Malware Analysis Report

2025-03-15 08:06

Sample ID 240814-zkcktsybnn
Target 2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat
SHA256 da10aee97e1087049ebed91c5f8c5d0b1a502cc70d4e9547429f37eeab8fbb88
Tags cobaltstrike xmrig 0 backdoor miner trojan upx
Score 10/10

Analysis Overview

Score
10/10

SHA256

da10aee97e1087049ebed91c5f8c5d0b1a502cc70d4e9547429f37eeab8fbb88

Threat Level: Known bad

The file 2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobaltstrike family

XMRig Miner payload

Cobalt Strike reflective loader

xmrig

Cobaltstrike

Xmrig family

XMRig Miner payload

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-14 20:46

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 20:46

Reported

2024-08-14 20:48

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ULACJPe.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yEXgJaT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tyJZRBA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rEdanZP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zcaNUmo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FlXCBja.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ghHtnnr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NzHDryE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bheZHVk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VTRSegD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xedoIZx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DhpVMBy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\AklfKwU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UQJDshL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zOkyVEW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RtUwaJU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HMZdwiW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\smgerfY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oqSTCgy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kSlrTHi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yVSFOtj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2964 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zcaNUmo.exe
PID 2964 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zcaNUmo.exe
PID 2964 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yVSFOtj.exe
PID 2964 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yVSFOtj.exe
PID 2964 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UQJDshL.exe
PID 2964 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UQJDshL.exe
PID 2964 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zOkyVEW.exe
PID 2964 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zOkyVEW.exe
PID 2964 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ULACJPe.exe
PID 2964 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ULACJPe.exe
PID 2964 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yEXgJaT.exe
PID 2964 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yEXgJaT.exe
PID 2964 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NzHDryE.exe
PID 2964 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NzHDryE.exe
PID 2964 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AklfKwU.exe
PID 2964 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\AklfKwU.exe
PID 2964 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bheZHVk.exe
PID 2964 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bheZHVk.exe
PID 2964 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RtUwaJU.exe
PID 2964 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RtUwaJU.exe
PID 2964 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VTRSegD.exe
PID 2964 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VTRSegD.exe
PID 2964 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tyJZRBA.exe
PID 2964 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tyJZRBA.exe
PID 2964 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HMZdwiW.exe
PID 2964 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HMZdwiW.exe
PID 2964 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FlXCBja.exe
PID 2964 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FlXCBja.exe
PID 2964 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xedoIZx.exe
PID 2964 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xedoIZx.exe
PID 2964 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DhpVMBy.exe
PID 2964 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DhpVMBy.exe
PID 2964 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\smgerfY.exe
PID 2964 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\smgerfY.exe
PID 2964 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oqSTCgy.exe
PID 2964 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oqSTCgy.exe
PID 2964 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rEdanZP.exe
PID 2964 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rEdanZP.exe
PID 2964 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kSlrTHi.exe
PID 2964 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kSlrTHi.exe
PID 2964 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ghHtnnr.exe
PID 2964 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ghHtnnr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\zcaNUmo.exe

C:\Windows\System\zcaNUmo.exe

C:\Windows\System\yVSFOtj.exe

C:\Windows\System\yVSFOtj.exe

C:\Windows\System\UQJDshL.exe

C:\Windows\System\UQJDshL.exe

C:\Windows\System\zOkyVEW.exe

C:\Windows\System\zOkyVEW.exe

C:\Windows\System\ULACJPe.exe

C:\Windows\System\ULACJPe.exe

C:\Windows\System\yEXgJaT.exe

C:\Windows\System\yEXgJaT.exe

C:\Windows\System\NzHDryE.exe

C:\Windows\System\NzHDryE.exe

C:\Windows\System\AklfKwU.exe

C:\Windows\System\AklfKwU.exe

C:\Windows\System\bheZHVk.exe

C:\Windows\System\bheZHVk.exe

C:\Windows\System\RtUwaJU.exe

C:\Windows\System\RtUwaJU.exe

C:\Windows\System\VTRSegD.exe

C:\Windows\System\VTRSegD.exe

C:\Windows\System\tyJZRBA.exe

C:\Windows\System\tyJZRBA.exe

C:\Windows\System\HMZdwiW.exe

C:\Windows\System\HMZdwiW.exe

C:\Windows\System\FlXCBja.exe

C:\Windows\System\FlXCBja.exe

C:\Windows\System\xedoIZx.exe

C:\Windows\System\xedoIZx.exe

C:\Windows\System\DhpVMBy.exe

C:\Windows\System\DhpVMBy.exe

C:\Windows\System\smgerfY.exe

C:\Windows\System\smgerfY.exe

C:\Windows\System\oqSTCgy.exe

C:\Windows\System\oqSTCgy.exe

C:\Windows\System\rEdanZP.exe

C:\Windows\System\rEdanZP.exe

C:\Windows\System\kSlrTHi.exe

C:\Windows\System\kSlrTHi.exe

C:\Windows\System\ghHtnnr.exe

C:\Windows\System\ghHtnnr.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 24.58.20.217.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
US 8.8.8.8:53 N/A udp

