Malware Analysis Report

2025-01-22 19:22

Sample ID 240806-nkgc8sxglp
Target 2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat
SHA256 48fcee6b39d5a892949f20d02a26b9b8577d9a3e27cc45c87f288f5061965a90
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

48fcee6b39d5a892949f20d02a26b9b8577d9a3e27cc45c87f288f5061965a90

Threat Level: Known bad

The file 2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike family

XMRig Miner payload

Cobalt Strike reflective loader

xmrig

Xmrig family

Cobaltstrike

XMRig Miner payload

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 11:27

Signatures

Cobalt Strike reflective loader


Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 11:27

Reported

2024-08-06 11:29

Platform

win7-20240704-en

Max time kernel

147s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\QBWeEDO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UljDTIp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VPDwgJa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QuFaIlG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qWpOGgp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UYQsjpy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TVfkYEx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iXaYmra.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dceWQgc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EyiThXE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\olSIYdN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gKCFdoX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TrPooQU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fTQYEPd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JdjzWXi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rYgYvjH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uyWCfmz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KmylfFA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DGkPuez.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cpxguQg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GhEGoOS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2540 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TVfkYEx.exe
PID 2540 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TVfkYEx.exe
PID 2540 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TVfkYEx.exe
PID 2540 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uyWCfmz.exe
PID 2540 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uyWCfmz.exe
PID 2540 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uyWCfmz.exe
PID 2540 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KmylfFA.exe
PID 2540 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KmylfFA.exe
PID 2540 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KmylfFA.exe
PID 2540 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VPDwgJa.exe
PID 2540 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VPDwgJa.exe
PID 2540 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VPDwgJa.exe
PID 2540 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DGkPuez.exe
PID 2540 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DGkPuez.exe
PID 2540 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DGkPuez.exe
PID 2540 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QuFaIlG.exe
PID 2540 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QuFaIlG.exe
PID 2540 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QuFaIlG.exe
PID 2540 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EyiThXE.exe
PID 2540 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EyiThXE.exe
PID 2540 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EyiThXE.exe
PID 2540 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gKCFdoX.exe
PID 2540 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gKCFdoX.exe
PID 2540 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gKCFdoX.exe
PID 2540 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iXaYmra.exe
PID 2540 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iXaYmra.exe
PID 2540 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iXaYmra.exe
PID 2540 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TrPooQU.exe
PID 2540 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TrPooQU.exe
PID 2540 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TrPooQU.exe
PID 2540 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qWpOGgp.exe
PID 2540 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qWpOGgp.exe
PID 2540 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qWpOGgp.exe
PID 2540 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QBWeEDO.exe
PID 2540 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QBWeEDO.exe
PID 2540 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QBWeEDO.exe
PID 2540 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UljDTIp.exe
PID 2540 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UljDTIp.exe
PID 2540 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UljDTIp.exe
PID 2540 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fTQYEPd.exe
PID 2540 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fTQYEPd.exe
PID 2540 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fTQYEPd.exe
PID 2540 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JdjzWXi.exe
PID 2540 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JdjzWXi.exe
PID 2540 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JdjzWXi.exe
PID 2540 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\olSIYdN.exe
PID 2540 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\olSIYdN.exe
PID 2540 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\olSIYdN.exe
PID 2540 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rYgYvjH.exe
PID 2540 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rYgYvjH.exe
PID 2540 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rYgYvjH.exe
PID 2540 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cpxguQg.exe
PID 2540 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cpxguQg.exe
PID 2540 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cpxguQg.exe
PID 2540 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GhEGoOS.exe
PID 2540 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GhEGoOS.exe
PID 2540 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GhEGoOS.exe
PID 2540 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dceWQgc.exe
PID 2540 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dceWQgc.exe
PID 2540 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dceWQgc.exe
PID 2540 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UYQsjpy.exe
PID 2540 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UYQsjpy.exe
PID 2540 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UYQsjpy.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\TVfkYEx.exe

