Malware Analysis Report

2025-01-22 19:30

Sample ID 240806-nywp3ssckf
Target 2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat
SHA256 7f7935b5ac5f0d8ed1a649042a7c3c6625bb9ddb648b4525ef29c42b32f87099
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7f7935b5ac5f0d8ed1a649042a7c3c6625bb9ddb648b4525ef29c42b32f87099

Threat Level: Known bad

The file 2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

xmrig

Xmrig family

XMRig Miner payload

Cobaltstrike

Cobalt Strike reflective loader

Cobaltstrike family

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 11:48

Signatures

Cobalt Strike reflective loader


Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 11:48

Reported

2024-08-06 11:51

Platform

win7-20240704-en

Max time kernel

145s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ABynvRH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FozHHCZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TFkmWXG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\quPbBgr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HSPPNlP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fNSYPXo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nIzPVbM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yshLIzc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nNKYxJK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gmNNfpt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rwxJDmc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mFnJsmJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eWlcQme.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nHKHflI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JvOsEAZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\okjSmEq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IQqTYlO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ezDzxHw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GRlVmvj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oSvjTSA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aiWfciJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2376 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ABynvRH.exe
PID 2376 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FozHHCZ.exe
PID 2376 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yshLIzc.exe
PID 2376 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nNKYxJK.exe
PID 2376 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gmNNfpt.exe
PID 2376 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IQqTYlO.exe
PID 2376 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fNSYPXo.exe
PID 2376 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TFkmWXG.exe
PID 2376 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ezDzxHw.exe
PID 2376 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rwxJDmc.exe
PID 2376 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mFnJsmJ.exe
PID 2376 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GRlVmvj.exe
PID 2376 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eWlcQme.exe
PID 2376 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oSvjTSA.exe
PID 2376 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\quPbBgr.exe
PID 2376 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nIzPVbM.exe
PID 2376 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HSPPNlP.exe
PID 2376 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nHKHflI.exe
PID 2376 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aiWfciJ.exe
PID 2376 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JvOsEAZ.exe
PID 2376 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\okjSmEq.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\ABynvRH.exe

C:\Windows\System\FozHHCZ.exe

C:\Windows\System\yshLIzc.exe

C:\Windows\System\nNKYxJK.exe

C:\Windows\System\gmNNfpt.exe

C:\Windows\System\IQqTYlO.exe

C:\Windows\System\fNSYPXo.exe

C:\Windows\System\TFkmWXG.exe

C:\Windows\System\ezDzxHw.exe

C:\Windows\System\rwxJDmc.exe

C:\Windows\System\mFnJsmJ.exe

C:\Windows\System\GRlVmvj.exe

C:\Windows\System\eWlcQme.exe

C:\Windows\System\oSvjTSA.exe

C:\Windows\System\quPbBgr.exe

C:\Windows\System\nIzPVbM.exe

C:\Windows\System\HSPPNlP.exe

C:\Windows\System\nHKHflI.exe

C:\Windows\System\aiWfciJ.exe

C:\Windows\System\JvOsEAZ.exe

C:\Windows\System\okjSmEq.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/2376-0-0x000000013F1F0000-0x000000013F541000-memory.dmp

memory/2376-1-0x00000000000F0000-0x0000000000100000-memory.dmp

C:\Windows\system\ABynvRH.exe

MD5 5421355ffd74516e6f7679739ddab457
SHA1 ecd52f069f2aec3e40aeb131ddeaad6bbed9ddf3
SHA256 de6c76fe38523380f1b02776e17d03a3a6e4681f1d9105b29f7fec102c89eeb5
SHA512 c0753b7bbff53ec414d516345dc4a6c2c2ac0470aa556163859fae211db59ba06b4956a2fe52cb914a36da7558965b846de593dd6c015496f69f67a2b9765f2b

