Malware Analysis Report

2025-01-22 19:23

Sample ID 240807-zhzbtaterm
Target 2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat
SHA256 f6ead074c05299d334deca323435b92987862f1efef747ab2011a9277ccf3545
Tags
miner upx 0 xmrig cobaltstrike backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f6ead074c05299d334deca323435b92987862f1efef747ab2011a9277ccf3545

Threat Level: Known bad

The file 2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

miner upx 0 xmrig cobaltstrike backdoor trojan

Cobaltstrike

XMRig Miner payload

Cobalt Strike reflective loader

Cobaltstrike family

xmrig

Xmrig family

XMRig Miner payload

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-07 20:43

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-07 20:43

Reported

2024-08-07 20:46

Platform

win7-20240705-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\SBvxVzx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MWuEwkR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jBtWjPs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\okGEKLi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CXjTJmS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZZvxHgC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\POfRPmH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NfRRmLS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WliOoEU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CxnqFUB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MavSWKs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZaucKlA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qwZzDJI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qZaMLRC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zOHapuq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zdlaUun.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iqPzFti.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZzPSRcg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GRmvVFW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gWRLvBM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cPxjvPy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZzPSRcg.exe
PID 2124 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZzPSRcg.exe
PID 2124 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZzPSRcg.exe
PID 2124 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SBvxVzx.exe
PID 2124 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SBvxVzx.exe
PID 2124 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SBvxVzx.exe
PID 2124 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CxnqFUB.exe
PID 2124 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CxnqFUB.exe
PID 2124 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CxnqFUB.exe
PID 2124 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MavSWKs.exe
PID 2124 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MavSWKs.exe
PID 2124 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MavSWKs.exe
PID 2124 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GRmvVFW.exe
PID 2124 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GRmvVFW.exe
PID 2124 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GRmvVFW.exe
PID 2124 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZaucKlA.exe
PID 2124 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZaucKlA.exe
PID 2124 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZaucKlA.exe
PID 2124 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qwZzDJI.exe
PID 2124 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qwZzDJI.exe
PID 2124 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qwZzDJI.exe
PID 2124 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gWRLvBM.exe
PID 2124 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gWRLvBM.exe
PID 2124 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gWRLvBM.exe
PID 2124 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cPxjvPy.exe
PID 2124 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cPxjvPy.exe
PID 2124 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cPxjvPy.exe
PID 2124 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZZvxHgC.exe
PID 2124 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZZvxHgC.exe
PID 2124 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZZvxHgC.exe
PID 2124 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\POfRPmH.exe
PID 2124 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\POfRPmH.exe
PID 2124 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\POfRPmH.exe
PID 2124 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qZaMLRC.exe
PID 2124 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qZaMLRC.exe
PID 2124 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qZaMLRC.exe
PID 2124 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NfRRmLS.exe
PID 2124 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NfRRmLS.exe
PID 2124 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NfRRmLS.exe
PID 2124 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zOHapuq.exe
PID 2124 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zOHapuq.exe
PID 2124 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zOHapuq.exe
PID 2124 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zdlaUun.exe
PID 2124 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zdlaUun.exe
PID 2124 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zdlaUun.exe
PID 2124 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WliOoEU.exe
PID 2124 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WliOoEU.exe
PID 2124 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WliOoEU.exe
PID 2124 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iqPzFti.exe
PID 2124 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iqPzFti.exe
PID 2124 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iqPzFti.exe
PID 2124 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MWuEwkR.exe
PID 2124 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MWuEwkR.exe
PID 2124 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MWuEwkR.exe
PID 2124 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jBtWjPs.exe
PID 2124 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jBtWjPs.exe
PID 2124 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jBtWjPs.exe
PID 2124 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CXjTJmS.exe
PID 2124 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CXjTJmS.exe
PID 2124 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CXjTJmS.exe
PID 2124 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\okGEKLi.exe
PID 2124 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\okGEKLi.exe
PID 2124 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\okGEKLi.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\ZzPSRcg.exe

C:\Windows\System\ZzPSRcg.exe

C:\Windows\System\SBvxVzx.exe

C:\Windows\System\SBvxVzx.exe

C:\Windows\System\CxnqFUB.exe

C:\Windows\System\CxnqFUB.exe

C:\Windows\System\MavSWKs.exe

C:\Windows\System\MavSWKs.exe

C:\Windows\System\GRmvVFW.exe

C:\Windows\System\GRmvVFW.exe

C:\Windows\System\ZaucKlA.exe

C:\Windows\System\ZaucKlA.exe

C:\Windows\System\qwZzDJI.exe

C:\Windows\System\qwZzDJI.exe

C:\Windows\System\gWRLvBM.exe

C:\Windows\System\gWRLvBM.exe

C:\Windows\System\cPxjvPy.exe

C:\Windows\System\cPxjvPy.exe

C:\Windows\System\ZZvxHgC.exe

C:\Windows\System\ZZvxHgC.exe

C:\Windows\System\POfRPmH.exe

C:\Windows\System\POfRPmH.exe

C:\Windows\System\qZaMLRC.exe

C:\Windows\System\qZaMLRC.exe

C:\Windows\System\NfRRmLS.exe

C:\Windows\System\NfRRmLS.exe

C:\Windows\System\zOHapuq.exe

C:\Windows\System\zOHapuq.exe

C:\Windows\System\zdlaUun.exe

C:\Windows\System\zdlaUun.exe

C:\Windows\System\WliOoEU.exe

C:\Windows\System\WliOoEU.exe

C:\Windows\System\iqPzFti.exe

C:\Windows\System\iqPzFti.exe

C:\Windows\System\MWuEwkR.exe

C:\Windows\System\MWuEwkR.exe

C:\Windows\System\jBtWjPs.exe

C:\Windows\System\jBtWjPs.exe

C:\Windows\System\CXjTJmS.exe

C:\Windows\System\CXjTJmS.exe

C:\Windows\System\okGEKLi.exe

C:\Windows\System\okGEKLi.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2124-0-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

