Malware Analysis Report

2025-01-22 19:30

Sample ID 240807-2mn3rayhld
Target 2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat
SHA256 0b3d9346fe4b83bb11eb7cdc4b7890910543e175aef474505fa90f61caf8ee0b
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0b3d9346fe4b83bb11eb7cdc4b7890910543e175aef474505fa90f61caf8ee0b

Threat Level: Known bad

The file 2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Xmrig family

Cobaltstrike family

XMRig Miner payload

Cobaltstrike

xmrig

Cobalt Strike reflective loader

XMRig Miner payload

Executes dropped EXE

Loads dropped DLL

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-07 22:42

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-07 22:42

Reported

2024-08-07 22:44

Platform

win7-20240704-en

Max time kernel

141s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\zxbkqFE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FoRrNSf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dsUwTYn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TeRcIqy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AlIzeFs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SDLvKPJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PJonXxg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bQRiuUd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EQQjCMZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fvOYWkp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EvRJzft.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nTUwuEe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QpnypLD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TlYosHf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rcyeCRz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SNWJyjm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QsxdXQa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MiMFrzR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vrSZzUj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BPFByrH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tzgxkbC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2912 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EQQjCMZ.exe
PID 2912 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EQQjCMZ.exe
PID 2912 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EQQjCMZ.exe
PID 2912 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fvOYWkp.exe
PID 2912 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fvOYWkp.exe
PID 2912 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fvOYWkp.exe
PID 2912 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SNWJyjm.exe
PID 2912 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SNWJyjm.exe
PID 2912 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SNWJyjm.exe
PID 2912 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EvRJzft.exe
PID 2912 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EvRJzft.exe
PID 2912 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EvRJzft.exe
PID 2912 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TeRcIqy.exe
PID 2912 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TeRcIqy.exe
PID 2912 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TeRcIqy.exe
PID 2912 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AlIzeFs.exe
PID 2912 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AlIzeFs.exe
PID 2912 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AlIzeFs.exe
PID 2912 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vrSZzUj.exe
PID 2912 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vrSZzUj.exe
PID 2912 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vrSZzUj.exe
PID 2912 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zxbkqFE.exe
PID 2912 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zxbkqFE.exe
PID 2912 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zxbkqFE.exe
PID 2912 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SDLvKPJ.exe
PID 2912 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SDLvKPJ.exe
PID 2912 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SDLvKPJ.exe
PID 2912 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PJonXxg.exe
PID 2912 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PJonXxg.exe
PID 2912 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PJonXxg.exe
PID 2912 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bQRiuUd.exe
PID 2912 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bQRiuUd.exe
PID 2912 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bQRiuUd.exe
PID 2912 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QpnypLD.exe
PID 2912 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QpnypLD.exe
PID 2912 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QpnypLD.exe
PID 2912 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BPFByrH.exe
PID 2912 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BPFByrH.exe
PID 2912 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BPFByrH.exe
PID 2912 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TlYosHf.exe
PID 2912 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TlYosHf.exe
PID 2912 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TlYosHf.exe
PID 2912 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FoRrNSf.exe
PID 2912 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FoRrNSf.exe
PID 2912 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FoRrNSf.exe
PID 2912 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rcyeCRz.exe
PID 2912 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rcyeCRz.exe
PID 2912 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rcyeCRz.exe
PID 2912 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nTUwuEe.exe
PID 2912 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nTUwuEe.exe
PID 2912 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nTUwuEe.exe
PID 2912 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tzgxkbC.exe
PID 2912 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tzgxkbC.exe
PID 2912 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tzgxkbC.exe
PID 2912 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QsxdXQa.exe
PID 2912 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QsxdXQa.exe
PID 2912 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QsxdXQa.exe
PID 2912 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MiMFrzR.exe
PID 2912 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MiMFrzR.exe
PID 2912 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MiMFrzR.exe
PID 2912 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dsUwTYn.exe
PID 2912 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dsUwTYn.exe
PID 2912 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dsUwTYn.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\EQQjCMZ.exe

C:\Windows\System\EQQjCMZ.exe

C:\Windows\System\fvOYWkp.exe

C:\Windows\System\fvOYWkp.exe

C:\Windows\System\SNWJyjm.exe

C:\Windows\System\SNWJyjm.exe

C:\Windows\System\EvRJzft.exe

C:\Windows\System\EvRJzft.exe

C:\Windows\System\TeRcIqy.exe

C:\Windows\System\TeRcIqy.exe

C:\Windows\System\AlIzeFs.exe

C:\Windows\System\AlIzeFs.exe

C:\Windows\System\vrSZzUj.exe

C:\Windows\System\vrSZzUj.exe

C:\Windows\System\zxbkqFE.exe

C:\Windows\System\zxbkqFE.exe

C:\Windows\System\SDLvKPJ.exe

C:\Windows\System\SDLvKPJ.exe

C:\Windows\System\PJonXxg.exe

C:\Windows\System\PJonXxg.exe

C:\Windows\System\bQRiuUd.exe

C:\Windows\System\bQRiuUd.exe

C:\Windows\System\QpnypLD.exe

C:\Windows\System\QpnypLD.exe

C:\Windows\System\BPFByrH.exe

C:\Windows\System\BPFByrH.exe

C:\Windows\System\TlYosHf.exe

C:\Windows\System\TlYosHf.exe

C:\Windows\System\FoRrNSf.exe

C:\Windows\System\FoRrNSf.exe

C:\Windows\System\rcyeCRz.exe

C:\Windows\System\rcyeCRz.exe

C:\Windows\System\nTUwuEe.exe

C:\Windows\System\nTUwuEe.exe

C:\Windows\System\tzgxkbC.exe

C:\Windows\System\tzgxkbC.exe

C:\Windows\System\QsxdXQa.exe

C:\Windows\System\QsxdXQa.exe

C:\Windows\System\MiMFrzR.exe

C:\Windows\System\MiMFrzR.exe

C:\Windows\System\dsUwTYn.exe

C:\Windows\System\dsUwTYn.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2912-0-0x000000013F990000-0x000000013FCE1000-memory.dmp

