Malware Analysis Report

2025-01-22 19:24

Sample ID 240806-tv77laxfkg
Target 2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat
SHA256 d7094e004d1a3ae67bb04658830fb3b2002f966835beef1b39ff78c9d8d106e2
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d7094e004d1a3ae67bb04658830fb3b2002f966835beef1b39ff78c9d8d106e2

Threat Level: Known bad

The file 2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobalt Strike reflective loader

Cobaltstrike family

XMRig Miner payload

Cobaltstrike

xmrig

Xmrig family

XMRig Miner payload

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 16:23

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 16:23

Reported

2024-08-06 16:26

Platform

win7-20240704-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\VRJXdNF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AhxgoMS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lrhTAcD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TtcddND.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GjWyeIh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ozRHtMJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TCkdySb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pWnwcma.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bGmuMIM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CUDFuwl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cHCBnzL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ILCvKeg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\crAHrOF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zDbkmkt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oCLpDmA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tYqVAqC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZBhnRLY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AEyXjbU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tRhXWCV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ipJezDN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\loFQFGY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1900 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oCLpDmA.exe
PID 1900 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pWnwcma.exe
PID 1900 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bGmuMIM.exe
PID 1900 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TtcddND.exe
PID 1900 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CUDFuwl.exe
PID 1900 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cHCBnzL.exe
PID 1900 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\loFQFGY.exe
PID 1900 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ILCvKeg.exe
PID 1900 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tYqVAqC.exe
PID 1900 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZBhnRLY.exe
PID 1900 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AEyXjbU.exe
PID 1900 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GjWyeIh.exe
PID 1900 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VRJXdNF.exe
PID 1900 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tRhXWCV.exe
PID 1900 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\crAHrOF.exe
PID 1900 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AhxgoMS.exe
PID 1900 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ipJezDN.exe
PID 1900 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lrhTAcD.exe
PID 1900 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ozRHtMJ.exe
PID 1900 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TCkdySb.exe
PID 1900 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zDbkmkt.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\oCLpDmA.exe

C:\Windows\System\pWnwcma.exe

C:\Windows\System\bGmuMIM.exe

C:\Windows\System\TtcddND.exe

C:\Windows\System\CUDFuwl.exe

C:\Windows\System\cHCBnzL.exe

C:\Windows\System\loFQFGY.exe

C:\Windows\System\ILCvKeg.exe

C:\Windows\System\tYqVAqC.exe

C:\Windows\System\ZBhnRLY.exe

C:\Windows\System\AEyXjbU.exe

C:\Windows\System\GjWyeIh.exe

C:\Windows\System\VRJXdNF.exe

C:\Windows\System\tRhXWCV.exe

C:\Windows\System\crAHrOF.exe

C:\Windows\System\AhxgoMS.exe

C:\Windows\System\ipJezDN.exe

C:\Windows\System\lrhTAcD.exe

C:\Windows\System\ozRHtMJ.exe

C:\Windows\System\TCkdySb.exe

C:\Windows\System\zDbkmkt.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2888-149-0x000000013FF30000-0x0000000140284000-memory.dmp

memory/2944-151-0x000000013F6D0000-0x000000013FA24000-memory.dmp

memory/2976-152-0x000000013F4D0000-0x000000013F824000-memory.dmp

memory/2168-153-0x000000013FDE0000-0x0000000140134000-memory.dmp

memory/3040-154-0x000000013F640000-0x000000013F994000-memory.dmp

memory/2744-155-0x000000013F7C0000-0x000000013FB14000-memory.dmp

memory/2760-156-0x000000013F760000-0x000000013FAB4000-memory.dmp

memory/2700-157-0x000000013F9D0000-0x000000013FD24000-memory.dmp

memory/2224-158-0x000000013F2B0000-0x000000013F604000-memory.dmp

memory/960-159-0x000000013F570000-0x000000013F8C4000-memory.dmp

memory/2736-160-0x000000013FA80000-0x000000013FDD4000-memory.dmp

memory/2764-161-0x000000013F550000-0x000000013F8A4000-memory.dmp

memory/3060-162-0x000000013F810000-0x000000013FB64000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 16:23