memory/2376-7-0x000000013FCF0000-0x0000000140041000-memory.dmp

memory/2244-9-0x000000013FCF0000-0x0000000140041000-memory.dmp

C:\Windows\system\FozHHCZ.exe

MD5 2f736b2faeac7ed758a83cb85ac7a718
SHA1 df60f35daf18738bac5ddb6587bcdebd6b579ba4
SHA256 c1b6e28d2d35ea95cdda96a46658b967367d853fae7eb793dbb4b65c6ff799f6
SHA512 7f6555329a792c6a654b03a728ad6977531377a2a6a4fe1d319311e487f0260ecf4b3faddd602425895d4c7e497194033bbe117283cb46e62f4f1243bea7277d

memory/3032-15-0x000000013F110000-0x000000013F461000-memory.dmp

memory/2376-14-0x00000000022A0000-0x00000000025F1000-memory.dmp

\Windows\system\yshLIzc.exe

MD5 34f5bb61de674e4350761199aace883b
SHA1 1498e1c5277e6e6f90fad73763e9fe6b70881ff9
SHA256 40027af1622f5c6aa40e22ccb8aa3252dec90614a930c5c0e511eaaff8ebaef2
SHA512 32bc265d467f41f7dbb62587819cbe9969fdd3ad383dee4e312d230048e9979907f1c0a06dd0be8847651373a2a52daaa808f968199ab725e8b268002e06b31e

memory/2376-22-0x000000013FFA0000-0x00000001402F1000-memory.dmp

C:\Windows\system\nNKYxJK.exe

MD5 d97dc46919d7a2e51da31e6166aad106
SHA1 b5da62931328b8e7e2d935bc0401f96eacd2a98f
SHA256 c3336f349b7bcbb21f28271fdfe155f5467570450c69b2e44a359d243056c1b4
SHA512 665e3cc6862603c3680bdae0b29bbe56716b77827b05b7a3cdb2fe8914d61105674594c671aaa107c0507c2f3f23cb5081d2214cbee4eb9bd6ded1132df99518

C:\Windows\system\gmNNfpt.exe

MD5 07950ce5852412a465733965fbf0455e
SHA1 32caad14a18c36ad17319fedc9253a11fd999892
SHA256 399dfb6bf09110dedaabc86941356bc8d889da62755acc79ee12119e867a050f
SHA512 b92c6216f00ac64cb4f82d09f285689f30c72817074829ce93cfaced6b704b02f4ec5f81b0036860366dd870239000e5732eea4693dd03b47bd08719afd5689f

C:\Windows\system\fNSYPXo.exe

MD5 3ce35dbc7475df500057f8fb11ff61c0
SHA1 74659398660f7c80ed51086ae512564179dff54b
SHA256 aef47cd235fe56a151034e59cf2438b9407b26a4b5d7f936e4237f16e67e09f1
SHA512 bd4171f259177f87ca44192cf02b964c57a243b5813501913b3ae1b6c7ceae81c6bfb4edd4cafd797432b080e425a7cd552de8b6346383833bd6368be02ec3ab

memory/2688-42-0x000000013F7C0000-0x000000013FB11000-memory.dmp

memory/2376-53-0x000000013F790000-0x000000013FAE1000-memory.dmp

\Windows\system\ezDzxHw.exe

MD5 5d3072d07b505c957015a5c4dd19355d
SHA1 9504d50919e1f6f016be6f506dac60e014a9e67d
SHA256 c0edefb55579dfb7590608428eabf0fd5d7f124f7bd3f106536417f97b900331
SHA512 24290d7a39d21e86c546055cb90358da1b086073589a80a8962cdb7c5e662a6223fcdfaa8430f62d8ae2d98f8af5247c99476c5179cb21d2e1ce82dae57edade

