Malware Analysis Report

2025-03-15 08:05

Sample ID 240813-n7n2lascke
Target 2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat
SHA256 93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74

Threat Level: Known bad

The file 2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobaltstrike family

xmrig

Xmrig family

Cobalt Strike reflective loader

Cobaltstrike

XMRig Miner payload

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-13 12:02

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 12:02

Reported

2024-08-13 12:05

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\YuzaDIo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ILqAgJS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lzKXKNC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yYtUiKW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LhGXCAO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sODbcEy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TyldNye.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uESQSRM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EfPJwBy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UWpfJHg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mSsOWyN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\djdKJYH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gESmabV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sgwAYiM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MJbwsGS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JlzRJbf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BqgSehE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wKftVLp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SuLgBuE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rGQOsCx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VtIwufQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3404 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ILqAgJS.exe
PID 3404 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ILqAgJS.exe
PID 3404 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wKftVLp.exe
PID 3404 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wKftVLp.exe
PID 3404 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lzKXKNC.exe
PID 3404 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lzKXKNC.exe
PID 3404 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UWpfJHg.exe
PID 3404 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UWpfJHg.exe
PID 3404 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mSsOWyN.exe
PID 3404 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mSsOWyN.exe
PID 3404 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yYtUiKW.exe
PID 3404 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yYtUiKW.exe
PID 3404 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\djdKJYH.exe
PID 3404 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\djdKJYH.exe
PID 3404 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SuLgBuE.exe
PID 3404 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SuLgBuE.exe
PID 3404 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gESmabV.exe
PID 3404 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gESmabV.exe
PID 3404 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LhGXCAO.exe
PID 3404 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LhGXCAO.exe
PID 3404 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sgwAYiM.exe
PID 3404 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sgwAYiM.exe
PID 3404 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rGQOsCx.exe
PID 3404 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rGQOsCx.exe
PID 3404 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sODbcEy.exe
PID 3404 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sODbcEy.exe
PID 3404 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YuzaDIo.exe
PID 3404 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YuzaDIo.exe
PID 3404 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TyldNye.exe
PID 3404 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TyldNye.exe
PID 3404 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uESQSRM.exe
PID 3404 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uESQSRM.exe
PID 3404 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VtIwufQ.exe
PID 3404 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VtIwufQ.exe
PID 3404 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EfPJwBy.exe
PID 3404 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EfPJwBy.exe
PID 3404 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MJbwsGS.exe
PID 3404 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MJbwsGS.exe
PID 3404 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JlzRJbf.exe
PID 3404 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JlzRJbf.exe
PID 3404 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BqgSehE.exe
PID 3404 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BqgSehE.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\ILqAgJS.exe

C:\Windows\System\ILqAgJS.exe

C:\Windows\System\wKftVLp.exe

C:\Windows\System\wKftVLp.exe

C:\Windows\System\lzKXKNC.exe

C:\Windows\System\lzKXKNC.exe

C:\Windows\System\UWpfJHg.exe

C:\Windows\System\UWpfJHg.exe

C:\Windows\System\mSsOWyN.exe

C:\Windows\System\mSsOWyN.exe

C:\Windows\System\yYtUiKW.exe

C:\Windows\System\yYtUiKW.exe

C:\Windows\System\djdKJYH.exe

C:\Windows\System\djdKJYH.exe

C:\Windows\System\SuLgBuE.exe

C:\Windows\System\SuLgBuE.exe

C:\Windows\System\gESmabV.exe

C:\Windows\System\gESmabV.exe

C:\Windows\System\LhGXCAO.exe

C:\Windows\System\LhGXCAO.exe

C:\Windows\System\sgwAYiM.exe

C:\Windows\System\sgwAYiM.exe

C:\Windows\System\rGQOsCx.exe

C:\Windows\System\rGQOsCx.exe

C:\Windows\System\sODbcEy.exe

C:\Windows\System\sODbcEy.exe

C:\Windows\System\YuzaDIo.exe

C:\Windows\System\YuzaDIo.exe

C:\Windows\System\TyldNye.exe

C:\Windows\System\TyldNye.exe

C:\Windows\System\uESQSRM.exe

C:\Windows\System\uESQSRM.exe

C:\Windows\System\VtIwufQ.exe

C:\Windows\System\VtIwufQ.exe

C:\Windows\System\EfPJwBy.exe

C:\Windows\System\EfPJwBy.exe

C:\Windows\System\MJbwsGS.exe

C:\Windows\System\MJbwsGS.exe

C:\Windows\System\JlzRJbf.exe

C:\Windows\System\JlzRJbf.exe

C:\Windows\System\BqgSehE.exe

C:\Windows\System\BqgSehE.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 52.111.227.13:443 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/3404-0-0x00007FF76B650000-0x00007FF76B9A1000-memory.dmp