Reported

2024-08-06 16:26

Platform

win10v2004-20240802-en

Max time kernel

139s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\IoGKNvC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rOYhnpA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kguToQt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zDSMozU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DeQvesF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GvTpRad.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RZaesAv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wjbHsVu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TLQHRvN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xKgbrBF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CjopPpx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZwpvnAo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OQsKKBI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PaxhsKl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YsqhXQu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tPGpYik.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xjQJQlP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qBrEDQT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CDYvYWU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EMPkXcL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cejUdeH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3132 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YsqhXQu.exe
PID 3132 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YsqhXQu.exe
PID 3132 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GvTpRad.exe
PID 3132 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GvTpRad.exe
PID 3132 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZwpvnAo.exe
PID 3132 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZwpvnAo.exe
PID 3132 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cejUdeH.exe
PID 3132 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cejUdeH.exe
PID 3132 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RZaesAv.exe
PID 3132 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RZaesAv.exe
PID 3132 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IoGKNvC.exe
PID 3132 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IoGKNvC.exe
PID 3132 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wjbHsVu.exe
PID 3132 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wjbHsVu.exe
PID 3132 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TLQHRvN.exe
PID 3132 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TLQHRvN.exe
PID 3132 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rOYhnpA.exe
PID 3132 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rOYhnpA.exe
PID 3132 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tPGpYik.exe
PID 3132 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tPGpYik.exe
PID 3132 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kguToQt.exe
PID 3132 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kguToQt.exe
PID 3132 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OQsKKBI.exe
PID 3132 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OQsKKBI.exe
PID 3132 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xjQJQlP.exe
PID 3132 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xjQJQlP.exe
PID 3132 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PaxhsKl.exe
PID 3132 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PaxhsKl.exe
PID 3132 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xKgbrBF.exe
PID 3132 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xKgbrBF.exe
PID 3132 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zDSMozU.exe
PID 3132 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zDSMozU.exe
PID 3132 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DeQvesF.exe
PID 3132 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DeQvesF.exe
PID 3132 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qBrEDQT.exe
PID 3132 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qBrEDQT.exe
PID 3132 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CDYvYWU.exe
PID 3132 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CDYvYWU.exe
PID 3132 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EMPkXcL.exe
PID 3132 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EMPkXcL.exe
PID 3132 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CjopPpx.exe
PID 3132 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CjopPpx.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_164b57a27e64e45b7b3d8b726ffbce65_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\YsqhXQu.exe

C:\Windows\System\YsqhXQu.exe

C:\Windows\System\GvTpRad.exe

C:\Windows\System\GvTpRad.exe

C:\Windows\System\ZwpvnAo.exe

C:\Windows\System\ZwpvnAo.exe

C:\Windows\System\cejUdeH.exe

C:\Windows\System\cejUdeH.exe

C:\Windows\System\RZaesAv.exe

C:\Windows\System\RZaesAv.exe

C:\Windows\System\IoGKNvC.exe

C:\Windows\System\IoGKNvC.exe

C:\Windows\System\wjbHsVu.exe

C:\Windows\System\wjbHsVu.exe

C:\Windows\System\TLQHRvN.exe

C:\Windows\System\TLQHRvN.exe

C:\Windows\System\rOYhnpA.exe

C:\Windows\System\rOYhnpA.exe

C:\Windows\System\tPGpYik.exe

C:\Windows\System\tPGpYik.exe

C:\Windows\System\kguToQt.exe

C:\Windows\System\kguToQt.exe

C:\Windows\System\OQsKKBI.exe

C:\Windows\System\OQsKKBI.exe

C:\Windows\System\xjQJQlP.exe

C:\Windows\System\xjQJQlP.exe

C:\Windows\System\PaxhsKl.exe

C:\Windows\System\PaxhsKl.exe

C:\Windows\System\xKgbrBF.exe

C:\Windows\System\xKgbrBF.exe

C:\Windows\System\zDSMozU.exe

C:\Windows\System\zDSMozU.exe

C:\Windows\System\DeQvesF.exe

C:\Windows\System\DeQvesF.exe

C:\Windows\System\qBrEDQT.exe

C:\Windows\System\qBrEDQT.exe

C:\Windows\System\CDYvYWU.exe

C:\Windows\System\CDYvYWU.exe

C:\Windows\System\EMPkXcL.exe

C:\Windows\System\EMPkXcL.exe

C:\Windows\System\CjopPpx.exe

C:\Windows\System\CjopPpx.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/3132-0-0x00007FF7CBE90000-0x00007FF7CC1E4000-memory.dmp

