Malware Analysis Report

2025-01-22 19:22

Sample ID 240807-x5ympawdjf
Target 2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat
SHA256 e31af51f38bf9ec5f8dc945e4d75f7db8ad5b0e06922248a3998cebd4040222e
Tags upx 0 miner cobaltstrike xmrig backdoor trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files; not reproduced in this copy of the report)

Analysis Overview

Score 10/10

SHA256 e31af51f38bf9ec5f8dc945e4d75f7db8ad5b0e06922248a3998cebd4040222e

Threat Level: Known bad

The file 2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Xmrig family

Cobalt Strike reflective loader

Cobaltstrike family

Cobaltstrike

xmrig

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-07 19:26

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
1 match; description, indicator, process and target not recorded.

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
1 match; no details recorded.

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
1 match; no details recorded.

Unsigned PE

Description Indicator Process Target
2 matches; no details recorded.

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-07 19:26

Reported

2024-08-07 19:29

Platform

win7-20240729-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 matches, none with description, indicator, process or target recorded. The count equals the number of executables dropped into C:\Windows\System and listed under Processes below.

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
40 matches; no details recorded.

Loads dropped DLL

Description Indicator Process Target
21 entries, every one attributed to C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe as the loading process; description, indicator and target are not recorded, so the loaded module paths are unknown. The count again equals the 21 files dropped into C:\Windows\System.

UPX packed file

upx
Description Indicator Process Target
64 matches; no details recorded.

Drops file in Windows directory

Description Indicator Process Target
All 21 entries share Description "File created", Process C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe and Target N/A. Indicator (the created file):
C:\Windows\System\IxgrzQf.exe
C:\Windows\System\xuyUVKl.exe
C:\Windows\System\wutlrbi.exe
C:\Windows\System\QhpVowH.exe
C:\Windows\System\ZJvsPcy.exe
C:\Windows\System\ZgRQzGw.exe
C:\Windows\System\iERYzbG.exe
C:\Windows\System\OKrjwfW.exe
C:\Windows\System\dBSkTCr.exe
C:\Windows\System\qPQcQNd.exe
C:\Windows\System\qdAaHbo.exe
C:\Windows\System\kHQLqMl.exe
C:\Windows\System\HokRgGZ.exe
C:\Windows\System\RGqhlix.exe
C:\Windows\System\pupbqqd.exe
C:\Windows\System\kFdsLIN.exe
C:\Windows\System\dKPEGOl.exe
C:\Windows\System\iVNABRL.exe
C:\Windows\System\vnZDpxR.exe
C:\Windows\System\oIJkEeX.exe
C:\Windows\System\ZaiJsFI.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
All entries share Indicator N/A and Process C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe (PID 848). The report lists every parent/child pair three times, i.e. three writes into each child. Description and Target:
PID 848 wrote to memory of 2140 (x3) C:\Windows\System\dKPEGOl.exe
PID 848 wrote to memory of 2224 (x3) C:\Windows\System\OKrjwfW.exe
PID 848 wrote to memory of 3024 (x3) C:\Windows\System\IxgrzQf.exe
PID 848 wrote to memory of 2684 (x3) C:\Windows\System\xuyUVKl.exe
PID 848 wrote to memory of 2840 (x3) C:\Windows\System\kHQLqMl.exe
PID 848 wrote to memory of 2732 (x3) C:\Windows\System\dBSkTCr.exe
PID 848 wrote to memory of 2876 (x3) C:\Windows\System\HokRgGZ.exe
PID 848 wrote to memory of 2892 (x3) C:\Windows\System\iVNABRL.exe
PID 848 wrote to memory of 2600 (x3) C:\Windows\System\wutlrbi.exe
PID 848 wrote to memory of 2860 (x3) C:\Windows\System\vnZDpxR.exe
PID 848 wrote to memory of 2880 (x3) C:\Windows\System\qPQcQNd.exe
PID 848 wrote to memory of 2620 (x3) C:\Windows\System\QhpVowH.exe
PID 848 wrote to memory of 2128 (x3) C:\Windows\System\oIJkEeX.exe
PID 848 wrote to memory of 824 (x3) C:\Windows\System\qdAaHbo.exe
PID 848 wrote to memory of 1636 (x3) C:\Windows\System\ZaiJsFI.exe
PID 848 wrote to memory of 2812 (x3) C:\Windows\System\ZJvsPcy.exe
PID 848 wrote to memory of 1056 (x3) C:\Windows\System\ZgRQzGw.exe
PID 848 wrote to memory of 2468 (x3) C:\Windows\System\RGqhlix.exe
PID 848 wrote to memory of 2792 (x3) C:\Windows\System\pupbqqd.exe
PID 848 wrote to memory of 2768 (x3) C:\Windows\System\iERYzbG.exe
PID 848 wrote to memory of 2944 (x3) C:\Windows\System\kFdsLIN.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe (PID 848)
  "C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe"

  Child processes (21, one per dropped file; PIDs taken from the WriteProcessMemory table above; each child's command line is identical to its image path):
  C:\Windows\System\dKPEGOl.exe (PID 2140)
  C:\Windows\System\OKrjwfW.exe (PID 2224)
  C:\Windows\System\IxgrzQf.exe (PID 3024)
  C:\Windows\System\xuyUVKl.exe (PID 2684)
  C:\Windows\System\kHQLqMl.exe (PID 2840)
  C:\Windows\System\dBSkTCr.exe (PID 2732)
  C:\Windows\System\HokRgGZ.exe (PID 2876)
  C:\Windows\System\iVNABRL.exe (PID 2892)
  C:\Windows\System\wutlrbi.exe (PID 2600)
  C:\Windows\System\vnZDpxR.exe (PID 2860)
  C:\Windows\System\qPQcQNd.exe (PID 2880)
  C:\Windows\System\QhpVowH.exe (PID 2620)
  C:\Windows\System\oIJkEeX.exe (PID 2128)
  C:\Windows\System\qdAaHbo.exe (PID 824)
  C:\Windows\System\ZaiJsFI.exe (PID 1636)
  C:\Windows\System\ZJvsPcy.exe (PID 2812)
  C:\Windows\System\ZgRQzGw.exe (PID 1056)
  C:\Windows\System\RGqhlix.exe (PID 2468)
  C:\Windows\System\pupbqqd.exe (PID 2792)
  C:\Windows\System\iERYzbG.exe (PID 2768)
  C:\Windows\System\kFdsLIN.exe (PID 2944)
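The process tree above is the whole story of this detonation: one parent drops 21 executables with seven-letter names into C:\Windows\System, writes into each of them and runs them. The following is an added example, not code from the report or from any sandbox or vendor, of how that pattern can be scored from per-process events such as a Sysmon or EDR feed. The event records are constructed from the rows above and the field names (type, pid, target, target_pid, target_image) are my own. The name heuristic is supporting evidence only; the signal is the cluster of fresh executables created by one parent in one directory and then written into.

```python
"""Drop-and-spawn detector run over the behaviour in the report above.

Added example, not code from the report or from any sandbox vendor. The event
records are constructed from the "Drops file in Windows directory" and
"Suspicious use of WriteProcessMemory" rows; the field names are my own.
"""
from collections import defaultdict

PARENT_PID = 848

# (child PID, dropped image name), one pair per child; the report records
# three WriteProcessMemory rows for every pair.
CHILDREN = [
    (2140, "dKPEGOl.exe"), (2224, "OKrjwfW.exe"), (3024, "IxgrzQf.exe"),
    (2684, "xuyUVKl.exe"), (2840, "kHQLqMl.exe"), (2732, "dBSkTCr.exe"),
    (2876, "HokRgGZ.exe"), (2892, "iVNABRL.exe"), (2600, "wutlrbi.exe"),
    (2860, "vnZDpxR.exe"), (2880, "qPQcQNd.exe"), (2620, "QhpVowH.exe"),
    (2128, "oIJkEeX.exe"), (824, "qdAaHbo.exe"), (1636, "ZaiJsFI.exe"),
    (2812, "ZJvsPcy.exe"), (1056, "ZgRQzGw.exe"), (2468, "RGqhlix.exe"),
    (2792, "pupbqqd.exe"), (2768, "iERYzbG.exe"), (2944, "kFdsLIN.exe"),
]


def build_events():
    """Flatten the report rows into file-create and cross-process-write events."""
    events = []
    for pid, name in CHILDREN:
        target = "C:\\Windows\\System\\" + name
        events.append({"type": "file_create", "pid": PARENT_PID, "target": target})
        for _ in range(3):  # the report shows three writes per child
            events.append({"type": "proc_write", "pid": PARENT_PID,
                           "target_pid": pid, "target_image": target})
    return events


def case_switches(s):
    """Number of lower/upper transitions between adjacent characters."""
    return sum(1 for a, b in zip(s, s[1:]) if a.isupper() != b.isupper())


def vowel_ratio(s):
    return sum(c in "aeiou" for c in s.lower()) / len(s)


def odd_name(path):
    """Short all-letter stem with erratic case or very few vowels.
    Supporting evidence only: a name like 'svchost' also trips the vowel test."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return (stem.isalpha() and 6 <= len(stem) <= 8
            and (case_switches(stem) >= 2 or vowel_ratio(stem) < 0.3))


def analyse(events, min_children=5):
    """Group dropped .exe files by (creating PID, directory) and report clusters
    of at least min_children that the same PID also wrote into after launch."""
    drops = defaultdict(set)                        # (pid, dir) -> dropped paths
    writes = defaultdict(lambda: defaultdict(int))  # pid -> target pid -> count
    child_image = {}                                # target pid -> image path
    for ev in events:
        if ev["type"] == "file_create" and ev["target"].lower().endswith(".exe"):
            directory = ev["target"].rsplit("\\", 1)[0].lower()
            drops[(ev["pid"], directory)].add(ev["target"])
        elif ev["type"] == "proc_write":
            writes[ev["pid"]][ev["target_pid"]] += 1
            child_image[ev["target_pid"]] = ev["target_image"]
    findings = []
    for (pid, directory), targets in drops.items():
        if len(targets) < min_children:
            continue
        spawned = [tp for tp, img in child_image.items()
                   if img in targets and tp in writes[pid]]
        findings.append({
            "parent_pid": pid,
            "directory": directory,
            "dropped": len(targets),
            "spawned_and_written": len(spawned),
            "writes_per_child": sorted({writes[pid][tp] for tp in spawned}),
            "odd_names": sum(odd_name(t) for t in targets),
            "in_windows_system": directory == r"c:\windows\system",
        })
    return findings


if __name__ == "__main__":
    for finding in analyse(build_events()):
        print(finding)
```

On the events above it returns a single finding: PID 848, directory c:\windows\system, 21 dropped, 21 spawned and written into, three writes per child, all 21 names flagged. The threshold min_children is the knob to tune against installers, which also create many executables but rarely under C:\Windows\System and rarely followed by cross-process writes into every one of them.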

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 (none) tcp (6 connections)

All six connections go to the same IP and port directly, with no domain recorded, and the report shows no request or response content, so what runs over port 8080 is not established here.

Files

Memory dumps are named memory/<PID>-<sequence>-<start>-<end>-memory.dmp. Every image-sized region below spans 0x351000 bytes, for the parent (PID 848) and for each of the 21 dropped executables alike, and the parent also has dumps at the same base address as several child images (for example 848-19 and 3024-23, both at 0x13F880000), which fits the 21 "Loads dropped DLL" entries above. The dropped files nevertheless all carry different hashes, so they are not byte-for-byte copies of one another.

memory/848-0-0x000000013FC80000-0x000000013FFD1000-memory.dmp

memory/848-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\dKPEGOl.exe

MD5 23d02a4c6b8ff0caf8cd9f13347d00bc
SHA1 c0efe7252d688ad731b2e01ec6eeaa5e89dbef91
SHA256 8a16b4ef0e37fb5be65343f92595d8246539cddc3a449821d1769c17dfa50b23
SHA512 c7fbfca6d33323a50fafde467bc7365bbbf26b964fe0e1c6d76268d48cd1680e0af9e9c7407f87dc18ab549ad0ebce6073968afd2d45b1bef8969f6e1c3e0947

memory/848-7-0x00000000022B0000-0x0000000002601000-memory.dmp

C:\Windows\system\IxgrzQf.exe

MD5 39a7eb977112156d506201987e27559b
SHA1 ddbf59db00887f5564c645c4a5baa95500ec33af
SHA256 2d49ac119dd0b2296c116a3d48ba06466b0b605967d06f2b845ec9cccd081d8a
SHA512 0b4179ab75cccde2b4d2447217b9dfd339b9cb3e7268e6e1f79776ab1aa2257aac068ec4f1ad10b837274d34b54f1cd9f454bb0a6f5d8a96a436aa5493b69ddc

memory/3024-23-0x000000013F880000-0x000000013FBD1000-memory.dmp

memory/848-21-0x00000000022B0000-0x0000000002601000-memory.dmp

memory/848-19-0x000000013F880000-0x000000013FBD1000-memory.dmp

C:\Windows\system\xuyUVKl.exe

MD5 2430cefe147cedfc9a1852df939295d9
SHA1 50ab208eeea6fbc8b461fda7d76f5c71344b3ac6
SHA256 6cb579e0eac9a12b94f518b7a360f22d2f4b16d1564277b5bbb95823b242b596
SHA512 fef6964844748d3877586261608055f0c995de17dac86195db3e0a47c28018eb71dd9b8993049265ffc7ed5229f1c23cc1c4d24795872fe88dd6d51630a548c3

C:\Windows\system\kHQLqMl.exe

MD5 a510ece376e809ff545f8ad4011dfe75
SHA1 b2ee57e60e583890f19a97253e37aaae2e0605a8
SHA256 5bd2afe89bf71b3c069c9b578e4ee50cf900b59dffa3e9ba8ec13097b365a3d3
SHA512 c73055ff2c606c1ff3b1005b9649a804c34b282a420d97e93c8a50c7d109de3c118218bcad6c51cbaa5617645b92b9841db5bee37b70de102a84c524e9d56324

memory/2840-37-0x000000013FB50000-0x000000013FEA1000-memory.dmp

memory/848-41-0x000000013F3C0000-0x000000013F711000-memory.dmp

C:\Windows\system\HokRgGZ.exe

MD5 cce87d11d5907495efa761436c1b9927
SHA1 52055f37d48baf801ea2ea276d111ae8f788000f
SHA256 b90c507e246b2236bd754bb3ba8eb8f4d5c97f6d294405010bb4e8264151b1cc
SHA512 d57b6c10ca4f23a7bf6f49eaff03bee5aada1d43a79a909d67963a80d891e41f3b41f5f50a897e74730d932db5eabdbb6f0e5e959f464b7be031f47460044bae

\Windows\system\iVNABRL.exe

MD5 d312d59086c43a8f4767785c0427af3a
SHA1 984cf786e4cd1a7b3a9c766ddd07061de6bdcc7d
SHA256 7ce3410ba303d4a947593c63435867e4a83c533251d1fce9e17c9a7fa6a4306e
SHA512 594bdb28a514e41038dc94f3aecc5948d51a0befb7b1cb88f256ec1bd6716b3d4fb81c0b8d64c3e719af973a961066025541729fa4f27499bcf3bfadc92ca661

memory/2892-57-0x000000013F170000-0x000000013F4C1000-memory.dmp

C:\Windows\system\QhpVowH.exe

MD5 d0329af70ca33e8612d63600a14360df
SHA1 479bf5831e0a556a0004fa5708b78b62e2156824
SHA256 0ad823d62cd2ab72a95e3997eaac2cda647bdd84caa7f9e423b995aa91079efd
SHA512 85e7ace687e944618063ac3bf9b509285fbb9892c647625701869f0a8cdd4fc73e30f75fa0870b8bf488b384c0c75353fed171c940fad35a8e7714158d0bddd7

memory/2128-93-0x000000013FD90000-0x00000001400E1000-memory.dmp

C:\Windows\system\vnZDpxR.exe

MD5 71a4e314d9f029574aab8e4033ff4b46
SHA1 a77c4041521470a0d7864a5f7e1fa0cea2a613c7
SHA256 61227e9ab9657dacb812c2f7e43648b64f85eb3e61da5d15bcc936d6842f2da2
SHA512 34d75543c9edb7f588957d3ae761cf2365a4995b9cac97f6121416d869c9af5f5bcccc3bed3699dd63b9d04667a29d6999c03ed99c07a25ddbd2531bb0bfe40c

memory/2732-135-0x000000013F3C0000-0x000000013F711000-memory.dmp

\Windows\system\ZJvsPcy.exe

MD5 bece7aa4c02b0a60568054b57fb2f84e
SHA1 ed3cd7f179e24671b3b3624778a6b45e4638ee47
SHA256 56f9ade9223d3092af1584b09cb24132b486732e8d5c0a3be3efd7970ceeec4b
SHA512 bb4c9260f082eb01193ec3a16563def96223bb4a422aa2832efaa07fb9d1a1fca45247655b3c5a5b31f38f9f8f194babf2e8d0c0abbf35f02bf2ed80de35c454

\Windows\system\iERYzbG.exe

MD5 694c4f6345f9d36b6a5021199070e988
SHA1 55fd2792f9da07876a984ab9125bf5978a2686ec
SHA256 85c1d772d0aca4d3488a4abe6ed0ab28f03a7a99328dbc2a74efd137094912cb
SHA512 b79526305fb1d4425c0d8191aaae17257d34ee510d41430d3cecb915eb28a953e455874f26c49152f3fd3694ea0a79e43c6d1e2c693018be2b1108b401cb89ae

\Windows\system\RGqhlix.exe

MD5 ddd34676ed055ed9063c8006efe98cf3
SHA1 45fb221780cae2b4646a566a49dcdc82f5d4d0da
SHA256 ce45915289f42b31488c0264592d02b6fcfe06a852ae96a132bc9027b902fda6
SHA512 ddca8ea412a1d8a6e68670969e61e215750356e39da207fb0ff40a83965165814cd264b2a9a350dd8b0908fc35a8bec73ee2e4a68e61db904458c0ebc0365b2a

memory/824-105-0x000000013FAD0000-0x000000013FE21000-memory.dmp

memory/848-136-0x000000013F720000-0x000000013FA71000-memory.dmp

memory/848-104-0x00000000022B0000-0x0000000002601000-memory.dmp

memory/2684-103-0x000000013FC10000-0x000000013FF61000-memory.dmp

memory/848-134-0x00000000022B0000-0x0000000002601000-memory.dmp

C:\Windows\system\kFdsLIN.exe

MD5 a2c9d24d3f3de8689dc1cf61d05cb140
SHA1 23654e57e33f20f2a927382f6839e2bb92ff9623
SHA256 2159d0643b8cda9c878bf0802386ac58465573d32b02110835e0423c257158f3
SHA512 2d0a74a4700a53f63d42b055ba1aed99cbe77b0d340b9fd5f8aa0c78cc27e7f6188ffe098ba805b2e0e5ca9a418228f2f387bcfc2d05984b4493b4ef7b70e887

C:\Windows\system\pupbqqd.exe

MD5 8d9577de1b12db50f50036fafc4a12cf
SHA1 e58e9dd0e9b8f119628cb0e3003b8c7771ee3688
SHA256 dd874a91077182a1814f7346c79a755d79e7a5f9c983131684ebef4fcc1e71f0
SHA512 b1603dfe1e4ada1f4060493b639da364593f47d32cecb1a777dbe4eb22d6261a463a5f7d273404147fd76bf7597afc4763cc2fdd3d09a0a617f0dd87b243882a

C:\Windows\system\ZgRQzGw.exe

MD5 eb7086ece612d6dc0620c4166f9ebb50
SHA1 e18c9e6a795b00c66aa3b35a171e7c0d2779bbf0
SHA256 fa959f88ae1d6e83ba15757a04752533e44b50069367b91c4df2a4ead3e78249
SHA512 2bd399fd00e590d18544a7f077296902eea0e8fe316f7bb746e46e5311c2980c808e71b307653e1354f7bb3b6ad5cb4ddbbe7f62585e9e71655a1f0f31ecb982

C:\Windows\system\ZaiJsFI.exe

MD5 c67cd8a1a3b5d613152c5ba37923d49a
SHA1 0ef1951728436b98309c1eea96ff7b0321066d40
SHA256 4915455a1530dbecd0488ae57b6b606273f0b8c82db6d902189c5c3e9076640f
SHA512 626b71b887b1f8050c05339a49b558910b3282fe87455403bc83d6d0f5a7c0877f6f9deb38a6b1546e422f8dada5f82616079add757bca91572373cab35b4ef9

C:\Windows\system\qdAaHbo.exe

MD5 35cfa6919aa1c0cc03725381d6102d8d
SHA1 20c8e458bdc08a27aaa462ee8755eb6ade322313
SHA256 2599178e83a66c03995bd336b20b12ffbc9aee33838a3eae728050c908dc36e5
SHA512 0bd2ed0a70f8934373c57e930c36e6c77aefd99187fb405175054a04032b9a7124a7727132406fd052d1dc5f2266b64460b51055febab785e122f12112ac75af

memory/2140-82-0x000000013FF10000-0x0000000140261000-memory.dmp

memory/848-81-0x000000013F480000-0x000000013F7D1000-memory.dmp

memory/2880-80-0x000000013F5F0000-0x000000013F941000-memory.dmp

memory/848-79-0x000000013F5F0000-0x000000013F941000-memory.dmp

memory/848-78-0x000000013F310000-0x000000013F661000-memory.dmp

memory/2600-77-0x000000013F480000-0x000000013F7D1000-memory.dmp

memory/848-76-0x00000000022B0000-0x0000000002601000-memory.dmp

memory/848-74-0x000000013FC80000-0x000000013FFD1000-memory.dmp

memory/2620-96-0x000000013F480000-0x000000013F7D1000-memory.dmp

memory/3024-95-0x000000013F880000-0x000000013FBD1000-memory.dmp

memory/848-92-0x00000000022B0000-0x0000000002601000-memory.dmp

memory/2860-89-0x000000013F310000-0x000000013F661000-memory.dmp

C:\Windows\system\oIJkEeX.exe

MD5 fa6b4771d53fb554637842a3b54fb237
SHA1 48a968b857bbcc22e92f4f667730f4dfbd02e9c4
SHA256 551eeee149d7b902740ed74a7b92c0b42fda487b44c06ae6025569737a933d55
SHA512 6889ca108e900518affdef25276dea978fd97d4558a3e01dd838dd10a46508e1a12889681e6883d84b921d561ab1c4e431ae58a37dbeb4c62fb2a0a2084754b3

memory/2224-87-0x000000013FE10000-0x0000000140161000-memory.dmp

memory/848-55-0x000000013F170000-0x000000013F4C1000-memory.dmp

C:\Windows\system\qPQcQNd.exe

MD5 72848087756fbc45f0b887153b6b42cc
SHA1 d3c0d1175b4180235e2332297a151c8647e7c5f6
SHA256 7c461a78b0b787787b4c6a6de6188484629d97881aa61a31675abe49e1b47a99
SHA512 784186c3be6ebb4c48d537821ecc976acd86b1cd66ed50d52a2765510be15a5aae925547ccee45df9ce2bea37d84f0b9b1009fb75b64a450362e2f3d7669cec2

C:\Windows\system\wutlrbi.exe

MD5 ac460159cc52616dcf69a988a8b61f79
SHA1 e8fb5a28a5bea3158589b6fe17fa123373534b06
SHA256 1acbd83f91d5e024f2664a686f5e318967a6e6c7ba6ddcbf1a980375b36d82c0
SHA512 8aee17f2059092554b67eaf820a0b6aa32ca5755dafdd4f8321b00d136854751b4130e4f6117c5cb256d11e8424fda672e476c9d67a7d58f9e1b9135a0a3d6fa

C:\Windows\system\dBSkTCr.exe

MD5 9a99768b37abf9cc5712f8dac36689d6
SHA1 6591fd4bc6de5f8e603569fa3bfb3ca19902f947
SHA256 4459f8ced756b8b39c836421fc7478b4a37923f876bcb693b7692476da155168
SHA512 0b95c97d6feb37f6628b10e10c23caca8e4cd83e396663746529bad5b44ec5f9eaad8cbd9d77da82aa270284e1a754cf5b3ef55121e7a0bc1707a0e1af7f706f

C:\Windows\system\OKrjwfW.exe

MD5 d512b255eba2e67ec85daea110ba7dce
SHA1 098daeaffaa4a4e0ddd9fd801d004f467adde5f7
SHA256 0db441db937dd756d97621e0b6a8a202bbecb232ddbbc8c744d6257187866f20
SHA512 47f6b630907bddb59c01fb397fa7eeae655ac94e92721c7858e71c7102ef08014c7e4d9defcec29283535f1dd86b034fe8ec9f37377f1345c05d741dd4879434

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-07 19:26

Reported

2024-08-07 19:29

Platform

win10v2004-20240802-en

Max time kernel

140s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\pupbqqd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kFdsLIN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dBSkTCr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HokRgGZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wutlrbi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vnZDpxR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QhpVowH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oIJkEeX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dKPEGOl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IxgrzQf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RGqhlix.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qPQcQNd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qdAaHbo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZJvsPcy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZgRQzGw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OKrjwfW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kHQLqMl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZaiJsFI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iERYzbG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xuyUVKl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iVNABRL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5004 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dKPEGOl.exe
PID 5004 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dKPEGOl.exe
PID 5004 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OKrjwfW.exe
PID 5004 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OKrjwfW.exe
PID 5004 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IxgrzQf.exe
PID 5004 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IxgrzQf.exe
PID 5004 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xuyUVKl.exe
PID 5004 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xuyUVKl.exe
PID 5004 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kHQLqMl.exe
PID 5004 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kHQLqMl.exe
PID 5004 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dBSkTCr.exe
PID 5004 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dBSkTCr.exe
PID 5004 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HokRgGZ.exe
PID 5004 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HokRgGZ.exe
PID 5004 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iVNABRL.exe
PID 5004 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iVNABRL.exe
PID 5004 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wutlrbi.exe
PID 5004 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wutlrbi.exe
PID 5004 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vnZDpxR.exe
PID 5004 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vnZDpxR.exe
PID 5004 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qPQcQNd.exe
PID 5004 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qPQcQNd.exe
PID 5004 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QhpVowH.exe
PID 5004 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QhpVowH.exe
PID 5004 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oIJkEeX.exe
PID 5004 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oIJkEeX.exe
PID 5004 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qdAaHbo.exe
PID 5004 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qdAaHbo.exe
PID 5004 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZaiJsFI.exe
PID 5004 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZaiJsFI.exe
PID 5004 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZJvsPcy.exe
PID 5004 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZJvsPcy.exe
PID 5004 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZgRQzGw.exe
PID 5004 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZgRQzGw.exe
PID 5004 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RGqhlix.exe
PID 5004 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RGqhlix.exe
PID 5004 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pupbqqd.exe
PID 5004 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pupbqqd.exe
PID 5004 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iERYzbG.exe
PID 5004 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iERYzbG.exe
PID 5004 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kFdsLIN.exe
PID 5004 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kFdsLIN.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\dKPEGOl.exe

C:\Windows\System\dKPEGOl.exe

C:\Windows\System\OKrjwfW.exe

C:\Windows\System\OKrjwfW.exe

C:\Windows\System\IxgrzQf.exe

C:\Windows\System\IxgrzQf.exe

C:\Windows\System\xuyUVKl.exe

C:\Windows\System\xuyUVKl.exe

C:\Windows\System\kHQLqMl.exe

C:\Windows\System\kHQLqMl.exe

C:\Windows\System\dBSkTCr.exe

C:\Windows\System\dBSkTCr.exe

C:\Windows\System\HokRgGZ.exe

C:\Windows\System\HokRgGZ.exe

C:\Windows\System\iVNABRL.exe

C:\Windows\System\iVNABRL.exe

C:\Windows\System\wutlrbi.exe

C:\Windows\System\wutlrbi.exe

C:\Windows\System\vnZDpxR.exe

C:\Windows\System\vnZDpxR.exe

C:\Windows\System\qPQcQNd.exe

C:\Windows\System\qPQcQNd.exe

C:\Windows\System\QhpVowH.exe

C:\Windows\System\QhpVowH.exe

C:\Windows\System\oIJkEeX.exe

C:\Windows\System\oIJkEeX.exe

C:\Windows\System\qdAaHbo.exe

C:\Windows\System\qdAaHbo.exe

C:\Windows\System\ZaiJsFI.exe

C:\Windows\System\ZaiJsFI.exe

C:\Windows\System\ZJvsPcy.exe

C:\Windows\System\ZJvsPcy.exe

C:\Windows\System\ZgRQzGw.exe

C:\Windows\System\ZgRQzGw.exe

C:\Windows\System\RGqhlix.exe

C:\Windows\System\RGqhlix.exe

C:\Windows\System\pupbqqd.exe

C:\Windows\System\pupbqqd.exe

C:\Windows\System\iERYzbG.exe

C:\Windows\System\iERYzbG.exe

C:\Windows\System\kFdsLIN.exe

C:\Windows\System\kFdsLIN.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
NL 52.178.17.2:443 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

C:\Windows\System\dKPEGOl.exe

MD5 23d02a4c6b8ff0caf8cd9f13347d00bc
SHA1 c0efe7252d688ad731b2e01ec6eeaa5e89dbef91
SHA256 8a16b4ef0e37fb5be65343f92595d8246539cddc3a449821d1769c17dfa50b23
SHA512 c7fbfca6d33323a50fafde467bc7365bbbf26b964fe0e1c6d76268d48cd1680e0af9e9c7407f87dc18ab549ad0ebce6073968afd2d45b1bef8969f6e1c3e0947

C:\Windows\System\IxgrzQf.exe

MD5 39a7eb977112156d506201987e27559b
SHA1 ddbf59db00887f5564c645c4a5baa95500ec33af
SHA256 2d49ac119dd0b2296c116a3d48ba06466b0b605967d06f2b845ec9cccd081d8a
SHA512 0b4179ab75cccde2b4d2447217b9dfd339b9cb3e7268e6e1f79776ab1aa2257aac068ec4f1ad10b837274d34b54f1cd9f454bb0a6f5d8a96a436aa5493b69ddc

C:\Windows\System\xuyUVKl.exe

MD5 2430cefe147cedfc9a1852df939295d9
SHA1 50ab208eeea6fbc8b461fda7d76f5c71344b3ac6
SHA256 6cb579e0eac9a12b94f518b7a360f22d2f4b16d1564277b5bbb95823b242b596
SHA512 fef6964844748d3877586261608055f0c995de17dac86195db3e0a47c28018eb71dd9b8993049265ffc7ed5229f1c23cc1c4d24795872fe88dd6d51630a548c3

C:\Windows\System\kHQLqMl.exe

MD5 a510ece376e809ff545f8ad4011dfe75
SHA1 b2ee57e60e583890f19a97253e37aaae2e0605a8
SHA256 5bd2afe89bf71b3c069c9b578e4ee50cf900b59dffa3e9ba8ec13097b365a3d3
SHA512 c73055ff2c606c1ff3b1005b9649a804c34b282a420d97e93c8a50c7d109de3c118218bcad6c51cbaa5617645b92b9841db5bee37b70de102a84c524e9d56324

C:\Windows\System\dBSkTCr.exe

MD5 9a99768b37abf9cc5712f8dac36689d6
SHA1 6591fd4bc6de5f8e603569fa3bfb3ca19902f947
SHA256 4459f8ced756b8b39c836421fc7478b4a37923f876bcb693b7692476da155168
SHA512 0b95c97d6feb37f6628b10e10c23caca8e4cd83e396663746529bad5b44ec5f9eaad8cbd9d77da82aa270284e1a754cf5b3ef55121e7a0bc1707a0e1af7f706f

C:\Windows\System\HokRgGZ.exe

MD5 cce87d11d5907495efa761436c1b9927
SHA1 52055f37d48baf801ea2ea276d111ae8f788000f
SHA256 b90c507e246b2236bd754bb3ba8eb8f4d5c97f6d294405010bb4e8264151b1cc
SHA512 d57b6c10ca4f23a7bf6f49eaff03bee5aada1d43a79a909d67963a80d891e41f3b41f5f50a897e74730d932db5eabdbb6f0e5e959f464b7be031f47460044bae

C:\Windows\System\wutlrbi.exe

MD5 ac460159cc52616dcf69a988a8b61f79
SHA1 e8fb5a28a5bea3158589b6fe17fa123373534b06
SHA256 1acbd83f91d5e024f2664a686f5e318967a6e6c7ba6ddcbf1a980375b36d82c0
SHA512 8aee17f2059092554b67eaf820a0b6aa32ca5755dafdd4f8321b00d136854751b4130e4f6117c5cb256d11e8424fda672e476c9d67a7d58f9e1b9135a0a3d6fa

C:\Windows\System\qPQcQNd.exe

MD5 72848087756fbc45f0b887153b6b42cc
SHA1 d3c0d1175b4180235e2332297a151c8647e7c5f6
SHA256 7c461a78b0b787787b4c6a6de6188484629d97881aa61a31675abe49e1b47a99
SHA512 784186c3be6ebb4c48d537821ecc976acd86b1cd66ed50d52a2765510be15a5aae925547ccee45df9ce2bea37d84f0b9b1009fb75b64a450362e2f3d7669cec2

C:\Windows\System\oIJkEeX.exe

MD5 fa6b4771d53fb554637842a3b54fb237
SHA1 48a968b857bbcc22e92f4f667730f4dfbd02e9c4
SHA256 551eeee149d7b902740ed74a7b92c0b42fda487b44c06ae6025569737a933d55
SHA512 6889ca108e900518affdef25276dea978fd97d4558a3e01dd838dd10a46508e1a12889681e6883d84b921d561ab1c4e431ae58a37dbeb4c62fb2a0a2084754b3

C:\Windows\System\QhpVowH.exe

MD5 d0329af70ca33e8612d63600a14360df
SHA1 479bf5831e0a556a0004fa5708b78b62e2156824
SHA256 0ad823d62cd2ab72a95e3997eaac2cda647bdd84caa7f9e423b995aa91079efd
SHA512 85e7ace687e944618063ac3bf9b509285fbb9892c647625701869f0a8cdd4fc73e30f75fa0870b8bf488b384c0c75353fed171c940fad35a8e7714158d0bddd7

C:\Windows\System\vnZDpxR.exe

MD5 71a4e314d9f029574aab8e4033ff4b46
SHA1 a77c4041521470a0d7864a5f7e1fa0cea2a613c7
SHA256 61227e9ab9657dacb812c2f7e43648b64f85eb3e61da5d15bcc936d6842f2da2
SHA512 34d75543c9edb7f588957d3ae761cf2365a4995b9cac97f6121416d869c9af5f5bcccc3bed3699dd63b9d04667a29d6999c03ed99c07a25ddbd2531bb0bfe40c

C:\Windows\System\iVNABRL.exe

MD5 d312d59086c43a8f4767785c0427af3a
SHA1 984cf786e4cd1a7b3a9c766ddd07061de6bdcc7d
SHA256 7ce3410ba303d4a947593c63435867e4a83c533251d1fce9e17c9a7fa6a4306e
SHA512 594bdb28a514e41038dc94f3aecc5948d51a0befb7b1cb88f256ec1bd6716b3d4fb81c0b8d64c3e719af973a961066025541729fa4f27499bcf3bfadc92ca661

C:\Windows\System\OKrjwfW.exe

MD5 d512b255eba2e67ec85daea110ba7dce
SHA1 098daeaffaa4a4e0ddd9fd801d004f467adde5f7
SHA256 0db441db937dd756d97621e0b6a8a202bbecb232ddbbc8c744d6257187866f20
SHA512 47f6b630907bddb59c01fb397fa7eeae655ac94e92721c7858e71c7102ef08014c7e4d9defcec29283535f1dd86b034fe8ec9f37377f1345c05d741dd4879434

C:\Windows\System\ZaiJsFI.exe

MD5 c67cd8a1a3b5d613152c5ba37923d49a
SHA1 0ef1951728436b98309c1eea96ff7b0321066d40
SHA256 4915455a1530dbecd0488ae57b6b606273f0b8c82db6d902189c5c3e9076640f
SHA512 626b71b887b1f8050c05339a49b558910b3282fe87455403bc83d6d0f5a7c0877f6f9deb38a6b1546e422f8dada5f82616079add757bca91572373cab35b4ef9

C:\Windows\System\qdAaHbo.exe

MD5 35cfa6919aa1c0cc03725381d6102d8d
SHA1 20c8e458bdc08a27aaa462ee8755eb6ade322313
SHA256 2599178e83a66c03995bd336b20b12ffbc9aee33838a3eae728050c908dc36e5
SHA512 0bd2ed0a70f8934373c57e930c36e6c77aefd99187fb405175054a04032b9a7124a7727132406fd052d1dc5f2266b64460b51055febab785e122f12112ac75af

C:\Windows\System\ZJvsPcy.exe

MD5 bece7aa4c02b0a60568054b57fb2f84e
SHA1 ed3cd7f179e24671b3b3624778a6b45e4638ee47
SHA256 56f9ade9223d3092af1584b09cb24132b486732e8d5c0a3be3efd7970ceeec4b
SHA512 bb4c9260f082eb01193ec3a16563def96223bb4a422aa2832efaa07fb9d1a1fca45247655b3c5a5b31f38f9f8f194babf2e8d0c0abbf35f02bf2ed80de35c454

C:\Windows\System\kFdsLIN.exe

MD5 a2c9d24d3f3de8689dc1cf61d05cb140
SHA1 23654e57e33f20f2a927382f6839e2bb92ff9623
SHA256 2159d0643b8cda9c878bf0802386ac58465573d32b02110835e0423c257158f3
SHA512 2d0a74a4700a53f63d42b055ba1aed99cbe77b0d340b9fd5f8aa0c78cc27e7f6188ffe098ba805b2e0e5ca9a418228f2f387bcfc2d05984b4493b4ef7b70e887

C:\Windows\System\RGqhlix.exe

MD5 ddd34676ed055ed9063c8006efe98cf3
SHA1 45fb221780cae2b4646a566a49dcdc82f5d4d0da
SHA256 ce45915289f42b31488c0264592d02b6fcfe06a852ae96a132bc9027b902fda6
SHA512 ddca8ea412a1d8a6e68670969e61e215750356e39da207fb0ff40a83965165814cd264b2a9a350dd8b0908fc35a8bec73ee2e4a68e61db904458c0ebc0365b2a

C:\Windows\System\iERYzbG.exe

MD5 694c4f6345f9d36b6a5021199070e988
SHA1 55fd2792f9da07876a984ab9125bf5978a2686ec
SHA256 85c1d772d0aca4d3488a4abe6ed0ab28f03a7a99328dbc2a74efd137094912cb
SHA512 b79526305fb1d4425c0d8191aaae17257d34ee510d41430d3cecb915eb28a953e455874f26c49152f3fd3694ea0a79e43c6d1e2c693018be2b1108b401cb89ae

C:\Windows\System\pupbqqd.exe

MD5 8d9577de1b12db50f50036fafc4a12cf
SHA1 e58e9dd0e9b8f119628cb0e3003b8c7771ee3688
SHA256 dd874a91077182a1814f7346c79a755d79e7a5f9c983131684ebef4fcc1e71f0
SHA512 b1603dfe1e4ada1f4060493b639da364593f47d32cecb1a777dbe4eb22d6261a463a5f7d273404147fd76bf7597afc4763cc2fdd3d09a0a617f0dd87b243882a

C:\Windows\System\ZgRQzGw.exe

MD5 eb7086ece612d6dc0620c4166f9ebb50
SHA1 e18c9e6a795b00c66aa3b35a171e7c0d2779bbf0
SHA256 fa959f88ae1d6e83ba15757a04752533e44b50069367b91c4df2a4ead3e78249
SHA512 2bd399fd00e590d18544a7f077296902eea0e8fe316f7bb746e46e5311c2980c808e71b307653e1354f7bb3b6ad5cb4ddbbe7f62585e9e71655a1f0f31ecb982