C:\Windows\system\TFkmWXG.exe

MD5 fc64ffe4a7d19364eaa00385df78a045
SHA1 1c5328221a92ea9280f366f98dc9f80d0a013da8
SHA256 541b9039ec815b408b172ebd3dff27bb9a665562a96551f38a8ea244a77a0265
SHA512 9553cc52964132fb360e86e131b8409db5e23f280873f1d9119c0a3e15ff232e35395d6364755d835ae117b047eba32de4bb32fbdc37847b3a115db23706ea02

memory/2376-55-0x000000013F910000-0x000000013FC61000-memory.dmp

C:\Windows\system\rwxJDmc.exe

MD5 257612fbe2ef5e26b4c920dfe671ea19
SHA1 4dc56306154adc2de757ba16ac963d6011272190
SHA256 b51f7a61a05775d29e542a7a5b5f80f297351fd8bfdfb7c98ca85f5dc6d47ebb
SHA512 080763931ae2d91c5ed33210ac61593723733b92a5b00e030cb87180833381ead3caab9c96d509092a5578bd973edfa554b4476b1291e32c71c5a49927d7b2bc

C:\Windows\system\GRlVmvj.exe

MD5 d2e6be731842b0dafe759fc3bd32e83d
SHA1 82dc0188054f654b912c9a285020d15fba6413b8
SHA256 3331fe63ab605524bf6d3b0211db6335f6f6a10dfbcb2114cc58b3c3d0d0787e
SHA512 9f4f0ca0e6f11ab26a36d8ee910021ebf6d0d7ec2724e1a03a2239cc0156479531f8936d78c43e0ab79366c3221b0dea669c47558ac53bb02c5158f8a9dd5ce0

\Windows\system\oSvjTSA.exe

MD5 5927a95638bbec62407a1cfd0f15299b
SHA1 387f1a6af0e890c563979636e6b1df79037f5d58
SHA256 7c3dc2273c27d89aeff99fa78d2616e052caf08b8d454058c1b3bca8c2bd4d2d
SHA512 433b94e32ac108152417e16b4afed9167fd47af567b48792a67c7263ffe769e53606b4a564fde203eb1e152a118b8506d61e7b306abd83f02e26e2ebf23bf629

C:\Windows\system\nIzPVbM.exe

MD5 62c51d718719f0dcf831198575d28348
SHA1 2a750151dd7f7b6b628143cfc7f0f17d0349e142
SHA256 6266f5820496371c9d75fb0ce049e8b8283a6444a569371f9e7388cfce742ffb
SHA512 ae182b20b37f94770cbecdcb87b841adcebb759f2eb5d2ece090686a6fab14e4353b418c6fc971ceefb244dfce89a3e379e34071e9a5b45dc1e19086d05ed39a

C:\Windows\system\aiWfciJ.exe

MD5 99825fa01f6b19108e2ce338de15933e
SHA1 50ba9fce2693761eb8fed27b0321ccf6c959dbc3
SHA256 788b4dfa8c09388d0b2a970eb7311c1cfdc4e3c9dff222713b68e961218b263f
SHA512 beab920851cf946a8dd74fca4b3ca7aef1cc8eaaad6f25fc0248d69a00c14aa6575b13637533c236e25afec1c62f95f30e191c0eeca7b8a613b3b3146dedc53a

C:\Windows\system\JvOsEAZ.exe

MD5 1f2c959084326096445bcc5bf90a88bc
SHA1 a8306c795f82910ebce82c3f59a21ba4096198e6
SHA256 2985958a7b793d10c0a1d8d972cbe1653f0338ba257960ef83ead38c9cf902ed
SHA512 afe371bf459bd5fb2c890e72a7c4ace08d34e8f55aa67ccda9fb5594c1adf41f4ada5a70350925973811e26b7709116fbde3930a3f6c2b10a8151a3aae419994