memory/2912-1-0x00000000002F0000-0x0000000000300000-memory.dmp

\Windows\system\EQQjCMZ.exe

MD5 e4f17b13dd0ccea5e50a47e01c0f0997
SHA1 9823c0cfa9f9d1a7221d07bd2b17a9b967706e6f
SHA256 d3168fb8faaa481c1b31d6b7856768216c6447fa2f92bb4dfa1e277fb5ef0a34
SHA512 36220f8e80b5bf184a32e4d306658f95d306d0b809842eda602e3fd2703dd47a34aaf731bd1c2c1f395a5b5253e0ac1a0a772e6b4cd82e199463f3c5e7bea9c5

memory/2720-9-0x000000013F970000-0x000000013FCC1000-memory.dmp

memory/2912-7-0x0000000002240000-0x0000000002591000-memory.dmp

\Windows\system\fvOYWkp.exe

MD5 7f550697a3a66f7f69bb4ef8adcdfbd7
SHA1 d06bc69991ef1566cecd4d8f44b5442700553940
SHA256 46486872f9bd1854a71b1f1abf16134d32b916ca7bfc2b321c49da8735db4aa0
SHA512 64e1be42e6aed2166b2d4fe92ecafc29359c7168fb3628b980538f966fa44dadce3c32496b5a84545a66c0906806e88cb8690ba7ce940879d1d93b4bd09eb5a9

C:\Windows\system\SNWJyjm.exe

MD5 087f0fc7e88f91793f45f6e86d369db6
SHA1 ab909691cbef69b9fff4965debfc077ced067303
SHA256 57cfe19b3275cce5ee32aa702ca4ef4993a739b632520186c159e6d80f5d2791
SHA512 48eed5b17666441b74bf9556b950cbd74c46fc557e234af30f990982b5938bb3498026680412229892a95fcc022ee72d7b42e1561d195c1c185eb0e6427af25e

memory/2736-27-0x000000013F310000-0x000000013F661000-memory.dmp

memory/3000-28-0x000000013FED0000-0x0000000140221000-memory.dmp

memory/2912-26-0x000000013F310000-0x000000013F661000-memory.dmp

memory/2852-23-0x000000013FF90000-0x00000001402E1000-memory.dmp

C:\Windows\system\EvRJzft.exe

MD5 5c9a1e59c738666f214bccf42bf6722a
SHA1 489c9cdc77464bf1ad783a71b30b831a650474b7
SHA256 c397f1effbca01f5fc6e022d0981809a2fefe5e685e16f9c8bf1f6c87506938a
SHA512 ef6f01f77bd2cd07d60d470b3a27f81ef3877797e9282cf621144974591f1fc2207726687bed75cb357dbe1aacd0ff924bca9ccde5871bf1462c1e9bbfa676fe

\Windows\system\TeRcIqy.exe

MD5 419f1c21a191d45279e35a88ed3a0df0
SHA1 110713ef9b37b510e94f05ba1cf4e3d44efb5b51
SHA256 d4e29d2966cff708ab9e269d6d9a9ca01d89c17ae2b8dc6cc753682a45fcad8e
SHA512 42e26b3037038c825006f5b887c48d2ba8ed50aad5bc7eb0d5153ec6f4fa26f45a4f96a0e93142468c9e39c20595afcf0450347d7d9fe3533ecb43da5866d7b7

C:\Windows\system\AlIzeFs.exe

MD5 164deb2f8ca55d21bf0375076d961106
SHA1 b990f1a779a2d629f6b932161bf4dbc5dc070343
SHA256 baff080473cae85adc9b2692d7443729aa8abe237f0ea40aee4b98cfd98a0329
SHA512 abf6476cfefa849d5f17083d5a51c6115f3f4ea9b035becb12e2c2fc332e78e1efb450806b1209597ace08e0c0d8aa0755230e527202c954732e69758aa2f9d2

memory/2912-36-0x0000000002240000-0x0000000002591000-memory.dmp

memory/2948-51-0x000000013FA50000-0x000000013FDA1000-memory.dmp

memory/2820-56-0x000000013FAE0000-0x000000013FE31000-memory.dmp

memory/2912-54-0x0000000002240000-0x0000000002591000-memory.dmp

memory/2748-53-0x000000013F730000-0x000000013FA81000-memory.dmp

C:\Windows\system\zxbkqFE.exe

MD5 b441c288bd9e67c31bdb4641559b674d
SHA1 ab8ac5a3fde08c5fc0b57fdfe485741a97fff60a
SHA256 42020401a86818ffde85efe19cc7273411068154e14f1099d904adf281be08bd
SHA512 5d14b6c83cfbc5eb29421f35bb94a35313d91721da83f7df27aa7b3355b62e393c242c8633f3f66ece54a8e36c535877e2f43b7e8503f46bb2e52450e6fec607