memory/3404-1-0x000001DC688B0000-0x000001DC688C0000-memory.dmp

C:\Windows\System\ILqAgJS.exe

MD5 93de91ede08cb2df8bcfc2c6f30ae560
SHA1 0963910b27e06235495bc40bb524565670c983d5
SHA256 f46e43d8986750dd64837b130eccb4b6dd2e1179d83f69e2d8e0d3564d5e2fed
SHA512 0368a74483ae407e43f9aed0152ac63fb030e4ae521160e684a168b5748be25f7d6c7d7f46106059141792e2a13bc80b380ae3bd65814533f5b0bcfca59f2387

C:\Windows\System\wKftVLp.exe

MD5 1ed7c6b4895d623ccc63b362a536004d
SHA1 dffd6dca689626541cde8b0e243e24df85051478
SHA256 1aa4c699f738ab29ddfcc09dbded2ae2fb99688955d2ae3d36b62bb08b84d465
SHA512 a81694ba4db9e80f1edec5fbb9c4d1113bc4e358c039fd57e6ca025ea4a7cbae62b07fada64e4ebe5613057ad07e2e459d4bde4b0dbeedf965ed7b60fce58d13

memory/468-8-0x00007FF63E380000-0x00007FF63E6D1000-memory.dmp

C:\Windows\System\lzKXKNC.exe

MD5 46fb0017c6d844df79e29bc68e048477
SHA1 da59586feea49900b435477e3c7a44ba612393e7
SHA256 17e78ee6a90007b9acab5490b825ff62985346cb1488e5eea71e10e8565e8ced
SHA512 73cbe14dcf02ec6658c12efd34b89c9627cadefdd064cd3a115a4fe5662f1037f2b197ceb36a585b8d9b0e63b46e2874a4ed3b5f8e7949d17c33235a2796bfea

memory/3872-13-0x00007FF6FA8D0000-0x00007FF6FAC21000-memory.dmp

C:\Windows\System\UWpfJHg.exe

MD5 52af2ddcb2d50cbfb9ccdebafcfea19e
SHA1 794ef3353dff058e76d923b2c534cc4df52db764
SHA256 0bf063df19d971873b5de52049cb98b35c271208aa8d0bbcf48fefb2c289d94d
SHA512 0c4a6f2fe362485cd6880ba705616e1f173c4faa672b106de7aa3ab4dd05b588487eb9ca5a27d258370a468fe0bc6485c28664f4f39cd706da707b8fb9e933bb

C:\Windows\System\mSsOWyN.exe

MD5 bfad4f7a0bc678c5fedb339de8f9cfa6
SHA1 ceed3e63a9819556c06ced86e662c65e2c8beed5
SHA256 93be91679fe8b11e6f70480908dbdee5e963f66d3403a8c2d973e16dadb0f924
SHA512 fb733b5e4f8fd1ee3e62decba79373d08dc644e5b068b3a2f5901dda88719c04577be6d37b6119e8c3a4a4ed642bdfcd9c02eefe5066dd8c73852a2f25ae6b1b

C:\Windows\System\yYtUiKW.exe

MD5 f6281fa62c14ddc27978c4e455fb3bc7
SHA1 62565d651941cc4a5f726bedcd4326d23f872f40
SHA256 0f19405f8214cd00eeb91a2dd7ae7bfcc3da27297abbef4c73a54090f79d0df1
SHA512 f2ebc4883ff628efc60c07fac1f0c617f5f7b29b76359ca4a00bc41e47be26b3acc613e10a24f38b90ebe66d533db932c1ee2446c4f6304112d9412097d4625b

