Malware Analysis Report

2025-03-15 08:06

Sample ID 240814-y6npjsxcnp
Target 2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat
SHA256 18977197ae619df636d1e8085a0a1def1946c7a8a824181763a6e2d5bf98cedc
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

18977197ae619df636d1e8085a0a1def1946c7a8a824181763a6e2d5bf98cedc

Threat Level: Known bad

The file 2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobalt Strike reflective loader

XMRig Miner payload

Cobaltstrike

Cobaltstrike family

Xmrig family

xmrig

XMRig Miner payload

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-14 20:24

Signatures

Cobalt Strike reflective loader

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Xmrig family

xmrig

UPX packed file

upx
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 20:24

Reported

2024-08-14 20:26

Platform

win7-20240705-en

Max time kernel

140s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\bQMREtZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GbLyzll.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GxGFjaH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JhAHcAP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WvkXGgc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pcygDwh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VtuXKHv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZeBOPFs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GKddvzZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fSRWvdp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SGJcMcv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UrXEcnV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nfWuHRl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nrJTzil.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TZBRGzv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FdtGwfN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WSeCZzP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JpALcsT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ygtYQOQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WRmZbaT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YyzRhum.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1960 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FdtGwfN.exe
PID 1960 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bQMREtZ.exe
PID 1960 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GbLyzll.exe
PID 1960 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VtuXKHv.exe
PID 1960 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nfWuHRl.exe
PID 1960 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WSeCZzP.exe
PID 1960 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZeBOPFs.exe
PID 1960 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nrJTzil.exe
PID 1960 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GxGFjaH.exe
PID 1960 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JpALcsT.exe
PID 1960 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ygtYQOQ.exe
PID 1960 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JhAHcAP.exe
PID 1960 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WRmZbaT.exe
PID 1960 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GKddvzZ.exe
PID 1960 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WvkXGgc.exe
PID 1960 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TZBRGzv.exe
PID 1960 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YyzRhum.exe
PID 1960 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fSRWvdp.exe
PID 1960 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SGJcMcv.exe
PID 1960 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UrXEcnV.exe
PID 1960 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pcygDwh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\FdtGwfN.exe

C:\Windows\System\FdtGwfN.exe

C:\Windows\System\bQMREtZ.exe

C:\Windows\System\bQMREtZ.exe

C:\Windows\System\GbLyzll.exe

C:\Windows\System\GbLyzll.exe

C:\Windows\System\VtuXKHv.exe

C:\Windows\System\VtuXKHv.exe

C:\Windows\System\nfWuHRl.exe

C:\Windows\System\nfWuHRl.exe

C:\Windows\System\WSeCZzP.exe

C:\Windows\System\WSeCZzP.exe

C:\Windows\System\ZeBOPFs.exe

C:\Windows\System\ZeBOPFs.exe

C:\Windows\System\nrJTzil.exe

C:\Windows\System\nrJTzil.exe

C:\Windows\System\GxGFjaH.exe

C:\Windows\System\GxGFjaH.exe

C:\Windows\System\JpALcsT.exe

C:\Windows\System\JpALcsT.exe

C:\Windows\System\ygtYQOQ.exe

C:\Windows\System\ygtYQOQ.exe

C:\Windows\System\JhAHcAP.exe

C:\Windows\System\JhAHcAP.exe

C:\Windows\System\WRmZbaT.exe

C:\Windows\System\WRmZbaT.exe

C:\Windows\System\GKddvzZ.exe

C:\Windows\System\GKddvzZ.exe

C:\Windows\System\WvkXGgc.exe

C:\Windows\System\WvkXGgc.exe

C:\Windows\System\TZBRGzv.exe

C:\Windows\System\TZBRGzv.exe

C:\Windows\System\YyzRhum.exe

C:\Windows\System\YyzRhum.exe

C:\Windows\System\fSRWvdp.exe

C:\Windows\System\fSRWvdp.exe

C:\Windows\System\SGJcMcv.exe

C:\Windows\System\SGJcMcv.exe

C:\Windows\System\UrXEcnV.exe

C:\Windows\System\UrXEcnV.exe

C:\Windows\System\pcygDwh.exe

C:\Windows\System\pcygDwh.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/2772-218-0x000000013F210000-0x000000013F561000-memory.dmp

memory/1652-216-0x000000013F550000-0x000000013F8A1000-memory.dmp

memory/2276-214-0x000000013FBE0000-0x000000013FF31000-memory.dmp

memory/2776-223-0x000000013FFB0000-0x0000000140301000-memory.dmp

memory/1720-225-0x000000013F920000-0x000000013FC71000-memory.dmp

memory/1992-227-0x000000013F9C0000-0x000000013FD11000-memory.dmp

memory/1952-229-0x000000013F450000-0x000000013F7A1000-memory.dmp

memory/2360-231-0x000000013F1D0000-0x000000013F521000-memory.dmp

memory/2244-235-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

memory/1492-241-0x000000013FE10000-0x0000000140161000-memory.dmp

memory/2880-243-0x000000013F610000-0x000000013F961000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 20:24