memory/2912-50-0x0000000002240000-0x0000000002591000-memory.dmp

memory/2912-48-0x0000000002240000-0x0000000002591000-memory.dmp

C:\Windows\system\vrSZzUj.exe

MD5 fbb07b24e57d9be851085afbb3f5d0f6
SHA1 4861ce61ef8302f362e55e7ff0e0596dc2f697aa
SHA256 1b74ac1e5604591a4dc0343c87cdd3480ede55ac846fd759fae92e47c02912ed
SHA512 48b6eabc25219a47a252d3a293d24ec8a704797a16c84b7c398da39da3570834cbb4557cb2324891a5305c88135238ef038a30060c16d385dd3d397c84629ae2

memory/2772-40-0x000000013FAE0000-0x000000013FE31000-memory.dmp

C:\Windows\system\PJonXxg.exe

MD5 24ace37b08bd35a3673f071eeaab49c0
SHA1 be7f34be82e9cfc08e5d3ab90d78fdd4e0a0d70b
SHA256 ec917871da86acbb31d1f715a49a28273ad329239ad3d74c1c62ce4c7834cf80
SHA512 d48759e63b3b4dca39dff745702b0f5c141954c7c93a76eea90280cde96516d891b3213a4f272623b5d769a652a9884bd6ac3c1c8122ecdeb9f180e29f939d9a

memory/3040-70-0x000000013FE20000-0x0000000140171000-memory.dmp

C:\Windows\system\QpnypLD.exe

MD5 c74007b0b7949203381f22cefc469a50
SHA1 63bf78e364137f5b4b4d2661e6044e5b8a2e6ab0
SHA256 30f3edd704d1530d9b0c67993426a268245f0d1686bd9b97a8bf279411be7584
SHA512 4dc663668b029ae7c5111fe17e75f87e994c2d6978fe89afa47739ac753402adbd3f796fd1cfc91c1f22f7bc72ec2bacaf34711872caca3dfe12657d4fcf7fc0

C:\Windows\system\bQRiuUd.exe

MD5 6248a157ca46b332a4aa5e534f9cadd1
SHA1 41b033ba105739a11d7269923cd8eb96afc23f9d
SHA256 5ae3bc5cd01133ca67344e08896fb36b2ddf90818b847d390ffffbe78e079478
SHA512 671e557ff9283cc00c57431816b0f6f9387c4994f9b7e921bf6c3469c77daaf9abb1c9587cf3696566d7fb66b6799a089f31cec82cbec7ca579eff508070ad96

memory/2236-76-0x000000013F2B0000-0x000000013F601000-memory.dmp

memory/2912-75-0x000000013F990000-0x000000013FCE1000-memory.dmp

memory/1008-83-0x000000013F890000-0x000000013FBE1000-memory.dmp

memory/2720-82-0x000000013F970000-0x000000013FCC1000-memory.dmp

memory/2912-69-0x000000013FE20000-0x0000000140171000-memory.dmp

memory/3064-62-0x000000013FDF0000-0x0000000140141000-memory.dmp

memory/2912-61-0x000000013FDF0000-0x0000000140141000-memory.dmp

C:\Windows\system\SDLvKPJ.exe

MD5 cf53db964d7b56c94880a5b9641192ae
SHA1 32ad7466d0dac1c44128fa22d9de5ad0f4459403
SHA256 d35ac407432dd50f122ecd2436c04be98bd25b046a7d427d35f22ffc8807c552
SHA512 98b93c02532a2eab735e65174538474de95e8fc7bce9fb4c0c59103cc0f6977b102912a4ff56f465b7bcb6c5977f7ec3d9c4341e6a9141d7e8d762479285fb88

\Windows\system\TlYosHf.exe

MD5 6a27691a9d7d1f9df806fc37ea255327
SHA1 7097d1e947945068bc269798ccb57ed1cee55b51
SHA256 310c70c2d894e14c6bd3fb70994220aebd39231c377a63dfbd0a4f6eb56458ea
SHA512 2a1c53fa6fcc8ced789e2680e91dff23b29bcbbb52b9f290d0507f4e6c758cde78518b492212e90fd235bd8022a66374998dbf87c7e18cb006e22ba3576054aa

memory/2912-96-0x0000000002240000-0x0000000002591000-memory.dmp

\Windows\system\rcyeCRz.exe

MD5 3cf56ea146da7bf88c4056e929c6bfbc
SHA1 c479cdd2a9e0a0ba17def585cb6617a15f4f129b
SHA256 6966a8ba8e2b4715021c762ec087425149afdae3b8dcdc88f4479a948d2e2028
SHA512 1f70f38aed7dcb5fde9ebedbb5a0fe881fb44e9b9f9b80a38b2569d9ff7698c638e14a0daafe9ca09c51b411ce82f476db6e6c4505b7b0beb9b04dd0af6b8ab9

C:\Windows\system\QsxdXQa.exe

MD5 be3017df06f0226ecaa542f07d825ba6
SHA1 1af6c17e2d015fd7167ab075c0eef5779c7f9134
SHA256 ba2402d28de111992f4cba0deaa59f3eda08c2bc827aba6dd6de1488a5cb4cc5
SHA512 03772435ca17b5834ea60689fb3c9367056693ce206e6f965db8a26295a95ada4b289abb44d45b2919e72ed2807642fbcbbdab4acb70878b2be9e8d93a4b4248

