Malware Analysis Report

2025-03-15 08:00

Sample ID 240812-axhj6s1ejd
Target 2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat
SHA256 7a2754b0aa64e18ff9bc44e5bfd7f796af9c0bc5a8ae071b9b2fa50e232da11c
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7a2754b0aa64e18ff9bc44e5bfd7f796af9c0bc5a8ae071b9b2fa50e232da11c

Threat Level: Known bad

The file 2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

xmrig

XMRig Miner payload

Cobalt Strike reflective loader

Cobaltstrike

Cobaltstrike family

Xmrig family

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-12 00:35

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(1 match; Description, Indicator, Process and Target all reported as N/A)

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
(1 match; Description, Indicator, Process and Target all reported as N/A)

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
(1 match; Description, Indicator, Process and Target all reported as N/A)

Unsigned PE

Description Indicator Process Target
(2 matches; Description, Indicator, Process and Target all reported as N/A)

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-12 00:35

Reported

2024-08-12 00:38

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 matches; Description, Indicator, Process and Target all reported as N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(44 matches; Description, Indicator, Process and Target all reported as N/A)

UPX packed file

upx
Description Indicator Process Target
(64 matches; Description, Indicator, Process and Target all reported as N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\lsrGtNK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QiaQjqZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bCoWeNX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\cKCtLhg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ghYTzCb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RnwLFGj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CaLgmiu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AYPQJyc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ueGHIoQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vqThtyR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JmuVpIe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\adlQkte.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\usZtvqw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZzyUHYU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eWBVoOB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QKrgFis.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OLEjaWy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MSYmpVY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tRnqjCE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FavMtBC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vUOnGvN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4268 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RnwLFGj.exe
PID 4268 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RnwLFGj.exe
PID 4268 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZzyUHYU.exe
PID 4268 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZzyUHYU.exe
PID 4268 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JmuVpIe.exe
PID 4268 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JmuVpIe.exe
PID 4268 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CaLgmiu.exe
PID 4268 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CaLgmiu.exe
PID 4268 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\adlQkte.exe
PID 4268 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\adlQkte.exe
PID 4268 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tRnqjCE.exe
PID 4268 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tRnqjCE.exe
PID 4268 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AYPQJyc.exe
PID 4268 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AYPQJyc.exe
PID 4268 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eWBVoOB.exe
PID 4268 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eWBVoOB.exe
PID 4268 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QKrgFis.exe
PID 4268 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QKrgFis.exe
PID 4268 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\usZtvqw.exe
PID 4268 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\usZtvqw.exe
PID 4268 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lsrGtNK.exe
PID 4268 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lsrGtNK.exe
PID 4268 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FavMtBC.exe
PID 4268 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FavMtBC.exe
PID 4268 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ueGHIoQ.exe
PID 4268 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ueGHIoQ.exe
PID 4268 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QiaQjqZ.exe
PID 4268 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QiaQjqZ.exe
PID 4268 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vUOnGvN.exe
PID 4268 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vUOnGvN.exe
PID 4268 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OLEjaWy.exe
PID 4268 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OLEjaWy.exe
PID 4268 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vqThtyR.exe
PID 4268 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vqThtyR.exe
PID 4268 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bCoWeNX.exe
PID 4268 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bCoWeNX.exe
PID 4268 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cKCtLhg.exe
PID 4268 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\cKCtLhg.exe
PID 4268 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ghYTzCb.exe
PID 4268 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ghYTzCb.exe
PID 4268 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MSYmpVY.exe
PID 4268 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MSYmpVY.exe
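Read together, the two tables above are the dropper's core behaviour: one parent (PID 4268) creates 21 executables with random seven-letter names directly in C:\Windows\System, the legacy directory that on a current install holds only a handful of 16-bit support files, then launches each one and writes into its memory (the table records two writes per child). The file names are not stable indicators, since the Win7 detonation in behavioral1 drops differently named files such as sZLUDOi.exe, so a detection should key on the pattern rather than the names. The Python script below is an added example and not part of the sandbox report: it parses five file-creation rows and five memory-write rows copied from the tables above and reports which process dropped such files and which child PIDs were launched from them. The row regexes, the seven-letter name pattern and the min_drops threshold are this example's own assumptions.

```python
import re
from collections import defaultdict

# Rows copied from the "Drops file in Windows directory" and "Suspicious use of
# WriteProcessMemory" tables of behavioral2. The full run has 21 dropped files
# and two memory writes per child; five rows of each exercise the logic.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4"
          r"_cobalt-strike_cobaltstrike_poet-rat.exe")

FILE_CREATED_ROWS = [
    rf"File created C:\Windows\System\lsrGtNK.exe {SAMPLE} N/A",
    rf"File created C:\Windows\System\RnwLFGj.exe {SAMPLE} N/A",
    rf"File created C:\Windows\System\ZzyUHYU.exe {SAMPLE} N/A",
    rf"File created C:\Windows\System\JmuVpIe.exe {SAMPLE} N/A",
    rf"File created C:\Windows\System\CaLgmiu.exe {SAMPLE} N/A",
]

MEMORY_WRITE_ROWS = [
    rf"PID 4268 wrote to memory of 4772 N/A {SAMPLE} C:\Windows\System\RnwLFGj.exe",
    rf"PID 4268 wrote to memory of 4772 N/A {SAMPLE} C:\Windows\System\RnwLFGj.exe",
    rf"PID 4268 wrote to memory of 2388 N/A {SAMPLE} C:\Windows\System\ZzyUHYU.exe",
    rf"PID 4268 wrote to memory of 4472 N/A {SAMPLE} C:\Windows\System\JmuVpIe.exe",
    rf"PID 4268 wrote to memory of 4068 N/A {SAMPLE} C:\Windows\System\CaLgmiu.exe",
]

FILE_RE = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+) (?P<target>\S+)$")
WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<ind>\S+) (?P<proc>\S+) (?P<target>\S+)$"
)
# Pattern this example keys on (an assumption, not a sandbox signature): a new
# .exe with a seven-letter alphabetic name directly in C:\Windows\System.
RANDOM_EXE_IN_WINDOWS_SYSTEM = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")


def parse_file_created(rows):
    """[(created_path, creating_process)] from 'File created ...' rows."""
    out = []
    for row in rows:
        m = FILE_RE.match(row)
        if m:
            out.append((m["path"], m["proc"]))
    return out


def parse_memory_writes(rows):
    """[(src_pid, dst_pid, src_image, dst_image)] from 'PID x wrote to memory of y' rows."""
    out = []
    for row in rows:
        m = WRITE_RE.match(row)
        if m:
            out.append((int(m["src"]), int(m["dst"]), m["proc"], m["target"]))
    return out


def assess(file_rows, write_rows, min_drops=3):
    r"""Return {dropper_image: verdict} for each process that created at least
    min_drops random-named executables in C:\Windows\System, together with the
    child PIDs it then launched from those files and wrote into."""
    drops_by_proc = defaultdict(set)
    for path, proc in parse_file_created(file_rows):
        if RANDOM_EXE_IN_WINDOWS_SYSTEM.match(path):
            drops_by_proc[proc].add(path)

    verdicts = {}
    for proc, dropped in drops_by_proc.items():
        if len(dropped) < min_drops:
            continue
        children, parent_pids = {}, set()
        for src, dst, src_image, dst_image in parse_memory_writes(write_rows):
            if src_image == proc and dst_image in dropped:
                children[dst] = dst_image   # the duplicate write rows collapse here
                parent_pids.add(src)
        verdicts[proc] = {
            "dropped": sorted(dropped),
            "parent_pids": sorted(parent_pids),
            "children": children,
            "launched_and_written": len(children),
        }
    return verdicts


if __name__ == "__main__":
    for image, v in assess(FILE_CREATED_ROWS, MEMORY_WRITE_ROWS).items():
        print(f"{image}\n  dropped {len(v['dropped'])} files, parent PID(s) {v['parent_pids']},"
              f" wrote into {v['launched_and_written']} children: {sorted(v['children'])}")
```

On the excerpt the parent is flagged with five drops and four written children (lsrGtNK.exe has no write row in the subset); on the full table the same logic yields 21 and 21. Because write access to C:\Windows\System requires elevated rights, the "Suspicious use of AdjustPrivilegeToken" entry in the summary and the Admin account used by the sandbox are the context that makes this drop location possible.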

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\RnwLFGj.exe

C:\Windows\System\RnwLFGj.exe

C:\Windows\System\ZzyUHYU.exe

C:\Windows\System\ZzyUHYU.exe

C:\Windows\System\JmuVpIe.exe

C:\Windows\System\JmuVpIe.exe

C:\Windows\System\CaLgmiu.exe

C:\Windows\System\CaLgmiu.exe

C:\Windows\System\adlQkte.exe

C:\Windows\System\adlQkte.exe

C:\Windows\System\tRnqjCE.exe

C:\Windows\System\tRnqjCE.exe

C:\Windows\System\AYPQJyc.exe

C:\Windows\System\AYPQJyc.exe

C:\Windows\System\eWBVoOB.exe

C:\Windows\System\eWBVoOB.exe

C:\Windows\System\QKrgFis.exe

C:\Windows\System\QKrgFis.exe

C:\Windows\System\usZtvqw.exe

C:\Windows\System\usZtvqw.exe

C:\Windows\System\lsrGtNK.exe

C:\Windows\System\lsrGtNK.exe

C:\Windows\System\FavMtBC.exe

C:\Windows\System\FavMtBC.exe

C:\Windows\System\ueGHIoQ.exe

C:\Windows\System\ueGHIoQ.exe

C:\Windows\System\QiaQjqZ.exe

C:\Windows\System\QiaQjqZ.exe

C:\Windows\System\vUOnGvN.exe

C:\Windows\System\vUOnGvN.exe

C:\Windows\System\OLEjaWy.exe

C:\Windows\System\OLEjaWy.exe

C:\Windows\System\vqThtyR.exe

C:\Windows\System\vqThtyR.exe

C:\Windows\System\bCoWeNX.exe

C:\Windows\System\bCoWeNX.exe

C:\Windows\System\cKCtLhg.exe

C:\Windows\System\cKCtLhg.exe

C:\Windows\System\ghYTzCb.exe

C:\Windows\System\ghYTzCb.exe

C:\Windows\System\MSYmpVY.exe

C:\Windows\System\MSYmpVY.exe

Network

Country  Destination        Domain                        Proto
US       8.8.8.8:53         58.55.71.13.in-addr.arpa      udp
US       8.8.8.8:53         172.214.232.199.in-addr.arpa  udp
US       8.8.8.8:53         22.160.190.20.in-addr.arpa    udp
US       8.8.8.8:53         95.221.229.192.in-addr.arpa   udp
DE       3.120.209.58:8080  (none)                        tcp
US       8.8.8.8:53         26.35.223.20.in-addr.arpa     udp
US       8.8.8.8:53         26.165.165.52.in-addr.arpa    udp
US       8.8.8.8:53         15.164.165.52.in-addr.arpa    udp
DE       3.120.209.58:8080  (none)                        tcp
DE       3.120.209.58:8080  (none)                        tcp
DE       3.120.209.58:8080  (none)                        tcp
US       8.8.8.8:53         240.143.123.92.in-addr.arpa   udp
US       8.8.8.8:53         22.236.111.52.in-addr.arpa    udp
US       8.8.8.8:53         tse1.mm.bing.net              udp
US       150.171.27.10:443  tse1.mm.bing.net              tcp
US       150.171.27.10:443  tse1.mm.bing.net              tcp
US       150.171.27.10:443  tse1.mm.bing.net              tcp
US       150.171.27.10:443  tse1.mm.bing.net              tcp
US       150.171.27.10:443  tse1.mm.bing.net              tcp
DE       3.120.209.58:8080  (none)                        tcp
DE       3.120.209.58:8080  (none)                        tcp

Reading the table: the in-addr.arpa queries to 8.8.8.8 are reverse lookups of cloud and CDN address space that Windows itself contacts, and the tse1.mm.bing.net sessions over 443 are ordinary Windows background traffic, so neither is attributable to the sample. The six TCP connections to 3.120.209.58:8080 (DE) are the only destination the operating system does not account for and are the endpoint to treat as the candidate command-and-control server when pivoting; the report records no domain, protocol detail or payload for them.

Files

memory/4268-0-0x00007FF75A920000-0x00007FF75AC71000-memory.dmp

memory/4268-1-0x000002B8C6DA0000-0x000002B8C6DB0000-memory.dmp

C:\Windows\System\RnwLFGj.exe

MD5 5e1bb1f76ee0e6b2d5b21a46d5ba29b1
SHA1 48106c132ba165b408818603a4f071aa15824002
SHA256 36e5bf4466a208d1d172d0e44fd1f6800a5800984d55fcf5aa9941acc1dad15b
SHA512 a39c6c6dc18b989dc22f5d3a3c61056e4df456027c432bdfe174e2c39f610a0549df6a39db7d9bd4c0d26f9e7ae9aaffcdb82f2643a218874a9411b255bcb1f5

C:\Windows\System\JmuVpIe.exe

MD5 02e20b38ab070424e60cd117aa90ca14
SHA1 31e0a46e8a473b6b91c87f1fbcf07e50ef6c6e23
SHA256 7c1705382644121a604ff3204c45e8e4b93a81e2356f20f0e9623ac0578cebe9
SHA512 0c74997f743ad8d69ccbf136f90b43c796e175ea7b00712ceb688402f853d9a01171fa7d08030dd0cbc9c200e8ecbf2083327111069e3d9356ec2167f004dad6

C:\Windows\System\ZzyUHYU.exe

MD5 bdd77893ad912817d68cd740defd2ccb
SHA1 cea6ff91da56d4c406c278851dc0c8c8fb28fc2c
SHA256 833fa5e4a65b95e3570a81378f412c5ddb964c17f9cd8e94bec496c173b930c3
SHA512 c6e1f2c0cd0bacbe0a6556ad93df9dfbc8197f890d9af8d54383d9db2e51d0915080f6d0253176c361bfa58dbe2ccd35976608bb04d8d637c4f3440adcfd2b38

memory/2388-19-0x00007FF714990000-0x00007FF714CE1000-memory.dmp

C:\Windows\System\tRnqjCE.exe

MD5 e44875a83e1606af9a9595b84427fe77
SHA1 4254c5b3b5f91b688b607734b124fd699b89b218
SHA256 993161376a200219d11b2f034fe076f798f64bffac0bf789adabd57a9f4c15e8
SHA512 23522718aff0e2d554c5759b0f048859887195d658134061084eff9639219e415dc5dc8f5ab8b43db58df7f0f190134ed78c699a0eb0c904831497d34f8c551d

C:\Windows\System\adlQkte.exe

MD5 7a41f60e9dcca4ac594935d3fce36bd9
SHA1 4f83c2068984849af656a115d5bd80768bb6d185
SHA256 d919d9dfcd17bd2341870e9e733840f4ebcd79383078418cc494bb1fc681a2e0
SHA512 54fac8b8dca6d9276a0b3ba606b6436ae8e129e62320b8d0eee1bfd4a785a7b8137f0a12bd155660bc11b9445afaae22eb1ac19a07eab5ba298dd162a2ca7773

memory/1988-40-0x00007FF78E260000-0x00007FF78E5B1000-memory.dmp

C:\Windows\System\eWBVoOB.exe

MD5 38ef816d45f6c780b64cdd07367eed69
SHA1 90c744f1938ff30715ba36010672217c4af16fd2
SHA256 1dbb5f8f7b8a14220a0c8be6a611c0989d4fe07860989726ff501ac73f6c297b
SHA512 517e641d38c06b99fb71a751bcb8392bf2585e6080aaccf3de8ca73cf1d1dbce42cafb3d91d5c06d14488503db2c445f8bcd44724ef0378087a6f514d10dc08f

C:\Windows\System\QKrgFis.exe

MD5 7b86c42b66e0805b7b55fc3070301a89
SHA1 0588937bf979d302d0709f4f0b766cac3b0a3c6c
SHA256 57bfa00a97d85343c48e544b479c5c73c0f05c4dce77102b00ae4f1528a348c5
SHA512 5a285bc36fee18cd15ebdcc108abc24389b2f6fffec27dd1f291b16d5bf996041916eb17b0996cabf10b4c8e4df0d52bcbbabc3d49167f9cd9f39b7421ca319f

memory/1904-72-0x00007FF797E00000-0x00007FF798151000-memory.dmp

C:\Windows\System\OLEjaWy.exe

MD5 98595064f722e0f9336ff45fd7497c7b
SHA1 5a791e7f0f37aa4c4869fbcef67e7724ceef28e6
SHA256 b8b9c03f5c781fd49ca357b2bc86b7283ef5d359c2b66d0e2c5b681ba49754e4
SHA512 3e507f7609b1320c56ed80211d3e406a9eed04d4facac25565ac6901968b0b1d628e6e0cc5206e440c0614fe698be46614c60dbdd1a6da22c955fb729d560f62

C:\Windows\System\QiaQjqZ.exe

MD5 9a752a9c8582227c593b454ef472b60b
SHA1 19d48e11b54e256907e090c3fac85633c3548dde
SHA256 259b8d80a8009fc3c5a582bc46cb50368eb14562cde810eb55dcf0c33b5f6232
SHA512 3ee7099f94c8032d4bd5e2aca7e3c5be8df5a4c11dd1fa13d162da77eea8bb0f692b7c26318dd4ff08ac2b646a1ee7546826622bc33faf71489c0ce8cbd0755a

memory/2064-108-0x00007FF6F5200000-0x00007FF6F5551000-memory.dmp

C:\Windows\System\MSYmpVY.exe

MD5 0e75fd02fc6a1b418068ea28c6654abf
SHA1 c300673ed50346d414887f911d6e0ed398102c9e
SHA256 714ec1023227f13bf805fd3612a2577ae3f9f23029e63ab5b2b7f41da5a3c10b
SHA512 95fe444d107f6d530297cfa05f171eabd4e2ad74859b2f2a3b07c2bdced934969e3b74f65be54409684d91674a89126fa6393e1e878a57b1a7f2325ab671be99

memory/2264-122-0x00007FF721960000-0x00007FF721CB1000-memory.dmp

memory/3448-127-0x00007FF7E9E00000-0x00007FF7EA151000-memory.dmp

memory/3320-126-0x00007FF60B8F0000-0x00007FF60BC41000-memory.dmp

memory/992-125-0x00007FF6FA700000-0x00007FF6FAA51000-memory.dmp

memory/5012-124-0x00007FF710750000-0x00007FF710AA1000-memory.dmp

memory/3456-123-0x00007FF783990000-0x00007FF783CE1000-memory.dmp

C:\Windows\System\ghYTzCb.exe

MD5 62d3d4f51d4c46d7caf62874b8cc8efe
SHA1 4e2360fbc6cf4b6788ecde845764116571135f88
SHA256 f1416838445520f25b63fa620830a70455eadfacfb163fd6641415fa04f85829
SHA512 62eff98adccf296f0485fd364efb55b3ec6fbb04102a54785bb37ae8e302ec286dee06a5d22db22269508c701dff190503b7fdb698380f1aee7b56213325a3a4

C:\Windows\System\cKCtLhg.exe

MD5 119c54b7831d2a3d35ab9c10171fb46a
SHA1 9a2b9a96b0164edb26d2e7c2035ba0fb890966c8
SHA256 f6b21708282d6be2194b690b9763f50fe1b0a5592ef8177d48efa81d7d0347b9
SHA512 c956ad38a498b4c0fa81a5ee620e5a884566a9e57c1a3da0d003b2b4de01c3f7f6db0e299abbc777899206be940b1562b3852363703c0d096b846a82ba5f8610

memory/2752-117-0x00007FF7CA410000-0x00007FF7CA761000-memory.dmp

memory/396-114-0x00007FF6D1330000-0x00007FF6D1681000-memory.dmp

memory/1780-113-0x00007FF7A2920000-0x00007FF7A2C71000-memory.dmp

C:\Windows\System\vqThtyR.exe

MD5 6dc0f35db40c2bf90a9a153e92448f27
SHA1 337736fe145762d8a989389cc40ccb90194584d4
SHA256 f8f7ede1c05f62ddfe47da73eedc7aafaa83bc4034c53a12ed53a14d1df49110
SHA512 1d1dc8c11511b6900ed0a8913c577a54bb65db3f3a53d6b68ba10c080334b66fdec127e3f9ec3fbe956d5b396de3ebdf9132c58131ee7119df7d9742aca6af44

C:\Windows\System\vUOnGvN.exe

MD5 7eb4ff88e20a91061c4f36791fbc26ef
SHA1 bed524aa0d38850bdfdb611844a41edd3e14c4f6
SHA256 e33cf3a58efa0702360940218af74585c7848541fa7fa9953c0cda808e920788
SHA512 60376c3c15c5d8de81f04aa308d12643802d2b1aedb5083972b36feb153f4a79c04a5b1aebc9e2387398560593ec75eafc5e4c91a52f345b8bcff4db23401187

memory/3924-99-0x00007FF752DD0000-0x00007FF753121000-memory.dmp

C:\Windows\System\bCoWeNX.exe

MD5 7485b2c579a6306577e8c7a26215baca
SHA1 19937408a338e774710d79b74816b45e52b89bb7
SHA256 e07a744643431da096fcf124981850c860affc00bbeeb1cc0a9f6e0a0fd19754
SHA512 444b01ac6baa6b1aa60397dfc10dcfc79e2079361c46c10a6a3ed41213fb51b6eb61abe3bc20ffc9a244f9b5c389e9f06c39b83d264a501ee88b6aea8355d442

C:\Windows\System\ueGHIoQ.exe

MD5 64956a147a31a519a97fa27b57444bef
SHA1 fb60645dd520d8e5fbe5ec3949b021d0df0612e6
SHA256 8af615925a14fa9bb3699b8413d56b2ebfe071d2f2c28f56c619b95bfdf7a9e0
SHA512 8eabbf96a518e8cfca3f9d0ecc03e0de2ffc21d11cb064d4942b3a4cfc37985931919b3aecaf6012e90168876746ff4f9607deb357174277b324082933ab8261

memory/2068-86-0x00007FF6C11F0000-0x00007FF6C1541000-memory.dmp

C:\Windows\System\FavMtBC.exe

MD5 9743c412946cfa8f9e5d2175c61d6ebd
SHA1 5f724c62aebf4cbcb894667d1c3ec0041244ac1a
SHA256 b9caf568e4394fc385679367412f80c8fcbd0e37110c1b0e7713f7242d2c31d6
SHA512 e656d708ec38d1a4048bd222009984b6c3bbeb2db8dcf4241b382576241b04b57a916b400e6b52e08b2addf82aaecd6e03e14869390982f6e69074cd463f0980

C:\Windows\System\lsrGtNK.exe

MD5 2c09787a98d6c6add0f7cfae2921ad86
SHA1 2890c287223c7b5240e6722eb3e220270df39da1
SHA256 c755f01f1604faa3b1294d9f4d079c2652fabc39c45abf833c7a28e104d5acaa
SHA512 ee3c2f22b995669271c8a2d3c75f345c053032480ba5549ea61cb0cb33205b9a2e5aace799b1591dc1650c46c52488212113f5189702b53aedefbd27e1a932e1

memory/1764-76-0x00007FF71EF90000-0x00007FF71F2E1000-memory.dmp

C:\Windows\System\usZtvqw.exe

MD5 ecd19f914cab41bc318cc4a530bc4e9c
SHA1 e486993c29d490642a2b271f3901cb44e1f95112
SHA256 6ad8670c07788cf3528841a76fcc4cf5adcd663e3bac8293e919fce88208f61b
SHA512 a0d7bac1ecb8d385b27c11c9e68ab48906ad6bd4ee14b4ecb8136ba75bac4f4f935df078c283bebe89c13c0016d5fa176c11ab0bc696a2676b9d628b05f8ea7d

memory/400-65-0x00007FF7C2B30000-0x00007FF7C2E81000-memory.dmp

memory/4068-57-0x00007FF71AA60000-0x00007FF71ADB1000-memory.dmp

memory/4792-38-0x00007FF6C7660000-0x00007FF6C79B1000-memory.dmp

C:\Windows\System\AYPQJyc.exe

MD5 bf759f30a278ac0213dc746d31d8ef35
SHA1 6fbfacd7068b04fb7642de3d7ee6bbca89253675
SHA256 12467cb567da209f8103419da0ca24c649e3486f5c831235e0c5715221fbc4ae
SHA512 05575814468f55b75144f5e55545b8f2e13cbd6803c1dbc683b27f496b07602bc358241b223fc49c632799343f91ce8a6b59dbbeec5ddd157604834ac3e1c873

C:\Windows\System\CaLgmiu.exe

MD5 7a21dbe1da32286980a3c75840628aa8
SHA1 ddac0217c9a7a24879cf6371925d47753670802f
SHA256 7c02971b8b6bb25fb729d3cbf181b0538de25f5c98c5f09dd337389c6d8fea27
SHA512 2652e83103b8d1b3736d3c5b83002395b913063728a7a90b5e1f364dd900a3ee20a24525cefc5f5089fb5f3dad1293ca68303fcc95dfd01fba1eb67b9dbce087

memory/4472-27-0x00007FF7809D0000-0x00007FF780D21000-memory.dmp

memory/4772-10-0x00007FF78E640000-0x00007FF78E991000-memory.dmp

memory/4772-129-0x00007FF78E640000-0x00007FF78E991000-memory.dmp

memory/2388-130-0x00007FF714990000-0x00007FF714CE1000-memory.dmp

memory/2068-140-0x00007FF6C11F0000-0x00007FF6C1541000-memory.dmp

memory/3924-142-0x00007FF752DD0000-0x00007FF753121000-memory.dmp

memory/1988-134-0x00007FF78E260000-0x00007FF78E5B1000-memory.dmp

memory/4792-133-0x00007FF6C7660000-0x00007FF6C79B1000-memory.dmp

memory/4472-131-0x00007FF7809D0000-0x00007FF780D21000-memory.dmp

memory/4268-128-0x00007FF75A920000-0x00007FF75AC71000-memory.dmp

memory/396-148-0x00007FF6D1330000-0x00007FF6D1681000-memory.dmp

memory/2064-144-0x00007FF6F5200000-0x00007FF6F5551000-memory.dmp

memory/4268-150-0x00007FF75A920000-0x00007FF75AC71000-memory.dmp

memory/4772-203-0x00007FF78E640000-0x00007FF78E991000-memory.dmp

memory/2388-205-0x00007FF714990000-0x00007FF714CE1000-memory.dmp

memory/4472-207-0x00007FF7809D0000-0x00007FF780D21000-memory.dmp

memory/4068-209-0x00007FF71AA60000-0x00007FF71ADB1000-memory.dmp

memory/4792-211-0x00007FF6C7660000-0x00007FF6C79B1000-memory.dmp

memory/400-214-0x00007FF7C2B30000-0x00007FF7C2E81000-memory.dmp

memory/1988-215-0x00007FF78E260000-0x00007FF78E5B1000-memory.dmp

memory/2752-217-0x00007FF7CA410000-0x00007FF7CA761000-memory.dmp

memory/1904-219-0x00007FF797E00000-0x00007FF798151000-memory.dmp

memory/1764-221-0x00007FF71EF90000-0x00007FF71F2E1000-memory.dmp

memory/2264-223-0x00007FF721960000-0x00007FF721CB1000-memory.dmp

memory/3456-225-0x00007FF783990000-0x00007FF783CE1000-memory.dmp

memory/1780-227-0x00007FF7A2920000-0x00007FF7A2C71000-memory.dmp

memory/3924-229-0x00007FF752DD0000-0x00007FF753121000-memory.dmp

memory/5012-233-0x00007FF710750000-0x00007FF710AA1000-memory.dmp

memory/2068-232-0x00007FF6C11F0000-0x00007FF6C1541000-memory.dmp

memory/2064-240-0x00007FF6F5200000-0x00007FF6F5551000-memory.dmp

memory/992-241-0x00007FF6FA700000-0x00007FF6FAA51000-memory.dmp

memory/396-243-0x00007FF6D1330000-0x00007FF6D1681000-memory.dmp

memory/3448-238-0x00007FF7E9E00000-0x00007FF7EA151000-memory.dmp

memory/3320-236-0x00007FF60B8F0000-0x00007FF60BC41000-memory.dmp
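The memory dump names above appear to encode the process ID, a sequence number and the start and end address of the dumped region (that reading of the naming convention is an assumption of this example, not something the report states). Worked through for every entry, the parent and all 21 children each map one region of exactly 0x351000 bytes, while the 21 dropped files carry 21 distinct MD5, SHA1 and SHA256 values: same-sized images with different on-disk bytes, which is consistent with the dropper writing a differently encoded copy of one payload each time. Hash IOCs taken from this run are therefore weak; the drop directory, the name pattern and the process tree are the stable indicators. The Python below is an added example and not part of the report: it parses a subset of the dump names and hash blocks copied from the Files section above and returns the PIDs grouped by region size and the number of distinct digests per algorithm.

```python
import re
from collections import defaultdict

# Entries copied from the "Files" section of behavioral2. Seven dump names and
# three hash blocks are enough to show the analysis; the full run lists 22
# processes and 21 dropped files.
MEMORY_DUMPS = [
    "memory/4268-0-0x00007FF75A920000-0x00007FF75AC71000-memory.dmp",
    "memory/4268-1-0x000002B8C6DA0000-0x000002B8C6DB0000-memory.dmp",
    "memory/4772-10-0x00007FF78E640000-0x00007FF78E991000-memory.dmp",
    "memory/2388-19-0x00007FF714990000-0x00007FF714CE1000-memory.dmp",
    "memory/1988-40-0x00007FF78E260000-0x00007FF78E5B1000-memory.dmp",
    "memory/4772-129-0x00007FF78E640000-0x00007FF78E991000-memory.dmp",
    "memory/3448-127-0x00007FF7E9E00000-0x00007FF7EA151000-memory.dmp",
]

DROPPED_FILES = r"""
C:\Windows\System\RnwLFGj.exe
MD5 5e1bb1f76ee0e6b2d5b21a46d5ba29b1
SHA1 48106c132ba165b408818603a4f071aa15824002
SHA256 36e5bf4466a208d1d172d0e44fd1f6800a5800984d55fcf5aa9941acc1dad15b

C:\Windows\System\JmuVpIe.exe
MD5 02e20b38ab070424e60cd117aa90ca14
SHA1 31e0a46e8a473b6b91c87f1fbcf07e50ef6c6e23
SHA256 7c1705382644121a604ff3204c45e8e4b93a81e2356f20f0e9623ac0578cebe9

C:\Windows\System\ZzyUHYU.exe
MD5 bdd77893ad912817d68cd740defd2ccb
SHA1 cea6ff91da56d4c406c278851dc0c8c8fb28fc2c
SHA256 833fa5e4a65b95e3570a81378f412c5ddb964c17f9cd8e94bec496c173b930c3
"""

# Assumed naming convention: memory/<pid>-<sequence>-<start>-<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dumps(names):
    """Return {(pid, start_address): size_in_bytes}; repeat dumps of the same
    region taken later in the run collapse to one entry."""
    regions = {}
    for name in names:
        m = DUMP_RE.match(name)
        if not m:
            continue
        start, end = int(m["start"], 16), int(m["end"], 16)
        regions[(int(m["pid"]), start)] = end - start
    return regions


def pids_by_region_size(names):
    """Group PIDs by the size of the regions dumped from them."""
    by_size = defaultdict(set)
    for (pid, _start), size in parse_dumps(names).items():
        by_size[size].add(pid)
    return dict(by_size)


def parse_hash_blocks(text):
    """Return {path: {ALGO: digest}} from the report's path-plus-hash-lines blocks."""
    files, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("C:\\"):
            current = line
            files[current] = {}
        elif current and line:
            algo, digest = line.split(None, 1)
            files[current][algo.upper()] = digest.strip().lower()
    return files


def digest_diversity(text, algo="SHA256"):
    """(number of files, number of distinct digests) for one hash algorithm."""
    files = parse_hash_blocks(text)
    return len(files), len({h[algo] for h in files.values() if algo in h})


if __name__ == "__main__":
    for size, pids in sorted(pids_by_region_size(MEMORY_DUMPS).items()):
        print(f"0x{size:X} bytes: PIDs {sorted(pids)}")
    print("files, distinct SHA256:", digest_diversity(DROPPED_FILES))
```

On the excerpt every listed PID shares the 0x351000-byte region and only the parent has the additional 0x10000-byte one, and the three files yield three distinct digests per algorithm; the same two functions give 22 PIDs and 21 distinct digests on the full section.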

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-12 00:35

Reported

2024-08-12 00:38

Platform

win7-20240704-en

Max time kernel

146s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 matches; Description, Indicator, Process and Target all reported as N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(44 matches; Description, Indicator, Process and Target all reported as N/A)

Loads dropped DLL

Description Indicator Process Target
(21 matches; Process is C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe in every row; Description, Indicator and Target reported as N/A)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\sZLUDOi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tSEDwWX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CEJLOJR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FaDnZtl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hORjTVk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WhzGuHG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xfJAZHj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LazAUFz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zCkLPnP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uTratmg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MpACsqp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LPPHWgp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oHjbEEB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZJnPGXE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yDJTWwq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hrePzmg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gKUvhaR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tAeeuCC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kMfQLfU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Pjqcliq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xQsAISB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2812 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LazAUFz.exe
PID 2812 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LazAUFz.exe
PID 2812 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LazAUFz.exe
PID 2812 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sZLUDOi.exe
PID 2812 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sZLUDOi.exe
PID 2812 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sZLUDOi.exe
PID 2812 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zCkLPnP.exe
PID 2812 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zCkLPnP.exe
PID 2812 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zCkLPnP.exe
PID 2812 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tSEDwWX.exe
PID 2812 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tSEDwWX.exe
PID 2812 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tSEDwWX.exe
PID 2812 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uTratmg.exe
PID 2812 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uTratmg.exe
PID 2812 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uTratmg.exe
PID 2812 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hrePzmg.exe
PID 2812 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hrePzmg.exe
PID 2812 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hrePzmg.exe
PID 2812 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gKUvhaR.exe
PID 2812 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gKUvhaR.exe
PID 2812 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gKUvhaR.exe
PID 2812 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tAeeuCC.exe
PID 2812 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tAeeuCC.exe
PID 2812 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tAeeuCC.exe
PID 2812 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MpACsqp.exe
PID 2812 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MpACsqp.exe
PID 2812 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MpACsqp.exe
PID 2812 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Pjqcliq.exe
PID 2812 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Pjqcliq.exe
PID 2812 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Pjqcliq.exe
PID 2812 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kMfQLfU.exe
PID 2812 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kMfQLfU.exe
PID 2812 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kMfQLfU.exe
PID 2812 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FaDnZtl.exe
PID 2812 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FaDnZtl.exe
PID 2812 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FaDnZtl.exe
PID 2812 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hORjTVk.exe
PID 2812 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hORjTVk.exe
PID 2812 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hORjTVk.exe
PID 2812 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LPPHWgp.exe
PID 2812 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LPPHWgp.exe
PID 2812 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LPPHWgp.exe
PID 2812 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xQsAISB.exe
PID 2812 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xQsAISB.exe
PID 2812 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xQsAISB.exe
PID 2812 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oHjbEEB.exe
PID 2812 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oHjbEEB.exe
PID 2812 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oHjbEEB.exe
PID 2812 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WhzGuHG.exe
PID 2812 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WhzGuHG.exe
PID 2812 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WhzGuHG.exe
PID 2812 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZJnPGXE.exe
PID 2812 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZJnPGXE.exe
PID 2812 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZJnPGXE.exe
PID 2812 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yDJTWwq.exe
PID 2812 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yDJTWwq.exe
PID 2812 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yDJTWwq.exe
PID 2812 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CEJLOJR.exe
PID 2812 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CEJLOJR.exe
PID 2812 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CEJLOJR.exe
PID 2812 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xfJAZHj.exe
PID 2812 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xfJAZHj.exe
PID 2812 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xfJAZHj.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\LazAUFz.exe

C:\Windows\System\LazAUFz.exe

C:\Windows\System\sZLUDOi.exe

C:\Windows\System\sZLUDOi.exe

C:\Windows\System\zCkLPnP.exe

C:\Windows\System\zCkLPnP.exe

C:\Windows\System\tSEDwWX.exe

C:\Windows\System\tSEDwWX.exe

C:\Windows\System\uTratmg.exe

C:\Windows\System\uTratmg.exe

C:\Windows\System\hrePzmg.exe

C:\Windows\System\hrePzmg.exe

C:\Windows\System\gKUvhaR.exe

C:\Windows\System\gKUvhaR.exe

C:\Windows\System\tAeeuCC.exe

C:\Windows\System\tAeeuCC.exe

C:\Windows\System\MpACsqp.exe

C:\Windows\System\MpACsqp.exe

C:\Windows\System\Pjqcliq.exe

C:\Windows\System\Pjqcliq.exe

C:\Windows\System\kMfQLfU.exe

C:\Windows\System\kMfQLfU.exe

C:\Windows\System\FaDnZtl.exe

C:\Windows\System\FaDnZtl.exe

C:\Windows\System\hORjTVk.exe

C:\Windows\System\hORjTVk.exe

C:\Windows\System\LPPHWgp.exe

C:\Windows\System\LPPHWgp.exe

C:\Windows\System\xQsAISB.exe

C:\Windows\System\xQsAISB.exe

C:\Windows\System\oHjbEEB.exe

C:\Windows\System\oHjbEEB.exe

C:\Windows\System\WhzGuHG.exe

C:\Windows\System\WhzGuHG.exe

C:\Windows\System\ZJnPGXE.exe

C:\Windows\System\ZJnPGXE.exe

C:\Windows\System\yDJTWwq.exe

C:\Windows\System\yDJTWwq.exe

C:\Windows\System\CEJLOJR.exe

C:\Windows\System\CEJLOJR.exe

C:\Windows\System\xfJAZHj.exe

C:\Windows\System\xfJAZHj.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/2812-0-0x000000013F7B0000-0x000000013FB01000-memory.dmp

memory/2812-1-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\LazAUFz.exe

MD5 696640ef4772242ac2e95aa8546e8e94
SHA1 6e73628c18119e5e4f28b0faa8e6a33875b617e9
SHA256 70a59e734fa52ae484f375379e1db258d026a5d748375d097bd8035f8d90667f
SHA512 dda7ed57f98081d1e4693129640aa094a3d097ec026beca7cd4e3d14601361f9f4a1e206c8bf734a60919581d2246146e675047f2d992383816e2f9c993d95db

memory/2812-7-0x000000013FCA0000-0x000000013FFF1000-memory.dmp

\Windows\system\sZLUDOi.exe

MD5 9eb468cb7b994a76d6c7dce15a3a882b
SHA1 b0fb30a24f3af3ebab50d37ce7027d9e4d6d5ae4
SHA256 f3b2b609b0b0a67d8e499eff6c4c28f6f942dc0d2d3e3690f74b5dcf18e99c65
SHA512 b04251775e955074ecedd454127df911044366fcaa844cf76459a429e302ab754ca62085dd53ea9470dfd66bb31eeec7b98c77b249e5d23cf079b3cd5cf72d9c

memory/2968-12-0x000000013FCA0000-0x000000013FFF1000-memory.dmp

memory/2812-14-0x0000000002220000-0x0000000002571000-memory.dmp

memory/2768-23-0x000000013F430000-0x000000013F781000-memory.dmp

memory/2812-21-0x000000013F430000-0x000000013F781000-memory.dmp

C:\Windows\system\zCkLPnP.exe

MD5 84dcc160d11987af88204ec3b6e14e63
SHA1 0a71722134bf97c4815bc066737b3b776e4c41d0
SHA256 242fdfe70bb671e59159d96a68f0057cbe7a672ea535dfd3268e2dd292c991ea
SHA512 533fa690b19926e5f77e99b2918fb0d19c4ed10864d1d7397ea0c63e338d81291c3421c6bfc77ce69d9a1a62392a70dc3ecb372fdcdb3d93c47e864d49ac8949

C:\Windows\system\tSEDwWX.exe

MD5 524e9a75a380b57bb97348a8350c64ed
SHA1 9e3268f51c524259f59527fdfd3324a3c3865539
SHA256 a73a9590099bb4747b79177a3e1497324e3990c7a7dcc78e2d2ac612498c956a
SHA512 997aca27443f270f5bd9e5c7d47d0cc486a97c26f1925b7809404a9801c9d8538f6dab00b8fb725609758a4e0bd699151adfcdce86e65853dbde4067031c8433

memory/2812-45-0x0000000002220000-0x0000000002571000-memory.dmp

C:\Windows\system\hrePzmg.exe

MD5 c718729602bdb584893e144a65f75fda
SHA1 326b6d7855f584ff9a4ad594146ee7061743e7d7
SHA256 e68eb622b465c5248c9aa1d600ead673f2a3a9f62c48260a1936d59b442a155d
SHA512 f97f1e4beb31cd2b68eb34cffe05885298317dafdb594ea8078a5912bbae0a308de2e1f2b1144836c82ecc8a9b1b6483a935f91cb8b7e40390d6adf3943b6b6c

memory/2008-48-0x000000013FE30000-0x0000000140181000-memory.dmp

\Windows\system\tAeeuCC.exe

MD5 f8733bf1e88b7b1f7a3838252746ca7b
SHA1 5126129b0100361258da1a6587bfc91acf781ec6
SHA256 784535fa3b62192881fd7641090db8af442d4c7559ed4d468b8f634e34c6c7de
SHA512 b1834450c35d13adfea6256ab09017a9115693b9277dfc60c54d1c388a36de856db93bdcc2ac067ccabeec738f73a61a4ef54c9bb88c38a348d6bb571073fed1

memory/2564-54-0x000000013FBF0000-0x000000013FF41000-memory.dmp

C:\Windows\system\Pjqcliq.exe

MD5 34e29352895eed5cd182a9c639706ea1
SHA1 9c0e63e7a4c8cfe04cbb2b243ea3507d285771ff
SHA256 7689bea922ffcabb43c8c3e08ba1601601841e89d6c95c2db2062659c60699e7
SHA512 21ecb65ea68c3e0f2b26cfea37708e43ed005b0966ae259c18b986053f361154fed87a95f1fe46315141a2eba1692baa9720a43643926bb469fe5c36b5783f4b

\Windows\system\FaDnZtl.exe

MD5 30b60055e4e8a7587cea7d0939b1ed5e
SHA1 327cf40adbe02277144fa8288d682cc7c0131ded
SHA256 49655565b2362067a7c476d2de545fa81381c63c9e95b7bc955e10bc382cc2df
SHA512 a0b26681cd8df285b015157ec1f5e622d3fbda2fd697b438441491af2f28fed3944dc32ae233cbf0d11b57a053a4df0c442d8401a33d7d243ca95701e65740eb

\Windows\system\LPPHWgp.exe

MD5 ec77e22c8025a39e35fafc01c5e1b9a5
SHA1 600ed2a0d5ae0af111fac56fc676a199d013af65
SHA256 7790f726c0fa11daefb627435622ab39a53416e646c3930ec9544ea4bda0c1d5
SHA512 91a9499c45175433c21e73aa4e793c8ef7cec0a8c4084fd165e82a4c97b8e2cfcfd350ff0d59acffff624ccc062f0bb05beab64f086e3fb911f92edab96c0540

C:\Windows\system\ZJnPGXE.exe

MD5 263c7d6bb50ed6e560be9f4ce85f102d
SHA1 4c3806c84607d9bad43c792d40229eb1fc0bbeb0
SHA256 ed9ff1442499407b0353983963754e96aa3fd216cdf4a1a2e91589c0a466549e
SHA512 25e66e7c6b19321b214e6a89cf4ce6decaddc02bcc933f168572abc56d8218b8246e67c3d3149157d50c150f06180f37d55ef91089a24f2bd9c46dee8c97bbf7

\Windows\system\CEJLOJR.exe

MD5 ac448ee38ff90f5ec2c33512eeed1e1e
SHA1 6ba159c6f95e8d270fcf2b3da460a82e0d0783aa
SHA256 5e67493b54edcb2075ef8efd3ea4e6057c36b3b34c0ee98e2bf4aebae539a699
SHA512 54367ee5351d849f17be4fbc1f2d6de5d2e455a2386fcef21920c5189df888854d4b93be3f4bb9d8f3b5c92000a72fe4528fc938c8f72a53bc73ea019991bf0a

C:\Windows\system\xfJAZHj.exe

MD5 c2a33bec3d38ed70034f2db8e1429dd4
SHA1 ff1f8f9c111b2b70b3823d4908e4edc8d450ea0b
SHA256 6ca4ed3a081ed1cc7b27d57654058ab1f3c68cb41230ec9f3eb8e27d6f337e02
SHA512 dcdcd4455c9d640710dce9060ab60a2d1fd01b02a0daa71457347b2c8280ee8e53e55780fa585e7de07cf9c2edec0ca1f24a481edf5088212d9a33b806b43593

C:\Windows\system\yDJTWwq.exe

MD5 1fd811f77c05d051f9413f3544052e22
SHA1 1a870353e95a87e7c6dddc8d511f3426a5a72945
SHA256 a30d3ba4a04a8de20ec7793063298d28b4a35e44cb513c08cc55d469bccfba78
SHA512 30749985ea090f1a420606b575b22f0e8b3770164fb017e9a289c6bcf53c5283f9c39040c04e510323a1b88d382aa4c54ec9149ecf3ed165ec720601e6d5bc71

memory/2420-105-0x000000013FD40000-0x0000000140091000-memory.dmp

memory/2200-96-0x000000013F6E0000-0x000000013FA31000-memory.dmp

memory/3032-128-0x000000013F900000-0x000000013FC51000-memory.dmp

memory/2812-95-0x0000000002220000-0x0000000002571000-memory.dmp

\Windows\system\oHjbEEB.exe

MD5 3d4c20022992a90095d63ded7f581611
SHA1 107b36661d6c6669e9a9e6d686099826317ea6fa
SHA256 1308ab20c4f76a43d8484cbbad806a9bdebe17a67600d839a3fecba53a4c58d0
SHA512 06b58f24ae3e3342e4b6b5b648eb9d71c430a2e25fbbe336d90d9752fc3df7a7906583e3f1057e24c1d67808030621ed9dd21524b3c0f7ccc9004490b79dc206

C:\Windows\system\WhzGuHG.exe

MD5 de8c972c42b4bde063bf40bfaf6eca39
SHA1 e04d3978dee18ef583814cd0c780d3dd724a6a3f
SHA256 f91017fe4befe92c6680e80066a80e33e7f936067a077ae2739346c3ef0184a7
SHA512 5f0967d9257e9e8ae798117fad7bd8974b9ef880cb2802cb9eff8d9140775db9db7c63248f6f843ea594b3a758847e5ea34e9eb4fa80c3fbf100fd74097ed6a5

memory/2424-80-0x000000013FCC0000-0x0000000140011000-memory.dmp

memory/2812-78-0x000000013FCC0000-0x0000000140011000-memory.dmp

C:\Windows\system\xQsAISB.exe

MD5 db3270e6e4938f03f5eb8caf77674391
SHA1 181e6b3d3963b9caf20e8592eb297c1a9164ffb3
SHA256 dd13d7f40c80a80ef2a8bc8f0689c5d45d03efb6ca16769dc8734a49e086742e
SHA512 ba656fe5a4bdb57a57c32e1f7b9e29822ff2a6b35667706e15ff0e7ac53c930fb4a084b70424711ed92ad720baf96b3c4ba59066499ebb754af789a9d2428994

C:\Windows\system\hORjTVk.exe

MD5 6f6016512187dead45cd580e9528a3c0
SHA1 33ce4578a5f34690c4528287173fdd2f7f9050ea
SHA256 2d974c14cc55413ed17ee3304e6d8cf72f402d75bc06cd9ff44d510332ef7fa2
SHA512 0fe51c46ce31a8c1600605316d1c70c267f45970efa5b34a5093cb48f0f4fc0e3458aeba90de191e27f8cc441bf21ba0d2e64ae163d64b3ef8d00c9bd423fe06

memory/2008-136-0x000000013FE30000-0x0000000140181000-memory.dmp

memory/2148-77-0x000000013FE10000-0x0000000140161000-memory.dmp

memory/1048-72-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/2812-71-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/2812-70-0x000000013FE10000-0x0000000140161000-memory.dmp

memory/2592-69-0x000000013F750000-0x000000013FAA1000-memory.dmp

C:\Windows\system\kMfQLfU.exe

MD5 7935df30b8922d24b615808a08412b42
SHA1 ea06432b67f962777e0549d6f7f243eac256a296
SHA256 1e92225cdc572ef7dcded462fc1b5095c4def825d78441ce6d990a00ae337918
SHA512 3fdcb6130c6c9b227c862cfa93ec116fdc74b11bc8b27bb7c87e7b4a69f346f51042605a8437872f1002601a009a88969dd2e786d33a3c83b5e8645791471218

memory/2124-67-0x000000013F830000-0x000000013FB81000-memory.dmp

memory/2812-66-0x0000000002220000-0x0000000002571000-memory.dmp

memory/2968-59-0x000000013FCA0000-0x000000013FFF1000-memory.dmp

C:\Windows\system\MpACsqp.exe

MD5 b2ebebe62c5d8a2f17b8a23d089b1659
SHA1 16c4f01d9a6c0e78be58c7e37f0c630ac16ff1e1
SHA256 4343d703c357d363d1c8eac0ffef14c7d6bfbcb9a5a0c4e2274d6bf6a182fab6
SHA512 4734e9c8fadb89589fcc8a71b89e1b2edf3fe906d1e2fd622e89d2a78e97134976cffc89bd394745e66f37c1df9701b4f9c15f8c7bfc4d968e7fedd2f97524a2

memory/2124-143-0x000000013F830000-0x000000013FB81000-memory.dmp

memory/2564-142-0x000000013FBF0000-0x000000013FF41000-memory.dmp

memory/2812-137-0x000000013F7B0000-0x000000013FB01000-memory.dmp

memory/2812-53-0x000000013F7B0000-0x000000013FB01000-memory.dmp

memory/3032-46-0x000000013F900000-0x000000013FC51000-memory.dmp

memory/2812-44-0x000000013FE30000-0x0000000140181000-memory.dmp

C:\Windows\system\gKUvhaR.exe

MD5 0c54cabed2d1f87345b4c65411c94092
SHA1 49788cd5127eaaacd5f6d660719110efa34080e0
SHA256 9f3485656a401644e723fe66c124b38ca894002dd30fc5e1942c1226d103eb9d
SHA512 3fe41478f5dfb4b7dfcc88e12ecb77c0234c51d78b37cadccd954a78d9e130d5eff4884fd638a023b87f7f25a9ec8698f01a30e87dadd99564f38d70aa1318f7

memory/2616-42-0x000000013F740000-0x000000013FA91000-memory.dmp

C:\Windows\system\uTratmg.exe

MD5 cc0a7903080ced857152f6406039106b
SHA1 a47be9d302f01773f0504e018355786049383892
SHA256 ce8a56ed58d309eb813562e66748e9b2d7f4f67095d9e18c73181fe47ba0545b
SHA512 dc60ee6bea323e8210937f8236e68ea5341c682e0d83b209b64b008027ddb689e14ea77f5b13e7381a360fa096d7e52365cb5e4fae96d8ca04c5411c05d3929b

memory/2696-30-0x000000013F470000-0x000000013F7C1000-memory.dmp

memory/2812-29-0x0000000002220000-0x0000000002571000-memory.dmp

memory/2592-19-0x000000013F750000-0x000000013FAA1000-memory.dmp

memory/2148-149-0x000000013FE10000-0x0000000140161000-memory.dmp

memory/3032-146-0x000000013F900000-0x000000013FC51000-memory.dmp

memory/1048-150-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/2108-153-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

memory/596-160-0x000000013F490000-0x000000013F7E1000-memory.dmp

memory/2812-161-0x000000013FE10000-0x0000000140161000-memory.dmp

memory/2172-159-0x000000013F620000-0x000000013F971000-memory.dmp

memory/1772-158-0x000000013F970000-0x000000013FCC1000-memory.dmp

memory/2512-157-0x000000013F9E0000-0x000000013FD31000-memory.dmp

memory/588-156-0x000000013F190000-0x000000013F4E1000-memory.dmp

memory/2828-155-0x000000013F960000-0x000000013FCB1000-memory.dmp

memory/2420-154-0x000000013FD40000-0x0000000140091000-memory.dmp

memory/2200-152-0x000000013F6E0000-0x000000013FA31000-memory.dmp

memory/2424-151-0x000000013FCC0000-0x0000000140011000-memory.dmp

memory/2812-162-0x000000013F7B0000-0x000000013FB01000-memory.dmp

memory/2812-184-0x0000000002220000-0x0000000002571000-memory.dmp

memory/2812-190-0x000000013FD40000-0x0000000140091000-memory.dmp

memory/2968-212-0x000000013FCA0000-0x000000013FFF1000-memory.dmp

memory/2592-214-0x000000013F750000-0x000000013FAA1000-memory.dmp

memory/2768-216-0x000000013F430000-0x000000013F781000-memory.dmp

memory/2696-218-0x000000013F470000-0x000000013F7C1000-memory.dmp

memory/2616-220-0x000000013F740000-0x000000013FA91000-memory.dmp

memory/2124-237-0x000000013F830000-0x000000013FB81000-memory.dmp

memory/2148-241-0x000000013FE10000-0x0000000140161000-memory.dmp

memory/2008-235-0x000000013FE30000-0x0000000140181000-memory.dmp

memory/3032-243-0x000000013F900000-0x000000013FC51000-memory.dmp

memory/2420-250-0x000000013FD40000-0x0000000140091000-memory.dmp

memory/1048-246-0x000000013FEC0000-0x0000000140211000-memory.dmp

memory/2424-244-0x000000013FCC0000-0x0000000140011000-memory.dmp

memory/2564-238-0x000000013FBF0000-0x000000013FF41000-memory.dmp

memory/2200-248-0x000000013F6E0000-0x000000013FA31000-memory.dmp