Malware Analysis Report

2025-01-22 19:22

Sample ID 240807-zjfabsxdjc
Target 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat
SHA256 82ddcf208870b5e00846fbd3bf96f43a4447386d9919458a312420aaf72fad6a
Tags: upx, miner, cobaltstrike, xmrig, backdoor, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

82ddcf208870b5e00846fbd3bf96f43a4447386d9919458a312420aaf72fad6a

Threat Level: Known bad

The file 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Tags: upx, miner, cobaltstrike, xmrig, backdoor, trojan

Xmrig family
Cobalt Strike reflective loader
Cobaltstrike family
Cobaltstrike
xmrig
XMRig Miner payload
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-08-07 20:44

Signatures

Cobalt Strike reflective loader
Cobaltstrike family (cobaltstrike)
XMRig Miner payload (miner)
Xmrig family (xmrig)
UPX packed file (upx)
Unsigned PE

The static pass records no per-indicator detail for any of these hits: every Description, Indicator, Process and Target cell is N/A.
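The "UPX packed file" and "Unsigned PE" hits above (and the 64 UPX matches in behavioral1 below) come from plain PE header inspection. The following is an added example, not the sandbox's signature code: it walks the DOS, COFF and optional headers by hand (no pefile dependency), reads the section names and the Authenticode certificate data directory, and reproduces both verdicts. build_fake_pe() is a constructed fixture that emits only the header bytes parse_pe() needs, so the checks run offline; it is not the sample from this report.

```python
"""Static checks behind the 'UPX packed file' and 'Unsigned PE' signatures.

Added example (not sandbox code). build_fake_pe() is a constructed fixture.
"""
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Authenticode certificate table


def parse_pe(data: bytes) -> dict:
    """Return section names and the size of the certificate data directory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:          # 64-bit: NumberOfRvaAndSizes at +108, dirs at +112
        n_dirs_off, dirs_off = opt + 108, opt + 112
    elif magic == PE32_MAGIC:            # 32-bit: NumberOfRvaAndSizes at +92, dirs at +96
        n_dirs_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    n_dirs = struct.unpack_from("<I", data, n_dirs_off)[0]
    cert_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _cert_off, cert_size = struct.unpack_from(
            "<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sect = opt + opt_size                # section table follows the optional header
    names = []
    for i in range(n_sections):
        raw = data[sect + 40 * i: sect + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {"sections": names, "cert_size": cert_size}


def triage_pe(data: bytes) -> list:
    """Mirror the two static signatures from the report."""
    info = parse_pe(data)
    hits = []
    # A stock UPX build names its stub sections UPX0/UPX1 (UPX2 when present).
    # Renamed sections defeat this; pair it with section entropy in real tooling.
    if any(n.upper().startswith("UPX") for n in info["sections"]):
        hits.append("UPX packed file")
    # An empty certificate directory means no embedded Authenticode signature.
    # A non-empty one only means a blob is present, not that it verifies.
    if info["cert_size"] == 0:
        hits.append("Unsigned PE")
    return hits


def build_fake_pe(section_names, signed: bool, pe32plus: bool = True) -> bytes:
    """Constructed fixture: the smallest header layout parse_pe() needs."""
    opt_size = 240 if pe32plus else 224
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       len(section_names), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    n_dirs_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, n_dirs_off, 16)
    if signed:  # pretend a certificate table sits at file offset 0x1000
        struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x800)
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names))
    return dos + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    print(triage_pe(build_fake_pe(["UPX0", "UPX1", ".rsrc"], signed=False)))
    print(triage_pe(build_fake_pe([".text", ".rdata", ".data"], signed=True)))
```

Point parse_pe() at real file bytes to run the same two checks on a sample; the fixture exists only so the example is self-contained.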

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-07 20:44
Reported: 2024-08-07 20:47
Platform: win7-20240729-en
Max time kernel: 142s
Max time network: 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

21 matches; no Description, Indicator, Process or Target detail recorded (all N/A).

Cobaltstrike (trojan backdoor cobaltstrike)

xmrig (miner xmrig)

XMRig Miner payload (miner)

41 matches; no Description, Indicator, Process or Target detail recorded (all N/A).

Loads dropped DLL

21 matches, all attributed to the process C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe; the loaded DLL paths are not recorded (Description, Indicator and Target are N/A).

UPX packed file (upx)

64 matches; no Description, Indicator, Process or Target detail recorded (all N/A).

Drops file in Windows directory

All 21 entries are "File created" events by C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe (Indicator and Target: N/A). Files created, in the order recorded:

C:\Windows\System\ydajkJa.exe
C:\Windows\System\MbUNEAU.exe
C:\Windows\System\rjcEPXC.exe
C:\Windows\System\TKvMFRV.exe
C:\Windows\System\NxsvSQo.exe
C:\Windows\System\hvVJJyU.exe
C:\Windows\System\xZgfKFa.exe
C:\Windows\System\ncCJlIN.exe
C:\Windows\System\qhspczV.exe
C:\Windows\System\beROeQP.exe
C:\Windows\System\yVwevHM.exe
C:\Windows\System\QxPhWDp.exe
C:\Windows\System\FHGeCaI.exe
C:\Windows\System\WenaqoJ.exe
C:\Windows\System\OlNLbjR.exe
C:\Windows\System\HteHcyq.exe
C:\Windows\System\YeCFDqK.exe
C:\Windows\System\vyhBERD.exe
C:\Windows\System\HxBlOMC.exe
C:\Windows\System\gdrcXks.exe
C:\Windows\System\YKWErmK.exe

Suspicious use of WriteProcessMemory

Source for every entry: PID 1464, C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe (Indicator: N/A). Each target process received three writes; 21 targets in the order recorded:

Target PID  Target
576   C:\Windows\System\WenaqoJ.exe
2332  C:\Windows\System\OlNLbjR.exe
2960  C:\Windows\System\HteHcyq.exe
2240  C:\Windows\System\ncCJlIN.exe
2712  C:\Windows\System\vyhBERD.exe
3016  C:\Windows\System\ydajkJa.exe
2796  C:\Windows\System\HxBlOMC.exe
776   C:\Windows\System\MbUNEAU.exe
2748  C:\Windows\System\rjcEPXC.exe
1556  C:\Windows\System\gdrcXks.exe
1200  C:\Windows\System\qhspczV.exe
1032  C:\Windows\System\beROeQP.exe
2684  C:\Windows\System\yVwevHM.exe
1332  C:\Windows\System\YeCFDqK.exe
2204  C:\Windows\System\QxPhWDp.exe
2280  C:\Windows\System\TKvMFRV.exe
2136  C:\Windows\System\FHGeCaI.exe
2524  C:\Windows\System\NxsvSQo.exe
1924  C:\Windows\System\xZgfKFa.exe
1288  C:\Windows\System\hvVJJyU.exe
1656  C:\Windows\System\YKWErmK.exe
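Read together, the "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" tables describe one chain: a process running from a user's Temp directory writes executables with seven-letter mixed-case names directly into C:\Windows\System (the legacy directory, not System32), then writes into each of the 21 resulting processes. The following is an added example, not the sandbox's detection logic: it correlates that chain over a constructed event list in an assumed schema (file_create and write_process_memory records) that mirrors six of the report's rows plus two benign control events. Several writes into a freshly created child are normal for process creation (the parent pushes the child's process parameters), so the detector keys on the fan-out and on the drop-then-write correlation rather than on any single write; the generated-name heuristic is a scoring signal only.

```python
r"""Correlating the drop-then-write chain seen in behavioral1.

Added example, not sandbox code. build_sample_events() returns CONSTRUCTED
events in an assumed schema mirroring a subset of the report's rows.
"""
from collections import defaultdict

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe")
SYSTEM_DIR = "c:\\windows\\system\\"   # the legacy 16-bit dir, not System32

# (child PID, dropped image) pairs copied from the report's tables
CHILDREN = [
    (576,  r"C:\Windows\System\WenaqoJ.exe"),
    (2332, r"C:\Windows\System\OlNLbjR.exe"),
    (2960, r"C:\Windows\System\HteHcyq.exe"),
    (2240, r"C:\Windows\System\ncCJlIN.exe"),
    (2712, r"C:\Windows\System\vyhBERD.exe"),
    (3016, r"C:\Windows\System\ydajkJa.exe"),
]


def build_sample_events():
    """Constructed sandbox-style events, not an export from the report."""
    ev = [{"type": "file_create", "pid": 1464, "image": DROPPER, "path": p} for _, p in CHILDREN]
    for cpid, p in CHILDREN:          # three writes per child, as in the report
        ev += [{"type": "write_process_memory", "pid": 1464, "image": DROPPER,
                "target_pid": cpid, "target_image": p}] * 3
    ev.append({"type": "file_create", "pid": 900, "image": r"C:\Windows\System32\msiexec.exe",
               "path": r"C:\Program Files\Vendor\Setup.exe"})       # benign control
    ev.append({"type": "write_process_memory", "pid": 1300, "image": r"C:\Windows\explorer.exe",
               "target_pid": 1400, "target_image": r"C:\Windows\System32\notepad.exe"})
    return ev


def name_looks_generated(path):
    """6-8 letters, no digits, mixed case after the first char (e.g. ydajkJa).
    A scoring signal only: real binaries are rarely named this way, but some are."""
    stem = path.rsplit("\\", 1)[-1]
    if stem.lower().endswith(".exe"):
        stem = stem[:-4]
    return (stem.isalpha() and 6 <= len(stem) <= 8
            and any(c.isupper() for c in stem[1:]) and any(c.islower() for c in stem))


def suspicious_drops(events):
    """(pid, path) for executables created directly under the legacy System
    directory by a process running out of a user's Temp directory."""
    hits = []
    for e in events:
        if e["type"] != "file_create":
            continue
        p = e["path"].lower()
        if (p.startswith(SYSTEM_DIR) and p.endswith(".exe")
                and "\\appdata\\local\\temp\\" in e["image"].lower()):
            hits.append((e["pid"], e["path"]))
    return hits


def write_fanout(events, min_children=5):
    """pid -> sorted distinct target PIDs for parents writing into many processes."""
    targets = defaultdict(set)
    for e in events:
        if e["type"] == "write_process_memory":
            targets[e["pid"]].add(e["target_pid"])
    return {pid: sorted(t) for pid, t in targets.items() if len(t) >= min_children}


def dropper_chain(events, min_children=5):
    """pid -> images it both dropped (per suspicious_drops) and later wrote into."""
    dropped = defaultdict(set)
    for pid, path in suspicious_drops(events):
        dropped[pid].add(path.lower())
    chains = defaultdict(set)
    for e in events:
        if (e["type"] == "write_process_memory"
                and e["target_image"].lower() in dropped.get(e["pid"], ())):
            chains[e["pid"]].add(e["target_image"])
    return {pid: sorted(c) for pid, c in chains.items() if len(c) >= min_children}


def generated_name_ratio(paths):
    """Share of paths whose file name matches the generated-name heuristic."""
    return sum(name_looks_generated(p) for p in paths) / len(paths) if paths else 0.0


if __name__ == "__main__":
    events = build_sample_events()
    for pid, images in dropper_chain(events).items():
        print(pid, len(images), "dropped-then-written children,",
              f"{generated_name_ratio(images):.0%} generated-looking names")
```

The thresholds (five children, 6-8 letter stems) are this example's choices; tune them against your own telemetry before alerting on them.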

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe"

Dropped executables, each run with a command line identical to its image path:

C:\Windows\System\WenaqoJ.exe
C:\Windows\System\OlNLbjR.exe
C:\Windows\System\HteHcyq.exe
C:\Windows\System\ncCJlIN.exe
C:\Windows\System\vyhBERD.exe
C:\Windows\System\ydajkJa.exe
C:\Windows\System\HxBlOMC.exe
C:\Windows\System\MbUNEAU.exe
C:\Windows\System\rjcEPXC.exe
C:\Windows\System\gdrcXks.exe
C:\Windows\System\qhspczV.exe
C:\Windows\System\beROeQP.exe
C:\Windows\System\yVwevHM.exe
C:\Windows\System\YeCFDqK.exe
C:\Windows\System\QxPhWDp.exe
C:\Windows\System\TKvMFRV.exe
C:\Windows\System\FHGeCaI.exe
C:\Windows\System\NxsvSQo.exe
C:\Windows\System\xZgfKFa.exe
C:\Windows\System\hvVJJyU.exe
C:\Windows\System\YKWErmK.exe

Network

Six identical connections were recorded (no domain resolved for the destination):

Country Destination Domain Proto Count
DE 3.120.209.58:8080 (none) tcp 6

Files

memory/1464-0-0x0000000000080000-0x0000000000090000-memory.dmp

memory/1464-2-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

\Windows\system\WenaqoJ.exe

MD5 c13a00d5283403ae1c1c7d360606f647
SHA1 323484f941612b3a569fca59bf89594f6636fbcc
SHA256 57c9de7748ce9a3c7e681dcd27d52a3a37690e6f202897ee3328b06db3ef5989
SHA512 859c79a952ce17c04897a8292184cdcf5e57f83684c58f18be1db3d5ec7203082c10c79ddc4dbe79c436c2ce615b6feac2955c5f6d0a72c9904136df72eacaf9

memory/576-9-0x000000013FC30000-0x000000013FF81000-memory.dmp

memory/1464-8-0x00000000023F0000-0x0000000002741000-memory.dmp

\Windows\system\OlNLbjR.exe

MD5 821ddbfe24db55c12a3e0de54e878637
SHA1 e18fd9b1473807693f2203aa787ff4379a3c33a9
SHA256 42f56463dce195fbae1468e399da44e10b9ddbec44381d3ac8a24030e96168e0
SHA512 10113178b2471ec0517c19b4d423e9c7722fac9e594f02031c63d0ddd8a52ed3ba0a8d49c41decbc43d47d36953d395cb5b04df971d749112a260e33e20da7df

memory/2332-14-0x000000013F9E0000-0x000000013FD31000-memory.dmp

C:\Windows\system\HteHcyq.exe

MD5 a9f5c8603567e49a2c1dafecbe57f8ea
SHA1 e5d1cc3f173dcc0b6fd41c31fff4e1854b8c7d98
SHA256 1ab74fdd74a4c1d03fe005ed203f4121cca5ae2c4768f73db0154ea5e1ec7668
SHA512 55ef2b267994ce572ae1887d621412a58481381d17ca388338f9cb4e18ae474bc4d5d05c31cd1101c116243f750595f05f33d83af665ef8fb01bffb87f6d7605

\Windows\system\ncCJlIN.exe

MD5 939162d3d76be8a06fc39314f60b2a85
SHA1 3f085e00f03fa5e78f00e5d7ee35997d0e6dc9b1
SHA256 3bd88b7b9154677e474603e5acc954979e79f3d439dd3c15ed4db386f9715391
SHA512 434b96db78a4ac6818f471cb93abd496371eea60c6fd1f48e5d8624b833b20712349aa975c7b4b8f00ede911534d9f8fc51d68529e56e3897bb4fc408f8c1544

memory/2240-27-0x000000013FC10000-0x000000013FF61000-memory.dmp

memory/1464-26-0x00000000023F0000-0x0000000002741000-memory.dmp

\Windows\system\vyhBERD.exe

MD5 a6eda52c2e4fa593e0fb527c71598c80
SHA1 54ff09906fe68c19bd6fe7d9dc2c6449f370f02a
SHA256 5f23eb480ff03c2f7b7febec3c6830e3f93bdc9082f859b26d0934fe237c284a
SHA512 3fd6ad3ecbfafdb8c9bdcdfab05461f966be8119c317df7d50829baf077e27024a947914d0f34d0e28fe80e2c0edb53e4eaeedac161d9a11660f91c9eb6d8689

memory/2712-33-0x000000013FB20000-0x000000013FE71000-memory.dmp

memory/2960-21-0x000000013FF70000-0x00000001402C1000-memory.dmp

memory/1464-19-0x000000013FF70000-0x00000001402C1000-memory.dmp

C:\Windows\system\ydajkJa.exe

MD5 94a732b81fb87c72206d0da10fcd8aed
SHA1 06cf190c0e5064131a8787ffbeacaab6162e4b22
SHA256 4e352def4194362ea2f540f983b9351b0ececdbfa37102f21446c4203a9cc739
SHA512 a8c37e2229abbead23c94a57b6f287a0f181d815db2194ac22338749b6f7ddbb8d8717e37c0cad1d26818a558e696e457bd537d610d860c4eb254430e64b42ac

C:\Windows\system\HxBlOMC.exe

MD5 f9bec652b04e850f236edd2fbc827317
SHA1 dc420a6dfa638ba5867a791e3b14290a4cac1291
SHA256 1f3f40d5623dee1e7d02027e490be151c8cf96763e0c21cdd7881cb0f3f5f263
SHA512 6eaf0d6d786c050cfe5ba9887fda46d1ad919df652d76a33dc8091710f5f1f5a4807838147aa3c813eb53390da46e64ae7d57db24e8f4cd6639e91e80bdaa167

\Windows\system\MbUNEAU.exe

MD5 7b5a32e251d08ba9baf684db50ac2cdb
SHA1 22e04771b789b53bdd1c689f7fb9dc3372440223
SHA256 f1d823107d6c9ee7fd8f42cd3c9359e36beffa137622137e409d7c3c32c75c7e
SHA512 1ae1e2422e1d0a82504d2fa1d7c0e87615f32d8fb75e3a5223b8f2a11472ac4379cb9b9bd99f6b36e0fada26d9f18673e4873baf347bb8dd3115db826995def3

memory/1464-54-0x000000013FFF0000-0x0000000140341000-memory.dmp

memory/2796-48-0x000000013F200000-0x000000013F551000-memory.dmp

memory/776-55-0x000000013FFF0000-0x0000000140341000-memory.dmp

\Windows\system\gdrcXks.exe

MD5 f12463632e80b223a352a2b6eae7d68e
SHA1 50b8451bfef16bac1a0d1f653eebe4ffd9ee1bed
SHA256 7c352fd2c24e037d16d716bd0011c12f196b238a019286a4cbc1395dc16c13cd
SHA512 10a465711f476609bd51b57d5a135956445345fcda95132a7fae8fa59b65411465c4acf39691b4bb3c23395eaac86beb7c687721a907613803b50f39ad2bb8cf

memory/1556-73-0x000000013F1F0000-0x000000013F541000-memory.dmp

memory/1464-72-0x000000013F1F0000-0x000000013F541000-memory.dmp

memory/1200-79-0x000000013F2D0000-0x000000013F621000-memory.dmp

C:\Windows\system\YeCFDqK.exe

MD5 cc943880f668b92f5a4adb18f767c8ef
SHA1 9db5d91081c876237065e716aa2bb990868efa8a
SHA256 2d0cd97a676ed84e6e3e0c6d01b29fcbc08280ef3e5b83a1492ca6a09e7b2e5f
SHA512 1c17768b3de182595f4109b12d6ed51d6e38f58752511bc6bb0414758161adcfd3ca15dbc3a744673ba26bdfac2764d80c22f833d1430cff7d440ccfc2821e97

C:\Windows\system\TKvMFRV.exe

MD5 6b25ababececbb9196d965d97a974806
SHA1 3b35f61dcbc3229cd8ba7135b1ee5d3ed484a59d
SHA256 6c361498da9af5a06a07777a9875196d4546e01a6590527ec0de8be5b3cebea8
SHA512 cb1841b22b9990296707fe928c4b151dfd02a6f3c040aafe7a660d7ae011493e1bda11af4a9f98e5ab53317ade945ebb1203d559c6e905ee825c9ae4e8d23527

C:\Windows\system\NxsvSQo.exe

MD5 1437b22845787e7de8f610e56b3ee488
SHA1 0ec10aa72545293670018bc16f48abe9400fecf3
SHA256 5a8de90c47bdaed81f60446beffc35fc8b4ffcfc9dc683708610c07330b0e6d0
SHA512 f7a1df9acef827c55c9d4ca36dee0418ef2c098e8920207e511ba4a689bb8cc65a925e90699fb529c005e51a080d067a164aa7af726bf00525a6d2a36e99f502

\Windows\system\YKWErmK.exe

MD5 fe0ec9c010600b72dceacea8d8df43af
SHA1 2011ef0f694e6e954111f378ffb126f5d75a9ba1
SHA256 888bbcfab680c1cd68b5fe94ce2116dbaa10452e53748bbe32aed9e6e865345b
SHA512 49fd1fa2b51dcd9655ff285b04c35aab861a4ebb898eb730dd908941b7f200e3321d24cf74490c39f516038c9603be674f3c1102ae89a5b02a34f98ebf169add

C:\Windows\system\hvVJJyU.exe

MD5 4286513126a21822533a7bb7145c08d4
SHA1 f8402078dfab7b4e75d52929101dafa72d71aea7
SHA256 7c3717f74e2afacd1bb52cbd100a46344e8241b61978e2255795c1de08cb00e8
SHA512 00e7defc88995f3594a76d556a162889551b090402886283ad177f46f70aee0364e5a8df158c3e5da1d0afe0fd8bf66de33425e0700bcc3513896d4be74ce524

C:\Windows\system\xZgfKFa.exe

MD5 8dc202f1d6e788fbeb8670cf576560bf
SHA1 3e269bb6a3bb0d65cfa231604d74445289f78279
SHA256 91a7368a53dc1b379af86f28e97c6a265cba8bb72afaed87e61db2b88e5f590c
SHA512 b2fc2d63bf1f949adfa3d41ad307874dff45121b2681982a1e7e282bcd912b5af6699993bddbde7d43991ca5520854314e444a3002bd9b8011415de9b7bc6e27

C:\Windows\system\FHGeCaI.exe

MD5 b7032a3e2cec44d895035e437f7db499
SHA1 67cf9615db120cfc86408a23d8c1c82729d2f2c0
SHA256 2c41d713e6db8a696bb6c7a4816cdbc845a40ecd3bfbcd9d54623167f699749f
SHA512 d7a6cc64b2529d7ecb52715db0fc505fa295ea6bd0fe58c6213c65f6bbc61e8b78b6bb244d32bbcdce867be44db0acc4df09b1b414243b216b5f2464fdd8aed0

C:\Windows\system\QxPhWDp.exe

MD5 4b183dbbd3e3cb9b6a06b46611d78a9a
SHA1 02e8397ec590a4c5fb03e066e95b83668d787639
SHA256 635092c6456f38834de46b705092e244971dc6cc167ed0680ddcf89a18ce9b2f
SHA512 6d4d47d01adaa20bc14b353d71d699f5ddd02f69d9be990a0ee5c0cd1cf9abfc4e1e8bedd52e168a0f806169384f3212523bab0e7ae83ed00062d6d8bf7682d2

memory/1464-106-0x000000013F040000-0x000000013F391000-memory.dmp

memory/1464-105-0x000000013F370000-0x000000013F6C1000-memory.dmp

memory/1332-103-0x000000013FB10000-0x000000013FE61000-memory.dmp

memory/2684-93-0x000000013FF80000-0x00000001402D1000-memory.dmp

C:\Windows\system\yVwevHM.exe

MD5 ff9758c3496c3670d6b0eb281e5fd8ee
SHA1 a0e70e1714ee189fdaa37ea3b20ac886386decd7
SHA256 ffc0d2808941642d28771f9457e8ef7d365b88a30de6c4fd4bfd175922599274
SHA512 4e902f57e2cd53a6589b854dacadac1a2915f8bb582a11603f920a8c6af9a507b7f8692b8665a054480e15ed20aa18ca290989856bd330d9e9a43ee198882580

memory/776-102-0x000000013FFF0000-0x0000000140341000-memory.dmp

memory/2796-97-0x000000013F200000-0x000000013F551000-memory.dmp

memory/1032-88-0x000000013FAD0000-0x000000013FE21000-memory.dmp

C:\Windows\system\qhspczV.exe

MD5 30e921ab9aa8a589c14f47ac03ad7148
SHA1 2f935f68afb2c05b2243d62740454629070cd57a
SHA256 043fefbb2c18360df1cf7b38fdf25484df1aa4faed29f0563095645a7a2e9ecf
SHA512 54b6a510c6bac1d9d9ac8700fff379cf84a0c8e97e9d028792f61354f0207fe5d105f0641fcc517102c0018b076467286ad2565162130dcf386658d022f26ff1

memory/1464-76-0x000000013F2D0000-0x000000013F621000-memory.dmp

C:\Windows\system\beROeQP.exe

MD5 0c78563b7b5c5feb77ef214ec050adb7
SHA1 b071ef0227c9a2d62535f0bb2a2b0b963e06aab9
SHA256 f1c425a6b58d46c33839f24cf9e4036f36be90a086f759e146b128a93592828a
SHA512 1c49d4ed5059acefc30b8194f29a6d4cc8ef3895f78c2f7a90b13fd1141748a1a23d25ab364f36966f8c0137f2e0e807969226a71749507cf53be0cec2543983

C:\Windows\system\rjcEPXC.exe

MD5 a570cfb690aa4fdef92b2da973a3c63e
SHA1 cf7db3f94ead7baa58e78515ba41e1ef3498654e
SHA256 e6da3873bf088e184534b4b86466b9fc45a5ab26158a9f78bcde717d94eb9b70
SHA512 fead50a3f0fa7e327e9c0583a9663952606c4fe72e2d8b5ccfca0b03bb43bb262b9689b06e5f988529ac95c883035abb7aea36a369c966ce8a97a482f30cbc55

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-07 20:44

Reported

2024-08-07 20:47

Platform

win10v2004-20240802-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ZHPNJPC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LZewaqy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RayVyuD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bEMESrx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kqkYUsQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wgCnGuY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jbGLeSG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qlFmlJt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AuFXGrm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uTbUDxE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FdUqPVy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AjIkJVh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WQMNYvn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NkgTGsz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eiNJBKx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PdAWZSZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KtXDbou.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iygrAYr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cDWbzxb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zEIlgpV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NtYGPmQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3320 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZHPNJPC.exe
PID 3320 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZHPNJPC.exe
PID 3320 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jbGLeSG.exe
PID 3320 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jbGLeSG.exe
PID 3320 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qlFmlJt.exe
PID 3320 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qlFmlJt.exe
PID 3320 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NkgTGsz.exe
PID 3320 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NkgTGsz.exe
PID 3320 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LZewaqy.exe
PID 3320 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LZewaqy.exe
PID 3320 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AuFXGrm.exe
PID 3320 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AuFXGrm.exe
PID 3320 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RayVyuD.exe
PID 3320 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RayVyuD.exe
PID 3320 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eiNJBKx.exe
PID 3320 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eiNJBKx.exe
PID 3320 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uTbUDxE.exe
PID 3320 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uTbUDxE.exe
PID 3320 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zEIlgpV.exe
PID 3320 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zEIlgpV.exe
PID 3320 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NtYGPmQ.exe
PID 3320 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NtYGPmQ.exe
PID 3320 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bEMESrx.exe
PID 3320 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bEMESrx.exe
PID 3320 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FdUqPVy.exe
PID 3320 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FdUqPVy.exe
PID 3320 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AjIkJVh.exe
PID 3320 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AjIkJVh.exe
PID 3320 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PdAWZSZ.exe
PID 3320 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PdAWZSZ.exe
PID 3320 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kqkYUsQ.exe
PID 3320 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kqkYUsQ.exe
PID 3320 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WQMNYvn.exe
PID 3320 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WQMNYvn.exe
PID 3320 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KtXDbou.exe
PID 3320 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KtXDbou.exe
PID 3320 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iygrAYr.exe
PID 3320 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iygrAYr.exe
PID 3320 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wgCnGuY.exe
PID 3320 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wgCnGuY.exe
PID 3320 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cDWbzxb.exe
PID 3320 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cDWbzxb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\ZHPNJPC.exe

C:\Windows\System\ZHPNJPC.exe

C:\Windows\System\jbGLeSG.exe

C:\Windows\System\jbGLeSG.exe

C:\Windows\System\qlFmlJt.exe

C:\Windows\System\qlFmlJt.exe

C:\Windows\System\NkgTGsz.exe

C:\Windows\System\NkgTGsz.exe

C:\Windows\System\LZewaqy.exe

C:\Windows\System\LZewaqy.exe

C:\Windows\System\AuFXGrm.exe

C:\Windows\System\AuFXGrm.exe

C:\Windows\System\RayVyuD.exe

C:\Windows\System\RayVyuD.exe

C:\Windows\System\eiNJBKx.exe

C:\Windows\System\eiNJBKx.exe

C:\Windows\System\uTbUDxE.exe

C:\Windows\System\uTbUDxE.exe

C:\Windows\System\zEIlgpV.exe

C:\Windows\System\zEIlgpV.exe

C:\Windows\System\NtYGPmQ.exe

C:\Windows\System\NtYGPmQ.exe

C:\Windows\System\bEMESrx.exe

C:\Windows\System\bEMESrx.exe

C:\Windows\System\FdUqPVy.exe

C:\Windows\System\FdUqPVy.exe

C:\Windows\System\AjIkJVh.exe

C:\Windows\System\AjIkJVh.exe

C:\Windows\System\PdAWZSZ.exe

C:\Windows\System\PdAWZSZ.exe

C:\Windows\System\kqkYUsQ.exe

C:\Windows\System\kqkYUsQ.exe

C:\Windows\System\WQMNYvn.exe

C:\Windows\System\WQMNYvn.exe

C:\Windows\System\KtXDbou.exe

C:\Windows\System\KtXDbou.exe

C:\Windows\System\iygrAYr.exe

C:\Windows\System\iygrAYr.exe

C:\Windows\System\wgCnGuY.exe

C:\Windows\System\wgCnGuY.exe

C:\Windows\System\cDWbzxb.exe

C:\Windows\System\cDWbzxb.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4056,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=3896 /prefetch:8

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/3320-0-0x00007FF790CC0000-0x00007FF791011000-memory.dmp

memory/3320-1-0x00000239783C0000-0x00000239783D0000-memory.dmp

C:\Windows\System\ZHPNJPC.exe

MD5 ee131c0f690bf0a34c6119eaf77e165a
SHA1 9d8d0cff4b715ebc9bb2d48bf2c81bad0ede4bbd
SHA256 771963d26310700fea53c647b86c90499b2d03abfe18e5513957c53f9c3fa6cb
SHA512 23e0de3a766a8456be1b291eeeba4ffd69aa85f10253b0d38d38f37ea537c69e18ead4070f108c6cff230f8f1d3f48cecc21b8c625b07f297094c54943e3303c

C:\Windows\System\qlFmlJt.exe

MD5 08308c8789368cb5ae0f9e3d999bbdde
SHA1 0582db3f35d89b575f84e533ec7cb5804753b871
SHA256 a4409086020be1a187ca38e3c9a4463bd32b7a2186db56847ae22fe6f7572f39
SHA512 2c79a18fdca6143decb542aabc5da4215143ccf8f9ab74156e58c688e99e5741b79bff1697ac7c11a0dd622bd0996d980f475b1f13be8a407b51038ad45b0f1a

memory/3948-8-0x00007FF660F10000-0x00007FF661261000-memory.dmp

C:\Windows\System\NkgTGsz.exe

MD5 4e1a83cee8e092bab19cb01af02434d2
SHA1 99b235c1f6554a40fe8b9a48631bd53dacd041f6
SHA256 7b6d8f58037d964554a5c0bf68ceffc80f425d59621a7b3d594e496e405f4c6e
SHA512 1168ecdbbd1aa259b0c15324e49c4d28bf207d5ccdd582a4f87222cb28e27a286e0017d7cc3c428e154b6e43bc2108c4492a1cb902cc33a4de95c3b801e714c3

C:\Windows\System\jbGLeSG.exe

MD5 9180475dc85b14a9d94040ad7378f3a2
SHA1 6f1615f35f03f78106047709b5d330d210b3d22a
SHA256 4d381a9468de0d688ecc12b2c9a688b43535f75d90c0d83c58e52cff4151aef8
SHA512 c426fc6babd786fcdb0bb3e0406c11c77fdb569f7bd81e1e134fdc1c7d8e161c8692750e90c76bd1b6bc18958d0f20b2131992d29f8f9261c9ba0f335bbd3033

memory/3680-33-0x00007FF7A1280000-0x00007FF7A15D1000-memory.dmp

memory/4128-34-0x00007FF723EF0000-0x00007FF724241000-memory.dmp

C:\Windows\System\RayVyuD.exe

MD5 5d3afc8db59d4d122416aac48a802a25
SHA1 a060888afcc54f5562f77fa192044f112fa35513
SHA256 683afcb99f53b1f83b1fe107ebcea14eb3eaf19ea1f1b6012b841fd8a39ab0f9
SHA512 9d6196b8d6b2c44b105f400e793ba742b65f9b051628fb5babce0529af1d7c47f2a4270c6053becc59ce070470d7b11d13d3420474cee1037b7c29e3b45fd534

C:\Windows\System\AuFXGrm.exe

MD5 0b98af4559cafd5941e57377fd31182b
SHA1 c3196f2f03f97aafe006ef76c80099c6b49e7e42
SHA256 d4532636dd67df286b9ba773982d21e9215e7e6eed672f4f15380942e9bdfd8b
SHA512 258139e18937eadf93d83bd598a8721ddffe07e23c44139cf9abafd7f5ffb7dfb1da499d78b0a3b621fca79e2e09b5279443818b82895a471d9967ca7133ba71

C:\Windows\System\uTbUDxE.exe

MD5 a363c661c53db3ff8369c1a2f5414204
SHA1 666e1c1ee9cd7454c2e79560307554902cfb2d8b
SHA256 a2a4d411455cd75fc030be3d0917e67125406f98736e184b7391af9171694fa9
SHA512 871c276923aa786ba810fa2a607e7e03266f8ef147a0e702b695e1db813fde7645fb5c3a3b896f8862e2ef48125c8550583896961e54a7a0126f0ebe0b036954

C:\Windows\System\NtYGPmQ.exe

MD5 61eb30d01c5de07d2d73e20c40c00e38
SHA1 6aaf9d390311fed175baa9284e7eacc9b66a66b7
SHA256 9c4bc505c8291753bbcf9e581429ab693441eaae74e81ac28c2b2c28633476eb
SHA512 4cc2465ad95d8e2550a811f0967c7f0acde9599ca0da0f33d2cdb19fbb8bcad6ade2988431d2b4c05a658a5b641acfe0dc93310415e37938d0f71a1600bd24bf

C:\Windows\System\WQMNYvn.exe

MD5 d2eb2c97fa6c40987a6e38bf7b1c100c
SHA1 94bf4762e3e43e977b3d44225ff6545461b395dc
SHA256 b177aa4837857e811354facf9d86cf4ac28448ca268b82454b357573173d178e
SHA512 f9825cbd65f09df478be20a2bcabcc1fd7664e371900ea3ab69e680437fc6758ecd188f0f1e5552c50b5e4c9b1aaf21fe0ba329cef149560e9136c3152a5b407

C:\Windows\System\cDWbzxb.exe

MD5 188b211175e19dda47f03a8508f14773
SHA1 53c1062bc40f14973a35d2e69f33859676d935ad
SHA256 f8d57827465f740fdefb2ca36dfb9fc805ee4bdc23a0980553c147dc4ae690e8
SHA512 a603ecee53d6b85a0569bb08442a49ebf378cf0db5545f83e1e0243919350891591d829cc4515ba997c52c3ede37943ffead1d9ff17d864521ea34ae703c8004

C:\Windows\System\wgCnGuY.exe

MD5 4ffd1c8e3a1c3b3c01a5cd4ac884c46a
SHA1 bdf8c52877488208203504a7d1bcd621f0d2f90b
SHA256 eabc61c3a4f4eabcfb63019a9a159460b910276259109b7ec4a06950e44abba5
SHA512 954f47f4f20b3f69000eaa1b3750d132f8f9c25b14f3dca8028568fb6cc2c45d0716d5e9518dd9abf88552bb2835857e4817ca4286540b9061375109ee23f717

C:\Windows\System\iygrAYr.exe

MD5 90c9521aff97adaa6cb3b77ce838dbfa
SHA1 d398bf100e369ea3a34564b40ebeda9f7053b94e
SHA256 29a10bd85c56d7b03983fbe997aa03ae51665d12d370ffdae5f6350b5738af86
SHA512 19bcd0a30dc35a85dbd859cb37313c35df7283e0695a51bdae01019204697f02d4257ae94f3f88bffbd11142e5fd9a4a9f288df81b1faa24da5f8d247e51fcf9

C:\Windows\System\KtXDbou.exe

MD5 e2130a192ee4addccababf4ec1fa4aac
SHA1 254c056c7ac2d57c3f3c11eb8eb37cd6414ac483
SHA256 00ab6c187f607b546fc082e66b094ce5fecdfb2ee0ed76f68f31ea8cafe33bd8
SHA512 d86c9c40feae4b8148396882ff0ad9c729ef3175d1cf51ecf4cb78d77c7afb56b418157b9c5624e312e6ecd9744c819abefe971ca020b215491286c0f4118d83

C:\Windows\System\kqkYUsQ.exe

MD5 1b2f6c220a0d78067add47cd17da681c
SHA1 cc0dae9ada470ec0bb900addd84bd20a756fffe8
SHA256 3f32b6b5f74c7fd70bae724a37aae55332f909723ed3fd2383d52d0b608b7b1c
SHA512 efdbf220c0f895c1bbb5cfedfb05b8ed9d7377e632f8ffe246f0d835c08cc91cd120aa97813e69cc7ccb4d34ce8a9adb68c780f5518eb3ae97cf0e17ca75df19

C:\Windows\System\PdAWZSZ.exe

MD5 7703a69c3e61f3ccaf2f9096311e264e
SHA1 48b999e6ff78353fc140dbfd9d6385f61869a1c1
SHA256 9b3c6868e2893b0b18e02b3f38f469cdf2f0abee191f2ec61c5102894f605022
SHA512 b44ead27ef6ade20a0b1c494d616e4ab5a9cb3854b4288570f56119822a129b2601e5531add15653a80b90cfb252b5000ce7fe5956fce60a469b25356df997bb

C:\Windows\System\AjIkJVh.exe

MD5 42da02e06bd7f8484e0f7dc3b25ce12c
SHA1 88d29d124e6a3c4ef61f25945dc74fcf4aa463ed
SHA256 a9d4d99ba7f2bb063731fefb67593485b3d2592a79c6e722172902fab072d4cc
SHA512 1014f97e7b19336051f585203a10a3f99599dffd0e8e434e01e5bcf26282ff48820f3a2b36cecc72057072f207c5b1e96f1fa080b8b2dafbd05ec4738dd64e7c

C:\Windows\System\FdUqPVy.exe

MD5 ddfc0ea6efae48bb92b28c25ddd8986b
SHA1 38acb6921f00f3229a2998f3a4a5bde29161c910
SHA256 7fbc6c6f057be30c442ad75f97335d7255ba9c38ac8e6f1bfa6e5912203828c1
SHA512 b8f29974585f8a0a4cd02c9bdb3e9cad916db507d3fb9db201fe846f8d2c5487252b97a186051c4b0d71babe6db1097810da4c7f7d484c10cb78f71c4631506a

memory/1512-80-0x00007FF668FD0000-0x00007FF669321000-memory.dmp

C:\Windows\System\bEMESrx.exe

MD5 2a915343a3b94ce5e9e08df617e80f73
SHA1 f48ab84f681f53b9ac757590abf7acffce4f1088
SHA256 6c7f3b82a2f269b8df0df3672348725602498140812c2f4e9e404ab925da79ad
SHA512 5adf48b8a2ca447217df58b6b7019fd0bebd94eb3c0a28a6d55778397540d29fb249689947ce7eeac50ce6c61cc8223c0b7a71777ffb33e7e4b686ad82308985

memory/2740-69-0x00007FF7B1DF0000-0x00007FF7B2141000-memory.dmp

memory/4884-61-0x00007FF61EDC0000-0x00007FF61F111000-memory.dmp

C:\Windows\System\zEIlgpV.exe

MD5 0e8276620e8b4ec3f12038862c322fa9
SHA1 a6415b588ad13dbdef58d865ca7bb59f77c91b42
SHA256 88edaa5ef204fa7225c8e5369ffbe6d19334d66dfe1dd87f2ae30fcefebea320
SHA512 f6c0096830020d6f487cd525ddf571193795f237ff11f7d918c6f1f5b92b2a888462b305cd3c00626485f3bf23040f0af12c7db0ec4608762a271a0aa171d597

C:\Windows\System\eiNJBKx.exe

MD5 60c2528a73238ec0a292fa0cf926b100
SHA1 a120925a6b504b3a4b81ca9a82419ce51636e172
SHA256 efbadc4e4fad1ffeea05ed8ee0aa5f2c2de25347ac22c947e6e79dc61bf61e00
SHA512 6e30e6fbbca267be481944122ab60a840f0ef76d01606c4eacd789d01d79ecaee74acf7f98842a70a4dd987e94563adeeb27e33b7026e8a44e5a00cdb4244554

memory/4480-45-0x00007FF712370000-0x00007FF7126C1000-memory.dmp

C:\Windows\System\LZewaqy.exe

MD5 c97481e16df51133685ba9168bbaa696
SHA1 81fa6ec75700ae4ef85ea8e321b4261eeff98149
SHA256 29bd6b579fb444c336ca5369d339a8d97705e51bbecac46e9f32e0e1d6686937
SHA512 edb983e9921f7dd3a54ea22fe976f576865d474be58982bd79fe3e2fef37fdadc0b444723ce3c595945d4059f0d7081775b1b2a4fe6f0687cee5ada1398d9cbc