Files

memory/2964-0-0x00007FF6C88B0000-0x00007FF6C8C01000-memory.dmp

memory/2964-1-0x000002623A6C0000-0x000002623A6D0000-memory.dmp

C:\Windows\System\zcaNUmo.exe

MD5 9972e53bac3bb8ee1eadf7a3c3cb7b13
SHA1 94286ed279f0e2f0f05ff23632199b6b59f96b8b
SHA256 cb1b657996b7b4533d8730b6efeb8b5808fa74927ed357030f45ddd3ede65dc9
SHA512 3d964519e2bc84f6dc573af77632827f8dc372a17fd2280247ece647f45408f8a6b3ca415dcdf7e6992ade86f7f3bceb6598ababf02ae65a2eb2c8f5f37bc8a6

memory/4468-8-0x00007FF613ED0000-0x00007FF614221000-memory.dmp

C:\Windows\System\UQJDshL.exe

MD5 1242999156885f2426f5caf169388e4b
SHA1 00e879306ef4b0c36699bb83c4f890f62024e6e2
SHA256 2dd1c7867c2d0de7bfdc5dc8b13ac45c18ee013faa46a45c03bda1990312a9cc
SHA512 c0b1a379fa3160c54205236412875090d0964051f33bc130cbe91410324022215eeeb760e07d8818ef30e572f04bfce39950c8e3c4be644a3f872b47da37cb10

C:\Windows\System\yVSFOtj.exe

MD5 5eb0bb2501346fe9f8208d31ff740385
SHA1 325f6f31594a2feb76e86fd89e4ce25d82638ef3
SHA256 c09b84268c0af3c20a6505f6e4881033291b4ac4b0318e0b3e45fcd0aef1e243
SHA512 c99b8f1a4e35b86fe5aca9bcffd79fce3c437535b2d1e8b1b5d97686fd34697ef7129f1bacd01777a81c34ce5765d0f37d1954052b9e1e90abb863a3158f7708

memory/3564-22-0x00007FF62B0F0000-0x00007FF62B441000-memory.dmp

memory/3756-27-0x00007FF790080000-0x00007FF7903D1000-memory.dmp

memory/4544-34-0x00007FF776E80000-0x00007FF7771D1000-memory.dmp

C:\Windows\System\ULACJPe.exe

MD5 6f773f5117343a769d0f7b7aca1d4494
SHA1 32b3e824ea0efecaa1558f7de1aa3a416d374d07
SHA256 2b266e58155974d07d7fb1d9d23c8f64f90a56e4474bd18a297f432ffdc2deac
SHA512 fac4c665c65ee25458a3046c140904ca2d6a0ce9f0708de4e705056a9c6255e0c517966d78ea87856c54b92985fc04754adf875ff557e5083c23c6c1f2bfc058

C:\Windows\System\AklfKwU.exe

MD5 200e0832ec068392a31b632d06802a03
SHA1 065a365cdc301a24f8863eddd2eef5056bbb2281
SHA256 63e0ee9c5daac4b62be008f42b4084644173422bb6f3d1eba3401b0f190a96e8
SHA512 36a3ef8b2eae3174df6043fc4988fb576297636e39ff1db90807082b540be96691323cfa521ba0e007f8a117a7732474e167eddc09c7635fb79b26fd4ffb0931

C:\Windows\System\bheZHVk.exe

MD5 9524953868a07fd240bb113ea8aafdde
SHA1 1bd9b490e72bf60e7f7f7e90dcf0b986575de154
SHA256 576fca5919d39536ec2acac2cb0fcb650846a947c7e70cb75b4831a37654bd4d
SHA512 76427446de5bfb74602c2f1dde8c35f68f0bd9cc21e40a29b332bdaad4d963c084293d7adabaf0746d7deac2107d481f324bb669a5ab2baad88345e5671827df

C:\Windows\System\NzHDryE.exe

MD5 82b80af5a54a4100da04e66c248e09a4
SHA1 c6982893c313f089aa1134c6af76fdf88d12798f
SHA256 2d08da7decfa248a98837b9e892f05444773ccb228a51eb9bb8864dc004caa6f
SHA512 a94ed8d55b1f2a728141ae58c3176750e2f261f621049ce6d84a31790d04d9896357c983a8ddac686c5ebf61dc2ed25dbb1bdad428e4d329bcd14f03e7c3036f

C:\Windows\System\RtUwaJU.exe

MD5 5537867b41ae7b610a7b18f83d00600f
SHA1 99cc276e3a31e422ffdb09bbed4e4333e3ad47c7
SHA256 28216a1f39b56d9e2b795de195bccb917d70627b312a69f507cfb76d3a22a3b9
SHA512 88448f42f86682c3ba26481711570a446f030291e76be3b7a8729a6d26437257500a4124c6d8e428f8baa88fa1f570447bec469c7d468b5910fff77ebcee226b

C:\Windows\System\HMZdwiW.exe

MD5 0e105482c36d3c2b6842891d284894a4
SHA1 fb9b013574c61db37188789fdfe0bbbd24e7220d
SHA256 6e7c7f7351d4d2b56bc744c255a5b2220b2df610fbbd9e87cb29c2c8c2326639
SHA512 a172f6e729ae93e5957271fdcee73f25f3e6a271b925fdf9cdaed0b68902039cf1af08a1c0e9fce17884488e4b8811c08e912309de42c878d610157f11344c95

