Malware Analysis Report

2025-01-22 19:22

Sample ID 240806-nnmdnaxhjk
Target 2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat
SHA256 ea2cc081aa0706a948800629fad1b276f0192e71969db3266bfa7e3d578766b1
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

ea2cc081aa0706a948800629fad1b276f0192e71969db3266bfa7e3d578766b1

Threat Level: Known bad

The file 2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike

xmrig

Cobaltstrike family

Cobalt Strike reflective loader

Xmrig family

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 11:32

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
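The static1 rules "UPX packed file" and "Unsigned PE" fire on header facts rather than behaviour, and the export above carries no detail about what matched. The following is an added example (not the sandbox's own rule code) of how those two checks are usually implemented: a standard-library PE header parser, a section-name plus entropy heuristic for UPX, and an Authenticode-presence check. build_sample_pe, the entropy threshold of 7.0 and the dummy signature blob are this example's own constructions so that it runs offline; a real file would be read from disk and passed to scan().

```python
"""How the static1 signatures 'UPX packed file' and 'Unsigned PE' are typically
checked. Added example, not sandbox code: a stdlib-only PE header parser plus a
constructed minimal PE32+ image as sample input (build_sample_pe is a helper
written for this demo, not a real tool)."""
import math
import struct

SECURITY_DIR_INDEX = 4   # IMAGE_DIRECTORY_ENTRY_SECURITY: where the Authenticode blob lives
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}


def parse_pe(data: bytes) -> dict:
    """Return machine type, section names/raw bytes and the security data directory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # NumberOfRvaAndSizes and the data directories sit at different offsets
    # in PE32 (magic 0x10B) and PE32+ (magic 0x20B) optional headers.
    if magic == 0x10B:
        n_dd, dd_base = struct.unpack_from("<I", data, opt + 92)[0], opt + 96
    elif magic == 0x20B:
        n_dd, dd_base = struct.unpack_from("<I", data, opt + 108)[0], opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sec_dir = (0, 0)
    if n_dd > SECURITY_DIR_INDEX:
        sec_dir = struct.unpack_from("<II", data, dd_base + 8 * SECURITY_DIR_INDEX)
    sections = []
    sh = opt + opt_size
    for i in range(nsect):
        name, _vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sh + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "raw": data[rawptr:rawptr + rawsize]})
    return {"machine": machine, "sections": sections, "security_dir": tuple(sec_dir)}


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; packed or encrypted data sits near 8.0, plain x86 code around 6."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_upx_packed(pe: dict) -> bool:
    """Stock UPX names its sections UPX0/UPX1. A renamed stub still leaves the
    tell-tale layout: an empty first section (the unpacking target) followed by
    a high-entropy section holding the compressed image."""
    secs = pe["sections"]
    if any(s["name"] in UPX_SECTION_NAMES for s in secs):
        return True
    return (len(secs) >= 2 and len(secs[0]["raw"]) == 0
            and shannon_entropy(secs[1]["raw"]) > 7.0)


def is_unsigned(pe: dict) -> bool:
    """True when the security directory is empty, i.e. no Authenticode blob is
    attached at all. A non-empty directory only means a blob exists; it still has
    to be verified (WinVerifyTrust / signtool) before the file counts as signed."""
    return pe["security_dir"][1] == 0


def scan(data: bytes) -> dict:
    pe = parse_pe(data)
    return {"sections": [s["name"].decode("ascii", "replace") for s in pe["sections"]],
            "upx": is_upx_packed(pe), "unsigned": is_unsigned(pe)}


def build_sample_pe(sections, signed: bool) -> bytes:
    """Constructed minimal PE32+ image: DOS stub, COFF header, 240-byte optional
    header, section table, section bodies and (optionally) a dummy signature blob."""
    hdr_len = 0x40 + 4 + 20 + 240 + 40 * len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                            # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                             # NumberOfRvaAndSizes
    body = b"".join(raw for _, raw in sections)
    blob = b"\x30\x82" + b"\0" * 30 if signed else b""               # placeholder WIN_CERTIFICATE
    if signed:   # the security directory holds a file offset, not an RVA
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX, hdr_len + len(body), len(blob))
    table, off = b"", hdr_len
    for name, raw in sections:
        table += struct.pack("<8sIIII", name, len(raw) or 0x1000, 0x1000, len(raw), off) + b"\0" * 16
        off += len(raw)
    return dos + b"PE\0\0" + coff + bytes(opt) + table + body + blob


if __name__ == "__main__":
    packed = build_sample_pe([(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 2)], signed=False)
    print(scan(packed))   # {'sections': ['UPX0', 'UPX1'], 'upx': True, 'unsigned': True}
```

Both checks are cheap and both are heuristics: a renamed UPX stub defeats the name test (hence the entropy fallback), and "unsigned" only means no blob is attached, which is true of most malware but also of a great deal of legitimate software, so it is a scoring input rather than a verdict on its own.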

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 11:32

Reported

2024-08-06 11:35

Platform

win7-20240705-en

Max time kernel

136s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 rows, every column exported as N/A; the report carries no per-match detail for this rule)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(53 rows, every column exported as N/A; the report carries no per-match detail for this rule)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
(21 identical rows: the sample process is the loading process in each; the DLL paths were not exported)

UPX packed file

upx
Description Indicator Process Target
(53 rows, every column exported as N/A; the report carries no per-match detail for this rule)

Drops file in Windows directory

Description Indicator Process Target
Process for all 21 rows: C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe (Indicator and Target N/A)
File created C:\Windows\System\sLjsvhF.exe
File created C:\Windows\System\LWayfDH.exe
File created C:\Windows\System\tSWuHSi.exe
File created C:\Windows\System\XaphJbJ.exe
File created C:\Windows\System\lgLPQhN.exe
File created C:\Windows\System\aHNTWYz.exe
File created C:\Windows\System\ohXotHz.exe
File created C:\Windows\System\mqQbfsE.exe
File created C:\Windows\System\BJkYkmS.exe
File created C:\Windows\System\RGivLrv.exe
File created C:\Windows\System\QkTdiEn.exe
File created C:\Windows\System\mmLbQAY.exe
File created C:\Windows\System\nALQOIC.exe
File created C:\Windows\System\sTaoZYw.exe
File created C:\Windows\System\QpmXztw.exe
File created C:\Windows\System\UlRNRzO.exe
File created C:\Windows\System\OSkGFky.exe
File created C:\Windows\System\PdeYhqt.exe
File created C:\Windows\System\FEHQtZp.exe
File created C:\Windows\System\OPBHKnw.exe
File created C:\Windows\System\bbbWowz.exe
All 21 drops are seven-letter mixed-case names written directly under C:\Windows\System, and the Files section below records a different hash for every one of them, so the drop location and naming pattern generalise as indicators where the individual file hashes do not.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Source for every row: PID 2180, C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe (Indicator N/A). Each child below received three writes, 63 rows in total. The export does not record what was written, so this table establishes the parent-to-child spawn chain, not the content of any injection.
PID 2180 wrote to memory of 2020 C:\Windows\System\ohXotHz.exe
PID 2180 wrote to memory of 1860 C:\Windows\System\mqQbfsE.exe
PID 2180 wrote to memory of 1344 C:\Windows\System\sLjsvhF.exe
PID 2180 wrote to memory of 2412 C:\Windows\System\OPBHKnw.exe
PID 2180 wrote to memory of 2660 C:\Windows\System\mmLbQAY.exe
PID 2180 wrote to memory of 2776 C:\Windows\System\bbbWowz.exe
PID 2180 wrote to memory of 2948 C:\Windows\System\nALQOIC.exe
PID 2180 wrote to memory of 2680 C:\Windows\System\BJkYkmS.exe
PID 2180 wrote to memory of 2536 C:\Windows\System\FEHQtZp.exe
PID 2180 wrote to memory of 1640 C:\Windows\System\OSkGFky.exe
PID 2180 wrote to memory of 2156 C:\Windows\System\LWayfDH.exe
PID 2180 wrote to memory of 588 C:\Windows\System\PdeYhqt.exe
PID 2180 wrote to memory of 1020 C:\Windows\System\tSWuHSi.exe
PID 2180 wrote to memory of 2844 C:\Windows\System\sTaoZYw.exe
PID 2180 wrote to memory of 2008 C:\Windows\System\RGivLrv.exe
PID 2180 wrote to memory of 1488 C:\Windows\System\QpmXztw.exe
PID 2180 wrote to memory of 980 C:\Windows\System\XaphJbJ.exe
PID 2180 wrote to memory of 2720 C:\Windows\System\lgLPQhN.exe
PID 2180 wrote to memory of 2752 C:\Windows\System\UlRNRzO.exe
PID 2180 wrote to memory of 2848 C:\Windows\System\aHNTWYz.exe
PID 2180 wrote to memory of 1548 C:\Windows\System\QkTdiEn.exe

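The "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" tables above describe one behaviour: a single parent running from the user's Temp directory writes random-named executables into C:\Windows\System and then launches each of them. The following is an added example of detection logic for that pattern; it is not sandbox output or a rule from the report. SAMPLE_EVENTS are constructed Sysmon-style records (FileCreate and ProcessCreate) that reuse four of the report's file names and PIDs, with a shortened stand-in for the sample's long file name; the field names, the seven-letter regex and the MIN_DROPS threshold are this example's own choices.

```python
"""Detection logic for the behaviour recorded in behavioral1: a parent running
from a user-writable Temp path drops executables with random seven-letter names
into C:\\Windows\\System and then executes each one. Added example, not sandbox
output. SAMPLE_EVENTS are constructed Sysmon-style records (Event ID 11
FileCreate, Event ID 1 ProcessCreate) reusing four of the report's file names
and PIDs; the field names and thresholds are this example's own choices."""
import re
from collections import defaultdict

RANDOM_NAME = re.compile(r"^[a-z]{7}\.exe$")   # paths are lower-cased before matching
DROP_DIR = "c:\\windows\\system\\"             # legacy 16-bit directory; normal software does not write here
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")
MIN_DROPS = 3                                  # alert threshold; the sample dropped 21


def analyse(events):
    """Group events by parent PID and flag parents that both drop random-named
    executables into C:\\Windows\\System and spawn them. Returns a list of alerts."""
    drops = defaultdict(set)     # parent pid -> dropped paths matching the pattern
    spawns = defaultdict(set)    # parent pid -> child image paths it launched
    images = {}                  # pid -> image path, for reporting
    for ev in events:
        if ev["event"] == "FileCreate":
            images[ev["pid"]] = ev["image"]
            target = ev["target"].lower()
            if target.startswith(DROP_DIR) and RANDOM_NAME.match(target[len(DROP_DIR):]):
                drops[ev["pid"]].add(target)
        elif ev["event"] == "ProcessCreate":
            images[ev["pid"]] = ev["image"]
            images.setdefault(ev["ppid"], ev["parent_image"])
            spawns[ev["ppid"]].add(ev["image"].lower())
    alerts = []
    for ppid, dropped in drops.items():
        executed = dropped & spawns[ppid]           # dropped files the same parent also ran
        if len(dropped) < MIN_DROPS or not executed:
            continue
        parent = images.get(ppid, "").lower()
        alerts.append({
            "parent_pid": ppid,
            "parent_image": parent,
            "parent_in_user_writable_path": any(p in parent for p in USER_WRITABLE),
            "dropped": len(dropped),
            "executed": len(executed),
            "severity": "high" if len(executed) >= MIN_DROPS else "medium",
        })
    return alerts


# Constructed sample telemetry (not lines from the report). PARENT stands in for
# the sample's long file name; the child names and PIDs are taken from the tables above.
PARENT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe"
SAMPLE_EVENTS = []
for pid, name in [(2020, "ohXotHz"), (1860, "mqQbfsE"), (1344, "sLjsvhF"), (2412, "OPBHKnw")]:
    child = "C:\\Windows\\System\\" + name + ".exe"
    SAMPLE_EVENTS.append({"event": "FileCreate", "pid": 2180, "image": PARENT, "target": child})
    SAMPLE_EVENTS.append({"event": "ProcessCreate", "pid": pid, "ppid": 2180,
                          "parent_image": PARENT, "image": child})
# Benign noise that must not alert: an installer writing under Program Files
# and a service host started by services.exe.
SAMPLE_EVENTS += [
    {"event": "FileCreate", "pid": 900, "image": "C:\\Users\\Admin\\Downloads\\setup.exe",
     "target": "C:\\Program Files\\App\\app.exe"},
    {"event": "ProcessCreate", "pid": 901, "ppid": 900,
     "parent_image": "C:\\Users\\Admin\\Downloads\\setup.exe",
     "image": "C:\\Program Files\\App\\app.exe"},
    {"event": "ProcessCreate", "pid": 650, "ppid": 600,
     "parent_image": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\System32\\svchost.exe"},
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(alert)
```

In production the events would come from Sysmon (IDs 1 and 11) or equivalent EDR telemetry. Writing under C:\Windows normally requires an elevated token, so the parent's integrity level is worth collecting alongside these fields; and because every dropped file in this report carries a different hash, the rule keys on location, naming and fan-out rather than on file hashes.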
Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe"

Child processes (each launched with its bare image path as the command line, no arguments):

C:\Windows\System\ohXotHz.exe
C:\Windows\System\mqQbfsE.exe
C:\Windows\System\sLjsvhF.exe
C:\Windows\System\OPBHKnw.exe
C:\Windows\System\mmLbQAY.exe
C:\Windows\System\bbbWowz.exe
C:\Windows\System\nALQOIC.exe
C:\Windows\System\BJkYkmS.exe
C:\Windows\System\FEHQtZp.exe
C:\Windows\System\OSkGFky.exe
C:\Windows\System\LWayfDH.exe
C:\Windows\System\PdeYhqt.exe
C:\Windows\System\tSWuHSi.exe
C:\Windows\System\sTaoZYw.exe
C:\Windows\System\RGivLrv.exe
C:\Windows\System\QpmXztw.exe
C:\Windows\System\XaphJbJ.exe
C:\Windows\System\lgLPQhN.exe
C:\Windows\System\UlRNRzO.exe
C:\Windows\System\aHNTWYz.exe
C:\Windows\System\QkTdiEn.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (no domain recorded) tcp
(6 identical rows. The connections went to the IP directly; the table has no process column, so the report does not say which of the processes above opened them.)

Files

memory/2180-0-0x000000013FAF0000-0x000000013FE44000-memory.dmp

memory/2180-1-0x0000000000080000-0x0000000000090000-memory.dmp

memory/2180-27-0x0000000002390000-0x00000000026E4000-memory.dmp

memory/2180-22-0x000000013FF50000-0x00000001402A4000-memory.dmp

\Windows\system\mmLbQAY.exe

MD5 8c16febf366b46e68cec534fec44b835
SHA1 207c265ac339b6fae9e1b2bf5200d0abe3b13c36
SHA256 2c2b8e763cacea86979d02b60a087ea758b861330c5bdaabd087fb0e5f035455
SHA512 cd6cdd937e633612619ee3c0bc9d0e0022128fffeb949c43cd1477c4197b528ff033340e9a4190439af5f2c85a402ea49a3d2d10d6ba09432a5339bf15990a56

memory/2660-42-0x000000013FD40000-0x0000000140094000-memory.dmp

memory/1344-41-0x000000013FAF0000-0x000000013FE44000-memory.dmp

memory/2776-38-0x000000013FA60000-0x000000013FDB4000-memory.dmp

memory/2412-37-0x000000013FF50000-0x00000001402A4000-memory.dmp

memory/1860-36-0x000000013F4E0000-0x000000013F834000-memory.dmp

C:\Windows\system\sLjsvhF.exe

MD5 17d2ac1f8c2ea17119e754055b586da5
SHA1 dd365770308c9f6975fd63d41924ad4597a17003
SHA256 5efeba49e74589fe9c91728f02faeafd3cfbeada06850778186c0e5b04c9c05b
SHA512 66354b8f43bdb2c88ccbdbed3514648859fa5c3d2d01299c287f9de2d40923b62b33162f5383b3366d631234ce91ee5eb6b89d804fcaec678dacdf50a0312457

memory/2180-15-0x0000000002390000-0x00000000026E4000-memory.dmp

C:\Windows\system\bbbWowz.exe

MD5 4b76acd30cf1433f004e8acca9f14df3
SHA1 ed8c26a51f7a53d396c0ba8b98280d496445906b
SHA256 001c498593a71ea78d6d635b04b71ecf905e05586c876901f68808cbe03ff238
SHA512 62e49f400e38bf383324f1f6107ab53b9bdc2706b42f26789099c71a2c0eba6db41b2dd1922f88eb4530a45fd81f021ec961dcc39cfd2c4ff3485c8a6b859138

C:\Windows\system\OPBHKnw.exe

MD5 4c1554759990403032cd3dccf5edaa2c
SHA1 367d26c9c175f48fa927ae0ed2e76b1e739547b4
SHA256 146fe4041b1974f9cfd9c4f60b669fe0f0ba36915b9a6f15d16b9c97eb96cbf4
SHA512 e763d21c3be4baba2bdc7c5718dffd119471a4c954dbd6910ea3bbb03f81b30389aa174af8a2af4add5ef9a5b7cdfd104be30428a171f34fa1458c24f5dfdcfb

C:\Windows\system\mqQbfsE.exe

MD5 620a080d3612d9a9201cef0aa5a2e74b
SHA1 3009bea1b7e92d45fa8ea4b9bfce4056c666f401
SHA256 00dfa2dc175b5b3dd1c9b75d05a7cc918b326fc5145830f84fab7fde8ca2e08a
SHA512 f86c6fff2933b52d2ef6b462cfedd021be5071d9d5ee64f585d05ac52a40fde84513c8de5bafc93538ad64c53c2291e0bba09979b1975715befcbc86cd9b6e32

memory/2180-26-0x0000000002390000-0x00000000026E4000-memory.dmp

\Windows\system\nALQOIC.exe

MD5 83349a5db80a026aae88de3dce04a725
SHA1 c88bab8bfedd93c78ae40fc71ad10262aad86f89
SHA256 c597bf6608f73657a7f21af06cadc07423029edf242c1e09d384fcd6774129de
SHA512 197ca53335ae78861dcf06f8b187c4b0ecc7f24eed452cfcc80d547631f50ac3a27211e30bd7feb8fafe9d8225747e4717cc79a3d4954138e8e74a7faf27752f

memory/2180-44-0x0000000002390000-0x00000000026E4000-memory.dmp

memory/2020-11-0x000000013F140000-0x000000013F494000-memory.dmp

memory/2180-48-0x000000013FAF0000-0x000000013FE44000-memory.dmp

memory/2948-49-0x000000013FD60000-0x00000001400B4000-memory.dmp

memory/2680-57-0x000000013F640000-0x000000013F994000-memory.dmp

memory/2180-55-0x0000000002390000-0x00000000026E4000-memory.dmp

C:\Windows\system\BJkYkmS.exe

MD5 3215ebd23f496889790fb7c79e74a5e6
SHA1 0bff4e88fc1299200ec2313daa52d8ce077190e7
SHA256 5b620326065c6e47c5ef18a479a88255adfaa131d8dd9c5664bd3d37cfd5e4e8
SHA512 e5c7dd5557d3d3e74f177d773e5be96fb88844bc1b2696fd6f07f09000caf43f450f81fd899a42d0fc37a1e66dfb2f3ea9c8928a09d01646390db0829bb8bd46

C:\Windows\system\ohXotHz.exe

MD5 e2b7c3a166a26d13785bddb2fd709cda
SHA1 783b79b0d807be2407d3fcb2e5a74e7c5fcb125f
SHA256 8217dd5d40f2be93e01bf64a14e4a2e68396f6e7ce085a1c26af72115f00a322
SHA512 e28cd346caed5bff7d359488f8f70a283709bd743ac686bc414b72abe8dc1e897a68d84d16412ddfd50ae4b1e37c22c4c26ed7a7673cb42895fc108e186fcffd

\Windows\system\FEHQtZp.exe

MD5 ae02388c87bd4a6e33b7c5f5cac899b3
SHA1 0f483fa483a070fcac3783d12dde3e11304ecab0
SHA256 009d801745fd393777d09724760ca76d637df9933293a8ef38ad200786b2188f
SHA512 467cab12624bda545afa6f777186d2de8ff77caf04e98047760ac23029adb42dae6ab3b9d0521af8e90e76c6974b5d88e8ad0520b8470859bfcffe77c8966c93

C:\Windows\system\OSkGFky.exe

MD5 dcab91ff9743f110fd8a4f5ec0f8677d
SHA1 dc25cf5d2498f27487a71f7cb22c062756fa344a
SHA256 07d3365ac154f2de4ceb7a69bc083bfb19c746f64cba4aa8fc64d0043160face
SHA512 46dc72f799b4f755b8d58b549538157e166d645d2134f71c1cf9baac8f7316f2eb1619d3f8502ec233a3e88b942ecfab4b3aeb57db9f6fc0deb05f2b1b0fb8d1

memory/2180-67-0x0000000002390000-0x00000000026E4000-memory.dmp

\Windows\system\LWayfDH.exe

MD5 185ec263cc93b2cef3b20250cb7fddab
SHA1 ff74b1aa688114430887efb28c5b9eae7a66e8c3
SHA256 5ffafa01faace256c940a0e9ddde8eb5616b45c0a4d58c9225c9308700212635
SHA512 ad3e78b49d9e70f0d5b94d855ce24711b43bde796309674c60a6e3f58502394fbf9f93b945fe1b897ea4e756e9b53a1ba04a7e1b8685523c624ffe1efb3825a8

memory/1640-69-0x000000013F9D0000-0x000000013FD24000-memory.dmp

memory/1860-73-0x000000013F4E0000-0x000000013F834000-memory.dmp

memory/2156-75-0x000000013FD50000-0x00000001400A4000-memory.dmp

C:\Windows\system\PdeYhqt.exe

MD5 9ba5606458db989104959cff00f9f2e2
SHA1 b027ac72c33f043aa4d9621cb5e04f003aeec4db
SHA256 72d3e5a7e970684b6f23f465d1b5ee6a33611a8c26476fe0c21859f76afd3a01
SHA512 a26bde574af380cd03f2ab13387290f558363c23e2b4345aceb2cd868adda1a5775d0973a142571551ea39afe38e698c4bf1b6a0604cf05508227365c9f26a92

C:\Windows\system\lgLPQhN.exe

MD5 5ccdbfcfeb15ccc3e495328785af647c
SHA1 dc6915a1781c10f6f5b6e99feef5157be233b430
SHA256 57605b283ce674a5c7c3a165bacc667fa91d38d8ab252a43a2ed4796221c62b1
SHA512 96ab7e7bca15305f3636e8b95f27eaee56a3dca17d969ddc0660b561b802ff1334d69d1ea49548540d2c27dcccbfbb7ac1452c8fadaeffe4468ccc28abd57878

C:\Windows\system\aHNTWYz.exe

MD5 e75a2799a99c17022b42f02e1537a735
SHA1 77a929c9a957f457cbded1dfa24b0f6f40153a49
SHA256 590105cad853e8f9b9a0730f170ede68d3c005254ba1d39df129279c6b84d34f
SHA512 717c0a1aac8f8804460153604b7361ef4017379249d66c6a9ea441547cc5718a9ca3a01fb90aa8a063233cac86adee1e89e1dc449d4d4d3f9e8c8d381b924fe5

C:\Windows\system\tSWuHSi.exe

MD5 771f888681d53e823992806b9a316ae8
SHA1 369033150449dd1038424d51f0d49d2f0d3a585a
SHA256 1cb092f645bb8d6999434ad2f4d19a544fe60a991261971431f4df4a1d4575cc
SHA512 e66d218fbd4f37eae866264f7794c158580e096b66add7e0b65b92d555a0c8e5ec03a25a4c8b8feff0b69b63585aa2507aad8b77edf658ded3dd03ad95d96b8d

\Windows\system\XaphJbJ.exe

MD5 6f577d2141a71657abfedd425a39dc04
SHA1 2c3538ec175bbf46ded8370759008413207d841f
SHA256 62547d53c3f5f3e6f44873c99c9cd9457d33a075e7a91def6e1594c2fc167c18
SHA512 ed6e5424543c382e72ecab4e0adf8a2ef643ec7093da99c312e63f59129c6c489afe35285eb8915221c64b6f862ddd6cb110aa9f38d65841606603b62418dbf5

\Windows\system\QkTdiEn.exe

MD5 940ce7ecad60897589f60d127ab82066
SHA1 a4655a9f78e2fffd99d99f42a9a53b5be2932da4
SHA256 abff612ffb7ece0094d6fc06ce84f57810a7a5ae197c482cd163a4b6d7c2c31b
SHA512 2beafa709fc7f362b46c0b3f598a43ea8bcad4ce1fa006920df50f03ec4f3b7ba3001d80c5e61a5c95582c428077f79c52210489b059d61e8ae46adeb593feb8

\Windows\system\UlRNRzO.exe

MD5 b5cd54ca329fc70d4acf6d88c3deefdf
SHA1 3f4da9544a28177ffc08fe3a23767e1f93e4efef
SHA256 e66a320a4dbef55ed6a363aa90423e709e7a4fd7acb67910a69141333aa7de20
SHA512 2ee9317c4a0f812d783ba8e16dc68b14ea648cb961c1d1f77f51029941db4524b90f8846125aa1c9ae27fd9d76766df48f3b4056e23875cbbda33ab88a6da56e

\Windows\system\RGivLrv.exe

MD5 a7815d55d92acc7f55d41bbb462fe8e9
SHA1 a5c4b51eb7d9ed93a359bd9f6f72f5e19bb37f61
SHA256 33173551cea1c5a3ad858a0d7c698a483e43c77fa8d720aca202d7917c4711ae
SHA512 510de29d19343b887e86ce76089d6643528b330441b62356411a4957cbe44a9528874c14a6b27a58ad3f8495434810b8da03c5080a0041d5b5c56d5462b5f9fe

C:\Windows\system\QpmXztw.exe

MD5 7152716d5e439b25bedb6be3db5100a3
SHA1 ba487bf4c70c206ad48fbb78bb619470934f1cca
SHA256 85bf59e7ee812504b776fec5f663bada8520ed6f188f5e3daead85f43da82939
SHA512 949a4cbd7edd708a059bbbb5bf9a98e7f6ca32d26cc8397c8a5b2b806ee1d1a385b6b6cca099a084664d01660c37d170397b95cc7e0de61ec122936cf54b0bdd

C:\Windows\system\sTaoZYw.exe


Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 11:32

Reported

2024-08-06 11:35

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\clbsqPE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ygKbhct.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xlIAGyD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HpyfZrr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aBCPOob.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NLRZISn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hrvxSUE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sJzULis.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UQWUpow.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VYfSfES.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZUabGdz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bDSXMsQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pPeRfPh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dlGKCdL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HDaPVQb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ImTsOxf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CVIWlZa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\piGXSyC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zanGbXc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\obvYmwo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\idqPYFT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3116 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sJzULis.exe
PID 3116 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sJzULis.exe
PID 3116 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ygKbhct.exe
PID 3116 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ygKbhct.exe
PID 3116 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bDSXMsQ.exe
PID 3116 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bDSXMsQ.exe
PID 3116 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pPeRfPh.exe
PID 3116 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pPeRfPh.exe
PID 3116 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CVIWlZa.exe
PID 3116 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CVIWlZa.exe
PID 3116 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dlGKCdL.exe
PID 3116 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dlGKCdL.exe
PID 3116 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xlIAGyD.exe
PID 3116 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xlIAGyD.exe
PID 3116 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UQWUpow.exe
PID 3116 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UQWUpow.exe
PID 3116 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HpyfZrr.exe
PID 3116 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HpyfZrr.exe
PID 3116 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aBCPOob.exe
PID 3116 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aBCPOob.exe
PID 3116 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\piGXSyC.exe
PID 3116 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\piGXSyC.exe
PID 3116 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HDaPVQb.exe
PID 3116 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HDaPVQb.exe
PID 3116 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zanGbXc.exe
PID 3116 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zanGbXc.exe
PID 3116 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VYfSfES.exe
PID 3116 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VYfSfES.exe
PID 3116 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ImTsOxf.exe
PID 3116 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ImTsOxf.exe
PID 3116 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZUabGdz.exe
PID 3116 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZUabGdz.exe
PID 3116 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\obvYmwo.exe
PID 3116 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\obvYmwo.exe
PID 3116 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\idqPYFT.exe
PID 3116 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\idqPYFT.exe
PID 3116 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NLRZISn.exe
PID 3116 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NLRZISn.exe
PID 3116 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hrvxSUE.exe
PID 3116 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hrvxSUE.exe
PID 3116 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\clbsqPE.exe
PID 3116 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\clbsqPE.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\sJzULis.exe

C:\Windows\System\sJzULis.exe

C:\Windows\System\ygKbhct.exe

C:\Windows\System\ygKbhct.exe

C:\Windows\System\bDSXMsQ.exe

C:\Windows\System\bDSXMsQ.exe

C:\Windows\System\pPeRfPh.exe

C:\Windows\System\pPeRfPh.exe

C:\Windows\System\CVIWlZa.exe

C:\Windows\System\CVIWlZa.exe

C:\Windows\System\dlGKCdL.exe

C:\Windows\System\dlGKCdL.exe

C:\Windows\System\xlIAGyD.exe

C:\Windows\System\xlIAGyD.exe

C:\Windows\System\UQWUpow.exe

C:\Windows\System\UQWUpow.exe

C:\Windows\System\HpyfZrr.exe

C:\Windows\System\HpyfZrr.exe

C:\Windows\System\aBCPOob.exe

C:\Windows\System\aBCPOob.exe

C:\Windows\System\piGXSyC.exe

C:\Windows\System\piGXSyC.exe

C:\Windows\System\HDaPVQb.exe

C:\Windows\System\HDaPVQb.exe

C:\Windows\System\zanGbXc.exe

C:\Windows\System\zanGbXc.exe

C:\Windows\System\VYfSfES.exe

C:\Windows\System\VYfSfES.exe

C:\Windows\System\ImTsOxf.exe

C:\Windows\System\ImTsOxf.exe

C:\Windows\System\ZUabGdz.exe

C:\Windows\System\ZUabGdz.exe

C:\Windows\System\obvYmwo.exe

C:\Windows\System\obvYmwo.exe

C:\Windows\System\idqPYFT.exe

C:\Windows\System\idqPYFT.exe

C:\Windows\System\NLRZISn.exe

C:\Windows\System\NLRZISn.exe

C:\Windows\System\hrvxSUE.exe

C:\Windows\System\hrvxSUE.exe

C:\Windows\System\clbsqPE.exe

C:\Windows\System\clbsqPE.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\sJzULis.exe


C:\Windows\System\bDSXMsQ.exe


C:\Windows\System\ygKbhct.exe


C:\Windows\System\dlGKCdL.exe


C:\Windows\System\xlIAGyD.exe


C:\Windows\System\UQWUpow.exe


C:\Windows\System\pPeRfPh.exe


C:\Windows\System\CVIWlZa.exe


C:\Windows\System\HpyfZrr.exe


C:\Windows\System\aBCPOob.exe


C:\Windows\System\piGXSyC.exe


C:\Windows\System\HDaPVQb.exe


C:\Windows\System\VYfSfES.exe


C:\Windows\System\ImTsOxf.exe


C:\Windows\System\obvYmwo.exe


C:\Windows\System\hrvxSUE.exe


C:\Windows\System\NLRZISn.exe


C:\Windows\System\idqPYFT.exe


C:\Windows\System\ZUabGdz.exe


C:\Windows\System\zanGbXc.exe


C:\Windows\System\clbsqPE.exe