C:\Windows\system\okjSmEq.exe

MD5 44eee69d917bcca63f31680e13620824
SHA1 532a4477423758f2ea834c60ad9cd57c814acd9c
SHA256 110ccdd3a033afe23c2a8034a89a35cd203e5fe6c982fb46326e1b45f0a018f6
SHA512 d210c82d6f291fef583c89e6474ecf527ab251bc036e6c5ac0c89e38da38411430980e217705259a6d67604140e243dc794db88d88430f440434fd310d61a9da

C:\Windows\system\nHKHflI.exe

MD5 7519ac17f8fb06a00c080ef4bcbdf601
SHA1 2762e51abf0360ea35e869a21d03cc16866ccdcb
SHA256 e06363e0aabddff64804eb54b640f7abe8b0ed1b3d796893e4340f68df3b8edc
SHA512 870070bc052916e136ff57acba35cbf496ec9eef0e5665e57fb72a5851861e481eff77522876e2295e1f70ff5acbb9b38934001efec9f223e77a61e87cd1b91d

C:\Windows\system\HSPPNlP.exe

MD5 3c4cc5f4339b16d7dedf69285d4d40d3
SHA1 6b43f10d257e7b143134e7a6d9514c73af0b2b2b
SHA256 2b10651d8c2952d50ed38728b6af456b5c5d242dbcf29cbdda490d963f7a83d1
SHA512 6ea1b622e18814a0b26a09d7cb3ff3ffe948ac9ee3fa69ced81620c5a0dab0aea8a1226ac3bb2040f5a0394c526011211c2b79a4afe7d1d3a501e4959df5b5f9

C:\Windows\system\quPbBgr.exe

MD5 04a974973397f8dc5bf89cd01d5d5d8e
SHA1 969747ab1699bd605dd5ed7efcd54d22f9d06d31
SHA256 59eb70f3a179031a2062b56b29a4d23fff066726b93dd39c745b6a47e0fffcea
SHA512 429e5b2409a4d34eed17050a80a1fe43a3cbfa0246dadf67a4995198c112a4c0b242eda637ef121c7fb4ba1a628537fa7c3bd34a1c21ef97bf612786cf421263

C:\Windows\system\eWlcQme.exe

MD5 1482675a1d22c1f2159d627e0bd8fbbd
SHA1 cb30f5bf1fb0f1111938c13b72398962608a58d5
SHA256 269792d8b9a4729452fd3007e5aad8a18d71090987c929657e4bc635eef43b93
SHA512 88d28a896cc006693e1ced04ec35b059427d1e9ad7cce06c9682b2ff471512abd6198e02615d0aeccbcf98cfe012cf45022cc3d359f7c8bacaaa8ab0624ed1dd

C:\Windows\system\mFnJsmJ.exe

MD5 21b0807e061bf866ec19e2cb5363c66b
SHA1 6fda65899f910b4ae07d8dcf4619d3d783cf1413
SHA256 df6fe15f718f8b0ec3bd02015baf48b46843c70d7624ff4e40a8c1ebf1142a3b
SHA512 48bf8c7e5145f6f7d990aa9a0b45bd8bd939e488a06b9be2d18085bb7ba63e7cb4f7c2240dc0b44bd0d5e2b2c2aa0cbcc082a84cd8b0d319a3c904eb6550a62b

memory/2528-54-0x000000013F790000-0x000000013FAE1000-memory.dmp

memory/2376-41-0x000000013F7C0000-0x000000013FB11000-memory.dmp

C:\Windows\system\IQqTYlO.exe

MD5 3372792a32ac3da099a84fdb0ff19325
SHA1 2a8246c1b861b116c13283eeb559cc8f43b1e0d9
SHA256 4b6a503218af5af89d2a97009c992465e6b0300e8ed18445eda1828ce2cecf01
SHA512 3dfed10a4b36a56a6818caf022fd6a97989534466f5707edabadb0a96623ac745fdebfba19eb555fa59564558f1fae5082a41d53028175b78f42e89bf6d71615

