Malware Analysis Report

2025-01-22 19:30

Sample ID 240806-n4wx2aybrn
Target 2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat
SHA256 d31f27a9d8ed5d4ae6f7fedac59ecffb701d213fb79c3cb0a2f22e139c4a4089
Tags upx 0 miner cobaltstrike xmrig backdoor trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 d31f27a9d8ed5d4ae6f7fedac59ecffb701d213fb79c3cb0a2f22e139c4a4089

Threat Level: Known bad

The file 2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Cobaltstrike

Xmrig family

xmrig

Cobalt Strike reflective loader

Cobaltstrike family

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-08-06 11:57

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted 2024-08-06 11:57
Reported 2024-08-06 12:00
Platform win7-20240729-en
Max time kernel 142s
Max time network 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\uktXoAP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YHEILTq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EBoEGHq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sToFiGl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lMhRQnR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NyHVvso.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\woVToyr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mZbmofy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rhnuymr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xPDvEFu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gQNyQfX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PfdQlqh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zTsHDfQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VQXwNnW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xKWUCDN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hRcbtcq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NgEkwCO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cnhVKyR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rUHHuiR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\keENkcc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hcpTeDd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1884 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mZbmofy.exe
PID 1884 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rhnuymr.exe
PID 1884 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VQXwNnW.exe
PID 1884 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uktXoAP.exe
PID 1884 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xKWUCDN.exe
PID 1884 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rUHHuiR.exe
PID 1884 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xPDvEFu.exe
PID 1884 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EBoEGHq.exe
PID 1884 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\keENkcc.exe
PID 1884 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hRcbtcq.exe
PID 1884 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sToFiGl.exe
PID 1884 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hcpTeDd.exe
PID 1884 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lMhRQnR.exe
PID 1884 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NyHVvso.exe
PID 1884 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gQNyQfX.exe
PID 1884 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\woVToyr.exe
PID 1884 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NgEkwCO.exe
PID 1884 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cnhVKyR.exe
PID 1884 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PfdQlqh.exe
PID 1884 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YHEILTq.exe
PID 1884 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zTsHDfQ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\mZbmofy.exe

C:\Windows\System\rhnuymr.exe

C:\Windows\System\VQXwNnW.exe

C:\Windows\System\uktXoAP.exe

C:\Windows\System\xKWUCDN.exe

C:\Windows\System\rUHHuiR.exe

C:\Windows\System\xPDvEFu.exe

C:\Windows\System\EBoEGHq.exe

C:\Windows\System\keENkcc.exe

C:\Windows\System\hRcbtcq.exe

C:\Windows\System\sToFiGl.exe

C:\Windows\System\hcpTeDd.exe

C:\Windows\System\lMhRQnR.exe

C:\Windows\System\NyHVvso.exe

C:\Windows\System\gQNyQfX.exe

C:\Windows\System\woVToyr.exe

C:\Windows\System\NgEkwCO.exe

C:\Windows\System\cnhVKyR.exe

C:\Windows\System\PfdQlqh.exe

C:\Windows\System\YHEILTq.exe

C:\Windows\System\zTsHDfQ.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp


memory/1884-162-0x000000013F770000-0x000000013FAC1000-memory.dmp

memory/1884-163-0x000000013F1D0000-0x000000013F521000-memory.dmp

memory/1884-185-0x000000013FE60000-0x00000001401B1000-memory.dmp

memory/2752-209-0x000000013F3D0000-0x000000013F721000-memory.dmp

memory/2988-211-0x000000013F320000-0x000000013F671000-memory.dmp

memory/2676-213-0x000000013F1E0000-0x000000013F531000-memory.dmp

memory/1720-215-0x000000013FB40000-0x000000013FE91000-memory.dmp

memory/2576-217-0x000000013F0D0000-0x000000013F421000-memory.dmp

memory/2776-236-0x000000013F4D0000-0x000000013F821000-memory.dmp

memory/2572-238-0x000000013FDF0000-0x0000000140141000-memory.dmp

memory/2236-240-0x000000013FBE0000-0x000000013FF31000-memory.dmp

memory/1592-242-0x000000013FB70000-0x000000013FEC1000-memory.dmp

memory/2092-244-0x000000013F840000-0x000000013FB91000-memory.dmp

memory/3064-251-0x000000013FDC0000-0x0000000140111000-memory.dmp

memory/1696-256-0x000000013F3E0000-0x000000013F731000-memory.dmp

memory/3000-255-0x000000013F770000-0x000000013FAC1000-memory.dmp

memory/2060-253-0x000000013F150000-0x000000013F4A1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 11:57

Reported

2024-08-06 12:00

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
(21 identical N/A rows in the original table; no description, indicator, process or target was reported for this rule)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(45 identical N/A rows in the original table; no description, indicator, process or target was reported for this rule)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical N/A rows in the original table; no description, indicator, process or target was reported for this rule)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\wWskkzT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GFvWkXC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\InwrFWK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dtLqJOT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LqeuSOM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SUKtsIF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\csfLyff.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bGmsgKN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ibnOdma.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HKgTDjW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xlmAYEq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tDFEOrF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Zvcidul.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WUVCQuo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bdNdqMq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hAHQSLX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\siUBMnK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NjRlFTo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZBUBMoY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mWfJOhn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XXegSsr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1456 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wWskkzT.exe
PID 1456 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wWskkzT.exe
PID 1456 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\siUBMnK.exe
PID 1456 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\siUBMnK.exe
PID 1456 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NjRlFTo.exe
PID 1456 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NjRlFTo.exe
PID 1456 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\csfLyff.exe
PID 1456 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\csfLyff.exe
PID 1456 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tDFEOrF.exe
PID 1456 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tDFEOrF.exe
PID 1456 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GFvWkXC.exe
PID 1456 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GFvWkXC.exe
PID 1456 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bGmsgKN.exe
PID 1456 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bGmsgKN.exe
PID 1456 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\InwrFWK.exe
PID 1456 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\InwrFWK.exe
PID 1456 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ibnOdma.exe
PID 1456 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ibnOdma.exe
PID 1456 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZBUBMoY.exe
PID 1456 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZBUBMoY.exe
PID 1456 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HKgTDjW.exe
PID 1456 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HKgTDjW.exe
PID 1456 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Zvcidul.exe
PID 1456 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Zvcidul.exe
PID 1456 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xlmAYEq.exe
PID 1456 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xlmAYEq.exe
PID 1456 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mWfJOhn.exe
PID 1456 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mWfJOhn.exe
PID 1456 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dtLqJOT.exe
PID 1456 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dtLqJOT.exe
PID 1456 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XXegSsr.exe
PID 1456 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XXegSsr.exe
PID 1456 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LqeuSOM.exe
PID 1456 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LqeuSOM.exe
PID 1456 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bdNdqMq.exe
PID 1456 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bdNdqMq.exe
PID 1456 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WUVCQuo.exe
PID 1456 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WUVCQuo.exe
PID 1456 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SUKtsIF.exe
PID 1456 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SUKtsIF.exe
PID 1456 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hAHQSLX.exe
PID 1456 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hAHQSLX.exe
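
The two tables above record the same chain from both ends: the dropper creates a file under C:\Windows\System and, once that file is running as a child process, writes into its memory. The Python below is an added example, not part of the sandbox report or of the sample; it parses rows copied from those tables (three of the 21 children, to keep the excerpt short), collapses the doubled WriteProcessMemory events into one parent-to-child edge each, rebuilds the process tree, and cross-checks that every dropped file was also launched. The column layout the regular expressions assume (space-separated fields, no spaces inside paths) is an assumption about this report's formatting, not something the report states.

```python
import re
from collections import defaultdict

# Added example, not part of the report. PARENT is the sample's own path as the
# report prints it; the rows below are copied from the "Drops file in Windows
# directory" and "Suspicious use of WriteProcessMemory" tables above.
PARENT = (r"C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2"
          r"_cobalt-strike_cobaltstrike_poet-rat.exe")

DROP_ROWS = "\n".join([
    f"File created C:\\Windows\\System\\wWskkzT.exe {PARENT} N/A",
    f"File created C:\\Windows\\System\\GFvWkXC.exe {PARENT} N/A",
    f"File created C:\\Windows\\System\\siUBMnK.exe {PARENT} N/A",
])
# The report lists each write twice; the duplicates are reproduced here on purpose.
WPM_ROWS = "\n".join([
    f"PID 1456 wrote to memory of 3840 N/A {PARENT} C:\\Windows\\System\\wWskkzT.exe",
    f"PID 1456 wrote to memory of 3840 N/A {PARENT} C:\\Windows\\System\\wWskkzT.exe",
    f"PID 1456 wrote to memory of 3008 N/A {PARENT} C:\\Windows\\System\\siUBMnK.exe",
    f"PID 1456 wrote to memory of 3008 N/A {PARENT} C:\\Windows\\System\\siUBMnK.exe",
    f"PID 1456 wrote to memory of 2104 N/A {PARENT} C:\\Windows\\System\\GFvWkXC.exe",
    f"PID 1456 wrote to memory of 2104 N/A {PARENT} C:\\Windows\\System\\GFvWkXC.exe",
])

# Assumed row layout: "File created <path> <process> <target>" and
# "PID <ppid> wrote to memory of <cpid> <indicator> <process> <target>".
DROP_RE = re.compile(r"^File created (\S+) (\S+) (\S+)$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")


def parse_drops(text):
    """Map created file path -> process that created it."""
    drops = {}
    for line in text.splitlines():
        if m := DROP_RE.match(line.strip()):
            created, process, _target = m.groups()
            drops[created] = process
    return drops


def parse_writes(text):
    """Deduplicated (parent_pid, child_pid, parent_path, child_path) edges, sorted by pid."""
    edges = set()
    for line in text.splitlines():
        if m := WPM_RE.match(line.strip()):
            ppid, cpid, _indicator, process, target = m.groups()
            edges.add((int(ppid), int(cpid), process, target))
    return sorted(edges)


def process_tree(edges):
    """parent_pid -> list of (child_pid, child_path), in child pid order."""
    tree = defaultdict(list)
    for ppid, cpid, _process, target in edges:
        tree[ppid].append((cpid, target))
    return dict(tree)


def launched_drops(drops, edges):
    """Dropped files that the dropper then wrote into as a live child process: path -> child pid."""
    written = {target: cpid for _ppid, cpid, _process, target in edges}
    return {path: written[path] for path in drops if path in written}


def unlaunched_drops(drops, edges):
    """Dropped files with no matching WriteProcessMemory target."""
    written = {target for *_rest, target in edges}
    return sorted(path for path in drops if path not in written)


if __name__ == "__main__":
    drops, edges = parse_drops(DROP_ROWS), parse_writes(WPM_ROWS)
    for ppid, children in process_tree(edges).items():
        print(f"PID {ppid} ->", ", ".join(f"{cpid} {path}" for cpid, path in children))
    print("dropped and launched:", launched_drops(drops, edges))
    print("dropped but not launched:", unlaunched_drops(drops, edges))
```

In the full behavioral2 tables the 21 paths in the drops table and the 21 WriteProcessMemory targets are the same set, so on the complete report the cross-check returns no unlaunched drops; a dropped file with no matching write would be the case worth a second look.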

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\wWskkzT.exe

C:\Windows\System\wWskkzT.exe

C:\Windows\System\siUBMnK.exe

C:\Windows\System\siUBMnK.exe

C:\Windows\System\NjRlFTo.exe

C:\Windows\System\NjRlFTo.exe

C:\Windows\System\csfLyff.exe

C:\Windows\System\csfLyff.exe

C:\Windows\System\tDFEOrF.exe

C:\Windows\System\tDFEOrF.exe

C:\Windows\System\GFvWkXC.exe

C:\Windows\System\GFvWkXC.exe

C:\Windows\System\bGmsgKN.exe

C:\Windows\System\bGmsgKN.exe

C:\Windows\System\InwrFWK.exe

C:\Windows\System\InwrFWK.exe

C:\Windows\System\ibnOdma.exe

C:\Windows\System\ibnOdma.exe

C:\Windows\System\ZBUBMoY.exe

C:\Windows\System\ZBUBMoY.exe

C:\Windows\System\HKgTDjW.exe

C:\Windows\System\HKgTDjW.exe

C:\Windows\System\Zvcidul.exe

C:\Windows\System\Zvcidul.exe

C:\Windows\System\xlmAYEq.exe

C:\Windows\System\xlmAYEq.exe

C:\Windows\System\mWfJOhn.exe

C:\Windows\System\mWfJOhn.exe

C:\Windows\System\dtLqJOT.exe

C:\Windows\System\dtLqJOT.exe

C:\Windows\System\XXegSsr.exe

C:\Windows\System\XXegSsr.exe

C:\Windows\System\LqeuSOM.exe

C:\Windows\System\LqeuSOM.exe

C:\Windows\System\bdNdqMq.exe

C:\Windows\System\bdNdqMq.exe

C:\Windows\System\WUVCQuo.exe

C:\Windows\System\WUVCQuo.exe

C:\Windows\System\SUKtsIF.exe

C:\Windows\System\SUKtsIF.exe

C:\Windows\System\hAHQSLX.exe

C:\Windows\System\hAHQSLX.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1456-0-0x00007FF789AE0000-0x00007FF789E31000-memory.dmp

memory/1456-1-0x000001EC5F1A0000-0x000001EC5F1B0000-memory.dmp

C:\Windows\System\wWskkzT.exe

MD5 56d5a8c119de077208d959a008466690
SHA1 e01cb90583e68c0ae6983ae6fe3ca38130303a55
SHA256 76e922b6bf7a7f799efe3ee564025a16afee6364ba1a1fdc5354c475643a9073
SHA512 f1788242083c479958ed1a1c94dfa0f90d8e2d26badd477e8ae15361b32411b27919dd315441fcfb4ab42a87e201590b60c8b09f84d925413101af2744c479f0

memory/3840-6-0x00007FF69ACD0000-0x00007FF69B021000-memory.dmp

C:\Windows\System\siUBMnK.exe

MD5 a27b7afe5e91617f76ddbbd331fbb4f5
SHA1 41b6d57779a4eee4d256c4b08d93dc7a83738e62
SHA256 96e997cc1fe79dde5635902da71cad97330233525020d22c8b70f5a6f8a2ced5
SHA512 cee0b3a074e12921f577787cedca2a5ea38aa80d1088547ae3cc74e671460b7cee84b0d9847aa2741605d55977261cc08e48d29fd7beec16bb8a04057a494128

C:\Windows\System\NjRlFTo.exe

MD5 9f962fdc92ac16cff62f5f4e4b07c5c1
SHA1 ba8d8a73dca6e8f808863e34c21a6891beca780d
SHA256 cc47458bac56bcd500d65a8c7c7c2e45c1b1c82230d122002afe8c4ff511df49
SHA512 d8b7041c0d4fe22d2be092a3623300fda7e60c5921ed79e847ae32ad9954898d13a1592e79e0e203fae921cf80dfd31ba15216246b204e7f745332ba7ee03259

memory/3008-14-0x00007FF6B9340000-0x00007FF6B9691000-memory.dmp

C:\Windows\System\csfLyff.exe

MD5 84d5c0467dd85e6dd8e6480a262b19cd
SHA1 3967541c0e1d76b679c8da46341f8987e7380a37
SHA256 a3c4797f57e0cc7708e70e1b74e549a4e10af348c563566bd88000ff6b4b9139
SHA512 3e50ffa7d295992d52057441686d813e2f9658cc4ea1840dc829c5b136011d377a8ca7d3154cb2fbfbea7be0db3dd20349ff9ff7169b71c839201e3d54d37632

C:\Windows\System\tDFEOrF.exe

MD5 9c67c8ce436052a147cfc0273389fb5a
SHA1 e0b6a4d05e803b8448b2a370557eda379e2df3e0
SHA256 bf3593c910f73100b90423bbf5abae03347a0bc410515a86ff7b08046ea06293
SHA512 025bef18c71aab2cb3e845c2b17a709c734bb5744ff596291d96272c0af30a7b0339ba0dbcdd14cb5517a3dbe8ecadfa3e43f94dd12431bbad40188aaf6ffc7c

memory/4876-33-0x00007FF762380000-0x00007FF7626D1000-memory.dmp

C:\Windows\System\bGmsgKN.exe

MD5 be60f79e852bb467466514139831b483
SHA1 6841cfbc980f9ada63ea1569e0b81d48bcd998fe
SHA256 d33275f75b457a7512cebe8492668b278d309a7e9f96d4d2f6777dbecf9350d7
SHA512 cb9ec082936a389fb5bfce8f8082d86479c27a6633986b33644edcec37fcaaad5f9248b8fa2e21787883cd89086dd4abd4e806c7aaf638feb2631a15ad42a5fe

C:\Windows\System\HKgTDjW.exe

MD5 1ab001a617cce0b1e03a7b603a70a790
SHA1 27ff05ae18c4e22362f7c32715dea16f09473781
SHA256 19089d99579a7806952e8569d1b28a820628eb69387137f50ebdb4a8b3ef1ebb
SHA512 8e446ed2b3da714e4e36e3a7ce2a702422f42dacd9051c33da4caeb16454018b93d4c5fa12f94651aaae431e8212351f3c69b6e0a44221322c188b9f803c15ea

C:\Windows\System\xlmAYEq.exe

MD5 2acc1981c6546628c54788d1935fd9d9
SHA1 d49ad1cf84df02bb80191be0ab38dd6f7c74c666
SHA256 987ddc65f90142cbab326641628c054e23d7056ee90cceb9e62edc975ddf8b7f
SHA512 6052c3d510e62fdf99637d75da695a8544529862ffc811d6ebc76b72a057f5f84c5c9429ac35a08cb4f5524f6382fb127ad2e686c20b41d9f5b7ef1d233f6b96

C:\Windows\System\LqeuSOM.exe

MD5 0c7a4e54ce35bfc6ada7da185ea9f8e6
SHA1 0a3f41caa0a274022e6b04d0fab41d6867ab4964
SHA256 5518eb26682fdbbada0b4156567e8f3fbfa757992fd7a1e0043f94556acc4acb
SHA512 ee1b35cdadf0f1697daa5c19f18b86d87664d7bb65e13db1a96cad216aa7f4601a14a9f11610b7c114990fb9ceab4e438594c14f120714d37e1236d2cf06f142

C:\Windows\System\dtLqJOT.exe

MD5 32a6fda36b934eb2bfa3a3edbe378fe4
SHA1 6b9561d4e288bc4379bb86aff2e837d6c269aa43
SHA256 0aa5116a7b3cb0f82f71b513594c7881fd8ba9b027cad243ec0d92eff2f73b75
SHA512 54786bb0f82794f2af4a87cb8cfc579b47d2b42b9d19baea4b30beb11caef49fffdf13947485a8ad3b652274a68fc31f0bb8c0843aefa86e4c56e6b6103c5ddf

memory/4544-108-0x00007FF6A1A90000-0x00007FF6A1DE1000-memory.dmp

C:\Windows\System\WUVCQuo.exe

MD5 9bdbda7fd55433fd751427eccf0d4f1b
SHA1 bf2687aea2bfdda138accc5f67fcb115c7c859a6
SHA256 71683bcfcd953933c1106b9a42f745f833362acbf0b1131b28b8db814a83fc2e
SHA512 464110b8b5c8c3a6751136465381075b0b0ca5a8d16d65145f70d1bdb2e6029243f2c2afc9ea67d1775f8225c25d3aa7ddea71f22349b91db892fa68ca398c75

memory/3840-118-0x00007FF69ACD0000-0x00007FF69B021000-memory.dmp

memory/860-117-0x00007FF77C2E0000-0x00007FF77C631000-memory.dmp

C:\Windows\System\bdNdqMq.exe

MD5 91c5816fa8df84348aac317e3d00bb9d
SHA1 af5561bb16129f9d1da9b1db38eed2fbb0a62069
SHA256 0602f5cc8d4e6ec8e810a6cbc8bf310cac30428f3c86e59cf92f4219b81ac70e
SHA512 625d4c26c7c2ec6e6092e49c392f569c456bf2f044462d1de1564fe29a484c3dd1b096c8aee322e90994a3f1fa48c47c6a1e3f1922d64df33f5862a927dff37d

memory/2768-112-0x00007FF6778C0000-0x00007FF677C11000-memory.dmp

memory/3924-109-0x00007FF73FD20000-0x00007FF740071000-memory.dmp

memory/1456-107-0x00007FF789AE0000-0x00007FF789E31000-memory.dmp

C:\Windows\System\XXegSsr.exe

MD5 7d3873b7d1997a28114965f87c350a38
SHA1 075d0a567b07d1539bdf22092946bb832fe9ac43
SHA256 245a591929fae63232bd93fc8dd1a1a8b54433d7117a732f43735f577b277eed
SHA512 86439f0f0c61c4519c9467734dc8a52333d5d70b39a804faae7616be4f9430b0e5781f6c2db1f153e2e8e37425760d811a836ba7d625e755645dd7af8f5ae4e2

memory/3884-102-0x00007FF6E91F0000-0x00007FF6E9541000-memory.dmp

C:\Windows\System\mWfJOhn.exe

MD5 33a227f0ee009f420749b182f9b725af
SHA1 923da0a3d23dfa1108c60a53ae62e78fb674cbdf
SHA256 9f912f4dab7cc969447760d0c070fdf4c777aa4bedd27dbfdb865d83eb71013d
SHA512 bb390db1b3eecc349b493012dbb6d09a26b2c71e948aff75f84f961a05c3ac7a6fe90b715352b45f12a5ffc677245630c51224cfb09176635aec99a5e61d9c39

memory/1532-93-0x00007FF6E3300000-0x00007FF6E3651000-memory.dmp

memory/4756-88-0x00007FF77D880000-0x00007FF77DBD1000-memory.dmp

memory/4136-87-0x00007FF747F80000-0x00007FF7482D1000-memory.dmp

C:\Windows\System\Zvcidul.exe

MD5 0edf27992bf935ce726985e1a236d4d2
SHA1 f5b5c0e8c59cab2d45f3f7c0e8b071851db3054a
SHA256 0c72b49eeb75971805d3735e1f983ab5e78abdcfe58142f9298695aa1d2574ee
SHA512 c0dbad055144333e1af15943850116c9990387fc8043e9bd5bd11af537489389fd26587f2770a76616939991811b0d0b5c616ce988112225e7b6c8510022d66f

memory/1356-76-0x00007FF79A910000-0x00007FF79AC61000-memory.dmp

C:\Windows\System\ZBUBMoY.exe

MD5 fadadc4f5cacc18d22df76a0928106e3
SHA1 04ad395c0e9cfd798df32eb3b9bc7a2ecdd8f5a9
SHA256 0429b6959288d97d8f2af8e61d1e23f399e15602c1679b5d5eb55d9ce6746fc2
SHA512 64b3295a8bd7363bbfb0696cac36c4ffac87272e5464dde50f6bc6647453f6b6bf2cc542346949d3574ba3565e4c91c71513691a2606e9c543c19f947cfe29e6

memory/1980-66-0x00007FF67FC60000-0x00007FF67FFB1000-memory.dmp

memory/1968-73-0x00007FF6A98B0000-0x00007FF6A9C01000-memory.dmp

C:\Windows\System\ibnOdma.exe

MD5 94e21db0195b02a0d595090dccc37869
SHA1 eb72812bf29256eb85c7dba0e8bc6d269a4f0dd1
SHA256 153ccb587d74f01d25405b2eb00ff5b2c9f5ce5272681e5be22e44587947ed73
SHA512 441d5841775d13a17515f5456a962bdfc8cfa57b54424a2cd7bab75453718719186df5ef71a3e99b0c25152baa92a4f09831378dc3ef4f76f44ee83745880b0d

memory/60-57-0x00007FF7CEB20000-0x00007FF7CEE71000-memory.dmp

C:\Windows\System\InwrFWK.exe

MD5 0ef76582912d1526999e342c227c9b73
SHA1 111813b254b869a8fb5479934dd59fb3df3474e5
SHA256 2bae85306091b343c6691ef4d60461b95fd867734f1a07cd4aa9fe81a993de16
SHA512 4a7d44ce929a8b002630177faec75557c15e9d07b7c6a117b353380e34d79068e1e2bfd0526feeaf667cfb3dcf24f5ceb5939efc0cd93745eb96f2a5308daec7

memory/3892-44-0x00007FF684080000-0x00007FF6843D1000-memory.dmp

memory/2104-41-0x00007FF7BFCF0000-0x00007FF7C0041000-memory.dmp

memory/2520-39-0x00007FF652A90000-0x00007FF652DE1000-memory.dmp

C:\Windows\System\GFvWkXC.exe

MD5 034cd8e88d24bcdaa0270dd3a77f6cad
SHA1 e254b40671bdd5d0c02412adce7b79f230bcb8d8
SHA256 866e07f955053721f365ddd2b66cb258dc17cfcf5b2cafccf72199d97f3bac3c
SHA512 717df78bbed4926fd14b7d88d6a63ce85cc88739992833ebb5fc95ed87099b49949bee5814e1189e1d9eba51aaf303e1c768d5fc5af835a7d64bcf61c0a27fc1

memory/4964-24-0x00007FF754D00000-0x00007FF755051000-memory.dmp

C:\Windows\System\SUKtsIF.exe

MD5 e7b7d722af668a8f23950a2a2930a4d2
SHA1 40c2263c1e7c1b85eb3e7cc99bf5d4f624bb2308
SHA256 dd8165ae8464bfa0d2094d5ea04463386ebb3b1f81ec5102b0180b37f8828088
SHA512 366e03c7628198c17a260673a48cd9fe407cc1505b07f8a6010c6ba1a48625a39419461345a4658674f338c8d82a382ac24031a64d7ced34f6aa5d4e0b48c009

C:\Windows\System\hAHQSLX.exe

MD5 2feb4beec71001d3767d45cf84bf4b13
SHA1 40a5216ef47ad49e7c96235aeb0d086ea6a41b4d
SHA256 78ec365a2c5b4337268c2a98e24dc74122e1de91767795843dd0d0dc771bce2f
SHA512 06b5b1c71c01a87fe09997a5123ef98eda13421c6edda4ea6fabebfff58c81ec1dd2983c811a3338065553e655e5ad6815f5801d7072c72053d383098a739334

memory/4964-124-0x00007FF754D00000-0x00007FF755051000-memory.dmp

memory/4876-129-0x00007FF762380000-0x00007FF7626D1000-memory.dmp

memory/456-127-0x00007FF7EBE90000-0x00007FF7EC1E1000-memory.dmp

memory/5032-131-0x00007FF7FC3B0000-0x00007FF7FC701000-memory.dmp

memory/1980-141-0x00007FF67FC60000-0x00007FF67FFB1000-memory.dmp

memory/3892-139-0x00007FF684080000-0x00007FF6843D1000-memory.dmp

memory/1532-147-0x00007FF6E3300000-0x00007FF6E3651000-memory.dmp

memory/3884-149-0x00007FF6E91F0000-0x00007FF6E9541000-memory.dmp

memory/1356-145-0x00007FF79A910000-0x00007FF79AC61000-memory.dmp

memory/860-150-0x00007FF77C2E0000-0x00007FF77C631000-memory.dmp

memory/1968-143-0x00007FF6A98B0000-0x00007FF6A9C01000-memory.dmp

memory/1456-132-0x00007FF789AE0000-0x00007FF789E31000-memory.dmp

memory/2768-151-0x00007FF6778C0000-0x00007FF677C11000-memory.dmp

memory/1456-154-0x00007FF789AE0000-0x00007FF789E31000-memory.dmp

memory/3840-202-0x00007FF69ACD0000-0x00007FF69B021000-memory.dmp

memory/3008-204-0x00007FF6B9340000-0x00007FF6B9691000-memory.dmp

memory/4964-206-0x00007FF754D00000-0x00007FF755051000-memory.dmp

memory/4876-208-0x00007FF762380000-0x00007FF7626D1000-memory.dmp

memory/2520-210-0x00007FF652A90000-0x00007FF652DE1000-memory.dmp

memory/2104-212-0x00007FF7BFCF0000-0x00007FF7C0041000-memory.dmp

memory/3892-214-0x00007FF684080000-0x00007FF6843D1000-memory.dmp

memory/60-216-0x00007FF7CEB20000-0x00007FF7CEE71000-memory.dmp

memory/1980-218-0x00007FF67FC60000-0x00007FF67FFB1000-memory.dmp

memory/4136-220-0x00007FF747F80000-0x00007FF7482D1000-memory.dmp

memory/4756-223-0x00007FF77D880000-0x00007FF77DBD1000-memory.dmp

memory/1968-224-0x00007FF6A98B0000-0x00007FF6A9C01000-memory.dmp

memory/1356-226-0x00007FF79A910000-0x00007FF79AC61000-memory.dmp

memory/1532-230-0x00007FF6E3300000-0x00007FF6E3651000-memory.dmp

memory/4544-229-0x00007FF6A1A90000-0x00007FF6A1DE1000-memory.dmp

memory/3924-232-0x00007FF73FD20000-0x00007FF740071000-memory.dmp

memory/860-241-0x00007FF77C2E0000-0x00007FF77C631000-memory.dmp

memory/3884-239-0x00007FF6E91F0000-0x00007FF6E9541000-memory.dmp

memory/2768-242-0x00007FF6778C0000-0x00007FF677C11000-memory.dmp

memory/456-244-0x00007FF7EBE90000-0x00007FF7EC1E1000-memory.dmp

memory/5032-246-0x00007FF7FC3B0000-0x00007FF7FC701000-memory.dmp
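
The Files block above is flat text: a path, its four digests, and memory-dump names of the form memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp. The Python below is an added example, not part of the report, that parses lines copied from the behavioral2 Files and Network blocks into a checkable IOC set: it validates digest lengths, flags dropped paths that follow the \Windows\System\<seven letters>.exe pattern, computes each dumped region's size, and splits the Network rows into direct TCP connections and reverse-DNS lookups. The regular expressions and the seven-letter naming check are this example's reading of the report layout, not anything the report states.

```python
import re
from collections import Counter

# Added example, not part of the report. The lines below are copied verbatim
# from the behavioral2 "Files" and "Network" blocks above (two dropped files,
# three memory-dump entries and four network rows, to keep the excerpt short).
REPORT_EXCERPT = r"""
memory/1456-0-0x00007FF789AE0000-0x00007FF789E31000-memory.dmp

C:\Windows\System\wWskkzT.exe

MD5 56d5a8c119de077208d959a008466690
SHA1 e01cb90583e68c0ae6983ae6fe3ca38130303a55
SHA256 76e922b6bf7a7f799efe3ee564025a16afee6364ba1a1fdc5354c475643a9073
SHA512 f1788242083c479958ed1a1c94dfa0f90d8e2d26badd477e8ae15361b32411b27919dd315441fcfb4ab42a87e201590b60c8b09f84d925413101af2744c479f0

memory/3840-6-0x00007FF69ACD0000-0x00007FF69B021000-memory.dmp

C:\Windows\System\siUBMnK.exe

MD5 a27b7afe5e91617f76ddbbd331fbb4f5
SHA1 41b6d57779a4eee4d256c4b08d93dc7a83738e62
SHA256 96e997cc1fe79dde5635902da71cad97330233525020d22c8b70f5a6f8a2ced5
SHA512 cee0b3a074e12921f577787cedca2a5ea38aa80d1088547ae3cc74e671460b7cee84b0d9847aa2741605d55977261cc08e48d29fd7beec16bb8a04057a494128

memory/3008-14-0x00007FF6B9340000-0x00007FF6B9691000-memory.dmp

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\.+\.exe$")   # behavioral1 prints some paths without a drive letter
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
NET_RE = re.compile(r"^([A-Z]{2}) (\S+:\d+)(?: (\S+))? (tcp|udp)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Assumption drawn from the report: every dropped file sits in \Windows\System\ with a 7-letter name.
DROP_NAME_RE = re.compile(r"^(?:[A-Za-z]:)?\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse_report(text):
    """Collect {path: {algo: digest}}, memory regions and network rows from the flat report text."""
    files, regions, net = {}, [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := MEM_RE.match(line):
            pid, seq, start, end = m.groups()
            regions.append((int(pid), int(seq), int(start, 16), int(end, 16)))
        elif PATH_RE.match(line):
            current = line
            files[current] = {}
        elif (m := HASH_RE.match(line)) and current:
            algo, digest = m.groups()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{current}: {algo} digest has {len(digest)} hex chars, expected {HASH_LEN[algo]}")
            files[current][algo] = digest
        elif m := NET_RE.match(line):
            country, dest, domain, proto = m.groups()
            net.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return {"files": files, "regions": regions, "network": net}


def region_sizes(regions):
    """Distinct sizes in bytes of the dumped memory regions."""
    return {end - start for _pid, _seq, start, end in regions}


def suspicious_drops(files):
    """Dropped paths that match the random seven-letter naming seen in the report."""
    return sorted(path for path in files if DROP_NAME_RE.match(path))


def network_summary(net):
    """Count direct TCP connections per destination; list the reverse-DNS (PTR) names looked up over UDP."""
    tcp = Counter(row["dest"] for row in net if row["proto"] == "tcp")
    ptr = sorted(row["domain"] for row in net
                 if row["proto"] == "udp" and row["domain"] and row["domain"].endswith(".in-addr.arpa"))
    return {"tcp": dict(tcp), "ptr": ptr}


if __name__ == "__main__":
    report = parse_report(REPORT_EXCERPT)
    print("dropped:", suspicious_drops(report["files"]))
    print("region sizes:", [hex(size) for size in region_sizes(report["regions"])])
    print("network:", network_summary(report["network"]))
```

Two things the checks surface on the full report: every image-sized region listed for the dropped executables spans 0x351000 bytes (for example 0x00007FF69ACD0000 to 0x00007FF69B021000), while the parent's second entry, memory/1456-1, is a separate 0x10000-byte region; and the TCP rows all go to the single destination 3.120.209.58:8080, whereas the UDP rows are reverse (in-addr.arpa) lookups sent to 8.8.8.8, not forward resolutions of a hostname.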