memory/2124-1-0x00000000001F0000-0x0000000000200000-memory.dmp

\Windows\system\ZzPSRcg.exe

MD5 565f05945debf33abc80126e0e2cbd42
SHA1 07146e6d88252aab96b0a50e1b2291ba0a5578f7
SHA256 9ecad043ca27e533e411e944d0ad7e849227d154e66c9eea7cb8861848c7278f
SHA512 160bba0f07577d69ab3b1fe6239310fdfd1c2b6ce653b17d94c5495f3273fb58d5972466400b7d6bea5262dc2900b2d897513cf7b85d8b0634a74374b083ee92

\Windows\system\SBvxVzx.exe

MD5 d339586cf47263de70ac981286b78bcf
SHA1 8e78c2841d265606da957168b41e1e537dd539e6
SHA256 b0081e3b05b363bdefce81de371e7319e152f9482756eace8f6629a751394b51
SHA512 c7aa8756d022336abcb1629aa46ab32e9c5d2e5ea8d83fc515165317572d1f4d8ff383851571669136f82a42eda3ead18a10f46699b6357947dbace0dbe762fc

memory/2124-20-0x00000000023D0000-0x0000000002724000-memory.dmp

memory/2124-17-0x000000013FEA0000-0x00000001401F4000-memory.dmp

\Windows\system\MavSWKs.exe

MD5 4fdf8aaad2b8e872efbbec9c915eed0d
SHA1 73eaa5a67f72e84c7e60588245771d86c7063edd
SHA256 f410d2bdb532a3ed333118e92add5fae0e8031dc338526051896e7861cb3795b
SHA512 dd068f14afeafde6aebeae4741814231efd82a316205034f625e6da37686de9e0c152f5e855af1717111e07f5cc54cbe9232a7380f85ee5646063f4de68a3e29

\Windows\system\GRmvVFW.exe

MD5 17a689f0b16ab658553e969cb0c0ae9c
SHA1 5b163fd229338ab6960513459e0d20f507b5caa1
SHA256 425452af2b79391dcdbfdb9b76665ecb68101bb9a69c31836678a0def30a8737
SHA512 0224e981f207011fbd7881df837a70c81bdd00f39cee404feb0ba4f95a580abc41e8cf48ac60645487fa689b4cba40e82b121ff17dcac935d8780ab51883bf55

\Windows\system\ZaucKlA.exe

MD5 944f346559d13277befc4dc34efdf29f
SHA1 98519aea1a7b0c7b17a22f2581c988378e68e1b1
SHA256 38470fef086830ae5faa5ef483cca3e4ae4cfc8c61cf7fb2c099f5390790565b
SHA512 c1b06a59ee152bc2a2f101626b9b2a2621983485a9e9b9aaa0f680d9fbee49fa7ffe894cd90b1735d1c5d97595bca8844d9c336a8b7eee32d710d4657f0db294

memory/2980-34-0x000000013F9D0000-0x000000013FD24000-memory.dmp

memory/2640-40-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/2124-39-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/2208-30-0x000000013F120000-0x000000013F474000-memory.dmp

memory/2976-29-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/2084-28-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2124-26-0x000000013F9D0000-0x000000013FD24000-memory.dmp

C:\Windows\system\CxnqFUB.exe

MD5 1fe2ea021e732f64efe50f960b79ec7b
SHA1 92ffff05445ab732658736387bb978d658618337
SHA256 cb186c7ffd677c6946cb9264037f4931f0dc83e49bb3ca9c0d6fbc42d53ef094
SHA512 02400bc7c170c97c7a1427672e7d4944d798dcc5629a6812b32bbf1bb360d9dfb9646b4d99e4f4ff183eb4b52f24eecb523fa34face7e546abf0a902b9d3bd28

memory/1576-13-0x000000013FBD0000-0x000000013FF24000-memory.dmp

C:\Windows\system\gWRLvBM.exe

MD5 1f31b4338984cb3a3fd99cb979fe8b37
SHA1 f2d24060bfaa87e09195c1fd07ebf9939a36a438
SHA256 ec61a414fac26859afe62a93febcb4215e0f36ba0ba75faee5330b467e008464
SHA512 5abb2fda26bc39a1a895903eba683d44ed980c54658068a52975427e974c49f443b34c59e78af8a5ba082bbba30b9aed205e7922651863f64e1f5c697e8b4f95