C:\Windows\System\FlXCBja.exe

MD5 24181455093c756b8d023ea52b7a1d6a
SHA1 503a5f5bd2b837f9c97454bb91df55169b21d614
SHA256 10aa027ff46eed13c8c71a740f3cf06e4c6029251bea6639903630387f708ae9
SHA512 de15d625b62830a83218e6a794ed332dcf825d32fa13854fe0045e18987c88f7347a2e97f132ba07b130424746bba8528ccc14adbd11718d9dfaa051b223b49c

memory/2304-84-0x00007FF690660000-0x00007FF6909B1000-memory.dmp

memory/5016-83-0x00007FF639390000-0x00007FF6396E1000-memory.dmp

memory/2436-74-0x00007FF73D580000-0x00007FF73D8D1000-memory.dmp

C:\Windows\System\tyJZRBA.exe

MD5 1659f6614cc67b09709c66ec908c7e5d
SHA1 b296c243754a5a52494d5dde53a577f915bee590
SHA256 8fd3fce23c0a419ab277d26c617fd7f36344efa8a72a8f884920bbe15c672aaf
SHA512 26bb1bd3634e61e9239e7704ca69a48ed81640005fe15ca05b73d99467af513499e1b180943a6365b62b7f66ff5f0d2c2ed4f0598599122fb62730df3e1f246b

memory/3436-71-0x00007FF6088D0000-0x00007FF608C21000-memory.dmp

memory/1064-68-0x00007FF77CBF0000-0x00007FF77CF41000-memory.dmp

memory/1396-64-0x00007FF7FB340000-0x00007FF7FB691000-memory.dmp

C:\Windows\System\VTRSegD.exe

MD5 eafbb76f4ac34bad81215f8b9dfb0b7e
SHA1 9f905e5f69f8eb49a8269450588822af4141d940
SHA256 8ee7e7b70adee0f3adcedeca2f4a7dae8fd5bce4404d13f74cf400ee855feff3
SHA512 c00c06a83b8ee7f9c7ff396f4472fb540f430368fd80b432692decd27cd26bee6773dec3aacf9bbf76e9da1e8319439e46f56c6c9d32a32dd41f02a6858f770c

memory/4512-56-0x00007FF711680000-0x00007FF7119D1000-memory.dmp

memory/3580-49-0x00007FF768AD0000-0x00007FF768E21000-memory.dmp

C:\Windows\System\yEXgJaT.exe

MD5 0eda4edb9389e5c765f262d561bc3452
SHA1 c56549bd2ddd05329b2d41ddf2a0a8465d37db86
SHA256 388a2890a67c5e7878e6020b2fc7f1b7415764580f1e996a6e175fbae6107d55
SHA512 1436fae69e9f8752842cd221505f8505856a689d83c3443ab558619aef4b46453d596f19a05f2904ee3c0719c76c76da8d19daaabb098777510ed85bd5592d5d

memory/2224-39-0x00007FF6F54B0000-0x00007FF6F5801000-memory.dmp

C:\Windows\System\zOkyVEW.exe

MD5 06f6d155f15b555ee8ccaaf2da5ece02
SHA1 aeb55b8d19e83c02702bc797c13d39d70c319913
SHA256 29425bc28097c85566d5af0ad843a1a3792d389f0e5082733677d37e171ef12c
SHA512 4198bd71d83d51aae5b36fb35ec49020b72bb362b79001a542711253aada0ba31af596bbd509ef8a2ad373dc55e53bffb04ca42b8a6103b445f343a9883d9d9c

memory/4748-15-0x00007FF778DE0000-0x00007FF779131000-memory.dmp

C:\Windows\System\xedoIZx.exe

MD5 71e130f97e66cc566618695c16b8c34f
SHA1 66d2f016f96b3499affa38bac8b1f9fc2acfa0df
SHA256 a2b8f9581f279be75949927d074af92d16394e820771539102c00d9119165cda
SHA512 d8c13e9db9d6b8263d584c5f5b08f9ceec40bfcfcd709761b74dfbd534ac5886ce05840cacc9e1ec34e365514546f0c02ff6b55a4bc166211db7be50ca6f41c7

C:\Windows\System\DhpVMBy.exe

MD5 4a8c482d44c520ab04d4deefcf3ea4c0
SHA1 45c88d23e4ddae9e10e8693b69281a020c2c1d87
SHA256 9113bd144ee533d9a39e8decab02192462cc854e9b8eb208632a900fe92f4db0
SHA512 f37ee8e85b00f0c94622e5b48cfa3c948edce9bd752d106193795c5d64347d75f46d06fc4b6ba130d87af8de238d401047a37a197738d9574bd7b752a2f9e549

C:\Windows\System\smgerfY.exe

MD5 3d4f6455d2e2ce607503b00915b314bf
SHA1 1d15a00a813cc88243b7129d542f470d78e4eafd
SHA256 ed868e0e9f57a9c6f30f13410f3e38aa82c83ec67543180a69fb0e4bedca9efa
SHA512 479e748b7053ec8d0240c519169b12db620e0ca5511ba17fdf400194a6ab238ad3f8f7e32577da52fcd6965047367ba4eab425f6aeac27c9db8f45f9bfe16b96

