Malware Analysis Report

2025-01-22 19:30

Sample ID 240806-n27xhssdjb
Target 2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat
SHA256 a395987f48e112b908c89dac8364840a31dae010403d2889ddf2eaddfff85c29
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a395987f48e112b908c89dac8364840a31dae010403d2889ddf2eaddfff85c29

Threat Level: Known bad

The file 2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike

Xmrig family

Cobaltstrike family

xmrig

XMRig Miner payload

Cobalt Strike reflective loader

XMRig Miner payload

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 11:54

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(1 hit; all fields N/A)

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
(1 hit; all fields N/A)

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
(1 hit; all fields N/A)

Unsigned PE

Description Indicator Process Target
(2 hits; all fields N/A)

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 11:54

Reported

2024-08-06 11:57

Platform

win7-20240708-en

Max time kernel

140s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 hits; all fields N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(46 hits; all fields N/A)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
(21 identical rows; one shown)

UPX packed file

upx
Description Indicator Process Target
(64 hits; all fields N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\jJxbTSz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FyJMxlT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MDQRSxT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pOjmaqa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rOOXktf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GsKNOBR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nGLaOtH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mGznUdA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DygLeSO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PCcahrv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YdyFFpK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oFiedFK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RbVWxoS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kgMfenE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fQTpVDO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Emropju.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ojVbzpZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZexJNCW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YQvbivR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sXmJALr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\poXinzs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(three identical write events per target PID; one row shown per target)
PID 1992 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jJxbTSz.exe
PID 1992 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ojVbzpZ.exe
PID 1992 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GsKNOBR.exe
PID 1992 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nGLaOtH.exe
PID 1992 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FyJMxlT.exe
PID 1992 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mGznUdA.exe
PID 1992 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oFiedFK.exe
PID 1992 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MDQRSxT.exe
PID 1992 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RbVWxoS.exe
PID 1992 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kgMfenE.exe
PID 1992 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZexJNCW.exe
PID 1992 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YQvbivR.exe
PID 1992 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DygLeSO.exe
PID 1992 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fQTpVDO.exe
PID 1992 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pOjmaqa.exe
PID 1992 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Emropju.exe
PID 1992 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sXmJALr.exe
PID 1992 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PCcahrv.exe
PID 1992 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rOOXktf.exe
PID 1992 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YdyFFpK.exe
PID 1992 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\poXinzs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\jJxbTSz.exe

C:\Windows\System\jJxbTSz.exe

C:\Windows\System\ojVbzpZ.exe

C:\Windows\System\ojVbzpZ.exe

C:\Windows\System\GsKNOBR.exe

C:\Windows\System\GsKNOBR.exe

C:\Windows\System\nGLaOtH.exe

C:\Windows\System\nGLaOtH.exe

C:\Windows\System\FyJMxlT.exe

C:\Windows\System\FyJMxlT.exe

C:\Windows\System\mGznUdA.exe

C:\Windows\System\mGznUdA.exe

C:\Windows\System\oFiedFK.exe

C:\Windows\System\oFiedFK.exe

C:\Windows\System\MDQRSxT.exe

C:\Windows\System\MDQRSxT.exe

C:\Windows\System\RbVWxoS.exe

C:\Windows\System\RbVWxoS.exe

C:\Windows\System\kgMfenE.exe

C:\Windows\System\kgMfenE.exe

C:\Windows\System\ZexJNCW.exe

C:\Windows\System\ZexJNCW.exe

C:\Windows\System\YQvbivR.exe

C:\Windows\System\YQvbivR.exe

C:\Windows\System\DygLeSO.exe

C:\Windows\System\DygLeSO.exe

C:\Windows\System\fQTpVDO.exe

C:\Windows\System\fQTpVDO.exe

C:\Windows\System\pOjmaqa.exe

C:\Windows\System\pOjmaqa.exe

C:\Windows\System\Emropju.exe

C:\Windows\System\Emropju.exe

C:\Windows\System\sXmJALr.exe

C:\Windows\System\sXmJALr.exe

C:\Windows\System\PCcahrv.exe

C:\Windows\System\PCcahrv.exe

C:\Windows\System\rOOXktf.exe

C:\Windows\System\rOOXktf.exe

C:\Windows\System\YdyFFpK.exe

C:\Windows\System\YdyFFpK.exe

C:\Windows\System\poXinzs.exe

C:\Windows\System\poXinzs.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
(6 identical connections; one row shown)