memory/2160-61-0x000000013FEC0000-0x0000000140214000-memory.dmp

C:\Windows\system\cPxjvPy.exe

MD5 a7fe8b816071c093c840d3e8acf02626
SHA1 7682860f305d617aa6623b512ccb97bed1ec3ee8
SHA256 fd44920cafd3792ee98a87b1ba908fde26a1e5d2019c31d9015b2919ce0f46a8
SHA512 820612064eefa9a828e3b248d5e5e1762aa02a285b8ce172929dd1fa974aba88f925cdd21edb6a00500443d15c5c6217af7ade3079eba9c2bb0441f9acb944b3

memory/2124-62-0x00000000023D0000-0x0000000002724000-memory.dmp

memory/2644-63-0x000000013F3D0000-0x000000013F724000-memory.dmp

memory/2124-57-0x000000013FEC0000-0x0000000140214000-memory.dmp

memory/2760-52-0x000000013F040000-0x000000013F394000-memory.dmp

C:\Windows\system\ZZvxHgC.exe

MD5 7164cd980c3fb8707e14150fac8d4f56
SHA1 04cd4db8d25b075a988b961e94d01bddb5f9db8d
SHA256 239792bc3f29aac690e750dfd6d6de47c8bc9fa385753e435008a0677d00ac8a
SHA512 28bb9aeb1737d56e8c0293f30a3fbf5ee03c3626f57a10c95088d6ef1fc3fbbabae1ebb5c2a6d67f9d0225882e3c3a3fb680635901a1446211b92f2e97e64164

memory/2124-69-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

memory/2124-48-0x000000013F040000-0x000000013F394000-memory.dmp

C:\Windows\system\POfRPmH.exe

MD5 73b6d199861f613913af0ffcc13fd8ba
SHA1 9ccd41b439901e95a9df7ed207ccfd40b1df899a
SHA256 4ba541fa40b6745f5d56bd7563639aac8cad32c1628092ffddf68e4db402fca6
SHA512 19a2a2a5c2bacf261c9ee9f8b722c9a1df580ea2e36345af064ea7ec8c481c2abbace0580611ba2a5db6ac0176f7ecd109a0386ca514cb8fff93e7dd89ec79fa

C:\Windows\system\NfRRmLS.exe

MD5 99996ea791ee926cb30f47f8f40304fb
SHA1 2e353f4f5c9c6e91724c5657dcd78ee6be5b3bac
SHA256 2982d15bdefa85b0190d3ef158b3230965f3c9e9af16a1df598f00ca0e5b4310
SHA512 fd97b1db74df270c270ff30028b331543611eb25ebd790b4aceb3a6b0a1d02bb8ee94d72b8d156d8ba0abd456c1942f7184b3e2e97bf64552c7db14b0ee6ff0d

memory/2124-92-0x00000000023D0000-0x0000000002724000-memory.dmp

memory/2124-104-0x00000000023D0000-0x0000000002724000-memory.dmp

memory/2188-85-0x000000013F1B0000-0x000000013F504000-memory.dmp

C:\Windows\system\zOHapuq.exe

MD5 3a2b52cc1fedef0ff4689b4187f18e40
SHA1 2d01d5db9ac05803bccac2a60ee75c2b0be27534
SHA256 8b22c150927a8987862e2eb53ffb1fc5311cc7adf6671f5cfea8be38245efcc8
SHA512 af6ec30d45597b177c69622e411202f72d23f169bb30182a009eef1958408dc7f775e2bdc78f7461d1c9fa308d52de4a2a2806aa2df95745587937aeb012995e

\Windows\system\CXjTJmS.exe

MD5 138e96df12b20b3546137d50afeebd8c
SHA1 679c73708bf4af7089dcb5e22c722fdb7e86b227
SHA256 94cad01dc9ab07af258d591fdb1b1543704620fb0cc4fae1aba7ba10d88f1cb8
SHA512 58d923b4f2fee21c1c51f4bb51b4ff324aad2d8c4b2dfc4771a271df4bb59a3bb1977423745d86ed6984d6710d9732f8bfeff39444a098c46e02b4900623ab54

C:\Windows\system\okGEKLi.exe

MD5 f7c67aa61a1eca01758afce1aa088a7e
SHA1 89eb9c81df6afbd63858e73bc0755d4f40ac6a64
SHA256 68e3642f52b74e1b17d7786da4d7aa7d4c528c548b2841b93c2df3057fa3308f
SHA512 fa5b38b1e4b6ef816d7699b9aeb13e8e8d9575e552c4b969d4b288bc3c149ce3f8672796ca393f06a0a433b7b1a69398b5d144bab92679b01e944951d6cc8792

C:\Windows\system\MWuEwkR.exe

MD5 fe74d98a260a45c6c7a9ed9cd528a83d
SHA1 af58b131174ddbe39fc0d4a5226689e5ace88bc1
SHA256 2851b205962f1fde2da47c0aa7d97da9502fcdde9795d7e6ae1b78ed99da1eeb
SHA512 730b48206f25c27304fbbf2edf238ba94d90b78a2eb62fadc9a3e41036cd4652ca2b745436e56f504ab142711423584e93343d78c59b68a93f6372330da9d6aa

C:\Windows\system\jBtWjPs.exe

MD5 5a01847bf0175084cd886354fe94e986
SHA1 277b52dd74eac983de217ba6ff90356f7ee49789
SHA256 e018fbe87b3f439492f23854d03bfcc2896cccc2e8e5a4549af628b682378766
SHA512 d8ba853d97df9d3547e522b91372a294fe5ee9ceecdbfb933a0984715842722aa998c1380e8e704327204b589743d60a1296fd85f600d680fcd9f6f5369f9fc8