\Windows\system\dsUwTYn.exe

MD5 84dd15d73d8882419257511ddb92d724
SHA1 507477b2795e5a1a2049a88bdb794d7f45956821
SHA256 69b25f06e164bc868ba9a19f26b09566b083cab7a52bd80abb6d8601b3017c9e
SHA512 3072692b202105555092cebf9599a0dd921b55f2cda5ad88e5b1d7e2a4f2fe0f272c9764a6ddfa7e5ac2ca085fbc9587c1ddd4c687d7f00cb9641de78b729682

\Windows\system\nTUwuEe.exe

MD5 6881676b414be84f743b74fa893306c4
SHA1 5e09ab20c6cf10d669fa93eccdd3e201a88965c2
SHA256 b44eb74154304ab52b9152989a62c2f7a8183f72ea45e591abafaf894cbb52f2
SHA512 d9ca79e7c78b747f07d338c29e5e0c3f92e7a4d35d09ef8b3df053703f9639695ca74b1525d799e3388905e4e0eea5958f4492436e233a84a68e0d6647640cee

memory/2912-127-0x0000000002240000-0x0000000002591000-memory.dmp

C:\Windows\system\MiMFrzR.exe

MD5 1ca3bb3e390bb2449e4d492f45e51860
SHA1 d4d1754b49012c430db9310bbc79b0c4173223b4
SHA256 284bfe00aedc17f310dd3f23fda360d0335165644e9f43da6f4365dfe73f8419
SHA512 33ad6ec2d60de34b913b73a53d95979956cdfa1e730c1f7375b7f7dbf4e8dce6111a78aefb105350e41f3f16b9f2bc2a2bae8e35a33831b5065fedb39174d0b6

C:\Windows\system\tzgxkbC.exe

MD5 d1d83db9b80e167c178fce50a89f0bdd
SHA1 43e1c5f6eec50e2e5e1805fd5854ef86b0c3aab5
SHA256 42ae6dc21202d52bbf5b94ee34de246083055fefac3a0ece638afa304bc11dde
SHA512 9530b863e7f1304287000589998e26a9a03e39f37b7fe3c5a1228e6d3898fb888827a092a71d3a58cf01e0c2d1284aa859d3269a70c293bcd5c6e71c9fc0b819

memory/1604-123-0x000000013F0C0000-0x000000013F411000-memory.dmp

C:\Windows\system\FoRrNSf.exe

MD5 210d5036b90570cb3184568dfe5ab55a
SHA1 0243a726718e42e492e5b276a291f88e57923d96
SHA256 8e8f2f0372f7cfdb509f76501bcec1d5bc50ab01bb35ac97ce7d129af0a28adb
SHA512 c1caff7eab3d29994a638b621f210034a4704ed94aae3fb4329356e8ae5845632f3f2a7313971df8f3da1b345a5fac3d66323708b44f1ce8d3a99a2019c48d35

memory/1816-97-0x000000013F8E0000-0x000000013FC31000-memory.dmp

memory/2912-101-0x000000013F0C0000-0x000000013F411000-memory.dmp

memory/2772-95-0x000000013FAE0000-0x000000013FE31000-memory.dmp

C:\Windows\system\BPFByrH.exe

MD5 186f6c9faf82852112c39f3fee8eb14b
SHA1 11be0bc2e612d16edb1adc13f0683975aaad4d6a
SHA256 fa7808db8f3353fbf494e3484b03411d97877033dc602f289a8c801c1ec2056d
SHA512 a36666d357b26a7c3b454c0dbc927c909ae1a6fbe328a04725ff4d5d99cf9d1298e3960d7fb593a2b300c3a2fb01f5b9c437f74e634f996328d3472e2d8c8f2d

memory/2912-135-0x000000013F990000-0x000000013FCE1000-memory.dmp

memory/2820-148-0x000000013FAE0000-0x000000013FE31000-memory.dmp

memory/2236-146-0x000000013F2B0000-0x000000013F601000-memory.dmp

memory/1008-147-0x000000013F890000-0x000000013FBE1000-memory.dmp

memory/3064-144-0x000000013FDF0000-0x0000000140141000-memory.dmp

memory/1600-151-0x000000013FCD0000-0x0000000140021000-memory.dmp

memory/2004-154-0x000000013F7F0000-0x000000013FB41000-memory.dmp

memory/1712-156-0x000000013F740000-0x000000013FA91000-memory.dmp

memory/2868-155-0x000000013FDC0000-0x0000000140111000-memory.dmp

memory/1964-153-0x000000013F140000-0x000000013F491000-memory.dmp

memory/2872-152-0x000000013F7B0000-0x000000013FB01000-memory.dmp

memory/2928-157-0x000000013FDF0000-0x0000000140141000-memory.dmp

memory/2912-158-0x000000013F990000-0x000000013FCE1000-memory.dmp

memory/2912-171-0x000000013F0C0000-0x000000013F411000-memory.dmp

memory/2720-206-0x000000013F970000-0x000000013FCC1000-memory.dmp

memory/2852-208-0x000000013FF90000-0x00000001402E1000-memory.dmp

memory/3000-212-0x000000013FED0000-0x0000000140221000-memory.dmp

memory/2736-211-0x000000013F310000-0x000000013F661000-memory.dmp

memory/2772-214-0x000000013FAE0000-0x000000013FE31000-memory.dmp

memory/2748-218-0x000000013F730000-0x000000013FA81000-memory.dmp

memory/2948-216-0x000000013FA50000-0x000000013FDA1000-memory.dmp

memory/2820-220-0x000000013FAE0000-0x000000013FE31000-memory.dmp

memory/3064-222-0x000000013FDF0000-0x0000000140141000-memory.dmp

memory/3040-224-0x000000013FE20000-0x0000000140171000-memory.dmp

memory/2236-226-0x000000013F2B0000-0x000000013F601000-memory.dmp

memory/1008-238-0x000000013F890000-0x000000013FBE1000-memory.dmp

memory/1604-240-0x000000013F0C0000-0x000000013F411000-memory.dmp

memory/1816-242-0x000000013F8E0000-0x000000013FC31000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-07 22:42