C:\Windows\System\TVfkYEx.exe

C:\Windows\System\uyWCfmz.exe

C:\Windows\System\uyWCfmz.exe

C:\Windows\System\KmylfFA.exe

C:\Windows\System\KmylfFA.exe

C:\Windows\System\VPDwgJa.exe

C:\Windows\System\VPDwgJa.exe

C:\Windows\System\DGkPuez.exe

C:\Windows\System\DGkPuez.exe

C:\Windows\System\QuFaIlG.exe

C:\Windows\System\QuFaIlG.exe

C:\Windows\System\EyiThXE.exe

C:\Windows\System\EyiThXE.exe

C:\Windows\System\gKCFdoX.exe

C:\Windows\System\gKCFdoX.exe

C:\Windows\System\iXaYmra.exe

C:\Windows\System\iXaYmra.exe

C:\Windows\System\TrPooQU.exe

C:\Windows\System\TrPooQU.exe

C:\Windows\System\qWpOGgp.exe

C:\Windows\System\qWpOGgp.exe

C:\Windows\System\QBWeEDO.exe

C:\Windows\System\QBWeEDO.exe

C:\Windows\System\UljDTIp.exe

C:\Windows\System\UljDTIp.exe

C:\Windows\System\fTQYEPd.exe

C:\Windows\System\fTQYEPd.exe

C:\Windows\System\JdjzWXi.exe

C:\Windows\System\JdjzWXi.exe

C:\Windows\System\olSIYdN.exe

C:\Windows\System\olSIYdN.exe

C:\Windows\System\rYgYvjH.exe

C:\Windows\System\rYgYvjH.exe

C:\Windows\System\cpxguQg.exe

C:\Windows\System\cpxguQg.exe

C:\Windows\System\GhEGoOS.exe

C:\Windows\System\GhEGoOS.exe

C:\Windows\System\dceWQgc.exe

C:\Windows\System\dceWQgc.exe

C:\Windows\System\UYQsjpy.exe

C:\Windows\System\UYQsjpy.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2540-0-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

memory/2540-1-0x0000000000180000-0x0000000000190000-memory.dmp

\Windows\system\TVfkYEx.exe

MD5 6f7643015c38168fe537749319df88bc
SHA1 14cdf7dee22f6761a676418ae6bffcb880619850
SHA256 a070fc87381c0e244ee4736a99fb8f191073292491c086fb7d4d83b4e9858709
SHA512 c7f354a43e00e2df1cf02d3bf0e6c49f2cc971051637814a9d5e196309ba7fae82143af83cc7407e8a919ec2899bf9be0a11bf2426967d25804faf57a82076cf

memory/2540-6-0x00000000023A0000-0x00000000026F4000-memory.dmp

C:\Windows\system\uyWCfmz.exe

MD5 918094938594af8c01fa748854a36bdb
SHA1 15056b342f8c327d68a5f6c87390a3c3c542f85b
SHA256 01885ea70efe5c591c04dd02a7567ea72f155a41bb892030c4c6c11ec522a308
SHA512 cb7d32fb2a95bdeead8347a064e6d765d1b21675e95361b63a3858c005ade9619d96c8e4cffd667ba10a6852ee4122b63307cdb41237eb718faee7d4e5c493a1

memory/520-14-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

memory/2540-15-0x00000000023A0000-0x00000000026F4000-memory.dmp

memory/2908-10-0x000000013F220000-0x000000013F574000-memory.dmp

C:\Windows\system\KmylfFA.exe

MD5 0cda67402110739498a2d772180e80e6
SHA1 49576c3ccfa36ccc8668520a5b28a7ec542e5ac2
SHA256 264fb8cd853d560716406c7807c977137f482a0415c908091e747170e000a422
SHA512 5b2a0d2845233166fd381880f8510d129749ed5f1eb32bf73cc261d30e7f28c78128fc05cefa4422d29dc60e4038b4223b454402ab4591eaf6941f7cf4258a56

memory/2540-20-0x00000000023A0000-0x00000000026F4000-memory.dmp

memory/2728-23-0x000000013F520000-0x000000013F874000-memory.dmp

\Windows\system\VPDwgJa.exe

MD5 3a70581b19cb917787593407eff53b5a
SHA1 632f671fb6b27ddb6c16c23e05174e15e6908f2d
SHA256 e1ea948831285888ce9244cba8d6895c2493d8d9ce1a43f0fe3cd83faae42465
SHA512 e78c5083041dc09ac9019c5054c781f69c00b3613f3bfe66a387dd74198a16c7a2803ac46cdf89d34f038b0c38c5d4ee977c0e13c7b03536fd7690c1ffbf2fb2

C:\Windows\system\QuFaIlG.exe

MD5 b9b0a9afdda5e33b6de93953b56895f0
SHA1 00db5cf97f506acbb09ffa2dc3b40e257e852f75
SHA256 90f58a225f1d372131deb01a40426635a7cf0616edd162b4731d7a08203fe74d
SHA512 222478b403c809a89c4a14740c52c12e2d00afe6383139e3a865814cb2dca5efe9e928d0964e248e7d42d281d43e402f8f9335b6bf7cae5378671fe763b7cd5a