C:\Windows\system\WliOoEU.exe

MD5 4099993801c402206690b85eb6c5bee5
SHA1 0dfac6aa0f5ff0df497c7f21aea3b8d43ae1b5cf
SHA256 d0e2a955c7cfc8fa5f9536f8fea08338552db0a5beab4eec2169ede8e67924cf
SHA512 728219553651af4851f8d7d68f8c0dd89ef51880d225f1224a81bcd4b129edddccb04da3890aa5f0c8e24c07a124842d620e6289e557ccaa30b9acf0b4b0413a

memory/2124-97-0x000000013FCB0000-0x0000000140004000-memory.dmp

C:\Windows\system\iqPzFti.exe

MD5 0438ae7cf080131d4b8c8e42cf9a102c
SHA1 27c1fcc2a9a6b3c5a06ebf515fffbd69e9fd741a
SHA256 b854834865a9b4241f60b1ed96f2ab4e919bd01c613d6193814a6d9d78abf5a3
SHA512 992fa6b34aa405937a62cbb4cdb9a53e6591cf92e5394b8c19c6a74d9e59236ba0024e03bafc31fcb3005237a4b65e6e60b630d8111f21bca65f29b5efdc11e6

memory/2124-84-0x00000000023D0000-0x0000000002724000-memory.dmp

memory/2300-105-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

memory/2640-137-0x000000013F840000-0x000000013FB94000-memory.dmp

C:\Windows\system\qZaMLRC.exe

MD5 192089e3adcaaa6cd4886b20dca09f8a
SHA1 6709121b981f2b1b4216a8782a43cd7c5ddea1fe
SHA256 6434fc3129ad56134a7186a74d48787c27748c41b704f6205543b955d9fc411e
SHA512 f1f6d32d7435619c231987d9029c0dac80f994874d6e021cb3cc425b53f9008014d7544652cbfd3ddd72139a43ac60976ca6557ffc905fb5bde099734276986a

memory/2980-103-0x000000013F9D0000-0x000000013FD24000-memory.dmp

C:\Windows\system\zdlaUun.exe

MD5 0027d873ab2f7d8afd194cbfa0feb5bd
SHA1 ca739d2961a7ef5c8b9e7704d32d5e68f4d17614
SHA256 bbbfce947708db221a0f1b0ec6322117003fafb94614e04fa16962081f7b5a5d
SHA512 ebb2f905bdce382c0e5dbfd88a9988c043e3b6958e9c97dfa97e913e2a02b32334286d4f6987165fa31eba17e47ced018ebef3bc3d61f616310c455822b3dec1

memory/1060-93-0x000000013F090000-0x000000013F3E4000-memory.dmp

memory/2436-79-0x000000013FFE0000-0x0000000140334000-memory.dmp

memory/2124-78-0x000000013FFE0000-0x0000000140334000-memory.dmp

memory/2536-72-0x000000013F980000-0x000000013FCD4000-memory.dmp

memory/2124-71-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/1576-70-0x000000013FBD0000-0x000000013FF24000-memory.dmp

\Windows\system\qwZzDJI.exe

MD5 d939a1ea8cb4a1da88f882caf5c2c94f
SHA1 ac047a6b8a36fae31ebc1dd09a4a7b44d6308e59
SHA256 a3e075ee0fbd3ccd9ef88518fe32b5e0f2c4e24e72ebf77254a040d3658e1520
SHA512 d98cfeca180b0c265e8f87e5794834ece642e1f16ac1af115eb6122d140e1d753bf889a7fe7b953406ed367826b760e13b44eef78d1d4fb5b953e4c83448c0bc

memory/2160-139-0x000000013FEC0000-0x0000000140214000-memory.dmp

memory/2124-138-0x000000013FEC0000-0x0000000140214000-memory.dmp

memory/2124-140-0x000000013FFE0000-0x0000000140334000-memory.dmp

memory/2124-141-0x00000000023D0000-0x0000000002724000-memory.dmp

memory/2188-142-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/2124-143-0x000000013FCB0000-0x0000000140004000-memory.dmp