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 11:48

Reported

2024-08-06 11:51

Platform

win10v2004-20240802-en

Max time kernel

140s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\jgpjezL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yjYkmmi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mErPEAh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pWWRImQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KyOdqtl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HpgHOws.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fjAiVub.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VqMXtzH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fXOLvYf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xcoYiFF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CIMdmqg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kXwqjdl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PJdiWiH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kwltqRu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WRHbCdx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VVvLAwa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JLJVjkH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pvqLgLw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qLbAAmu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JxgYNPu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PjIjzVF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 464 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KyOdqtl.exe
PID 464 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KyOdqtl.exe
PID 464 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HpgHOws.exe
PID 464 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HpgHOws.exe
PID 464 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qLbAAmu.exe
PID 464 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qLbAAmu.exe
PID 464 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VVvLAwa.exe
PID 464 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VVvLAwa.exe
PID 464 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kXwqjdl.exe
PID 464 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kXwqjdl.exe
PID 464 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PJdiWiH.exe
PID 464 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PJdiWiH.exe
PID 464 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JLJVjkH.exe
PID 464 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JLJVjkH.exe
PID 464 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fjAiVub.exe
PID 464 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fjAiVub.exe
PID 464 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kwltqRu.exe
PID 464 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kwltqRu.exe
PID 464 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jgpjezL.exe
PID 464 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jgpjezL.exe
PID 464 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JxgYNPu.exe
PID 464 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JxgYNPu.exe
PID 464 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yjYkmmi.exe
PID 464 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yjYkmmi.exe
PID 464 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pvqLgLw.exe
PID 464 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pvqLgLw.exe
PID 464 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VqMXtzH.exe
PID 464 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VqMXtzH.exe
PID 464 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fXOLvYf.exe
PID 464 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fXOLvYf.exe
PID 464 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PjIjzVF.exe
PID 464 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PjIjzVF.exe
PID 464 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xcoYiFF.exe
PID 464 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xcoYiFF.exe
PID 464 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mErPEAh.exe
PID 464 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mErPEAh.exe
PID 464 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pWWRImQ.exe
PID 464 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pWWRImQ.exe
PID 464 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CIMdmqg.exe
PID 464 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CIMdmqg.exe
PID 464 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WRHbCdx.exe
PID 464 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WRHbCdx.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\KyOdqtl.exe

C:\Windows\System\KyOdqtl.exe

C:\Windows\System\HpgHOws.exe

C:\Windows\System\HpgHOws.exe

C:\Windows\System\qLbAAmu.exe

C:\Windows\System\qLbAAmu.exe

C:\Windows\System\VVvLAwa.exe

C:\Windows\System\VVvLAwa.exe

C:\Windows\System\kXwqjdl.exe

C:\Windows\System\kXwqjdl.exe

C:\Windows\System\PJdiWiH.exe

C:\Windows\System\PJdiWiH.exe

C:\Windows\System\JLJVjkH.exe

C:\Windows\System\JLJVjkH.exe

C:\Windows\System\fjAiVub.exe

C:\Windows\System\fjAiVub.exe

C:\Windows\System\kwltqRu.exe

C:\Windows\System\kwltqRu.exe

C:\Windows\System\jgpjezL.exe

C:\Windows\System\jgpjezL.exe

C:\Windows\System\JxgYNPu.exe

C:\Windows\System\JxgYNPu.exe

C:\Windows\System\yjYkmmi.exe

C:\Windows\System\yjYkmmi.exe

C:\Windows\System\pvqLgLw.exe

C:\Windows\System\pvqLgLw.exe

C:\Windows\System\VqMXtzH.exe

C:\Windows\System\VqMXtzH.exe

C:\Windows\System\fXOLvYf.exe

C:\Windows\System\fXOLvYf.exe

C:\Windows\System\PjIjzVF.exe

C:\Windows\System\PjIjzVF.exe

C:\Windows\System\xcoYiFF.exe

C:\Windows\System\xcoYiFF.exe

C:\Windows\System\mErPEAh.exe

C:\Windows\System\mErPEAh.exe

C:\Windows\System\pWWRImQ.exe

C:\Windows\System\pWWRImQ.exe

C:\Windows\System\CIMdmqg.exe

C:\Windows\System\CIMdmqg.exe

C:\Windows\System\WRHbCdx.exe

C:\Windows\System\WRHbCdx.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\KyOdqtl.exe