C:\Windows\System\kSlrTHi.exe

MD5 b715ba3b61e370397511c94dc3e87712
SHA1 36feacdd30d4d55ff2bc83a3d2f344eaa66e0da8
SHA256 caf369f4ec8af2a34c2954042df443ae5e51c4e5e83352b985f76e3063c938b3
SHA512 a54313cb113f3eb584d892d7e20c077ae3c1e8adec8e0bc4e96f3505f88d17ee00541b24833a54f56b4658102bb82e74421145a01b814210e6bba8473fcccacf

memory/3184-121-0x00007FF774430000-0x00007FF774781000-memory.dmp

C:\Windows\System\rEdanZP.exe

MD5 df4464fadd52e48ceae6ccd41aa86c27
SHA1 0f8528f07f6c8e9b556c1f963b812724a3c71299
SHA256 3e4d1557742873d0e83976dbe50421760ad8e877d1ef3bcdf0df17d8b3def7f8
SHA512 93d72bec7923f527d02e51e1291f6d71b1935fe91b0c06c5c8ce402bd885426da6b4f02200862f3678bcbba25378a4defa68dd438a0d56996af0d424f3bbd39b

C:\Windows\System\ghHtnnr.exe

MD5 a3c3d134bc66977293954d549643bd13
SHA1 915b05bff8f9898be3d16e811e18f383196fc5a4
SHA256 8273cfec9d620dfd5eb699b095fc3d1757990cc93aa06613787dcfecb45e9a0b
SHA512 0343b75273ee0143c0bc2adeb62ca9747dba84390c61fced08026e075f62e44a76ef1a795b80e0a9794fddd1178f72052fbd16219fbbc0b0ae6eab03b195150d

C:\Windows\System\oqSTCgy.exe

MD5 21585babfbb242a73bc967b57337e15d
SHA1 531ad24c131222a476bd50b02cbad5a09845dd98
SHA256 d9bc8a1880108ce764d87741f2a95e1c8b4ac0660ef73eed28e7cffb2a25c1c2
SHA512 311402822a726af3c209f854bc3653d908854bfbedf74776024c83b9fb2e288ddda3eac981e4fe30c21da2b818a7e1193abc9e5a6ea62ae32279a0bd45cb4787

memory/3248-131-0x00007FF6C0260000-0x00007FF6C05B1000-memory.dmp

memory/4544-130-0x00007FF776E80000-0x00007FF7771D1000-memory.dmp

memory/2888-129-0x00007FF760AB0000-0x00007FF760E01000-memory.dmp

memory/3892-116-0x00007FF7AF3B0000-0x00007FF7AF701000-memory.dmp

memory/1500-111-0x00007FF6A8C20000-0x00007FF6A8F71000-memory.dmp

memory/4748-110-0x00007FF778DE0000-0x00007FF779131000-memory.dmp

memory/972-105-0x00007FF78C300000-0x00007FF78C651000-memory.dmp

memory/3316-104-0x00007FF6175A0000-0x00007FF6178F1000-memory.dmp

memory/4468-95-0x00007FF613ED0000-0x00007FF614221000-memory.dmp

memory/2964-94-0x00007FF6C88B0000-0x00007FF6C8C01000-memory.dmp

memory/2964-132-0x00007FF6C88B0000-0x00007FF6C8C01000-memory.dmp

memory/3580-139-0x00007FF768AD0000-0x00007FF768E21000-memory.dmp

memory/2436-144-0x00007FF73D580000-0x00007FF73D8D1000-memory.dmp

memory/2304-146-0x00007FF690660000-0x00007FF6909B1000-memory.dmp

memory/3436-142-0x00007FF6088D0000-0x00007FF608C21000-memory.dmp

memory/2224-138-0x00007FF6F54B0000-0x00007FF6F5801000-memory.dmp

memory/3756-136-0x00007FF790080000-0x00007FF7903D1000-memory.dmp

memory/3184-150-0x00007FF774430000-0x00007FF774781000-memory.dmp

memory/3892-151-0x00007FF7AF3B0000-0x00007FF7AF701000-memory.dmp

memory/1500-149-0x00007FF6A8C20000-0x00007FF6A8F71000-memory.dmp

memory/2964-154-0x00007FF6C88B0000-0x00007FF6C8C01000-memory.dmp

memory/4468-199-0x00007FF613ED0000-0x00007FF614221000-memory.dmp

memory/3564-201-0x00007FF62B0F0000-0x00007FF62B441000-memory.dmp

memory/4748-203-0x00007FF778DE0000-0x00007FF779131000-memory.dmp

memory/3756-205-0x00007FF790080000-0x00007FF7903D1000-memory.dmp

memory/4544-207-0x00007FF776E80000-0x00007FF7771D1000-memory.dmp

memory/2224-209-0x00007FF6F54B0000-0x00007FF6F5801000-memory.dmp

memory/4512-211-0x00007FF711680000-0x00007FF7119D1000-memory.dmp

memory/3580-213-0x00007FF768AD0000-0x00007FF768E21000-memory.dmp

memory/1396-217-0x00007FF7FB340000-0x00007FF7FB691000-memory.dmp

memory/1064-216-0x00007FF77CBF0000-0x00007FF77CF41000-memory.dmp

memory/2436-220-0x00007FF73D580000-0x00007FF73D8D1000-memory.dmp

memory/3436-221-0x00007FF6088D0000-0x00007FF608C21000-memory.dmp

memory/5016-225-0x00007FF639390000-0x00007FF6396E1000-memory.dmp

memory/2304-224-0x00007FF690660000-0x00007FF6909B1000-memory.dmp

memory/972-235-0x00007FF78C300000-0x00007FF78C651000-memory.dmp

memory/3316-237-0x00007FF6175A0000-0x00007FF6178F1000-memory.dmp

memory/1500-239-0x00007FF6A8C20000-0x00007FF6A8F71000-memory.dmp

memory/3184-241-0x00007FF774430000-0x00007FF774781000-memory.dmp

memory/2888-243-0x00007FF760AB0000-0x00007FF760E01000-memory.dmp

memory/3892-245-0x00007FF7AF3B0000-0x00007FF7AF701000-memory.dmp

memory/3248-247-0x00007FF6C0260000-0x00007FF6C05B1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 20:46