Reported

2024-08-07 22:44

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\xkxHpHX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SENonPa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MoDKqhL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jjFEgBJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HAsWVnS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yvKEsAP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vqeTyeB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wVupQgO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AAmiSAu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EUanQZJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JaxpOrr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kNOXdXt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CCmnsfE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QHjoUml.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\baujovO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\plcLbjL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FUPBrCk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HPVMaxt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zeIgYLe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BEFoHCp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\evuUUHn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3216 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HAsWVnS.exe
PID 3216 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HAsWVnS.exe
PID 3216 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zeIgYLe.exe
PID 3216 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zeIgYLe.exe
PID 3216 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BEFoHCp.exe
PID 3216 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BEFoHCp.exe
PID 3216 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\evuUUHn.exe
PID 3216 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\evuUUHn.exe
PID 3216 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kNOXdXt.exe
PID 3216 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kNOXdXt.exe
PID 3216 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CCmnsfE.exe
PID 3216 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CCmnsfE.exe
PID 3216 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FUPBrCk.exe
PID 3216 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FUPBrCk.exe
PID 3216 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SENonPa.exe
PID 3216 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SENonPa.exe
PID 3216 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MoDKqhL.exe
PID 3216 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MoDKqhL.exe
PID 3216 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jjFEgBJ.exe
PID 3216 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jjFEgBJ.exe
PID 3216 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xkxHpHX.exe
PID 3216 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xkxHpHX.exe
PID 3216 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QHjoUml.exe
PID 3216 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QHjoUml.exe
PID 3216 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HPVMaxt.exe
PID 3216 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HPVMaxt.exe
PID 3216 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vqeTyeB.exe
PID 3216 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vqeTyeB.exe
PID 3216 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wVupQgO.exe
PID 3216 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wVupQgO.exe
PID 3216 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AAmiSAu.exe
PID 3216 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AAmiSAu.exe
PID 3216 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EUanQZJ.exe
PID 3216 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EUanQZJ.exe
PID 3216 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yvKEsAP.exe
PID 3216 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yvKEsAP.exe
PID 3216 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JaxpOrr.exe
PID 3216 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JaxpOrr.exe
PID 3216 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\baujovO.exe
PID 3216 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\baujovO.exe
PID 3216 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\plcLbjL.exe
PID 3216 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\plcLbjL.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_72be44cf5b77de38af0f4a4f1d5fc27c_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\HAsWVnS.exe

C:\Windows\System\HAsWVnS.exe

C:\Windows\System\zeIgYLe.exe

C:\Windows\System\zeIgYLe.exe

C:\Windows\System\BEFoHCp.exe

C:\Windows\System\BEFoHCp.exe

C:\Windows\System\evuUUHn.exe

C:\Windows\System\evuUUHn.exe

C:\Windows\System\kNOXdXt.exe

C:\Windows\System\kNOXdXt.exe

C:\Windows\System\CCmnsfE.exe

C:\Windows\System\CCmnsfE.exe

C:\Windows\System\FUPBrCk.exe

C:\Windows\System\FUPBrCk.exe

C:\Windows\System\SENonPa.exe

C:\Windows\System\SENonPa.exe

C:\Windows\System\MoDKqhL.exe

C:\Windows\System\MoDKqhL.exe

C:\Windows\System\jjFEgBJ.exe

C:\Windows\System\jjFEgBJ.exe

C:\Windows\System\xkxHpHX.exe

C:\Windows\System\xkxHpHX.exe

C:\Windows\System\QHjoUml.exe

C:\Windows\System\QHjoUml.exe

C:\Windows\System\HPVMaxt.exe

C:\Windows\System\HPVMaxt.exe

C:\Windows\System\vqeTyeB.exe

C:\Windows\System\vqeTyeB.exe

C:\Windows\System\wVupQgO.exe

C:\Windows\System\wVupQgO.exe

C:\Windows\System\AAmiSAu.exe

C:\Windows\System\AAmiSAu.exe

C:\Windows\System\EUanQZJ.exe

C:\Windows\System\EUanQZJ.exe

C:\Windows\System\yvKEsAP.exe

C:\Windows\System\yvKEsAP.exe

C:\Windows\System\JaxpOrr.exe

C:\Windows\System\JaxpOrr.exe

C:\Windows\System\baujovO.exe

C:\Windows\System\baujovO.exe

C:\Windows\System\plcLbjL.exe

C:\Windows\System\plcLbjL.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/3216-0-0x00007FF7BA820000-0x00007FF7BAB71000-memory.dmp

memory/3216-1-0x0000018B1E4A0000-0x0000018B1E4B0000-memory.dmp

C:\Windows\System\HAsWVnS.exe

MD5 10cb11a3dd21f814b39f2adccad2b48f
SHA1 c783527f8caf10d940b5920dd78214c5e14fab54
SHA256 d197e045d6a5a720454b805bae7c2111a9e87d0db9da0c6b75c39a7f8816dd12
SHA512 625af875c31aa3860b2be91a3334a96680a84f836ce2e84d8b1310e3879af49a1491094f3cd78b49f98d523910a30fa0bc6f401894f644f42487714af55cb360