MD5 bc37172b174b78f647f2bd01772fac08
SHA1 57a2780c5cac5a940dbb99ff5d263c6dd5916964
SHA256 20a5311c9d6ffa3505f888934e2a1fc00fc4e2829cbcf411e5e25401cef5a6b8
SHA512 bd3e1347334af29952c4deb0df9348aa312147b4c33563197918583fb91c446bda25789fa99c06a433831bc6e9583dbc23a26ae006547e8dcb7f674317115bb7

C:\Windows\System\qLbAAmu.exe

MD5 a270e975ee6905dd7cba70815591b011
SHA1 5aa2bacba1207d7a06f8b8da038f7170f83f759a
SHA256 679a0265a7927a6809c10bfeb5e6c69c7f064e05a15f6b45dbff62548b918314
SHA512 b9828ab08eaa2aca9af0bd9e259e24a7d4f82bd1e02cbda4c676df28558194bf0421da4fa1b3e674220403ad39d5d7566d558357dbceaeed8c9c8346e2ea6a63

C:\Windows\System\VVvLAwa.exe

MD5 2df0e936be2cfd00cf1f3eba68649630
SHA1 b36d5f6a3e4770458713dedd0cafd4c6585c162c
SHA256 e396620e9e5f56316f804f19cc63b819fa3a2c5dba311e8f38f333ef2c715fb7
SHA512 81f01263b627885153818e317e294429148f9d7679ce798d6e3d6379cba596c8c59d7b718fb790739014b320fce00ac15e3407e1b84f664404851d2abb2d2efd

C:\Windows\System\kXwqjdl.exe

MD5 17405e66388c4aa4b5a0e7813befc1a8
SHA1 c15ef83e45d8fc3108bf6b816de1894f4c4e0b61
SHA256 443254e0860f60e3e12068b91e674bbdf0bfffb1194074efdc6b732ec7aa04e6
SHA512 e5fb3eef5e73e274cc86fe670887cec85d81c792f9f74c933a11e47673b16c8a3f784b95e9ae51d766f0f98c856c32590eba176983c71700c3426b9878c05f31

C:\Windows\System\fjAiVub.exe

MD5 7e33fe5e86767452d205bb39e901a250
SHA1 d5b11edfe089e2beb2761424897f4b2ee30789e7
SHA256 fc8f073222ea566a3cc5ddef11973908e8e52f374eb78f3cae4ac163a954aa67
SHA512 4ab3a24a4069f03483b6e040c011b0aa19baeec8a8e839794e11f406943a5a281fa799e5cc09a4a9ca49a3fce2140eda09ef498b75289d21eb413b2d0c8b5bc7

C:\Windows\System\kwltqRu.exe

MD5 8fd26746bbf05f5c5b0538a20d043a2b
SHA1 4aa965925d054648c028788294ca59076e660252
SHA256 e57291001d76766c90514655aff0478cd8f6aa32daaa2b12b38caa3c2e95d725
SHA512 766411e3a2b9547d8caf10c2935ae201f8849904daade52f5a539bc6ca12c0f7aa536c49642041af7e06da593b14a70ddce96c0b202113ff3a5be4dda612076f

C:\Windows\System\JxgYNPu.exe

MD5 4708234acee6aa7f41a524ca9f530d6d
SHA1 a8fb267dddce6d63403063ea2267f567d3eabe07
SHA256 1596f5e7fab511f7348d68a2aaf9d47bdc1eecbe7ba6758e8e329ef2481a6334
SHA512 fdc6fb53ae51f191245fdc588fcda18c822295bd1cb274db3a08229bf80b6f61ccafa5f840c1d57c92f2b33e643a070d6e97464a52cd1e9fa180eef9bb8b2576