Reported

2024-08-14 20:48

Platform

win7-20240705-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\FIkOTkZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rQXbGTp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MTovdVQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UdQyAZR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JONEShn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\etapbWK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DkzrRNB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uIuphof.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BgedxCb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uIcMNcG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bGcyJsv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PvyxDhm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IGjqcNb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YXEmuTi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FDFPjVc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jepWrzg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bCoEPsi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SpJQJMq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KDLsMpA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jKNFvIi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QmdmnOS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2496 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jKNFvIi.exe
PID 2496 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PvyxDhm.exe
PID 2496 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JONEShn.exe
PID 2496 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IGjqcNb.exe
PID 2496 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rQXbGTp.exe
PID 2496 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\etapbWK.exe
PID 2496 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QmdmnOS.exe
PID 2496 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DkzrRNB.exe
PID 2496 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YXEmuTi.exe
PID 2496 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uIuphof.exe
PID 2496 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FDFPjVc.exe
PID 2496 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BgedxCb.exe
PID 2496 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jepWrzg.exe
PID 2496 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bCoEPsi.exe
PID 2496 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SpJQJMq.exe
PID 2496 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KDLsMpA.exe
PID 2496 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MTovdVQ.exe
PID 2496 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uIcMNcG.exe
PID 2496 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FIkOTkZ.exe
PID 2496 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UdQyAZR.exe
PID 2496 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bGcyJsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\jKNFvIi.exe

C:\Windows\System\jKNFvIi.exe

C:\Windows\System\PvyxDhm.exe

C:\Windows\System\PvyxDhm.exe

C:\Windows\System\JONEShn.exe

C:\Windows\System\JONEShn.exe

C:\Windows\System\IGjqcNb.exe

C:\Windows\System\IGjqcNb.exe

C:\Windows\System\rQXbGTp.exe

C:\Windows\System\rQXbGTp.exe

C:\Windows\System\etapbWK.exe

C:\Windows\System\etapbWK.exe

C:\Windows\System\QmdmnOS.exe

C:\Windows\System\QmdmnOS.exe

C:\Windows\System\DkzrRNB.exe

C:\Windows\System\DkzrRNB.exe

C:\Windows\System\YXEmuTi.exe

C:\Windows\System\YXEmuTi.exe

C:\Windows\System\uIuphof.exe

C:\Windows\System\uIuphof.exe

C:\Windows\System\FDFPjVc.exe

C:\Windows\System\FDFPjVc.exe

C:\Windows\System\BgedxCb.exe

C:\Windows\System\BgedxCb.exe

C:\Windows\System\jepWrzg.exe

C:\Windows\System\jepWrzg.exe

C:\Windows\System\bCoEPsi.exe

C:\Windows\System\bCoEPsi.exe

C:\Windows\System\SpJQJMq.exe

C:\Windows\System\SpJQJMq.exe

C:\Windows\System\KDLsMpA.exe

C:\Windows\System\KDLsMpA.exe

C:\Windows\System\MTovdVQ.exe

C:\Windows\System\MTovdVQ.exe

C:\Windows\System\uIcMNcG.exe

C:\Windows\System\uIcMNcG.exe

C:\Windows\System\FIkOTkZ.exe

C:\Windows\System\FIkOTkZ.exe

C:\Windows\System\UdQyAZR.exe

C:\Windows\System\UdQyAZR.exe

C:\Windows\System\bGcyJsv.exe

C:\Windows\System\bGcyJsv.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/2496-0-0x000000013FAC0000-0x000000013FE11000-memory.dmp

memory/2496-1-0x00000000002F0000-0x0000000000300000-memory.dmp

memory/2496-7-0x000000013F610000-0x000000013F961000-memory.dmp

\Windows\system\JONEShn.exe

MD5 ffd55bff6322360252fbaa81ecb4c976
SHA1 995220c46be2be79d45dc7534463461039a1254b
SHA256 e783d4568a1e4427091af7a185c21bff288ddf9c189200c14a2808f8bf40f60e
SHA512 ce8164a1d3eb99a21a9da6be66fdfe06cbdd41c00de154a68d54150a7adeb5bcc8dba2d346d1654857836e6888cf0ac3fc038aee813d2a8f9cfc87e65548432e

\Windows\system\PvyxDhm.exe

MD5 ced9a572636024b027183a6dc84a6d06
SHA1 0e0393e656238a8e99706e69d5de993bd7dd7794
SHA256 0c86617267cf83541dfe2d1874bc4e3721c42a04499d1de52cffc3d4653261ea
SHA512 dbfa30e37830dc0048f0da46bcc25b0b24728c9603aa69379aa3d55f0fac1fada547f4a9f9c30e651ae1479242706a14fdb5706cf724e16e59a08e37af82032f

