Malware Analysis Report

2025-01-22 19:30

Sample ID: 240807-2l9ytsyhkg
Target: 2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat
SHA256: 91d7cade90470f4bbbd6a2196d178acd9868110d6d7602499812ffb8ed943f5a
Tags: cobaltstrike xmrig 0 backdoor miner trojan upx
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Xmrig family

Cobalt Strike reflective loader

xmrig

Cobaltstrike family

XMRig Miner payload

Cobaltstrike

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-08-07 22:41

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-07 22:41
Reported: 2024-08-07 22:43
Platform: win10v2004-20240802-en
Max time kernel: 142s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\KSXMITS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cdPbIHA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DADTbER.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kktvIEP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vJHiXiM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VPBzrRC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fVfBCmg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ycabdmf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ojzUkDS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zZCKyAM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hzujaRQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wyHbLYg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WEIRxMZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qOFndhT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mkjTIoq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TSlEsvS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tBZYHoj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sJUxpXu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eBbwfhB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pKsVCjR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wwfZYdd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2604 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TSlEsvS.exe
PID 2604 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wwfZYdd.exe
PID 2604 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ojzUkDS.exe
PID 2604 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tBZYHoj.exe
PID 2604 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zZCKyAM.exe
PID 2604 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kktvIEP.exe
PID 2604 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KSXMITS.exe
PID 2604 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ycabdmf.exe
PID 2604 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vJHiXiM.exe
PID 2604 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VPBzrRC.exe
PID 2604 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sJUxpXu.exe
PID 2604 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fVfBCmg.exe
PID 2604 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hzujaRQ.exe
PID 2604 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wyHbLYg.exe
PID 2604 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cdPbIHA.exe
PID 2604 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eBbwfhB.exe
PID 2604 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WEIRxMZ.exe
PID 2604 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pKsVCjR.exe
PID 2604 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DADTbER.exe
PID 2604 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qOFndhT.exe
PID 2604 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mkjTIoq.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\TSlEsvS.exe

C:\Windows\System\wwfZYdd.exe

C:\Windows\System\ojzUkDS.exe

C:\Windows\System\tBZYHoj.exe

C:\Windows\System\zZCKyAM.exe

C:\Windows\System\kktvIEP.exe

C:\Windows\System\KSXMITS.exe

C:\Windows\System\ycabdmf.exe

C:\Windows\System\vJHiXiM.exe

C:\Windows\System\VPBzrRC.exe

C:\Windows\System\sJUxpXu.exe

C:\Windows\System\fVfBCmg.exe

C:\Windows\System\hzujaRQ.exe

C:\Windows\System\wyHbLYg.exe

C:\Windows\System\cdPbIHA.exe

C:\Windows\System\eBbwfhB.exe

C:\Windows\System\WEIRxMZ.exe

C:\Windows\System\pKsVCjR.exe

C:\Windows\System\DADTbER.exe

C:\Windows\System\qOFndhT.exe

C:\Windows\System\mkjTIoq.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-07 22:41
Reported: 2024-08-07 22:43
Platform: win7-20240708-en
Max time kernel: 142s
Max time network: 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\wyHbLYg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pKsVCjR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qOFndhT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TSlEsvS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zZCKyAM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KSXMITS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fVfBCmg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cdPbIHA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wwfZYdd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tBZYHoj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ycabdmf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VPBzrRC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WEIRxMZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DADTbER.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mkjTIoq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kktvIEP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vJHiXiM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sJUxpXu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eBbwfhB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ojzUkDS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hzujaRQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2088 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TSlEsvS.exe
PID 2088 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wwfZYdd.exe
PID 2088 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ojzUkDS.exe
PID 2088 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tBZYHoj.exe
PID 2088 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zZCKyAM.exe
PID 2088 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kktvIEP.exe
PID 2088 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KSXMITS.exe
PID 2088 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ycabdmf.exe
PID 2088 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vJHiXiM.exe
PID 2088 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VPBzrRC.exe
PID 2088 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sJUxpXu.exe
PID 2088 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fVfBCmg.exe
PID 2088 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hzujaRQ.exe
PID 2088 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wyHbLYg.exe
PID 2088 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cdPbIHA.exe
PID 2088 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eBbwfhB.exe
PID 2088 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WEIRxMZ.exe
PID 2088 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pKsVCjR.exe
PID 2088 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DADTbER.exe
PID 2088 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qOFndhT.exe
PID 2088 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mkjTIoq.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\TSlEsvS.exe

C:\Windows\System\TSlEsvS.exe

C:\Windows\System\wwfZYdd.exe

C:\Windows\System\wwfZYdd.exe

C:\Windows\System\ojzUkDS.exe

C:\Windows\System\ojzUkDS.exe

C:\Windows\System\tBZYHoj.exe

C:\Windows\System\tBZYHoj.exe

C:\Windows\System\zZCKyAM.exe

C:\Windows\System\zZCKyAM.exe

C:\Windows\System\kktvIEP.exe

C:\Windows\System\kktvIEP.exe

C:\Windows\System\KSXMITS.exe

C:\Windows\System\KSXMITS.exe

C:\Windows\System\ycabdmf.exe

C:\Windows\System\ycabdmf.exe

C:\Windows\System\vJHiXiM.exe

C:\Windows\System\vJHiXiM.exe

C:\Windows\System\VPBzrRC.exe

C:\Windows\System\VPBzrRC.exe

C:\Windows\System\sJUxpXu.exe

C:\Windows\System\sJUxpXu.exe

C:\Windows\System\fVfBCmg.exe

C:\Windows\System\fVfBCmg.exe

C:\Windows\System\hzujaRQ.exe

C:\Windows\System\hzujaRQ.exe

C:\Windows\System\wyHbLYg.exe

C:\Windows\System\wyHbLYg.exe

C:\Windows\System\cdPbIHA.exe

C:\Windows\System\cdPbIHA.exe

C:\Windows\System\eBbwfhB.exe

C:\Windows\System\eBbwfhB.exe

C:\Windows\System\WEIRxMZ.exe

C:\Windows\System\WEIRxMZ.exe

C:\Windows\System\pKsVCjR.exe

C:\Windows\System\pKsVCjR.exe

C:\Windows\System\DADTbER.exe

C:\Windows\System\DADTbER.exe

C:\Windows\System\qOFndhT.exe

C:\Windows\System\qOFndhT.exe

C:\Windows\System\mkjTIoq.exe

C:\Windows\System\mkjTIoq.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files