C:\Windows\System\zeIgYLe.exe

MD5 5b519faa1529e293a8332347be48782d
SHA1 36cf33b98fc69b1ad558003105551766e7ee7b83
SHA256 6c0f7278a4fe22d209b71ecf5efbc675ef98efd745ade26a9e3d8db08947f21d
SHA512 ce8bf12c96ec4b15190b48400c5bf24c4a8e206da5a059b08e212a305a46fd1ea28ec39287342ee6b3462f9d327f37be44a060eb042d2ed52cecb987026f0e6e

memory/5100-8-0x00007FF6BD900000-0x00007FF6BDC51000-memory.dmp

C:\Windows\System\BEFoHCp.exe

MD5 6f61b1d3518887376e55a816b9771e97
SHA1 78392e0da9b12d7f5aaff40bf92e0616ce9200e2
SHA256 114ff9313137bf8fd7c9b3c7ce4fd21828a9465c80bd73b588fb378370cbb7d5
SHA512 3550d0532361186d1833cce6865ae6a4adbabc43fd49776417cf0fa8f82eb299fd19b8eb1f9ce826d4c0fe28fda184414b5fe3d32f39c2a6185aa7476ecacb16

memory/2216-20-0x00007FF68D520000-0x00007FF68D871000-memory.dmp

memory/4176-14-0x00007FF69B160000-0x00007FF69B4B1000-memory.dmp

C:\Windows\System\evuUUHn.exe

MD5 b032c121311a54ff42fe29968a25b5a3
SHA1 a7e10df02dcec2e08d0e456042da91eb33007ad9
SHA256 a166efe68ef1f24228590f7e5ec5953aa1018ecacd882188f3ee71c9c87baabe
SHA512 9b1339a2634fe83e16339aa964d608ae1081455156ca680ffc027a8dc07ec1244f5547ade0d0746532edd9f36e7e12304ee396939ae3f2e511a4482dca0bc5d7

memory/2972-31-0x00007FF7EC0F0000-0x00007FF7EC441000-memory.dmp

C:\Windows\System\kNOXdXt.exe

MD5 b61391ca2f3586df9be26ee50fc9994a
SHA1 b6f00c5487a0247f694e6958664d713645e25860
SHA256 64c0a7fb882c14fb2a93f04456a899af45abbe5b756366f559ea15a816142403
SHA512 e70d1582ca2cba4990666a2e376bddcfc24da54129b6c9c5a2af116d3ae14eca835ce9b413123100d8516d15e5af129eaa0fc26374e7aec5fd3b2a6e991fcdbf

memory/232-36-0x00007FF6DD9F0000-0x00007FF6DDD41000-memory.dmp

C:\Windows\System\CCmnsfE.exe

MD5 fb8e785a4643ff7dc6784a48b2b51975
SHA1 fccb546fbd7e89bfd32e5cce66742f140155fb20
SHA256 fef24bef5c76837627e07095998a7f760b2a3cdf1e54fb7fd5c96ee75a92537f
SHA512 af78f0a5479ae2e96147ef86921942a8a9de056b05b1a11edff7418720aea8d5341a3fb4abea4a16612a03bc17eee2b040e1b9df7db34fcfff2797c5744903f1

memory/4780-26-0x00007FF718AF0000-0x00007FF718E41000-memory.dmp

C:\Windows\System\FUPBrCk.exe

MD5 7cd51201bbad8a105f04457eded3de8f
SHA1 1d98dfdc4729f9e9d1b7aaa4cd36c51480dec096
SHA256 b8e4f47c893dc06114d696c3d40bf0446e2ca4e28f5b2d4b330e41a9a55ce104
SHA512 f6eb687afe32037b85df004ad179d88c3ad832a8b49aee6546c28b0b76e5fd6d13a34891add6c163ed9e90109abc617d53baa925c5d3e5a133c90f43068f92aa

C:\Windows\System\SENonPa.exe

MD5 44151c53552e1fd213ac72fececc7dcb
SHA1 d81503550f6dc8498cbcc888fe2372beea2d1a6e
SHA256 f1e6208a75fb8e321ecb38e1e91638c8fda31a1c97ce6fca82ea51e31d815f07
SHA512 5b2d5f8ac80cc0369bdc1ee572eafb96a0a63998363af011d104021b3a07d4a71b7be32ab7e2a938da4de2d8c94c9f9aff38f43801d4eac83007bdda84c09196

memory/5088-42-0x00007FF60EF90000-0x00007FF60F2E1000-memory.dmp

memory/2080-50-0x00007FF7B6020000-0x00007FF7B6371000-memory.dmp

C:\Windows\System\MoDKqhL.exe

MD5 a50a1ce5743f5afb171551826401337d
SHA1 0643f9b5e026d2b52059302f2bea4aae0f53afb2
SHA256 7f8f94744328f7d3d27017c1371ddea31298a3c77bc2d9fd05db524400c98e0d
SHA512 a637393cfa52232ca558744d6100c6bdc7a02efab5cf934923b7b4a67c83c26423416a6f0201f02e8c3d7ea5b0c67b82af7a54a2340391302752eec0f68f5079

memory/4756-55-0x00007FF7D2360000-0x00007FF7D26B1000-memory.dmp

memory/3216-60-0x00007FF7BA820000-0x00007FF7BAB71000-memory.dmp

C:\Windows\System\jjFEgBJ.exe

MD5 4fd1dafe73e791b222f7bad2bbb8f849
SHA1 91fd129213ed2d55bb1e8045fc0599ee6e9169c7
SHA256 27273885d6a9aba203d3f30f22daae4846fa6587b755b8b3426879a540443521
SHA512 f9739085ba0301395474293e1088fab7534e29b26cc7027189ced251e2a35efb8016aa5a181de3a2f6fb612b579bf95ee7fe59e963a045e50d4504df5ecdfda2