memory/3132-1-0x0000020881EB0000-0x0000020881EC0000-memory.dmp

C:\Windows\System\YsqhXQu.exe

MD5 0b4d197c4c0f3364387715916fbe6cee
SHA1 4c1e28bb9e68a2fe519212665f2c95624970fb25
SHA256 f8acdeca8f4533cc7cf19d0b644f2654b8ff33863f690b500b1cb6e2abaa88b5
SHA512 849b1726c886526c2a2597045db0f6bf2f193b948fe45897dbed545fd7b4f6944ab362cfbd7c89fa2b7fbfdfe13ba20d12c933c953daaaa763f37f303d8e9a1f

memory/2556-8-0x00007FF786720000-0x00007FF786A74000-memory.dmp

C:\Windows\System\GvTpRad.exe

MD5 9cc617c3a2c9ea5adb11315510bd8028
SHA1 3f5d682224c4b36fea023f78507c94ce2a58a7b3
SHA256 3ef8e22815536dc11c9a7991209b559bd47fb5b5fadc32aeb4d314a4ddfb6ffe
SHA512 e04af0d0c40d8e0ebbaffabe6aabd00957207e819fd3a16cbf4992ea04188af5d9052e9ef9f263f57ab534f74e668ba0071e5a1aa358ebc701dcd73ff784b3eb

C:\Windows\System\ZwpvnAo.exe

MD5 c5be568c6efcf14ae344672b5919e7d8
SHA1 843aa2f62ea5b65b4e78bb69515100bd93e233c0
SHA256 7b3e1249e429705940bfbcb4c00318909d86b1ede22ad7ec4b6acbd0c3278e89
SHA512 260dc0d0903fc505b17f1e01091e4434418f29254dc7481d299859b15a9598960b976bd95f204d66ef633e0f800cf818393099bcddcc99faf55372b09f95b9fe

memory/4584-14-0x00007FF719530000-0x00007FF719884000-memory.dmp

C:\Windows\System\cejUdeH.exe

MD5 d7f6aaa8ebeccb080035c206abe279c6
SHA1 3abd7d58b253ada30846f62e1fbd805bf74a659a
SHA256 aa73022ca70ff8fd063e3f79cf40d70e9dbc1343af9b0dd07d18c8da95657a3a
SHA512 8ddae1381adfc3cc04e5efb5ec01f76ffe44a4766d128fb26dda67d0516cc68bec48b5c0807129f0c7946bf91c0def5986dc4277cabb66ee67d1c91b1010bef3

memory/4336-26-0x00007FF7E78A0000-0x00007FF7E7BF4000-memory.dmp

C:\Windows\System\RZaesAv.exe

MD5 9eac4b46c4fc6a401a3e93cc81884918
SHA1 bf1224f65ed4e9505908239e1302f39061ad03b3
SHA256 1dca4720b30bbc5c4b80d87122aadcce3a70aa40493c4050b52ced84a608cafc
SHA512 b0bf03fa9275d28b8b14bd0c0e955fe2fb9e19aaaede4cb58a00ac794fc9b0bd799495d995a080982e08ce553b9c6500ed13f91f129a598297eca24cda834248

C:\Windows\System\IoGKNvC.exe

MD5 73dccc6b07292ceb45b43da3d0021e62
SHA1 aba461532de2d868302fbc11e7969e64d13af589
SHA256 3cf456c1df85929a9a17a8384f13d94a264c07f328ca29e81bbad02584848e8c
SHA512 17b4ca6b6ee9e66a44ea27bb60f35d9b659064dfd52c7c74c6adb8726d595bd46ff54e0a6c60c869751ff0918bad7c92ec6ff3b2afc22e1613568a2dc62965da

memory/1116-41-0x00007FF7C5490000-0x00007FF7C57E4000-memory.dmp

memory/4228-49-0x00007FF61EF00000-0x00007FF61F254000-memory.dmp

memory/2532-54-0x00007FF6EA1F0000-0x00007FF6EA544000-memory.dmp

C:\Windows\System\rOYhnpA.exe

MD5 79c5199c9a0080f8c3cdff645c83c0d8
SHA1 f4a205c66caf1078a7b2fcee9f96d4eca72066b8
SHA256 43f630e5ba83603803c4d1c706d78895a35ffd0fa96feb919c865660ee2d717d
SHA512 bd53247787b7c6aa1456211fcc2c38295e95caf1402dbfa2a1537941eb911ec3f644951e21fd630f145d27214ece801ea9f3109c9d9c1f1e520f54389af8c92a

