Malware Analysis Report

2025-01-22 19:19

Sample ID 240806-n6y56ssejb
Target 2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat
SHA256 59277f7a8c3a688e0513533404320896462cd027bb1e6b180e750986f20e77e5
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10


Analysis Overview

score
10/10

SHA256

59277f7a8c3a688e0513533404320896462cd027bb1e6b180e750986f20e77e5

Threat Level: Known bad

The file 2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

XMRig Miner payload

Xmrig family

Cobaltstrike

Cobaltstrike family

Cobalt Strike reflective loader

xmrig

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 12:01

Signatures

Cobalt Strike reflective loader

1 match recorded; no description, indicator, process or target details (all columns N/A).

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
1 match recorded; no description, indicator, process or target details (all columns N/A).

Xmrig family

xmrig

UPX packed file

upx
1 match recorded; no description, indicator, process or target details (all columns N/A).

Unsigned PE

1 match recorded; no description, indicator, process or target details (all columns N/A).

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 12:01

Reported

2024-08-06 12:03

Platform

win7-20240708-en

Max time kernel

139s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

21 matches recorded; no description, indicator, process or target details (all columns N/A).

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
60 matches recorded; no description, indicator, process or target details (all columns N/A).

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
(21 identical entries in the sandbox output, every one attributed to the sample process with no further details; listed once here.)

UPX packed file

upx
57 matches recorded; no description, indicator, process or target details (all columns N/A).

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\qNGjxtq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CGBsHXX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kshUEOb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pEikerL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vJusVRJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HYmxrga.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WBRwBiE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WBivkWv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RrBBdXo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iDVIcHK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HwvSBOf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JaqqTAr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eVdwSaB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oEsHqaP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YCgeNMo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cbDRgDe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZhlexNY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eQoqKDB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sJCGwkP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aFVqeIl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OVOwfsc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Target
(Process column omitted: in every row it is C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe, PID 1748. Each write below was logged three times in the sandbox output and is listed once here.)
PID 1748 wrote to memory of 2044 N/A C:\Windows\System\WBRwBiE.exe
PID 1748 wrote to memory of 2808 N/A C:\Windows\System\HwvSBOf.exe
PID 1748 wrote to memory of 1128 N/A C:\Windows\System\eQoqKDB.exe
PID 1748 wrote to memory of 2976 N/A C:\Windows\System\WBivkWv.exe
PID 1748 wrote to memory of 2820 N/A C:\Windows\System\sJCGwkP.exe
PID 1748 wrote to memory of 2596 N/A C:\Windows\System\JaqqTAr.exe
PID 1748 wrote to memory of 2924 N/A C:\Windows\System\aFVqeIl.exe
PID 1748 wrote to memory of 3040 N/A C:\Windows\System\eVdwSaB.exe
PID 1748 wrote to memory of 2828 N/A C:\Windows\System\RrBBdXo.exe
PID 1748 wrote to memory of 2768 N/A C:\Windows\System\OVOwfsc.exe
PID 1748 wrote to memory of 2760 N/A C:\Windows\System\YCgeNMo.exe
PID 1748 wrote to memory of 1552 N/A C:\Windows\System\cbDRgDe.exe
PID 1748 wrote to memory of 264 N/A C:\Windows\System\ZhlexNY.exe
PID 1748 wrote to memory of 888 N/A C:\Windows\System\qNGjxtq.exe
PID 1748 wrote to memory of 2172 N/A C:\Windows\System\CGBsHXX.exe
PID 1748 wrote to memory of 2136 N/A C:\Windows\System\kshUEOb.exe
PID 1748 wrote to memory of 1660 N/A C:\Windows\System\iDVIcHK.exe
PID 1748 wrote to memory of 268 N/A C:\Windows\System\vJusVRJ.exe
PID 1748 wrote to memory of 3060 N/A C:\Windows\System\HYmxrga.exe
PID 1748 wrote to memory of 2308 N/A C:\Windows\System\oEsHqaP.exe
PID 1748 wrote to memory of 1172 N/A C:\Windows\System\pEikerL.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe"

Dropped executables, each started with a command line equal to its own image path:

C:\Windows\System\WBRwBiE.exe
C:\Windows\System\HwvSBOf.exe
C:\Windows\System\eQoqKDB.exe
C:\Windows\System\WBivkWv.exe
C:\Windows\System\sJCGwkP.exe
C:\Windows\System\JaqqTAr.exe
C:\Windows\System\aFVqeIl.exe
C:\Windows\System\eVdwSaB.exe
C:\Windows\System\RrBBdXo.exe
C:\Windows\System\OVOwfsc.exe
C:\Windows\System\YCgeNMo.exe
C:\Windows\System\cbDRgDe.exe
C:\Windows\System\ZhlexNY.exe
C:\Windows\System\qNGjxtq.exe
C:\Windows\System\CGBsHXX.exe
C:\Windows\System\kshUEOb.exe
C:\Windows\System\iDVIcHK.exe
C:\Windows\System\vJusVRJ.exe
C:\Windows\System\HYmxrga.exe
C:\Windows\System\oEsHqaP.exe
C:\Windows\System\pEikerL.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
(6 identical connections logged to this destination; no domain recorded.)

Files


memory/2924-151-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2820-153-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

memory/2596-152-0x000000013F600000-0x000000013F954000-memory.dmp

memory/2828-155-0x000000013F560000-0x000000013F8B4000-memory.dmp

memory/2976-154-0x000000013F030000-0x000000013F384000-memory.dmp

memory/2768-156-0x000000013FD00000-0x0000000140054000-memory.dmp

memory/2760-157-0x000000013FB20000-0x000000013FE74000-memory.dmp

memory/1552-158-0x000000013FDC0000-0x0000000140114000-memory.dmp

memory/264-159-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

memory/2172-160-0x000000013F670000-0x000000013F9C4000-memory.dmp

memory/3040-161-0x000000013F0B0000-0x000000013F404000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 12:01

Reported

2024-08-06 12:03

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\EBMGFyh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jqSaWxm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aEXNoxF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bBzHMlU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\symJqGr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZmlcUBx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cfoSDxV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TbAQJxq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uOMuIHj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sFRsdpX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AyqHduc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NIPVbOE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IkzBKSK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fiCpSTK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TTMODZF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BempKlH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BYVYLxe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zDirxdq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MjVehhD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xcOsPkX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DxZlneT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2060 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZmlcUBx.exe
PID 2060 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZmlcUBx.exe
PID 2060 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cfoSDxV.exe
PID 2060 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cfoSDxV.exe
PID 2060 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NIPVbOE.exe
PID 2060 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NIPVbOE.exe
PID 2060 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EBMGFyh.exe
PID 2060 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EBMGFyh.exe
PID 2060 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IkzBKSK.exe
PID 2060 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IkzBKSK.exe
PID 2060 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MjVehhD.exe
PID 2060 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MjVehhD.exe
PID 2060 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jqSaWxm.exe
PID 2060 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jqSaWxm.exe
PID 2060 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xcOsPkX.exe
PID 2060 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xcOsPkX.exe
PID 2060 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TbAQJxq.exe
PID 2060 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TbAQJxq.exe
PID 2060 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aEXNoxF.exe
PID 2060 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aEXNoxF.exe
PID 2060 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uOMuIHj.exe
PID 2060 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uOMuIHj.exe
PID 2060 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bBzHMlU.exe
PID 2060 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bBzHMlU.exe
PID 2060 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fiCpSTK.exe
PID 2060 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fiCpSTK.exe
PID 2060 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TTMODZF.exe
PID 2060 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TTMODZF.exe
PID 2060 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BempKlH.exe
PID 2060 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BempKlH.exe
PID 2060 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BYVYLxe.exe
PID 2060 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BYVYLxe.exe
PID 2060 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zDirxdq.exe
PID 2060 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zDirxdq.exe
PID 2060 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sFRsdpX.exe
PID 2060 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sFRsdpX.exe
PID 2060 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\symJqGr.exe
PID 2060 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\symJqGr.exe
PID 2060 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DxZlneT.exe
PID 2060 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DxZlneT.exe
PID 2060 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AyqHduc.exe
PID 2060 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AyqHduc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\ZmlcUBx.exe

C:\Windows\System\ZmlcUBx.exe

C:\Windows\System\cfoSDxV.exe

C:\Windows\System\cfoSDxV.exe

C:\Windows\System\NIPVbOE.exe

C:\Windows\System\NIPVbOE.exe

C:\Windows\System\EBMGFyh.exe

C:\Windows\System\EBMGFyh.exe

C:\Windows\System\IkzBKSK.exe

C:\Windows\System\IkzBKSK.exe

C:\Windows\System\MjVehhD.exe

C:\Windows\System\MjVehhD.exe

C:\Windows\System\jqSaWxm.exe

C:\Windows\System\jqSaWxm.exe

C:\Windows\System\xcOsPkX.exe

C:\Windows\System\xcOsPkX.exe

C:\Windows\System\TbAQJxq.exe

C:\Windows\System\TbAQJxq.exe

C:\Windows\System\aEXNoxF.exe

C:\Windows\System\aEXNoxF.exe

C:\Windows\System\uOMuIHj.exe

C:\Windows\System\uOMuIHj.exe

C:\Windows\System\bBzHMlU.exe

C:\Windows\System\bBzHMlU.exe

C:\Windows\System\fiCpSTK.exe

C:\Windows\System\fiCpSTK.exe

C:\Windows\System\TTMODZF.exe

C:\Windows\System\TTMODZF.exe

C:\Windows\System\BempKlH.exe

C:\Windows\System\BempKlH.exe

C:\Windows\System\BYVYLxe.exe

C:\Windows\System\BYVYLxe.exe

C:\Windows\System\zDirxdq.exe

C:\Windows\System\zDirxdq.exe

C:\Windows\System\sFRsdpX.exe

C:\Windows\System\sFRsdpX.exe

C:\Windows\System\symJqGr.exe

C:\Windows\System\symJqGr.exe

C:\Windows\System\DxZlneT.exe

C:\Windows\System\DxZlneT.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4152,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:8

C:\Windows\System\AyqHduc.exe

C:\Windows\System\AyqHduc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2060-0-0x00007FF6580E0000-0x00007FF658434000-memory.dmp

memory/2060-1-0x0000017639840000-0x0000017639850000-memory.dmp

C:\Windows\System\ZmlcUBx.exe

MD5 7ae41d65a00a6a81d274fc6d5f6b8675
SHA1 858b7734bc98df4b8a529be6dfb49baeee61df14
SHA256 1228daf07dfe88faa106b572b87ac679d94219d4044fc96f9d84c8d5d9f02b89
SHA512 0c0fda3429a41027b15c7545ad88d5c3f3515fcbde7fd82da850cf42bc664e1afe6145f5958f66b2006b54ddb477c162d5f168f1b094b593b93cbab0c282e26a

C:\Windows\System\cfoSDxV.exe

MD5 35375ef00178ee24b8707bb72d175d8f
SHA1 e2254da44278e0f57a82cc7e6384a9fb0df5d2e3
SHA256 979335537abdce702735a81b9ef6c375d56850783979fb6f0929e6d904cec05c
SHA512 249e15f8db9dedebe9f33e6b28cbd54e4a0a014894c5ba9ce818d87171e2c265df9184c851dc9c664c986484a8679ac4da89b69d91bea82c4361ee147f6de7a7

C:\Windows\System\NIPVbOE.exe

MD5 c09c1481ca3a327c98b408bc06ada570
SHA1 f559ed49ff4231b8306a3db2dffb1fc9d3ef3031
SHA256 dce29b8778d5ee3cb18951d0b3ffac6b11b98180ab1a61bef8dd0016379a3175
SHA512 c0b1095934d4349b7bd3cc4384af093618f1ec684ee3a89145f8e977805b99457a0cb18f30dbd8766985ef22070d16016c639c2702de921263494d6b4666d622

C:\Windows\System\EBMGFyh.exe

MD5 6158a97d88ab34f7e51c1197ec129812
SHA1 8246f1c359122c34ab9d334d819ef91037df7cc8
SHA256 2ab2394e3d4921bbe57c19a57a3c9acce898c61935a853f9f55ff88c1ae0c5e3
SHA512 39b54f4590eb1997acd6e595aca67a3e1fc1d403938eeafaa9180d211adb726a8bca06ad56314d61b3d769696a1886a9578b1d4947090af8ed1b9aec06eadb4a

memory/2592-26-0x00007FF6ECF10000-0x00007FF6ED264000-memory.dmp

memory/2724-25-0x00007FF620EE0000-0x00007FF621234000-memory.dmp

memory/5000-18-0x00007FF7005C0000-0x00007FF700914000-memory.dmp

memory/4460-6-0x00007FF715430000-0x00007FF715784000-memory.dmp

memory/1996-32-0x00007FF612EA0000-0x00007FF6131F4000-memory.dmp

C:\Windows\System\IkzBKSK.exe

MD5 797761e3b8d2c65a4a1a63572962ea18
SHA1 357899cc782c41c255317c457440bd847fa072b3
SHA256 a2ae417e54765e81e2b9637b23590316937726e469be2be78c151a6cad972ce5
SHA512 9a12f03c1fdefbb27ee081f6460c381205c09e79938758e3c1593d8c7d1b9de26f22ef6cec95adfde2d2df02037ac7f8a70dc2df4611a3ed506c6b89a028ad12

C:\Windows\System\MjVehhD.exe

MD5 43f05660bbf8f7e66b5f54fa0c0905a3
SHA1 97ff1453aca19112a0a1b833ec61ef161c2ff097
SHA256 c5643bfe3b03305f56b99799335fe2a72de0b900f3165a4aca91f8a7584159c8
SHA512 904302d10fb45be265dcdfe8df15477d62a26b0ee0c91674f90a1f9e40a2af344e497c6188f701c6cdc8cde53aef8fb2c34241929b633ae3142ab96ba4008e96

C:\Windows\System\jqSaWxm.exe

MD5 3789fee80d5bcb6c06519ccd11870b46
SHA1 4e23b47f53c2c27d0b49e305cf98d4ad8b5d4f18
SHA256 6233ba8bbe2663b94b2c8bf8688ff1949b621e004a8bcf0d68f3c2cb7a45acb7
SHA512 46e8dbd70023edac11de51a4b3f6a1763621b2dcab937329c19ff527fd2b1fc75196081d31df93cfe9f5d4483571bee8f9d98d44ad0a112b55e93c13889fd3d7

C:\Windows\System\xcOsPkX.exe

MD5 c636d1afae602b7384d3253181fd8531
SHA1 f2f548fbe58646571a5dc474ac10b79ee990d17f
SHA256 18298d8aa3eb56e061bbdf92e45930302cd6c61dc6cc3958c87b67a5b1b42ed6
SHA512 ec9b44c59e8942cb0f7d890ca141a575f2a7533d092616009e3087e91df3178802a1c2a1dff94ede2b55738b3ac29406ce17798d8b799df669cc98a80d121833

C:\Windows\System\aEXNoxF.exe

MD5 b36d6f5bcce122691ae636f1caece67a
SHA1 7edc839d466ea1d5855d71a7f7ef0dc76e41f776
SHA256 411f751226a5860d76eaa73c2b7bebed41f392c6a6e4cbf7a6cde036445ae39d
SHA512 94dc7ede29077af81aaeb9e067b60bdba6179a72294291945e182b069246753ab2f1a104fe5da6386164d085850a99a3e085b9ca31c46b7ac08182d3a789981c

C:\Windows\System\bBzHMlU.exe

MD5 87604e56c5fa79963d87eaba27b38edc
SHA1 00a8329c9d13f14615279d90b0e3d3a91327a225
SHA256 edd210579f2cbb81b8309a877d1ba2f3772fe880f75eb5976cbb01291326daa1
SHA512 059348145563aa184f65c0a713e945e46d3594347d5a8c67d5dc397b0122624aef72b0afef68e47d91eea1fada2b084f2abb34397bb5805c49eac16a1f0cb4fe

memory/3880-68-0x00007FF7BD6B0000-0x00007FF7BDA04000-memory.dmp

C:\Windows\System\fiCpSTK.exe

MD5 2c282fe33d4e21597d344f335a5b73f0
SHA1 4f9585844b5f2755a7f641117faf5fdb756434c0
SHA256 40e99a2c73c6f011b35263fbcc56e312ab3d4c89c481b14ed9651ef4dab7fe4e
SHA512 259854d1ad8df3db61508204b185668489c6778efcfd2b2c8f2636d05017648b5395c0df24f82ed85bac33cfa471035c1c999e98eda91ffc9f61df4d51896501

memory/2724-85-0x00007FF620EE0000-0x00007FF621234000-memory.dmp

C:\Windows\System\TTMODZF.exe

MD5 29476cdcd1c50e143c0b93a4f6a03470
SHA1 b9ce833a57937246613b337f68fde8f450683587
SHA256 1d97b32f203b5a33f14f06d99e507b57173747d6adedc688c567bbf3f70efb84
SHA512 91e512b9ed18243e219454abc2d67e248250f3b10f4eed79aa10db94c39495db2b1b57c0f143792d83eea9bd5f3249fbbaf44ec86fb8800ef1f674c44a39ddad

memory/1644-86-0x00007FF74FBA0000-0x00007FF74FEF4000-memory.dmp

memory/4720-108-0x00007FF7F27C0000-0x00007FF7F2B14000-memory.dmp

C:\Windows\System\DxZlneT.exe

MD5 0698153eaffb9245b1894c453f3ef673
SHA1 8bf8a6507d1722f16f8f69ad0c8c6f3fff446f08
SHA256 317ea763ee2706d5bb6e9c47a725e90446b89c567a0365c6ec9915054014c5df
SHA512 2a72340afa76d0f6605ec2b95c57776a266cd75b06848140b6bc129172227994d66c6acdeb38688433859e6c2b7d5b2a03f872bee99851ebd4f770f7058da967

memory/4900-119-0x00007FF728CC0000-0x00007FF729014000-memory.dmp

C:\Windows\System\symJqGr.exe

MD5 3f1856f3ccc56def17ff4896203de3bf
SHA1 e7573e89e735e01bdf9220868fda44580b8c5f45
SHA256 8f2434050617511e6f1b806eb4ab93d2505e3bda7c6c3f50d28996c5e6f4858f
SHA512 6b3854bbb906e3c0b489a1db8d9f95af785ffdbe5f0f631f65412316a44f46fe44169a42aef49efb3d3250ff30548b4a95b8165ebb07eeb32e8a756ab773aac3

C:\Windows\System\sFRsdpX.exe

MD5 6ea4ddcad7b18cb2f36e06028df07a53
SHA1 d0bbbbc3d948d8f3648301c73d1e9352186887cb
SHA256 203f09f279a549eec405d2e7068dd1281b3aa8315ca140a69db00272fea6c5d2
SHA512 c70fc7cb5b24c7ba31bc2b8c8f9b4c83a66b2afe93a4c962f5366b33fe87819459c08a4a49b9e2b5dcb3022a065eae94177752b196af0601d5975c9f777b1a5f

C:\Windows\System\BempKlH.exe

MD5 fc20f89b567e76d1a491eca6c6a240a8
SHA1 989fb3f5b7f416343229e19661490ce1ada3ed51
SHA256 afd66f6498113b47d5dc2fc35fc08256f78a18421820eee4fcf5bd6bdf7d39ed
SHA512 89db0b52538b6001b033ab79bc3213e1d3dc4d265cd5f4efcac10617095fb6c4994df8bbefaa8cbc37f244df89d7a469284c3db284f0925f7543a4def125e914

C:\Windows\System\zDirxdq.exe

MD5 0b7323f12578919310a84841c3ef8c12
SHA1 5f83204f79cbc8de0bc302509e9675b4abb56e2a
SHA256 b35482e58221a7c253d9386922031565be7019d3f5137163f201643653e08278
SHA512 474af29a76814562019f893963454212211a5a5701af4296ec4685337e0941839bd548ccf4df7c56f5c332a2a66eb9e18d137e205ed60076e784fe0e62c26a94

C:\Windows\System\BYVYLxe.exe

MD5 a7cb21d7866eef307ed83ce357e6e949
SHA1 8f72ecaec50118571c5db01b2262d0308b12f93d
SHA256 39db5df12ca7ea8a5abb125a8ac97991f6b00abad6981e36fe46f33059be3f4f
SHA512 d57c2ed60e3c5710f9766439c1c9ff8812cb2c191c0fb2ca87374ccb8b073d22bdf664b2527e88055731a7694b76e7d688dbe855ff97d7e5f24bba64ada9ba13

memory/3840-112-0x00007FF6993A0000-0x00007FF6996F4000-memory.dmp

memory/3128-111-0x00007FF76D5B0000-0x00007FF76D904000-memory.dmp

memory/4292-110-0x00007FF7578D0000-0x00007FF757C24000-memory.dmp

memory/820-109-0x00007FF787C10000-0x00007FF787F64000-memory.dmp

memory/3364-84-0x00007FF621BF0000-0x00007FF621F44000-memory.dmp

memory/5000-82-0x00007FF7005C0000-0x00007FF700914000-memory.dmp

memory/4460-81-0x00007FF715430000-0x00007FF715784000-memory.dmp

C:\Windows\System\uOMuIHj.exe

MD5 5661e8ae1604ebc940882b926371ba82
SHA1 5af78804c80f91025811f36adcb6005f0cd2717c
SHA256 93c7150c0171f8b7726dd20c954760ba99ec34737ea5a66d2b82b49458ea6d16
SHA512 1a5629009d6e18bdf6f0277aee8911194c702c3aee45515b716f6d40602afff104d1c81e4d26615592b86cc66f3a5e9680ca86933ebae0f0520d406b9db66cb7

memory/5036-69-0x00007FF6EEC10000-0x00007FF6EEF64000-memory.dmp

memory/228-67-0x00007FF79E210000-0x00007FF79E564000-memory.dmp

memory/2060-66-0x00007FF6580E0000-0x00007FF658434000-memory.dmp

memory/2948-60-0x00007FF72F740000-0x00007FF72FA94000-memory.dmp

C:\Windows\System\TbAQJxq.exe

MD5 50990b1d0d11ef7ab9f97c8bfe9a256c
SHA1 97a6458e3b165b6fe34eeab1667db9df66d66d4e
SHA256 fb14e01f58bbaa6f90b2f35fcd872b4d9e0d946143d522f40f383dc65361a9aa
SHA512 60855e25f8a556c22dd03caff00a9a34bf8e6057af0273fcebde5b057e734e95e4a0593b8242e4cec1139af1e666c4f49980c91731d385b55c027afca97e3c3c

memory/3644-47-0x00007FF6C3D70000-0x00007FF6C40C4000-memory.dmp

memory/4280-43-0x00007FF7B3260000-0x00007FF7B35B4000-memory.dmp

memory/1896-40-0x00007FF63ED00000-0x00007FF63F054000-memory.dmp

C:\Windows\System\AyqHduc.exe

MD5 dcdc06b109a8cc7de99da4ec07538a5d
SHA1 9a45edadf29f9670ab0385e49042c01c5eb4b7dd
SHA256 57624ad9cfa8d4d5ee61484fb14d02f3ed2497e8cc1470aa66ea960c2a2dcdc1
SHA512 01981d28dcf904b875207b38c2c380920d31a32b34e4dd9416d52370f92bf64c7f3a4d483941ad6f566e6295e13b8518d8ae7fe8010485808dfd3ee75f4f532c

memory/4124-131-0x00007FF7787C0000-0x00007FF778B14000-memory.dmp

memory/4280-132-0x00007FF7B3260000-0x00007FF7B35B4000-memory.dmp

memory/3644-133-0x00007FF6C3D70000-0x00007FF6C40C4000-memory.dmp

memory/228-134-0x00007FF79E210000-0x00007FF79E564000-memory.dmp

memory/5036-136-0x00007FF6EEC10000-0x00007FF6EEF64000-memory.dmp

memory/3364-137-0x00007FF621BF0000-0x00007FF621F44000-memory.dmp

memory/3880-135-0x00007FF7BD6B0000-0x00007FF7BDA04000-memory.dmp

memory/1644-138-0x00007FF74FBA0000-0x00007FF74FEF4000-memory.dmp

memory/4720-139-0x00007FF7F27C0000-0x00007FF7F2B14000-memory.dmp

memory/4292-141-0x00007FF7578D0000-0x00007FF757C24000-memory.dmp

memory/3840-143-0x00007FF6993A0000-0x00007FF6996F4000-memory.dmp

memory/4900-144-0x00007FF728CC0000-0x00007FF729014000-memory.dmp

memory/3128-142-0x00007FF76D5B0000-0x00007FF76D904000-memory.dmp

memory/820-140-0x00007FF787C10000-0x00007FF787F64000-memory.dmp

memory/4460-145-0x00007FF715430000-0x00007FF715784000-memory.dmp

memory/5000-146-0x00007FF7005C0000-0x00007FF700914000-memory.dmp

memory/2724-147-0x00007FF620EE0000-0x00007FF621234000-memory.dmp

memory/2592-148-0x00007FF6ECF10000-0x00007FF6ED264000-memory.dmp

memory/1996-149-0x00007FF612EA0000-0x00007FF6131F4000-memory.dmp

memory/1896-150-0x00007FF63ED00000-0x00007FF63F054000-memory.dmp

memory/2948-151-0x00007FF72F740000-0x00007FF72FA94000-memory.dmp

memory/3644-152-0x00007FF6C3D70000-0x00007FF6C40C4000-memory.dmp

memory/4280-153-0x00007FF7B3260000-0x00007FF7B35B4000-memory.dmp

memory/5036-155-0x00007FF6EEC10000-0x00007FF6EEF64000-memory.dmp

memory/228-154-0x00007FF79E210000-0x00007FF79E564000-memory.dmp

memory/3880-156-0x00007FF7BD6B0000-0x00007FF7BDA04000-memory.dmp

memory/1644-157-0x00007FF74FBA0000-0x00007FF74FEF4000-memory.dmp

memory/3364-158-0x00007FF621BF0000-0x00007FF621F44000-memory.dmp

memory/4720-159-0x00007FF7F27C0000-0x00007FF7F2B14000-memory.dmp

memory/4292-163-0x00007FF7578D0000-0x00007FF757C24000-memory.dmp

memory/4900-162-0x00007FF728CC0000-0x00007FF729014000-memory.dmp

memory/3840-164-0x00007FF6993A0000-0x00007FF6996F4000-memory.dmp

memory/820-160-0x00007FF787C10000-0x00007FF787F64000-memory.dmp

memory/3128-161-0x00007FF76D5B0000-0x00007FF76D904000-memory.dmp

memory/4124-165-0x00007FF7787C0000-0x00007FF778B14000-memory.dmp
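A practitioner reading the behavioral2 tables above would want to turn them into something checkable: a parent/child map from the WriteProcessMemory rows, a check that every child is one of the freshly dropped `C:\Windows\System\<seven letters>.exe` files, and a comparison of the dumped memory regions, which on this page all span 0x354000 bytes (the only exception is the parent's small 0x10000 region) even though every dropped file carries a different hash. The script below is an added example written for this page; it is not the sandbox vendor's code, and the row strings it parses are copied, abridged, from the tables above, assuming the flattened four-column "Description Indicator Process Target" layout as rendered here. It also counts the repeated connections to 3.120.209.58:8080, which the Network table lists without any resolved name; that is beacon-like, but the count alone is not proof of command and control, so check the address against threat intelligence before acting on it.

```python
"""Triage the flattened sandbox tables above: parent/child pairs from the
WriteProcessMemory rows, the dropped-file naming pattern, memory-dump region
sizes and repeated connections to an unnamed destination.

Added example for this page; not code from the sandbox vendor or the sample.
Row strings are copied (abridged) from the behavioral2 tables; the four-column
"Description Indicator Process Target" layout is assumed.
"""
import ntpath
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c"
          r"_cobalt-strike_cobaltstrike_poet-rat.exe")
SYSTEM_DIR = r"C:\Windows\System"

def drop_path(name):
    return ntpath.join(SYSTEM_DIR, name + ".exe")

# "Drops file in Windows directory" rows (5 of the 21 on the page).
FILE_CREATED = [f"File created {drop_path(n)} {SAMPLE} N/A"
                for n in ("EBMGFyh", "jqSaWxm", "aEXNoxF", "ZmlcUBx", "cfoSDxV")]
# "Suspicious use of WriteProcessMemory" rows; each write is listed twice, as above.
WPM = [f"PID 2060 wrote to memory of {pid} N/A {SAMPLE} {drop_path(n)}"
       for pid, n in (("4460", "ZmlcUBx"), ("5000", "cfoSDxV"), ("2592", "EBMGFyh"))
       for _ in range(2)]
# Memory-dump names from the Files section: parent 2060 and three children.
DUMPS = ["memory/2060-0-0x00007FF6580E0000-0x00007FF658434000-memory.dmp",
         "memory/2060-1-0x0000017639840000-0x0000017639850000-memory.dmp",
         "memory/4460-6-0x00007FF715430000-0x00007FF715784000-memory.dmp",
         "memory/5000-18-0x00007FF7005C0000-0x00007FF700914000-memory.dmp",
         "memory/2592-26-0x00007FF6ECF10000-0x00007FF6ED264000-memory.dmp"]
# Network rows; the 8080 rows have no domain column and so split into 3 fields.
NETWORK = ["US 8.8.8.8:53 g.bing.com udp",
           "US 204.79.197.237:443 g.bing.com tcp",
           "DE 3.120.209.58:8080 tcp",
           "US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp",
           "DE 3.120.209.58:8080 tcp",
           "DE 3.120.209.58:8080 tcp"]

DROP_NAME = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
FILE_ROW = re.compile(r"^File created (\S+) (\S+) (\S+)$")
WPM_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
DUMP_NAME = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

def dropped_files(rows):
    """Paths the sample wrote, taken from the 'File created' rows."""
    return [m.group(1) for r in rows if (m := FILE_ROW.match(r))]

def process_tree(rows):
    """parent PID -> {child PID: child image path}; duplicate writes collapse."""
    tree = defaultdict(dict)
    for r in rows:
        if m := WPM_ROW.match(r):
            parent, child, _source, target = m.groups()
            tree[int(parent)][int(child)] = target
    return dict(tree)

def dump_sizes(names):
    """PID -> set of region sizes (end - start) among its memory dumps."""
    sizes = defaultdict(set)
    for n in names:
        if m := DUMP_NAME.match(n):
            pid, start, end = m.groups()
            sizes[int(pid)].add(int(end, 16) - int(start, 16))
    return dict(sizes)

def common_image_size(names):
    """The one region size present in every dumped PID, else None."""
    per_pid = dump_sizes(names)
    shared = set.intersection(*per_pid.values()) if per_pid else set()
    return shared.pop() if len(shared) == 1 else None

def unnamed_destinations(rows):
    """Count non-DNS connections whose row carries no domain name."""
    counts = defaultdict(int)
    for r in rows:
        parts = r.split()
        if len(parts) == 3 and not parts[1].endswith(":53"):
            counts[(parts[1], parts[2])] += 1
    return dict(counts)

def triage(file_rows, wpm_rows, dump_names, net_rows):
    drops = set(dropped_files(file_rows))
    tree = process_tree(wpm_rows)
    children = [p for kids in tree.values() for p in kids.values()]
    return {
        "drop_count": len(drops),
        "drops_match_pattern": all(DROP_NAME.match(p) for p in drops),
        "children_per_parent": {p: len(k) for p, k in tree.items()},
        "children_are_drops": all(c in drops for c in children),
        "common_image_size": common_image_size(dump_names),
        "unnamed_destinations": unnamed_destinations(net_rows),
    }

if __name__ == "__main__":
    for key, value in triage(FILE_CREATED, WPM, DUMPS, NETWORK).items():
        print(key, hex(value) if key == "common_image_size" and value else value)
```

On the abridged rows this reports 5 drops that all match the seven-letter pattern, one parent (2060) with 3 children that are all dropped files, a shared image size of 0x354000 and three unnamed TCP connections to 3.120.209.58:8080; on the full tables the same parent has 21 children. The regexes are anchored to this report's row layout and need adjusting for another sandbox's export.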