memory/1576-144-0x000000013FBD0000-0x000000013FF24000-memory.dmp

memory/2208-145-0x000000013F120000-0x000000013F474000-memory.dmp

memory/2084-147-0x000000013FD30000-0x0000000140084000-memory.dmp

memory/2976-146-0x000000013FEA0000-0x00000001401F4000-memory.dmp

memory/2980-148-0x000000013F9D0000-0x000000013FD24000-memory.dmp

memory/2640-149-0x000000013F840000-0x000000013FB94000-memory.dmp

memory/2760-150-0x000000013F040000-0x000000013F394000-memory.dmp

memory/2160-151-0x000000013FEC0000-0x0000000140214000-memory.dmp

memory/2536-153-0x000000013F980000-0x000000013FCD4000-memory.dmp

memory/2644-152-0x000000013F3D0000-0x000000013F724000-memory.dmp

memory/2436-154-0x000000013FFE0000-0x0000000140334000-memory.dmp

memory/2188-155-0x000000013F1B0000-0x000000013F504000-memory.dmp

memory/1060-156-0x000000013F090000-0x000000013F3E4000-memory.dmp

memory/2300-157-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-07 20:43

Reported

2024-08-07 20:46

Platform

win10v2004-20240802-en

Max time kernel

140s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\okGEKLi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZzPSRcg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZaucKlA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cPxjvPy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZZvxHgC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jBtWjPs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MavSWKs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GRmvVFW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qwZzDJI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zOHapuq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WliOoEU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iqPzFti.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MWuEwkR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CXjTJmS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NfRRmLS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zdlaUun.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SBvxVzx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CxnqFUB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gWRLvBM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\POfRPmH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qZaMLRC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3252 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZzPSRcg.exe
PID 3252 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZzPSRcg.exe
PID 3252 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SBvxVzx.exe
PID 3252 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SBvxVzx.exe
PID 3252 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CxnqFUB.exe
PID 3252 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CxnqFUB.exe
PID 3252 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MavSWKs.exe
PID 3252 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MavSWKs.exe
PID 3252 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GRmvVFW.exe
PID 3252 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GRmvVFW.exe
PID 3252 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZaucKlA.exe
PID 3252 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZaucKlA.exe
PID 3252 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qwZzDJI.exe
PID 3252 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qwZzDJI.exe
PID 3252 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gWRLvBM.exe
PID 3252 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gWRLvBM.exe
PID 3252 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cPxjvPy.exe
PID 3252 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cPxjvPy.exe
PID 3252 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZZvxHgC.exe
PID 3252 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZZvxHgC.exe
PID 3252 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\POfRPmH.exe
PID 3252 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\POfRPmH.exe
PID 3252 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qZaMLRC.exe
PID 3252 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qZaMLRC.exe
PID 3252 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NfRRmLS.exe
PID 3252 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NfRRmLS.exe
PID 3252 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zOHapuq.exe
PID 3252 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zOHapuq.exe
PID 3252 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zdlaUun.exe
PID 3252 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zdlaUun.exe
PID 3252 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WliOoEU.exe
PID 3252 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WliOoEU.exe
PID 3252 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iqPzFti.exe
PID 3252 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iqPzFti.exe
PID 3252 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MWuEwkR.exe
PID 3252 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MWuEwkR.exe
PID 3252 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jBtWjPs.exe
PID 3252 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jBtWjPs.exe
PID 3252 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CXjTJmS.exe
PID 3252 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CXjTJmS.exe
PID 3252 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\okGEKLi.exe
PID 3252 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\okGEKLi.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\ZzPSRcg.exe

C:\Windows\System\ZzPSRcg.exe

C:\Windows\System\SBvxVzx.exe

C:\Windows\System\SBvxVzx.exe

C:\Windows\System\CxnqFUB.exe

C:\Windows\System\CxnqFUB.exe

C:\Windows\System\MavSWKs.exe

C:\Windows\System\MavSWKs.exe

C:\Windows\System\GRmvVFW.exe

C:\Windows\System\GRmvVFW.exe

C:\Windows\System\ZaucKlA.exe

C:\Windows\System\ZaucKlA.exe

C:\Windows\System\qwZzDJI.exe

C:\Windows\System\qwZzDJI.exe

C:\Windows\System\gWRLvBM.exe

C:\Windows\System\gWRLvBM.exe

C:\Windows\System\cPxjvPy.exe

C:\Windows\System\cPxjvPy.exe

C:\Windows\System\ZZvxHgC.exe

C:\Windows\System\ZZvxHgC.exe

C:\Windows\System\POfRPmH.exe

C:\Windows\System\POfRPmH.exe

C:\Windows\System\qZaMLRC.exe

C:\Windows\System\qZaMLRC.exe

C:\Windows\System\NfRRmLS.exe

C:\Windows\System\NfRRmLS.exe

C:\Windows\System\zOHapuq.exe

C:\Windows\System\zOHapuq.exe

C:\Windows\System\zdlaUun.exe

C:\Windows\System\zdlaUun.exe

C:\Windows\System\WliOoEU.exe

C:\Windows\System\WliOoEU.exe

C:\Windows\System\iqPzFti.exe

C:\Windows\System\iqPzFti.exe

C:\Windows\System\MWuEwkR.exe

C:\Windows\System\MWuEwkR.exe

C:\Windows\System\jBtWjPs.exe

C:\Windows\System\jBtWjPs.exe

C:\Windows\System\CXjTJmS.exe

C:\Windows\System\CXjTJmS.exe

C:\Windows\System\okGEKLi.exe

C:\Windows\System\okGEKLi.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/3252-0-0x00007FF682390000-0x00007FF6826E4000-memory.dmp

memory/3252-1-0x000001CE2FEA0000-0x000001CE2FEB0000-memory.dmp

C:\Windows\System\ZzPSRcg.exe

MD5 565f05945debf33abc80126e0e2cbd42
SHA1 07146e6d88252aab96b0a50e1b2291ba0a5578f7
SHA256 9ecad043ca27e533e411e944d0ad7e849227d154e66c9eea7cb8861848c7278f
SHA512 160bba0f07577d69ab3b1fe6239310fdfd1c2b6ce653b17d94c5495f3273fb58d5972466400b7d6bea5262dc2900b2d897513cf7b85d8b0634a74374b083ee92