Files

memory/1992-0-0x000000013FFF0000-0x0000000140341000-memory.dmp

memory/1992-1-0x00000000001F0000-0x0000000000200000-memory.dmp

C:\Windows\system\jJxbTSz.exe

MD5 1cf65f6369e6f80f18ab8bac2e97ca5e
SHA1 fb9c8144bf590d9f05e92d9884d2c7201cbb0c1b
SHA256 c39833a822cb741c1ade099e5238b9bed924a6fd58086c3631891a95c57f919e
SHA512 754dfec7af6d199668daa465a3ff6d90e5382aa28f5908667408b8ef0fdb616691a3a7784cc6d0a948cf037082b1c69e48b177e58127da49e757cf1675f8ba77

\Windows\system\nGLaOtH.exe

MD5 a810fd829a91e91bffbd995087b83ee1
SHA1 21a35daf546f4acb79da92b4d27247fe51ec6974
SHA256 5a044410df687c8829059c57c8dd530e000c7fc27fc40cf05618e77c50752821
SHA512 2a8e7474350cb9fefa81cf9795272b930e2a85c1a55124c0a7351bde233c0737b763c423535b3c0280cd7d333b45354f693b3faa3ed6d21b34da3ed4b330f830

\Windows\system\GsKNOBR.exe

MD5 1f4bae9581cc90cafe8709885d437e38
SHA1 1fe596bf9b7f5d2437959dd879e1e06fbc87cd86
SHA256 bcb96fbc158bdf70120a689d6e3b4b7a86ace74b5b5815f867226c4885acad16
SHA512 1a7114de427efe6c78d02efc36ab6aca4409a9f6fa773c8c366bf46f46288936b514b550971c35b70635b2cae122d0a8d2f1d8f788fc834e06585d14c34e82b4

memory/2096-24-0x000000013F620000-0x000000013F971000-memory.dmp

memory/2928-35-0x000000013F170000-0x000000013F4C1000-memory.dmp

\Windows\system\mGznUdA.exe

MD5 3ee53e7819714c9cc446e4cf6801e72c
SHA1 24e56f45b11c2f5dbccb6bb944664eb37a9be8c7
SHA256 1e95b71bf1ea93e89a21c1f927ffb4e7695b9b9f886d7ad6a6651bb8eb66f09a
SHA512 b243582b0cdf20de00c9600291c9256c9ec6495ef4704852d85a107bb9061b9b4de0281233f01f0e855542df16b058430f063bb3aff021edbf4a96dabd4e3d68

memory/1992-37-0x000000013F240000-0x000000013F591000-memory.dmp

C:\Windows\system\FyJMxlT.exe

MD5 b6f037e3875e3beacedb89c51de6ee96
SHA1 ff28c65fc43259fd138cd1ed654d5d7b0119f378
SHA256 a1588d0d94df73e3ad06e8c3cc1649a942671c8ae8c0d8d469a2e58bafbfc1ea
SHA512 e1d1892442d3426ea267bcaf794ce98d8f11206809c4f1cfe077edd74e80578ec90990fbdf7ec45ae76988a6e7d4504a10c2598f44e88ca05c88659340ce2f6a

memory/2824-42-0x000000013F240000-0x000000013F591000-memory.dmp

memory/2404-33-0x000000013FE70000-0x00000001401C1000-memory.dmp

memory/2068-32-0x000000013F4D0000-0x000000013F821000-memory.dmp

C:\Windows\system\oFiedFK.exe

MD5 748e4f9701110c28bff8f3e8f608fd19
SHA1 f13be73ad7a33d2098a1032f71fa38ec3c80d664
SHA256 009678a800982e96aac9878594a2f354bcce67d45e96e967c3db7b0d32154466
SHA512 8cc10fa6ef6de6c7d87ca19312ae0f4aceb543aa02fbc9068ffb14997cd4bf1f90b7ef1a37dc8fa3341e59d04de154e61095280522d1609fc58cffdad2119b8d

memory/2764-47-0x000000013F970000-0x000000013FCC1000-memory.dmp

memory/1992-31-0x000000013F170000-0x000000013F4C1000-memory.dmp

memory/1992-27-0x000000013F4D0000-0x000000013F821000-memory.dmp

memory/1992-25-0x0000000002320000-0x0000000002671000-memory.dmp

memory/1992-16-0x000000013F620000-0x000000013F971000-memory.dmp

C:\Windows\system\ojVbzpZ.exe

MD5 69271f177c0e2703674d8c088cfd2caa
SHA1 af5762d1470bd3bcb27295e6256140f454410720
SHA256 c64ac2e06b4e912ddbb7a705f700e77320a96f91ec432bd001b76a4abc490e54
SHA512 65cc2114a8b6f7b4905a0ce28edbd66004419c916a5dc405f3dc8f103f8a38732c02326a2266739d1a36134043d7a5ade5d2ca7aa8190066d48edb722cad99a9

