Malware Analysis Report

2025-03-15 08:04

Sample ID 240813-nzqv8awfql
Target 2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat
SHA256 0ded469b0368f4d680688dc69a218552931e1fc78feaa68e4a981c1b189feb4b
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0ded469b0368f4d680688dc69a218552931e1fc78feaa68e4a981c1b189feb4b

Threat Level: Known bad

The file 2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike

xmrig

Cobaltstrike family

Cobalt Strike reflective loader

XMRig Miner payload

Xmrig family

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-13 11:50

Signatures

Cobalt Strike reflective loader

1 match recorded; no description, indicator, process or target exported.

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
1 match recorded; no description, indicator, process or target exported.

Xmrig family

xmrig

UPX packed file

upx
1 match recorded; no description, indicator, process or target exported.

Unsigned PE

2 matches recorded; no description, indicator, process or target exported.

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 11:50

Reported

2024-08-13 11:52

Platform

win7-20240708-en

Max time kernel

141s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

21 matches recorded; no description, indicator, process or target exported.

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
41 matches recorded; no description, indicator, process or target exported.

Loads dropped DLL

21 events recorded, all attributed to the process C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe; no description, indicator (DLL path) or target exported.

UPX packed file

upx
64 matches recorded; no description, indicator, process or target exported.

Drops file in Windows directory

Description Indicator Process Target
All 21 rows: File created, process C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe (PID 2884), target N/A. The indicator column (the created file) for each row, in report order:
C:\Windows\System\mKIbRtn.exe
C:\Windows\System\FHulRji.exe
C:\Windows\System\ooZFHrR.exe
C:\Windows\System\LMHJYTQ.exe
C:\Windows\System\FdFzDvw.exe
C:\Windows\System\FwlFsHR.exe
C:\Windows\System\nswOQON.exe
C:\Windows\System\tFwslCX.exe
C:\Windows\System\BXeVRkd.exe
C:\Windows\System\APETBhb.exe
C:\Windows\System\siwHftl.exe
C:\Windows\System\BJhdyon.exe
C:\Windows\System\oxiuALY.exe
C:\Windows\System\YsmRNOc.exe
C:\Windows\System\XHanqSi.exe
C:\Windows\System\TtcBxLZ.exe
C:\Windows\System\DUHqOoM.exe
C:\Windows\System\PpsMoZW.exe
C:\Windows\System\foXOuoi.exe
C:\Windows\System\PMINowk.exe
C:\Windows\System\XsnDvpk.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
Every row has process C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe (PID 2884) and no indicator; the report lists 3 identical rows per child. Condensed to one line per child, in report order (description, row count, target):
PID 2884 wrote to memory of 2728 (3 rows) C:\Windows\System\XHanqSi.exe
PID 2884 wrote to memory of 2852 (3 rows) C:\Windows\System\ooZFHrR.exe
PID 2884 wrote to memory of 2908 (3 rows) C:\Windows\System\BXeVRkd.exe
PID 2884 wrote to memory of 2740 (3 rows) C:\Windows\System\tFwslCX.exe
PID 2884 wrote to memory of 2600 (3 rows) C:\Windows\System\LMHJYTQ.exe
PID 2884 wrote to memory of 2660 (3 rows) C:\Windows\System\mKIbRtn.exe
PID 2884 wrote to memory of 2652 (3 rows) C:\Windows\System\XsnDvpk.exe
PID 2884 wrote to memory of 380 (3 rows) C:\Windows\System\TtcBxLZ.exe
PID 2884 wrote to memory of 584 (3 rows) C:\Windows\System\APETBhb.exe
PID 2884 wrote to memory of 852 (3 rows) C:\Windows\System\DUHqOoM.exe
PID 2884 wrote to memory of 2256 (3 rows) C:\Windows\System\PpsMoZW.exe
PID 2884 wrote to memory of 2060 (3 rows) C:\Windows\System\FHulRji.exe
PID 2884 wrote to memory of 2700 (3 rows) C:\Windows\System\siwHftl.exe
PID 2884 wrote to memory of 2236 (3 rows) C:\Windows\System\FdFzDvw.exe
PID 2884 wrote to memory of 2672 (3 rows) C:\Windows\System\foXOuoi.exe
PID 2884 wrote to memory of 2692 (3 rows) C:\Windows\System\BJhdyon.exe
PID 2884 wrote to memory of 1232 (3 rows) C:\Windows\System\FwlFsHR.exe
PID 2884 wrote to memory of 1848 (3 rows) C:\Windows\System\oxiuALY.exe
PID 2884 wrote to memory of 1268 (3 rows) C:\Windows\System\nswOQON.exe
PID 2884 wrote to memory of 1272 (3 rows) C:\Windows\System\YsmRNOc.exe
PID 2884 wrote to memory of 1956 (3 rows) C:\Windows\System\PMINowk.exe
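The two tables above together describe one behaviour: the sample, running from the user's Temp directory, writes 21 executables with random 7-letter names into C:\Windows\System (the legacy directory, not System32, where no normal installer places binaries), launches each one, and is recorded writing into each child's memory three times. Because every dropped file has a different hash (see Files below) while the drop path, name shape and parent relationship stay constant, a detection has to key on the pattern rather than on hashes. The following Python is an added example, not part of this report or of the sandbox that produced it; the event rows are constructed to match the shape of the tables above (a subset of the 21 children plus two benign contrast rows), and the regular expressions and the "user-writable parent" heuristic are my assumptions. Note the caveat on the third test: a parent writing into a child it has just created is also what an ordinary process launch looks like in this kind of telemetry, so the WriteProcessMemory rows carry weight only in combination with the drop location and naming.

```python
import re

# Constructed sample rows copied in shape from the "Drops file in Windows
# directory" and "Suspicious use of WriteProcessMemory" tables of this report
# (a subset of the 21 children; two benign-looking rows added for contrast).
PARENT = (r"C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e"
          r"_cobalt-strike_cobaltstrike_poet-rat.exe")

FILE_EVENTS = [
    # (description, indicator/path, process)
    ("File created", r"C:\Windows\System\mKIbRtn.exe", PARENT),
    ("File created", r"C:\Windows\System\XHanqSi.exe", PARENT),
    ("File created", r"C:\Windows\System\ooZFHrR.exe", PARENT),
    ("File created", r"C:\Windows\System\BXeVRkd.exe", PARENT),
    # constructed contrast row: a system-owned write into System32 is not flagged
    ("File created", r"C:\Windows\System32\drivers\etc\hosts", r"C:\Windows\System32\svchost.exe"),
]

WPM_EVENTS = [
    # (description, process, target); three rows per child, as in the report
    ("PID 2884 wrote to memory of 2728", PARENT, r"C:\Windows\System\XHanqSi.exe"),
    ("PID 2884 wrote to memory of 2728", PARENT, r"C:\Windows\System\XHanqSi.exe"),
    ("PID 2884 wrote to memory of 2728", PARENT, r"C:\Windows\System\XHanqSi.exe"),
    ("PID 2884 wrote to memory of 2852", PARENT, r"C:\Windows\System\ooZFHrR.exe"),
    ("PID 2884 wrote to memory of 2852", PARENT, r"C:\Windows\System\ooZFHrR.exe"),
    ("PID 2884 wrote to memory of 2852", PARENT, r"C:\Windows\System\ooZFHrR.exe"),
    # constructed contrast row: a normal launch also shows parent->child writes
    ("PID 1000 wrote to memory of 1001", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe"),
]

# Assumed heuristics (not from the report): C:\Windows\System (legacy 16-bit
# directory) plus a 7-letter alphabetic name, and a parent under a user profile.
# NTFS is case-insensitive and this report mixes "System" and "system", so
# every path match ignores case.
RANDOM_SYSTEM_EXE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
WPM_DESC = re.compile(r"^PID (\d+) wrote to memory of (\d+)$")


def dropped_random_exes(file_events):
    """Return {dropped path (lower-cased): dropping process} for random-name drops."""
    return {path.lower(): proc
            for desc, path, proc in file_events
            if desc == "File created" and RANDOM_SYSTEM_EXE.match(path)}


def memory_writes(wpm_events):
    """Collapse per-write rows into {(src pid, dst pid): (src image, dst image, count)}."""
    out = {}
    for desc, proc, target in wpm_events:
        m = WPM_DESC.match(desc)
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        src, dst, n = out.get(key, (proc, target, 0))
        out[key] = (src, dst, n + 1)
    return out


def drop_and_execute(file_events, wpm_events):
    """Flag children that (a) were dropped into C:\\Windows\\System under a random
    name, (b) by a process running from a user-writable path, and (c) then had
    that same process write into their memory. All three must hold."""
    drops = dropped_random_exes(file_events)
    hits = []
    for (src_pid, dst_pid), (src, dst, n) in sorted(memory_writes(wpm_events).items()):
        if drops.get(dst.lower()) == src and USER_WRITABLE.match(src):
            hits.append({"parent_pid": src_pid, "child_pid": dst_pid,
                         "child": dst, "writes": n})
    return hits


if __name__ == "__main__":
    for h in drop_and_execute(FILE_EVENTS, WPM_EVENTS):
        print(f"{h['parent_pid']} -> {h['child_pid']} {h['child']} ({h['writes']} writes)")
```

On the constructed rows this reports the two children that satisfy all three conditions (PIDs 2728 and 2852, three writes each) and ignores both contrast rows: the svchost write lands in System32, and explorer launching notepad produces writes but no matching drop.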

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\XHanqSi.exe

C:\Windows\System\XHanqSi.exe

C:\Windows\System\ooZFHrR.exe

C:\Windows\System\ooZFHrR.exe

C:\Windows\System\BXeVRkd.exe

C:\Windows\System\BXeVRkd.exe

C:\Windows\System\tFwslCX.exe

C:\Windows\System\tFwslCX.exe

C:\Windows\System\LMHJYTQ.exe

C:\Windows\System\LMHJYTQ.exe

C:\Windows\System\mKIbRtn.exe

C:\Windows\System\mKIbRtn.exe

C:\Windows\System\XsnDvpk.exe

C:\Windows\System\XsnDvpk.exe

C:\Windows\System\TtcBxLZ.exe

C:\Windows\System\TtcBxLZ.exe

C:\Windows\System\APETBhb.exe

C:\Windows\System\APETBhb.exe

C:\Windows\System\DUHqOoM.exe

C:\Windows\System\DUHqOoM.exe

C:\Windows\System\PpsMoZW.exe

C:\Windows\System\PpsMoZW.exe

C:\Windows\System\FHulRji.exe

C:\Windows\System\FHulRji.exe

C:\Windows\System\siwHftl.exe

C:\Windows\System\siwHftl.exe

C:\Windows\System\FdFzDvw.exe

C:\Windows\System\FdFzDvw.exe

C:\Windows\System\foXOuoi.exe

C:\Windows\System\foXOuoi.exe

C:\Windows\System\BJhdyon.exe

C:\Windows\System\BJhdyon.exe

C:\Windows\System\FwlFsHR.exe

C:\Windows\System\FwlFsHR.exe

C:\Windows\System\oxiuALY.exe

C:\Windows\System\oxiuALY.exe

C:\Windows\System\nswOQON.exe

C:\Windows\System\nswOQON.exe

C:\Windows\System\YsmRNOc.exe

C:\Windows\System\YsmRNOc.exe

C:\Windows\System\PMINowk.exe

C:\Windows\System\PMINowk.exe

Network

Country Destination Domain Proto Connections
DE 3.120.209.58:8080 (none) tcp 6

The report records no domain and no payload detail for these six connections, so the IP and port are the only network indicators this page supports; nothing here ties the traffic to Cobalt Strike or XMRig specifically.

Files

memory/2884-0-0x000000013F700000-0x000000013FA51000-memory.dmp

memory/2884-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\XHanqSi.exe

MD5 86fa59ec11f939e5a9237391543b320d
SHA1 bbe175f47417a95a4dc22e67460a213de57b31d6
SHA256 dac458d9b9de03c6b0358ac0401ce973e759e90b28285109e6116e3ab3857d2b
SHA512 52e717d1272a1fa08a79f518eabeebc3df32ac17e3a22f683f01de15b31a965eb764f9ccb0e96dbe12f57ce358b189265b3efe6ce731c4dd8d19c9105a180312

memory/2884-6-0x000000013FFA0000-0x00000001402F1000-memory.dmp

memory/2728-9-0x000000013FFA0000-0x00000001402F1000-memory.dmp

C:\Windows\system\ooZFHrR.exe

MD5 7a85ba9dd1ac229b8a2b69838049111b
SHA1 55bd436d226d4df4d759aa3d48385efbcdb123d3
SHA256 374f0faa8b4c0e90c63f645b08eaed9a061e16ad2941c4fa19a7d0fa3631f68d
SHA512 fdef40676334a7c1d9bfcb7f6ac69a1efd692ec2aec1d77d9b17ca2bfd0abe1f5dfb786486deebbb330a7fd59a34f57f21e43f16f6234144226251721e852c2a

memory/2884-15-0x000000013F2E0000-0x000000013F631000-memory.dmp

C:\Windows\system\tFwslCX.exe

MD5 5623d65846c4ae92bccccef515a3c53e
SHA1 d9336f6faccb65cb38db95ef7971e8f75e56d662
SHA256 71ea8c354240fa7ac580b325fc01ff5d198147402f807edb4ee685ddbbf58db6
SHA512 b5da32e6393beab2e09ead75403a09beed871acb737caad1b2955c4556e469850c8be297690ff9263c0b3a27b1d636099c505fbf29436a2f7135d2bc5cd954cc

C:\Windows\system\BXeVRkd.exe

MD5 b94cebbcb6172568912ef4847ae14681
SHA1 e1f1b953b889b194bf63c4718d4fc068d497b6ee
SHA256 41c322e9ff44295de0edc3640ab0bafd75b145bcdceaf411cb56c96deec833b1
SHA512 01d4f61d27e0435c4a778e43423dfa4691ddc7df28ceb1b2ede1336c664b15fc4eecf1101079ea0916f65f221d2209b3f13793b053ab362344de5a7738fededd

memory/2740-27-0x000000013FD30000-0x0000000140081000-memory.dmp

C:\Windows\system\LMHJYTQ.exe

MD5 e63c7f25d4f079fa8e194ff707a17842
SHA1 2b616655c40a7c63fab84050b56d11195092e31d
SHA256 aa79d1cf5db65e058bf8e4a1c92e5f72ba1c58c99aac5f1627e5b1af196eec0f
SHA512 59bf730aa910c14fef40e079f2cf76e7d992b1df9684d7e51f7c1445cde880ac12c8f027d12346ab632e8a372f8c13bfc71852cc641a73f4ea887d112ae1ce30

C:\Windows\system\mKIbRtn.exe

MD5 c4e6459c6a6c44b38faed4e78e54dc1a
SHA1 dd6c5f89f743cac5bfcd664501f495f6cf4fdfc2
SHA256 0d4182c209c4096b4a65f53fd556265a175ab91711522253979f89d7bc7b48e3
SHA512 bdc9ccbded378ce5bb242485721923d4fedc5145306e9c5ca9b634d37824ab27b6c9a97a6a1141fdae162b6669a6936bdb71de49d6eef9043e87002c9cfb3bf0

memory/2852-19-0x000000013F2E0000-0x000000013F631000-memory.dmp

memory/2660-41-0x000000013FE80000-0x00000001401D1000-memory.dmp

memory/2884-33-0x000000013FFA0000-0x00000001402F1000-memory.dmp

memory/2908-32-0x000000013F740000-0x000000013FA91000-memory.dmp

C:\Windows\system\TtcBxLZ.exe

MD5 8c0e3fcaf469784d1ba8ff887f52d625
SHA1 069c832f21d1387d83f3488f03a153c8345bcfc5
SHA256 aa92e6f2f60017bdbb15e4a24e514520ccf7ebd6b48108807499af201b34d398
SHA512 795d16827d2ebd4ee37a721acf27af7f54034b2c6f52219f2fdcac570a2a38643ede2195205271d1c4dcbb04aa98781cbb5a94a61aeff159e787c0c91d0a43a1

memory/380-55-0x000000013F3D0000-0x000000013F721000-memory.dmp

memory/2652-49-0x000000013F3D0000-0x000000013F721000-memory.dmp

memory/2728-68-0x000000013FFA0000-0x00000001402F1000-memory.dmp

memory/852-69-0x000000013FED0000-0x0000000140221000-memory.dmp

memory/584-61-0x000000013F2F0000-0x000000013F641000-memory.dmp

memory/2060-83-0x000000013FB70000-0x000000013FEC1000-memory.dmp

memory/2884-96-0x00000000022F0000-0x0000000002641000-memory.dmp

C:\Windows\system\oxiuALY.exe

MD5 868792d988e9b34357c2ba69ede23343
SHA1 63666d568ab2354498a7f614d7ed52b3011bf876
SHA256 4c4ba5796dea8da25705c81539effe1dac12e5acf31047fdee6708747770b0d5
SHA512 f0ee3fe63041dcbbe2b2197d95bb6a3af0383e8528aba8b286634d5a025b0e18614cf6e1937b95ddba63b8575f9d62eeb63255da6f5665bca7939fa706345f04

C:\Windows\system\YsmRNOc.exe

MD5 e935c488f2737f1834a15ad749c92382
SHA1 b74a3c98109782c2b4846af51626cc914817166e
SHA256 c6cb01cb7f50ec38a305a69c0f67cfe8712696edf849cf1a979b913a01ba3ab0
SHA512 4a5c6df099fbfe23042f41ff917016d3959e768cfbbf93320f7bf6f0f5513fcad22e49ebdfdb9b59e4bf013ff6e37b2fce13a8240fd6e9b8fbe4e94c6c590584

\Windows\system\PMINowk.exe

MD5 9a261ac68a113f4749bd27e0e289e8c2
SHA1 5d4e7219f952d7775d80ebaf9385be2739b88361
SHA256 d656605c1078637feb0d3fdc1fbe6467297b50f180fcae0967c27d6649c1c41e
SHA512 b321318ef122627860b09671cac9136e18499d17b78fe7fd198513dedb17bb2222d4f52f8d37cf6fccf8afa79fcbfdae8a58c4ef2711ade799c83eac9ab88d65

C:\Windows\system\nswOQON.exe

MD5 85616bcad8e3c5424c65fd3f7cdedb5e
SHA1 349fbc8f2307920d7f913117c3e93163dc1a534b
SHA256 90d35535d94b52f821fd4de6f07a51d4e718d6573e9ff1dc5ba06796763373a8
SHA512 f2d56b9b8947fcff7f4d6fa2c18c8a91f6f36e7fd3a35ac87cd9ff54b8d9fac5419adf452b6e8becd555afaf4dbcf7f55bdf8281199df6b1ce131c9f921c87f8

C:\Windows\system\FwlFsHR.exe

MD5 4247d609adb3c0bed702e8720b7777f2
SHA1 447ce12363c507f2040812fd4e2dca6b0869418d
SHA256 a5522a4264c56256e06e435088d7028d870bf31419debe7c7342e15e964b2cdc
SHA512 3d4c477d816ce648522fb7d42f3914d735597e5d3bcfeba3abdc32ffb055ff48ca84efacc0fee4fa6e48671adc27ced3fbbd524f87853012491e792c4af45e35

memory/2884-104-0x00000000022F0000-0x0000000002641000-memory.dmp

memory/2908-103-0x000000013F740000-0x000000013FA91000-memory.dmp

C:\Windows\system\BJhdyon.exe

MD5 fcbdff7368d5e525560416255d70d3b4
SHA1 7b48eb5b89b2bc0a1b50dc3683dd42559602d5f9
SHA256 eea5017ca6336a117f3f12a1a831cccf1c716bb1b4d3b5a865156f72caf64753
SHA512 bf415cd9389e85476ab67d7f5c51df5cee0d1acb495657d63c902276f9c704e7652989cd206e08988bdd8bd44a6e34b960ae91624528898b18278032bc26433e

C:\Windows\system\foXOuoi.exe

MD5 085f1ed145656e6c6a290dd7896339c4
SHA1 e358058c356ba16ac85c23504b1ef2139921c677
SHA256 a4ad09356e75fc9bf061bb357b5d167b5a4bbd9bc8ee6865d796382c050526f0
SHA512 3fce46ed811a55cdd6902292f784406f48f70a339ebcd787638110b3573e303a3f26f7242d3431c62431a3cad06e13287c3315af073365636745176eed5c0813

memory/2600-136-0x000000013FFA0000-0x00000001402F1000-memory.dmp

memory/2660-135-0x000000013FE80000-0x00000001401D1000-memory.dmp

memory/2236-97-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

memory/2740-95-0x000000013FD30000-0x0000000140081000-memory.dmp

memory/2700-89-0x000000013F4B0000-0x000000013F801000-memory.dmp

C:\Windows\system\siwHftl.exe

MD5 f7bf9ed0274b04887bcca70b3d58e71c
SHA1 6a4a4534744a8b844512c1c1c27bfa5d5dd3d345
SHA256 165e6bd01e9bcdf4887e8f7fac354ca82a41257cf3c4deeb538cad9172d198bd
SHA512 928c9787ac64d0117e626b43f4fb3d857ee80202c7f1ee97ed60416b8311d9f0802b44a5d9c899a077ffe6eb0eae6fcfeab4b4342ea2b89275bac367fb48be38

C:\Windows\system\FdFzDvw.exe

MD5 0446a241958390d883907dd29dc9b0de
SHA1 2a77c8bbc47c5afece81e8d338b28239f22216c3
SHA256 99d7ab8fa333f1203cb13ce78e52866f9986db808b4b8d3007a1c6b966d17a5b
SHA512 d469ed9faaea0b5426037e4d589a2ed1a097e2eeeef17bed8d8447943eec0691bf777effb3ffb22f60b1b47fc7f94ba686c0a6647d53518020b9d4d32dbccb35

memory/2884-82-0x000000013FB70000-0x000000013FEC1000-memory.dmp

C:\Windows\system\FHulRji.exe

MD5 5ec2e4a44f00883cc26319de250503ff
SHA1 e4efa2aed60fd3baefbfd7cbf267ee42c397aad9
SHA256 c5da6c2e87ae238c60382a4315a07ae9404f1bd924ac92dbb1987ef6d1226363
SHA512 1487ec1d82c3bc2e27ffd8734a985d870f2f299dafe5b54f3e81ff0a7ef90a3aeaa47531b523bdeb2bb816ad5ba3ac80c677c5b42aca9cebc5f2010bc6aba7ad

memory/2256-75-0x000000013F550000-0x000000013F8A1000-memory.dmp

memory/2884-74-0x00000000022F0000-0x0000000002641000-memory.dmp

memory/2884-73-0x000000013F2E0000-0x000000013F631000-memory.dmp

C:\Windows\system\PpsMoZW.exe

MD5 fb16ca09448e037153066b8843d6fe37
SHA1 bdedc9eeac0640b030cf65e110f974a892997acf
SHA256 12013d26fe614db203bb7f5627d71b69e58f0ff20957dab126ead6ec26f241b0
SHA512 5ff3cc855a07befd3861e0791a106d0f4314256412c33af40ecee3a3f196112b28fc18c1f097402b56bf54df4812aea75e9cefd306b8c305c4a41438491deb5c

C:\Windows\system\APETBhb.exe

MD5 71f0940fb755c24fb20aef3c5cdc4676
SHA1 68b8bfc22233fb26f0b4cca8b27bb81351f3a92d
SHA256 fefd04710b6fe89aba19625740fa3ef9e34eb2f9969bdaa1a5b58e4ce3c72b01
SHA512 ebd849cfed228a88d6461df0ff2fcd5504fa3ad8263c1c5fc35e1cc6823a17eb69b5649a080432c1720b6145ba2c04c2c0f6b5ea7ffbec3713f65f8183cbb1d7

C:\Windows\system\DUHqOoM.exe

MD5 fa7d7ded3457cbda91d7cdde466f0dc8
SHA1 b59c48f105bf81ed6233dfd37788443ab285f505
SHA256 011c6d73002dc8a1d54336658f90c4cc1e848bd9fa9be14ae53f07130bde3264
SHA512 641bb1f1f4f6b96ca8f4fd3b75e2625576a97a47cc4644995e7ef40a7b36aca56bb564227a9b2cf4abf973024fdca8339fd347d58154d1aeaf387df2b0d74da7

memory/2884-48-0x00000000022F0000-0x0000000002641000-memory.dmp

C:\Windows\system\XsnDvpk.exe

MD5 805dfb456f6a7a40419f8e8aa6bd3748
SHA1 195fceda17426757289bd067fefd2baae4a300c3
SHA256 f5e2f5cdd550c315a9274f1b5c4dab6b680bd72f4cb0126a808efc6bb3503e4b
SHA512 3193755a0d2f0aceacb9051c5673cf6d21792c5d2b551c62ffa7e1cbd74ab907d7b19b6d5ae656a4468a083e74540ff5bbd435a41f815c4bdc2707b51ab4992b

memory/2884-54-0x000000013F700000-0x000000013FA51000-memory.dmp

memory/2884-39-0x000000013FE80000-0x00000001401D1000-memory.dmp

memory/2884-25-0x000000013FD30000-0x0000000140081000-memory.dmp

memory/2884-22-0x00000000022F0000-0x0000000002641000-memory.dmp

memory/380-137-0x000000013F3D0000-0x000000013F721000-memory.dmp

memory/2884-139-0x000000013F700000-0x000000013FA51000-memory.dmp

memory/2600-144-0x000000013FFA0000-0x00000001402F1000-memory.dmp

memory/584-148-0x000000013F2F0000-0x000000013F641000-memory.dmp

memory/2256-150-0x000000013F550000-0x000000013F8A1000-memory.dmp

memory/2236-153-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

memory/2060-151-0x000000013FB70000-0x000000013FEC1000-memory.dmp

memory/2692-155-0x000000013F230000-0x000000013F581000-memory.dmp

memory/1956-160-0x000000013FB80000-0x000000013FED1000-memory.dmp

memory/1272-159-0x000000013FF80000-0x00000001402D1000-memory.dmp

memory/1268-158-0x000000013FFD0000-0x0000000140321000-memory.dmp

memory/1232-156-0x000000013F260000-0x000000013F5B1000-memory.dmp

memory/2672-154-0x000000013F9C0000-0x000000013FD11000-memory.dmp

memory/2700-152-0x000000013F4B0000-0x000000013F801000-memory.dmp

memory/1848-157-0x000000013F0B0000-0x000000013F401000-memory.dmp

memory/2884-161-0x00000000022F0000-0x0000000002641000-memory.dmp

memory/2884-162-0x000000013FB70000-0x000000013FEC1000-memory.dmp

memory/2884-163-0x000000013F700000-0x000000013FA51000-memory.dmp

memory/2728-208-0x000000013FFA0000-0x00000001402F1000-memory.dmp

memory/2852-210-0x000000013F2E0000-0x000000013F631000-memory.dmp

memory/2740-212-0x000000013FD30000-0x0000000140081000-memory.dmp

memory/2660-214-0x000000013FE80000-0x00000001401D1000-memory.dmp

memory/2908-216-0x000000013F740000-0x000000013FA91000-memory.dmp

memory/2652-218-0x000000013F3D0000-0x000000013F721000-memory.dmp

memory/380-220-0x000000013F3D0000-0x000000013F721000-memory.dmp

memory/584-222-0x000000013F2F0000-0x000000013F641000-memory.dmp

memory/852-224-0x000000013FED0000-0x0000000140221000-memory.dmp

memory/2256-239-0x000000013F550000-0x000000013F8A1000-memory.dmp

memory/2060-241-0x000000013FB70000-0x000000013FEC1000-memory.dmp

memory/2700-243-0x000000013F4B0000-0x000000013F801000-memory.dmp

memory/2236-245-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

memory/2600-254-0x000000013FFA0000-0x00000001402F1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 11:50

Reported

2024-08-13 11:52

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\FwlFsHR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oxiuALY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PMINowk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XHanqSi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XsnDvpk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\APETBhb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DUHqOoM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FHulRji.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\foXOuoi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BJhdyon.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nswOQON.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BXeVRkd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YsmRNOc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mKIbRtn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TtcBxLZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FdFzDvw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tFwslCX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LMHJYTQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PpsMoZW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\siwHftl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ooZFHrR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3064 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XHanqSi.exe
PID 3064 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XHanqSi.exe
PID 3064 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ooZFHrR.exe
PID 3064 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ooZFHrR.exe
PID 3064 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BXeVRkd.exe
PID 3064 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BXeVRkd.exe
PID 3064 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tFwslCX.exe
PID 3064 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tFwslCX.exe
PID 3064 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LMHJYTQ.exe
PID 3064 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LMHJYTQ.exe
PID 3064 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mKIbRtn.exe
PID 3064 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mKIbRtn.exe
PID 3064 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XsnDvpk.exe
PID 3064 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XsnDvpk.exe
PID 3064 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TtcBxLZ.exe
PID 3064 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TtcBxLZ.exe
PID 3064 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\APETBhb.exe
PID 3064 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\APETBhb.exe
PID 3064 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DUHqOoM.exe
PID 3064 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DUHqOoM.exe
PID 3064 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PpsMoZW.exe
PID 3064 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PpsMoZW.exe
PID 3064 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FHulRji.exe
PID 3064 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FHulRji.exe
PID 3064 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\siwHftl.exe
PID 3064 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\siwHftl.exe
PID 3064 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FdFzDvw.exe
PID 3064 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FdFzDvw.exe
PID 3064 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\foXOuoi.exe
PID 3064 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\foXOuoi.exe
PID 3064 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BJhdyon.exe
PID 3064 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BJhdyon.exe
PID 3064 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FwlFsHR.exe
PID 3064 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FwlFsHR.exe
PID 3064 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oxiuALY.exe
PID 3064 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oxiuALY.exe
PID 3064 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nswOQON.exe
PID 3064 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nswOQON.exe
PID 3064 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YsmRNOc.exe
PID 3064 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YsmRNOc.exe
PID 3064 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PMINowk.exe
PID 3064 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PMINowk.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\XHanqSi.exe

C:\Windows\System\XHanqSi.exe

C:\Windows\System\ooZFHrR.exe

C:\Windows\System\ooZFHrR.exe

C:\Windows\System\BXeVRkd.exe

C:\Windows\System\BXeVRkd.exe

C:\Windows\System\tFwslCX.exe

C:\Windows\System\tFwslCX.exe

C:\Windows\System\LMHJYTQ.exe

C:\Windows\System\LMHJYTQ.exe

C:\Windows\System\mKIbRtn.exe

C:\Windows\System\mKIbRtn.exe

C:\Windows\System\XsnDvpk.exe

C:\Windows\System\XsnDvpk.exe

C:\Windows\System\TtcBxLZ.exe

C:\Windows\System\TtcBxLZ.exe

C:\Windows\System\APETBhb.exe

C:\Windows\System\APETBhb.exe

C:\Windows\System\DUHqOoM.exe

C:\Windows\System\DUHqOoM.exe

C:\Windows\System\PpsMoZW.exe

C:\Windows\System\PpsMoZW.exe

C:\Windows\System\FHulRji.exe

C:\Windows\System\FHulRji.exe

C:\Windows\System\siwHftl.exe

C:\Windows\System\siwHftl.exe

C:\Windows\System\FdFzDvw.exe

C:\Windows\System\FdFzDvw.exe

C:\Windows\System\foXOuoi.exe

C:\Windows\System\foXOuoi.exe

C:\Windows\System\BJhdyon.exe

C:\Windows\System\BJhdyon.exe

C:\Windows\System\FwlFsHR.exe

C:\Windows\System\FwlFsHR.exe

C:\Windows\System\oxiuALY.exe

C:\Windows\System\oxiuALY.exe

C:\Windows\System\nswOQON.exe

C:\Windows\System\nswOQON.exe

C:\Windows\System\YsmRNOc.exe

C:\Windows\System\YsmRNOc.exe

C:\Windows\System\PMINowk.exe

C:\Windows\System\PMINowk.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/3064-0-0x00007FF610D60000-0x00007FF6110B1000-memory.dmp

memory/3064-1-0x00000198FC000000-0x00000198FC010000-memory.dmp

C:\Windows\System\XHanqSi.exe

MD5 86fa59ec11f939e5a9237391543b320d
SHA1 bbe175f47417a95a4dc22e67460a213de57b31d6
SHA256 dac458d9b9de03c6b0358ac0401ce973e759e90b28285109e6116e3ab3857d2b
SHA512 52e717d1272a1fa08a79f518eabeebc3df32ac17e3a22f683f01de15b31a965eb764f9ccb0e96dbe12f57ce358b189265b3efe6ce731c4dd8d19c9105a180312

C:\Windows\System\BXeVRkd.exe

MD5 b94cebbcb6172568912ef4847ae14681
SHA1 e1f1b953b889b194bf63c4718d4fc068d497b6ee
SHA256 41c322e9ff44295de0edc3640ab0bafd75b145bcdceaf411cb56c96deec833b1
SHA512 01d4f61d27e0435c4a778e43423dfa4691ddc7df28ceb1b2ede1336c664b15fc4eecf1101079ea0916f65f221d2209b3f13793b053ab362344de5a7738fededd

memory/4900-11-0x00007FF740190000-0x00007FF7404E1000-memory.dmp

C:\Windows\System\mKIbRtn.exe

MD5 c4e6459c6a6c44b38faed4e78e54dc1a
SHA1 dd6c5f89f743cac5bfcd664501f495f6cf4fdfc2
SHA256 0d4182c209c4096b4a65f53fd556265a175ab91711522253979f89d7bc7b48e3
SHA512 bdc9ccbded378ce5bb242485721923d4fedc5145306e9c5ca9b634d37824ab27b6c9a97a6a1141fdae162b6669a6936bdb71de49d6eef9043e87002c9cfb3bf0

C:\Windows\System\LMHJYTQ.exe

MD5 e63c7f25d4f079fa8e194ff707a17842
SHA1 2b616655c40a7c63fab84050b56d11195092e31d
SHA256 aa79d1cf5db65e058bf8e4a1c92e5f72ba1c58c99aac5f1627e5b1af196eec0f
SHA512 59bf730aa910c14fef40e079f2cf76e7d992b1df9684d7e51f7c1445cde880ac12c8f027d12346ab632e8a372f8c13bfc71852cc641a73f4ea887d112ae1ce30

C:\Windows\System\APETBhb.exe

MD5 71f0940fb755c24fb20aef3c5cdc4676
SHA1 68b8bfc22233fb26f0b4cca8b27bb81351f3a92d
SHA256 fefd04710b6fe89aba19625740fa3ef9e34eb2f9969bdaa1a5b58e4ce3c72b01
SHA512 ebd849cfed228a88d6461df0ff2fcd5504fa3ad8263c1c5fc35e1cc6823a17eb69b5649a080432c1720b6145ba2c04c2c0f6b5ea7ffbec3713f65f8183cbb1d7

C:\Windows\System\TtcBxLZ.exe

MD5 8c0e3fcaf469784d1ba8ff887f52d625
SHA1 069c832f21d1387d83f3488f03a153c8345bcfc5
SHA256 aa92e6f2f60017bdbb15e4a24e514520ccf7ebd6b48108807499af201b34d398
SHA512 795d16827d2ebd4ee37a721acf27af7f54034b2c6f52219f2fdcac570a2a38643ede2195205271d1c4dcbb04aa98781cbb5a94a61aeff159e787c0c91d0a43a1

C:\Windows\System\tFwslCX.exe

MD5 5623d65846c4ae92bccccef515a3c53e
SHA1 d9336f6faccb65cb38db95ef7971e8f75e56d662
SHA256 71ea8c354240fa7ac580b325fc01ff5d198147402f807edb4ee685ddbbf58db6
SHA512 b5da32e6393beab2e09ead75403a09beed871acb737caad1b2955c4556e469850c8be297690ff9263c0b3a27b1d636099c505fbf29436a2f7135d2bc5cd954cc

C:\Windows\System\XsnDvpk.exe

MD5 805dfb456f6a7a40419f8e8aa6bd3748
SHA1 195fceda17426757289bd067fefd2baae4a300c3
SHA256 f5e2f5cdd550c315a9274f1b5c4dab6b680bd72f4cb0126a808efc6bb3503e4b
SHA512 3193755a0d2f0aceacb9051c5673cf6d21792c5d2b551c62ffa7e1cbd74ab907d7b19b6d5ae656a4468a083e74540ff5bbd435a41f815c4bdc2707b51ab4992b

memory/1016-24-0x00007FF7BE750000-0x00007FF7BEAA1000-memory.dmp

memory/4076-14-0x00007FF7A5B00000-0x00007FF7A5E51000-memory.dmp

C:\Windows\System\ooZFHrR.exe

MD5 7a85ba9dd1ac229b8a2b69838049111b
SHA1 55bd436d226d4df4d759aa3d48385efbcdb123d3
SHA256 374f0faa8b4c0e90c63f645b08eaed9a061e16ad2941c4fa19a7d0fa3631f68d
SHA512 fdef40676334a7c1d9bfcb7f6ac69a1efd692ec2aec1d77d9b17ca2bfd0abe1f5dfb786486deebbb330a7fd59a34f57f21e43f16f6234144226251721e852c2a

C:\Windows\System\DUHqOoM.exe

MD5 fa7d7ded3457cbda91d7cdde466f0dc8
SHA1 b59c48f105bf81ed6233dfd37788443ab285f505
SHA256 011c6d73002dc8a1d54336658f90c4cc1e848bd9fa9be14ae53f07130bde3264
SHA512 641bb1f1f4f6b96ca8f4fd3b75e2625576a97a47cc4644995e7ef40a7b36aca56bb564227a9b2cf4abf973024fdca8339fd347d58154d1aeaf387df2b0d74da7

memory/1316-69-0x00007FF692EE0000-0x00007FF693231000-memory.dmp

C:\Windows\System\FHulRji.exe

MD5 5ec2e4a44f00883cc26319de250503ff
SHA1 e4efa2aed60fd3baefbfd7cbf267ee42c397aad9
SHA256 c5da6c2e87ae238c60382a4315a07ae9404f1bd924ac92dbb1987ef6d1226363
SHA512 1487ec1d82c3bc2e27ffd8734a985d870f2f299dafe5b54f3e81ff0a7ef90a3aeaa47531b523bdeb2bb816ad5ba3ac80c677c5b42aca9cebc5f2010bc6aba7ad

memory/4308-72-0x00007FF680FC0000-0x00007FF681311000-memory.dmp

memory/4248-71-0x00007FF7C3910000-0x00007FF7C3C61000-memory.dmp

memory/2084-70-0x00007FF77ED20000-0x00007FF77F071000-memory.dmp

memory/880-64-0x00007FF799AF0000-0x00007FF799E41000-memory.dmp

C:\Windows\System\PpsMoZW.exe

MD5 fb16ca09448e037153066b8843d6fe37
SHA1 bdedc9eeac0640b030cf65e110f974a892997acf
SHA256 12013d26fe614db203bb7f5627d71b69e58f0ff20957dab126ead6ec26f241b0
SHA512 5ff3cc855a07befd3861e0791a106d0f4314256412c33af40ecee3a3f196112b28fc18c1f097402b56bf54df4812aea75e9cefd306b8c305c4a41438491deb5c

memory/3516-56-0x00007FF659CA0000-0x00007FF659FF1000-memory.dmp

memory/464-49-0x00007FF7E8470000-0x00007FF7E87C1000-memory.dmp

memory/660-48-0x00007FF713230000-0x00007FF713581000-memory.dmp

memory/1392-45-0x00007FF6D7890000-0x00007FF6D7BE1000-memory.dmp

C:\Windows\System\siwHftl.exe

MD5 f7bf9ed0274b04887bcca70b3d58e71c
SHA1 6a4a4534744a8b844512c1c1c27bfa5d5dd3d345
SHA256 165e6bd01e9bcdf4887e8f7fac354ca82a41257cf3c4deeb538cad9172d198bd
SHA512 928c9787ac64d0117e626b43f4fb3d857ee80202c7f1ee97ed60416b8311d9f0802b44a5d9c899a077ffe6eb0eae6fcfeab4b4342ea2b89275bac367fb48be38

C:\Windows\System\FdFzDvw.exe

MD5 0446a241958390d883907dd29dc9b0de
SHA1 2a77c8bbc47c5afece81e8d338b28239f22216c3
SHA256 99d7ab8fa333f1203cb13ce78e52866f9986db808b4b8d3007a1c6b966d17a5b
SHA512 d469ed9faaea0b5426037e4d589a2ed1a097e2eeeef17bed8d8447943eec0691bf777effb3ffb22f60b1b47fc7f94ba686c0a6647d53518020b9d4d32dbccb35

memory/1876-89-0x00007FF7A0220000-0x00007FF7A0571000-memory.dmp

C:\Windows\System\FwlFsHR.exe

MD5 4247d609adb3c0bed702e8720b7777f2
SHA1 447ce12363c507f2040812fd4e2dca6b0869418d
SHA256 a5522a4264c56256e06e435088d7028d870bf31419debe7c7342e15e964b2cdc
SHA512 3d4c477d816ce648522fb7d42f3914d735597e5d3bcfeba3abdc32ffb055ff48ca84efacc0fee4fa6e48671adc27ced3fbbd524f87853012491e792c4af45e35

C:\Windows\System\oxiuALY.exe

MD5 868792d988e9b34357c2ba69ede23343
SHA1 63666d568ab2354498a7f614d7ed52b3011bf876
SHA256 4c4ba5796dea8da25705c81539effe1dac12e5acf31047fdee6708747770b0d5
SHA512 f0ee3fe63041dcbbe2b2197d95bb6a3af0383e8528aba8b286634d5a025b0e18614cf6e1937b95ddba63b8575f9d62eeb63255da6f5665bca7939fa706345f04

C:\Windows\System\BJhdyon.exe

MD5 fcbdff7368d5e525560416255d70d3b4
SHA1 7b48eb5b89b2bc0a1b50dc3683dd42559602d5f9
SHA256 eea5017ca6336a117f3f12a1a831cccf1c716bb1b4d3b5a865156f72caf64753
SHA512 bf415cd9389e85476ab67d7f5c51df5cee0d1acb495657d63c902276f9c704e7652989cd206e08988bdd8bd44a6e34b960ae91624528898b18278032bc26433e

C:\Windows\System\nswOQON.exe

MD5 85616bcad8e3c5424c65fd3f7cdedb5e
SHA1 349fbc8f2307920d7f913117c3e93163dc1a534b
SHA256 90d35535d94b52f821fd4de6f07a51d4e718d6573e9ff1dc5ba06796763373a8
SHA512 f2d56b9b8947fcff7f4d6fa2c18c8a91f6f36e7fd3a35ac87cd9ff54b8d9fac5419adf452b6e8becd555afaf4dbcf7f55bdf8281199df6b1ce131c9f921c87f8

memory/1640-120-0x00007FF6D8060000-0x00007FF6D83B1000-memory.dmp

C:\Windows\System\YsmRNOc.exe

MD5 e935c488f2737f1834a15ad749c92382
SHA1 b74a3c98109782c2b4846af51626cc914817166e
SHA256 c6cb01cb7f50ec38a305a69c0f67cfe8712696edf849cf1a979b913a01ba3ab0
SHA512 4a5c6df099fbfe23042f41ff917016d3959e768cfbbf93320f7bf6f0f5513fcad22e49ebdfdb9b59e4bf013ff6e37b2fce13a8240fd6e9b8fbe4e94c6c590584

C:\Windows\System\PMINowk.exe

MD5 9a261ac68a113f4749bd27e0e289e8c2
SHA1 5d4e7219f952d7775d80ebaf9385be2739b88361
SHA256 d656605c1078637feb0d3fdc1fbe6467297b50f180fcae0967c27d6649c1c41e
SHA512 b321318ef122627860b09671cac9136e18499d17b78fe7fd198513dedb17bb2222d4f52f8d37cf6fccf8afa79fcbfdae8a58c4ef2711ade799c83eac9ab88d65

memory/1208-125-0x00007FF62AEB0000-0x00007FF62B201000-memory.dmp

memory/4548-124-0x00007FF768130000-0x00007FF768481000-memory.dmp

memory/4036-114-0x00007FF61AF90000-0x00007FF61B2E1000-memory.dmp

memory/4660-113-0x00007FF7DB350000-0x00007FF7DB6A1000-memory.dmp

memory/4076-105-0x00007FF7A5B00000-0x00007FF7A5E51000-memory.dmp

memory/3064-101-0x00007FF610D60000-0x00007FF6110B1000-memory.dmp

memory/3188-99-0x00007FF695710000-0x00007FF695A61000-memory.dmp

memory/1808-97-0x00007FF6FAB80000-0x00007FF6FAED1000-memory.dmp

C:\Windows\System\foXOuoi.exe

MD5 085f1ed145656e6c6a290dd7896339c4
SHA1 e358058c356ba16ac85c23504b1ef2139921c677
SHA256 a4ad09356e75fc9bf061bb357b5d167b5a4bbd9bc8ee6865d796382c050526f0
SHA512 3fce46ed811a55cdd6902292f784406f48f70a339ebcd787638110b3573e303a3f26f7242d3431c62431a3cad06e13287c3315af073365636745176eed5c0813

memory/3508-88-0x00007FF65A940000-0x00007FF65AC91000-memory.dmp

memory/1016-133-0x00007FF7BE750000-0x00007FF7BEAA1000-memory.dmp

memory/3064-130-0x00007FF610D60000-0x00007FF6110B1000-memory.dmp

memory/3516-139-0x00007FF659CA0000-0x00007FF659FF1000-memory.dmp

memory/4308-142-0x00007FF680FC0000-0x00007FF681311000-memory.dmp

memory/1808-145-0x00007FF6FAB80000-0x00007FF6FAED1000-memory.dmp

memory/4036-148-0x00007FF61AF90000-0x00007FF61B2E1000-memory.dmp

memory/4660-147-0x00007FF7DB350000-0x00007FF7DB6A1000-memory.dmp

memory/1208-150-0x00007FF62AEB0000-0x00007FF62B201000-memory.dmp

memory/3188-146-0x00007FF695710000-0x00007FF695A61000-memory.dmp

memory/1640-149-0x00007FF6D8060000-0x00007FF6D83B1000-memory.dmp

memory/4548-151-0x00007FF768130000-0x00007FF768481000-memory.dmp

memory/3064-152-0x00007FF610D60000-0x00007FF6110B1000-memory.dmp

memory/4900-211-0x00007FF740190000-0x00007FF7404E1000-memory.dmp

memory/4076-213-0x00007FF7A5B00000-0x00007FF7A5E51000-memory.dmp

memory/1016-215-0x00007FF7BE750000-0x00007FF7BEAA1000-memory.dmp

memory/1392-219-0x00007FF6D7890000-0x00007FF6D7BE1000-memory.dmp

memory/660-218-0x00007FF713230000-0x00007FF713581000-memory.dmp

memory/464-221-0x00007FF7E8470000-0x00007FF7E87C1000-memory.dmp

memory/4248-223-0x00007FF7C3910000-0x00007FF7C3C61000-memory.dmp

memory/1316-231-0x00007FF692EE0000-0x00007FF693231000-memory.dmp

memory/4308-233-0x00007FF680FC0000-0x00007FF681311000-memory.dmp

memory/880-230-0x00007FF799AF0000-0x00007FF799E41000-memory.dmp

memory/2084-226-0x00007FF77ED20000-0x00007FF77F071000-memory.dmp

memory/3516-228-0x00007FF659CA0000-0x00007FF659FF1000-memory.dmp

memory/3508-241-0x00007FF65A940000-0x00007FF65AC91000-memory.dmp

memory/1876-243-0x00007FF7A0220000-0x00007FF7A0571000-memory.dmp

memory/1808-245-0x00007FF6FAB80000-0x00007FF6FAED1000-memory.dmp

memory/3188-247-0x00007FF695710000-0x00007FF695A61000-memory.dmp

memory/4660-249-0x00007FF7DB350000-0x00007FF7DB6A1000-memory.dmp

memory/4036-252-0x00007FF61AF90000-0x00007FF61B2E1000-memory.dmp

memory/1640-253-0x00007FF6D8060000-0x00007FF6D83B1000-memory.dmp

memory/4548-257-0x00007FF768130000-0x00007FF768481000-memory.dmp

memory/1208-255-0x00007FF62AEB0000-0x00007FF62B201000-memory.dmp