C:\Windows\system\jKNFvIi.exe

MD5 14324899999c6dd51d47d88eaaccbdd1
SHA1 7eae0f3888a84a2dfcab7f4f2e1d5f77a7997cb2
SHA256 ca47758f2022919f3bd5c55462d0fa635ca95ee553a6ad0e7e0c280ea7b6d33f
SHA512 717fa894d871b572cc30fa4c05a1320b1bfe1bf4ae4f7f8148f2bc6368f371349ee9a622ad664712e0d0e200dcc71ecb33f9724b942b882908c409a5682d3042

memory/2372-16-0x000000013F610000-0x000000013F961000-memory.dmp

memory/2972-22-0x000000013F830000-0x000000013FB81000-memory.dmp

memory/2492-20-0x000000013F880000-0x000000013FBD1000-memory.dmp

memory/2496-18-0x0000000002310000-0x0000000002661000-memory.dmp

\Windows\system\IGjqcNb.exe

MD5 5585d25b35d2b32950e7e2baeddea066
SHA1 a399f99ed2578dfdc3b5e685ef22bbd7609d793e
SHA256 d1ef87912436b1b7987dc8acf96551bf194e85879d1c8a2c2207af5f4231a80c
SHA512 1fa9d70c25a7a1b6ac39b7fd680ca3751d5572ac7a64599cfca5634b8755163c5a5efc5ee1341d9843aa3ffd14cf66809af212ab792af92d3df152a232df7c00

memory/2496-28-0x000000013F5F0000-0x000000013F941000-memory.dmp

memory/2320-38-0x000000013FAB0000-0x000000013FE01000-memory.dmp

memory/2100-41-0x000000013F5E0000-0x000000013F931000-memory.dmp

memory/2496-39-0x000000013F5E0000-0x000000013F931000-memory.dmp

C:\Windows\system\rQXbGTp.exe

MD5 fc0047c02cabec383c3747b0570d1fb4
SHA1 6e9a360c11a72b78e9217396dc5c6adcc3a3cefa
SHA256 98ff0f0e9d1ea0da0f6b32551e31645a9d72943072af21535c0def8fe223f45e
SHA512 f6c3d4449ad89e2c2f06d0c087c5fa9d6c946e06c6eda52145730d4069d1426f3ec0df0ef073cd4773926dd6d98f448917c6d9641df642ea21187b2558b1153a

memory/2476-31-0x000000013F5F0000-0x000000013F941000-memory.dmp

C:\Windows\system\etapbWK.exe

MD5 821e89734f57dfb3a2b95b1ef2fc556c
SHA1 95726620fa50b4050e93e7f8c238d6eb4b401318
SHA256 84b83cc918863e2acf4c939a03d8e4c206cb8aa7c1cbbc4ca9bb1f79bafd73c4
SHA512 609240f86699a9c9011943afbbded5eed09719b2491d93db5add9ca769544239c0268ec25cede515cd5b2ff114747385201df4fb425ec90717b305a43d499286

memory/2496-53-0x000000013F2F0000-0x000000013F641000-memory.dmp

memory/2780-54-0x000000013F2F0000-0x000000013F641000-memory.dmp

\Windows\system\YXEmuTi.exe

MD5 2da972a47e3bd6ae0e13837726f16aef
SHA1 d59a120212fd5539a2b3568355d81df879fb3bfa
SHA256 4de48c0ff934811da1a6013453d0ab784392d85508521cba214273512edfe35b
SHA512 f4ce5529fda1addd7eb7231efd4d6cc4c970aef71326b3956df43e19f4ada9aa62587bbbb854f60ee2ec7f284c993acb02268c7a270ff1e22201b27deb399417

\Windows\system\uIuphof.exe

MD5 ce3f4647c99237035e9ab0c925decc0c
SHA1 c220dfdc8c57c5c6eb5116651c7015c354fc0a00
SHA256 b1a839a495086e252bd45c1d642ed403e0ab929dc99ea365604c58ea580f40c8
SHA512 3b926857ad5bc494ad6c193bae10e70642149b9704e34934caa91933511cb423b04f29f99bf5b7615ce21da476e911f8a66cfa5e10ce715fe3306c014080483b

memory/2496-79-0x000000013F300000-0x000000013F651000-memory.dmp

memory/2496-80-0x000000013F460000-0x000000013F7B1000-memory.dmp

memory/2860-61-0x000000013FCD0000-0x0000000140021000-memory.dmp

memory/2920-85-0x000000013F300000-0x000000013F651000-memory.dmp

memory/2972-84-0x000000013F830000-0x000000013FB81000-memory.dmp

memory/2496-68-0x0000000002310000-0x0000000002661000-memory.dmp

memory/2372-67-0x000000013F610000-0x000000013F961000-memory.dmp

memory/2100-99-0x000000013F5E0000-0x000000013F931000-memory.dmp

memory/2692-93-0x000000013FEA0000-0x00000001401F1000-memory.dmp

C:\Windows\system\jepWrzg.exe

MD5 cb2aae0af7e2a062bab4d0c4e69c2058
SHA1 a6f073a8ff2d2e4a922d8cb0be9a0f3474e8659a
SHA256 795a692825521cf909a5e562f3b31862269b8948befffb02214ad27c712bf83f
SHA512 4347b94d31740577dad8f8c42ba4972f85ac8a4312f31715c3208200011d08b4bf2e04b4cbdea80478c18a96f15423f566b13c5ceeaa867fb7f0154298867ca6

memory/2496-109-0x0000000002310000-0x0000000002661000-memory.dmp

\Windows\system\bGcyJsv.exe

MD5 234a613ac13198bea866eca5a2b06e8d
SHA1 cae1eb0565db3233aa5aab28914a96efb05e8177
SHA256 97006cdac178e5d2a2609f1cf75ce624ada88aff43f56343685110296150837b
SHA512 5767cc7871c13b937b31331b710bfba0507529f4f536d6affd2bcf18826ed966828cb771327d0c9ead5436aaaacd7238de29d772363081f564d03cfcd321a6df