C:\Windows\System\SBvxVzx.exe

MD5 d339586cf47263de70ac981286b78bcf
SHA1 8e78c2841d265606da957168b41e1e537dd539e6
SHA256 b0081e3b05b363bdefce81de371e7319e152f9482756eace8f6629a751394b51
SHA512 c7aa8756d022336abcb1629aa46ab32e9c5d2e5ea8d83fc515165317572d1f4d8ff383851571669136f82a42eda3ead18a10f46699b6357947dbace0dbe762fc

C:\Windows\System\CxnqFUB.exe

MD5 1fe2ea021e732f64efe50f960b79ec7b
SHA1 92ffff05445ab732658736387bb978d658618337
SHA256 cb186c7ffd677c6946cb9264037f4931f0dc83e49bb3ca9c0d6fbc42d53ef094
SHA512 02400bc7c170c97c7a1427672e7d4944d798dcc5629a6812b32bbf1bb360d9dfb9646b4d99e4f4ff183eb4b52f24eecb523fa34face7e546abf0a902b9d3bd28

memory/2476-14-0x00007FF7237A0000-0x00007FF723AF4000-memory.dmp

C:\Windows\System\MavSWKs.exe

MD5 4fdf8aaad2b8e872efbbec9c915eed0d
SHA1 73eaa5a67f72e84c7e60588245771d86c7063edd
SHA256 f410d2bdb532a3ed333118e92add5fae0e8031dc338526051896e7861cb3795b
SHA512 dd068f14afeafde6aebeae4741814231efd82a316205034f625e6da37686de9e0c152f5e855af1717111e07f5cc54cbe9232a7380f85ee5646063f4de68a3e29

memory/1800-26-0x00007FF66AE20000-0x00007FF66B174000-memory.dmp

memory/2196-22-0x00007FF79B370000-0x00007FF79B6C4000-memory.dmp

memory/4716-7-0x00007FF6A10D0000-0x00007FF6A1424000-memory.dmp

C:\Windows\System\GRmvVFW.exe

MD5 17a689f0b16ab658553e969cb0c0ae9c
SHA1 5b163fd229338ab6960513459e0d20f507b5caa1
SHA256 425452af2b79391dcdbfdb9b76665ecb68101bb9a69c31836678a0def30a8737
SHA512 0224e981f207011fbd7881df837a70c81bdd00f39cee404feb0ba4f95a580abc41e8cf48ac60645487fa689b4cba40e82b121ff17dcac935d8780ab51883bf55

memory/2492-32-0x00007FF6D9570000-0x00007FF6D98C4000-memory.dmp

C:\Windows\System\ZaucKlA.exe

MD5 944f346559d13277befc4dc34efdf29f
SHA1 98519aea1a7b0c7b17a22f2581c988378e68e1b1
SHA256 38470fef086830ae5faa5ef483cca3e4ae4cfc8c61cf7fb2c099f5390790565b
SHA512 c1b06a59ee152bc2a2f101626b9b2a2621983485a9e9b9aaa0f680d9fbee49fa7ffe894cd90b1735d1c5d97595bca8844d9c336a8b7eee32d710d4657f0db294

memory/3092-36-0x00007FF660F30000-0x00007FF661284000-memory.dmp

C:\Windows\System\qwZzDJI.exe

MD5 d939a1ea8cb4a1da88f882caf5c2c94f
SHA1 ac047a6b8a36fae31ebc1dd09a4a7b44d6308e59
SHA256 a3e075ee0fbd3ccd9ef88518fe32b5e0f2c4e24e72ebf77254a040d3658e1520
SHA512 d98cfeca180b0c265e8f87e5794834ece642e1f16ac1af115eb6122d140e1d753bf889a7fe7b953406ed367826b760e13b44eef78d1d4fb5b953e4c83448c0bc

memory/220-43-0x00007FF757FA0000-0x00007FF7582F4000-memory.dmp

C:\Windows\System\gWRLvBM.exe

MD5 1f31b4338984cb3a3fd99cb979fe8b37
SHA1 f2d24060bfaa87e09195c1fd07ebf9939a36a438
SHA256 ec61a414fac26859afe62a93febcb4215e0f36ba0ba75faee5330b467e008464
SHA512 5abb2fda26bc39a1a895903eba683d44ed980c54658068a52975427e974c49f443b34c59e78af8a5ba082bbba30b9aed205e7922651863f64e1f5c697e8b4f95

C:\Windows\System\cPxjvPy.exe

MD5 a7fe8b816071c093c840d3e8acf02626
SHA1 7682860f305d617aa6623b512ccb97bed1ec3ee8
SHA256 fd44920cafd3792ee98a87b1ba908fde26a1e5d2019c31d9015b2919ce0f46a8
SHA512 820612064eefa9a828e3b248d5e5e1762aa02a285b8ce172929dd1fa974aba88f925cdd21edb6a00500443d15c5c6217af7ade3079eba9c2bb0441f9acb944b3

memory/388-50-0x00007FF708010000-0x00007FF708364000-memory.dmp

memory/3252-61-0x00007FF682390000-0x00007FF6826E4000-memory.dmp

memory/2184-62-0x00007FF692620000-0x00007FF692974000-memory.dmp

C:\Windows\System\POfRPmH.exe

MD5 73b6d199861f613913af0ffcc13fd8ba
SHA1 9ccd41b439901e95a9df7ed207ccfd40b1df899a
SHA256 4ba541fa40b6745f5d56bd7563639aac8cad32c1628092ffddf68e4db402fca6
SHA512 19a2a2a5c2bacf261c9ee9f8b722c9a1df580ea2e36345af064ea7ec8c481c2abbace0580611ba2a5db6ac0176f7ecd109a0386ca514cb8fff93e7dd89ec79fa