memory/2376-8-0x000000013FE30000-0x0000000140181000-memory.dmp

\Windows\system\MDQRSxT.exe

MD5 942f2e610fdd840ce432373bb54fa59f
SHA1 9bb738f63f32d065c0fa3026f29188e5ccac09a6
SHA256 6e96ebbf33f6b9f6f4a95572a3c74fb4ff41088412995ddf55592cee4002d131
SHA512 2b238dde67df2452a3ccfc138ce097bb1b1649fcf91a6630428c5cab691955a91a5c3dbe6344a9d8b3f94bf2780acf37ab89a7b35bc4722367edb6172e7843ed

memory/1992-55-0x000000013F7E0000-0x000000013FB31000-memory.dmp

memory/780-56-0x000000013F7E0000-0x000000013FB31000-memory.dmp

memory/1992-61-0x000000013FFF0000-0x0000000140341000-memory.dmp

memory/1992-63-0x000000013F210000-0x000000013F561000-memory.dmp

C:\Windows\system\RbVWxoS.exe

MD5 fbec11f635d5cdfa92ef9d1e6045d86f
SHA1 5e2961976b899ad0c0706f443c0a719e582c2a43
SHA256 9766b3cba12972cedba3308992c593b10097fd3171d0d10d250f846b31828156
SHA512 78723bfd6b684f5bcbec2e4405519c5450bd1d06987c7245010d6c8604c87072f76d95ef87be915df56aaf8c9c01be348c7379550ba07510ee753318adc257c4

memory/2476-64-0x000000013F210000-0x000000013F561000-memory.dmp

memory/2376-65-0x000000013FE30000-0x0000000140181000-memory.dmp

C:\Windows\system\kgMfenE.exe

MD5 46ad5cfc6cec631c94a672f4d4ccba47
SHA1 4472981b05b09790dbc05e7d9d58addf2c466f2a
SHA256 b09a2d88b02cd8a7887ceacde3c90ce1511edec695cf326ef2f60ca5e6a972c5
SHA512 73aaa6ed81a8f11e54201bb9e22ec1ed7bd84fc52f47ef43d1823de68ce7f2ccf179179778d6606c71f7dba62db812337960edb8de23b2ef8114c5836510d0c4

memory/2624-72-0x000000013F520000-0x000000013F871000-memory.dmp

memory/1992-71-0x000000013F520000-0x000000013F871000-memory.dmp

C:\Windows\system\ZexJNCW.exe

MD5 6251a36e3d33701541f84fe84b3dc689
SHA1 25ddd75f69bdb41b0ae77a192496c4c9278262a5
SHA256 e03224ee742e7ab9f90bfcb6f5d093b3844b373f3172214a832b0d810cca95a9
SHA512 1de530dd4f7dfb75cd6b935ebab5697237140f00977bd0c05ff916422e76034f1704fedabc77233a68c4e92eb9e274e90dd8bf076d035b338bfd9ff036285cce

\Windows\system\DygLeSO.exe

MD5 58101e12a412df5900c3d89445ae0de5
SHA1 5b91e4e415217ec4bba01eb96e6c1b2a56d02b35
SHA256 1b70d7cc010052ae3f59436063418343aa60d5276efc3476ad41481c53130586
SHA512 f2e35e0b3dac04cf10385676bcc647c8a11f95e0188ad176aeff2c7595750aecdc58271b347b594aef889501c638330c5e30578cca8ac4eb8d2878426e8c9755

\Windows\system\YQvbivR.exe

MD5 e519a115dcbbb7b07bbd76d20bdb4e55
SHA1 92949e7c023a8378bfef0d36fa5b54f9186b1cce
SHA256 a8b8a4b3b9f93fe3df2c2c96bcc616fbb083e1f10c02d6e103f595e2b0ee48d6
SHA512 c4fe15741abfabf2cd8f1555aea1b28ffcb264881b8c8da27f56d1da64371ed23b49e5aca2622fb0f9f4bda58ae6e143b01bbb640750d2ffd63496cba09a3670

C:\Windows\system\fQTpVDO.exe

MD5 5a81031a2f7450c99e5a31a078d9c18b
SHA1 349c28466f3fad49021455c2ca906e575923438e
SHA256 2fa22571fe22f5ec9ad67473f30a589987f654d6ece81a48b21e6f72181ad3ae
SHA512 6527cb20da03a793db03385e88975fc8871d02b731dc91f8628fca28b7e61b759775fc1b38d832c4eb9bb65538532a16639fd25a5b542ef0544eb2f947544863

