Malware Analysis Report

2025-01-22 19:22

Sample ID 240807-zgzwysteqn
Target 2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat
SHA256 237ac774ed9765035e75e8b788c8240891a0207f40f435d21f7300544c6d2eeb
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

237ac774ed9765035e75e8b788c8240891a0207f40f435d21f7300544c6d2eeb

Threat Level: Known bad

The file 2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

XMRig Miner payload

xmrig

Cobalt Strike reflective loader

Cobaltstrike

Cobaltstrike family

Xmrig family

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-07 20:42

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-07 20:42

Reported

2024-08-07 20:44

Platform

win7-20240704-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
21 matches; the report exports no description, indicator, process or target for any of them.

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
62 matches; the report exports no description, indicator, process or target for any of them.

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
58 matches; the report exports no description, indicator, process or target for any of them.

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\bOYjrgP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zPChrJZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iXdppRh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nIBpIQU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eAxBqYr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NnymmRb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HBrWbtj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LocCdgH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HbaDVdn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VJwJXcz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fMZMkcP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mCVFDvv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\USXlIkf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RkwKbLQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bsJMxbx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gKBRBDA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EVrItBL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\chyTqcD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TrPxHSb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AgpFylb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QgPPGNC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3036 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NnymmRb.exe
PID 3036 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NnymmRb.exe
PID 3036 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NnymmRb.exe
PID 3036 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bsJMxbx.exe
PID 3036 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bsJMxbx.exe
PID 3036 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bsJMxbx.exe
PID 3036 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gKBRBDA.exe
PID 3036 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gKBRBDA.exe
PID 3036 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gKBRBDA.exe
PID 3036 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bOYjrgP.exe
PID 3036 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bOYjrgP.exe
PID 3036 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bOYjrgP.exe
PID 3036 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zPChrJZ.exe
PID 3036 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zPChrJZ.exe
PID 3036 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zPChrJZ.exe
PID 3036 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HBrWbtj.exe
PID 3036 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HBrWbtj.exe
PID 3036 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HBrWbtj.exe
PID 3036 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LocCdgH.exe
PID 3036 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LocCdgH.exe
PID 3036 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LocCdgH.exe
PID 3036 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fMZMkcP.exe
PID 3036 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fMZMkcP.exe
PID 3036 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fMZMkcP.exe
PID 3036 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mCVFDvv.exe
PID 3036 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mCVFDvv.exe
PID 3036 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mCVFDvv.exe
PID 3036 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iXdppRh.exe
PID 3036 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iXdppRh.exe
PID 3036 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iXdppRh.exe
PID 3036 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EVrItBL.exe
PID 3036 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EVrItBL.exe
PID 3036 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EVrItBL.exe
PID 3036 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\chyTqcD.exe
PID 3036 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\chyTqcD.exe
PID 3036 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\chyTqcD.exe
PID 3036 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\USXlIkf.exe
PID 3036 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\USXlIkf.exe
PID 3036 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\USXlIkf.exe
PID 3036 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RkwKbLQ.exe
PID 3036 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RkwKbLQ.exe
PID 3036 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RkwKbLQ.exe
PID 3036 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nIBpIQU.exe
PID 3036 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nIBpIQU.exe
PID 3036 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nIBpIQU.exe
PID 3036 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TrPxHSb.exe
PID 3036 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TrPxHSb.exe
PID 3036 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TrPxHSb.exe
PID 3036 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AgpFylb.exe
PID 3036 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AgpFylb.exe
PID 3036 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AgpFylb.exe
PID 3036 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QgPPGNC.exe
PID 3036 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QgPPGNC.exe
PID 3036 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QgPPGNC.exe
PID 3036 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HbaDVdn.exe
PID 3036 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HbaDVdn.exe
PID 3036 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HbaDVdn.exe
PID 3036 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eAxBqYr.exe
PID 3036 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eAxBqYr.exe
PID 3036 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eAxBqYr.exe
PID 3036 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VJwJXcz.exe
PID 3036 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VJwJXcz.exe
PID 3036 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VJwJXcz.exe
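The table above records each parent-to-child write three times, and every target is an executable the parent had just dropped in C:\Windows\System. The script below is an added example, not part of the sandbox report or its tooling: it parses a constructed excerpt of those rows (the first four children, copied from the table), rebuilds the parent/child relationship and checks two things an analyst wants before calling this code injection: whether every child received the same small number of writes (on Windows 7, CreateProcess itself has the parent write the new child's process parameters, so a uniform baseline count is consistent with a plain process start) and whether every target lives in the drop directory. The parent path is the real one from the report; the function names are mine.

```python
import re
from collections import Counter, defaultdict

# Constructed sample (added example, not from the report): the rows for the first four
# children of PID 3036, each repeated three times exactly as the table above lists them.
PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe")
CHILDREN = [(2240, "NnymmRb.exe"), (2848, "bsJMxbx.exe"),
            (2964, "gKBRBDA.exe"), (2832, "bOYjrgP.exe")]
SAMPLE_ROWS = "\n".join(
    f"PID 3036 wrote to memory of {pid} N/A {PARENT} C:\\Windows\\System\\{name}"
    for pid, name in CHILDREN for _ in range(3))

# "PID <src> wrote to memory of <dst> <indicator> <src image> <dst image>"; none of the
# paths in this report contain spaces, so splitting on whitespace is safe here.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def parse_writes(text):
    """Return (src_pid, dst_pid, src_image, dst_image) for every table row in text."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((int(m[1]), int(m[2]), m[3], m[4]))
    return events


def process_tree(events):
    """Writer PID -> set of PIDs it wrote into (here: parent -> dropped children)."""
    tree = defaultdict(set)
    for src, dst, _, _ in events:
        tree[src].add(dst)
    return dict(tree)


def triage(events, drop_dir="C:\\Windows\\System\\"):
    """Summarise the write pattern so an analyst can judge injection vs. plain process start."""
    writes_per_child = Counter((src, dst) for src, dst, _, _ in events)
    counts = set(writes_per_child.values())
    targets = {dst_img for _, _, _, dst_img in events}
    in_drop = sorted(t for t in targets if t.lower().startswith(drop_dir.lower()))
    return {
        "parents": sorted(process_tree(events)),
        "children": len(writes_per_child),
        # One uniform count per child (3 here) matches the baseline CreateProcess produces on
        # Windows 7, where the parent writes the child's process parameters; a loader that
        # injects a payload adds writes beyond that. Confirm against the memory dumps.
        "uniform_write_count": counts.pop() if len(counts) == 1 else None,
        "targets_in_drop_dir": in_drop,
        "targets_elsewhere": sorted(targets - set(in_drop)),
    }


if __name__ == "__main__":
    ev = parse_writes(SAMPLE_ROWS)
    print(process_tree(ev))
    print(triage(ev))
```

Run it on the full table by pasting all 63 rows into SAMPLE_ROWS; a child whose count differs from the rest, or a target outside C:\Windows\System, is the row to pull the corresponding dump for.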

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\NnymmRb.exe

C:\Windows\System\NnymmRb.exe

C:\Windows\System\bsJMxbx.exe

C:\Windows\System\bsJMxbx.exe

C:\Windows\System\gKBRBDA.exe

C:\Windows\System\gKBRBDA.exe

C:\Windows\System\bOYjrgP.exe

C:\Windows\System\bOYjrgP.exe

C:\Windows\System\zPChrJZ.exe

C:\Windows\System\zPChrJZ.exe

C:\Windows\System\HBrWbtj.exe

C:\Windows\System\HBrWbtj.exe

C:\Windows\System\LocCdgH.exe

C:\Windows\System\LocCdgH.exe

C:\Windows\System\fMZMkcP.exe

C:\Windows\System\fMZMkcP.exe

C:\Windows\System\mCVFDvv.exe

C:\Windows\System\mCVFDvv.exe

C:\Windows\System\iXdppRh.exe

C:\Windows\System\iXdppRh.exe

C:\Windows\System\EVrItBL.exe

C:\Windows\System\EVrItBL.exe

C:\Windows\System\chyTqcD.exe

C:\Windows\System\chyTqcD.exe

C:\Windows\System\USXlIkf.exe

C:\Windows\System\USXlIkf.exe

C:\Windows\System\RkwKbLQ.exe

C:\Windows\System\RkwKbLQ.exe

C:\Windows\System\nIBpIQU.exe

C:\Windows\System\nIBpIQU.exe

C:\Windows\System\TrPxHSb.exe

C:\Windows\System\TrPxHSb.exe

C:\Windows\System\AgpFylb.exe

C:\Windows\System\AgpFylb.exe

C:\Windows\System\QgPPGNC.exe

C:\Windows\System\QgPPGNC.exe

C:\Windows\System\HbaDVdn.exe

C:\Windows\System\HbaDVdn.exe

C:\Windows\System\eAxBqYr.exe

C:\Windows\System\eAxBqYr.exe

C:\Windows\System\VJwJXcz.exe

C:\Windows\System\VJwJXcz.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp (6 identical entries, no domain recorded)

Files

memory/3036-0-0x000000013F4D0000-0x000000013F824000-memory.dmp

memory/3036-1-0x0000000000180000-0x0000000000190000-memory.dmp

\Windows\system\NnymmRb.exe

MD5 6a24a9ddb5039b1672584426040b5a63
SHA1 2821ac2bf44091daaf8956eb7d164d3a601f9541
SHA256 bb3accbbafa71929bb85e928c565b70f47247e69b6b16edac6dc6b2bcf9ce3ed
SHA512 0f8cdd5726a2560c2f7182b67eaed6a9d51a31dc9ebf749b2ab076b0f4a81a2626e692a163834d0e64615bc1e053954187e12edf6779f8d43f91c47733a92672

memory/3036-8-0x000000013FE10000-0x0000000140164000-memory.dmp

\Windows\system\bsJMxbx.exe

MD5 8090886a3da6d494ab8c23da2db9e031
SHA1 5f2b3c8200dcdffb21202da62159ff2f1aba0ff4
SHA256 79674ce10d73f707cb3848cf54adc2537a4695d2fb5ff3ba6089eed09ab2e1cb
SHA512 f644b6da76f027167e02a41b855f32e1a7c8668302da40cfd9e3d38b8588c14d8b67ecbe13fdf81faa29f5df4f23985f73ba099057988d4190180a2a87b5a418

C:\Windows\system\gKBRBDA.exe

MD5 aaf90ee02808e5884953055968e28757
SHA1 42be2744b23b3dbf8ebde0cd4165566ac9abadc1
SHA256 5c0335f0d62eaa7ae0a698c67651883c5f277d291231d55b89eea81e27b1b364
SHA512 e16811ef5e96c071a9db47eaf049f6f95cd411f644290cd9e2a39520a43881d637d543ec33e1924bce9ea7fc4947b0b41022f37c91c7c374061d91a21bd53e3a

memory/3036-23-0x00000000024B0000-0x0000000002804000-memory.dmp

memory/2832-36-0x000000013F100000-0x000000013F454000-memory.dmp

C:\Windows\system\HBrWbtj.exe

MD5 1fe26f9d9cc0d5fcf8442288c6eb5358
SHA1 fcfc3d886c5731c9701d55c4964dae7a6c544287
SHA256 a167e39ef447f0f15a11fdf203a8eb6e13f510a61735ec951ac80b65caebe948
SHA512 ff2c96bd4381f4cd5c3ebacdbd3afc3f52bb149a18654efc98b5dea1bb5167a0c8d302484d4d94e17a6e84bf9d2d6a2d891171770e2bdaa662ee1857fd2bd4f5

C:\Windows\system\LocCdgH.exe

MD5 cbf63c961d20a8ee6c5055c2d0bd1207
SHA1 2a77bbd246721ea48feeb354b0ac73dc4125b42a
SHA256 370423fc22b83c2e5c8148b3b1f5c624e7f1a58a9d2e8eb4df5684c7a1210194
SHA512 25cae159f73ca14968b000b465539ad74b2cea1b80512800b2df91c3224575f5db8b3de543fde9b1450c84c2f29c4a9a892a934e9d6cd5a2881636cbbbaadf6b

\Windows\system\fMZMkcP.exe

MD5 212d826126f5556d37a443fbaf9b3d8a
SHA1 99d765e5990ba89a09201e7593d7c640d3aa7466
SHA256 f0b5294687e6f903f59a5ab9ba4db3383b338ecd2978ea0a78c1e11753b8ce0d
SHA512 9edc9ed0661d67874998071c020c78c13c0071b9bd5299a6918e15dc1ccb896d57881132deb65be43afe6fb136fadb01ec7e87962f5e1dbc49ff2618bdf57a81

memory/2160-72-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

\Windows\system\chyTqcD.exe

MD5 0e83abbafd565c4f0f6754213a5f4af7
SHA1 cf8bf5f8962c2a56f2df8ac6c4cc863340f3ff2e
SHA256 724460fade7e741174001f48eadb1bad966f4d2a90428222f333f93f37d5abb7
SHA512 5dac2d4fd8027148af6acf4371bb1d62195bb3df4e5fd95a45616ffdfde46caaac8d45a34fb45b3e2ecb2a2f1a2af29abdcfe3940583ecbc73d0ada893849ed0

memory/2312-95-0x000000013F660000-0x000000013F9B4000-memory.dmp

C:\Windows\system\VJwJXcz.exe

MD5 a42ac9ca673599424e57bcd89e456751
SHA1 30f0f688713f900a36afd2596058e7ef76771f6b
SHA256 015c2d9563a3345acd2d36e53e5187cbed73020148bf189355ce706327d4182c
SHA512 e82d17b34312dca2c5eccb0d2cfcc534e80c47dacf12a266291d94b2ab6f9f9ac71fc7e31bd6fe6e8ad98173b52b9eac1537d4c6a7f8595cdca67ad40ca11f9b

C:\Windows\system\eAxBqYr.exe

MD5 a76f884d78337c831e1288faa9a189aa
SHA1 df479a7964ad08fccb31bea6d6233328d771c79d
SHA256 ff5717edc25f74d560e2b0a0e05b644c0dcfb42d411dc1856f19efa63d2efcc3
SHA512 3f28ae29d8711db81c2880c15ffc3cef4ffd691970c7ddf7dc2ac4c76fba0c48af9ed171ca6c51d97a7083cfeaca6c2a14b9f2c15ffdabd737c58c4b7e5cef5f

C:\Windows\system\QgPPGNC.exe

MD5 68c03a4b6e1a6262056dddbc1804680c
SHA1 563c3ed627cd03750b8ae30e8f54ead7932991f4
SHA256 b0d86edfe1b479ecffabba5ccf25ea0ccd1ce29f4587f964212154a56eba5742
SHA512 444866f136e6cde56ee36e03febaba64c4a1dd50af433db8b3b68f74f58a32f3d38bca12ce5debe32398b4b11198e61bcf55895e21581acc4864f1ca7d2193c0

C:\Windows\system\HbaDVdn.exe

MD5 52de67d53873d410cd7364e7f2472091
SHA1 01f8e7838fb8b0c5064c8e0399dd504443cd6ed9
SHA256 9b9c2fea2ab48e05fd0ddf0062bfd3b7eb5bd7943628a9e55cd531f2580386c0
SHA512 fa9f93f076a4b697018d4dc6a4a2a7af6a2c5043bbb62cee4955aa16c8545d859a13bedbc53872a6d6d9a6a8bd20eec6e2c9568f2f8aab9fde1d6ff352d2d4ef

C:\Windows\system\TrPxHSb.exe

MD5 c56d78ddf30d1ad6394300835b73c4be
SHA1 6e809bb5e412ca746d54d7b1bddf19a89c404a55
SHA256 331f8016ad219be8d3f006f227545ee32bc4d8c6bd15f2e4c6a1e9af1cc2e3c0
SHA512 5cfc74d7988148688710290072ddda8d0ed1dd08bb519394ac2400a43554a60e8609962ad0621e3dcb86e4953532fa62b489e6ad417a55db36088a496a6437ba

memory/3036-111-0x000000013FE10000-0x0000000140164000-memory.dmp

memory/2840-110-0x000000013F9C0000-0x000000013FD14000-memory.dmp

C:\Windows\system\AgpFylb.exe

MD5 1c13a296510351bb6dbfd1548282b80c
SHA1 f360ade73ef9b7a7b7083f843fcb6ed40a729479
SHA256 41572d649a3c910fc55b2678258496373c705dacbcebfa913a12cd45d88e085a
SHA512 105d2cba5b27a9ceeb8a6ec74fddd71c325e0f3744f847947e48b4df61f5f4d0eb9fe077105995274b5a7e544cae12d4dbc6bc52999d45c1cbb1381aaf98a30f

memory/2124-101-0x000000013F8E0000-0x000000013FC34000-memory.dmp

memory/3036-100-0x000000013F8E0000-0x000000013FC34000-memory.dmp

memory/2916-99-0x000000013FF10000-0x0000000140264000-memory.dmp

C:\Windows\system\nIBpIQU.exe

MD5 f516db5f81e1614df7d13f7a9d4dc38d
SHA1 115dbd7bdb1923cf03fbdc5fc9fb6844bd1529a1
SHA256 324379e6a2d507b7830143a6fd22809832bed6308e52b431a1ab7ed094b88409
SHA512 228b587fcf779c2b800ba6c202652deefe888d52d9d70429782b6d38940cff5ffdcb6113cb7b81722d1dc6a35550a4584bf56d444cfa96a22fe871247531ff84

memory/2716-140-0x000000013F1E0000-0x000000013F534000-memory.dmp

C:\Windows\system\RkwKbLQ.exe

MD5 8a4b0d9e4d43fac67bdff0e96abf94a6
SHA1 c993443a8da6429e9dd78523f5a2ea9875a0b126
SHA256 3e4c856c72ac49c096998641c6a3a74a1864957abdca29e1b756d12fde9d1df1
SHA512 321204faba3fbd9216b559c82c4d02c28c39730179c6382cbf00bd92dbad8a9f7842fb35ac2508e9c3c48ff95becf0c7ab9b7a793f9bde538ca4770b7a80a14d


Analysis: behavioral2

Detonation Overview

Submitted

2024-08-07 20:42

Reported

2024-08-07 20:44

Platform

win10v2004-20240802-en

Max time kernel

138s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\koPWKDN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QzarDqv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AzRHMSx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GNhEzGO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VuSmMnX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AFFJgWG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NAjEhGp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FrgxtFn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\THBlTRN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mcnoWTv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WNUqMAW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IbYVoDZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\utChYOc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mVBFHwy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UuEHRiP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mvOBSnn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pAZLPWm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fNnVRde.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LKTdldf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jkZZWgY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bbYdIsc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4176 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AFFJgWG.exe
PID 4176 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AFFJgWG.exe
PID 4176 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NAjEhGp.exe
PID 4176 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NAjEhGp.exe
PID 4176 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FrgxtFn.exe
PID 4176 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FrgxtFn.exe
PID 4176 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\THBlTRN.exe
PID 4176 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\THBlTRN.exe
PID 4176 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mvOBSnn.exe
PID 4176 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mvOBSnn.exe
PID 4176 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pAZLPWm.exe
PID 4176 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pAZLPWm.exe
PID 4176 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fNnVRde.exe
PID 4176 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fNnVRde.exe
PID 4176 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IbYVoDZ.exe
PID 4176 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IbYVoDZ.exe
PID 4176 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mcnoWTv.exe
PID 4176 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mcnoWTv.exe
PID 4176 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WNUqMAW.exe
PID 4176 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WNUqMAW.exe
PID 4176 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LKTdldf.exe
PID 4176 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LKTdldf.exe
PID 4176 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\koPWKDN.exe
PID 4176 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\koPWKDN.exe
PID 4176 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\utChYOc.exe
PID 4176 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\utChYOc.exe
PID 4176 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QzarDqv.exe
PID 4176 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QzarDqv.exe
PID 4176 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AzRHMSx.exe
PID 4176 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AzRHMSx.exe
PID 4176 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jkZZWgY.exe
PID 4176 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jkZZWgY.exe
PID 4176 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mVBFHwy.exe
PID 4176 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mVBFHwy.exe
PID 4176 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UuEHRiP.exe
PID 4176 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UuEHRiP.exe
PID 4176 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GNhEzGO.exe
PID 4176 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GNhEzGO.exe
PID 4176 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VuSmMnX.exe
PID 4176 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VuSmMnX.exe
PID 4176 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bbYdIsc.exe
PID 4176 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bbYdIsc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\AFFJgWG.exe

C:\Windows\System\AFFJgWG.exe

C:\Windows\System\NAjEhGp.exe

C:\Windows\System\NAjEhGp.exe

C:\Windows\System\FrgxtFn.exe

C:\Windows\System\FrgxtFn.exe

C:\Windows\System\THBlTRN.exe

C:\Windows\System\THBlTRN.exe

C:\Windows\System\mvOBSnn.exe

C:\Windows\System\mvOBSnn.exe

C:\Windows\System\pAZLPWm.exe

C:\Windows\System\pAZLPWm.exe

C:\Windows\System\fNnVRde.exe

C:\Windows\System\fNnVRde.exe

C:\Windows\System\IbYVoDZ.exe

C:\Windows\System\IbYVoDZ.exe

C:\Windows\System\mcnoWTv.exe

C:\Windows\System\mcnoWTv.exe

C:\Windows\System\WNUqMAW.exe

C:\Windows\System\WNUqMAW.exe

C:\Windows\System\LKTdldf.exe

C:\Windows\System\LKTdldf.exe

C:\Windows\System\koPWKDN.exe

C:\Windows\System\koPWKDN.exe

C:\Windows\System\utChYOc.exe

C:\Windows\System\utChYOc.exe

C:\Windows\System\QzarDqv.exe

C:\Windows\System\QzarDqv.exe

C:\Windows\System\AzRHMSx.exe

C:\Windows\System\AzRHMSx.exe

C:\Windows\System\jkZZWgY.exe

C:\Windows\System\jkZZWgY.exe

C:\Windows\System\mVBFHwy.exe

C:\Windows\System\mVBFHwy.exe

C:\Windows\System\UuEHRiP.exe

C:\Windows\System\UuEHRiP.exe

C:\Windows\System\GNhEzGO.exe

C:\Windows\System\GNhEzGO.exe

C:\Windows\System\VuSmMnX.exe

C:\Windows\System\VuSmMnX.exe

C:\Windows\System\bbYdIsc.exe

C:\Windows\System\bbYdIsc.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
