Malware Analysis Report

2025-01-22 19:30

Sample ID: 240807-1l547syamg
Target: 2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat
SHA256: decc8358c64788a64472e275f44a37e54535c98243f884874bcd39ca549ef70b
Tags: miner, upx, xmrig, cobaltstrike, backdoor, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: decc8358c64788a64472e275f44a37e54535c98243f884874bcd39ca549ef70b

Threat Level: Known bad

The file 2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Tags: miner, upx, xmrig, cobaltstrike, backdoor, trojan

xmrig
Cobalt Strike reflective loader
Cobaltstrike
Xmrig family
XMRig Miner payload
Cobaltstrike family
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-08-07 21:45

Signatures

Cobalt Strike reflective loader
Cobaltstrike family (cobaltstrike)
XMRig Miner payload (miner)
Xmrig family (xmrig)
UPX packed file (upx)
Unsigned PE

No per-signature indicator details (Description, Indicator, Process, Target) were recorded for the static analysis.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-07 21:45
Reported: 2024-08-07 21:47
Platform: win7-20240704-en
Max time kernel: 140s
Max time network: 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader (21 entries; no Description, Indicator, Process or Target recorded)
Cobaltstrike (trojan, backdoor, cobaltstrike)
xmrig (miner, xmrig)
XMRig Miner payload (miner; 58 entries, no Description, Indicator, Process or Target recorded)
Loads dropped DLL

Process: C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe (21 entries; Description, Indicator and Target not recorded)

UPX packed file (upx)

56 entries; no Description, Indicator, Process or Target recorded.

Drops file in Windows directory

All 21 files below were created by C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe (Target: N/A):

File created C:\Windows\System\tuqgRID.exe
File created C:\Windows\System\emQmQqZ.exe
File created C:\Windows\System\nBqYGDS.exe
File created C:\Windows\System\JtaVFwB.exe
File created C:\Windows\System\ZixQKWd.exe
File created C:\Windows\System\OGFfQtG.exe
File created C:\Windows\System\AorWIyd.exe
File created C:\Windows\System\rUvYPBg.exe
File created C:\Windows\System\HKOmGoh.exe
File created C:\Windows\System\KOQclam.exe
File created C:\Windows\System\AOlmqjg.exe
File created C:\Windows\System\wzSoKjQ.exe
File created C:\Windows\System\kKroCcR.exe
File created C:\Windows\System\dVXhRZm.exe
File created C:\Windows\System\IgFBgHN.exe
File created C:\Windows\System\ComPUQW.exe
File created C:\Windows\System\zZMMEXY.exe
File created C:\Windows\System\EwPTZJd.exe
File created C:\Windows\System\AgmDPyE.exe
File created C:\Windows\System\yhzgaOi.exe
File created C:\Windows\System\mlglSqp.exe

Suspicious use of WriteProcessMemory

Source process (PID 1968): C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe. Each target below was written to three times (Indicator: N/A).

Target PID  Target
2336  C:\Windows\System\yhzgaOi.exe
2856  C:\Windows\System\HKOmGoh.exe
2828  C:\Windows\System\kKroCcR.exe
2984  C:\Windows\System\nBqYGDS.exe
2948  C:\Windows\System\dVXhRZm.exe
2748  C:\Windows\System\tuqgRID.exe
2664  C:\Windows\System\IgFBgHN.exe
2620  C:\Windows\System\ComPUQW.exe
2684  C:\Windows\System\wzSoKjQ.exe
1548  C:\Windows\System\JtaVFwB.exe
1680  C:\Windows\System\ZixQKWd.exe
2052  C:\Windows\System\KOQclam.exe
2524  C:\Windows\System\OGFfQtG.exe
2712  C:\Windows\System\zZMMEXY.exe
2368  C:\Windows\System\emQmQqZ.exe
2680  C:\Windows\System\AorWIyd.exe
2160  C:\Windows\System\AOlmqjg.exe
2796  C:\Windows\System\EwPTZJd.exe
1712  C:\Windows\System\AgmDPyE.exe
2800  C:\Windows\System\mlglSqp.exe
1720  C:\Windows\System\rUvYPBg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe"

Further processes; for each, the recorded command line is identical to its path:

C:\Windows\System\yhzgaOi.exe
C:\Windows\System\HKOmGoh.exe
C:\Windows\System\kKroCcR.exe
C:\Windows\System\nBqYGDS.exe
C:\Windows\System\dVXhRZm.exe
C:\Windows\System\tuqgRID.exe
C:\Windows\System\IgFBgHN.exe
C:\Windows\System\ComPUQW.exe
C:\Windows\System\wzSoKjQ.exe
C:\Windows\System\JtaVFwB.exe
C:\Windows\System\ZixQKWd.exe
C:\Windows\System\KOQclam.exe
C:\Windows\System\OGFfQtG.exe
C:\Windows\System\zZMMEXY.exe
C:\Windows\System\emQmQqZ.exe
C:\Windows\System\AorWIyd.exe
C:\Windows\System\AOlmqjg.exe
C:\Windows\System\EwPTZJd.exe
C:\Windows\System\AgmDPyE.exe
C:\Windows\System\mlglSqp.exe
C:\Windows\System\rUvYPBg.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (no domain recorded) tcp, recorded 6 times

Files

Dropped executables:

\Windows\system\yhzgaOi.exe
\Windows\system\HKOmGoh.exe
\Windows\system\kKroCcR.exe
C:\Windows\system\nBqYGDS.exe
\Windows\system\dVXhRZm.exe
\Windows\system\ComPUQW.exe
\Windows\system\wzSoKjQ.exe
C:\Windows\system\tuqgRID.exe
\Windows\system\IgFBgHN.exe
C:\Windows\system\JtaVFwB.exe
C:\Windows\system\KOQclam.exe
C:\Windows\system\zZMMEXY.exe
C:\Windows\system\AorWIyd.exe
C:\Windows\system\EwPTZJd.exe
\Windows\system\rUvYPBg.exe
C:\Windows\system\mlglSqp.exe
C:\Windows\system\AgmDPyE.exe
C:\Windows\system\AOlmqjg.exe
C:\Windows\system\emQmQqZ.exe
C:\Windows\system\OGFfQtG.exe
C:\Windows\system\ZixQKWd.exe

memory/2052-152-0x000000013F920000-0x000000013FC74000-memory.dmp

memory/2712-153-0x000000013F8E0000-0x000000013FC34000-memory.dmp

memory/2524-154-0x000000013F690000-0x000000013F9E4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-07 21:45

Reported

2024-08-07 21:47

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\twUcmzh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ybKDqBK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\beRqKCv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QOrdMNL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TCSTLmd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VvXLRaz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BRbMtpb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VUrdOAe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vudpxRY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UPVqkzA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dLtkLxJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JtuahZi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BVOPPmu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ctIuIXW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NJTjTfM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vDVUfpP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SRDdYxX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KpLSRAd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JUfaPZf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lOmQOQV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CODvXEw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4316 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BRbMtpb.exe
PID 4316 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BRbMtpb.exe
PID 4316 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ctIuIXW.exe
PID 4316 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ctIuIXW.exe
PID 4316 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TCSTLmd.exe
PID 4316 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TCSTLmd.exe
PID 4316 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NJTjTfM.exe
PID 4316 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NJTjTfM.exe
PID 4316 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\twUcmzh.exe
PID 4316 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\twUcmzh.exe
PID 4316 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vDVUfpP.exe
PID 4316 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vDVUfpP.exe
PID 4316 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SRDdYxX.exe
PID 4316 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SRDdYxX.exe
PID 4316 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VvXLRaz.exe
PID 4316 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VvXLRaz.exe
PID 4316 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ybKDqBK.exe
PID 4316 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ybKDqBK.exe
PID 4316 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VUrdOAe.exe
PID 4316 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VUrdOAe.exe
PID 4316 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vudpxRY.exe
PID 4316 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vudpxRY.exe
PID 4316 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KpLSRAd.exe
PID 4316 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KpLSRAd.exe
PID 4316 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UPVqkzA.exe
PID 4316 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UPVqkzA.exe
PID 4316 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\beRqKCv.exe
PID 4316 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\beRqKCv.exe
PID 4316 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dLtkLxJ.exe
PID 4316 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dLtkLxJ.exe
PID 4316 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JUfaPZf.exe
PID 4316 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JUfaPZf.exe
PID 4316 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QOrdMNL.exe
PID 4316 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QOrdMNL.exe
PID 4316 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JtuahZi.exe
PID 4316 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JtuahZi.exe
PID 4316 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lOmQOQV.exe
PID 4316 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lOmQOQV.exe
PID 4316 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BVOPPmu.exe
PID 4316 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BVOPPmu.exe
PID 4316 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CODvXEw.exe
PID 4316 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CODvXEw.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\BRbMtpb.exe

C:\Windows\System\BRbMtpb.exe

C:\Windows\System\ctIuIXW.exe

C:\Windows\System\ctIuIXW.exe

C:\Windows\System\TCSTLmd.exe

C:\Windows\System\TCSTLmd.exe

C:\Windows\System\NJTjTfM.exe

C:\Windows\System\NJTjTfM.exe

C:\Windows\System\twUcmzh.exe

C:\Windows\System\twUcmzh.exe

C:\Windows\System\vDVUfpP.exe

C:\Windows\System\vDVUfpP.exe

C:\Windows\System\SRDdYxX.exe

C:\Windows\System\SRDdYxX.exe

C:\Windows\System\VvXLRaz.exe

C:\Windows\System\VvXLRaz.exe

C:\Windows\System\ybKDqBK.exe

C:\Windows\System\ybKDqBK.exe

C:\Windows\System\VUrdOAe.exe

C:\Windows\System\VUrdOAe.exe

C:\Windows\System\vudpxRY.exe

C:\Windows\System\vudpxRY.exe

C:\Windows\System\KpLSRAd.exe

C:\Windows\System\KpLSRAd.exe

C:\Windows\System\UPVqkzA.exe

C:\Windows\System\UPVqkzA.exe

C:\Windows\System\beRqKCv.exe

C:\Windows\System\beRqKCv.exe

C:\Windows\System\dLtkLxJ.exe

C:\Windows\System\dLtkLxJ.exe

C:\Windows\System\JUfaPZf.exe

C:\Windows\System\JUfaPZf.exe

C:\Windows\System\QOrdMNL.exe

C:\Windows\System\QOrdMNL.exe

C:\Windows\System\JtuahZi.exe

C:\Windows\System\JtuahZi.exe

C:\Windows\System\lOmQOQV.exe

C:\Windows\System\lOmQOQV.exe

C:\Windows\System\BVOPPmu.exe

C:\Windows\System\BVOPPmu.exe

C:\Windows\System\CODvXEw.exe

C:\Windows\System\CODvXEw.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 21.58.20.217.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