C:\Windows\System\jgpjezL.exe

MD5 9b01942f047f23f4cb9a8cd9fe2f5e11
SHA1 3a22c68ed19106372a668d587e556c31b1f96486
SHA256 83d292ff7d17d2078b72afa7f5b401a9eb0048eeef402087099a946ab6c1b7d5
SHA512 548efc52e6495d1069f67a4e2241e00797517be50857809db2a47ae9f1d00984188fc76470c415adc60e99082624506bc107aba9368962df21f6373001b1d0b5

C:\Windows\System\VqMXtzH.exe

MD5 28d28222c44bd0354f270daf7838c1ca
SHA1 1a65bb24e1d270627aeda07f06a95c13aab9307b
SHA256 972e32d9efa231770c3b4e185da0cf4e61359ca2cbc202e712d5821140f04983
SHA512 51632abd24ec098ed428d2455c0670306e1f03ef78cd6fc31e6cded2dc53d5a81a0d1b01418789ea5b65b9f7a33c5fb5556d546947f95cf2612fba9c847a5828

C:\Windows\System\yjYkmmi.exe

MD5 1c1b40ff38b54c18e22c635ba9457c01
SHA1 6ec318458094f7062b2a6a31a0b6b886f53b1269
SHA256 f128cf2ab7013ad7527fc0ea0b10ee88e7ef624e3b0b7d8bd0d1fe9217cbdabf
SHA512 4b7f8ffb854911ca71722c1a32cbeb0511c0a9854c865e5d7af292c0568707b810bc0a7ea6beabd057bd9b129db2aa0c22440d40df4ef0eb7ea71083edf332ac

C:\Windows\System\xcoYiFF.exe

MD5 f2798c1b401f05a9eea9c712ceda60c8
SHA1 ea42a77fec2e5beb98d242e0003b7e047fd494a2
SHA256 4ef500a2da652b5696b86966c6604ef70502c2507ed0d32688af932e05be4226
SHA512 954aa80327e4fd9a95ec9aa83444b4c943a3f4e558265dc8324985c8da5790c93d0bb32d6d614263f8e6416c0819f34fa0c60f3c1d0d878434e453a1cd32a41f

C:\Windows\System\mErPEAh.exe

MD5 ecf2302123d2f5b2f2cbea1908dbe828
SHA1 53e9967e6bda011479d218b0991372a95fe3b9f3
SHA256 e7c949e08b7d6e1cdb5ea29bef420c67aca68841fa93feda577ea2ffed7fc647
SHA512 03aaac9cdfa3dd8bf2cc6b5e2733e3009f8dd9dfa01d901d3dc80fd788be54eff88328559c2bea1501daa28db440ca4c97a07b586efd52fa6322deb117b03973

C:\Windows\System\pWWRImQ.exe

MD5 5be6bdf75b39246a1dcf2b01994ee6fd
SHA1 3f544b61a0e9dea18744d1872e078ab3b9f9cec7
SHA256 741eb649f286b2d5004c62db4626956473db976d7b9e72846e29883c3df65853
SHA512 f862cdd33bcac9419847daf01482ae084943d26ab5f235d4881458e6c896d621044badb9046ae679cd8b2ac4431bca5727492b6a6f9b2b9e61fc13d1ab9c4cd0

C:\Windows\System\WRHbCdx.exe

MD5 0094ce5e31057948e0794154c5941a11
SHA1 3454dd8227838b219f78f0f2e9c09078bbfce98d
SHA256 80d55f9880aa1731742895ffd0241f65077e5706f678364796cac1ef2f6c6b38
SHA512 50a181a132922f2abdbd492698b5ee65c12f4d80b68b7255fb864209b8108a0a5ba33cd9da3362be9563e85e11aa685629bb1be5b6290e522f0ab7a29043f0cb