C:\Windows\System\QHjoUml.exe

MD5 801d39e8a928454c7ec0cf2bf100ca88
SHA1 9656f02c9db61dd9160ea4ff3bc4965f2e49555e
SHA256 b64f48417b9a0d90baefe938eb19129ca79122aa57967b89014d37fdfae1f34b
SHA512 74fed1cfc959e1a612d544085484080c856dfa4c27440066c81390b7140f8167689238c408c7b380d518ac27e2f3a64b6b818399c65ecba889ca3a581817bb29

memory/5100-71-0x00007FF6BD900000-0x00007FF6BDC51000-memory.dmp

C:\Windows\System\vqeTyeB.exe

MD5 b57a876dbfeb7aac58e3a20dd00e752b
SHA1 054c00ac98c30bb101e874d280be0fb1fd5e261c
SHA256 7a74030ace0ae65e736985193ef90010e9eb8dda8918b37c9a01b30ff7f6a272
SHA512 776adf52ab10d78fa4e2d0d89b0ed906ef02a9094ec312605478c9fb327b4b0788c5c57ccbbe477096b02b23381cbbed68777a106914abe6fd3eabfce7e0e13f

C:\Windows\System\HPVMaxt.exe

MD5 7a58de1d08edae1a793b0ef5e1bc67f7
SHA1 76ffb7457b357dd320891a1b804645524cf718c4
SHA256 4d64297d3f35fb9eb2717727ef67de29beccfd6a51b7e22c2beb36789ef445be
SHA512 b7269e8c19246446d0afc4e75424c2f0afbdf075678284a0946d4dab6d34943c5d122dc51cdc0fe5dcaf05f50ca895680f91b86a3cd7568f13155acbfa0ee03c

C:\Windows\System\AAmiSAu.exe

MD5 4b3b50780ccbf0ac74792d98e1889880
SHA1 33449485b635410c3962426e93916649045d6f91
SHA256 79d9528bd0fd807b391eb77ede24474e4de58ae5327d8686ca74dbf914dfc68a
SHA512 4861fb811ab4c6e336fb7d03b7552b2c727a571fb084c2f2c285cd25b0b71094304088d13ae5899bcbedc9ba5c592744b7d0161403933b6203aa6a90eb0e674a

C:\Windows\System\EUanQZJ.exe

MD5 59b1862c42a1918f69855e80d5c4b9a7
SHA1 4da5ca34eebf3a062b474430ba10b511d87a3674
SHA256 1b78f74206c3ca0a0fc701ba23ac22da872f7d2c7052f55b65c04d52ede0b513
SHA512 af7ef001e9b623d15c91d538154de688f429f339f07ed6faa0031bbd3e4e1ca35c266d07bc6eee5c5e1357ec2823c4d7abefe07535be1ca4368bf0017cb05b96

C:\Windows\System\yvKEsAP.exe

MD5 420615205d60ec790745d0776c9a540c
SHA1 ad9070ca69fea902273e35d7c1c2be60ff8f0218
SHA256 44afa26827fca4e4d1a879d163458e14769bb7ca3ff507049cff05411d9670af
SHA512 7d8ff03290195a6bf188deae49eb9dbb7a48f3737b4226d4036426952874bce9eeb4234853e8ec150d2379ebd87d84595e51781b1d0c9cb300fe02464ee1beef

memory/3424-122-0x00007FF783E10000-0x00007FF784161000-memory.dmp

memory/5088-125-0x00007FF60EF90000-0x00007FF60F2E1000-memory.dmp

C:\Windows\System\plcLbjL.exe

MD5 6f6f2fd11940f4bf3235bdcc4fccc411
SHA1 5b64d0f9681d59d742817e76de6a8e5d5186826a
SHA256 f6326140b5a3b4673c696d6b28bb33c0a62d059e06adf4aa38b57ad32c2f9b42
SHA512 ce853aec34fa1dca0ff7b7399b2aeb3f38c84808d983c986ce1766540d65d5bf1486e8c75aaa73e6446f09fec88b07ba22f3a182517b50d9cbc11d76e666d9e0

memory/3992-130-0x00007FF7BA020000-0x00007FF7BA371000-memory.dmp

memory/1572-129-0x00007FF7F04F0000-0x00007FF7F0841000-memory.dmp

C:\Windows\System\baujovO.exe

MD5 becd7c10b8efe185f891d88f017c125f
SHA1 3f3034b193a8f76be2cf976295cce85f862133b3
SHA256 daf82c47ff662c1f0760f9327861a4decdf455d56a8ff5ea1738b933676eb397
SHA512 415bb919186bb554784a06a3a0cb977bb7102eb5acdfe3d36eaecbba6a7a286ee6526496fdbc89f7e4d47f6644fb6a893da7344e0bb40ae725127c4bf81a566d