C:\Windows\System\djdKJYH.exe

MD5 ccef002f6ad31e44bc94ddc6f3814571
SHA1 ea3e720af992485d1ff09ac9735e60db8fe6ca11
SHA256 44570e119c7b62fd830867bf129ad32d21ed31157d19bff830c1fec089aa1fd8
SHA512 74d1b84831e5e9d64e9a6e66251863a6136654b1587e6aaada0f8565089d2a9bc44e0fec278ec1ec99f265e3f4d07eaf691871c66be25b115e60ad3ec7243148

C:\Windows\System\LhGXCAO.exe

MD5 0f6f379ff51a316acf5b236a8fe4b76d
SHA1 8ac047477b1dec874145f6359e0ac25152b59355
SHA256 b169faa3205ccf046a53f6c9ef17805ae8e588f1b521b0b4a4b111d3a7c609d7
SHA512 8362863a139d7f4806c167f7e7422f06918765bb55f2f76b1223cd5862f5d915f8b4dc045cf6bf28ffdaa4b83e1e09e456a1048dedde0b5703e905b84b22feae

C:\Windows\System\gESmabV.exe

MD5 e335235826b8b147a413ad2523464fc2
SHA1 dfd12a777dee710676a4bfde1cfaff7dc91c0881
SHA256 b70cadb3f2df22e8196f56b5627cc13d58fefe1756c32bccc53c6c0e2c665f54
SHA512 4242fb5c38e4b4677c19232098e3e35da5dbef78b88f2cc840c007035bd89fd09e726d97bb83e31715082dcd824e8a451376fb727f2ca2a704adf8f1a40f2a1e

C:\Windows\System\sODbcEy.exe

MD5 3edeb04ed7f33db749f37bff9a495767
SHA1 59b05c054a1e2e2d0e7622fcf551e0dc3455a0e6
SHA256 fa545a18da686a981b13e3c03006684cc12c968f93aea4c0bccf3d9a116818ea
SHA512 6c93f12fcfd30939188b1caf5b275b080ab8f37de7ec978a28e551552a7a1100caa8523f1f5c065e19ac212c91a9b42273b49d8c71baa3619ef5c24f22da7e4b

C:\Windows\System\rGQOsCx.exe

MD5 ef6209178f7fbeff4c5e765231e37653
SHA1 ce4f86a288af9f7fc141a73254bf035662d8dba4
SHA256 525f76b36ff9c36d6f273ce86949c20d0c0d2256b4a530f9051846848c136014
SHA512 90c67aacbe2bae7574471bf14bf6582749a9b17404f35071db95e9131846f96831dc3be6b4aae92c69c2525d35258dd0f39c1a017c3a61de3d39bccd4fed9b04

C:\Windows\System\TyldNye.exe

MD5 4ed25f84cc8b0e3fa1a54d1e0a4712a9
SHA1 c34006adc41255a5a7ad9e7c4a2809f751057e31
SHA256 69dc32a723d6d397f6ca73f8a4fc23dbd37a74e7aa3f6830e5d21bbbd5c3a76c
SHA512 bad8ed3d31786311bb06a71ce685a1c0c23249d97f181aca119d26da6a1c887ef91f014041dc048699b52f5df02ebc0590d34141f69f2b3298e4e62575d803e6

C:\Windows\System\EfPJwBy.exe

MD5 25d8df08c3993f5287f1e10423657f27
SHA1 1297eb95ac5361a1f1a3956165ed585334de3ed3
SHA256 b5e0827e3bae58fe2565fba58dd7e630caf8310b3eec246a9e57ccbaaddf513f
SHA512 5aa08d3e788b5637254fe986348b92dacf4dab6f246fd9c0fff5c1ae6cb294315b3c9b22026d7d36929785781bba6bf9c0bdba9594953f2ef779b13d19b3a0d0

C:\Windows\System\BqgSehE.exe

MD5 c3c10b73828e24b8cd2a6a9ff44999e0
SHA1 f1936cb88a3c9703289189791332bf881cee2621
SHA256 cee96a127b5b8fade65fc3dee6cf5d5456fb103d3d03756f04c2bf4001b89a22
SHA512 58f2997a08cb4d7b715cf6cbd9ed8120eb7a4f3e4e8265643e4585d35b360876495ca763474a3d737fd22af2b6ac7673130861c499ce28e3a8b9a59c14709b9c