C:\Windows\System\CIMdmqg.exe

MD5 6cec71ee69287080bd5913ea195eafe4
SHA1 b82b5f4159fd28f38ca3687a2619a7c99c650638
SHA256 c7d05af819075ec678d47ec14df782542a16c202fb9a4c4ba057f0579a0e5c91
SHA512 fd7b4f0377167fb20588df697dcd5a88b2cd0badc2394e8debb5798e9020d85d30852d8880f53e969a2339b6ad3bb4cdc0c8a7a1f1c507cf34bca86d98f82597

C:\Windows\System\fXOLvYf.exe

MD5 020497ab51cf1f0586729c9dae3ce919
SHA1 c893633b06f0f1c3fdf963ff903d25a4c151177e
SHA256 757de446b886ae1c1c4d535d5313d346d1a63b1b513792619eff7409df43430a
SHA512 ed698d4e0ea2c3997e89a7b8cdaed24bbfb04ddbeddf9c8f61e89a095e7a72ed6181fa80e25f0a69c5ae0d069fb3ae0df2937635e69a03267215be225d3981bb

C:\Windows\System\PjIjzVF.exe

MD5 b8304d59024dcc007f20b8d13e879cd5
SHA1 d09a2e5b626c8b4507346071feff9a0774b6b212
SHA256 ef8a23210536333c03a8b7e36933fbb570d562944f8100edc636d720e5dcf065
SHA512 6a81acc7dbd0aff03c8a45f76a2a827dd7d41f28426631796c59b00200c03d4cca6a707699c706ed29d618a05560cff4a4558bc96baa568e9daca801349df039

C:\Windows\System\pvqLgLw.exe

MD5 34fb22467fda120edc2cdd929af906ab
SHA1 26428a802ac98503fd58a65b3c4c79c9d522908e
SHA256 61bf7e4fc1b848a1048489dd76de99c30e117e33295b8ef293abf289971e3347
SHA512 7087ec97af6f6a10f1d9ac2a2a3ffa2baf506c50e438c6cf836e34d36e504fe3ade47a40c654cfec976956421236ce9d374334d05112fb1d3d650e10b1b5c82d

C:\Windows\System\JLJVjkH.exe

MD5 c17d14e0a68fa356a85bf61179ed5c0c
SHA1 fe1153b42e7a7d92ac18e6641c86ed4ff6e24466
SHA256 77b9d0f52917141c0d21719f688addf81d78c4962b21cbbfa732e5a11e8a609b
SHA512 dc2e7c8c599d3e09220185868540d673d719db0a0ef6d5488aeed466cd86ad98a6d5cd49e2aa38b63cc1b402becbd0359bbeaff1d2e3ab61b1058ee5ffa1fd51

C:\Windows\System\PJdiWiH.exe

MD5 a0ac01548be1258a9713dd41253b51ab
SHA1 a8af64b93e3739065ba32107cb09bb04b657acfc
SHA256 5067afc8bbd84283385667d8b1140c9c077d852c783086d36e99a65205eb5476
SHA512 118e3fbe437e654282a27432838997a537f46781314559c9cac5ab18f2ccf002a627ec9914a297e781e5b4bec5a65247542dc6ae8fbecc7a1ef51c5801689f8e

C:\Windows\System\HpgHOws.exe

MD5 ebfe0f9a69db3f2130654b38cffced3a
SHA1 638484ae47c74f7ede8b774a22e8b644c4df3827
SHA256 8f01f2f7cbaeff75aa3ff5a3807a0fad783a5732a577a2c0f1c31c0a978d1db5
SHA512 4f2b6912a9aa1b6ddf1467b18345cd6621e0e966b1ca34d974445c56060233e44e9973956634daf700baf506c1386fee92aa4b7bb6f4187482fe23a92775872c