memory/2180-124-0x00007FF724610000-0x00007FF724961000-memory.dmp

C:\Windows\System\JaxpOrr.exe

MD5 b45c4cabb0b28e1e01daf808bad11031
SHA1 5356ba454283f244d957e9a34a29d04996352d1a
SHA256 b5a1e4dffc538c36f6c993ce98c2a594bf6593655437c6a55a36c73434f942c0
SHA512 2600db61b6724ea17b60804cdd4fcdfcba10b4aff11356e40acaf2b0b2e229dd2a484226ede151855f437c7f657b015db3db2b10fc96ce6cfe90a9ca6607bd80

memory/3152-117-0x00007FF78D830000-0x00007FF78DB81000-memory.dmp

memory/4944-104-0x00007FF695590000-0x00007FF6958E1000-memory.dmp

memory/232-103-0x00007FF6DD9F0000-0x00007FF6DDD41000-memory.dmp

memory/2972-97-0x00007FF7EC0F0000-0x00007FF7EC441000-memory.dmp

C:\Windows\System\wVupQgO.exe

MD5 d9dbcfd119b66d1b1341a6f57fbb2a87
SHA1 bd91d39c305ce005e1fb04373740a9a130659534
SHA256 9b316b55c56cfb70e53d97faa5e108c71f0f33089be94d3ab20d717f9d8b423a
SHA512 19d5eb7ac332818c5276635078abb1ba4cd10a0b81e21a600111c566f8928c41128acf3c9c1d69559a7e734fe07114565a75c546fad8b2c2557d0aca947b7af1

memory/3760-93-0x00007FF786F00000-0x00007FF787251000-memory.dmp

memory/400-87-0x00007FF7F9490000-0x00007FF7F97E1000-memory.dmp

memory/3736-83-0x00007FF7ED950000-0x00007FF7EDCA1000-memory.dmp

memory/1512-77-0x00007FF755450000-0x00007FF7557A1000-memory.dmp

memory/2584-78-0x00007FF7AA260000-0x00007FF7AA5B1000-memory.dmp

C:\Windows\System\xkxHpHX.exe

MD5 26098d4c3fc42af479bf2fa134a1a87d
SHA1 4a2cbab587fab5ccfebdeecd4df518abe7b13f76
SHA256 55eb08016737fe41edbc16d7183215d1f897850a42647a25148899e524a9b78f
SHA512 1777419ebecf19378681de2d368d24feeec4b2dd467e6381cf023f027a6b85ebc616f4eaeb633de56b688556d94948d063947e6acf758daf8a7a1a3c1d69a769

memory/2928-61-0x00007FF6D48B0000-0x00007FF6D4C01000-memory.dmp

memory/3216-133-0x00007FF7BA820000-0x00007FF7BAB71000-memory.dmp

memory/4756-143-0x00007FF7D2360000-0x00007FF7D26B1000-memory.dmp

memory/3760-149-0x00007FF786F00000-0x00007FF787251000-memory.dmp

memory/3736-147-0x00007FF7ED950000-0x00007FF7EDCA1000-memory.dmp

memory/2928-144-0x00007FF6D48B0000-0x00007FF6D4C01000-memory.dmp

memory/400-148-0x00007FF7F9490000-0x00007FF7F97E1000-memory.dmp

memory/3992-155-0x00007FF7BA020000-0x00007FF7BA371000-memory.dmp

memory/1512-145-0x00007FF755450000-0x00007FF7557A1000-memory.dmp

memory/1572-154-0x00007FF7F04F0000-0x00007FF7F0841000-memory.dmp

memory/3216-156-0x00007FF7BA820000-0x00007FF7BAB71000-memory.dmp

memory/5100-209-0x00007FF6BD900000-0x00007FF6BDC51000-memory.dmp

memory/4176-211-0x00007FF69B160000-0x00007FF69B4B1000-memory.dmp

memory/2216-213-0x00007FF68D520000-0x00007FF68D871000-memory.dmp

memory/4780-215-0x00007FF718AF0000-0x00007FF718E41000-memory.dmp

memory/2972-217-0x00007FF7EC0F0000-0x00007FF7EC441000-memory.dmp

memory/232-219-0x00007FF6DD9F0000-0x00007FF6DDD41000-memory.dmp

memory/2080-223-0x00007FF7B6020000-0x00007FF7B6371000-memory.dmp

memory/5088-222-0x00007FF60EF90000-0x00007FF60F2E1000-memory.dmp

memory/4756-231-0x00007FF7D2360000-0x00007FF7D26B1000-memory.dmp

memory/2928-233-0x00007FF6D48B0000-0x00007FF6D4C01000-memory.dmp

memory/2584-237-0x00007FF7AA260000-0x00007FF7AA5B1000-memory.dmp

memory/1512-236-0x00007FF755450000-0x00007FF7557A1000-memory.dmp

memory/3736-239-0x00007FF7ED950000-0x00007FF7EDCA1000-memory.dmp

memory/400-241-0x00007FF7F9490000-0x00007FF7F97E1000-memory.dmp

memory/3760-243-0x00007FF786F00000-0x00007FF787251000-memory.dmp

memory/4944-245-0x00007FF695590000-0x00007FF6958E1000-memory.dmp

memory/3152-247-0x00007FF78D830000-0x00007FF78DB81000-memory.dmp

memory/3424-249-0x00007FF783E10000-0x00007FF784161000-memory.dmp

memory/2180-251-0x00007FF724610000-0x00007FF724961000-memory.dmp

memory/1572-253-0x00007FF7F04F0000-0x00007FF7F0841000-memory.dmp

memory/3992-255-0x00007FF7BA020000-0x00007FF7BA371000-memory.dmp