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 11:54

Reported

2024-08-06 11:57

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\wQebiKU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yqfOVvT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YqrSWdA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JHwWygI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\omTkdxC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MzzipPB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AifFnKR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mmROltr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VGosjVs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vHennrh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NJgsEKx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JYssWgW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nVgaBlP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ISObBQO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nKBVPHw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kvOkbME.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pklsYMU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WhGHSLN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LLMldGU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vydhAxR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zeZTbil.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4120 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mmROltr.exe
PID 4120 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mmROltr.exe
PID 4120 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ISObBQO.exe
PID 4120 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ISObBQO.exe
PID 4120 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pklsYMU.exe
PID 4120 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pklsYMU.exe
PID 4120 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VGosjVs.exe
PID 4120 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VGosjVs.exe
PID 4120 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WhGHSLN.exe
PID 4120 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WhGHSLN.exe
PID 4120 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wQebiKU.exe
PID 4120 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wQebiKU.exe
PID 4120 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yqfOVvT.exe
PID 4120 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yqfOVvT.exe
PID 4120 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nKBVPHw.exe
PID 4120 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nKBVPHw.exe
PID 4120 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LLMldGU.exe
PID 4120 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LLMldGU.exe
PID 4120 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vHennrh.exe
PID 4120 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vHennrh.exe
PID 4120 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vydhAxR.exe
PID 4120 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vydhAxR.exe
PID 4120 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YqrSWdA.exe
PID 4120 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YqrSWdA.exe
PID 4120 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JHwWygI.exe
PID 4120 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JHwWygI.exe
PID 4120 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zeZTbil.exe
PID 4120 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zeZTbil.exe
PID 4120 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\omTkdxC.exe
PID 4120 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\omTkdxC.exe
PID 4120 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NJgsEKx.exe
PID 4120 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NJgsEKx.exe
PID 4120 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JYssWgW.exe
PID 4120 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JYssWgW.exe
PID 4120 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MzzipPB.exe
PID 4120 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MzzipPB.exe
PID 4120 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kvOkbME.exe
PID 4120 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kvOkbME.exe
PID 4120 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nVgaBlP.exe
PID 4120 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nVgaBlP.exe
PID 4120 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AifFnKR.exe
PID 4120 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AifFnKR.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\mmROltr.exe

C:\Windows\System\mmROltr.exe

C:\Windows\System\ISObBQO.exe

C:\Windows\System\ISObBQO.exe

C:\Windows\System\pklsYMU.exe

C:\Windows\System\pklsYMU.exe

C:\Windows\System\VGosjVs.exe

C:\Windows\System\VGosjVs.exe

C:\Windows\System\WhGHSLN.exe

C:\Windows\System\WhGHSLN.exe

C:\Windows\System\wQebiKU.exe

C:\Windows\System\wQebiKU.exe

C:\Windows\System\yqfOVvT.exe

C:\Windows\System\yqfOVvT.exe

C:\Windows\System\nKBVPHw.exe

C:\Windows\System\nKBVPHw.exe

C:\Windows\System\LLMldGU.exe

C:\Windows\System\LLMldGU.exe

C:\Windows\System\vHennrh.exe

C:\Windows\System\vHennrh.exe

C:\Windows\System\vydhAxR.exe

C:\Windows\System\vydhAxR.exe

C:\Windows\System\YqrSWdA.exe

C:\Windows\System\YqrSWdA.exe

C:\Windows\System\JHwWygI.exe

C:\Windows\System\JHwWygI.exe

C:\Windows\System\zeZTbil.exe

C:\Windows\System\zeZTbil.exe

C:\Windows\System\omTkdxC.exe

C:\Windows\System\omTkdxC.exe

C:\Windows\System\NJgsEKx.exe

C:\Windows\System\NJgsEKx.exe

C:\Windows\System\JYssWgW.exe

C:\Windows\System\JYssWgW.exe

C:\Windows\System\MzzipPB.exe

C:\Windows\System\MzzipPB.exe

C:\Windows\System\kvOkbME.exe

C:\Windows\System\kvOkbME.exe

C:\Windows\System\nVgaBlP.exe

C:\Windows\System\nVgaBlP.exe

C:\Windows\System\AifFnKR.exe

C:\Windows\System\AifFnKR.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 21.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 216.131.50.23.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files