C:\Windows\System\TLQHRvN.exe

MD5 a3b15f90a4aad7644cfa3765bbd22ce0
SHA1 74608c8ce91744b17281f9daa09ef12bfec0b645
SHA256 e112696cf1799427bd2ba12de803edb8b90b9ae8afb745e58d7b6c9a87cc45a0
SHA512 f3a1201dc7fafa71336891eb97e98f91975cb298a2e4516a0a5952c781050b4021c2773935acdadbf549882decd84f4c3d9e2842fe344891072481c3d15ae5ce

memory/3952-51-0x00007FF61ADA0000-0x00007FF61B0F4000-memory.dmp

C:\Windows\System\wjbHsVu.exe

MD5 f9d6c9dd9c31d706acf0dc79ea2cfcbd
SHA1 bcf8a7e5494995bcd57ffa733e7a487c6fd0df00
SHA256 62ba9a36a7bdfa09bed01f69bcb9e279a43791ae6aa66662f0f5f457c10bd4d9
SHA512 ada7619174b2b5ec77c3f2bad8321b87999eb8f90def8d966cd9250793b111e642bb3eb1d982d66759126cf8c8813d31aad395746e1d16cc2a1a4a380de179b4

memory/3916-33-0x00007FF78C390000-0x00007FF78C6E4000-memory.dmp

memory/2044-22-0x00007FF6C4A60000-0x00007FF6C4DB4000-memory.dmp

C:\Windows\System\tPGpYik.exe

MD5 ad42812348476a39c97a16fdfe0e94d7
SHA1 160f70e3fa1f3ac80bcab1c6286140c7e6e7a1f5
SHA256 aafe9c2b779a8bd2977122b47a577a708a22f3e933e7f3f9c780034bacdd9d51
SHA512 7db93111d02f54a16b7058776c231bafcbeb20bc54df782f58e3970af5467347779a51ac7aa4c6e6f132937a4e530384a54de77759cf56c6ef62265fc5985a67

C:\Windows\System\kguToQt.exe

MD5 600cb16c228d334c72943820785ab262
SHA1 11c6bd7983e0005d89a68224911aa6ff362023fe
SHA256 12892c29fe1e1181a5bc5c9dccd363825c7e3c8ea2fc15a7acb5829ad7d432a5
SHA512 825d13cb2d16d70153e8062790cede0bbcd73ade485538d46358ebb66b09ec5dfa0a1383fe06b8f06d0b7da34aeb27c742b80193c82982c6561b6c2a442b0488

memory/32-75-0x00007FF7250A0000-0x00007FF7253F4000-memory.dmp

memory/5044-73-0x00007FF75FA70000-0x00007FF75FDC4000-memory.dmp

C:\Windows\System\OQsKKBI.exe

MD5 88088ace1bf6f8af69583d8ae828b6e1
SHA1 8b8d69374ec429364d8a6db8820e2504c1666848
SHA256 57f6832611e9090386fdcf0dd69ceeec02003de3f583e98b53e47331daf4a0f9
SHA512 ec4c01f9bc20ea978e9518616e427828780a9b347f9a5a9fb12eccad937d740bee5e4c88c0f4ddd25ce5febf66cf81d0abdd672ea14752150fb6199408f6024a

memory/4696-66-0x00007FF615D40000-0x00007FF616094000-memory.dmp

memory/3132-65-0x00007FF7CBE90000-0x00007FF7CC1E4000-memory.dmp

C:\Windows\System\xjQJQlP.exe

MD5 201ae6a3cd854fbfa41056e04851b046
SHA1 fcb73540073ac13de219f4e32b52ccea04a9c362
SHA256 7fd80c9ddcfdd07be9ab204fa193ce0557cf9049be6a151563b4c472bfb1f930
SHA512 233b10b1c3bc2d5f38ad91a208d653b87375b4903c9ea8e63ed4272f389912737f505061e749db8f2e3dd67b6fbbcdb61cb455a15f16a6f84cbfab29df18a8d4

