Malware Analysis Report

2025-01-22 19:30

Sample ID 240807-2n6zyswakp
Target 2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat
SHA256 704131dad1674a92f450dcf24ae7279a5f743e0bd6d886bb3408ee17a529446e
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

704131dad1674a92f450dcf24ae7279a5f743e0bd6d886bb3408ee17a529446e

Threat Level: Known bad

The file 2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

xmrig

Xmrig family

Cobaltstrike family

XMRig Miner payload

Cobaltstrike

Cobalt Strike reflective loader

XMRig Miner payload

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-07 22:44

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-07 22:44

Reported

2024-08-07 22:47

Platform

win7-20240729-en

Max time kernel

138s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 matches recorded; no description, indicator, process or target details are captured in this export.

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
60 matches recorded; no description, indicator, process or target details are captured in this export.

Loads dropped DLL

Description Indicator Process Target
21 DLL loads recorded, every one attributed to C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe; the loaded DLL paths are not captured in this export.

UPX packed file

upx
Description Indicator Process Target
59 matches recorded; no description, indicator, process or target details are captured in this export.

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\tjnEMac.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ryFveAK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cLKGDvT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QlDhkGT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mMvyBqp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pgwImoi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bhHYCib.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zHUvTXO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DaXnYFU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CJSsLwb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jgEopYi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cKKyKpz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eycDneJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fKGitVm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kXbXaoo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dohHquR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OBrxPDQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KLDNxnv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yXXdRyM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gEhmlWA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mipktnB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

All 63 rows name the same writing process, C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe (PID 2632), and record three writes into each newly spawned child; no Indicator value is captured. Collapsed to one row per child:

Source PID Target PID Target Writes
2632 2688 C:\Windows\System\tjnEMac.exe 3
2632 2764 C:\Windows\System\ryFveAK.exe 3
2632 2876 C:\Windows\System\OBrxPDQ.exe 3
2632 2872 C:\Windows\System\pgwImoi.exe 3
2632 2676 C:\Windows\System\cKKyKpz.exe 3
2632 2756 C:\Windows\System\eycDneJ.exe 3
2632 2584 C:\Windows\System\fKGitVm.exe 3
2632 2964 C:\Windows\System\KLDNxnv.exe 3
2632 2288 C:\Windows\System\cLKGDvT.exe 3
2632 1748 C:\Windows\System\QlDhkGT.exe 3
2632 2368 C:\Windows\System\kXbXaoo.exe 3
2632 1416 C:\Windows\System\yXXdRyM.exe 3
2632 1716 C:\Windows\System\bhHYCib.exe 3
2632 1684 C:\Windows\System\gEhmlWA.exe 3
2632 1344 C:\Windows\System\zHUvTXO.exe 3
2632 1732 C:\Windows\System\mMvyBqp.exe 3
2632 648 C:\Windows\System\DaXnYFU.exe 3
2632 1724 C:\Windows\System\dohHquR.exe 3
2632 1524 C:\Windows\System\mipktnB.exe 3
2632 1708 C:\Windows\System\CJSsLwb.exe 3
2632 3068 C:\Windows\System\jgEopYi.exe 3
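Added example, not part of the sandbox report: the "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" tables above describe one pattern, a single parent (PID 2632) writing 21 executables with seven-letter mixed-case names into C:\Windows\System (the legacy directory, not System32, which still needs write access to the Windows tree) and then spawning each of them. The script below parses rows in the report's own row format, rebuilds the parent-to-child fan-out, and flags that pattern; it counts the writes per child rather than interpreting them, since the table gives no indicator of what was written. The inlined rows are rebuilt from six of the 21 children listed above plus one constructed control row (report.txt) that must not be flagged; the fan_out threshold of 5 is an assumption.

```python
import re
from collections import Counter, defaultdict

# Rows rebuilt from the report tables above (six of the 21 children), plus one
# constructed control row (report.txt) that the heuristic must leave alone.
PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe")
CHILDREN = [(2688, "tjnEMac"), (2764, "ryFveAK"), (2876, "OBrxPDQ"),
            (2872, "pgwImoi"), (2676, "cKKyKpz"), (2756, "eycDneJ")]
FILE_ROWS = [f"File created C:\\Windows\\System\\{name}.exe {PARENT} N/A" for _, name in CHILDREN]
FILE_ROWS.append(f"File created C:\\Users\\Admin\\AppData\\Local\\Temp\\report.txt {PARENT} N/A")
WPM_ROWS = [f"PID 2632 wrote to memory of {pid} N/A {PARENT} C:\\Windows\\System\\{name}.exe"
            for pid, name in CHILDREN for _ in range(3)]   # three writes per child, as in the report

FILE_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
RANDOM_STEM = re.compile(r"^[A-Za-z]{7}$")
WINDIR = "c:\\windows\\"


def looks_random(path: str) -> bool:
    """Seven-letter stem in mixed case with an .exe extension, e.g. tjnEMac.exe."""
    name = path.rsplit("\\", 1)[-1]
    stem, _, ext = name.rpartition(".")
    return (ext.lower() == "exe" and bool(RANDOM_STEM.match(stem))
            and stem != stem.lower() and stem != stem.upper())


def analyse(file_rows, wpm_rows, fan_out=5):
    """Rebuild drop and spawn relationships from report rows and flag the pattern."""
    dropped = {}                       # created path -> creating process
    for row in file_rows:
        m = FILE_RE.match(row)
        if m:
            dropped[m.group(1)] = m.group(2)
    writes = Counter()                 # (src pid, dst pid, target image) -> write count
    children = defaultdict(set)        # src pid -> target images it wrote into
    for row in wpm_rows:
        m = WPM_RE.match(row)
        if not m:
            continue
        src, dst, _proc, target = m.groups()
        writes[(int(src), int(dst), target)] += 1
        children[int(src)].add(target)
    random_drops = [p for p in dropped if p.lower().startswith(WINDIR) and looks_random(p)]
    executed_drops = sorted({t for (_, _, t) in writes if t in dropped})
    findings = []
    if random_drops:
        findings.append(f"{len(random_drops)} randomly named executables dropped under C:\\Windows")
    for src, targets in children.items():
        if len(targets) >= fan_out and all(looks_random(t) for t in targets):
            findings.append(f"PID {src} spawns {len(targets)} random-named children")
    if executed_drops:
        findings.append(f"{len(executed_drops)} dropped files were subsequently executed")
    return {
        "dropped": sorted(dropped),
        "random_drops": sorted(random_drops),
        "executed_drops": executed_drops,
        "writes_per_child": {t: n for (_, _, t), n in writes.items()},
        "findings": findings,
    }


if __name__ == "__main__":
    for line in analyse(FILE_ROWS, WPM_ROWS)["findings"]:
        print(line)
```

The same three checks (random-name drop into the Windows tree, high fan-out from one parent, dropped file later executed) translate directly into an EDR query over file-create and process-create events; the write count is kept only so a real injection into an existing process (many writes, no matching process creation) would stand out from this fixed-per-child pattern.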

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\tjnEMac.exe

C:\Windows\System\tjnEMac.exe

C:\Windows\System\ryFveAK.exe

C:\Windows\System\ryFveAK.exe

C:\Windows\System\OBrxPDQ.exe

C:\Windows\System\OBrxPDQ.exe

C:\Windows\System\pgwImoi.exe

C:\Windows\System\pgwImoi.exe

C:\Windows\System\cKKyKpz.exe

C:\Windows\System\cKKyKpz.exe

C:\Windows\System\eycDneJ.exe

C:\Windows\System\eycDneJ.exe

C:\Windows\System\fKGitVm.exe

C:\Windows\System\fKGitVm.exe

C:\Windows\System\KLDNxnv.exe

C:\Windows\System\KLDNxnv.exe

C:\Windows\System\cLKGDvT.exe

C:\Windows\System\cLKGDvT.exe

C:\Windows\System\QlDhkGT.exe

C:\Windows\System\QlDhkGT.exe

C:\Windows\System\kXbXaoo.exe

C:\Windows\System\kXbXaoo.exe

C:\Windows\System\yXXdRyM.exe

C:\Windows\System\yXXdRyM.exe

C:\Windows\System\bhHYCib.exe

C:\Windows\System\bhHYCib.exe

C:\Windows\System\gEhmlWA.exe

C:\Windows\System\gEhmlWA.exe

C:\Windows\System\zHUvTXO.exe

C:\Windows\System\zHUvTXO.exe

C:\Windows\System\mMvyBqp.exe

C:\Windows\System\mMvyBqp.exe

C:\Windows\System\DaXnYFU.exe

C:\Windows\System\DaXnYFU.exe

C:\Windows\System\dohHquR.exe

C:\Windows\System\dohHquR.exe

C:\Windows\System\mipktnB.exe

C:\Windows\System\mipktnB.exe

C:\Windows\System\CJSsLwb.exe

C:\Windows\System\CJSsLwb.exe

C:\Windows\System\jgEopYi.exe

C:\Windows\System\jgEopYi.exe

Network

Country Destination Domain Proto Connections
DE 3.120.209.58:8080 N/A tcp 6

Files

memory/2632-0-0x000000013F2C0000-0x000000013F614000-memory.dmp

memory/2632-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\tjnEMac.exe

MD5 214158e4261489d96ad8a102e7d88379
SHA1 47e3dc0a3e8b5562270f56ce1f2b3f602898b594
SHA256 af4d564417bd8eed2109d31da2d22995f59d8a1ebe784b4621eff3d1477bfc5b
SHA512 826da1d7cd3010af8a72090958ae94d7aa44759722bd55914cbe4dda673df1ebc8aeea09bf8f9568403ed63e677af7e625a83a6aa2c6b7de172252c978efdceb

\Windows\system\ryFveAK.exe

MD5 3fe5a1c3d3e38c29887563eeeacfb1f8
SHA1 4df014c8f8ff87c62d4ada6f6fde1ec10e0c368b
SHA256 7495c36bbce6a962a224c2e31d03fbbbc1984016e1d9231c2299449ea1c6f39a
SHA512 e68a93dd48bc23293b5c297097e9b31e2692c1d0166153bdf4ac89bbc4e61f45687523f941695ed25199e947d1cf3bddfd5f6d3b086698bcd9adb23334b86f22

memory/2632-21-0x000000013FCD0000-0x0000000140024000-memory.dmp

memory/2876-22-0x000000013FCD0000-0x0000000140024000-memory.dmp

memory/2688-20-0x000000013F5D0000-0x000000013F924000-memory.dmp

memory/2764-18-0x000000013FD70000-0x00000001400C4000-memory.dmp

C:\Windows\system\OBrxPDQ.exe

MD5 1f658eeae3d1a0bdb964c309d421e4dd
SHA1 0988e3bc5a9bc76514ebfbd7dbc5816f2fcb44c7
SHA256 a27d1bf169a3aab9eb2297a2e5cb091a7bfd122f40943f9a4dcea87ddc64274e
SHA512 4fb38144345d772cb275f69694caf11993f96d3f9a194590b20904972746d214840ca4ad66a8b74865222c73e8c57ad1322f0c90d938a0670abebed242e5245a

\Windows\system\pgwImoi.exe

MD5 735d60dbe2f1fb6cd194be6bc503af30
SHA1 af7099e5bac8ca964d90db7e3eeaaf4579d3c239
SHA256 74dcd642c1f889d7bf23550c81b679675b6aa83229a985cd1a99e581ecf43ba7
SHA512 958ee9c15888b58a4c855b6326131ed7d4022933a35b8415e57d42f7da8920625fdd61975f010cfb3cab83c37fb8712af5df452215eb246c588b2ccba0ea25f5

memory/2632-24-0x00000000023A0000-0x00000000026F4000-memory.dmp

memory/2632-12-0x00000000023A0000-0x00000000026F4000-memory.dmp

C:\Windows\system\cKKyKpz.exe

MD5 8ef90ed04ad15c9deb2af952b6a1a597
SHA1 c5c6ec3a5a3f3a6e84a7bbf4b6b93b5bc8671ac3
SHA256 d2ada8f218c2d33b8667b86deb261bf418be3352e9a9592d3d95a423ad635ed2
SHA512 9ce7ebd9e13fde1020d94e8d5500b538552adb0b6e45dbb7b3beb182de8361cae959601db73e2918bce5b818710ffd3d891026dc450f56436db0a5fc01bef139

memory/2676-35-0x000000013F560000-0x000000013F8B4000-memory.dmp

C:\Windows\system\eycDneJ.exe

MD5 5789d35707948d355efe9c60edccba9d
SHA1 23340eb05efb667b7fb48e51c231743f50e1b5a9
SHA256 549cf3e480a0099e341e4c23a05c13c5dd5e9e4e8e25cc0407bea1af75246abe
SHA512 53441c41bc9968f37988ef54f2f728a7d0d3dea85215b3823b9da58d5770f74071a159cef73c5deab6867cdcc0a29e0ec0f8ace86065ac2cb1daa2da5bd83110

C:\Windows\system\fKGitVm.exe

MD5 2a201ae27d2c87195681defe3f5d6be4
SHA1 3d5c4aecd8c43e4221e32db5853277c1859743f2
SHA256 e2996f461285dd6a5d661e3f1d359b4d3e406ce36c89adcd7c59363540825bbb
SHA512 05cf820f41b8eff62f0d00e096b149304f12aa328f386c4ca16a88f22cfe3ba2c8ac3d29af41166b019d76fdd74960b55b704c9a75ffe1dc043bea89a19fb140

memory/2632-67-0x000000013F2C0000-0x000000013F614000-memory.dmp

memory/2964-55-0x000000013F1F0000-0x000000013F544000-memory.dmp

\Windows\system\bhHYCib.exe

MD5 7b44f36b32b223e7af0a58146d308e25
SHA1 d29593f6c3a1a7832078124d3169e6ac6bdfccab
SHA256 7d259a78c70ba04c72632cfcc440780ad2913171b8166c7de1811c400c57c02b
SHA512 8997cb7a85ed358ca6e9d81f22dcae096b52d0d0e5706b6d04d626ba4fd9e4f0307c335d530c12e5d2c64ac7a00cc6ff0b62501dc67e5d8801f92a6483441100

memory/1716-90-0x000000013F730000-0x000000013FA84000-memory.dmp

C:\Windows\system\mMvyBqp.exe

MD5 658f02e1491decff0abf1c7156b839ba
SHA1 65b050628e393e8f2b1bb5c58753ccb7f480c28c
SHA256 6551ac056a68cb9a063bb387c0cb821897c8eac74908a8ee1a2b082ba1c50cfc
SHA512 6e6858f1132b80615a50dc88b3d9037d684a40302b00b299b3c5723c2e8f4226d3dbd0cfed44ecc3b8954a5ebc31706c4300a4c9dfedc6c206b9e9b2a436d592

C:\Windows\system\mipktnB.exe

MD5 9fb52e49934591af685cfe29ff6dd3ee
SHA1 74778406fddc80f1e6547f157a620836ed38af92
SHA256 b5aa3b5225907024ff37c043d3cfa9eae2c673541a06b08a763a73c86dec95ad
SHA512 564dd392e10ac0767d24d80baf518de949eb802bdf6d80811f97800c1b38d3f9627eb3e66d0523f18e463d3c673bf26609c575a51b1c6d765a4c559f3a7a4317

C:\Windows\system\jgEopYi.exe

MD5 6bb99d7c0308d7b566eb463236a0c8fa
SHA1 2554562dd84f66c40f2b81a4d2bab8614ac69c45
SHA256 002538892bc5a4c99d8cb74865ebcfc24ed499fbd5a68a0ba8abd537a28da0a0
SHA512 0fb09a7bc94d4a3e57bed73191a6e2d29e55bc8fddb2bec3231a1bc3713d6f865171715e69190ead6ccf9358d24f79f5ad085b6ff25a13e213a2360523d8b63b

C:\Windows\system\CJSsLwb.exe

MD5 5b8b9a5b7fd85d9503b1d2dd5c2aa39c
SHA1 5cae0b94a74e07eb73d6158c3ec48cc76aa3a327
SHA256 8ec4f534cfa664b7aa59013dd862135a9999dc5082ec3efe489bd9b15f2cc777
SHA512 a9d886a043a6faea2a1b75bc29b2b7250ebd5a4885bab6e62eac347ba2fc16af1256ee74a6cd8644a933c9a809514e9d0461923e1e2c3cca43f598256b0cb2e2

C:\Windows\system\dohHquR.exe

MD5 c96d86836a097a99dfa305e9d049f2c7
SHA1 88712fff56bde3d8ac94e7e8a8e17ec6f55ca0fa
SHA256 dfe5913752b55fae62e15fff18147d2b788b1ea75f6f567df5150fef3dd99039
SHA512 076813a6d81f2b74fff4b006f29fea15b1283e6fc4b7192a7f19237e621c5b41ea6e1d9154e41e38b20f41f2044a501dc6637abb0a088ad59e4812cf8ab97856

C:\Windows\system\DaXnYFU.exe

MD5 233cf985dc1e62ff6ab5dcb5aad66cf0
SHA1 4ad12506a83702c07f88ecdbd751e23c42793549
SHA256 056e26beddc0b00bfc6a872ca90093b89ec66d0c739f96f3335b0fada9616e19
SHA512 5a8d03e84fce16b7daaf9f3fc7c1d9a98892a4ac0893ff20c732f63816eafb930bddc36a5e18a5e559318b78747ed320703ff39d8dc2f9e8ed7c8d71fe50b6d7

C:\Windows\system\zHUvTXO.exe

MD5 06ef9f7c9487b50a793d0950caac23bf
SHA1 98eaff1a52c1b12d0b12698a5033c53415397a6c
SHA256 93774e8a388e727541dcfaa52ce821765068b446fa2a6f36bdfc190dbf56e305
SHA512 9735af85589f2dc13b4b71e1d9b83d998006e8c47803cef0118342a1f0c634581ce4572654d88d73bbffab62e7839dc6ec1040f9e6063d0122955a311fba3d99

memory/1684-97-0x000000013FF40000-0x0000000140294000-memory.dmp

memory/2632-96-0x000000013FF40000-0x0000000140294000-memory.dmp

memory/2872-95-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

C:\Windows\system\gEhmlWA.exe

MD5 0a6e78ea64817dd4be6b7c3579796d91
SHA1 ae8f6992357261ac909c91435f524d2b2d24ef92
SHA256 3cbc70aebd65fb2f84fcfc9b717f7294ea97ce7d1f4bd57246007df85ae6fa64
SHA512 3674d8cbe585a97debcb17a9279097bdbc11e55e0275b86cd5b8b15a07783c6acc4dd1253120288981f93b771347695a142278ba27cf5161db0f62281004eb2b

memory/2632-89-0x000000013F730000-0x000000013FA84000-memory.dmp

memory/1416-84-0x000000013FF90000-0x00000001402E4000-memory.dmp

memory/1748-83-0x000000013FCB0000-0x0000000140004000-memory.dmp

C:\Windows\system\yXXdRyM.exe

MD5 ed2fb329dffcb0434902f6ca150d68ce
SHA1 b0576da60c22d4280fea9b2c2d8a2c0e3bb42851
SHA256 06b661178cb2fb53c86a634c0d1fd4ad60f676a496f15591668cb671d5cfcc5b
SHA512 e256282ec91d48678a91ee8d02fbd9f7a0b63764339ff6b2524a397c89df0f335a9d502f630d50caa19ec6885c58695caed939d88d5f21b98168e1e0e32aad06

C:\Windows\system\QlDhkGT.exe

MD5 63b387fc8b190c6116ef754b16c98c1b
SHA1 debf93fddf9ce461b513e791fb7425659b72cacb
SHA256 8f08a899f5eca0340a773683d739433685baae66a7976def2ba7b6732f9a4f41
SHA512 3e9576839374c45573250e522e88621615d1f3a0d313eeec20aafc851f02f88d62062a77b194da9f95fbe696f782e931a9f11c369d73d3708d01a77f8ee60462

memory/2632-80-0x000000013FF90000-0x00000001402E4000-memory.dmp

memory/2632-79-0x00000000023A0000-0x00000000026F4000-memory.dmp

memory/2368-78-0x000000013F2E0000-0x000000013F634000-memory.dmp

memory/2632-77-0x000000013FCB0000-0x0000000140004000-memory.dmp

memory/2764-76-0x000000013FD70000-0x00000001400C4000-memory.dmp

C:\Windows\system\kXbXaoo.exe

MD5 e4d37a86f660ec2ab3a5b0afc151507c
SHA1 91c41b71dd1aa4a038420379792fc0cb0224e686
SHA256 33d504fea9aa39d1d00dbbdb03671368f69f9539a3ead0548ed15392e2f45679
SHA512 64a1ebb4968a15e580d16034076ba07377c33097952475ac9678163d221f62880f123df0baaee8a4ba2e24a1e066abe2f45561e408ad5a5faa73851efafe1c48

memory/2756-125-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/2288-64-0x000000013F390000-0x000000013F6E4000-memory.dmp

memory/2632-54-0x00000000023A0000-0x00000000026F4000-memory.dmp

C:\Windows\system\KLDNxnv.exe

MD5 c5d207ef5119934c1ad939040899a34e
SHA1 c14df1ecbcc78ae0d60ebadbe78d04d9200ad9ac
SHA256 f00caf45dba9c61b7cbe55323674ede02700517150dc5e57e3e43626b46c1851
SHA512 3fc4b320565c9738f400a905d9f7d4f332e8b0ff618dd8245111e0cb60515740b309aad41988d091ce87437c1fd6e0f814aa6bbfbdc7be66912c26fcd8d7a174

memory/2632-61-0x00000000023A0000-0x00000000026F4000-memory.dmp

C:\Windows\system\cLKGDvT.exe

MD5 393ff304f0535f905c49dd6b84c563ab
SHA1 43e36f4947cb1ca3f946f7375f3dd48b1277e150
SHA256 7032ac2dca5f1d3c40cfc905c3eaeccf595e65f422854cfdb772a98541cd063a
SHA512 ad6a0a5de9a0cca5ea4a8f1ffa8b7f7d9933cc0b9bdc3fa3d7f364b5f998fb7bb2565ee0a2f8f4b13b061dfafb9c9a5c4380ce6fe80e2e018f12bd7f0b5405ce

memory/2584-48-0x000000013F040000-0x000000013F394000-memory.dmp

memory/2632-47-0x00000000023A0000-0x00000000026F4000-memory.dmp

memory/2756-41-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/2632-39-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/2632-34-0x00000000023A0000-0x00000000026F4000-memory.dmp

memory/2872-28-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

memory/2632-138-0x00000000023A0000-0x00000000026F4000-memory.dmp

memory/2632-139-0x000000013FCB0000-0x0000000140004000-memory.dmp

memory/2368-140-0x000000013F2E0000-0x000000013F634000-memory.dmp

memory/1748-141-0x000000013FCB0000-0x0000000140004000-memory.dmp

memory/1416-142-0x000000013FF90000-0x00000001402E4000-memory.dmp

memory/2632-143-0x000000013F730000-0x000000013FA84000-memory.dmp

memory/1716-144-0x000000013F730000-0x000000013FA84000-memory.dmp

memory/2632-145-0x000000013FF40000-0x0000000140294000-memory.dmp

memory/1684-146-0x000000013FF40000-0x0000000140294000-memory.dmp

memory/2632-147-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

memory/2688-148-0x000000013F5D0000-0x000000013F924000-memory.dmp

memory/2764-149-0x000000013FD70000-0x00000001400C4000-memory.dmp

memory/2876-150-0x000000013FCD0000-0x0000000140024000-memory.dmp

memory/2676-151-0x000000013F560000-0x000000013F8B4000-memory.dmp

memory/2584-152-0x000000013F040000-0x000000013F394000-memory.dmp

memory/2964-153-0x000000013F1F0000-0x000000013F544000-memory.dmp

memory/2288-154-0x000000013F390000-0x000000013F6E4000-memory.dmp

memory/2756-155-0x000000013F860000-0x000000013FBB4000-memory.dmp

memory/2872-156-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

memory/1748-157-0x000000013FCB0000-0x0000000140004000-memory.dmp

memory/1416-160-0x000000013FF90000-0x00000001402E4000-memory.dmp

memory/1716-159-0x000000013F730000-0x000000013FA84000-memory.dmp

memory/2368-158-0x000000013F2E0000-0x000000013F634000-memory.dmp

memory/1684-161-0x000000013FF40000-0x0000000140294000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-07 22:44

Reported

2024-08-07 22:47

Platform

win10v2004-20240802-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\vkjCQZr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TideCbH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XQpwsGS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dToICxR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\slHsgOC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\onESlLv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cUUptKw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xgEkWlq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wLPjeBU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hIHqJMV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WoKVkNV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iqgkenN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\akLHyLf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\StzVItg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XgaTHQU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ptachOT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PrHoNbj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yxSLxgu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IRvJrBX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uhMDojH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MhzDgjz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2444 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wLPjeBU.exe
PID 2444 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wLPjeBU.exe
PID 2444 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MhzDgjz.exe
PID 2444 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MhzDgjz.exe
PID 2444 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ptachOT.exe
PID 2444 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ptachOT.exe
PID 2444 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XgaTHQU.exe
PID 2444 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XgaTHQU.exe
PID 2444 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\slHsgOC.exe
PID 2444 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\slHsgOC.exe
PID 2444 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hIHqJMV.exe
PID 2444 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hIHqJMV.exe
PID 2444 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\onESlLv.exe
PID 2444 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\onESlLv.exe
PID 2444 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dToICxR.exe
PID 2444 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dToICxR.exe
PID 2444 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WoKVkNV.exe
PID 2444 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WoKVkNV.exe
PID 2444 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cUUptKw.exe
PID 2444 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cUUptKw.exe
PID 2444 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PrHoNbj.exe
PID 2444 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PrHoNbj.exe
PID 2444 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yxSLxgu.exe
PID 2444 wrote to memory of 32 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yxSLxgu.exe
PID 2444 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iqgkenN.exe
PID 2444 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iqgkenN.exe
PID 2444 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IRvJrBX.exe
PID 2444 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IRvJrBX.exe
PID 2444 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xgEkWlq.exe
PID 2444 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xgEkWlq.exe
PID 2444 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vkjCQZr.exe
PID 2444 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vkjCQZr.exe
PID 2444 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TideCbH.exe
PID 2444 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TideCbH.exe
PID 2444 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\akLHyLf.exe
PID 2444 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\akLHyLf.exe
PID 2444 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XQpwsGS.exe
PID 2444 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XQpwsGS.exe
PID 2444 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\StzVItg.exe
PID 2444 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\StzVItg.exe
PID 2444 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uhMDojH.exe
PID 2444 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uhMDojH.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\wLPjeBU.exe

C:\Windows\System\wLPjeBU.exe

C:\Windows\System\MhzDgjz.exe

C:\Windows\System\MhzDgjz.exe

C:\Windows\System\ptachOT.exe

C:\Windows\System\ptachOT.exe

C:\Windows\System\XgaTHQU.exe

C:\Windows\System\XgaTHQU.exe

C:\Windows\System\slHsgOC.exe

C:\Windows\System\slHsgOC.exe

C:\Windows\System\hIHqJMV.exe

C:\Windows\System\hIHqJMV.exe

C:\Windows\System\onESlLv.exe

C:\Windows\System\onESlLv.exe

C:\Windows\System\dToICxR.exe

C:\Windows\System\dToICxR.exe

C:\Windows\System\WoKVkNV.exe

C:\Windows\System\WoKVkNV.exe

C:\Windows\System\cUUptKw.exe

C:\Windows\System\cUUptKw.exe

C:\Windows\System\PrHoNbj.exe

C:\Windows\System\PrHoNbj.exe

C:\Windows\System\yxSLxgu.exe

C:\Windows\System\yxSLxgu.exe

C:\Windows\System\iqgkenN.exe

C:\Windows\System\iqgkenN.exe

C:\Windows\System\IRvJrBX.exe

C:\Windows\System\IRvJrBX.exe

C:\Windows\System\xgEkWlq.exe

C:\Windows\System\xgEkWlq.exe

C:\Windows\System\vkjCQZr.exe

C:\Windows\System\vkjCQZr.exe

C:\Windows\System\TideCbH.exe

C:\Windows\System\TideCbH.exe

C:\Windows\System\akLHyLf.exe

C:\Windows\System\akLHyLf.exe

C:\Windows\System\XQpwsGS.exe

C:\Windows\System\XQpwsGS.exe

C:\Windows\System\StzVItg.exe

C:\Windows\System\StzVItg.exe

C:\Windows\System\uhMDojH.exe

C:\Windows\System\uhMDojH.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
GB 2.18.27.82:443 www.bing.com tcp
US 8.8.8.8:53 82.27.18.2.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2444-0-0x00007FF70BFE0000-0x00007FF70C334000-memory.dmp

memory/2444-1-0x0000022EAF1B0000-0x0000022EAF1C0000-memory.dmp

C:\Windows\System\wLPjeBU.exe

MD5 0d73daabe81b81a850bca2690b95fc93
SHA1 86fcd89df5d31aec41117758515d83982ec3fec6
SHA256 878e18b24c69e7d9386b71185ffe0b353f633e9896b29376cfb2aa82898a4a8d
SHA512 0c7710a2e45eae7b288c67fc0a2f2e47be5c351950f436d08a638e38bdb2ebef222bb4fef6d281fdfd5fd4447f114f189681522f89b1d4d63df87c5ab4b74486

C:\Windows\System\ptachOT.exe

MD5 8a22a6c8842f9b966ad772267c691050
SHA1 ec689494854f5bcaea75796480200a4d6680f852
SHA256 c0710a66eb9229a42655cd09602e32ca0219d6a57acff9e3df4140b47043054c
SHA512 88bbce5aedf5f9ae718ae9f35aa90ca15b0d70a699aa1a1e3c9fd85a3052887f5114aeed0216326b98ad4c5e8a3bba96bbc5278407e23a953928756209be5d6d

C:\Windows\System\MhzDgjz.exe

MD5 fef8fee649c65abda4cef58ee8fc8bb9
SHA1 222dbd3225a721ada66e7d7b294a565ebefe9f7a
SHA256 49b15e1da3c1c4953d27342422f9f679486660a6c9e19d072cf2ba678a3c7ff0
SHA512 9e75d0375903c5d26790dc7237b913f9f64956682a68701cf82dcbb48f7bb97182aac63dd1335d18b9f569e10470abc018d5270a77ba013d08e3cf47b1b4c253

memory/3776-12-0x00007FF695D90000-0x00007FF6960E4000-memory.dmp

memory/876-10-0x00007FF623DC0000-0x00007FF624114000-memory.dmp

memory/3180-22-0x00007FF7A5C20000-0x00007FF7A5F74000-memory.dmp

C:\Windows\System\XgaTHQU.exe

MD5 549e892470818e57ab0e12719670a725
SHA1 493e2f0e844074a3eeb9726c8a8643f524b3fe2e
SHA256 eb212707f5a10dbbd6707e6f80b8acbe0ae194ba84b4e8249069e18bc1fc1f03
SHA512 114de65414b6444512cef3532d1258cdffaa2feff589a64f2537f393a85fd9207d1a9e8f12d9f8ab0921ea8b6c4c01ee8ec602be3bdf2b866f800f3c28d07387

C:\Windows\System\slHsgOC.exe

MD5 d3c691aa4ebce050e2ccb8c480a066e7
SHA1 df41a547243070af2c8020dbcfda2c9f1f54ca67
SHA256 91d92d370bfd3da00675dc86c4a0917f25a9200599c912d10f60f1bcd7694660
SHA512 2737ce0fda2c05937abe39e15b527a09a4cbd29c5091632ec56d969a93660564d3361d7ad7d6a90489ed829da05a1b7412ced71c5c3e0714a4261c29f42028f4

memory/4256-29-0x00007FF78B720000-0x00007FF78BA74000-memory.dmp

memory/2892-43-0x00007FF68B6E0000-0x00007FF68BA34000-memory.dmp

C:\Windows\System\onESlLv.exe

MD5 2ac655b92eac2074bdd4d94b7938545f
SHA1 8cdf4e82340afbbde3bcbb2d0b2ed8cbb78ab060
SHA256 05417e8bb644b785902b566524644e8a0e2db10de49edd822844430c41de80fa
SHA512 a0ffc4b8e30a2df43e8955c48154afac4b4551c6e48faeb479fce3e5b71730888e78c385f3c0753e73c1e1c114b36160c92d599dcd9b10070adf8bb1330a8835

C:\Windows\System\dToICxR.exe

MD5 68c75531fc2c5cf8084d48f645d0f595
SHA1 372da3dca77b89c987df78f4b2909fac7956af9f
SHA256 b12938c287c61b1bb1d8109e4ac8e0f139e5b8b5958c6f452f2e8b26c7a806e2
SHA512 25c79ed001c474374aa4856c13e6a86d24e98076aa343915ef78e90b33c9fd7549b3aaff74884ac42ebd3c1e65298edeb33ec615a5931147b1d8d99b7723bc22

C:\Windows\System\WoKVkNV.exe

MD5 15a413bebf58d741055a8c306535c495
SHA1 8dbab51f3a92d7689ed530877b8c00f8e0f017ee
SHA256 7547b94f31f1c8f7b7d89b1bdd1b0f7102daf8fec8641365bc7b29452e970fe0
SHA512 b2c2659451258e443ca4aa2a66badf1023a98ee0b508b9bfc7ea678c9ed62aad941dd788317987fdb667096bbb3c6882d2796538c08d91d474fefbd5db35447d

memory/3000-51-0x00007FF7FB850000-0x00007FF7FBBA4000-memory.dmp

memory/4144-49-0x00007FF71F710000-0x00007FF71FA64000-memory.dmp

memory/4452-41-0x00007FF6BC110000-0x00007FF6BC464000-memory.dmp

C:\Windows\System\hIHqJMV.exe

MD5 42d67ea7811b295fa1f8babfb7879e46
SHA1 c95ac10f6b9f10307bcce9f7e2107af7e81c344e
SHA256 3ca6f28cc45d47ae55b33e036b24e962d3037b3afc7297a4744f5d2e7a7afe7b
SHA512 a97423f962e048bcf7e0ef27803681e684c2d99d9136800249877f24ff537dae0ce590bb5ab40c11310e7f8385be233bc1d0a5a11fcd338003b9d0295121421b

memory/1212-37-0x00007FF7BE710000-0x00007FF7BEA64000-memory.dmp

C:\Windows\System\cUUptKw.exe

MD5 41a944b13591ebe3f209aa9a41d72e8e
SHA1 6d78031012b80fc903c87658234f61cbf08313f4
SHA256 c6136b46cb85c76fbe30116bfca0fbba2431c3723ebec1b513435942d789d599
SHA512 b1cd8dd159c8f9982dbba0316dcff2eea1ce8f7a7dc14dd9f154e38e18095fd48fee321eea2ff23cf43ba3ddf336516b68bc063ebcd086a05e36cc2fb878db46

memory/4660-62-0x00007FF7148A0000-0x00007FF714BF4000-memory.dmp

C:\Windows\System\PrHoNbj.exe

MD5 cb395c85a906c7296b34cc6d49d4a1ed
SHA1 2a32498a17554049400672eb3912d8358f698b54
SHA256 14fa3d86f88a92ff358f7342e28f00555ddd65e9bf767d5bb790f841b0f61786
SHA512 ac8a77a1858d467d45959e112c8c339fdda56fcc9dba9e22d5c14a98bba86df21b55e8714b0983cd3f0a2ac91257267064a0bfcf7db1d78c1ba1a9e628763be6

memory/4092-69-0x00007FF799840000-0x00007FF799B94000-memory.dmp

memory/2444-68-0x00007FF70BFE0000-0x00007FF70C334000-memory.dmp

C:\Windows\System\yxSLxgu.exe

MD5 357b3d8f3cf209d53dba92912e3ed133
SHA1 4d42fa7a5662a3322e70a3ac64e27f50809c4e3a
SHA256 db80966613b1fd3822a8b8e8e8986b1bd4670763ab9b9fcf0f476352336237c2
SHA512 bbfb41420d2724c1deeec81bc7ef9180ef70723c5f1e3518ab2aeaebd9ce3a20ae6536fbfc8bce6f4d4562078e00c8e0085ccaabd2a3edd1a5bd093927c5f48a

C:\Windows\System\iqgkenN.exe

MD5 b21147e24d8a00a3cf72c565a144e5f7
SHA1 2dd3b5ed807a711d80cc1376e189e5fbf00cf306
SHA256 064742ce6c4342e35d8a87f3bcfca0d201204577611aeae85f553887e45455fc
SHA512 16cff2b86c8970edb48c707e70f6b17bc8fc7cf1f9349d24ee69302cdd1c040268d9769b625a009936535e3b8f5f4074dca9a42e167b26437ec15f9ce6a600c5

memory/4632-85-0x00007FF6B7D20000-0x00007FF6B8074000-memory.dmp

memory/2036-88-0x00007FF76B2D0000-0x00007FF76B624000-memory.dmp

C:\Windows\System\xgEkWlq.exe

MD5 bb0e966335dd46f617690d96eb8fc923
SHA1 ae4c806f3c63c6c3f1ba3b5986b77a0e3d186a0a
SHA256 1108f787a71afc3e504e2195ee0032ba9f438350ce4e3440b1b9afc155b35c91
SHA512 6084d14ca9cdcf4f7cd82fea9ae3d941b826eed64b8d1d52b8406688e3171f3efc737cd1729ffe90e1bb110e4c0174c4bd250d5c8c3c51b09d1c224ec8aaa89a

memory/1116-107-0x00007FF692580000-0x00007FF6928D4000-memory.dmp

memory/4452-109-0x00007FF6BC110000-0x00007FF6BC464000-memory.dmp

C:\Windows\System\akLHyLf.exe

MD5 4ede4da8197fd27e24246c0adccb07ec
SHA1 18a3cb9f106867470b581f285106978201a4d2b8
SHA256 49834b8c0e5c6c453cc0a0dc2f37983302add7cbe508dd7ada66358a259b0b49
SHA512 9c90452299a71fccb3dad1d389af35b0ab98ba7d7c11e2a42c11c231118c103a282a933dd28c281d2dec9abddfc196a13984ec3ce3daba4d77091a0d900005c1

C:\Windows\System\TideCbH.exe

MD5 edb21be1bf7f1ee1d0352460f4481f0b
SHA1 150921974ebdaa845e981badd63ec59479f49482
SHA256 f51c6c6d22182a2bf48e7b2b5658529c9b8c6337845211fdb76dbca406248464
SHA512 07c6ee08850625bb5a386ad96b957bad965afbc2db42c8b5d36b2f1d475b128f4dea146256b9b604be13ecebac5927f3eef4861db0f04093bff6bb18939e2d7b

memory/2824-110-0x00007FF604870000-0x00007FF604BC4000-memory.dmp

memory/892-108-0x00007FF7089D0000-0x00007FF708D24000-memory.dmp

memory/4840-105-0x00007FF716EA0000-0x00007FF7171F4000-memory.dmp

memory/1212-104-0x00007FF7BE710000-0x00007FF7BEA64000-memory.dmp

C:\Windows\System\vkjCQZr.exe

MD5 10cf0e24509c74412c7876eb32c8d25f
SHA1 847b5a2dfa0d2c6efbb371da7a2cb592e83e6695
SHA256 7e9df8a5357b8a30509f7e3eccbc092e722c7333b23f365b0a318ff583ec0aee
SHA512 73ef9dc11cbb36ba28ecd328691a9cec66c02b47c042becc1ae7282e260ad149e345ee22299b787619eb4bbd60c51bf552e3c33978e8a86a30b3992881c8d428

C:\Windows\System\IRvJrBX.exe

MD5 97418fffe22167955270099d7813f1ec
SHA1 32da1750d3eb7c6112a9daf42d86643c9f87d9fc
SHA256 e2fa9df3a14cec7eb5c73f7131d7dfa64657aeef66b30397b0257b119136c6b6
SHA512 aa9b3b398bf213d76e40cc8cf19055e13ad475eee697db78edb79cf2148b57fcf187556df3f23d8385edde33264ac05430611d4eab8ac1d262f0ab1aa16d16b2

memory/3776-83-0x00007FF695D90000-0x00007FF6960E4000-memory.dmp

memory/32-80-0x00007FF779130000-0x00007FF779484000-memory.dmp

C:\Windows\System\XQpwsGS.exe

MD5 22b12108c4a830cd626ceaba394b1f5f
SHA1 ef1d832e31df2c361d64e72f7bfb14f6c2991d29
SHA256 0cf7031ada24e0a41e535542d8d70005fd2a8a45f038e4af667a6c0aab06094d
SHA512 ee681199436bc65e54cffd8fb3fb98fccedf00d8f10ed0cb060987bbd50a8a12f388afcae84e29f2ba7152d59814183db8c97949486871ef8461930ef0c76107

C:\Windows\System\StzVItg.exe

MD5 d4a1c5ac1560418138548914c35401ea
SHA1 3001b68124278e8f04a843cb61035bd24c971285
SHA256 135859db75b3369f59c9eb1d15c4c27cdf63170613dab597dcfe7a25dc01cf71
SHA512 c5431e4e5a24a7eda322263c80e046c5b8914abadacc29b372f430c4ff9aed33e265d3247a29e51f6c38500f3ec404bffdb2ada32be2fd96d1717fe4c14e1765

C:\Windows\System\uhMDojH.exe

MD5 341cf39c3a2e202c74e41ee28c5fca7f
SHA1 3525fe1c15fa8ac025f1edeaa91392c499e037b3
SHA256 b761e7e7e24ccc75a6796c555ee50f2153bea89bcb29f32c7d5a5040ae423c6d
SHA512 f587dbed29b6bb07dc81d65328b56b8ecdec30237f5d6a2f8209bf0984cff3550cafe19d3a40d3e924c0bb80910f01294fbdfb30582d51657e7ee246297438c9

memory/952-129-0x00007FF669C30000-0x00007FF669F84000-memory.dmp

memory/3396-130-0x00007FF7B7AD0000-0x00007FF7B7E24000-memory.dmp

memory/772-131-0x00007FF676060000-0x00007FF6763B4000-memory.dmp

memory/2892-132-0x00007FF68B6E0000-0x00007FF68BA34000-memory.dmp

memory/4144-133-0x00007FF71F710000-0x00007FF71FA64000-memory.dmp

memory/3000-134-0x00007FF7FB850000-0x00007FF7FBBA4000-memory.dmp

memory/2036-135-0x00007FF76B2D0000-0x00007FF76B624000-memory.dmp

memory/892-136-0x00007FF7089D0000-0x00007FF708D24000-memory.dmp

memory/2824-137-0x00007FF604870000-0x00007FF604BC4000-memory.dmp

memory/876-138-0x00007FF623DC0000-0x00007FF624114000-memory.dmp

memory/3776-139-0x00007FF695D90000-0x00007FF6960E4000-memory.dmp

memory/3180-140-0x00007FF7A5C20000-0x00007FF7A5F74000-memory.dmp

memory/4256-141-0x00007FF78B720000-0x00007FF78BA74000-memory.dmp

memory/1212-142-0x00007FF7BE710000-0x00007FF7BEA64000-memory.dmp

memory/4452-143-0x00007FF6BC110000-0x00007FF6BC464000-memory.dmp

memory/3000-144-0x00007FF7FB850000-0x00007FF7FBBA4000-memory.dmp

memory/2892-145-0x00007FF68B6E0000-0x00007FF68BA34000-memory.dmp

memory/4144-146-0x00007FF71F710000-0x00007FF71FA64000-memory.dmp

memory/4660-147-0x00007FF7148A0000-0x00007FF714BF4000-memory.dmp

memory/4092-148-0x00007FF799840000-0x00007FF799B94000-memory.dmp

memory/32-149-0x00007FF779130000-0x00007FF779484000-memory.dmp

memory/4632-150-0x00007FF6B7D20000-0x00007FF6B8074000-memory.dmp

memory/2036-151-0x00007FF76B2D0000-0x00007FF76B624000-memory.dmp

memory/4840-152-0x00007FF716EA0000-0x00007FF7171F4000-memory.dmp

memory/1116-153-0x00007FF692580000-0x00007FF6928D4000-memory.dmp

memory/892-155-0x00007FF7089D0000-0x00007FF708D24000-memory.dmp

memory/2824-154-0x00007FF604870000-0x00007FF604BC4000-memory.dmp

memory/952-156-0x00007FF669C30000-0x00007FF669F84000-memory.dmp

memory/3396-157-0x00007FF7B7AD0000-0x00007FF7B7E24000-memory.dmp

memory/772-158-0x00007FF676060000-0x00007FF6763B4000-memory.dmp