Malware Analysis Report

2025-01-22 19:30

Sample ID 240806-n4f7ksybqp
Target 2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat
SHA256 c7f1d2ad027183698f66593d55ddc3116b0a035deb5e8d2450ff5763edd396a2
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c7f1d2ad027183698f66593d55ddc3116b0a035deb5e8d2450ff5763edd396a2

Threat Level: Known bad

The file 2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobalt Strike reflective loader

Cobaltstrike

Cobaltstrike family

XMRig Miner payload

xmrig

Xmrig family

XMRig Miner payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-06 11:56

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 11:56

Reported

2024-08-06 11:59

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\YLiZEAy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bimROGZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NnrcvDC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JJdeuwn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ovNMJGd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\esjbvZP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QXRWdLc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lueruHE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PQhgzUz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vOrpsMG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TIRnwUu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZDrxZew.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lZstcZe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wQiyXVq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OBxmEzh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AcNWdgT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HWHOvnF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RgeWCbN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RTIuzUa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dGkmDIM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YXqhHlp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5000 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vOrpsMG.exe
PID 5000 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TIRnwUu.exe
PID 5000 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZDrxZew.exe
PID 5000 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bimROGZ.exe
PID 5000 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ovNMJGd.exe
PID 5000 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\esjbvZP.exe
PID 5000 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AcNWdgT.exe
PID 5000 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RTIuzUa.exe
PID 5000 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QXRWdLc.exe
PID 5000 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HWHOvnF.exe
PID 5000 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RgeWCbN.exe
PID 5000 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wQiyXVq.exe
PID 5000 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NnrcvDC.exe
PID 5000 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lueruHE.exe
PID 5000 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OBxmEzh.exe
PID 5000 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JJdeuwn.exe
PID 5000 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PQhgzUz.exe
PID 5000 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dGkmDIM.exe
PID 5000 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YXqhHlp.exe
PID 5000 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YLiZEAy.exe
PID 5000 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lZstcZe.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\vOrpsMG.exe

C:\Windows\System\TIRnwUu.exe

C:\Windows\System\ZDrxZew.exe

C:\Windows\System\bimROGZ.exe

C:\Windows\System\ovNMJGd.exe

C:\Windows\System\esjbvZP.exe

C:\Windows\System\AcNWdgT.exe

C:\Windows\System\RTIuzUa.exe

C:\Windows\System\QXRWdLc.exe

C:\Windows\System\HWHOvnF.exe

C:\Windows\System\RgeWCbN.exe

C:\Windows\System\wQiyXVq.exe

C:\Windows\System\NnrcvDC.exe

C:\Windows\System\lueruHE.exe

C:\Windows\System\OBxmEzh.exe

C:\Windows\System\JJdeuwn.exe

C:\Windows\System\PQhgzUz.exe

C:\Windows\System\dGkmDIM.exe

C:\Windows\System\YXqhHlp.exe

C:\Windows\System\YLiZEAy.exe

C:\Windows\System\lZstcZe.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 11:56

Reported

2024-08-06 11:59

Platform

win7-20240708-en

Max time kernel

139s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(58 identical empty rows collapsed: the UPX signature fired 58 times, but no indicator, process or target was captured for any hit.)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\NnrcvDC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JJdeuwn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YXqhHlp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TIRnwUu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\esjbvZP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AcNWdgT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HWHOvnF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wQiyXVq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lZstcZe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZDrxZew.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RgeWCbN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OBxmEzh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dGkmDIM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YLiZEAy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PQhgzUz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vOrpsMG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ovNMJGd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RTIuzUa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QXRWdLc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lueruHE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bimROGZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(Each row below stands for three identical entries in the sandbox log; every child received exactly three writes from PID 2208.)
PID 2208 wrote to memory of 2752 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vOrpsMG.exe
PID 2208 wrote to memory of 2836 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TIRnwUu.exe
PID 2208 wrote to memory of 2828 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZDrxZew.exe
PID 2208 wrote to memory of 2052 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bimROGZ.exe
PID 2208 wrote to memory of 2644 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ovNMJGd.exe
PID 2208 wrote to memory of 2632 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\esjbvZP.exe
PID 2208 wrote to memory of 2672 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AcNWdgT.exe
PID 2208 wrote to memory of 2168 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RTIuzUa.exe
PID 2208 wrote to memory of 572 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QXRWdLc.exe
PID 2208 wrote to memory of 2292 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HWHOvnF.exe
PID 2208 wrote to memory of 2704 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RgeWCbN.exe
PID 2208 wrote to memory of 2492 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wQiyXVq.exe
PID 2208 wrote to memory of 2972 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NnrcvDC.exe
PID 2208 wrote to memory of 2024 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lueruHE.exe
PID 2208 wrote to memory of 2676 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OBxmEzh.exe
PID 2208 wrote to memory of 2916 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JJdeuwn.exe
PID 2208 wrote to memory of 2956 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PQhgzUz.exe
PID 2208 wrote to memory of 3020 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dGkmDIM.exe
PID 2208 wrote to memory of 2296 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YXqhHlp.exe
PID 2208 wrote to memory of 264 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YLiZEAy.exe
PID 2208 wrote to memory of 316 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lZstcZe.exe
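
The two tables above only become useful once they are joined: the "File created" rows say what PID 2208 dropped into C:\Windows\System\, the "wrote to memory" rows say which of those drops it then started and touched. The script below is an added example, not part of the original report; it parses a constructed excerpt of both tables (the sample's long file name is shortened to sample.exe, PIDs and dropped-file names are the report's own), joins them by target path, and reports for each dropped file whether it was launched, under which PID, and how many writes it received. One caveat a practitioner should carry into the reading: a uniform count of three writes per child, with nothing else in the table, is consistent with the writes that process creation itself performs on this sandbox. Read it as evidence that every dropped file was launched by the sample; whether anything was injected is settled by the memory dumps in the Files section, not by this table.

```python
import re
from collections import Counter

# Constructed excerpt of the "Drops file in Windows directory" and
# "Suspicious use of WriteProcessMemory" tables above. The sample's long file name
# is shortened to sample.exe; PIDs and dropped-file names are the report's own.
DROP_ROWS = r"""
File created C:\Windows\System\NnrcvDC.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Windows\System\JJdeuwn.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Windows\System\TIRnwUu.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Windows\System\vOrpsMG.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
"""

WRITE_ROWS = r"""
PID 2208 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\vOrpsMG.exe
PID 2208 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\vOrpsMG.exe
PID 2208 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\vOrpsMG.exe
PID 2208 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\TIRnwUu.exe
PID 2208 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\TIRnwUu.exe
PID 2208 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\TIRnwUu.exe
PID 2208 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\NnrcvDC.exe
PID 2208 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\NnrcvDC.exe
PID 2208 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Windows\System\NnrcvDC.exe
"""

DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
# Seven letters of mixed case directly under C:\Windows\System\ (not System32) is the
# naming pattern every dropped file in this report follows; the regex is ours.
RANDOM_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def parse_drops(text):
    """Map dropped-file path -> process that created it, from 'File created' rows."""
    drops = {}
    for line in text.strip().splitlines():
        m = DROP_RE.match(line.strip())
        if m:
            drops[m.group(1)] = m.group(2)
    return drops


def parse_writes(text):
    """Map target image path -> {parent, child, writes}, counting repeated rows."""
    writes = {}
    for line in text.strip().splitlines():
        m = WRITE_RE.match(line.strip())
        if not m:
            continue
        parent, child, _source, target = m.groups()
        entry = writes.setdefault(target, {"parent": int(parent), "child": int(child), "writes": 0})
        entry["writes"] += 1
    return writes


def correlate(drops, writes):
    """One record per dropped file: naming pattern, whether it was launched, child PID, write count."""
    records = []
    for path, _dropper in sorted(drops.items()):
        w = writes.get(path)
        records.append({
            "path": path,
            "random_name": bool(RANDOM_NAME_RE.match(path)),
            "launched": w is not None,
            "child_pid": w["child"] if w else None,
            "writes": w["writes"] if w else 0,
        })
    return records


def writes_histogram(records):
    """Distribution of writes per launched child. A flat distribution (every child gets
    the same small count) points at the process-creation path; an outlier child with many
    more writes is the one worth pulling dumps for."""
    return dict(Counter(r["writes"] for r in records if r["launched"]))


if __name__ == "__main__":
    recs = correlate(parse_drops(DROP_ROWS), parse_writes(WRITE_ROWS))
    for r in recs:
        state = f"launched as PID {r['child_pid']} ({r['writes']} writes)" if r["launched"] else "dropped, not launched"
        print(f"{r['path']}: {state}; random-name pattern: {r['random_name']}")
    print("writes per child:", writes_histogram(recs))
```

In the excerpt JJdeuwn.exe is dropped but has no write rows, so it is reported as "dropped, not launched"; in the full table above every one of the 21 drops is launched, which is the answer the join should give before anyone concludes the sample is a dropper that simply executes what it writes.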

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\vOrpsMG.exe

C:\Windows\System\vOrpsMG.exe

C:\Windows\System\TIRnwUu.exe

C:\Windows\System\TIRnwUu.exe

C:\Windows\System\ZDrxZew.exe

C:\Windows\System\ZDrxZew.exe

C:\Windows\System\bimROGZ.exe

C:\Windows\System\bimROGZ.exe

C:\Windows\System\ovNMJGd.exe

C:\Windows\System\ovNMJGd.exe

C:\Windows\System\esjbvZP.exe

C:\Windows\System\esjbvZP.exe

C:\Windows\System\AcNWdgT.exe

C:\Windows\System\AcNWdgT.exe

C:\Windows\System\RTIuzUa.exe

C:\Windows\System\RTIuzUa.exe

C:\Windows\System\QXRWdLc.exe

C:\Windows\System\QXRWdLc.exe

C:\Windows\System\HWHOvnF.exe

C:\Windows\System\HWHOvnF.exe

C:\Windows\System\RgeWCbN.exe

C:\Windows\System\RgeWCbN.exe

C:\Windows\System\wQiyXVq.exe

C:\Windows\System\wQiyXVq.exe

C:\Windows\System\NnrcvDC.exe

C:\Windows\System\NnrcvDC.exe

C:\Windows\System\lueruHE.exe

C:\Windows\System\lueruHE.exe

C:\Windows\System\OBxmEzh.exe

C:\Windows\System\OBxmEzh.exe

C:\Windows\System\JJdeuwn.exe

C:\Windows\System\JJdeuwn.exe

C:\Windows\System\PQhgzUz.exe

C:\Windows\System\PQhgzUz.exe

C:\Windows\System\dGkmDIM.exe

C:\Windows\System\dGkmDIM.exe

C:\Windows\System\YXqhHlp.exe

C:\Windows\System\YXqhHlp.exe

C:\Windows\System\YLiZEAy.exe

C:\Windows\System\YLiZEAy.exe

C:\Windows\System\lZstcZe.exe

C:\Windows\System\lZstcZe.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
(6 identical connections collapsed; the Domain column is empty for all of them, so the sample connected to the IP address directly without a recorded DNS lookup.)

Files

memory/2208-0-0x000000013F490000-0x000000013F7E4000-memory.dmp

memory/2208-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\vOrpsMG.exe

MD5 ee9e7472e76da40537bbc96bfb54de3d
SHA1 fa595f4ff2e120510f61fd2e9074a7a0bab5780f
SHA256 62c711f0d3290c9440ce0a3df9fc2247a55a1b4becd87a319d7290b43b2fe50d
SHA512 d6e769550cd28b6b07519d7e1de3d575fd75f8f9349ddc54cb6fc6e941598dd1041939a814387567c27508ace38b80d8f16acf927603721a5846ca8e9bb22b20

\Windows\system\ZDrxZew.exe

MD5 950b376a5eb2410c9e55db31b5a8975e
SHA1 a893e0400fa4aed801d9365e8675c9d08b21d42c
SHA256 f064803086fb70ae5b5b30c33dd89d112ca77107781a6529bbf7bcd63ba05ac9
SHA512 27aee2e52f357640ca002bc40bd1e7c3f6364fb1a9ac186d27d46b5190d0fde6462e45f196b67c06bf0acb26c6c392ff5def1b9fd7c757f09ee6b3455191a323

memory/2752-12-0x000000013F560000-0x000000013F8B4000-memory.dmp

\Windows\system\TIRnwUu.exe

MD5 7315a23db3a927a0a253eb81b91f3592
SHA1 a7efde3b384588034764b7874d2062b30aa49667
SHA256 dbf6ca9515b10a9fbd374fe3ae1dba67452c292bf69c3290fb411986a57161ae
SHA512 d020ad356d1428b7346d1477ea760bcc1fd5950189568fcfb0c32e4b7aa157b359b709e0853bf4ee3c5288fd690ed5933818399ff2edcdb0348bbd109555fd76

memory/2828-23-0x000000013FD50000-0x00000001400A4000-memory.dmp

memory/2836-21-0x000000013F230000-0x000000013F584000-memory.dmp

memory/2208-18-0x00000000023B0000-0x0000000002704000-memory.dmp

memory/2208-17-0x000000013FD50000-0x00000001400A4000-memory.dmp

memory/2208-7-0x00000000023B0000-0x0000000002704000-memory.dmp

\Windows\system\bimROGZ.exe

MD5 9d5a4941f675b993e492a799163027b1
SHA1 e2015d8742dae6819846e7cd809edf2095f5e990
SHA256 8822c6f1637ae0ea330d9c5f8e2b9f529e04fb200f81b324f591ddfc8aa14700
SHA512 875d8f9413cb1185152f17e880c4d7a9de29dd326a7481dd9a09e5fce01230eb1f42654a544ee1f16e393f485ab2698c58179b7d4073412e4027ea4d8c43bc71

\Windows\system\ovNMJGd.exe

MD5 f4d6e972b2ec8aa065f39ea022d85fca
SHA1 47f913b9407d39105adf9c7da601bdda3015c263
SHA256 d9e907aeb0ab3c392a1b53a57de2dab40ecdcd3edcd32086e62b0e41cf823dc9
SHA512 da4b874cd03cd316db0d85ad3fe86d050052cf4cde45d61c2953c35c6736a60172eca1baeba322e48d5b04742629209b3cbc68e7723d93f6539f12f0c283ce10

memory/2208-35-0x000000013FC10000-0x000000013FF64000-memory.dmp

memory/2052-39-0x000000013FC10000-0x000000013FF64000-memory.dmp

C:\Windows\system\esjbvZP.exe

MD5 966f4539a03ea29bf3bfbdada921efbb
SHA1 fcf9ae9670284d310edd82ba73dd72d728703110
SHA256 ecf023949ebee3a78dfdf4473648d15c804ffdfe9daab05c00e15afb01d2cf32
SHA512 decc1845dbb688838d4c8e316d40512dfb7a378e22d57e17038ac1774aa6e88f65def6ba8af4e7c086e77c59b0181cfe1600d817d0c627c65e20ced64ca72cef

C:\Windows\system\AcNWdgT.exe

MD5 a1dca10f43022f31c96ac73167eefbe8
SHA1 05cb4d5c79f010fc92dbe25d24f3a11473fac017
SHA256 349b66524495066e6546112460f0312b21a437ac9eec6d556c46e6cf999458b9
SHA512 a3ba6dba0fd9ac5917321e6d7bdf74e5692e829dc590d4369808a8b4489085980c8b62a19856ebab4eb3111c1ee5f213cc536317e8c1696cad8a6d6fe7597750

memory/2632-47-0x000000013FC20000-0x000000013FF74000-memory.dmp

memory/2208-46-0x000000013F930000-0x000000013FC84000-memory.dmp

memory/2672-51-0x000000013F7B0000-0x000000013FB04000-memory.dmp

memory/2208-50-0x00000000023B0000-0x0000000002704000-memory.dmp

memory/2644-45-0x000000013F930000-0x000000013FC84000-memory.dmp

memory/2208-40-0x000000013FC20000-0x000000013FF74000-memory.dmp

\Windows\system\RTIuzUa.exe

MD5 db0cafcd6953144e72ac77ba7b53b65f
SHA1 40d4f7b335a2ae9b429e442428f97ff218326e8c
SHA256 9aff080617571ab6d87d986d0cbce9819327ea12bd7eb4ed26bb82c45175b7bd
SHA512 ea40e869072f6eed7dde78a926177a74c35a761a2d9448f50a7c11aa4221fbf1fb5edf464906abee8a4094d99b45f8b162ff389d0646d5b35367ebf8a4e80ff6

memory/2168-57-0x000000013F140000-0x000000013F494000-memory.dmp

\Windows\system\QXRWdLc.exe

MD5 ec6449498347b257d9fb57b114bbf55a
SHA1 633542dbdd1adf286c016231fae2b743b11a5b7f
SHA256 d5ca09f1b6d7deb71e8901f4c5e4685062ede8130dc6e1fb36c2f5f9134be98b
SHA512 9d27b76dd98ecdd667f61218091da28864d25b0e39931b0b4ed43ffb3245dc5fefede17114556f1318e7e594dcbde5d5f1c275eba780bf676caaa6d8b3aed719

memory/2208-63-0x00000000023B0000-0x0000000002704000-memory.dmp

memory/2208-64-0x000000013F490000-0x000000013F7E4000-memory.dmp

memory/572-65-0x000000013F650000-0x000000013F9A4000-memory.dmp

C:\Windows\system\HWHOvnF.exe

MD5 8a8c3422bfc29a770f00c4f90289cd70
SHA1 b55db37e2828bd1d614f2b237620d4670fd83258
SHA256 ebc0804c7552c739daf87639f2277b5948a5a2ece89d4193c8d1d5681a35f848
SHA512 6b91e05ee778445f94629cd91f9fadf1d5e4e3d8763909a508433e12b8bbccbf2f66a8971d1e9d4be4f6f1353ef2e997b16efa77bc445a32270ab81b018c12c3

memory/2752-71-0x000000013F560000-0x000000013F8B4000-memory.dmp

memory/2292-73-0x000000013FA40000-0x000000013FD94000-memory.dmp

memory/2208-72-0x000000013FA40000-0x000000013FD94000-memory.dmp

memory/2208-87-0x00000000023B0000-0x0000000002704000-memory.dmp

C:\Windows\system\NnrcvDC.exe

MD5 fca2d8f931ae3d73ce3a2ec6c92699f0
SHA1 b1e71bf5f65de1dc493d93adca07209aacc044b8
SHA256 d413fae0cbce972cd6e9dd6ec168157e5e9b614e60d39b21545008561c9fbca1
SHA512 a4c350be5a0ab289b6c8fa674e42dbecb9d368f7fff7adbaf1283f319338475f815501f310f86432a8a0afdc396cdcf3216d16d17aef89b4eface5845777677c

memory/2704-80-0x000000013F3C0000-0x000000013F714000-memory.dmp

memory/2208-79-0x00000000023B0000-0x0000000002704000-memory.dmp

memory/2972-97-0x000000013FBC0000-0x000000013FF14000-memory.dmp

memory/2208-96-0x000000013FBC0000-0x000000013FF14000-memory.dmp

memory/2828-94-0x000000013FD50000-0x00000001400A4000-memory.dmp

memory/2836-78-0x000000013F230000-0x000000013F584000-memory.dmp

memory/2492-89-0x000000013F220000-0x000000013F574000-memory.dmp

memory/2208-88-0x00000000023B0000-0x0000000002704000-memory.dmp

C:\Windows\system\wQiyXVq.exe

MD5 ff17dc9355b6ac10aadcf233a156e5bb
SHA1 8e33cc2e2a40a0073042a9c4ff83dfd99065e3cd
SHA256 88a57b20b1fce993d0bb1310ea5fb02eac78b9013a3b48f74ff1a36c2f3daf8c
SHA512 a11e1697e200dd01fadbbe31b1ea3b56a2c843039c0f38ccf40455a06d7b28a8ac87df4697ed21987d4e18610fd1609aef31b35bd46c8c2284ceee2c0c300eb5

C:\Windows\system\RgeWCbN.exe

MD5 66faa074353cb8f06141ef11d3da5d9d
SHA1 93721ebae146a9da9392a0d9593031dfaa5b3a0b
SHA256 3807b992a3afef06da4bfdf4f7648f941d4927dc07a0bd739085e27efbeab384
SHA512 27e12578d83034f474e03e69910fabf686e3b5a1f664c43be9f358127c57d34d7ed3b2b62882a70ad7da281357840edc1fcb288731f440ca215573896a3e7d75

\Windows\system\lueruHE.exe

MD5 8511ca951c8921c4215cf6a4a2aec7db
SHA1 c65e7a282967ce093e8b9261b6c7ceb8cac547c6
SHA256 647fd61070a8703771042336dad20788c164d3115cccc9c3dc0f829c8e487487
SHA512 3e69f6732e7d00b969a61e25dabd4b6d2ee799b9a0fd83f84352b701e7b901c5a86ef7362a3e780bad91094c1a814d31ca30bf0e0100174e0ca6605aeb143617

C:\Windows\system\OBxmEzh.exe

MD5 aed71f971f06b648139c0e3beaabacf6
SHA1 62f1eb75bf8c663c3a8179ee355d4f64e77d0390
SHA256 9c5180aaa3260957ffa6a7363cd9b0490a06441e781b1a3bed904ff459010724
SHA512 8ab15081adc7341624ff17657e7e35b107ba31312fb9b2fd0dc4a92dbb5b426dec93e18f2d510ca20f48172a79f2356033180af1d4a3f925a371959a74922521

C:\Windows\system\PQhgzUz.exe

MD5 eb35d7012470f28b07f7f30074c787c4
SHA1 8cf5e4f479e1fa30b1311c247273079f3fae0170
SHA256 c77c6033b5dc1e42c7e7ee760b73ef91035940c712b09e00cc455932efc3000a
SHA512 3beaf188e558d2cce4acf5800dca3cf6186bd699af17aa723765f5abbecc049966375495d1564779984371f56aff02fb90f361ffcfef67d7990af9a09a1655f1

C:\Windows\system\YLiZEAy.exe

MD5 911d08148edc09ded0b8457ee7bc0adb
SHA1 e108eef8e38ad4f9e8ef61668e80aed6dad35117
SHA256 a13eb827b0e7380067da9eb22a13e25c335f333bb995d418eb7206b2a55e16fb
SHA512 cb2d84b62bc57e1ec16f811a7e298e3a5c42b170303fe5caa9a06650127d1e48569744f3aba333f3318f0714f418d5471bcbed4ac4295f2b16df9469362939da

\Windows\system\lZstcZe.exe

MD5 aa4d46691abece6940178e17fedd2a1d
SHA1 f1f420b75e9bdc8530a4da158d0244ece1449192
SHA256 bb28997da966650c5d849ceb549997fed1d6db31f1113e1ad6f6032f62f9e06a
SHA512 5241999818dbe8f1576f3816fdbd74c848b6f198c7a843df8961bb41681dbd1ab8216157ca2772132841fe53195ffc21cd9228f6ae44da68f103a6caf3745d9a

C:\Windows\system\YXqhHlp.exe

MD5 19d09261ff28ef11b78cf8f594b9f5fb
SHA1 6b8c511e83dcd57bfa58f7590e7c10acee56c63f
SHA256 8068795370b7afcfe30ccb018ba60b9ae7fa6cf7d342f16fccd497844cd0c0c0
SHA512 46b2f2795ca04ea3d3503f7dca1ca9ff750c5a00a6975af93162a713f87ade827af0c5e34f0a60028faa8432c4f4a018b0e927955f7b4ac569a3140c35bfda51

C:\Windows\system\dGkmDIM.exe

MD5 a789fb6cf14e8ee0386930c7f27b3d09
SHA1 dc47c5a86f2895bb2493af184bb0e877b3b592aa
SHA256 25294402529b4dbef89680b875348bb9d894e1864cd10bcc18aa6e03960d6979
SHA512 9927bdc46c29426baf1a0c0d302051f18b8a53438ca7ffec7b0e2b83460939d7479f70fad57ea9a69ec2e5892581d474362ea72806fff40d89a2803d0039df05

C:\Windows\system\JJdeuwn.exe

MD5 3d96b3db69d833e1a97de71ee722b535
SHA1 c4f32bf260c986b2d9ea6c2c1d9488cf0e357b82
SHA256 30b7b5c989e8e93f1547e7b2b03b9afb4512f64e13c67081f00ba4d67ac7b5c1
SHA512 d16a8ff7754b80a136db2322ce02ca90ef14bdd626d788447a228e3774cf38e90d7624c201e32d018f19a211bfa65d35a1805483afae791a6be9543f1cdd92bc

memory/2024-138-0x000000013F0C0000-0x000000013F414000-memory.dmp

memory/2208-137-0x000000013F0C0000-0x000000013F414000-memory.dmp

memory/2208-139-0x000000013FE30000-0x0000000140184000-memory.dmp

memory/2208-140-0x00000000023B0000-0x0000000002704000-memory.dmp

memory/2168-141-0x000000013F140000-0x000000013F494000-memory.dmp

memory/2208-142-0x000000013FA40000-0x000000013FD94000-memory.dmp

memory/2704-143-0x000000013F3C0000-0x000000013F714000-memory.dmp

memory/2208-144-0x000000013FBC0000-0x000000013FF14000-memory.dmp

memory/2208-145-0x000000013F0C0000-0x000000013F414000-memory.dmp

memory/2208-146-0x000000013FE30000-0x0000000140184000-memory.dmp

memory/2752-147-0x000000013F560000-0x000000013F8B4000-memory.dmp

memory/2836-148-0x000000013F230000-0x000000013F584000-memory.dmp

memory/2828-149-0x000000013FD50000-0x00000001400A4000-memory.dmp

memory/2052-150-0x000000013FC10000-0x000000013FF64000-memory.dmp

memory/2632-151-0x000000013FC20000-0x000000013FF74000-memory.dmp

memory/2644-152-0x000000013F930000-0x000000013FC84000-memory.dmp

memory/2672-153-0x000000013F7B0000-0x000000013FB04000-memory.dmp

memory/2168-154-0x000000013F140000-0x000000013F494000-memory.dmp

memory/572-155-0x000000013F650000-0x000000013F9A4000-memory.dmp

memory/2292-156-0x000000013FA40000-0x000000013FD94000-memory.dmp

memory/2704-157-0x000000013F3C0000-0x000000013F714000-memory.dmp

memory/2492-158-0x000000013F220000-0x000000013F574000-memory.dmp

memory/2972-159-0x000000013FBC0000-0x000000013FF14000-memory.dmp

memory/2024-160-0x000000013F0C0000-0x000000013F414000-memory.dmp
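
Two checks that a practitioner would run on the Files section above, as an added example that is not part of the original report. First, the dump names encode a PID and an address range, and the arithmetic is worth doing: the parent's index-0 dump (0x13F490000 to 0x13F7E4000) is 0x354000 bytes, every child PID in the list has a dump of exactly that size, and the parent also holds a private 0x354000-byte region at 0x23B0000 (dump index 7). Equal sizes are a fact of the report; that the parent stages a copy of the payload image there and writes it out as each dropped file is a hypothesis to confirm by diffing the dumps, which is why the code reports the regions rather than asserting the interpretation. Second, every hash should be length-checked before it is exported as an IOC, since a dropped character in a 128-character SHA512 is easy to miss by eye. The script parses a constructed excerpt of the section (a subset of the lines above, values copied from the report); all function and constant names are ours.

```python
import re
from collections import defaultdict

# Constructed excerpt of the Files section above (a subset; values are the report's own).
FILES_EXCERPT = r"""
memory/2208-0-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/2208-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\vOrpsMG.exe
MD5 ee9e7472e76da40537bbc96bfb54de3d
SHA1 fa595f4ff2e120510f61fd2e9074a7a0bab5780f
SHA256 62c711f0d3290c9440ce0a3df9fc2247a55a1b4becd87a319d7290b43b2fe50d
SHA512 d6e769550cd28b6b07519d7e1de3d575fd75f8f9349ddc54cb6fc6e941598dd1041939a814387567c27508ace38b80d8f16acf927603721a5846ca8e9bb22b20
memory/2752-12-0x000000013F560000-0x000000013F8B4000-memory.dmp
\Windows\system\TIRnwUu.exe
MD5 7315a23db3a927a0a253eb81b91f3592
SHA1 a7efde3b384588034764b7874d2062b30aa49667
SHA256 dbf6ca9515b10a9fbd374fe3ae1dba67452c292bf69c3290fb411986a57161ae
memory/2828-23-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/2836-21-0x000000013F230000-0x000000013F584000-memory.dmp
memory/2208-7-0x00000000023B0000-0x0000000002704000-memory.dmp
C:\Windows\system\esjbvZP.exe
MD5 966f4539a03ea29bf3bfbdada921efbb
SHA1 fcf9ae9670284d310edd82ba73dd72d728703110
SHA256 ecf023949ebee3a78dfdf4473648d15c804ffdfe9daab05c00e15afb01d2cf32
memory/2632-47-0x000000013FC20000-0x000000013FF74000-memory.dmp
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# The sandbox writes dropped paths both with and without the drive letter.
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\Windows\\system\\([^\\]+\.exe)$", re.IGNORECASE)
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Return (regions, files). regions: list of (pid, index, start, end) from dump names.
    files: dropped-file name -> {algo: hexdigest}; digests are length-checked on the way in."""
    regions, files, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            regions.append((int(pid), int(idx), int(start, 16), int(end, 16)))
            current = None
            continue
        m = PATH_RE.match(line)
        if m:
            current = m.group(1)
            files[current] = {}
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.groups()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{current}: {algo} has {len(digest)} hex chars, expected {HASH_LEN[algo]}")
            files[current][algo] = digest.lower()
    return regions, files


def region_sizes_by_pid(regions):
    """PID -> set of dumped region sizes in bytes."""
    sizes = defaultdict(set)
    for pid, _idx, start, end in regions:
        sizes[pid].add(end - start)
    return dict(sizes)


def children_sharing_parent_image(regions, parent_pid):
    """Size of the parent's index-0 dump (its main image), the other PIDs that have a dump
    of exactly that size, and the other PIDs that do not."""
    main = [r for r in regions if r[0] == parent_pid and r[1] == 0]
    if not main:
        raise ValueError(f"no index-0 dump for PID {parent_pid}")
    image_size = main[0][3] - main[0][2]
    sizes = region_sizes_by_pid(regions)
    others = {pid for pid in sizes if pid != parent_pid}
    matching = {pid for pid in others if image_size in sizes[pid]}
    return image_size, matching, others - matching


def private_copies(regions, parent_pid, image_size):
    """Parent regions other than the main image that are exactly image-sized: candidates
    for a staged copy of the payload, to be confirmed by diffing against the dropped files."""
    return [(idx, start) for pid, idx, start, end in regions
            if pid == parent_pid and idx != 0 and end - start == image_size]


def sha256_iocs(files):
    """Sorted, de-duplicated SHA256 list ready for a blocklist or a hunt query."""
    return sorted({h["SHA256"] for h in files.values() if "SHA256" in h})


if __name__ == "__main__":
    regs, fl = parse_files_section(FILES_EXCERPT)
    size, ok, bad = children_sharing_parent_image(regs, 2208)
    print(f"parent image 0x{size:X} bytes; children with a same-size region: {sorted(ok)}; without: {sorted(bad)}")
    print("parent image-sized private regions:", [(i, hex(s)) for i, s in private_copies(regs, 2208, size)])
    print("SHA256 IOCs:", sha256_iocs(fl))
```

Run against the full section, the same functions give 21 distinct SHA256 values for 21 dropped files of identical size, which is the detail that matters when writing detections: hash-based blocking will not hold across drops, while the image size, the C:\Windows\System\ location and the seven-letter names will.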