C:\Windows\System\qZaMLRC.exe

MD5 192089e3adcaaa6cd4886b20dca09f8a
SHA1 6709121b981f2b1b4216a8782a43cd7c5ddea1fe
SHA256 6434fc3129ad56134a7186a74d48787c27748c41b704f6205543b955d9fc411e
SHA512 f1f6d32d7435619c231987d9029c0dac80f994874d6e021cb3cc425b53f9008014d7544652cbfd3ddd72139a43ac60976ca6557ffc905fb5bde099734276986a

memory/4980-73-0x00007FF713A10000-0x00007FF713D64000-memory.dmp

memory/3724-74-0x00007FF685C80000-0x00007FF685FD4000-memory.dmp

memory/4716-72-0x00007FF6A10D0000-0x00007FF6A1424000-memory.dmp

C:\Windows\System\ZZvxHgC.exe

MD5 7164cd980c3fb8707e14150fac8d4f56
SHA1 04cd4db8d25b075a988b961e94d01bddb5f9db8d
SHA256 239792bc3f29aac690e750dfd6d6de47c8bc9fa385753e435008a0677d00ac8a
SHA512 28bb9aeb1737d56e8c0293f30a3fbf5ee03c3626f57a10c95088d6ef1fc3fbbabae1ebb5c2a6d67f9d0225882e3c3a3fb680635901a1446211b92f2e97e64164

memory/3744-57-0x00007FF770A20000-0x00007FF770D74000-memory.dmp

C:\Windows\System\NfRRmLS.exe

MD5 99996ea791ee926cb30f47f8f40304fb
SHA1 2e353f4f5c9c6e91724c5657dcd78ee6be5b3bac
SHA256 2982d15bdefa85b0190d3ef158b3230965f3c9e9af16a1df598f00ca0e5b4310
SHA512 fd97b1db74df270c270ff30028b331543611eb25ebd790b4aceb3a6b0a1d02bb8ee94d72b8d156d8ba0abd456c1942f7184b3e2e97bf64552c7db14b0ee6ff0d

C:\Windows\System\zOHapuq.exe

MD5 3a2b52cc1fedef0ff4689b4187f18e40
SHA1 2d01d5db9ac05803bccac2a60ee75c2b0be27534
SHA256 8b22c150927a8987862e2eb53ffb1fc5311cc7adf6671f5cfea8be38245efcc8
SHA512 af6ec30d45597b177c69622e411202f72d23f169bb30182a009eef1958408dc7f775e2bdc78f7461d1c9fa308d52de4a2a2806aa2df95745587937aeb012995e

C:\Windows\System\zdlaUun.exe

MD5 0027d873ab2f7d8afd194cbfa0feb5bd
SHA1 ca739d2961a7ef5c8b9e7704d32d5e68f4d17614
SHA256 bbbfce947708db221a0f1b0ec6322117003fafb94614e04fa16962081f7b5a5d
SHA512 ebb2f905bdce382c0e5dbfd88a9988c043e3b6958e9c97dfa97e913e2a02b32334286d4f6987165fa31eba17e47ced018ebef3bc3d61f616310c455822b3dec1

memory/4504-94-0x00007FF6F6C60000-0x00007FF6F6FB4000-memory.dmp

memory/1172-98-0x00007FF74AF50000-0x00007FF74B2A4000-memory.dmp

C:\Windows\System\iqPzFti.exe

MD5 0438ae7cf080131d4b8c8e42cf9a102c
SHA1 27c1fcc2a9a6b3c5a06ebf515fffbd69e9fd741a
SHA256 b854834865a9b4241f60b1ed96f2ab4e919bd01c613d6193814a6d9d78abf5a3
SHA512 992fa6b34aa405937a62cbb4cdb9a53e6591cf92e5394b8c19c6a74d9e59236ba0024e03bafc31fcb3005237a4b65e6e60b630d8111f21bca65f29b5efdc11e6

C:\Windows\System\MWuEwkR.exe

MD5 fe74d98a260a45c6c7a9ed9cd528a83d
SHA1 af58b131174ddbe39fc0d4a5226689e5ace88bc1
SHA256 2851b205962f1fde2da47c0aa7d97da9502fcdde9795d7e6ae1b78ed99da1eeb
SHA512 730b48206f25c27304fbbf2edf238ba94d90b78a2eb62fadc9a3e41036cd4652ca2b745436e56f504ab142711423584e93343d78c59b68a93f6372330da9d6aa