C:\Windows\System\JlzRJbf.exe

MD5 23cc262e4193cf679284a68984397bfc
SHA1 cfa3a925c26c86dd6f166033dae69d118703a6ec
SHA256 6f5e3cb1174cef0b99dc7a218b5373e01b5066996f14caf2a39e525f03095581
SHA512 db65ac05be1b6e143b0409c2e6b2ecee6f6a9738b7d69c332da53d5ea825a2533ae6d1e7bfc14c607f02ca07c0245d1a872161740b872631691728f9bcd6bf37

C:\Windows\System\MJbwsGS.exe

MD5 fc08050aba5938e14185dd12951c7f78
SHA1 ec7f118b7f7be6560c38a75d16fe737588c2018d
SHA256 47d47cf9e4aaef04422bfb580b599927d34c47ce7ccc4538ef243187eb58912f
SHA512 ad432ac813419b358b61a6aaa4eb4642dff04fb188a712d156d4440e4c09c9e1301d8e20a5158cb069e092f895e3f8f9efcae11fcfeb82cb1757218b3505b4b3

memory/552-110-0x00007FF6D9880000-0x00007FF6D9BD1000-memory.dmp

memory/3716-107-0x00007FF7E3470000-0x00007FF7E37C1000-memory.dmp

C:\Windows\System\VtIwufQ.exe

MD5 79edc490d7b98e694752b6981a7eeec0
SHA1 4295b48d269fb3024093cdca660de07e1558fa1b
SHA256 44c0e13d92aa4eb62e762f70e3be2124b85513c28821e34956a37bf412b8b376
SHA512 7c87c11097de1a6b57ba75c45e25e491c694796f9f19ee22240893bf1abc54218eb17f8599d8eb18ba427a5fc0114133dd23fd7bfb2f6a7d5a5ec176477aa02b

memory/2708-104-0x00007FF62BCD0000-0x00007FF62C021000-memory.dmp

C:\Windows\System\uESQSRM.exe

MD5 24b2034b04dac4929f4f4d5f96bf337e
SHA1 784e2777a72b031d3e11f880b50b92a0330db702
SHA256 d667dd3b3a4f256a34a2a74f22afeca19bea9b6e8085456e466e3aeb7e311daf
SHA512 4f499e1ac24e91d9c315236f97fd8b4c4df02a4003fdf779ec1c6cc94c12bdda843b414d1cf14a0ddd27ebea961337c3c025c198db4a6e0fc16dbe846f3034b7

memory/3476-98-0x00007FF70E7A0000-0x00007FF70EAF1000-memory.dmp

memory/2060-97-0x00007FF727540000-0x00007FF727891000-memory.dmp

C:\Windows\System\YuzaDIo.exe

MD5 3b625106de90881a449a9b346b21c134
SHA1 8a883f19c98e4b97d601c36569136e5915bf6e7c
SHA256 cc62eeea44c3360b96c5add4771071dfd158e677affe1536e4dcd1321fbcf889
SHA512 f6d4bd5bd74af46bd9014fb3b32c97f340ddd4050422e8c757c3043918de1fc8cd7e4db83b2fc74f7ea76bf5f66b1588d76de6e31510a98919ff296459fa46fb

memory/3608-86-0x00007FF74AF00000-0x00007FF74B251000-memory.dmp

memory/2728-78-0x00007FF6FAA40000-0x00007FF6FAD91000-memory.dmp

C:\Windows\System\sgwAYiM.exe

MD5 313306a66202fb5b48e80c494523448f
SHA1 15f759bbbbc1a33eca172d29e966b3f821760ac5
SHA256 3a477f71df4f1ff9c0de9f63be292cfec254f1c7b163ef2eb4d7dbb340398ed6
SHA512 4da53277bbff21b03ed23fc6c47da0955d2c4a7c9a14caeeae64aff106deb2bc80f0ce2f1c0850bd4d99a86150a2071f4d8bb07ac706d32846a34285081f107e