C:\Windows\System\PaxhsKl.exe

MD5 71a89f3456f2f20d489d139f98778c15
SHA1 723aafd110ff2e22ec808e10aaa508706f5a5a93
SHA256 5dddb923cc356783b66f4c8952fa6e63802999dc4603f6f59bddb788e13de86c
SHA512 5dce0e2150a80bbdc1582a5870d0cbd46724434966ae7e6cbdff3d235ff9169f0c85eeb9ee1b73ab4d3bb2bd907e80cf456cc0c0f4666869849c4fc5d4569ce7

memory/3004-80-0x00007FF7AD820000-0x00007FF7ADB74000-memory.dmp

memory/4692-89-0x00007FF6C4F90000-0x00007FF6C52E4000-memory.dmp

C:\Windows\System\xKgbrBF.exe

MD5 6cad6ac7166cfe00693df4be5360da34
SHA1 39d45aafe98e3e5ee731d8ed950fc0abdf071396
SHA256 0a3bab4fffcfadfe6149bf6f8eb5e0a11dad003ffab12694ed4c4c55ffc72888
SHA512 c68dee9f2c0af3c77b554b83fadc97e02f40973128eea90e814a730927422ba469d848a8766e5b6141984a3e1819ce87c295cbcfe957a9e2d1c88a40c55395dd

C:\Windows\System\zDSMozU.exe

MD5 61b0a6692523bd34ed07cde1630e85c4
SHA1 aca7d4f29887e5001a0b902c8fa231aa2e2dabb0
SHA256 c84212f4624a08ee930e20bebb39094781fb7ce2bc6d249ace710505868556ee
SHA512 6b758d9e395a24073e3564371a201cd3716dc89a04f92104e32e47c6468e5ee17c23ea4c95975da804ff4d1ea92bd2616cdd4e6c765cf76f88e785dcfbe65e9d

memory/3208-94-0x00007FF6731D0000-0x00007FF673524000-memory.dmp

C:\Windows\System\EMPkXcL.exe

MD5 a9cafc97e78aa078cb65b15ddbd59ca3
SHA1 660f88ce06c25132907fef7c2af199311ad8f1a7
SHA256 8ab52c72e460c803e76d003d0340e8277007ceba6dcf7865bc8e145e57524967
SHA512 dbe7ba93ae8d62bdceab526ce36c234609d98ef8ce896cc826d5b633121bb9d5096d06419d077a64e5c4f2886365c6c0afc2bba9b40ef1560645b6fb316b1caf

memory/1320-115-0x00007FF62B3A0000-0x00007FF62B6F4000-memory.dmp

memory/3952-119-0x00007FF61ADA0000-0x00007FF61B0F4000-memory.dmp

memory/536-124-0x00007FF6CA460000-0x00007FF6CA7B4000-memory.dmp

C:\Windows\System\CjopPpx.exe

MD5 640a63f4a701cfd34476d9c688483328
SHA1 254c9b7eb3d87154bea4b97e43191674853e8b92
SHA256 98c5e4ffdcb93fda7528cf4a3a7826cbd823e4df1180f77748457c23f149e9d2
SHA512 991eefe74189265b1e1f4c57fd9d3aedbefbf80ccb1b8d5041ed87d819b9c1b8a5a1ec0ed8a26dea33bcb95db5b1e15a75824fc59a36a1f3e340e9a94b7ed261

C:\Windows\System\CDYvYWU.exe

MD5 e71fe536daa565d4df323183df39eccf
SHA1 12896dda9b19059be58ee9635e58ed1c35d601b2
SHA256 a8c2eee4b58a0008776794fc17b1637fff26551ba518e4f495e467205a9f43a4
SHA512 2eb276ab9e40e513db3f7cb54a71e710b50dbf74ec2d3781a1ff9a6f747daa581c01f306035074c6effda6821236e390f69828cbb7903c42ce50367ad4da64fa