memory/2540-34-0x00000000023A0000-0x00000000026F4000-memory.dmp

C:\Windows\system\DGkPuez.exe

MD5 5638ac21cd2058bd228aea05c68066ea
SHA1 1e25bd916491856717123aa9a6b52b76a26a4c62
SHA256 06ee67d9d17c323f42171743da0a01de248169cf729c5db4bcfa686a6a95df97
SHA512 026a29e11a6a49cdf76d833ccae413b9f78a0fc9940624a6ea483910d627e186091a739520d8c0b05e8b0058ad97747d5d9c23c3f00ebe942b3a832543a30844

memory/2760-42-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/2540-43-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2940-44-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2608-33-0x000000013FE10000-0x0000000140164000-memory.dmp

memory/2540-29-0x000000013FE10000-0x0000000140164000-memory.dmp

memory/2540-46-0x00000000023A0000-0x00000000026F4000-memory.dmp

memory/2908-54-0x000000013F220000-0x000000013F574000-memory.dmp

C:\Windows\system\gKCFdoX.exe

MD5 13608fe109d94f7a882b001bcb78d1dd
SHA1 652dde679a700d5915c2c2fa009f60b00307d746
SHA256 7daae6aaf89759f7bd05d299ec4683d79588cf787e8182b02890709ac9bc5767
SHA512 b0fb80286fc77fb14f84a7ecac4f2ee4ae6664a2618989d0f9c67598a4af2338389e365233705abb06f015ba11e54f7a7234654720ddc5b5cf9a8dcebbe83544

memory/520-59-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

memory/2616-60-0x000000013F370000-0x000000013F6C4000-memory.dmp

memory/2648-51-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

memory/2540-50-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

memory/2540-53-0x00000000023A0000-0x00000000026F4000-memory.dmp

C:\Windows\system\EyiThXE.exe

MD5 8118c567f8d92f5fe5b1dca6eeb65624
SHA1 f1a88d08164f738d0067e6687117b7bfe3c00a52
SHA256 42b28789d38bad24a42f482efcc7c4b2b0b5128e2d0048165a916b3058fe43d2
SHA512 6eb16ca14036ab42a226c54f68bb2192e3d063343919b46e161754f09ac90d2d26cefe5683a39c98bd83a0012dad743777a8f2a4c5ee5077c3af813a2789306f

C:\Windows\system\iXaYmra.exe

MD5 e2ece45be55ad3647f409f7c7e036081
SHA1 8fd4a0f0e0f27298936a8a71b50f35273a32817a
SHA256 6701d5d33464a3ff2faeabce00e047a7b8bd5cd57ac89b8ced302810d13b216e
SHA512 94c3419a9ec7a9f373a3625d6eab5045e8a515dbfe3d4d61197c91333b0d9b60b61908f8f39c89ef46f20c4271747e0f810095bb4804343318ee4a42e2211add

memory/3056-68-0x000000013F360000-0x000000013F6B4000-memory.dmp

memory/2540-65-0x00000000023A0000-0x00000000026F4000-memory.dmp

memory/2608-73-0x000000013FE10000-0x0000000140164000-memory.dmp

C:\Windows\system\TrPooQU.exe

MD5 bac6ef5f92992d4e5d7bad5a49d80d74
SHA1 ca32e204a8b058600d3e1ee0bdba02f6c5560c32
SHA256 e89b4092b3928f7fcf65967693f7f8b273f1886808372f1d5ce62c63f98989a2
SHA512 ec4b1b92dab08b15e7685c62bf09be40299d8179581f9f79b77da5fd28ce7bc58e7549fa5baa5ed6098cdd7810c3447b750cc05a383a33fa15bb70227ee197fa

memory/2088-76-0x000000013F310000-0x000000013F664000-memory.dmp

memory/2540-75-0x00000000023A0000-0x00000000026F4000-memory.dmp

\Windows\system\qWpOGgp.exe

MD5 797d565b45681d99eabcd6419aeda150
SHA1 d906d0bcf99bfe6d2016188a5a5e403dc00ee3af
SHA256 6b7b5b4f57405ed4516d90220d692c7382c9538aba802c3fa98291cd4510ff2f
SHA512 04e85129bddaccb3f8e187cc2b13d67ddb4c5bde8d9a1013c45c9030a70e6d0f131361403cd3033a7f479c8d38cc948eb7ef0ec162787d2fe229eca395d8774e

memory/1724-84-0x000000013FFD0000-0x0000000140324000-memory.dmp

memory/2760-82-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/2540-78-0x000000013FFD0000-0x0000000140324000-memory.dmp