memory/652-70-0x00007FF7DB030000-0x00007FF7DB381000-memory.dmp

memory/1516-64-0x00007FF61D910000-0x00007FF61DC61000-memory.dmp

C:\Windows\System\SuLgBuE.exe

MD5 3d155ec1ae53d788d37e9c4900dc55d7
SHA1 141e447ccdc5c7e2eaddbbd658691ff7ad30e61b
SHA256 c97c6215d4c2400ba71c9c82464900188c3471ab22c1cf45cc5d6b5204836c83
SHA512 03b5aa47aca3512a4a1d52b4dcf64cad16aac949881c36013786da5d9a86f1239ae7206dadde7f53d54926d29c15a61b5bd0967e10fa1d935bbde7a7d1d715df

memory/720-56-0x00007FF692260000-0x00007FF6925B1000-memory.dmp

memory/4696-47-0x00007FF787050000-0x00007FF7873A1000-memory.dmp

memory/1744-45-0x00007FF782D60000-0x00007FF7830B1000-memory.dmp

memory/100-40-0x00007FF709790000-0x00007FF709AE1000-memory.dmp

memory/3484-34-0x00007FF785840000-0x00007FF785B91000-memory.dmp

memory/1964-28-0x00007FF7454C0000-0x00007FF745811000-memory.dmp

memory/436-23-0x00007FF77E0B0000-0x00007FF77E401000-memory.dmp

memory/3404-125-0x00007FF76B650000-0x00007FF76B9A1000-memory.dmp

memory/2064-126-0x00007FF700190000-0x00007FF7004E1000-memory.dmp

memory/2104-127-0x00007FF689990000-0x00007FF689CE1000-memory.dmp

memory/388-128-0x00007FF7ABC80000-0x00007FF7ABFD1000-memory.dmp

memory/1964-133-0x00007FF7454C0000-0x00007FF745811000-memory.dmp

memory/1744-136-0x00007FF782D60000-0x00007FF7830B1000-memory.dmp

memory/2060-144-0x00007FF727540000-0x00007FF727891000-memory.dmp

memory/3476-146-0x00007FF70E7A0000-0x00007FF70EAF1000-memory.dmp

memory/3608-142-0x00007FF74AF00000-0x00007FF74B251000-memory.dmp

memory/1516-140-0x00007FF61D910000-0x00007FF61DC61000-memory.dmp

memory/552-147-0x00007FF6D9880000-0x00007FF6D9BD1000-memory.dmp

memory/2728-139-0x00007FF6FAA40000-0x00007FF6FAD91000-memory.dmp

memory/652-141-0x00007FF7DB030000-0x00007FF7DB381000-memory.dmp

memory/4696-137-0x00007FF787050000-0x00007FF7873A1000-memory.dmp

memory/720-138-0x00007FF692260000-0x00007FF6925B1000-memory.dmp

memory/100-135-0x00007FF709790000-0x00007FF709AE1000-memory.dmp

memory/3404-129-0x00007FF76B650000-0x00007FF76B9A1000-memory.dmp

memory/3872-131-0x00007FF6FA8D0000-0x00007FF6FAC21000-memory.dmp

memory/468-130-0x00007FF63E380000-0x00007FF63E6D1000-memory.dmp

memory/3404-151-0x00007FF76B650000-0x00007FF76B9A1000-memory.dmp

memory/468-196-0x00007FF63E380000-0x00007FF63E6D1000-memory.dmp

memory/3872-198-0x00007FF6FA8D0000-0x00007FF6FAC21000-memory.dmp

memory/436-213-0x00007FF77E0B0000-0x00007FF77E401000-memory.dmp

memory/3484-215-0x00007FF785840000-0x00007FF785B91000-memory.dmp

memory/1964-217-0x00007FF7454C0000-0x00007FF745811000-memory.dmp

memory/100-219-0x00007FF709790000-0x00007FF709AE1000-memory.dmp

memory/1744-221-0x00007FF782D60000-0x00007FF7830B1000-memory.dmp

memory/4696-223-0x00007FF787050000-0x00007FF7873A1000-memory.dmp

memory/720-225-0x00007FF692260000-0x00007FF6925B1000-memory.dmp

memory/3608-228-0x00007FF74AF00000-0x00007FF74B251000-memory.dmp

memory/2728-231-0x00007FF6FAA40000-0x00007FF6FAD91000-memory.dmp

memory/1516-229-0x00007FF61D910000-0x00007FF61DC61000-memory.dmp

memory/2708-234-0x00007FF62BCD0000-0x00007FF62C021000-memory.dmp

memory/652-235-0x00007FF7DB030000-0x00007FF7DB381000-memory.dmp

memory/3716-237-0x00007FF7E3470000-0x00007FF7E37C1000-memory.dmp

memory/2060-240-0x00007FF727540000-0x00007FF727891000-memory.dmp

memory/552-241-0x00007FF6D9880000-0x00007FF6D9BD1000-memory.dmp

memory/3476-243-0x00007FF70E7A0000-0x00007FF70EAF1000-memory.dmp

memory/2104-248-0x00007FF689990000-0x00007FF689CE1000-memory.dmp

memory/2064-249-0x00007FF700190000-0x00007FF7004E1000-memory.dmp

memory/388-246-0x00007FF7ABC80000-0x00007FF7ABFD1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 12:02

Reported

2024-08-13 12:05

Platform