C:\Windows\system\FIkOTkZ.exe

MD5 479058f71acaa7dd2fff4b83048e45ae
SHA1 2203c4385e143e2e44fbb18a72f855036ef5654a
SHA256 172bae7e7c9d9a6d05acca5a98a70e7f33a3e7d05b2790e230ac956bd8fd9ad9
SHA512 fa52ed3b0907495e8b5302ee996f4cd8bfeab26ed793802231dd8fdd5c44e04ea96ee0f4b6bab5a5a789e82a406da8bb96b4846a2dc3f313dccd561538e7a034

C:\Windows\system\UdQyAZR.exe

MD5 2a10aaee0180de3acda10ec0fbf79e33
SHA1 02cb4dd21c5e03a8d7a7e06bd5d55f250fdad14f
SHA256 a85211f6fef5d60f8eb1407418eed6c88a3ad739c9a304e02438571a2c4cb372
SHA512 78c9cd794efe26681568b6c1b228e5725675823151e0a98e164d93db2219e77928d8e57b4c37ade43be66a96b49c0e091ddda40720c37c3760d2752801aa74fb

C:\Windows\system\MTovdVQ.exe

MD5 7d3acbc6171c8b2649e081f1a7e5e2f1
SHA1 f0371c355444de0f9a6225e460362a1db31f3afc
SHA256 1e297a0f62c3bc433efdf6ddbf9cc8e1175a1690f2c86e8894a3d57de51c4a08
SHA512 2cc68778d4be5549cd586f15d7a4550f4524b7ae0e90154b30890872535472f42238e6f3ec9ae4f5a196a0b0f64c9d974171e04c4030d0206717d3bd1409d842

C:\Windows\system\uIcMNcG.exe

MD5 9beda5b053ddf5b124a9a59bf23af665
SHA1 e0b7327078af0259eea928d7c3483826968906f7
SHA256 b924b1440c63ac4037fffc1e7d718a74306e0ef2bc39ccc8ae7b4844bf947824
SHA512 2012039293988cb6242cbba7d85e5d07d260060e7fd69596509e290dd99b99f919b0d56a07e1667f845877f699f8162fd639697af4f5478d34da00aa5d86c073

C:\Windows\system\KDLsMpA.exe

MD5 5e4e7fb8952bf9047be435e9138b28df
SHA1 98ece90e4b7920c03a95a35f06a3c43b0b68d7e2
SHA256 fcac4c02c96dba3c5fa06729e18e44f6b13156dd37e323b3f82bd2fcb2c41c4a
SHA512 db0cb3071145fb1a3224ce3a9a3bf0750bc2c0a7c17788b155405896cda6b0d686ad2197c40ffe9cbf8e2dfe7d91975f186c17b0ee10577620f6744ad682f995

memory/2712-108-0x000000013F640000-0x000000013F991000-memory.dmp

memory/2496-107-0x000000013F640000-0x000000013F991000-memory.dmp

C:\Windows\system\SpJQJMq.exe

MD5 1600300c2818bb3d19f284fde0f0f6d6
SHA1 9112d9c0a8028aecea82d46486b5bb2d150531c2
SHA256 fca8d8f05a467c91852f53cc136f2c177f5cb4d523f904057c187d7b1ae37e70
SHA512 240e7588ce066b8427ebdefdeef38cf0322d944489011da5a136ee3e4c76e0026e6d9435105d0e7f4c685fde651a2eb748ec7afc7b30ad641d07b47ab5d3360f

memory/2496-90-0x000000013FEA0000-0x00000001401F1000-memory.dmp

memory/2860-142-0x000000013FCD0000-0x0000000140021000-memory.dmp

memory/2780-141-0x000000013F2F0000-0x000000013F641000-memory.dmp

memory/2496-89-0x000000013F5F0000-0x000000013F941000-memory.dmp

memory/2060-101-0x000000013FD10000-0x0000000140061000-memory.dmp

memory/2496-100-0x0000000002310000-0x0000000002661000-memory.dmp

memory/2496-98-0x000000013F5E0000-0x000000013F931000-memory.dmp

memory/2320-97-0x000000013FAB0000-0x000000013FE01000-memory.dmp

C:\Windows\system\bCoEPsi.exe

MD5 6d5cf858d1c1a6d5e8b91a2ac5e7eb64
SHA1 ff483e6cb898d07e8bf3dbcbd00ae9fec86bf2ff
SHA256 c96ea40cc87a8100254c9b2119f7e35b45662a6b9fe06c6f6ec3d3a70665b516
SHA512 cf1a8d9db4bb02dc107b8557b00043da1906e5987079536af28499c1fc87e4b569f4da9de44d98dbbd5dc86f5fbb1545d2f2935169cecf44b1d397d2cfc68c8a