C:\Windows\System\qBrEDQT.exe

MD5 cc0afe78fdf904eba8bf63991ccef97e
SHA1 c23e817cf8169eb6040a03b116954f4332f45d0b
SHA256 300aabd954be745641090ed65e2753f2e427c09b449ba6f316cc34535cf8ac59
SHA512 12ef46adf4487a280a4cc7f9734902a491324f4b1d563f4910add7e56aff855c82d07f52870d25e3d6637bbdd83f97f072c058d026781cb6d8559130a5cd4cf0

memory/2256-114-0x00007FF61A0D0000-0x00007FF61A424000-memory.dmp

memory/1116-109-0x00007FF7C5490000-0x00007FF7C57E4000-memory.dmp

memory/4028-107-0x00007FF6C96F0000-0x00007FF6C9A44000-memory.dmp

C:\Windows\System\DeQvesF.exe

MD5 6cc77e8ac271b628262fcb48e6a01e2d
SHA1 b0893ed5e6bfdefbd35a4cb4690291bf2059ffa2
SHA256 a6ce321623953482d89b6dfa1ba1d72b99df8d93ab36db4651cb9a27b5b08dc0
SHA512 ea151733074b33e7d25156edcf2c34fd7ccd14c16c32f5a224aa2469e2bc14c7300853994aedbe02f267df7d1ade0b7c1b16ab9c4ed77b2872f528a80a3be526

memory/1164-129-0x00007FF7B2C40000-0x00007FF7B2F94000-memory.dmp

memory/4704-130-0x00007FF6AE5E0000-0x00007FF6AE934000-memory.dmp

memory/2532-131-0x00007FF6EA1F0000-0x00007FF6EA544000-memory.dmp

memory/5044-132-0x00007FF75FA70000-0x00007FF75FDC4000-memory.dmp

memory/3004-133-0x00007FF7AD820000-0x00007FF7ADB74000-memory.dmp

memory/2256-134-0x00007FF61A0D0000-0x00007FF61A424000-memory.dmp

memory/1320-135-0x00007FF62B3A0000-0x00007FF62B6F4000-memory.dmp

memory/536-136-0x00007FF6CA460000-0x00007FF6CA7B4000-memory.dmp

memory/1164-137-0x00007FF7B2C40000-0x00007FF7B2F94000-memory.dmp

memory/2556-138-0x00007FF786720000-0x00007FF786A74000-memory.dmp

memory/4584-139-0x00007FF719530000-0x00007FF719884000-memory.dmp

memory/2044-140-0x00007FF6C4A60000-0x00007FF6C4DB4000-memory.dmp

memory/4336-141-0x00007FF7E78A0000-0x00007FF7E7BF4000-memory.dmp

memory/3916-142-0x00007FF78C390000-0x00007FF78C6E4000-memory.dmp

memory/1116-144-0x00007FF7C5490000-0x00007FF7C57E4000-memory.dmp

memory/4228-143-0x00007FF61EF00000-0x00007FF61F254000-memory.dmp

memory/2532-146-0x00007FF6EA1F0000-0x00007FF6EA544000-memory.dmp

memory/3952-145-0x00007FF61ADA0000-0x00007FF61B0F4000-memory.dmp

memory/4696-147-0x00007FF615D40000-0x00007FF616094000-memory.dmp

memory/5044-148-0x00007FF75FA70000-0x00007FF75FDC4000-memory.dmp

memory/32-149-0x00007FF7250A0000-0x00007FF7253F4000-memory.dmp

memory/3004-150-0x00007FF7AD820000-0x00007FF7ADB74000-memory.dmp

memory/4692-151-0x00007FF6C4F90000-0x00007FF6C52E4000-memory.dmp

memory/3208-152-0x00007FF6731D0000-0x00007FF673524000-memory.dmp

memory/4028-153-0x00007FF6C96F0000-0x00007FF6C9A44000-memory.dmp

memory/1320-155-0x00007FF62B3A0000-0x00007FF62B6F4000-memory.dmp

memory/2256-154-0x00007FF61A0D0000-0x00007FF61A424000-memory.dmp

memory/1164-157-0x00007FF7B2C40000-0x00007FF7B2F94000-memory.dmp

memory/536-156-0x00007FF6CA460000-0x00007FF6CA7B4000-memory.dmp

memory/4704-158-0x00007FF6AE5E0000-0x00007FF6AE934000-memory.dmp