win7-20240704-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ILqAgJS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sgwAYiM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rGQOsCx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YuzaDIo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VtIwufQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lzKXKNC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\djdKJYH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SuLgBuE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TyldNye.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EfPJwBy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BqgSehE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wKftVLp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UWpfJHg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mSsOWyN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yYtUiKW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LhGXCAO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sODbcEy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JlzRJbf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gESmabV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uESQSRM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MJbwsGS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2568 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ILqAgJS.exe
PID 2568 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wKftVLp.exe
PID 2568 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lzKXKNC.exe
PID 2568 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UWpfJHg.exe
PID 2568 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mSsOWyN.exe
PID 2568 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yYtUiKW.exe
PID 2568 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\djdKJYH.exe
PID 2568 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SuLgBuE.exe
PID 2568 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gESmabV.exe
PID 2568 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LhGXCAO.exe
PID 2568 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sgwAYiM.exe
PID 2568 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rGQOsCx.exe
PID 2568 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sODbcEy.exe
PID 2568 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YuzaDIo.exe
PID 2568 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TyldNye.exe
PID 2568 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uESQSRM.exe
PID 2568 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VtIwufQ.exe
PID 2568 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EfPJwBy.exe
PID 2568 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MJbwsGS.exe
PID 2568 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JlzRJbf.exe
PID 2568 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BqgSehE.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\ILqAgJS.exe

C:\Windows\System\ILqAgJS.exe

C:\Windows\System\wKftVLp.exe

C:\Windows\System\wKftVLp.exe

C:\Windows\System\lzKXKNC.exe

C:\Windows\System\lzKXKNC.exe

C:\Windows\System\UWpfJHg.exe

C:\Windows\System\UWpfJHg.exe

C:\Windows\System\mSsOWyN.exe

C:\Windows\System\mSsOWyN.exe

C:\Windows\System\yYtUiKW.exe

C:\Windows\System\yYtUiKW.exe

C:\Windows\System\djdKJYH.exe

C:\Windows\System\djdKJYH.exe

C:\Windows\System\SuLgBuE.exe

C:\Windows\System\SuLgBuE.exe

C:\Windows\System\gESmabV.exe

C:\Windows\System\gESmabV.exe

C:\Windows\System\LhGXCAO.exe

C:\Windows\System\LhGXCAO.exe

C:\Windows\System\sgwAYiM.exe

C:\Windows\System\sgwAYiM.exe

C:\Windows\System\rGQOsCx.exe

C:\Windows\System\rGQOsCx.exe

C:\Windows\System\sODbcEy.exe

C:\Windows\System\sODbcEy.exe

C:\Windows\System\YuzaDIo.exe

C:\Windows\System\YuzaDIo.exe

C:\Windows\System\TyldNye.exe

C:\Windows\System\TyldNye.exe

C:\Windows\System\uESQSRM.exe

C:\Windows\System\uESQSRM.exe

C:\Windows\System\VtIwufQ.exe

C:\Windows\System\VtIwufQ.exe

C:\Windows\System\EfPJwBy.exe

C:\Windows\System\EfPJwBy.exe

C:\Windows\System\MJbwsGS.exe

C:\Windows\System\MJbwsGS.exe

C:\Windows\System\JlzRJbf.exe

C:\Windows\System\JlzRJbf.exe

C:\Windows\System\BqgSehE.exe

C:\Windows\System\BqgSehE.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files