memory/1112-107-0x00007FF7663E0000-0x00007FF766734000-memory.dmp

memory/3092-105-0x00007FF660F30000-0x00007FF661284000-memory.dmp

C:\Windows\System\WliOoEU.exe

MD5 4099993801c402206690b85eb6c5bee5
SHA1 0dfac6aa0f5ff0df497c7f21aea3b8d43ae1b5cf
SHA256 d0e2a955c7cfc8fa5f9536f8fea08338552db0a5beab4eec2169ede8e67924cf
SHA512 728219553651af4851f8d7d68f8c0dd89ef51880d225f1224a81bcd4b129edddccb04da3890aa5f0c8e24c07a124842d620e6289e557ccaa30b9acf0b4b0413a

memory/684-93-0x00007FF7A6F90000-0x00007FF7A72E4000-memory.dmp

memory/4460-85-0x00007FF71F8A0000-0x00007FF71FBF4000-memory.dmp

memory/2476-82-0x00007FF7237A0000-0x00007FF723AF4000-memory.dmp

memory/4008-116-0x00007FF628490000-0x00007FF6287E4000-memory.dmp

C:\Windows\System\CXjTJmS.exe

MD5 138e96df12b20b3546137d50afeebd8c
SHA1 679c73708bf4af7089dcb5e22c722fdb7e86b227
SHA256 94cad01dc9ab07af258d591fdb1b1543704620fb0cc4fae1aba7ba10d88f1cb8
SHA512 58d923b4f2fee21c1c51f4bb51b4ff324aad2d8c4b2dfc4771a271df4bb59a3bb1977423745d86ed6984d6710d9732f8bfeff39444a098c46e02b4900623ab54

C:\Windows\System\okGEKLi.exe

MD5 f7c67aa61a1eca01758afce1aa088a7e
SHA1 89eb9c81df6afbd63858e73bc0755d4f40ac6a64
SHA256 68e3642f52b74e1b17d7786da4d7aa7d4c528c548b2841b93c2df3057fa3308f
SHA512 fa5b38b1e4b6ef816d7699b9aeb13e8e8d9575e552c4b969d4b288bc3c149ce3f8672796ca393f06a0a433b7b1a69398b5d144bab92679b01e944951d6cc8792

memory/3060-124-0x00007FF69B830000-0x00007FF69BB84000-memory.dmp

C:\Windows\System\jBtWjPs.exe

MD5 5a01847bf0175084cd886354fe94e986
SHA1 277b52dd74eac983de217ba6ff90356f7ee49789
SHA256 e018fbe87b3f439492f23854d03bfcc2896cccc2e8e5a4549af628b682378766
SHA512 d8ba853d97df9d3547e522b91372a294fe5ee9ceecdbfb933a0984715842722aa998c1380e8e704327204b589743d60a1296fd85f600d680fcd9f6f5369f9fc8

memory/220-114-0x00007FF757FA0000-0x00007FF7582F4000-memory.dmp

memory/4848-131-0x00007FF7797D0000-0x00007FF779B24000-memory.dmp

memory/2184-133-0x00007FF692620000-0x00007FF692974000-memory.dmp

memory/4484-132-0x00007FF6CF2E0000-0x00007FF6CF634000-memory.dmp

memory/3724-134-0x00007FF685C80000-0x00007FF685FD4000-memory.dmp

memory/4504-135-0x00007FF6F6C60000-0x00007FF6F6FB4000-memory.dmp

memory/1172-136-0x00007FF74AF50000-0x00007FF74B2A4000-memory.dmp

memory/1112-137-0x00007FF7663E0000-0x00007FF766734000-memory.dmp

memory/4716-138-0x00007FF6A10D0000-0x00007FF6A1424000-memory.dmp

memory/2476-139-0x00007FF7237A0000-0x00007FF723AF4000-memory.dmp

memory/2196-140-0x00007FF79B370000-0x00007FF79B6C4000-memory.dmp

memory/1800-141-0x00007FF66AE20000-0x00007FF66B174000-memory.dmp

memory/2492-142-0x00007FF6D9570000-0x00007FF6D98C4000-memory.dmp

memory/3092-143-0x00007FF660F30000-0x00007FF661284000-memory.dmp

memory/220-144-0x00007FF757FA0000-0x00007FF7582F4000-memory.dmp

memory/388-145-0x00007FF708010000-0x00007FF708364000-memory.dmp

memory/3744-146-0x00007FF770A20000-0x00007FF770D74000-memory.dmp

memory/2184-147-0x00007FF692620000-0x00007FF692974000-memory.dmp

memory/4980-148-0x00007FF713A10000-0x00007FF713D64000-memory.dmp

memory/3724-149-0x00007FF685C80000-0x00007FF685FD4000-memory.dmp

memory/4460-150-0x00007FF71F8A0000-0x00007FF71FBF4000-memory.dmp

memory/684-151-0x00007FF7A6F90000-0x00007FF7A72E4000-memory.dmp

memory/4504-152-0x00007FF6F6C60000-0x00007FF6F6FB4000-memory.dmp

memory/1172-153-0x00007FF74AF50000-0x00007FF74B2A4000-memory.dmp

memory/1112-154-0x00007FF7663E0000-0x00007FF766734000-memory.dmp

memory/4008-155-0x00007FF628490000-0x00007FF6287E4000-memory.dmp

memory/3060-156-0x00007FF69B830000-0x00007FF69BB84000-memory.dmp

memory/4848-157-0x00007FF7797D0000-0x00007FF779B24000-memory.dmp

memory/4484-158-0x00007FF6CF2E0000-0x00007FF6CF634000-memory.dmp