Reported

2024-08-14 20:26

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\JpALcsT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fSRWvdp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UrXEcnV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nfWuHRl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZeBOPFs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JhAHcAP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WvkXGgc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pcygDwh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FdtGwfN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VtuXKHv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WSeCZzP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ygtYQOQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SGJcMcv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bQMREtZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nrJTzil.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GxGFjaH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WRmZbaT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GKddvzZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TZBRGzv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YyzRhum.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GbLyzll.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2412 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FdtGwfN.exe
PID 2412 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FdtGwfN.exe
PID 2412 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bQMREtZ.exe
PID 2412 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bQMREtZ.exe
PID 2412 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GbLyzll.exe
PID 2412 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GbLyzll.exe
PID 2412 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VtuXKHv.exe
PID 2412 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VtuXKHv.exe
PID 2412 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nfWuHRl.exe
PID 2412 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nfWuHRl.exe
PID 2412 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WSeCZzP.exe
PID 2412 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WSeCZzP.exe
PID 2412 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZeBOPFs.exe
PID 2412 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZeBOPFs.exe
PID 2412 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nrJTzil.exe
PID 2412 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nrJTzil.exe
PID 2412 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GxGFjaH.exe
PID 2412 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GxGFjaH.exe
PID 2412 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JpALcsT.exe
PID 2412 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JpALcsT.exe
PID 2412 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ygtYQOQ.exe
PID 2412 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ygtYQOQ.exe
PID 2412 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JhAHcAP.exe
PID 2412 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JhAHcAP.exe
PID 2412 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WRmZbaT.exe
PID 2412 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WRmZbaT.exe
PID 2412 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GKddvzZ.exe
PID 2412 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GKddvzZ.exe
PID 2412 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WvkXGgc.exe
PID 2412 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WvkXGgc.exe
PID 2412 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TZBRGzv.exe
PID 2412 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TZBRGzv.exe
PID 2412 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YyzRhum.exe
PID 2412 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YyzRhum.exe
PID 2412 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fSRWvdp.exe
PID 2412 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fSRWvdp.exe
PID 2412 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SGJcMcv.exe
PID 2412 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SGJcMcv.exe
PID 2412 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UrXEcnV.exe
PID 2412 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UrXEcnV.exe
PID 2412 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pcygDwh.exe
PID 2412 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pcygDwh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\FdtGwfN.exe

C:\Windows\System\FdtGwfN.exe

C:\Windows\System\bQMREtZ.exe

C:\Windows\System\bQMREtZ.exe

C:\Windows\System\GbLyzll.exe

C:\Windows\System\GbLyzll.exe

C:\Windows\System\VtuXKHv.exe

C:\Windows\System\VtuXKHv.exe

C:\Windows\System\nfWuHRl.exe

C:\Windows\System\nfWuHRl.exe

C:\Windows\System\WSeCZzP.exe

C:\Windows\System\WSeCZzP.exe

C:\Windows\System\ZeBOPFs.exe

C:\Windows\System\ZeBOPFs.exe

C:\Windows\System\nrJTzil.exe

C:\Windows\System\nrJTzil.exe

C:\Windows\System\GxGFjaH.exe

C:\Windows\System\GxGFjaH.exe

C:\Windows\System\JpALcsT.exe

C:\Windows\System\JpALcsT.exe

C:\Windows\System\ygtYQOQ.exe

C:\Windows\System\ygtYQOQ.exe

C:\Windows\System\JhAHcAP.exe

C:\Windows\System\JhAHcAP.exe

C:\Windows\System\WRmZbaT.exe

C:\Windows\System\WRmZbaT.exe

C:\Windows\System\GKddvzZ.exe

C:\Windows\System\GKddvzZ.exe

C:\Windows\System\WvkXGgc.exe

C:\Windows\System\WvkXGgc.exe

C:\Windows\System\TZBRGzv.exe

C:\Windows\System\TZBRGzv.exe

C:\Windows\System\YyzRhum.exe

C:\Windows\System\YyzRhum.exe

C:\Windows\System\fSRWvdp.exe

C:\Windows\System\fSRWvdp.exe

C:\Windows\System\SGJcMcv.exe

C:\Windows\System\SGJcMcv.exe

C:\Windows\System\UrXEcnV.exe

C:\Windows\System\UrXEcnV.exe

C:\Windows\System\pcygDwh.exe

C:\Windows\System\pcygDwh.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
