Malware Analysis Report

2025-01-22 19:22

Sample ID 240806-nw8a4ayaml
Target 2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat
SHA256 ae656088796f40c75727c41eefa410ea4c2ca7bb022d388c1e568f23c067fec2
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Analysis Overview

score
10/10

SHA256

ae656088796f40c75727c41eefa410ea4c2ca7bb022d388c1e568f23c067fec2

Threat Level: Known bad

The file 2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike

Cobaltstrike family

Cobalt Strike reflective loader

xmrig

XMRig Miner payload

Xmrig family

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 11:45

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 11:45

Reported

2024-08-06 11:48

Platform

win7-20240729-en

Max time kernel

142s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\PCyHBOC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cFUZtJE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mBQwnJI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EOTPeot.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iAgWLho.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WbHTuvY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LjCZPtP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sfrWApv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jbRaUcj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dkvFOrI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JCOwyPj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XcEcsnA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZNYaPSP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FLIYCOY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FyekUIN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DAYTkjN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lEbzTJu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oHHZzdz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KPkkejn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PzJoZNP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AcVZMla.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2540 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lEbzTJu.exe
PID 2540 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oHHZzdz.exe
PID 2540 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PCyHBOC.exe
PID 2540 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XcEcsnA.exe
PID 2540 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cFUZtJE.exe
PID 2540 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mBQwnJI.exe
PID 2540 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jbRaUcj.exe
PID 2540 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EOTPeot.exe
PID 2540 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KPkkejn.exe
PID 2540 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iAgWLho.exe
PID 2540 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZNYaPSP.exe
PID 2540 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FLIYCOY.exe
PID 2540 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WbHTuvY.exe
PID 2540 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FyekUIN.exe
PID 2540 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LjCZPtP.exe
PID 2540 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DAYTkjN.exe
PID 2540 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PzJoZNP.exe
PID 2540 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dkvFOrI.exe
PID 2540 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JCOwyPj.exe
PID 2540 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AcVZMla.exe
PID 2540 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sfrWApv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\lEbzTJu.exe

C:\Windows\System\lEbzTJu.exe

C:\Windows\System\oHHZzdz.exe

C:\Windows\System\oHHZzdz.exe

C:\Windows\System\PCyHBOC.exe

C:\Windows\System\PCyHBOC.exe

C:\Windows\System\XcEcsnA.exe

C:\Windows\System\XcEcsnA.exe

C:\Windows\System\cFUZtJE.exe

C:\Windows\System\cFUZtJE.exe

C:\Windows\System\mBQwnJI.exe

C:\Windows\System\mBQwnJI.exe

C:\Windows\System\jbRaUcj.exe

C:\Windows\System\jbRaUcj.exe

C:\Windows\System\EOTPeot.exe

C:\Windows\System\EOTPeot.exe

C:\Windows\System\KPkkejn.exe

C:\Windows\System\KPkkejn.exe

C:\Windows\System\iAgWLho.exe

C:\Windows\System\iAgWLho.exe

C:\Windows\System\ZNYaPSP.exe

C:\Windows\System\ZNYaPSP.exe

C:\Windows\System\FLIYCOY.exe

C:\Windows\System\FLIYCOY.exe

C:\Windows\System\WbHTuvY.exe

C:\Windows\System\WbHTuvY.exe

C:\Windows\System\FyekUIN.exe

C:\Windows\System\FyekUIN.exe

C:\Windows\System\LjCZPtP.exe

C:\Windows\System\LjCZPtP.exe

C:\Windows\System\DAYTkjN.exe

C:\Windows\System\DAYTkjN.exe

C:\Windows\System\PzJoZNP.exe

C:\Windows\System\PzJoZNP.exe

C:\Windows\System\dkvFOrI.exe

C:\Windows\System\dkvFOrI.exe

C:\Windows\System\JCOwyPj.exe

C:\Windows\System\JCOwyPj.exe

C:\Windows\System\AcVZMla.exe

C:\Windows\System\AcVZMla.exe

C:\Windows\System\sfrWApv.exe

C:\Windows\System\sfrWApv.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2540-162-0x000000013FA60000-0x000000013FDB1000-memory.dmp

memory/2372-164-0x000000013FA20000-0x000000013FD71000-memory.dmp

memory/1060-166-0x000000013FB50000-0x000000013FEA1000-memory.dmp

memory/1332-170-0x000000013F0E0000-0x000000013F431000-memory.dmp

memory/876-172-0x000000013FCC0000-0x0000000140011000-memory.dmp

memory/1524-169-0x000000013F1B0000-0x000000013F501000-memory.dmp

memory/1364-168-0x000000013FA90000-0x000000013FDE1000-memory.dmp

memory/2540-173-0x000000013F540000-0x000000013F891000-memory.dmp

memory/956-167-0x000000013F8F0000-0x000000013FC41000-memory.dmp

memory/1160-171-0x000000013FE50000-0x00000001401A1000-memory.dmp

memory/2540-174-0x000000013FA20000-0x000000013FD71000-memory.dmp

memory/2540-175-0x000000013F180000-0x000000013F4D1000-memory.dmp

memory/2540-197-0x000000013FB50000-0x000000013FEA1000-memory.dmp

memory/2892-225-0x000000013F5B0000-0x000000013F901000-memory.dmp

memory/1388-227-0x000000013F5E0000-0x000000013F931000-memory.dmp

memory/2880-231-0x000000013F320000-0x000000013F671000-memory.dmp

memory/2696-230-0x000000013F080000-0x000000013F3D1000-memory.dmp

memory/2748-233-0x000000013FEF0000-0x0000000140241000-memory.dmp

memory/2860-235-0x000000013F7E0000-0x000000013FB31000-memory.dmp

memory/1616-237-0x000000013F360000-0x000000013F6B1000-memory.dmp

memory/2636-239-0x000000013F370000-0x000000013F6C1000-memory.dmp

memory/1092-241-0x000000013F5B0000-0x000000013F901000-memory.dmp

memory/3044-243-0x000000013FA60000-0x000000013FDB1000-memory.dmp

memory/2260-245-0x000000013F540000-0x000000013F891000-memory.dmp

memory/2372-247-0x000000013FA20000-0x000000013FD71000-memory.dmp

memory/2792-258-0x000000013F530000-0x000000013F881000-memory.dmp

memory/3016-267-0x000000013F590000-0x000000013F8E1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 11:45

Reported

2024-08-06 11:48

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 rows, all N/A: the report records no per-match details)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (47 rows, all N/A: the report records no per-match details)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 rows, all N/A: the report records no per-match details)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\XVELjyP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ubpeUlR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hLjOanb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gzXXviu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ubGJoiA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tgRUOjz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FlEOqwH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PMDDJhf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MzcHKBp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qtamKZG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FbqnNXl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KHnWSIz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JqJZBEo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pSukJrU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tMOKMSt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wZFzKNK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cjXeOIK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MXMYsSQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ahRNWPO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EZzlIAU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ogveekm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2936 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ogveekm.exe
PID 2936 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ogveekm.exe
PID 2936 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JqJZBEo.exe
PID 2936 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JqJZBEo.exe
PID 2936 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qtamKZG.exe
PID 2936 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qtamKZG.exe
PID 2936 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FbqnNXl.exe
PID 2936 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FbqnNXl.exe
PID 2936 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tgRUOjz.exe
PID 2936 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tgRUOjz.exe
PID 2936 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pSukJrU.exe
PID 2936 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pSukJrU.exe
PID 2936 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tMOKMSt.exe
PID 2936 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tMOKMSt.exe
PID 2936 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XVELjyP.exe
PID 2936 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XVELjyP.exe
PID 2936 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MzcHKBp.exe
PID 2936 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MzcHKBp.exe
PID 2936 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ubpeUlR.exe
PID 2936 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ubpeUlR.exe
PID 2936 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wZFzKNK.exe
PID 2936 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wZFzKNK.exe
PID 2936 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FlEOqwH.exe
PID 2936 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FlEOqwH.exe
PID 2936 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cjXeOIK.exe
PID 2936 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cjXeOIK.exe
PID 2936 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hLjOanb.exe
PID 2936 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hLjOanb.exe
PID 2936 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KHnWSIz.exe
PID 2936 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KHnWSIz.exe
PID 2936 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MXMYsSQ.exe
PID 2936 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MXMYsSQ.exe
PID 2936 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gzXXviu.exe
PID 2936 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gzXXviu.exe
PID 2936 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ahRNWPO.exe
PID 2936 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ahRNWPO.exe
PID 2936 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ubGJoiA.exe
PID 2936 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ubGJoiA.exe
PID 2936 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PMDDJhf.exe
PID 2936 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PMDDJhf.exe
PID 2936 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EZzlIAU.exe
PID 2936 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EZzlIAU.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\ogveekm.exe

C:\Windows\System\ogveekm.exe

C:\Windows\System\JqJZBEo.exe

C:\Windows\System\JqJZBEo.exe

C:\Windows\System\qtamKZG.exe

C:\Windows\System\qtamKZG.exe

C:\Windows\System\FbqnNXl.exe

C:\Windows\System\FbqnNXl.exe

C:\Windows\System\tgRUOjz.exe

C:\Windows\System\tgRUOjz.exe

C:\Windows\System\pSukJrU.exe

C:\Windows\System\pSukJrU.exe

C:\Windows\System\tMOKMSt.exe

C:\Windows\System\tMOKMSt.exe

C:\Windows\System\XVELjyP.exe

C:\Windows\System\XVELjyP.exe

C:\Windows\System\MzcHKBp.exe

C:\Windows\System\MzcHKBp.exe

C:\Windows\System\ubpeUlR.exe

C:\Windows\System\ubpeUlR.exe

C:\Windows\System\wZFzKNK.exe

C:\Windows\System\wZFzKNK.exe

C:\Windows\System\FlEOqwH.exe

C:\Windows\System\FlEOqwH.exe

C:\Windows\System\cjXeOIK.exe

C:\Windows\System\cjXeOIK.exe

C:\Windows\System\hLjOanb.exe

C:\Windows\System\hLjOanb.exe

C:\Windows\System\KHnWSIz.exe

C:\Windows\System\KHnWSIz.exe

C:\Windows\System\MXMYsSQ.exe

C:\Windows\System\MXMYsSQ.exe

C:\Windows\System\gzXXviu.exe

C:\Windows\System\gzXXviu.exe

C:\Windows\System\ahRNWPO.exe

C:\Windows\System\ahRNWPO.exe

C:\Windows\System\ubGJoiA.exe

C:\Windows\System\ubGJoiA.exe

C:\Windows\System\PMDDJhf.exe

C:\Windows\System\PMDDJhf.exe

C:\Windows\System\EZzlIAU.exe

C:\Windows\System\EZzlIAU.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2936-0-0x00007FF68B9E0000-0x00007FF68BD31000-memory.dmp

memory/2936-1-0x00000228E1AE0000-0x00000228E1AF0000-memory.dmp

C:\Windows\System\ogveekm.exe

MD5 dcc5e498de15c3c325351b20c08b82c2
SHA1 7c35399a3bd70e42f784771dcd8408c11c4b20f1
SHA256 66c9d2a10f5a958f02ed0ddd30d0f7f456df55b8297d7e8498d5de348540c4de
SHA512 d808e5f6d5fca7b22ae8cf6c1c97b25e54b7dcef39d61e380134b0723216f502627aae1b0558ed533a50117ee85921f5ee165dd5ad5961b7ba76775053f81af7

C:\Windows\System\qtamKZG.exe

MD5 b1e1d2be7fae7293b9ff583afccd9944
SHA1 71d3fb51c0ce51537fc7284038ce39bf4edc13f8
SHA256 85326a45bb2f6fcaa19fd9d2a19986941181a770a3f3bc3462f2c7d4297d8dd2
SHA512 6d21cda569599dbaeeb578b955ab09a4cf5b34629d3282e8bcbdce1faf081a04de4e4b3165e60b652b5e69302c1edee0cae321e9647feec43644e12b687f8faf

C:\Windows\System\JqJZBEo.exe

MD5 94ae6522a0c2c45c26b3d82c92911e75
SHA1 bec8416f85f3f8554b1bac12b8671239e03810e0
SHA256 16591c750756cc2dc81726593ca315ad2aefd4b7fc70fb3c1a798aaac26f63a3
SHA512 043f932053fcb98abaf969a7f004615ae162e1c761a3865f13dd5cd3a58df6680c7310cd50338f8c550b65c1eaf3a89d2b8850d95e293def63cf604e069a7e8d

C:\Windows\System\FbqnNXl.exe

MD5 4d9e59de8d7fece243d0520114025a6d
SHA1 59f8346e0eec3cb3a0a36505e9fe3f402a4d27dd
SHA256 0121d471ffaec2416d4794dce16189973612bf32332ff3b6d1d0637be6d301c0
SHA512 3f6c597e59f3592cbb65bec99fc0cdb1c765ae60c66ddf7023dc152a5fb50bb4194e3914f7fff650f9b1e7b002d637183732e59a68f6983c9026aa44a9f1951b

memory/1512-14-0x00007FF72A1E0000-0x00007FF72A531000-memory.dmp

C:\Windows\System\pSukJrU.exe

MD5 01ab0a2a2e2d93cfc3a7d1e8cebda1ef
SHA1 ef2e1f9a2435fa6e441d9b817e479d1c7590b278
SHA256 eb75964e9011f12129475fed7ab57b64c338cfb8a08d9c4d25216c1f890f02f9
SHA512 099d6f7b41c66521d96f7ed23567bc2083bb3a7b4ce6d578bd8db3d9e15a6d50c914b225fe234e29c6663a542cdca8d83129814a271f10a69c4f89a01297127d

memory/1628-44-0x00007FF7A3050000-0x00007FF7A33A1000-memory.dmp

C:\Windows\System\tgRUOjz.exe

MD5 a6fee4b25839d4687457e2d3a4d418dc
SHA1 a3dc7d2c28fed7b30033a384a1e7a19dbbecd9f1
SHA256 1b52b1bf391f7259a58610573c2f0f46a6ec7a01bcc62ad80aa88c504c36ac55
SHA512 37434582466d8747fea53f12694f16cc9a87d286ca79b30698c91ce55e0969315472c7205a2fef99e617f8ebbf695f5ec66dd6fc7f6fa3bdbfe05d447f52d955

memory/3468-24-0x00007FF7258C0000-0x00007FF725C11000-memory.dmp

memory/904-23-0x00007FF619A30000-0x00007FF619D81000-memory.dmp

memory/3100-29-0x00007FF63DD20000-0x00007FF63E071000-memory.dmp

C:\Windows\System\XVELjyP.exe

MD5 7e31335277c6b937677ac7c7dd01186f
SHA1 9c583f1e417e97f1e938c334d8bd0d5ef3bcead1
SHA256 f89a8007ed0c0ce2a27141e664a16501f765f2dc743aa2aa14e264fa92a1e6da
SHA512 f3f25103a28fb1057ff1e2e0ea1ed11f8a52715bf5199df27d44bc01c06168488aba35dc5556e465c138b1df0c89703f318e5c38f91dee0c10a4166ba7c2afd2

memory/2608-64-0x00007FF66AB10000-0x00007FF66AE61000-memory.dmp

memory/1632-69-0x00007FF7C4FA0000-0x00007FF7C52F1000-memory.dmp

C:\Windows\System\hLjOanb.exe

MD5 7994f02efa68eba4da30aceea3602a00
SHA1 db42b39394f72b16decfcc15eeb5fbd23295566e
SHA256 fbb6587854123859c63b62b108397f25d264bdc306d35307a5d25a7c0290e0d5
SHA512 f83881cf447a681096ac45d2d869c7f4349da08737845d226bb8d15275ebddd174b86f4d92459aa169cc85914b9108eee7d6deadba48d3f3e85909c36feb02d6

memory/4668-88-0x00007FF760F20000-0x00007FF761271000-memory.dmp

C:\Windows\System\gzXXviu.exe

MD5 472ff67c04074ddd12786ae294e11d0c
SHA1 b50e1f858cfa505bb5d94bf67d5cf15504d3e644
SHA256 f0e6963dd6fdcefd0fb319abe877a58bc0e09bb808876af7fa32fbe2bf9760e4
SHA512 1f9f89bd83aa375ec446e18eddb329fdecd3269405488ff8cf96ec79da3b2a2cb706062a6ef4e443f06022b617d585cc71b406ff52e24e34a3129f8b7fc79db8

memory/2560-95-0x00007FF603DC0000-0x00007FF604111000-memory.dmp

C:\Windows\System\MXMYsSQ.exe

MD5 6eeccd30c352d3e2555df82d8b689cb7
SHA1 9f78d84495e5103e06720022064c1907033e950e
SHA256 276d1287d2b484e2418896dc250bd36b494370f8dbc1fe9fa4922caf205fa3db
SHA512 171865b79f360f7d46defaece359c1fb9a7798fcf2266749157cb64c6fa30dd79d4a2a09692ff87ea0688a08c687d6a31c6d9de98335316c72aae3b31c855b25

memory/3108-92-0x00007FF6508A0000-0x00007FF650BF1000-memory.dmp

memory/4484-91-0x00007FF68C160000-0x00007FF68C4B1000-memory.dmp

C:\Windows\System\KHnWSIz.exe

MD5 0c02f770ab7b94f936a2737de35d40d4
SHA1 5e866eb3c6fa721e19e83e8b955367c537631ad7
SHA256 24d61248549fd8eb7f372a5c027fdd6642657eb4e7eb834f6487162e6433e968
SHA512 f6482d4c02d06395f4238eb3d47b3fc57fa1d2a90b9fe9936bd39fa9ff34e22cde6cb033162501f2395cef9991e6d0e775fe722a2262d862b9a5d48f4b17a427

C:\Windows\System\FlEOqwH.exe

MD5 92f97c4b8ed9f57a64ce705025e1d168
SHA1 820ded0ea58436ca8f7641c6c53a504fb63b35c3
SHA256 879ee09724928249fabbf1f67aec2eea6184126c1450718344d378c0fa504e59
SHA512 011bbf8f0ff210d781eff952fe5a6d272ee0a31b34e20b723b334f5c9f92b4fb91c8cbd09fe2b0b4970a9569a3cd4547b5b075ad1f872bb53ff003277da71526

memory/3948-82-0x00007FF7B34E0000-0x00007FF7B3831000-memory.dmp

memory/2720-81-0x00007FF79BB30000-0x00007FF79BE81000-memory.dmp

C:\Windows\System\cjXeOIK.exe

MD5 7a13183813e0e449dd610f5bcd7172a1
SHA1 7db314c408669b2f34240bb0533d2e3d85d4968a
SHA256 087e36684856e4a21975e47954e2f4c0d05e3dec59b217890efa7b7cea75b9a8
SHA512 de78a1aed6b0725336cd7645bd1340d85dcd0c66e960c426aab39ccb26cb514942c3ebdd23db3b531afef8f21322abe1352bee16189043a911438da204d3df89

C:\Windows\System\wZFzKNK.exe

MD5 51e78f04a6fe05df687c976d3b1b70e3
SHA1 e4907ae3c74b588c9d4fd4ca535d6b9a753c7927
SHA256 54f9fbbb8e45045822f6c64f5dffad111380969d03732328eaacd9dfac4f2fff
SHA512 435b31f385f379509bfe16114eaba0128c3b119abe9e03117ff487cc6e2cdb98fbebb84257e676333c19db527f592c52f6748b89762826d571c9ef015248fe02

C:\Windows\System\ubpeUlR.exe

MD5 16ab7ba766b45fdc229b0dbb398ee7e7
SHA1 9498fe029533cc97cf67a0fe37f7e75f9354a06f
SHA256 1a7d6e96e37c81f34bfd76ee5f5a7ad068954b3337889a4acc174dcf24ee3880
SHA512 c858b067d388acea7394e1d805b0e748f62d7fea94b593626406c6c882663b7f436776e2481eb6a079bf6433a4f645c61778561b795cc2d729d10da141580ffe

memory/232-70-0x00007FF741070000-0x00007FF7413C1000-memory.dmp

C:\Windows\System\MzcHKBp.exe

MD5 cb92643bd9c622813ce53f951843e171
SHA1 ee9bad76f07cd69f51256221750c76fa5040efbd
SHA256 062a290af1a8e69dc111eeeaa6fb4451dab2f3afbd6b6d5011882cfb248f2d5c
SHA512 51bc0c4a3e29821dcd468e252ae824ae5e5cb822f2c58adb6eb9d5db96886608004ac4fc6dd34251adcda08ad4759c6fceb6909ad97003edd5a23fd358863821

memory/5048-63-0x00007FF796030000-0x00007FF796381000-memory.dmp

C:\Windows\System\tMOKMSt.exe

MD5 057978985d1318ae9575de0da8ce28e0
SHA1 a9d46977466cdac6bcd89878690c83e259bdcf9a
SHA256 199bc7ebaec4629589ec0aff9ccb0cb36c44b5d8a026c2236cc2a00d7cfa34e5
SHA512 f016dafe906f743f2743828edb0c999c7c52460319442d2595f9aed26e08148753b54d0883b6654dfaad9ec0250c89ecc16d82618d289a5f62ae2617811aa5cc

memory/2460-54-0x00007FF77E2F0000-0x00007FF77E641000-memory.dmp

memory/3312-40-0x00007FF627B60000-0x00007FF627EB1000-memory.dmp

C:\Windows\System\ahRNWPO.exe

MD5 c5243d7ea54a2c343c4b60ca7fc9ff39
SHA1 0f1edb81afab95ddad4ceb7fac796b4e74e1949b
SHA256 3909fe2d0c07dd1fa43cdaa402328754eb512bd385dbd11c25629982312dc31c
SHA512 d6431a170149208f293cfa1d224693e6ac0bd415b081593a8482a83ea95cea755992f26f8cb9338ad29c3f35e00b6ba8e11f49e15508cc63bd7094eaf817c9b2

C:\Windows\System\ubGJoiA.exe

MD5 869dda48f42f9b4ed307a40fdd6e8ad5
SHA1 88778cb7c1ee71c84296a0d54f418a266db345bf
SHA256 3d2403ede52705ab096724341fa7b478cbab78af62b70e65eefa656e26338d21
SHA512 b20d1e9cfd2a1bf03b1caae4e7e3d5b362f7858cd592fbda86f8de4a0701ebb03da766c5663498fd9208092b3d278335dbd4e83a9337423f1ef4d0a7cb672112

memory/3840-124-0x00007FF659110000-0x00007FF659461000-memory.dmp

C:\Windows\System\EZzlIAU.exe

MD5 0313b04e84e05e6bf38577659404c5bd
SHA1 83a6fccedcbfc4b143635bb06d5a6eddf083086f
SHA256 b7ac86f76d0a0d6abe01daf623c2f8ed15de7ad40f3855669d4cd1d38623e235
SHA512 ef21b69d55645905106b04b62d631e456fc9bb45065f1f1974538bb30198b26f5387887cd3017b748197c3136acf0bff1ca3bec1592d25db9d8bb33226e2180b

memory/2936-118-0x00007FF68B9E0000-0x00007FF68BD31000-memory.dmp

C:\Windows\System\PMDDJhf.exe

MD5 83ad9a03189e5a0e933e78f1a45c5333
SHA1 d3a7acce2ba5f03844d2d1f60470742f11807bc1
SHA256 5e4f58718c8708486c3dafb098f8c8e27027b8aedb3af2ecf760b4c6ad5cc302
SHA512 03fafd202092fdcb05f44f1424f4adc32a17f222993ce2a67125b1ab4cffac1757f85f33ca717ff97957fbdcc03a7cb661302b7b6e4d0c3586d9b953f5e89ac3

memory/4020-111-0x00007FF613FC0000-0x00007FF614311000-memory.dmp

memory/4748-127-0x00007FF7685D0000-0x00007FF768921000-memory.dmp

memory/904-128-0x00007FF619A30000-0x00007FF619D81000-memory.dmp

memory/1508-129-0x00007FF658960000-0x00007FF658CB1000-memory.dmp

memory/2936-130-0x00007FF68B9E0000-0x00007FF68BD31000-memory.dmp

memory/1628-137-0x00007FF7A3050000-0x00007FF7A33A1000-memory.dmp

memory/3312-135-0x00007FF627B60000-0x00007FF627EB1000-memory.dmp

memory/4668-144-0x00007FF760F20000-0x00007FF761271000-memory.dmp

memory/3108-147-0x00007FF6508A0000-0x00007FF650BF1000-memory.dmp

memory/4484-146-0x00007FF68C160000-0x00007FF68C4B1000-memory.dmp

memory/2560-145-0x00007FF603DC0000-0x00007FF604111000-memory.dmp

memory/232-143-0x00007FF741070000-0x00007FF7413C1000-memory.dmp

memory/3948-142-0x00007FF7B34E0000-0x00007FF7B3831000-memory.dmp

memory/2720-140-0x00007FF79BB30000-0x00007FF79BE81000-memory.dmp

memory/2460-139-0x00007FF77E2F0000-0x00007FF77E641000-memory.dmp

memory/3468-134-0x00007FF7258C0000-0x00007FF725C11000-memory.dmp

memory/1632-141-0x00007FF7C4FA0000-0x00007FF7C52F1000-memory.dmp

memory/3100-133-0x00007FF63DD20000-0x00007FF63E071000-memory.dmp

memory/4020-148-0x00007FF613FC0000-0x00007FF614311000-memory.dmp

memory/3840-149-0x00007FF659110000-0x00007FF659461000-memory.dmp

memory/2936-152-0x00007FF68B9E0000-0x00007FF68BD31000-memory.dmp

memory/2936-170-0x00007FF68B9E0000-0x00007FF68BD31000-memory.dmp

memory/1512-200-0x00007FF72A1E0000-0x00007FF72A531000-memory.dmp

memory/904-202-0x00007FF619A30000-0x00007FF619D81000-memory.dmp

memory/3100-204-0x00007FF63DD20000-0x00007FF63E071000-memory.dmp

memory/5048-206-0x00007FF796030000-0x00007FF796381000-memory.dmp

memory/3468-208-0x00007FF7258C0000-0x00007FF725C11000-memory.dmp

memory/2608-211-0x00007FF66AB10000-0x00007FF66AE61000-memory.dmp

memory/3312-212-0x00007FF627B60000-0x00007FF627EB1000-memory.dmp

memory/1628-214-0x00007FF7A3050000-0x00007FF7A33A1000-memory.dmp

memory/2460-216-0x00007FF77E2F0000-0x00007FF77E641000-memory.dmp

memory/4668-227-0x00007FF760F20000-0x00007FF761271000-memory.dmp

memory/2720-228-0x00007FF79BB30000-0x00007FF79BE81000-memory.dmp

memory/3948-232-0x00007FF7B34E0000-0x00007FF7B3831000-memory.dmp

memory/4484-238-0x00007FF68C160000-0x00007FF68C4B1000-memory.dmp

memory/1632-234-0x00007FF7C4FA0000-0x00007FF7C52F1000-memory.dmp

memory/2560-237-0x00007FF603DC0000-0x00007FF604111000-memory.dmp

memory/3108-231-0x00007FF6508A0000-0x00007FF650BF1000-memory.dmp

memory/4748-246-0x00007FF7685D0000-0x00007FF768921000-memory.dmp

memory/4020-248-0x00007FF613FC0000-0x00007FF614311000-memory.dmp

memory/1508-243-0x00007FF658960000-0x00007FF658CB1000-memory.dmp

memory/232-241-0x00007FF741070000-0x00007FF7413C1000-memory.dmp

memory/3840-245-0x00007FF659110000-0x00007FF659461000-memory.dmp
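The behavioral2 sections above (dropped files, WriteProcessMemory rows, network table, file hashes and memory dumps) are the raw material an analyst turns into IOCs. The Python below is an added example, not part of the sandbox report or of the sandbox's own tooling. It parses a constructed excerpt made of rows copied verbatim from those sections, collapses the repeated rows, keeps only the bare-IP connection that remains once resolver traffic, PTR lookups and named web hosts are removed, groups the dumped memory regions by byte length (a check worth running on the full Files list: every image region in this report, whichever PID owns it, spans 0x351000 bytes; the lone 0x10000 region for PID 2936 is not an image), and flags the seven-letter executables written directly under C:\Windows\System rather than System32. The regular expressions, the hash-length table and the naming-pattern rule are assumptions about this plain-text export, not a documented schema.

```python
import re
from collections import defaultdict

# Constructed input: rows copied verbatim from the behavioral2 "Drops file in Windows
# directory", "Suspicious use of WriteProcessMemory", "Network" and "Files" sections
# of this report, trimmed to a few entries (SHA1/SHA512 lines omitted for brevity).
REPORT_EXCERPT = r"""
File created C:\Windows\System\XVELjyP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ogveekm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
PID 2936 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ogveekm.exe
PID 2936 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ogveekm.exe
PID 2936 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XVELjyP.exe
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
memory/2936-0-0x00007FF68B9E0000-0x00007FF68BD31000-memory.dmp
memory/2936-1-0x00000228E1AE0000-0x00000228E1AF0000-memory.dmp
C:\Windows\System\ogveekm.exe
MD5 dcc5e498de15c3c325351b20c08b82c2
SHA256 66c9d2a10f5a958f02ed0ddd30d0f7f456df55b8297d7e8498d5de348540c4de
memory/1512-14-0x00007FF72A1E0000-0x00007FF72A531000-memory.dmp
C:\Windows\System\XVELjyP.exe
MD5 7e31335277c6b937677ac7c7dd01186f
SHA256 f89a8007ed0c0ce2a27141e664a16501f765f2dc743aa2aa14e264fa92a1e6da
memory/2608-64-0x00007FF66AB10000-0x00007FF66AE61000-memory.dmp
"""

# Line shapes of this plain-text export (assumed from the rows above, not a documented schema).
DROP_RE = re.compile(r"^File created (\S+) (\S+) ")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
NET_RE = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (?:(\S+) )?(tcp|udp)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\\S+$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Seven letters, mixed case, directly under C:\Windows\System (the legacy directory,
# not System32): the naming shape shared by every drop in this report (assumed rule).
RANDOM_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")

def parse_report(text):
    """Walk the export line by line; hash lines attach to the path line preceding them."""
    iocs = {"files": {}, "regions": [], "net": [], "drops": set(), "writes": set()}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := DROP_RE.match(line):
            iocs["drops"].add((m[1], m[2]))                   # (dropped file, writer)
        elif m := WPM_RE.match(line):
            iocs["writes"].add((int(m[1]), int(m[2]), m[4]))  # set: repeated rows collapse
        elif m := NET_RE.match(line):
            iocs["net"].append((m[1], m[2], int(m[3]), m[4], m[5]))
        elif m := MEM_RE.match(line):
            iocs["regions"].append((int(m[1]), int(m[3], 16), int(m[4], 16)))
            current = None
        elif m := HASH_RE.match(line):
            if current is None or len(m[2]) != HASH_LEN[m[1]]:
                raise ValueError(f"orphan or malformed digest: {line}")
            iocs["files"][current][m[1]] = m[2]
        elif PATH_RE.match(line):
            current = line
            iocs["files"].setdefault(current, {})
    return iocs

def beacon_candidates(iocs):
    """Bare-IP connections left after DNS traffic, PTR lookups and named hosts are removed.
    Named destinations (g.bing.com here) go to manual review rather than being auto-flagged."""
    keep = set()
    for _country, ip, port, domain, proto in iocs["net"]:
        if port == 53 or domain:
            continue
        keep.add((ip, port, proto))
    return sorted(keep)

def mapped_image_sizes(iocs):
    """Group dumped regions by byte length; one size shared by many PIDs means the same
    PE image was mapped into each child."""
    by_size = defaultdict(set)
    for pid, start, end in iocs["regions"]:
        by_size[end - start].add(pid)
    return {size: sorted(pids) for size, pids in by_size.items()}

def suspicious_drops(iocs):
    """Dropped executables matching the random-name rule, with any hashes the report recorded."""
    paths = {p for p, _ in iocs["drops"]} | set(iocs["files"])
    return {p: iocs["files"].get(p, {}) for p in sorted(paths) if RANDOM_NAME_RE.match(p)}

def sha256_blocklist(iocs):
    return sorted(h["SHA256"] for h in iocs["files"].values() if "SHA256" in h)

if __name__ == "__main__":
    r = parse_report(REPORT_EXCERPT)
    print("beacon candidates:", beacon_candidates(r))
    for size, pids in sorted(mapped_image_sizes(r).items()):
        print(f"region size {size:#x} seen in PIDs {pids}")
    print("random-named drops:", list(suspicious_drops(r)))
    print("parent -> child writes:", sorted(r["writes"]))
    print("sha256 blocklist:", sha256_blocklist(r))
```

To run it against the whole report, paste the full Files, Network and signature rows into REPORT_EXCERPT; the parser ignores headings and the N/A-only rows because none of them match a line shape. The hash-length check matters in practice: a truncated digest copied into a blocklist silently matches nothing.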