\Windows\system\QBWeEDO.exe

MD5 089301ee841a86cc41f213e71ec35847
SHA1 ca1f1443a527a002cd9274e84ae0b2790cb136c4
SHA256 d188c5774c5882d8e21e73b6525d8ca0ea92ad095f471a73547237dad65aa2cf
SHA512 dd22005123f39b11d8524da4d2dc38aa42c959570281e434fc36e924a7e95fd47895f7506606b0f29b1c8324347d4fbb8800a2f8c294c1a1852bdfd961c6cfc8

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 11:27

Reported

2024-08-06 11:29

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\gOzthpY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vGopDvf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CcoaZPt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WxPbWLa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MMnoaZz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DLSbzaj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zjCmFEk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jKPRkFD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aHlLLVW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vHogYYH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MlLDUZc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LXCmUiC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eICnfam.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Yisqkwp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\izPZxEn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FmRdpqL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XElxNuK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wbIjahx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OmwCdma.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SLGorqS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wvqoPZr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2596 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DLSbzaj.exe
PID 2596 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DLSbzaj.exe
PID 2596 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LXCmUiC.exe
PID 2596 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LXCmUiC.exe
PID 2596 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zjCmFEk.exe
PID 2596 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zjCmFEk.exe
PID 2596 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eICnfam.exe
PID 2596 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eICnfam.exe
PID 2596 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SLGorqS.exe
PID 2596 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SLGorqS.exe
PID 2596 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wbIjahx.exe
PID 2596 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wbIjahx.exe
PID 2596 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OmwCdma.exe
PID 2596 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OmwCdma.exe
PID 2596 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jKPRkFD.exe
PID 2596 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jKPRkFD.exe
PID 2596 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gOzthpY.exe
PID 2596 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gOzthpY.exe
PID 2596 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vGopDvf.exe
PID 2596 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vGopDvf.exe
PID 2596 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aHlLLVW.exe
PID 2596 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aHlLLVW.exe
PID 2596 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Yisqkwp.exe
PID 2596 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Yisqkwp.exe
PID 2596 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wvqoPZr.exe
PID 2596 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wvqoPZr.exe
PID 2596 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CcoaZPt.exe
PID 2596 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CcoaZPt.exe
PID 2596 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WxPbWLa.exe
PID 2596 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WxPbWLa.exe
PID 2596 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vHogYYH.exe
PID 2596 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vHogYYH.exe
PID 2596 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MMnoaZz.exe
PID 2596 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MMnoaZz.exe
PID 2596 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\izPZxEn.exe
PID 2596 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\izPZxEn.exe
PID 2596 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MlLDUZc.exe
PID 2596 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MlLDUZc.exe
PID 2596 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FmRdpqL.exe
PID 2596 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FmRdpqL.exe
PID 2596 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XElxNuK.exe
PID 2596 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XElxNuK.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\DLSbzaj.exe

C:\Windows\System\DLSbzaj.exe

C:\Windows\System\LXCmUiC.exe

C:\Windows\System\LXCmUiC.exe

C:\Windows\System\zjCmFEk.exe

C:\Windows\System\zjCmFEk.exe

C:\Windows\System\eICnfam.exe

C:\Windows\System\eICnfam.exe

C:\Windows\System\SLGorqS.exe

C:\Windows\System\SLGorqS.exe

C:\Windows\System\wbIjahx.exe

C:\Windows\System\wbIjahx.exe

C:\Windows\System\OmwCdma.exe

C:\Windows\System\OmwCdma.exe

C:\Windows\System\jKPRkFD.exe

C:\Windows\System\jKPRkFD.exe

C:\Windows\System\gOzthpY.exe

C:\Windows\System\gOzthpY.exe

C:\Windows\System\vGopDvf.exe

C:\Windows\System\vGopDvf.exe

C:\Windows\System\aHlLLVW.exe

C:\Windows\System\aHlLLVW.exe

C:\Windows\System\Yisqkwp.exe

C:\Windows\System\Yisqkwp.exe

C:\Windows\System\wvqoPZr.exe

C:\Windows\System\wvqoPZr.exe

C:\Windows\System\CcoaZPt.exe

C:\Windows\System\CcoaZPt.exe

C:\Windows\System\WxPbWLa.exe

C:\Windows\System\WxPbWLa.exe

C:\Windows\System\vHogYYH.exe

C:\Windows\System\vHogYYH.exe

C:\Windows\System\MMnoaZz.exe

C:\Windows\System\MMnoaZz.exe

C:\Windows\System\izPZxEn.exe

C:\Windows\System\izPZxEn.exe

C:\Windows\System\MlLDUZc.exe

C:\Windows\System\MlLDUZc.exe

C:\Windows\System\FmRdpqL.exe

C:\Windows\System\FmRdpqL.exe

C:\Windows\System\XElxNuK.exe

C:\Windows\System\XElxNuK.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
