Malware Analysis Report

2025-01-22 19:29

Sample ID 240807-2nsgkayhmh
Target 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat
SHA256 e7b597e2f3f9af63796e37df453192b6f6ff4635f6dff807b200fd62319839c3
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e7b597e2f3f9af63796e37df453192b6f6ff4635f6dff807b200fd62319839c3

Threat Level: Known bad

The file 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobalt Strike reflective loader

Xmrig family

XMRig Miner payload

Cobaltstrike family

xmrig

Cobaltstrike

XMRig Miner payload

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-07 22:44

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-07 22:44

Reported

2024-08-07 22:46

Platform

win7-20240705-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 matches; description, indicator, process and target were not captured in this export.

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
39 matches; description, indicator, process and target were not captured in this export.

Loads dropped DLL

Description Indicator Process Target
21 events, all from process C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe; description, indicator and target were not captured in this export.

UPX packed file

upx
Description Indicator Process Target
64 matches; description, indicator, process and target were not captured in this export.

Drops file in Windows directory

Description Indicator Process Target
File created (21 files), all by C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe; indicator and target N/A. The files, in the order reported, all under C:\Windows\System\:
SDIKXLA.exe, NVJzjry.exe, AMplHAr.exe, ZoiXgQG.exe, qppGWcB.exe, kVlRxiV.exe, XjDaehx.exe, LOpvKgV.exe, NbIaYnQ.exe, ZHesqMr.exe, VzGpsvF.exe, MtxDFkg.exe, MieIMoE.exe, FeuwWXx.exe, bqCpuZC.exe, SZXHHwX.exe, gWvEkXz.exe, aNrVtNs.exe, TjYPply.exe, LzDEnvS.exe, dhBOXiR.exe

Suspicious use of WriteProcessMemory

Process for every row: C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe (PID 2488). Indicator: N/A for every row. The sandbox logged three identical write events per child (63 rows in total); they are collapsed to one line per child here.

Description Target
PID 2488 wrote to memory of 1968 (x3) C:\Windows\System\TjYPply.exe
PID 2488 wrote to memory of 1008 (x3) C:\Windows\System\LzDEnvS.exe
PID 2488 wrote to memory of 2004 (x3) C:\Windows\System\VzGpsvF.exe
PID 2488 wrote to memory of 264 (x3) C:\Windows\System\MtxDFkg.exe
PID 2488 wrote to memory of 2668 (x3) C:\Windows\System\MieIMoE.exe
PID 2488 wrote to memory of 2712 (x3) C:\Windows\System\dhBOXiR.exe
PID 2488 wrote to memory of 2844 (x3) C:\Windows\System\XjDaehx.exe
PID 2488 wrote to memory of 1660 (x3) C:\Windows\System\NVJzjry.exe
PID 2488 wrote to memory of 2700 (x3) C:\Windows\System\LOpvKgV.exe
PID 2488 wrote to memory of 2584 (x3) C:\Windows\System\NbIaYnQ.exe
PID 2488 wrote to memory of 2692 (x3) C:\Windows\System\ZHesqMr.exe
PID 2488 wrote to memory of 2392 (x3) C:\Windows\System\FeuwWXx.exe
PID 2488 wrote to memory of 2616 (x3) C:\Windows\System\bqCpuZC.exe
PID 2488 wrote to memory of 2772 (x3) C:\Windows\System\qppGWcB.exe
PID 2488 wrote to memory of 2872 (x3) C:\Windows\System\SZXHHwX.exe
PID 2488 wrote to memory of 2608 (x3) C:\Windows\System\AMplHAr.exe
PID 2488 wrote to memory of 560 (x3) C:\Windows\System\kVlRxiV.exe
PID 2488 wrote to memory of 2536 (x3) C:\Windows\System\ZoiXgQG.exe
PID 2488 wrote to memory of 2744 (x3) C:\Windows\System\gWvEkXz.exe
PID 2488 wrote to memory of 2900 (x3) C:\Windows\System\SDIKXLA.exe
PID 2488 wrote to memory of 2132 (x3) C:\Windows\System\aNrVtNs.exe
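Added example, not part of the sandbox output and not code from the sample: Python detection logic for the behaviour the "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" sections record together, a process running out of the user's Temp directory writing executables into C:\Windows\System and then launching them. It runs over constructed Sysmon-style events; the field names follow Sysmon's FileCreate (Event ID 11) and ProcessCreate (Event ID 1) events, the two regexes are assumed hunting criteria rather than anything the report states, and the two benign events are made up to show what must not match.

```python
r"""Detection for the drop-then-execute pattern this report records.

Added example: a process running from the user's Temp directory writes .exe
files into C:\Windows\System\ and then launches them. Field names follow
Sysmon (Event ID 11 FileCreate: Image, TargetFilename; Event ID 1
ProcessCreate: ParentImage, Image)."""
import re
from collections import defaultdict

# Origin (assumed criterion): anything executing out of a user's %LOCALAPPDATA%\Temp.
TEMP_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# Target (assumed criterion): C:\Windows\System, the legacy directory rather than
# System32, which legitimate software almost never writes executables into.
TARGET_RE = re.compile(r"^c:\\windows\\system\\[^\\]+\.exe$", re.IGNORECASE)

PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe")

# Constructed events: three drops and two launches taken from this report,
# plus two benign events (made up) that must not match.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": PARENT, "TargetFilename": r"C:\Windows\System\TjYPply.exe"},
    {"EventID": 11, "Image": PARENT, "TargetFilename": r"C:\Windows\System\LzDEnvS.exe"},
    {"EventID": 11, "Image": PARENT, "TargetFilename": r"C:\Windows\System\dhBOXiR.exe"},
    {"EventID": 1, "ParentImage": PARENT, "Image": r"C:\Windows\System\TjYPply.exe"},
    {"EventID": 1, "ParentImage": PARENT, "Image": r"C:\Windows\System\LzDEnvS.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\example.sys"},  # constructed noise
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},                  # constructed noise
]


def hunt(events):
    r"""Return (executed, dropped_only).

    executed: (dropper_image, dropped_path) pairs, lower-cased, where the
    process that wrote the file into C:\Windows\System also launched it.
    dropped_only: drops from a Temp-resident process with no launch seen,
    worth a look but a weaker signal on their own."""
    drops = defaultdict(set)  # dropper image -> set of dropped paths
    for ev in events:
        if (ev["EventID"] == 11 and TEMP_RE.match(ev["Image"])
                and TARGET_RE.match(ev["TargetFilename"])):
            drops[ev["Image"].lower()].add(ev["TargetFilename"].lower())

    executed, seen = [], set()
    for ev in events:
        if ev["EventID"] != 1:
            continue
        parent, image = ev["ParentImage"].lower(), ev["Image"].lower()
        if image in drops.get(parent, ()) and (parent, image) not in seen:
            seen.add((parent, image))
            executed.append((parent, image))

    launched = {image for _, image in executed}
    dropped_only = sorted((dropper, path) for dropper, paths in drops.items()
                          for path in paths if path not in launched)
    return executed, dropped_only


if __name__ == "__main__":
    hits, pending = hunt(SAMPLE_EVENTS)
    for dropper, path in hits:
        print("drop+exec:", dropper, "->", path)
    for dropper, path in pending:
        print("drop only:", dropper, "->", path)
```

The rule keys on the write location and the writer's origin rather than on file names, because the seven-letter mixed-case names above are evidently generated per run. A variant that stages into a different directory or runs from somewhere other than Temp needs the two regexes widened, and in that case the "drop only" output is the list to review by hand.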

Processes

PIDs are taken from the WriteProcessMemory rows above. Each process is listed as image path followed by its command line as recorded; every child was launched with its bare path as the command line.

C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe (PID 2488)

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe"

Children of PID 2488, in the order reported:

C:\Windows\System\TjYPply.exe (PID 1968)
C:\Windows\System\LzDEnvS.exe (PID 1008)
C:\Windows\System\VzGpsvF.exe (PID 2004)
C:\Windows\System\MtxDFkg.exe (PID 264)
C:\Windows\System\MieIMoE.exe (PID 2668)
C:\Windows\System\dhBOXiR.exe (PID 2712)
C:\Windows\System\XjDaehx.exe (PID 2844)
C:\Windows\System\NVJzjry.exe (PID 1660)
C:\Windows\System\LOpvKgV.exe (PID 2700)
C:\Windows\System\NbIaYnQ.exe (PID 2584)
C:\Windows\System\ZHesqMr.exe (PID 2692)
C:\Windows\System\FeuwWXx.exe (PID 2392)
C:\Windows\System\bqCpuZC.exe (PID 2616)
C:\Windows\System\qppGWcB.exe (PID 2772)
C:\Windows\System\SZXHHwX.exe (PID 2872)
C:\Windows\System\AMplHAr.exe (PID 2608)
C:\Windows\System\kVlRxiV.exe (PID 560)
C:\Windows\System\ZoiXgQG.exe (PID 2536)
C:\Windows\System\gWvEkXz.exe (PID 2744)
C:\Windows\System\SDIKXLA.exe (PID 2900)
C:\Windows\System\aNrVtNs.exe (PID 2132)

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp (6 connections recorded, no domain resolved)

Files

memory/2488-0-0x000000013F840000-0x000000013FB91000-memory.dmp

memory/2488-1-0x00000000003F0000-0x0000000000400000-memory.dmp

\Windows\system\TjYPply.exe

MD5 316657e7ae0bab82e412c618e7f48ee7
SHA1 f04929cc4d4adb70e108c35236e31106fb998809
SHA256 df79f6cc1f26a6cb16ee16965cf6699b32ff4b320b0be9432075737ee8898f1c
SHA512 9e9555a47a6a32cbd5bc357509d9e294256cd2f71083e28e8984e8ace575b6e28f6cb5179af8c9e679c75fb75c85cf39c8844a5357318e0b48d5e71e32ff78d9

memory/2488-7-0x000000013F050000-0x000000013F3A1000-memory.dmp

\Windows\system\LzDEnvS.exe

MD5 d9d851825dacb0fa989f10f7b26e3fd6
SHA1 30d17b2b494aa172a2a7048ae819d31080b5f405
SHA256 87d7f009afde6118d247642fbc966682cb5ecec5121b3403518fe118a218ad4a
SHA512 4747701ab24e76a47cdeae89d4a72fdf0463f86591223c1d833f59908dc0fd060a5163a84eca46a338f7333af9767942ffb9a4e08c9c95ed9587739d87b5d3d5

C:\Windows\system\MieIMoE.exe

MD5 117ecf8589169cb63daff81be62bfe9f
SHA1 ab4db155a21d9d862fa6811359351d8c53b71ff7
SHA256 1d1261739cdb86482201e1db8ab2301624804e3b5259e2cbaec83972f035abfc
SHA512 c04ae094944ca05825f0b19c6085bd2aba224304d72203b6007ca6cfc4c25e5a59ef9dc8f3faa76ae927af540a5006fc4f71360aae5b9fc361ecf735b49af7db

C:\Windows\system\VzGpsvF.exe

MD5 082572d4c9180acd3dca7e56db1542e8
SHA1 1f07f666eca467bdfa37c70b5de9923373735c0a
SHA256 c0640f76c259e697e8b5a698fb95c0a6b050dccbe4f33bbe0885dd536339f3a0
SHA512 fded7ab323fc0e5ceb4476848e040d1817fe98493fd3c634ef8d83de19824b358623c56e0f5895906b1c11f0487ae85f337885a90383131e6d502b71c0fc71fd

\Windows\system\MtxDFkg.exe

MD5 4a6c887e38516af9dc322a9194bb993c
SHA1 d4fd01e47c4f7949b2f2d1ea06c95be2928376c3
SHA256 071fdb8002bece913556519a3d5c654fe8bcf70ee27ebf883c67d7ffffded4cd
SHA512 8aeb85d30857354beea5d514cdf10aa07499044cfab1f3462d8bed475691e79b5dd0a989d918f1a6471d3f22093d54f91ad05d1b470574a02a9d60c3a8d2411d

C:\Windows\system\dhBOXiR.exe

MD5 f93f08f4136c52ac8d3e59485e59de41
SHA1 4d9e9d49856ccf897c4521270b2c92b5fd86d626
SHA256 9bda99ce6ceca676298ef330bb7160ca24f3b4f82b6c5e6b5685492567183ac9
SHA512 9429774fdfbd857b0e1fb3bd08ac508bfdd0735a2eca84383634490153241d337495c9b8e70bd1dee1a6db566a2676e64bb817fe3c563aa930070d448feabd27

C:\Windows\system\XjDaehx.exe

MD5 f51a34eb4047d1b9dc9fae0b1649fb8a
SHA1 1ab4d367f37fc3e899c83ca065f5dd2c8afc7062
SHA256 686e1fc756e2d5088eacbdbaf09fdf84931db04138ce3f2856f39c5fe7c63031
SHA512 da679addc292b2f14de9778d53f9d20320f2922af3662b4c03c75b7ebe011c95f03410296098a33bf750dcf8ce689335130448d7186a3968477ccb90e8859fa9

C:\Windows\system\qppGWcB.exe

MD5 a127639a27b3479c393f73624cde5e39
SHA1 2ad3c74b2799864f10aa5cb3cb4bcc4d405b48c1
SHA256 445e67dff08f3e1b4af640ec230a558f6e9b01cd5649394743018125654bf1fd
SHA512 c8d17e30b87fc681cc6ca6d1baff9c6b75afa6ab48858554f3c860fbf1162ce0e9c2480a64175d8238da9babafcff55bd9b9fcd9b663bf6079d32f086c3671f5

C:\Windows\system\AMplHAr.exe

MD5 8b97794ad99ff970b8556fd4cde15f33
SHA1 f5eec45afa81c1770ac3ce5582bbeddba94b1662
SHA256 7c9f0737a9b3536cd734fc4ca9fa3d5c361277dc2107a4479fecec60ca1c05cf
SHA512 6715518ae87d373311bc01383b0deca86ca43631a725ac0204729aa4ff82000a0877589b2946bca08f0160eb8df99f64196835a5b7a2ad9b41c476b96eaef695

C:\Windows\system\ZoiXgQG.exe

MD5 aee5642d4c3071eb227a2e7f7be76ef2
SHA1 36b21f58f99accebb1803fa4f990168d8efbcce4
SHA256 4e0e2668f00836e62f57e1602eed0834c9a4a51ad8a561bd813a927a13475dec
SHA512 2dc0ed191fe2b07c0c0127f74f7664a8d0fee1b9b2da41af581c44a3a010cc62ad624d501ed5d51ad1d5b8e6131f97d56420e952a67142e08cee1a4918a0a6bd

C:\Windows\system\SDIKXLA.exe

MD5 49cc05481b101da5dc978af3d7a4e011
SHA1 3f5c7cf26cfc34affd31fc3469a69f1689e096d9
SHA256 5995f7812192fce5c081a85db1bd57c663cde8a3c6de42d9a8cf359661b7d0c3
SHA512 d754acd6e02ebefb21d849af7726c0e77f1c221ef7224fb29a5e5b7fe5f0b56d742af5c65adc6f9033ab011c56059cea9f15b679e7f424e37a633ed698e61761

C:\Windows\system\aNrVtNs.exe

MD5 481993c6cf495a186ba15b7982af0706
SHA1 1676a36658c697aa2bc751d60a275a349c9fed26
SHA256 64d0d41cdc8150f8701d5a93b7792e88d6a35b3a195e2506cf2faaca2b8a2795
SHA512 48168f4b46fd9b855c65dff181307844cb8d455830e2e05b623ca9dfd9153ac1b5a6dcdcaefd2b9069638c85e8e37b8d903459ace2dacc4c3ce6352cba3677ca

C:\Windows\system\gWvEkXz.exe

MD5 74bfcb72902ab477d5157ddbc7753f6c
SHA1 b882b5f26f5b57c9037f88d8536c04b6d40960fe
SHA256 21ff480ec4e3b720a1090764cef4f19de88e8635f25b6b123de512fc1a18b6b9
SHA512 157a4d80ff15aaacf45f4385f0caf315d62f131e7ceffd93fa95af6ed99d0d7cf3abc9f0f7736cb9e294d78d63a219ced8ca4696a1d2c30bd5fe81b1b892647c

C:\Windows\system\kVlRxiV.exe

MD5 36862da966ba4b5411f889ea6410c1a3
SHA1 cec01c11cc3b0164ee4d193381a70ec873fb5a70
SHA256 c1369212e3782a84b09b738497f01dafe6357ebb49f7bc2c01bd11a270f380db
SHA512 837fdafdc1a976619909e90e22a9d2f9eb6e6153157814d7b599b12a97815ea4de92d2732a5fbda7a0c5a7cb2ae8078aafa3f168138d1c0fcd3f909eee63431f

C:\Windows\system\SZXHHwX.exe

MD5 7f08998f8bf82688754da0e07b660b8e
SHA1 48040f9595af767471d11bc22cc6949191676879
SHA256 5c2d9da8f97c8694d66d0a6246e6ae8f0b9dc0c2f8d90337ae82b09585cec2ea
SHA512 1ebd27fd20362cd2e5e2d3fa3f3430cb672a015e672032ad5efef2158de58820aeca1637c0e1f29cfbbc492abe76a1f98951a436a32b7fc658511b7c6fdb7c02

memory/2700-113-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

memory/2488-112-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

memory/1660-111-0x000000013F810000-0x000000013FB61000-memory.dmp

memory/2488-110-0x0000000002260000-0x00000000025B1000-memory.dmp

memory/2844-108-0x000000013FFD0000-0x0000000140321000-memory.dmp

memory/2488-105-0x000000013FFD0000-0x0000000140321000-memory.dmp

memory/2712-103-0x000000013F800000-0x000000013FB51000-memory.dmp

memory/2488-101-0x0000000002260000-0x00000000025B1000-memory.dmp

memory/264-99-0x000000013F690000-0x000000013F9E1000-memory.dmp

memory/2488-97-0x000000013F430000-0x000000013F781000-memory.dmp

memory/2488-95-0x0000000002260000-0x00000000025B1000-memory.dmp

memory/2004-94-0x000000013FD20000-0x0000000140071000-memory.dmp

memory/2488-93-0x000000013FD20000-0x0000000140071000-memory.dmp

memory/1008-91-0x000000013FA90000-0x000000013FDE1000-memory.dmp

C:\Windows\system\bqCpuZC.exe

MD5 7d4361497728b576878431168f6062b3
SHA1 a24c0cbbc367059ec591288d52dd8ee62ec3a56b
SHA256 06df7c2fa1866d1952cd7d064a2ea79a3dffba589e7d3d99b940c779d6c0da56
SHA512 80a1751c9b4b73985129238fbd6822a05d60be4c9cd3daace0bc9ee5f57cdd7f257797f17905b722267626f1b61f4a2c40f99caaf289e2eb47f77ecd1f24170d

C:\Windows\system\FeuwWXx.exe

MD5 d9578fdae0e53dc446385e77ba0ec6b0
SHA1 668775fa1912e6faaaf47e4dd2165718fefe67fa
SHA256 1c67d660e1d4ab1126c23e631f3f1c2436cc31ccf0cc0e7aa375e8cd985945a8
SHA512 4296e84e96d4c4314fb5ba5515670341a3c0355c6c2d47b925256eda82ecb705d27fabba38b96560e7dec798e7f97495d4edeae01283129db746f483bbaf3d91

C:\Windows\system\ZHesqMr.exe

MD5 344263a634723991eb90f1109e5e8d6f
SHA1 79bb6ff12f4a013ab853898dee7151e2f84bbf54
SHA256 81b432f811c4db2722fea3017e98e955f87e0985ab0cd334683a78deb19d2899
SHA512 e0004412a8b5f7d3245944868ef8cb5e9fc98bc49b13cde18379f3bd3089302e533e5978f475b2e73204f02799a07f79ffc1a57045a78c96019bd7fa030c62d9

C:\Windows\system\NbIaYnQ.exe

MD5 6a925f674b9522edec356f58d1a23caa
SHA1 244bc7fd6502b07c1d4fd217dd88647611bcf041
SHA256 78c1703c6a5891dd36f3c122ba58e41237e49ae63d00b1b2a0f7b98f8de44ddf
SHA512 55fe1b2dee29432d0a80b6eeb2d1621fccd441b656facc7990e9d3944401f1016102fc77c9e89b332c7a8d0d737c8b38384d2616c2c4602d23de40890151218f

C:\Windows\system\LOpvKgV.exe

MD5 92a6cdcc753d593f1149b4a4bc856d71
SHA1 cc1cc34bcd62666a28d28ed307968e9fc3cabeba
SHA256 702a8bad9dbd2b43103f9079564889f148c4268cd4cdcc6941779ad626c2c60a
SHA512 2035a860888669eee283625cc0603a42557445e14ef188080ac09e84a8aeb61ca54bc7a08d6a6d0e94945e261bcf281dc7ed6000730aac6eb1a31a668c5cfeb7

C:\Windows\system\NVJzjry.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-07 22:44

Reported

2024-08-07 22:46

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\uNXvmhV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BBqROin.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FEyFqpO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vovrmFi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mtUtkAv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wHpNzGK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rpBhAZo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\csDXYsA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bQXaJAE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NGGpmso.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mHfKjkC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JexgdGT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TAmSMpo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TVfibMi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DKbgiPv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PTkylCb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PywkeKF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qQJElLd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NkjbIxm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CvyTDZw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VqldaTQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2772 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PywkeKF.exe
PID 2772 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qQJElLd.exe
PID 2772 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mHfKjkC.exe
PID 2772 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mtUtkAv.exe
PID 2772 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wHpNzGK.exe
PID 2772 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bQXaJAE.exe
PID 2772 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NGGpmso.exe
PID 2772 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uNXvmhV.exe
PID 2772 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JexgdGT.exe
PID 2772 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BBqROin.exe
PID 2772 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CvyTDZw.exe
PID 2772 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FEyFqpO.exe
PID 2772 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VqldaTQ.exe
PID 2772 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NkjbIxm.exe
PID 2772 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TAmSMpo.exe
PID 2772 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rpBhAZo.exe
PID 2772 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TVfibMi.exe
PID 2772 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\csDXYsA.exe
PID 2772 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vovrmFi.exe
PID 2772 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DKbgiPv.exe
PID 2772 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PTkylCb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\PywkeKF.exe

C:\Windows\System\qQJElLd.exe

C:\Windows\System\mHfKjkC.exe

C:\Windows\System\mtUtkAv.exe

C:\Windows\System\wHpNzGK.exe

C:\Windows\System\bQXaJAE.exe

C:\Windows\System\NGGpmso.exe

C:\Windows\System\uNXvmhV.exe

C:\Windows\System\JexgdGT.exe

C:\Windows\System\BBqROin.exe

C:\Windows\System\CvyTDZw.exe

C:\Windows\System\FEyFqpO.exe

C:\Windows\System\VqldaTQ.exe

C:\Windows\System\NkjbIxm.exe

C:\Windows\System\TAmSMpo.exe

C:\Windows\System\rpBhAZo.exe

C:\Windows\System\TVfibMi.exe

C:\Windows\System\csDXYsA.exe

C:\Windows\System\vovrmFi.exe

C:\Windows\System\DKbgiPv.exe

C:\Windows\System\PTkylCb.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Windows\System\PywkeKF.exe

C:\Windows\System\mHfKjkC.exe

C:\Windows\System\qQJElLd.exe

C:\Windows\System\mtUtkAv.exe

C:\Windows\System\bQXaJAE.exe

C:\Windows\System\NGGpmso.exe

C:\Windows\System\uNXvmhV.exe

C:\Windows\System\wHpNzGK.exe

C:\Windows\System\JexgdGT.exe

C:\Windows\System\CvyTDZw.exe

C:\Windows\System\BBqROin.exe

C:\Windows\System\TAmSMpo.exe

C:\Windows\System\NkjbIxm.exe

C:\Windows\System\TVfibMi.exe

C:\Windows\System\csDXYsA.exe

C:\Windows\System\PTkylCb.exe

C:\Windows\System\rpBhAZo.exe

C:\Windows\System\DKbgiPv.exe

C:\Windows\System\vovrmFi.exe

C:\Windows\System\VqldaTQ.exe

C:\Windows\System\FEyFqpO.exe