\Windows\system\FDFPjVc.exe

MD5 bb078b83699de5c9257cb1ce6f6d8d0f
SHA1 d1c30386adff0f906d8e25c249e02b663c9b1772
SHA256 f142ea7aebcf12d0ae2f01cd220208239089e99260d07a3b2e70360b1291c523
SHA512 fdb6924c5a4db15a0d93cdf6a751a215e40c49a798874211eadd9d1f4ada46940e4146f3387450e5fb057d36212e9ee32b42e4237edd5afaa888386cfad2249f

memory/2496-59-0x000000013FAC0000-0x000000013FE11000-memory.dmp

memory/2892-81-0x000000013F460000-0x000000013F7B1000-memory.dmp

C:\Windows\system\BgedxCb.exe

MD5 2f698a61f859ff212112f3accff69873
SHA1 eb6cfa7ceb336aeafb4260631c90af1c48a5a4c2
SHA256 d363d9d69c9dc5d94303652ae38651ef770320f51552efe44e2109035ccf13b3
SHA512 3d2c08e593541a96607ed6c41c1fdf448ecd00e65ce17cfb1f506e6851a9a1c17bc11db3da3ad71d16246880387e572be1e83ad69ea536d8c66d55d2a8bb6bfe

memory/2696-76-0x000000013FBD0000-0x000000013FF21000-memory.dmp

memory/2712-47-0x000000013F640000-0x000000013F991000-memory.dmp

memory/2496-46-0x000000013F640000-0x000000013F991000-memory.dmp

C:\Windows\system\QmdmnOS.exe

MD5 344db9baba30cb5b162db01707475e25
SHA1 6791d1737f815a83a1a1b09b38254ad6a5111a5d
SHA256 0a8ddaf0323600084926485c5685195b80e59c6d61e4261a6a54b01021f0e60e
SHA512 0ebcddd171be1b2d6c439eb92f2f081db8369d8e89b345b949c9367b42fe73c93bd8d033c70b0cdaf3a5f0ab2b88b9bc9495a521f2bdb0691c8b12f5f1e448ad

C:\Windows\system\DkzrRNB.exe

MD5 d71816412adc8b2607c7bd920c12396a
SHA1 d22ed5e478bc21354d691bc3fff8b7aea72b30c8
SHA256 59bbadc2e908d7b97bf3398e5789379ace9520ecbd641123141fc4bd6e7afe91
SHA512 79a8f389b51b7173c818cc7b9a3c0d6e28239d5f022d46275b41715052446dfc980986b24cc8b7ce619e127d867ce24d59e6b6d0be7a0088c5a5f6707cedfc7e

memory/2696-144-0x000000013FBD0000-0x000000013FF21000-memory.dmp

memory/2496-145-0x0000000002310000-0x0000000002661000-memory.dmp

memory/2496-146-0x000000013FAC0000-0x000000013FE11000-memory.dmp

memory/2496-160-0x000000013F460000-0x000000013F7B1000-memory.dmp

memory/2496-159-0x000000013F300000-0x000000013F651000-memory.dmp

memory/2892-158-0x000000013F460000-0x000000013F7B1000-memory.dmp

memory/2060-162-0x000000013FD10000-0x0000000140061000-memory.dmp

memory/2008-166-0x000000013F170000-0x000000013F4C1000-memory.dmp

memory/2876-169-0x000000013FF90000-0x00000001402E1000-memory.dmp

memory/1352-168-0x000000013F750000-0x000000013FAA1000-memory.dmp

memory/1792-167-0x000000013FD60000-0x00000001400B1000-memory.dmp

memory/1648-165-0x000000013F940000-0x000000013FC91000-memory.dmp

memory/2400-164-0x000000013F070000-0x000000013F3C1000-memory.dmp

memory/2004-163-0x000000013FA00000-0x000000013FD51000-memory.dmp

memory/2496-170-0x000000013FEA0000-0x00000001401F1000-memory.dmp

memory/2496-171-0x000000013FAC0000-0x000000013FE11000-memory.dmp

memory/2372-217-0x000000013F610000-0x000000013F961000-memory.dmp

memory/2492-219-0x000000013F880000-0x000000013FBD1000-memory.dmp

memory/2972-221-0x000000013F830000-0x000000013FB81000-memory.dmp

memory/2476-223-0x000000013F5F0000-0x000000013F941000-memory.dmp

memory/2100-225-0x000000013F5E0000-0x000000013F931000-memory.dmp

memory/2712-238-0x000000013F640000-0x000000013F991000-memory.dmp

memory/2780-240-0x000000013F2F0000-0x000000013F641000-memory.dmp

memory/2320-244-0x000000013FAB0000-0x000000013FE01000-memory.dmp

memory/2696-243-0x000000013FBD0000-0x000000013FF21000-memory.dmp

memory/2860-246-0x000000013FCD0000-0x0000000140021000-memory.dmp

memory/2920-248-0x000000013F300000-0x000000013F651000-memory.dmp

memory/2692-250-0x000000013FEA0000-0x00000001401F1000-memory.dmp

memory/2060-252-0x000000013FD10000-0x0000000140061000-memory.dmp

memory/2892-261-0x000000013F460000-0x000000013F7B1000-memory.dmp