVbH.exe

C:\Windows\System\VIsdGzN.exe

C:\Windows\System\VIsdGzN.exe

C:\Windows\System\ZpeZQVX.exe

C:\Windows\System\ZpeZQVX.exe

C:\Windows\System\AqDLYDK.exe

C:\Windows\System\AqDLYDK.exe

C:\Windows\System\JgfhATI.exe

C:\Windows\System\JgfhATI.exe

C:\Windows\System\NOKQnIi.exe

C:\Windows\System\NOKQnIi.exe

C:\Windows\System\PdggOue.exe

C:\Windows\System\PdggOue.exe

C:\Windows\System\ATHLFoJ.exe

C:\Windows\System\ATHLFoJ.exe

C:\Windows\System\ahPGhFp.exe

C:\Windows\System\ahPGhFp.exe

C:\Windows\System\ksYzkHd.exe

C:\Windows\System\ksYzkHd.exe

C:\Windows\System\FHAmyYE.exe

C:\Windows\System\FHAmyYE.exe

C:\Windows\System\vaNRReU.exe

C:\Windows\System\vaNRReU.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4248,i,15436195446242760253,4000484513008731869,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:8

C:\Windows\System\xzFvsvK.exe

C:\Windows\System\xzFvsvK.exe

C:\Windows\System\Ussywuc.exe

C:\Windows\System\Ussywuc.exe

C:\Windows\System\nxFnRtv.exe

C:\Windows\System\nxFnRtv.exe

C:\Windows\System\jdpFuOY.exe

C:\Windows\System\jdpFuOY.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 21.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
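
Of the 16 rows above, the only non-DNS traffic is six TCP connections to 3.120.209.58:8080 (geolocated DE by the report). The other ten rows are PTR queries sent to 8.8.8.8; each in-addr.arpa name encodes an IPv4 address with its octets reversed, so 21.53.126.40.in-addr.arpa is a reverse lookup of 40.126.53.21. Reverse lookups are typically the guest resolving names for addresses it is already in contact with (OS and browser background traffic included), so the addresses they encode are secondary pivots at best, not evidence of malware infrastructure. The Python below is an added example, not part of the report: it parses the table as printed, decodes the PTR names back to dotted IPs, and keeps the direct endpoint apart from the lookup noise. NETWORK_TABLE is the table copied verbatim; the endpoint/lookup split is this example's heuristic.

```python
"""Triage of the Network table above: direct endpoints vs reverse-lookup noise.

Added example, not part of the sandbox report. NETWORK_TABLE is the table
copied verbatim; the endpoint/lookup split is this example's heuristic.
"""
from collections import Counter
from typing import NamedTuple, Optional

NETWORK_TABLE = """\
Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 21.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""


class Row(NamedTuple):
    country: str
    host: str
    port: int
    domain: str   # empty when the report left the column blank
    proto: str


def parse_rows(text: str) -> list:
    """Parse the whitespace-separated table; the Domain column may be absent."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        host, port = dest.rsplit(":", 1)
        rows.append(Row(country, host, int(port), domain, proto))
    return rows


def ptr_to_ip(name: str) -> Optional[str]:
    """Decode an IPv4 reverse-lookup name: '21.53.126.40.in-addr.arpa' -> '40.126.53.21'."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4 or not all(lab.isdigit() and int(lab) <= 255 for lab in labels):
        return None
    return ".".join(reversed(labels))


def triage(rows) -> tuple:
    """Split rows into (endpoint -> hit count, reverse-looked-up IP -> count).

    A PTR query to a public resolver says the guest resolved a name for an
    address it was already in contact with; it is not itself a connection to
    that address, so those IPs are kept apart from direct endpoints."""
    endpoints = Counter()
    lookups = Counter()
    for r in rows:
        ip = ptr_to_ip(r.domain) if r.port == 53 and r.proto == "udp" else None
        if ip is not None:
            lookups[ip] += 1
        else:
            endpoints[(r.host, r.port, r.proto, r.country)] += 1
    return endpoints, lookups


if __name__ == "__main__":
    endpoints, lookups = triage(parse_rows(NETWORK_TABLE))
    for (host, port, proto, cc), n in endpoints.most_common():
        print(f"direct   {host}:{port}/{proto} [{cc}] x{n}")
    for ip, n in sorted(lookups.items()):
        print(f"ptr-only {ip} x{n}")
```

Run stand-alone it prints one direct endpoint (3.120.209.58:8080/tcp, six hits) and nine reverse-looked-up addresses, one of them (52.165.164.15) queried twice. Only the direct endpoint belongs in a blocklist; the decoded PTR addresses are worth a passive-DNS check before being treated as indicators.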

Files

memory/3712-0-0x00007FF65E860000-0x00007FF65EBB1000-memory.dmp

memory/3712-1-0x000001D63D0A0000-0x000001D63D0B0000-memory.dmp

C:\Windows\System\xEggfcW.exe

MD5 c959b838d915c60a86e2e3d6cf67c563
SHA1 b98b1e718bf0fb4ab756331744bc037ebe15bb9e
SHA256 ab38d3c10d4309e7b1df49fd84df799293ef956154968f8f1cbbc27137ed2bd9
SHA512 751619a7d189ae3d6592a54a127ca441868d9e9912a9bb830c766da878ef3c23d88757f197a699c512897be4a598172e2d090e25f41998ca85eeffdf0328c9fe

C:\Windows\System\bMeRKpF.exe

MD5 10c1d82061cb9545660d99382db27d4a
SHA1 dbf650a1a58ca12d19e938f4e57f4cc07f8f44ef
SHA256 3e888f1000ee18bf36dc1adee3fc9b06496179fb881ccdeea57893f2bf2265ed
SHA512 28f005c039133e50f502461504218e5c7d74542b40559a2e05cd4ca24f7e68a5b08c603946ddbeb82949a34a494ef74dd124a8f5dbaaf5f6508adf6b158f826b

C:\Windows\System\CgschQb.exe

MD5 bcd1cd926be376c721025d06095d29e0
SHA1 0eeb161df297421a25e7e9bf42d27c0329abcfe4
SHA256 70d9ac3e8aa7d86383fe36f25adddb430ec64c0bb4da7f363ad5f87a9a926c09
SHA512 8cc7aec0305199d45dc0329efa97e7661b39ff2695bbef17ddcf0c1a8be84f534ba6adc53848bb510421caed8617dd672e837f1e82e93e1302f1955960df6c1b

memory/4956-14-0x00007FF68CAF0000-0x00007FF68CE41000-memory.dmp

memory/4968-21-0x00007FF7DD380000-0x00007FF7DD6D1000-memory.dmp

C:\Windows\System\VIsdGzN.exe

MD5 227cf4e7d126043451418b04c9c24af4
SHA1 503fed2284947db725e70344b42004743ada6384
SHA256 1ae02b06414ba1dfea348959096e00b9c6338a31edd9e2d1f075c5f373d58034
SHA512 68160b161fc3452b33b1141b9c9a25bb0c7f4fffdeea400b94e0a4492d72f247a95add74198b74f015b0b40d9112c94354f1dee217f8b52d2ec4aa21534b0956

C:\Windows\System\NOKQnIi.exe

MD5 385dd37675cc0053eb2b525b12ddaf9a
SHA1 016974e454869447ee9e342b2cb7af08dee343a2
SHA256 1077237e7102a5adfd36ac4c6d9654e7e0034710e7671c301951a24143d77c1d
SHA512 010027c7e8f2d85a0228a69507eeb9a90627eb179491f9fe302173ea1344c953d9e49e370f17d354fb23f64f3f4d4d10e61c3d97047820675339f53e939f8c67

memory/2948-73-0x00007FF725840000-0x00007FF725B91000-memory.dmp

memory/3748-87-0x00007FF7E2390000-0x00007FF7E26E1000-memory.dmp

C:\Windows\System\FHAmyYE.exe

MD5 aaa372ee9e5a384b61789e5d96cc0bfc
SHA1 e90dd7cf11848377ba372c88b7294931e0ac6bdb
SHA256 098f4d6bde1fdcd9d12273af620f27d120d367253a037b89ba943ca0d40ad474
SHA512 8f1bc664d0281640e53b4e44847c3f986dd0714eeab10c5f200d86cc8a6e06a5f9eac64ca9f83de28c6b36ec436f5dae1e7748d0b4d35dc0eca3e0cef3393966

memory/1000-98-0x00007FF63F680000-0x00007FF63F9D1000-memory.dmp

memory/3364-97-0x00007FF630190000-0x00007FF6304E1000-memory.dmp

C:\Windows\System\ksYzkHd.exe

MD5 7b3ae4c506bdd822bdcbcb8676602d14
SHA1 d45243e18b5d5d7796ec1a1fc094e8bd0e287008
SHA256 44dccd3012eaae9bc65646fd4642d8f86008bbba7e2b85b34d62a442344649ec
SHA512 80b7dc6876c9aaa659a0e57fa69d11e8cf06834511f2a77da61b0996b3f6b21012cbc33d45a5d52a74c49f8986d7ab1f5940d76b0bf9d891f10ff6296fab19b7

memory/2636-92-0x00007FF63D270000-0x00007FF63D5C1000-memory.dmp

memory/3452-91-0x00007FF639FF0000-0x00007FF63A341000-memory.dmp

C:\Windows\System\ATHLFoJ.exe

MD5 976b4fbd635097c80058c742d540d1fe
SHA1 2afb48293a312e70def17d80ff5fe72096a09b82
SHA256 1906b14e6bc1fd4cd5d90915865cad1190e8fb9f58b12ca3df2ed89c16a5e9f6
SHA512 2efafdec2ac6452509ebae4bba26a6a78cf541c69151e4e7c94e3bcb13e084f7900ee252424fbb7c4b31fb2a1c54fc3961ea9aa4f623f1a84a5f908888a2ddb7

memory/3248-88-0x00007FF7C1DF0000-0x00007FF7C2141000-memory.dmp

memory/2268-84-0x00007FF6FDCB0000-0x00007FF6FE001000-memory.dmp

C:\Windows\System\ahPGhFp.exe

MD5 2ae52827c09d03e5a81709f2a9d7970f
SHA1 3aeb8a5fca4588e473e45a83c7e4255aa5a2b8f6
SHA256 3655abfd6660549476d13cca39267f62f29592aa4cc9efd1a572f96b00b35c5e
SHA512 67fcc89737b6fa53246fc16bdf9b5323f60943ca6ae77cc34755139abc84abeda4ed4563239e3df170bed1d1422ad3dfa7189a0d21ff25eeace1ccca53f4abc9

C:\Windows\System\JgfhATI.exe

MD5 2c9d9dd50b1e8fc532b631c6b517d3d7
SHA1 d20aa4e74dd55e874fd6ee400f8c9e896cbb1302
SHA256 17b924a30f2d5594e1df978be4809548b669bbb7e9b87fe20fa1e44c6d7fa433
SHA512 dcbafcd0bb1a8933fe733175a85676340acc7cbb559e99a4b988ef18a3b751573f2ac98a5611d876880bf792fc044e44f50428586033ecb94871cd62e9b1a512

C:\Windows\System\PdggOue.exe

MD5 40d9cd0ba6a3079acb09b6f62db6669e
SHA1 6b862f8962670eec55fe271b223f98bd9400cbea
SHA256 c68a7bddb197ebd816d03b44243593cb6b217d11f1478ae6d1bb8b155259a628
SHA512 a9d3b406e3d46b0e8f37afa623f99be676bfae667423e2327b4072a730b6b26e72bbb0ce33c49741226140ee79303d8c2de5802a0842c32d0e11c746a9ffc540

memory/2772-67-0x00007FF6546C0000-0x00007FF654A11000-memory.dmp

C:\Windows\System\BDoLVbH.exe

MD5 3e73a450061d2569142a535a8ada9fa9
SHA1 8c40022d88d28173ff0d18bd84a9b50cc11a2e47
SHA256 d003460d2de545fe6a1e224693e57c124c175687fc88dcd9eef51535cd7802aa
SHA512 416bd9c2c18ab8537de6b9d5bb344700aaaf19473f2cc4d00a3c0a6512d5b02c8c548b757f8b904aaa1ae47ef80487ce71bd0fd723971f2d0584171f26eaaac8

C:\Windows\System\ZpeZQVX.exe

MD5 43a2913fa6817e08ddde42c983533ae5
SHA1 36b661338b16eb48d79475ad0248ddf12d3988e4
SHA256 a237b58dc3d1ecc130da3a536b8aa8ad8ff5d969c7370f53683f32032770749e
SHA512 48e66174006cd57100adf06b689a79ba4385618db72b7676a00b30ddcaad5db357525548e0856adf791cd5419090331502950c6179f21da28c0c24a6a97d94c0

C:\Windows\System\AqDLYDK.exe

MD5 7007655dc7bbb7a880b2a08b97a36b5f
SHA1 510dcd6e98ddc8492cf02aa92e39f05593b81740
SHA256 726aff53fba2d9f02440d64cf993289e2c93f686a86d36f7c0e9a2077d4ba5e0
SHA512 8cd57d6a4620f2ff48c15a88813ac92e4025a3074b8d4ee379b785977aab0ecc3315e5f162a10b035e5a46e826edb500dc5fb5d49897808200fa9cdfd97a14e0

memory/4760-54-0x00007FF768B70000-0x00007FF768EC1000-memory.dmp

C:\Windows\System\rohfuHy.exe

MD5 c00367c592c9ea128b09db346fd7821b
SHA1 c14a509b6f68feca11b5c22057eddba2f78b72e6
SHA256 083853e870ed12c8a00dd15e24d9aa85228a443a06731e82f9cf73a3b2164fd5
SHA512 ab0701522d9e4eab8218a00ba0075c500a747bd1e36f7b6af403d33fa52fac58281445470c90c3a104ecc4eaddeef5c926fe2c04d5e6b5a40e18f40ef52957e1

memory/4376-46-0x00007FF6CD2A0000-0x00007FF6CD5F1000-memory.dmp

memory/4832-45-0x00007FF6A3280000-0x00007FF6A35D1000-memory.dmp

memory/4072-32-0x00007FF7163F0000-0x00007FF716741000-memory.dmp

C:\Windows\System\ejdthVn.exe

MD5 9d949ad6ee13e1719597ae3dfda31713
SHA1 78f69a42c5d31586ab476f7529714903519bdf09
SHA256 3c6c69ecbf9dc006159c0779abf81cddec006d4012aa7a731aeb800811a2f515
SHA512 91d93eb763f59e3b7e6aa7b3a8e47dd698198affe7909f627656b1a283b086151e258877ea8589c14a1446b53f2de5a5a20ba2207769f15820f0b20e210072cd

memory/1084-23-0x00007FF688A10000-0x00007FF688D61000-memory.dmp

memory/3712-102-0x00007FF65E860000-0x00007FF65EBB1000-memory.dmp

C:\Windows\System\vaNRReU.exe

MD5 3e65393d8f69c25761334f7cdd6855e5
SHA1 bd46891e27c12eb642a0b54552911550fcf11e92
SHA256 cafce2fb9b92088b6e8167d561967ea21df90aec8d568e0bf4120aeb26c9ee3d
SHA512 877a92346c7eec9134ad8596ee795f0f4412e44121f82397b2653151bb61c84623f532a16b08292b2b03f6fda78cce31d184cd39112fa132a61bbbbc8a70f148

C:\Windows\System\Ussywuc.exe

MD5 668f013906f90b0d173bcd571bb5dac2
SHA1 414f919c04ca9eea0594c9c9552b5bb8ec703d56
SHA256 79b5539f448398b673b0c576c9b1c519381bbc538fbf98449c37493203332db9
SHA512 9f0ae3b006aceb468299bc7eabe6cf4cd992c7d14a636f1acda4e28960dd9d5771667e057bb624b81053e75b5e4246c5fb276e3dc6af2fb6b7e8a2e244a51471

C:\Windows\System\nxFnRtv.exe

MD5 6e5272724566a1d9862f047f2039e6b6
SHA1 5bf4873c97de956314be988e5d913822f2ecdd51
SHA256 810ce411fa513993b7efc50123d094c4afb6f7547f3b136f7a27b30a015a9289
SHA512 45c64ab0d8965de0441b313803845ae6454845344d6d9a12d2a9c95649bb555d35130d9e2696cc79bb52298da8827fbed7287affe3bf7aea7dc4db25d54db151

C:\Windows\System\jdpFuOY.exe

MD5 1dbd55aeb4913c7ea43ec910a98a42e9
SHA1 1486ef0c29b51eec6ffef772d3226b1e2752fb63
SHA256 a7ac72c5f87b01e3e80c343626cdff00da9a09cd9d3fd26ab92677f31f235369
SHA512 9dcf103f5215d222ba4aa716cd3d9d40276358051ae09c1f2f179ef7467e7554a4253ece49739891b51852067938a59cf78d68b555d21623ccbcfb06d5904ec7

memory/368-126-0x00007FF68F020000-0x00007FF68F371000-memory.dmp

memory/3636-128-0x00007FF7A1410000-0x00007FF7A1761000-memory.dmp

memory/1084-129-0x00007FF688A10000-0x00007FF688D61000-memory.dmp

memory/3712-127-0x00007FF65E860000-0x00007FF65EBB1000-memory.dmp

C:\Windows\System\xzFvsvK.exe

MD5 14ad67b354a74a60d4550d81966b3ff2
SHA1 6cb3375f876f8acff7854b4409a17550d646bcb7
SHA256 17fcae7ab2b0d7c2cce185ced1dc6c1e837b4f63a88fa1dc19119d01a727b941
SHA512 03fa54d79ea701e4a73dd917acffb1b444a43815ac402b4afcb646e45e8b77fcf71fef71d281e90a3fa01d355b62dca66d03a04cd9b3b0a256c35b240a01620f

memory/3280-115-0x00007FF72CB60000-0x00007FF72CEB1000-memory.dmp

memory/4056-112-0x00007FF7E7770000-0x00007FF7E7AC1000-memory.dmp

memory/844-105-0x00007FF7F9270000-0x00007FF7F95C1000-memory.dmp

memory/4832-135-0x00007FF6A3280000-0x00007FF6A35D1000-memory.dmp

memory/4760-136-0x00007FF768B70000-0x00007FF768EC1000-memory.dmp

memory/844-147-0x00007FF7F9270000-0x00007FF7F95C1000-memory.dmp

memory/3364-146-0x00007FF630190000-0x00007FF6304E1000-memory.dmp

memory/2948-141-0x00007FF725840000-0x00007FF725B91000-memory.dmp

memory/2772-140-0x00007FF6546C0000-0x00007FF654A11000-memory.dmp

memory/4376-138-0x00007FF6CD2A0000-0x00007FF6CD5F1000-memory.dmp

memory/4072-133-0x00007FF7163F0000-0x00007FF716741000-memory.dmp

memory/4968-132-0x00007FF7DD380000-0x00007FF7DD6D1000-memory.dmp

memory/3712-148-0x00007FF65E860000-0x00007FF65EBB1000-memory.dmp

memory/4056-149-0x00007FF7E7770000-0x00007FF7E7AC1000-memory.dmp

memory/3280-167-0x00007FF72CB60000-0x00007FF72CEB1000-memory.dmp

memory/3636-169-0x00007FF7A1410000-0x00007FF7A1761000-memory.dmp

memory/368-168-0x00007FF68F020000-0x00007FF68F371000-memory.dmp

memory/3712-170-0x00007FF65E860000-0x00007FF65EBB1000-memory.dmp

memory/4956-193-0x00007FF68CAF0000-0x00007FF68CE41000-memory.dmp

memory/4968-195-0x00007FF7DD380000-0x00007FF7DD6D1000-memory.dmp

memory/1084-197-0x00007FF688A10000-0x00007FF688D61000-memory.dmp

memory/4072-213-0x00007FF7163F0000-0x00007FF716741000-memory.dmp

memory/4832-220-0x00007FF6A3280000-0x00007FF6A35D1000-memory.dmp

memory/3248-222-0x00007FF7C1DF0000-0x00007FF7C2141000-memory.dmp

memory/3748-224-0x00007FF7E2390000-0x00007FF7E26E1000-memory.dmp

memory/4760-231-0x00007FF768B70000-0x00007FF768EC1000-memory.dmp

memory/2636-236-0x00007FF63D270000-0x00007FF63D5C1000-memory.dmp

memory/4376-242-0x00007FF6CD2A0000-0x00007FF6CD5F1000-memory.dmp

memory/3452-240-0x00007FF639FF0000-0x00007FF63A341000-memory.dmp

memory/2948-239-0x00007FF725840000-0x00007FF725B91000-memory.dmp

memory/1000-235-0x00007FF63F680000-0x00007FF63F9D1000-memory.dmp

memory/3364-233-0x00007FF630190000-0x00007FF6304E1000-memory.dmp

memory/2268-227-0x00007FF6FDCB0000-0x00007FF6FE001000-memory.dmp

memory/2772-229-0x00007FF6546C0000-0x00007FF654A11000-memory.dmp

memory/844-244-0x00007FF7F9270000-0x00007FF7F95C1000-memory.dmp

memory/4056-246-0x00007FF7E7770000-0x00007FF7E7AC1000-memory.dmp

memory/3280-248-0x00007FF72CB60000-0x00007FF72CEB1000-memory.dmp

memory/368-250-0x00007FF68F020000-0x00007FF68F371000-memory.dmp

memory/3636-254-0x00007FF7A1410000-0x00007FF7A1761000-memory.dmp
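
Each memory/<pid>-<seq>-<start>-<end> entry above names a dumped region. Subtracting the addresses gives 0x351000 bytes for the main region of PID 3712 and of every one of the 21 children, each at its own 0x7FF6/0x7FF7 base, while 3712's second region (0x1D63D0A0000) is 0x10000 bytes. An identical mapped image size across parent and all children, with the per-file hashes all differing, is consistent with each dropped file being a rebuilt copy of the same program rather than 21 distinct payloads; that is an inference from the sizes, not something the report states. The Python below is an added example, not the sandbox's code: it parses a subset of the entries copied from the list above, takes each process's largest region as its image, groups PIDs by image size, and joins PIDs to the image names given in the WriteProcessMemory table. PID_IMAGE is assembled from that table; the seq field is assumed to be the sandbox's dump ordinal.

```python
"""Memory-region consistency check over the memory/... dump names above.

Added example, not the sandbox's code. MEMORY_DUMPS is a subset of the entries
copied from the Files list; PID_IMAGE is assembled from the WriteProcessMemory
table; 'seq' is assumed to be the sandbox's dump ordinal.
"""
import re
from collections import defaultdict
from typing import NamedTuple

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

MEMORY_DUMPS = """\
memory/3712-0-0x00007FF65E860000-0x00007FF65EBB1000-memory.dmp
memory/3712-1-0x000001D63D0A0000-0x000001D63D0B0000-memory.dmp
memory/4956-14-0x00007FF68CAF0000-0x00007FF68CE41000-memory.dmp
memory/4968-21-0x00007FF7DD380000-0x00007FF7DD6D1000-memory.dmp
memory/1084-23-0x00007FF688A10000-0x00007FF688D61000-memory.dmp
memory/4072-32-0x00007FF7163F0000-0x00007FF716741000-memory.dmp
memory/3748-87-0x00007FF7E2390000-0x00007FF7E26E1000-memory.dmp
memory/3712-102-0x00007FF65E860000-0x00007FF65EBB1000-memory.dmp
memory/3636-128-0x00007FF7A1410000-0x00007FF7A1761000-memory.dmp
memory/4956-193-0x00007FF68CAF0000-0x00007FF68CE41000-memory.dmp
memory/3636-254-0x00007FF7A1410000-0x00007FF7A1761000-memory.dmp
""".split()

# PID -> image, from the 'wrote to memory of' rows (3712 is the submitted sample).
PID_IMAGE = {3712: "poet-rat sample", 4956: "xEggfcW.exe", 4968: "bMeRKpF.exe",
             4072: "CgschQb.exe", 1084: "ejdthVn.exe", 3748: "VIsdGzN.exe", 3636: "jdpFuOY.exe"}


class Dump(NamedTuple):
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump(name: str) -> Dump:
    """'memory/3712-0-0x...-0x...-memory.dmp' -> Dump(pid, seq, start, end)."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"not a dump name: {name}")
    pid, seq, start, end = m.groups()
    return Dump(int(pid), int(seq), int(start, 16), int(end, 16))


def main_regions(names) -> dict:
    """pid -> (base, size) of the largest region dumped for that PID (its image)."""
    best: dict = {}
    for d in map(parse_dump, names):
        if d.pid not in best or d.size > best[d.pid][1]:
            best[d.pid] = (d.start, d.size)
    return best


def size_classes(names) -> dict:
    """image size -> sorted PIDs; a single key means every process maps the same-sized image."""
    classes = defaultdict(list)
    for pid, (_, size) in main_regions(names).items():
        classes[size].append(pid)
    return {size: sorted(pids) for size, pids in classes.items()}


def dump_sequence(names, pid: int) -> list:
    """Ordinals at which a PID's main region was dumped (first sight to last)."""
    base, size = main_regions(names)[pid]
    return sorted(d.seq for d in map(parse_dump, names)
                  if d.pid == pid and (d.start, d.size) == (base, size))


if __name__ == "__main__":
    for pid, (base, size) in sorted(main_regions(MEMORY_DUMPS).items()):
        print(f"{pid:>5} {PID_IMAGE.get(pid, '?'):<16} base=0x{base:X} size=0x{size:X} "
              f"dumps={dump_sequence(MEMORY_DUMPS, pid)}")
    for size, pids in size_classes(MEMORY_DUMPS).items():
        print(f"size 0x{size:X}: {len(pids)} processes {pids}")
```

Run stand-alone it prints one size class, 0x351000, holding all seven PIDs in the subset, and shows that 3712's image was still mapped at ordinal 102 after its children were dumped. The same grouping over the full list gives one class of 22 processes; a second class would point at a child that unpacked or loaded something the parent did not.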

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 11:51

Reported

2024-08-06 11:54

Platform

win7-20240708-en

Max time kernel

141s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 matches (description, indicator, process and target not recorded)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
38 matches (description, indicator, process and target not recorded)

Loads dropped DLL

Description Indicator Process Target
21 entries; Process is C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe in every row (description, indicator and target DLL not recorded)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\QwcaTYs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pqJybaE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wwmCRKj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bhlkcyj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GBweaEr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BQWObfq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HwTvOld.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zFguzmo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hVfkmrY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vzeZYDt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UrWgsAD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vZQPywq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yzjaiEh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LsLuWFb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YKCYHjK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KJMOKvf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dVLZRqg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dauVPsr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ynmFQNI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kFCeIlT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tkmanyS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1992 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GBweaEr.exe
PID 1992 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GBweaEr.exe
PID 1992 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GBweaEr.exe
PID 1992 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dVLZRqg.exe
PID 1992 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dVLZRqg.exe
PID 1992 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dVLZRqg.exe
PID 1992 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vzeZYDt.exe
PID 1992 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vzeZYDt.exe
PID 1992 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vzeZYDt.exe
PID 1992 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UrWgsAD.exe
PID 1992 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UrWgsAD.exe
PID 1992 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UrWgsAD.exe
PID 1992 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vZQPywq.exe
PID 1992 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vZQPywq.exe
PID 1992 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vZQPywq.exe
PID 1992 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QwcaTYs.exe
PID 1992 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QwcaTYs.exe
PID 1992 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QwcaTYs.exe
PID 1992 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yzjaiEh.exe
PID 1992 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yzjaiEh.exe
PID 1992 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yzjaiEh.exe
PID 1992 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dauVPsr.exe
PID 1992 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dauVPsr.exe
PID 1992 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dauVPsr.exe
PID 1992 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ynmFQNI.exe
PID 1992 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ynmFQNI.exe
PID 1992 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ynmFQNI.exe
PID 1992 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BQWObfq.exe
PID 1992 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BQWObfq.exe
PID 1992 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BQWObfq.exe
PID 1992 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kFCeIlT.exe
PID 1992 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kFCeIlT.exe
PID 1992 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kFCeIlT.exe
PID 1992 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HwTvOld.exe
PID 1992 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HwTvOld.exe
PID 1992 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HwTvOld.exe
PID 1992 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LsLuWFb.exe
PID 1992 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LsLuWFb.exe
PID 1992 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LsLuWFb.exe
PID 1992 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zFguzmo.exe
PID 1992 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zFguzmo.exe
PID 1992 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zFguzmo.exe
PID 1992 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hVfkmrY.exe
PID 1992 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hVfkmrY.exe
PID 1992 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hVfkmrY.exe
PID 1992 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pqJybaE.exe
PID 1992 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pqJybaE.exe
PID 1992 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pqJybaE.exe
PID 1992 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tkmanyS.exe
PID 1992 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tkmanyS.exe
PID 1992 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tkmanyS.exe
PID 1992 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wwmCRKj.exe
PID 1992 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wwmCRKj.exe
PID 1992 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wwmCRKj.exe
PID 1992 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bhlkcyj.exe
PID 1992 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bhlkcyj.exe
PID 1992 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bhlkcyj.exe
PID 1992 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YKCYHjK.exe
PID 1992 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YKCYHjK.exe
PID 1992 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YKCYHjK.exe
PID 1992 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KJMOKvf.exe
PID 1992 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KJMOKvf.exe
PID 1992 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KJMOKvf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\GBweaEr.exe

C:\Windows\System\GBweaEr.exe

C:\Windows\System\dVLZRqg.exe

C:\Windows\System\dVLZRqg.exe

C:\Windows\System\vzeZYDt.exe

C:\Windows\System\vzeZYDt.exe

C:\Windows\System\UrWgsAD.exe

C:\Windows\System\UrWgsAD.exe

C:\Windows\System\vZQPywq.exe

C:\Windows\System\vZQPywq.exe

C:\Windows\System\QwcaTYs.exe

C:\Windows\System\QwcaTYs.exe

C:\Windows\System\yzjaiEh.exe

C:\Windows\System\yzjaiEh.exe

C:\Windows\System\dauVPsr.exe

C:\Windows\System\dauVPsr.exe

C:\Windows\System\ynmFQNI.exe

C:\Windows\System\ynmFQNI.exe

C:\Windows\System\BQWObfq.exe

C:\Windows\System\BQWObfq.exe

C:\Windows\System\kFCeIlT.exe

C:\Windows\System\kFCeIlT.exe

C:\Windows\System\HwTvOld.exe

C:\Windows\System\HwTvOld.exe

C:\Windows\System\LsLuWFb.exe

C:\Windows\System\LsLuWFb.exe

C:\Windows\System\zFguzmo.exe

C:\Windows\System\zFguzmo.exe

C:\Windows\System\hVfkmrY.exe

C:\Windows\System\hVfkmrY.exe

C:\Windows\System\pqJybaE.exe

C:\Windows\System\pqJybaE.exe

C:\Windows\System\tkmanyS.exe

C:\Windows\System\tkmanyS.exe

C:\Windows\System\wwmCRKj.exe

C:\Windows\System\wwmCRKj.exe

C:\Windows\System\bhlkcyj.exe

C:\Windows\System\bhlkcyj.exe

C:\Windows\System\YKCYHjK.exe

C:\Windows\System\YKCYHjK.exe

C:\Windows\System\KJMOKvf.exe

C:\Windows\System\KJMOKvf.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/1992-0-0x000000013F440000-0x000000013F791000-memory.dmp

memory/1992-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\GBweaEr.exe

MD5 b810faa5bb99f40ec80baf22e704b3f5
SHA1 cd1d2d04cc229e53ec3819f90c5f3a21886b0569
SHA256 9c4aa51fe1772e9baecf4704ae0419e9d0d0511dba2b167f780937c5441870ee
SHA512 ed9960f3ac525bee1d31d47f70ec04200184d732ce44b2c312cd83135bb94ebbd83f563616950d74ead37184f9a181ef6f1cc6bd7fdda6b12243cb34f803cf42

memory/1992-6-0x000000013FAF0000-0x000000013FE41000-memory.dmp

memory/2376-8-0x000000013FAF0000-0x000000013FE41000-memory.dmp

\Windows\system\dVLZRqg.exe

MD5 5b329e876dbde0f339d56817a2260976
SHA1 a1651ac85f940810169038c3d826c5a379760121
SHA256 c6358c9754c97e13b172ad4bdafed11f82bb860906e08175a85e6f376755e3c0
SHA512 c9a63ea709d47020490b31338dd6302c7ff710586d9315dd8f8e91be7ebc0e66b78e7f4204d16f1c1bdd1a35fef49964de682b73382e16a5a4144610ded42a43

C:\Windows\system\vzeZYDt.exe

MD5 ac1f797058b38591df1f6ae337e01c10
SHA1 ed6c55686978e4e9afa0cbe2928af308e69034b9
SHA256 4110bf0adc45c3bdc19780f96e4cd4455752e4f9276be35943a9479e39922e5a
SHA512 f358d99b1fca762ee11a73d42c682035c61f721ee5e650cd04330e30a6eaadaf41af426a2a5573bdc3db1d1b4df65d3a37c36eb3e7b0b3bf0f5b25060810ac5e

C:\Windows\system\UrWgsAD.exe

MD5 cb84558d08a0902f3d1f870a3697db71
SHA1 ab09f9e82ac3726bc9ed8edfe0ff7d6510661b63
SHA256 4c702cf84391fce15897eb2d5f9d460da185422f73e9651c500766673119522a
SHA512 fc3b220ea2fe56ef72dbaec75b5f7959cfefbb04e0002232c69aaaf29193057ff594954cc94a1c733cfefad462c5ecb2eba35aac657a82c505b59d5323b50d53

C:\Windows\system\vZQPywq.exe

MD5 4c1b6f52e8df6b33ef1ef16bae5c8c1d
SHA1 d3cad2b403c171b086d916b49eb64dd6d309e450
SHA256 db742a7a6ce66bd88c6bb8c6975f2c53f7d60aafc3f813d479a64cfa2960047a
SHA512 52360fc6d288fc98309d78ddfbf86e7dd54b46a0b303bb5721f126eac524316cfaa1b7c0b224a7daf19db37c70c04023e1d50373045a4f3cf9b38dde7ff48841

C:\Windows\system\QwcaTYs.exe

MD5 cc2853bd874b6edad8091c05f986f1f5
SHA1 a1044178234abb919ed9250ff4ce27f1d017e92b
SHA256 a70d3a58b43d45ee33b47ce1f1be8bcf8684652cc9fcd1c4248a977faab00083
SHA512 ad04887ff5fa0676633797021159bbbd0db748cc27c76911acb6a6d7fb029825afd06a3c1e1bac94b518a83f6cffb2a651303f6769e78dc3ae0229fa597fef19

C:\Windows\system\yzjaiEh.exe

MD5 067a99d0cb342041a679930b4fb3ae59
SHA1 537921854c6fcba6f2b8d6cc3844f983added5da
SHA256 495a448f2159f296f4baef285fe04e736e09ad71cab01e797f6c025550edc6d9
SHA512 47a65b16dd4b37a3aed92d8ab3b51464b3a3c41bab1a9b314211e1dd5769db2594c2a6f54a026ef129d37a97fc0ca0ae6d03839a282ef2eba395e1a7af3e3abb

C:\Windows\system\ynmFQNI.exe

MD5 010ae16ad2df9e235d5f84246e10626c
SHA1 cddc60a9144cc1404f0e96f432086918c5a9241a
SHA256 cddf22b99087e53da2862f0862ba59d1d502f38ef1be59ed0259de2d937c02d2
SHA512 aa0ce9954e1ae017d90f24200c9bc40a8e8aeee9df67a327200ae73ad67d3d76309742b0d642a6499c9d541a1e7483b55e21a63669f2bd94e6ad0f4d33d7b61c

C:\Windows\system\BQWObfq.exe

MD5 889be062d8347c71897e18341dd19df1
SHA1 527117064a949b7cadcb30dd1ca662a2fb4fa29d
SHA256 02e667072d2cdbab10bfb2571e1a7bae0db84694019eded6b203b72f700f0469
SHA512 0cf3b1fd565bedce52d451d273242e28f3ad39f6aacafafef6c45b9c019b2c8ba5461125fd7f30a17f2cbd18515fe39b2c56fb968f0084db51ba1c44457dc274

C:\Windows\system\bhlkcyj.exe

MD5 f1d6ebd75f5b9e5859c851046e031f5f
SHA1 b7309693b72eadb9a67e5aa959413249a96b3e34
SHA256 831b5979b53203eb56571d8ecfd6c9771f64fe9c68efe11e47fa50140ecb3efa
SHA512 40dc3be56fdbaf98c3ad9cb5b5b651711ffe501ae224f6935ee75bc6ade95f1768e7ed27cbe2b6e21eff463090c04b6c274d15d64f81610fd99b14fe28933a07

\Windows\system\KJMOKvf.exe

MD5 43c401ac8c1cb4693786ef3ce54a0f78
SHA1 5c73257c02edb78d7def2d94748ff0b0485dcc09
SHA256 4aabb7d1182f57ece90420eb6acc458ab6aa9fc556f8f0a4877c218fa9faf1e3
SHA512 4adfa01250ade02d919b947863262e3e02fbb6cad3227ef68fc873988be4dbd424be8beb49be25bf656f4f098a02e04fb69ac566d81b9d491198d3b8165b3fe9

C:\Windows\system\YKCYHjK.exe

MD5 f14c64af847ddf025b4440132309b478
SHA1 fb92e6d0c32410646a842ef958122cdb41644ead
SHA256 065d982c9fdcdab85e9571dfd50ab630e58e02c1cdfdf0b66a60ad277f3ee74d
SHA512 d758fa826c4befcbcb7a5e67e327e95f498bc37c65192c7623332d06f8c7491037de2691c9409052f6f86ef8417879b06ed954af0f74bf87ea7b2b46bdbc5f9d

C:\Windows\system\wwmCRKj.exe

MD5 642f1d5faa8ab06c4500a4f192b95259
SHA1 e919ce6832993e4b71989db4b34ae49e418e638f
SHA256 af40019db09c96ecf952d4defa4a893a942d61287bbc09554b374782962a008c
SHA512 b5870a9b0d2bc153392195ca4938d58bc89ca3a8baef91696bf822cec758c06df0528e26c4def292e5165f82266b4576f7f0d02ac1f50f6ec021d9e3900d5f5e

C:\Windows\system\tkmanyS.exe

MD5 97c78a1aa97a45cff15c1e1f21b1b9ef
SHA1 6e20e2076c3d9b3d4cf21785062683ca95381b3e
SHA256 fdfa406fcf840f92ca850cbdf9423a3f301151b590829f9056cddee0610cb48b
SHA512 f00fac523aae1e0e46c8512f24e6450cd6d0dbd9a63ea3b0f04508cbaf951dd2ead660f9df231ef733767d3b90d138a853f9c09c824b46cb69c34e395891023a

C:\Windows\system\pqJybaE.exe

MD5 8b7b143d01784f059bba8c317469c94f
SHA1 9f3b8680e77a7afe8e9f738198360401e2004058
SHA256 e4556d0724dee3300abf8f90f5a92333406fd486c8826ba0fba2f9878a658ae9
SHA512 86d85618a3204022fd78758ac499c3989b0d716b1f25f6d35c22e4ff74802a814bdc865c055d47f145cd4ef004362f1e7aabef5ab9876027d745f45c6f91eb07

C:\Windows\system\hVfkmrY.exe

MD5 f8eb7afd64d091c5f22ceedfa1b5124a
SHA1 6aec959f18960c62dedac8baba156e4da7a39d14
SHA256 10e387ddc23a88524cfe55d7c0cfbbf165bcf8b08916262e98446d002151a05b
SHA512 5f3e016a1b84cbdaa2da5d0d4024d5da621803a9816e762a3358e9b20200b96954be21b50042b26a6d134e04dc0f0d14787f40b7970649f769a5b11f9b689338

C:\Windows\system\zFguzmo.exe

MD5 9f54532387e8ef26f97e83447e79dd24
SHA1 23f229bab8fc975aa712b3d6fbd9401438010366
SHA256 1f5ab62fce28c8bf1c4989be27c547f6f69670d5226cc19495c5e1d507741dd8
SHA512 036b77d0260af1beb0389124636b0ba85927e56719d817b5c17e1a0585c69d394f9d51afc1e39c89fc21663ad0fe7e8295afda801cca748172bf0507532921e0

C:\Windows\system\LsLuWFb.exe

MD5 2cd1a02b88101e4dec31814c6fcc84af
SHA1 ecfc1331102fce038ecdd4dd7fd4e5cb487b81ad
SHA256 3ed190c748c191b7b26dd7775ae95cce0f60130b845b94d54722667bd568c2f8
SHA512 5e17a90083d9379119709e57b3b186fed6d720382951f4c25f7839269423b8dccd48f237fccbbb2035b02155c83c05259ada46ab9d36081c1d5cae4c90ac6534

C:\Windows\system\HwTvOld.exe

MD5 b19c67cfd39bcb2a8d74a78c6c80dbbd
SHA1 0c691c444701c8f183c08b90ea074f61464ae61b
SHA256 adcf26b5aba8c5c87649cb539aff9ec2ed4d4c0a5c407e1ec4ef6a88b23b322d
SHA512 034b3da187d1fc88c3935028c7687c96572bc57226ac8ce7528ddb6888cfc44b48893035d6e925d367c34b960df0274624bf56098dc43a2c32f19229ec9fc7df

C:\Windows\system\kFCeIlT.exe

MD5 62632baf7dfb012913277f10c4586406
SHA1 d3199ba1990544c7e550a829ef850078cace985a
SHA256 19f87aad2f771e1c0733fc45384e386c2e5cc586259eeca8b8d7030312df4bfa
SHA512 75d310f5cc243412d3aafee4beb59c6cba31af1a71b42c6370da5c472eb9668e57859f4a2f3c278960a5d33fad3b860611bb7d004380171336c8888c1d9b1433

C:\Windows\system\dauVPsr.exe

MD5 f7523b8c3f001c8c9242a8c97c7db9e9
SHA1 341f44ce67f50b9b0bcaaf08412d5f30a17a88bd
SHA256 bd88c8e6e9eade41d59fcd8d5d992c126cbb252ea211bdfc8a47cc3e19138aae
SHA512 257d7ee85658e72f4976b0dfe7757b1c66ca27a57ade4e9aabfe6833db80aac4a5b9b4523537b1494039922cb6469d5d68f131ac209e1d23d6a28cb671108823

memory/2404-90-0x000000013F5D0000-0x000000013F921000-memory.dmp

memory/2752-108-0x000000013F7F0000-0x000000013FB41000-memory.dmp

memory/2736-122-0x000000013F640000-0x000000013F991000-memory.dmp

memory/1992-107-0x000000013F7F0000-0x000000013FB41000-memory.dmp

memory/2908-124-0x000000013F8F0000-0x000000013FC41000-memory.dmp

memory/1992-125-0x000000013F860000-0x000000013FBB1000-memory.dmp

memory/1992-123-0x000000013F8F0000-0x000000013FC41000-memory.dmp

memory/3056-112-0x000000013F940000-0x000000013FC91000-memory.dmp

memory/2748-129-0x000000013F3C0000-0x000000013F711000-memory.dmp

memory/2852-128-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

memory/1992-127-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

memory/2936-126-0x000000013F860000-0x000000013FBB1000-memory.dmp

memory/1992-111-0x000000013F940000-0x000000013FC91000-memory.dmp

memory/2820-110-0x000000013FBE0000-0x000000013FF31000-memory.dmp

memory/1992-109-0x000000013FBE0000-0x000000013FF31000-memory.dmp

memory/572-104-0x000000013F1C0000-0x000000013F511000-memory.dmp

memory/2928-101-0x000000013F080000-0x000000013F3D1000-memory.dmp

memory/1992-99-0x000000013F080000-0x000000013F3D1000-memory.dmp

memory/2068-97-0x000000013F5A0000-0x000000013F8F1000-memory.dmp

memory/1992-92-0x00000000023E0000-0x0000000002731000-memory.dmp

memory/2096-89-0x000000013F6E0000-0x000000013FA31000-memory.dmp

memory/1992-130-0x000000013F440000-0x000000013F791000-memory.dmp

memory/2376-131-0x000000013FAF0000-0x000000013FE41000-memory.dmp

memory/2404-133-0x000000013F5D0000-0x000000013F921000-memory.dmp

memory/2668-145-0x000000013F440000-0x000000013F791000-memory.dmp

memory/2688-147-0x000000013FFE0000-0x0000000140331000-memory.dmp

memory/680-150-0x000000013F0F0000-0x000000013F441000-memory.dmp

memory/2784-149-0x000000013F3F0000-0x000000013F741000-memory.dmp

memory/2504-148-0x000000013F460000-0x000000013F7B1000-memory.dmp

memory/2628-146-0x000000013F220000-0x000000013F571000-memory.dmp

memory/2736-140-0x000000013F640000-0x000000013F991000-memory.dmp

memory/2820-138-0x000000013FBE0000-0x000000013FF31000-memory.dmp

memory/572-136-0x000000013F1C0000-0x000000013F511000-memory.dmp

memory/2068-134-0x000000013F5A0000-0x000000013F8F1000-memory.dmp

memory/2096-132-0x000000013F6E0000-0x000000013FA31000-memory.dmp

memory/1420-151-0x000000013F880000-0x000000013FBD1000-memory.dmp

memory/1992-152-0x000000013F440000-0x000000013F791000-memory.dmp

memory/1992-153-0x000000013F440000-0x000000013F791000-memory.dmp

memory/1992-175-0x000000013FAF0000-0x000000013FE41000-memory.dmp

memory/2376-221-0x000000013FAF0000-0x000000013FE41000-memory.dmp

memory/2928-226-0x000000013F080000-0x000000013F3D1000-memory.dmp

memory/3056-229-0x000000013F940000-0x000000013FC91000-memory.dmp

memory/2908-232-0x000000013F8F0000-0x000000013FC41000-memory.dmp

memory/2852-233-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

memory/2752-227-0x000000013F7F0000-0x000000013FB41000-memory.dmp

memory/2404-223-0x000000013F5D0000-0x000000013F921000-memory.dmp

memory/2096-236-0x000000013F6E0000-0x000000013FA31000-memory.dmp

memory/572-243-0x000000013F1C0000-0x000000013F511000-memory.dmp

memory/2068-241-0x000000013F5A0000-0x000000013F8F1000-memory.dmp

memory/2748-249-0x000000013F3C0000-0x000000013F711000-memory.dmp

memory/2736-247-0x000000013F640000-0x000000013F991000-memory.dmp

memory/2820-245-0x000000013FBE0000-0x000000013FF31000-memory.dmp

memory/2936-253-0x000000013F860000-0x000000013FBB1000-memory.dmp