Malware Analysis Report

2025-03-15 08:00

Sample ID 240814-znw4msydqj
Target 2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat
SHA256 72133dda07b1d5344bb6caee1e0c8c44b7eb50dc28be603deae0c41367d7c68b
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

72133dda07b1d5344bb6caee1e0c8c44b7eb50dc28be603deae0c41367d7c68b

Threat Level: Known bad

The file 2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Xmrig family

xmrig

Cobalt Strike reflective loader

Cobaltstrike family

Cobaltstrike

XMRig Miner payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-14 20:52

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (2 rows, all N/A)

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 20:52

Reported

2024-08-14 20:55

Platform

win10v2004-20240802-en

Max time kernel

140s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 rows, all N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (46 rows, all N/A)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 rows, all N/A)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\RlWwhAf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KUsDZSM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XMWdxEg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vseJgKb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CDMQFqw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\wbvRmXr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SaOUnxN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mclAoPu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\okbDsto.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tpZQRTB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Bhneiar.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SDVVOkp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dMfpiNW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vggzEfU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NAgHgem.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bLQvdey.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HelVvxt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JizhngT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Qzaylvk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PLhUzSF.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ilTRwuh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4548 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vggzEfU.exe
PID 4548 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vggzEfU.exe
PID 4548 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XMWdxEg.exe
PID 4548 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XMWdxEg.exe
PID 4548 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vseJgKb.exe
PID 4548 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vseJgKb.exe
PID 4548 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NAgHgem.exe
PID 4548 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NAgHgem.exe
PID 4548 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bLQvdey.exe
PID 4548 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bLQvdey.exe
PID 4548 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CDMQFqw.exe
PID 4548 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CDMQFqw.exe
PID 4548 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wbvRmXr.exe
PID 4548 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\wbvRmXr.exe
PID 4548 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SaOUnxN.exe
PID 4548 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SaOUnxN.exe
PID 4548 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PLhUzSF.exe
PID 4548 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PLhUzSF.exe
PID 4548 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HelVvxt.exe
PID 4548 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HelVvxt.exe
PID 4548 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JizhngT.exe
PID 4548 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JizhngT.exe
PID 4548 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mclAoPu.exe
PID 4548 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mclAoPu.exe
PID 4548 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\okbDsto.exe
PID 4548 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\okbDsto.exe
PID 4548 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Qzaylvk.exe
PID 4548 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Qzaylvk.exe
PID 4548 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tpZQRTB.exe
PID 4548 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tpZQRTB.exe
PID 4548 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RlWwhAf.exe
PID 4548 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RlWwhAf.exe
PID 4548 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ilTRwuh.exe
PID 4548 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ilTRwuh.exe
PID 4548 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Bhneiar.exe
PID 4548 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Bhneiar.exe
PID 4548 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KUsDZSM.exe
PID 4548 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KUsDZSM.exe
PID 4548 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SDVVOkp.exe
PID 4548 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SDVVOkp.exe
PID 4548 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dMfpiNW.exe
PID 4548 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dMfpiNW.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\vggzEfU.exe

C:\Windows\System\vggzEfU.exe

C:\Windows\System\XMWdxEg.exe

C:\Windows\System\XMWdxEg.exe

C:\Windows\System\vseJgKb.exe

C:\Windows\System\vseJgKb.exe

C:\Windows\System\NAgHgem.exe

C:\Windows\System\NAgHgem.exe

C:\Windows\System\bLQvdey.exe

C:\Windows\System\bLQvdey.exe

C:\Windows\System\CDMQFqw.exe

C:\Windows\System\CDMQFqw.exe

C:\Windows\System\wbvRmXr.exe

C:\Windows\System\wbvRmXr.exe

C:\Windows\System\SaOUnxN.exe

C:\Windows\System\SaOUnxN.exe

C:\Windows\System\PLhUzSF.exe

C:\Windows\System\PLhUzSF.exe

C:\Windows\System\HelVvxt.exe

C:\Windows\System\HelVvxt.exe

C:\Windows\System\JizhngT.exe

C:\Windows\System\JizhngT.exe

C:\Windows\System\mclAoPu.exe

C:\Windows\System\mclAoPu.exe

C:\Windows\System\okbDsto.exe

C:\Windows\System\okbDsto.exe

C:\Windows\System\Qzaylvk.exe

C:\Windows\System\Qzaylvk.exe

C:\Windows\System\tpZQRTB.exe

C:\Windows\System\tpZQRTB.exe

C:\Windows\System\RlWwhAf.exe

C:\Windows\System\RlWwhAf.exe

C:\Windows\System\ilTRwuh.exe

C:\Windows\System\ilTRwuh.exe

C:\Windows\System\Bhneiar.exe

C:\Windows\System\Bhneiar.exe

C:\Windows\System\KUsDZSM.exe

C:\Windows\System\KUsDZSM.exe

C:\Windows\System\SDVVOkp.exe

C:\Windows\System\SDVVOkp.exe

C:\Windows\System\dMfpiNW.exe

C:\Windows\System\dMfpiNW.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 34.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/4548-0-0x00007FF61C8B0000-0x00007FF61CC01000-memory.dmp

memory/4548-1-0x000002214D370000-0x000002214D380000-memory.dmp

C:\Windows\System\vggzEfU.exe

MD5 112f2175076c158e6e24f92935648b57
SHA1 cbcf4426163dcbe08a7370fc7d93c5a6d777cc93
SHA256 63ee820123e7601f385ee8e9989e98d3dfcd957bf9dd8807f16e2543005b47a0
SHA512 12d2af16a9725131bf22a4b91ea6607d3807df05f0fe401131d81929797849929005681ec2fbfb813c9884a5f50b6bba4e9ac8c5e85436be80c18d1b5a8f6ec0

memory/2164-8-0x00007FF751A00000-0x00007FF751D51000-memory.dmp

C:\Windows\System\XMWdxEg.exe

MD5 a4766afe38d3a6e0492102aba49f3f96
SHA1 41c80dac61b629cf7cf9707f227ce113b888f572
SHA256 b86c82d87e035a7e6fb2b59cbda743ef43ea58f956dbfdf54466fa8ee2a92e25
SHA512 c73c280297ed0901f136ee0d64319005ef9e793f31422220e00a3979e3d4c3567006c8ad7cfc51c7acc332bc058b747745527baf4fe6edbce4326981d7406072

memory/4788-18-0x00007FF7F99A0000-0x00007FF7F9CF1000-memory.dmp

C:\Windows\System\NAgHgem.exe

MD5 452b3599df9b2a58cb75497bafcce364
SHA1 a16f18f58811e674d72e3e31e45e19cf21f85d9a
SHA256 22794e2e6bb0f2de1d0d0660cbcc8b3ebe85e063828c4279c2b945654bed8751
SHA512 7f855beec0887e0c9fbae5e0e8d2daad0e938c5d872f5f31ee220a5ab43c42a1d00e1b1cd9dac46a9889eb337e338a862a39309ed985e72bee45e96c748269b3

C:\Windows\System\bLQvdey.exe

MD5 8e717d8990f440d4af09afb416dde7f7
SHA1 082fcf8926c47cb955bbed27756da5b1572b7424
SHA256 6c1f202bb45f20e505b25a76c6809baf90bcf2c950d5d9f4597b2db1ecbe1c2b
SHA512 b16162dbe5d862ea4c49994d1cfe79eb00ed049c0d49e49f8af161ef139c4e8170d7186c5e99d095834f755f17da8d3f936ace54c4020d955841a9071b4a48ec

memory/1448-28-0x00007FF6B2300000-0x00007FF6B2651000-memory.dmp

memory/1132-46-0x00007FF66B730000-0x00007FF66BA81000-memory.dmp

memory/768-56-0x00007FF774970000-0x00007FF774CC1000-memory.dmp

C:\Windows\System\PLhUzSF.exe

MD5 9f22adb652ca7e509577479551a33b27
SHA1 b848f518ed2773268f7d4dec8f723f65b83d3fd9
SHA256 ee6c824831e8fb2cdd09e9cd3aee991241726fee314e4f2af0f02c7b0b2e3628
SHA512 ec48e1321c342796e8230bb5f321d633d3afd504d52ddc3cb4d8f21f4b09e28591589ce8f54cbcbc563178bc796c97bc5a34c28a7c3d81e638f09bec979a65ca

memory/4512-69-0x00007FF793580000-0x00007FF7938D1000-memory.dmp

C:\Windows\System\tpZQRTB.exe

MD5 d7c9883133883601b074e9516a03c56b
SHA1 290ac4a7f0c4c144d4f961de695f2857685a808a
SHA256 6b76c89433e0166f91b49493f24d981a822b98d2543fd7a9fb6e25584125c6c2
SHA512 dd867962843de05a5ad1ea23c42f019065e0fe2a582fb21ca2ef47b8aadaf4bc4b3b34bb372e5dba5da4d618e5df875eac87b8480482d2abc977fb1bd93c7d4a

C:\Windows\System\Qzaylvk.exe

MD5 d17b39a11f719cfa3f5b776abf93622c
SHA1 782231a344b5bf63fa903f6b9195223263609e95
SHA256 d020f29e55f3072f20cc0856b04aa7dcbf27af0512449a5d99e062b78fdb66ca
SHA512 0d5d2bc9b1a84888816329efe63a8e9b94d146b22640c1cb2e8979c4c270c554f08baeec7d8da40676accdfc099bea6b748c494a134abbb57844bb8982e945c6

memory/1604-100-0x00007FF76AAE0000-0x00007FF76AE31000-memory.dmp

C:\Windows\System\ilTRwuh.exe

MD5 79fe620657f6a782f670af214cb88175
SHA1 46a823c9f9d71eca473b30e53ed342b851aa7aff
SHA256 ef03c98a579517e6cbd1a249ef63ece7ea493194af3a980e8be20605e053b84a
SHA512 dbd6368d6c296c5000c4f1281c7849e8349e7a8ae98cca6eaf85433e46137d85629d957fcaca17559e2a273e0e796286b02cbaf0e66492c824148063d6eb163d

C:\Windows\System\RlWwhAf.exe

MD5 940daf91e823e4b4c99887ed2c7b1044
SHA1 ace6dc2b325663664b450190986276b4b6b76f40
SHA256 113aac504f6e860ff0e07ba38b93650d7d66878ce58ac414db68cfd0483e43ad
SHA512 e9dd70a990eb07649dbf7dd154a70fd303451c1e74ade038f3053466292542f07bd2d401d2374b67e695c80bf66fef910b7e8dc9418e3f52f8cbde037974ce6a

memory/2028-101-0x00007FF69FD40000-0x00007FF6A0091000-memory.dmp

memory/4548-97-0x00007FF61C8B0000-0x00007FF61CC01000-memory.dmp

memory/3256-96-0x00007FF71A490000-0x00007FF71A7E1000-memory.dmp

memory/4764-89-0x00007FF66C530000-0x00007FF66C881000-memory.dmp

memory/4492-85-0x00007FF666040000-0x00007FF666391000-memory.dmp

C:\Windows\System\okbDsto.exe

MD5 be79bb72b307ab96a7cac44341b8a535
SHA1 805fd33fe670bfd8bbb12eaf42901e7605e445b1
SHA256 114cde461a6e09e923f7c217ad5665879d7bda871455408e01d50fbe63882c7f
SHA512 dda784c23317fb24bb558770aa8362928b04352a97933ea98242573922f5132f599d404afb09570805d6c29642d0a12972f76f3609a7f0a4194cd2bc9580f97c

C:\Windows\System\HelVvxt.exe

MD5 8bcffcf26c28e8b88abf4be8f257291b
SHA1 9d1c3c1c9de470a625fd66998d5e364f871814fc
SHA256 283dc24c08b405f7655c8b8c1247bf5c19d4ba44ed6fe213edf35f2ab613b10c
SHA512 b39c17c5f62fb9491cd87ecd1130f55454719b8da3b41eafd49001d9ad0d72e901e2de201819c343f2eb79337268c713513bd3a2ec0c13ff5bd4849d2fa6b16c

memory/3020-76-0x00007FF6DD6E0000-0x00007FF6DDA31000-memory.dmp

C:\Windows\System\mclAoPu.exe

MD5 e5b7e680c1b6f482ecfa4c52e3a099f0
SHA1 e11bd106346b5824be1df42186b5f0b64e291b4d
SHA256 e00dfd0723595ccd100586764d233c829e2253acd84e0c1a07fc4209b397565c
SHA512 f5b01f2baddff03dbdbf55d4fdaa9d8e557bb2ca98cae828a1bc9d86a86db5ebb5dddf3a25b4c21a30a4ddc25820155b5c79a1f6807a986cf0130c82f59cceb3

memory/1596-68-0x00007FF6C5210000-0x00007FF6C5561000-memory.dmp

C:\Windows\System\JizhngT.exe

MD5 a023e9574dc0b6dc558b191ec6c5a675
SHA1 73f205cd7d6c6452fa869c328f0cb1a54783770b
SHA256 91280fd3d25ab882717547e0db04b071a39a0592218827be4c529f9743d9389a
SHA512 297c1754beb15800f1d5efcb4bec8279d9189871046132ed331d46bb63bbf8296d26888d6065adf5f850d0588b8e8ec875c488900d0585521323f6131f66e43b

memory/800-63-0x00007FF609DB0000-0x00007FF60A101000-memory.dmp

memory/4408-62-0x00007FF630E80000-0x00007FF6311D1000-memory.dmp

C:\Windows\System\SaOUnxN.exe

MD5 8445f115208c14231d5ea458a88ee6d7
SHA1 357062b76c410942ad409b6f92254bdc7c7b2e17
SHA256 e58d1fc3a957552ba5be71bb0fa68de6c0a3e5360461ec911ffcc314b1203d38
SHA512 7500cd1d39f5c4a8870704ec8600953218d50062018abc81afb63e89dd0cc4a0de67960f2ae942d756763738eeb363ed6fe3fc995b937771813b8b40ef0cf160

memory/3892-45-0x00007FF7D9870000-0x00007FF7D9BC1000-memory.dmp

C:\Windows\System\wbvRmXr.exe

MD5 5494db551da7d46346d6323e6e9a28d2
SHA1 fc091e071e6df9d0489273a3c0a847b15d254904
SHA256 df1f44d9facd2eee88d6f626b3ceb9f73ab5de30dfa294cd5bebccaee0f95561
SHA512 2a92a1175b99e279af838dee92d0727e694ad4991d0755d27c65caf5b5e86dec97dfe02ff72d9ad91857b01f0ea54b2c10a6127159e16369acaccb300b411759

C:\Windows\System\CDMQFqw.exe

MD5 79f5d0f0e9d8904648acd41fd223ac49
SHA1 58ad732378798add09f6321685ce4effcc8d19e0
SHA256 b6c7164585c47be123136ff603458e835407f64414a3648eaa1caaca370fe44a
SHA512 b83eddba859308d0ca0ab129dd88b111f936451498633aa2e8941ceeb8f298965769bcbdc9b47fc4fb77a88992f208e51d734445a8b33df193416ae08d29dbc3

memory/836-32-0x00007FF646010000-0x00007FF646361000-memory.dmp

C:\Windows\System\vseJgKb.exe

MD5 f836b41e4084350dbb189a49658dde50
SHA1 c38d8c34ef5f3227049fb856730fcd00cba05dfd
SHA256 6aa945672a09f16a97669e40815e4ed2114845218eea7c87f2ec314f997f4912
SHA512 20a97ed14fa9025c1366ed847d76fe08c3b7793f928215fb262532f17814947f224c2e69b884a7c8b7e7911d3af9377a2d8420bb33ffe75a5acabc55eff29a19

C:\Windows\System\Bhneiar.exe

MD5 425b1b42e61982d1e92521cefc7e4aea
SHA1 e15015fdc4906b18b37150bbecdad9b878d28040
SHA256 099c3232a42f5fd7a32491d7b037ca90c82b1b2de1ab2b30d92db045661899f0
SHA512 7447ff7daf802f54394f95a1912dfdab36c96457ded55277c1e79aa9e882886469a7cfc6cbdd2c05f26d635c14100e588ac686962e047133b31ba926944719a0

C:\Windows\System\KUsDZSM.exe

MD5 2103b2d482b9a2102fbe342fcf2dc346
SHA1 802ba6b8711af4ce32c1dfcf93c8dd264b99e3c3
SHA256 5641d2cddc51160446b5161cd836abf2d378721fba82ffa84b9c17c74f5fc024
SHA512 7a1cbd23462d1f86e8cbf32b29d7bbaf9ebaa79971db570fc977741bdf53a137aaad48cc64b401bd533438949179cdfcfdc7245c2c0d08dfe327908019a5f1fc

memory/2164-109-0x00007FF751A00000-0x00007FF751D51000-memory.dmp

memory/3276-117-0x00007FF6B2560000-0x00007FF6B28B1000-memory.dmp

memory/3044-120-0x00007FF6B2880000-0x00007FF6B2BD1000-memory.dmp

C:\Windows\System\SDVVOkp.exe

MD5 db0d057db7440a672ff9f06f573decd4
SHA1 ff2260a3657180dd43cb2a64631ff3f709deaedc
SHA256 e64daf65538bdc557c035bf78b3755be18e5a40b3a1f76689bc01cc189e9a4a1
SHA512 cbd95e0ae9a22e34cc1886115679978dc6b692cbe600292d42599d801a0c520fdde1be60ba6e0335a7074991347dfa47fb8df96410fd8d82e052b7e3bbcf5af3

C:\Windows\System\dMfpiNW.exe

MD5 bb58815587f4526f0a888a53d90fa884
SHA1 b0976959f3f0ff49d2066b8eef471080a9aacffb
SHA256 a26d926fa22b636852c05a2043e426ec86cf48c331a7b2ec79f842cc7e3f3b8c
SHA512 1f5225c795c40d89d2c4f17a890993b8774af06d21abeeedc764fe8a5806673ee64b03995b403346c6103bd5cc4bb33b2e5f45eb5e64b279403c0e841e1bb747

memory/3892-129-0x00007FF7D9870000-0x00007FF7D9BC1000-memory.dmp

memory/836-128-0x00007FF646010000-0x00007FF646361000-memory.dmp

memory/768-130-0x00007FF774970000-0x00007FF774CC1000-memory.dmp

memory/1540-132-0x00007FF640500000-0x00007FF640851000-memory.dmp

memory/4152-131-0x00007FF6A79E0000-0x00007FF6A7D31000-memory.dmp

memory/4548-133-0x00007FF61C8B0000-0x00007FF61CC01000-memory.dmp

memory/1596-143-0x00007FF6C5210000-0x00007FF6C5561000-memory.dmp

memory/4764-147-0x00007FF66C530000-0x00007FF66C881000-memory.dmp

memory/1604-150-0x00007FF76AAE0000-0x00007FF76AE31000-memory.dmp

memory/2028-149-0x00007FF69FD40000-0x00007FF6A0091000-memory.dmp

memory/3256-148-0x00007FF71A490000-0x00007FF71A7E1000-memory.dmp

memory/4492-146-0x00007FF666040000-0x00007FF666391000-memory.dmp

memory/4512-145-0x00007FF793580000-0x00007FF7938D1000-memory.dmp

memory/800-142-0x00007FF609DB0000-0x00007FF60A101000-memory.dmp

memory/4548-155-0x00007FF61C8B0000-0x00007FF61CC01000-memory.dmp

memory/2164-201-0x00007FF751A00000-0x00007FF751D51000-memory.dmp

memory/4788-203-0x00007FF7F99A0000-0x00007FF7F9CF1000-memory.dmp

memory/1448-205-0x00007FF6B2300000-0x00007FF6B2651000-memory.dmp

memory/836-207-0x00007FF646010000-0x00007FF646361000-memory.dmp

memory/1132-211-0x00007FF66B730000-0x00007FF66BA81000-memory.dmp

memory/4408-210-0x00007FF630E80000-0x00007FF6311D1000-memory.dmp

memory/800-214-0x00007FF609DB0000-0x00007FF60A101000-memory.dmp

memory/3892-217-0x00007FF7D9870000-0x00007FF7D9BC1000-memory.dmp

memory/768-216-0x00007FF774970000-0x00007FF774CC1000-memory.dmp

memory/4492-220-0x00007FF666040000-0x00007FF666391000-memory.dmp

memory/3020-225-0x00007FF6DD6E0000-0x00007FF6DDA31000-memory.dmp

memory/4512-224-0x00007FF793580000-0x00007FF7938D1000-memory.dmp

memory/1596-222-0x00007FF6C5210000-0x00007FF6C5561000-memory.dmp

memory/2028-232-0x00007FF69FD40000-0x00007FF6A0091000-memory.dmp

memory/3256-233-0x00007FF71A490000-0x00007FF71A7E1000-memory.dmp

memory/1604-230-0x00007FF76AAE0000-0x00007FF76AE31000-memory.dmp

memory/4764-228-0x00007FF66C530000-0x00007FF66C881000-memory.dmp

memory/3276-236-0x00007FF6B2560000-0x00007FF6B28B1000-memory.dmp

memory/3044-238-0x00007FF6B2880000-0x00007FF6B2BD1000-memory.dmp

memory/4152-240-0x00007FF6A79E0000-0x00007FF6A7D31000-memory.dmp

memory/1540-242-0x00007FF640500000-0x00007FF640851000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 20:52

Reported

2024-08-14 20:55

Platform

win7-20240704-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A (21 rows, all N/A)

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (43 rows, all N/A)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A (21 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
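The "UPX packed file" signature above is a static match with no detail shown. As an added check, not part of this report or the sandbox's own code, the following Python parses the PE section table with the standard library only and combines the three signals a UPX-packed sample usually shows: the stock section names UPX0/UPX1, the "UPX!" marker string, and a section whose raw data has near-maximal entropy. It runs on constructed in-memory PE images (valid headers, no code), not on the sample itself; the entropy threshold of 7.0 bits per byte is an assumption. Renamed sections and a patched marker defeat the first two signals, which is why the entropy check is kept as the fallback.

```python
import math
import random
import struct

# Section names UPX leaves behind when the binary has not been post-processed.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; compressed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(blob: bytes):
    """Yield (name, raw_offset, raw_size) for every entry in the PE section table."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _psym, _nsym, size_opt, _flags = struct.unpack_from(COFF_HDR, blob, coff)
    table = coff + 20 + size_opt          # section table follows the optional header
    for i in range(nsec):
        name, _vsize, _va, rsize, rptr, *_ = struct.unpack_from(SECTION_HDR, blob, table + 40 * i)
        yield name.rstrip(b"\0"), rptr, rsize


def check_upx(blob: bytes, entropy_threshold: float = 7.0) -> dict:
    """Three signals: stock UPX section names, the 'UPX!' marker, high-entropy sections."""
    names, high = [], []
    for name, rptr, rsize in pe_sections(blob):
        names.append(name)
        if rsize and shannon_entropy(blob[rptr:rptr + rsize]) >= entropy_threshold:
            high.append(name)
    return {
        "sections": names,
        "upx_section_names": any(n in UPX_SECTION_NAMES for n in names),
        "upx_magic": b"UPX!" in blob,
        "high_entropy_sections": high,
    }


def likely_upx(report: dict) -> bool:
    return report["upx_section_names"] or report["upx_magic"]


def likely_packed(report: dict) -> bool:
    """Renamed sections and a patched marker still leave the compressed data's entropy."""
    return likely_upx(report) or bool(report["high_entropy_sections"])


def build_fake_pe(sections) -> bytes:
    """Constructed test image (valid headers, no executable code), not a real sample."""
    nsec = len(sections)
    e_lfanew = 0x40
    data_start = e_lfanew + 4 + 20 + 40 * nsec      # optional header omitted (size 0)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_HDR, 0x8664, nsec, 0, 0, 0, 0, 0x22)
    table, data, offset = b"", b"", data_start
    for name, raw in sections:
        table += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), len(raw) or 0x1000, 0x1000,
                             len(raw), offset if raw else 0, 0, 0, 0, 0, 0x60000020)
        data += raw
        offset += len(raw)
    return dos + b"PE\0\0" + coff + table + data


# Constructed inputs: a stock UPX layout, a plain binary, and a packer with renamed sections.
_packed = b"UPX!" + random.Random(7).randbytes(4096)
STOCK_UPX = build_fake_pe([(b"UPX0", b""), (b"UPX1", _packed), (b".rsrc", b"\0" * 64)])
PLAIN_PE = build_fake_pe([(b".text", b"\x90" * 4096), (b".data", b"\0" * 256)])
RENAMED_PACKER = build_fake_pe([(b".text", b""), (b".data", _packed[4:])])

if __name__ == "__main__":
    for label, blob in [("stock", STOCK_UPX), ("plain", PLAIN_PE), ("renamed", RENAMED_PACKER)]:
        r = check_upx(blob)
        print(label, "upx" if likely_upx(r) else "-", "packed" if likely_packed(r) else "-", r)
```

Against a real file, pass the bytes of the file to check_upx. If the stock markers are present, a plain `upx -d` usually recovers the original image; if only the entropy signal fires, the packer has been modified and the sample has to be unpacked dynamically by dumping the process after the stub transfers control to the original entry point.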

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\uCpKApE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SkOaSRC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Zmsrbzv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CLnrZnk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EdIeaBd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aTXaaCx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Kdddvdr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\MADeOAY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LkTAIwD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nWTIAlY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hcDrYnC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uJoaOER.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\swMTlEc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mqyhChp.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zKdYqnj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vDTNutZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nsDoLCB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zlhdrJk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NbpFTsD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\otVTfQW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\INisaQk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1720 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\swMTlEc.exe
PID 1720 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\swMTlEc.exe
PID 1720 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\swMTlEc.exe
PID 1720 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Kdddvdr.exe
PID 1720 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Kdddvdr.exe
PID 1720 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Kdddvdr.exe
PID 1720 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MADeOAY.exe
PID 1720 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MADeOAY.exe
PID 1720 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\MADeOAY.exe
PID 1720 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nsDoLCB.exe
PID 1720 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nsDoLCB.exe
PID 1720 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nsDoLCB.exe
PID 1720 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LkTAIwD.exe
PID 1720 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LkTAIwD.exe
PID 1720 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LkTAIwD.exe
PID 1720 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zlhdrJk.exe
PID 1720 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zlhdrJk.exe
PID 1720 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zlhdrJk.exe
PID 1720 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mqyhChp.exe
PID 1720 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mqyhChp.exe
PID 1720 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mqyhChp.exe
PID 1720 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zKdYqnj.exe
PID 1720 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zKdYqnj.exe
PID 1720 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zKdYqnj.exe
PID 1720 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NbpFTsD.exe
PID 1720 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NbpFTsD.exe
PID 1720 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NbpFTsD.exe
PID 1720 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vDTNutZ.exe
PID 1720 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vDTNutZ.exe
PID 1720 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vDTNutZ.exe
PID 1720 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nWTIAlY.exe
PID 1720 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nWTIAlY.exe
PID 1720 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nWTIAlY.exe
PID 1720 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uCpKApE.exe
PID 1720 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uCpKApE.exe
PID 1720 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uCpKApE.exe
PID 1720 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hcDrYnC.exe
PID 1720 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hcDrYnC.exe
PID 1720 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hcDrYnC.exe
PID 1720 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\otVTfQW.exe
PID 1720 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\otVTfQW.exe
PID 1720 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\otVTfQW.exe
PID 1720 wrote to memory of 236 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uJoaOER.exe
PID 1720 wrote to memory of 236 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uJoaOER.exe
PID 1720 wrote to memory of 236 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uJoaOER.exe
PID 1720 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\INisaQk.exe
PID 1720 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\INisaQk.exe
PID 1720 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\INisaQk.exe
PID 1720 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SkOaSRC.exe
PID 1720 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SkOaSRC.exe
PID 1720 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SkOaSRC.exe
PID 1720 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EdIeaBd.exe
PID 1720 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EdIeaBd.exe
PID 1720 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EdIeaBd.exe
PID 1720 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Zmsrbzv.exe
PID 1720 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Zmsrbzv.exe
PID 1720 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Zmsrbzv.exe
PID 1720 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CLnrZnk.exe
PID 1720 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CLnrZnk.exe
PID 1720 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CLnrZnk.exe
PID 1720 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aTXaaCx.exe
PID 1720 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aTXaaCx.exe
PID 1720 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aTXaaCx.exe
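The two tables above (files dropped into C:\Windows\System, then the parent writing into each newly created child) describe one pattern: PID 1720 writes 21 executables with random seven-letter names and launches every one of them. As an added example, not code from this report or the sandbox, the following Python reconstructs that process tree from rows in the layout shown, collapsing the three writes the sandbox logs per child, and turns the pattern into a detection: a process that launches at least N children from files it wrote itself, plus the list of dropped files that were never launched and should be collected. The input is a constructed subset of five children copied from the rows above; the threshold of five children is an assumption.

```python
import re
from collections import defaultdict

# Constructed subset of the report's two tables (same row layout, five of the 21 children).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d"
          r"_cobalt-strike_cobaltstrike_poet-rat.exe")
SPAWNS = [(2092, "swMTlEc"), (2528, "Kdddvdr"), (1784, "MADeOAY"), (2560, "nsDoLCB"), (2276, "LkTAIwD")]
WPM_TABLE = "\n".join(
    f"PID 1720 wrote to memory of {pid} N/A {SAMPLE} C:\\Windows\\System\\{name}.exe"
    for pid, name in SPAWNS for _ in range(3))          # the sandbox logs three writes per child
DROP_TABLE = "\n".join(
    f"File created C:\\Windows\\System\\{name}.exe {SAMPLE} N/A"
    for name in [n for _, n in SPAWNS] + ["uCpKApE"])   # one dropped file never spawned in this subset

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
DROP_RE = re.compile(r"^File created (\S+) (\S+) N/A$")


def parse_wpm(text: str) -> dict:
    """Map (parent_pid, child_pid) -> (parent_image, child_image); repeated writes collapse."""
    edges = {}
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            ppid, cpid, pimg, cimg = m.groups()
            edges[(int(ppid), int(cpid))] = (pimg, cimg)
    return edges


def parse_drops(text: str) -> set:
    """Lower-cased paths from 'File created' rows (the report mixes System\\ and system\\)."""
    return {m.group(1).lower() for line in text.splitlines()
            if (m := DROP_RE.match(line.strip()))}


def build_tree(edges: dict) -> dict:
    """parent_pid -> [(child_pid, child_image), ...]"""
    tree = defaultdict(list)
    for (ppid, cpid), (_, cimg) in edges.items():
        tree[ppid].append((cpid, cimg))
    return dict(tree)


def flag_dropper_fanout(edges: dict, dropped: set, min_children: int = 5) -> dict:
    """Parents that launched at least min_children processes from files they had just dropped."""
    hits = defaultdict(list)
    for (ppid, cpid), (_, cimg) in edges.items():
        if cimg.lower() in dropped:
            hits[ppid].append(cpid)
    return {p: sorted(c) for p, c in hits.items() if len(c) >= min_children}


def dropped_not_run(edges: dict, dropped: set) -> set:
    """Dropped files with no matching spawn: collect them before they execute later."""
    spawned = {cimg.lower() for _, cimg in edges.values()}
    return dropped - spawned


if __name__ == "__main__":
    edges = parse_wpm(WPM_TABLE)
    dropped = parse_drops(DROP_TABLE)
    for ppid, kids in build_tree(edges).items():
        print(ppid, "->", ", ".join(f"{pid}:{img.rsplit(chr(92), 1)[-1]}" for pid, img in kids))
    print("fan-out:", flag_dropper_fanout(edges, dropped))
    print("dropped but not run:", dropped_not_run(edges, dropped))
```

On a real endpoint the same logic runs over Sysmon event ID 11 (file create) joined to event ID 1 (process create) on the parent PID; the write-to-memory rows here are the sandbox's view of the same CreateProcess calls.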

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\swMTlEc.exe

C:\Windows\System\swMTlEc.exe

C:\Windows\System\Kdddvdr.exe

C:\Windows\System\Kdddvdr.exe

C:\Windows\System\MADeOAY.exe

C:\Windows\System\MADeOAY.exe

C:\Windows\System\nsDoLCB.exe

C:\Windows\System\nsDoLCB.exe

C:\Windows\System\LkTAIwD.exe

C:\Windows\System\LkTAIwD.exe

C:\Windows\System\zlhdrJk.exe

C:\Windows\System\zlhdrJk.exe

C:\Windows\System\mqyhChp.exe

C:\Windows\System\mqyhChp.exe

C:\Windows\System\zKdYqnj.exe

C:\Windows\System\zKdYqnj.exe

C:\Windows\System\NbpFTsD.exe

C:\Windows\System\NbpFTsD.exe

C:\Windows\System\vDTNutZ.exe

C:\Windows\System\vDTNutZ.exe

C:\Windows\System\nWTIAlY.exe

C:\Windows\System\nWTIAlY.exe

C:\Windows\System\uCpKApE.exe

C:\Windows\System\uCpKApE.exe

C:\Windows\System\hcDrYnC.exe

C:\Windows\System\hcDrYnC.exe

C:\Windows\System\otVTfQW.exe

C:\Windows\System\otVTfQW.exe

C:\Windows\System\uJoaOER.exe

C:\Windows\System\uJoaOER.exe

C:\Windows\System\INisaQk.exe

C:\Windows\System\INisaQk.exe

C:\Windows\System\SkOaSRC.exe

C:\Windows\System\SkOaSRC.exe

C:\Windows\System\EdIeaBd.exe

C:\Windows\System\EdIeaBd.exe

C:\Windows\System\Zmsrbzv.exe

C:\Windows\System\Zmsrbzv.exe

C:\Windows\System\CLnrZnk.exe

C:\Windows\System\CLnrZnk.exe

C:\Windows\System\aTXaaCx.exe

C:\Windows\System\aTXaaCx.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/1720-0-0x000000013F7F0000-0x000000013FB41000-memory.dmp

memory/1720-1-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\swMTlEc.exe

MD5 3d371d5dacc9012cd0d244ec5486eb66
SHA1 5757cbaea247c145cc12558e9dda63b896fb471d
SHA256 10e92552fcecfcd5eedc7cd68808c14e38aa2884fc1c2dd50ef6eaa84e87ed43
SHA512 a3eae246f2135c6046265256b600b08d1089a06d4de730805db3c63320babadf4a08b26d31045f71e802a08f1bf76079c34ac72a5fad632cd04b5ec853e48bd6

memory/2092-8-0x000000013F810000-0x000000013FB61000-memory.dmp

C:\Windows\system\Kdddvdr.exe

MD5 5d417e6ed2c264973458b9cb4748f39a
SHA1 d2aec85ec782103f499fe2209c506dce533cc924
SHA256 9d83c010bf904606ea2e8f89902efe1928b26e95cc41cab0f826d8d7abc75a9c
SHA512 236bf9ced0cd561ff3dca6d28d820742ad62cb9013fe93eb276623db581978738082ad76211b90e266a6f1b4f1d54b04199bb8891a13dd1345699d3a347b85bf

C:\Windows\system\nsDoLCB.exe

MD5 55862bfe0821e496d4520b30d8c8a7e4
SHA1 37d0318a5664cddd6814d9fbb88edbdc3ec5882b
SHA256 d355937458754d5a9e7fc76fa82901ad7ebadf9af7e5358847338bfc455e24b5
SHA512 d04f8107d817ecd45dfdb8fca6072c476e750028177e62e24515f38bbed034a4f9ca405026609a9ef739cc14cd735518e40669becdf6653fd99c54b008c946a3

C:\Windows\system\MADeOAY.exe

MD5 7c80c9d8c464e270e633fe3d9dde59a7
SHA1 b737e3f10f4e24d35ce52f6650c124754252efa7
SHA256 c9c3c04e940608c7c89a8451525f5eb9f2ee6fd2633e726ef734a7e75e8a0521
SHA512 fcdb82c8ef828143d53b53f8e6e4fd12d91864c9dafd3b2950ffc0b483ae77f295d23223be42d5c7ac59ca9360a191f60bf57e5335e94c78f5337b2686c9065b

C:\Windows\system\LkTAIwD.exe

MD5 f70e533dc1e455d5dc67c604931ef771
SHA1 e46c8b03726fb0a8b992ba2c96ace0d532b1278b
SHA256 ed4e2554339fae346a7f2c899fbf97f0333aa39684fbd61e01d16348c01d5062
SHA512 47f2c1cda2830ca37454e5c41e5da53a923fe0dbdbb8ea47200e4602a8318f7af3706c88de43e158dc51e7ade14b312d8950cb31229977327f86b104bc4b3681

C:\Windows\system\zlhdrJk.exe

MD5 d2b8d3acc627d73feb158f14b484df1b
SHA1 c8e335962c42879c57997c06134545bfd168c9cd
SHA256 515102f63b46cdebab3f3be854c5fc72cb2b421e6081fbd58a78e19c295bdc36
SHA512 e7fa339629127020587ae48db73634d2dfaf02819bb59890a6777534ac764641b9e3eec20e1891e1e9d3cece2f53eaacade89aa8dd1d5fc8a566f2cc05e27aeb

C:\Windows\system\zKdYqnj.exe

MD5 c5084f712ce9ce0b540eaa15e7cea356
SHA1 aa57ade594d38b4f242d3de21c3556c9376d7688
SHA256 8473c3ddd60dadeb0335222e9614e7c7e2c539a5ec08e5c8c92caf58ebc0f9f2
SHA512 ace3f8403aff19bec772378c5e4630bd532fc6f664f0b6e12d7567f7bc3d90b65306c6683d4efdbee130633f6b62100803e641c06e3f30ad0e8988a6f434f40e

C:\Windows\system\vDTNutZ.exe

MD5 8193de7bc54d5500413c2d9d7131519d
SHA1 2a649ac97c3f9075b4c681b3780c7bda3e155198
SHA256 65d91fd852cdbe4d2fe656d1444177efb377a0d9cdb250a706d05dcd943b7896
SHA512 3836d6e58f81639d7d0b83bb181aec8b2512ec3a755fc4e6c1a168f9afc44bfa52e9f9f8301317e2901d207cbdd712c71d5584f2239d361c5b9dfeb06401714f

memory/2780-63-0x000000013FF20000-0x0000000140271000-memory.dmp

memory/1720-62-0x000000013FF20000-0x0000000140271000-memory.dmp

\Windows\system\uCpKApE.exe

MD5 aa76f5e1bbb20f21122d4e0ace7363ad
SHA1 a572273c0f0889cd8c2f80fabaadd28706f849e7
SHA256 0cfa16fed947daae60ab15eba94fad28502da0e68144f14682b9e905ff102ac4
SHA512 ea4b0b3d0c0eb39248e78d7467f61fcbe790c66827b685e38326ec7013dd2c8c258df67abd0141eb89f80e0b7fa1f4bc4a47ddd4b298872c8227b06846c92da4

memory/2224-61-0x000000013F1D0000-0x000000013F521000-memory.dmp

memory/1720-59-0x000000013F1D0000-0x000000013F521000-memory.dmp

memory/2276-57-0x000000013F750000-0x000000013FAA1000-memory.dmp

memory/1720-55-0x00000000022E0000-0x0000000002631000-memory.dmp

memory/2560-53-0x000000013FC10000-0x000000013FF61000-memory.dmp

memory/1784-51-0x000000013F090000-0x000000013F3E1000-memory.dmp

memory/2528-50-0x000000013F280000-0x000000013F5D1000-memory.dmp

C:\Windows\system\nWTIAlY.exe

MD5 36aee9d5e2e6512b4254f9d0d93a8b37
SHA1 e92bd88c9ed30eab233833a621cce03a0e2fc2f5
SHA256 8515a92d737ec07e4e7a740bc4c2eb7e868d69e3db16f0ac37a9ced31e5d210b
SHA512 d38bb80b1381e5a1b287f43260a1a7a4d53d23a5bbe516a74715ca1a1345a59889415182946950f63d9ab146d1017a94b305179009acad8d95d1d89a489eb913

C:\Windows\system\NbpFTsD.exe

MD5 668701a2ba64f44c2382fb76d56d71e2
SHA1 65757c53d184429cf66baf659095ab782c7acbed
SHA256 9c265621ebb32ab12c277192315ad335e1bfc644ad521e1726d8692def95bff8
SHA512 28d2e1ffd46729666d666820083179dace67b61c417d198a2c0fcedaed76f8077078a4b385b486ba0234ea0fe9a1ff46e441fa2368b26038681a5fb8954cb041

C:\Windows\system\mqyhChp.exe

MD5 887d6657e9cf3ea3fc170f3c52db5bbf
SHA1 6779680f62d48f8a0a43f3357947f4f5559a9425
SHA256 85834ff7cab427e0089ed65be7b83aef183a1fcfeb44b963cf834a75169e4b84
SHA512 57de878f3a45e75cfa106678bfcae4052863c9d0582d8c0e12806a37e8c19ef0c7f40efc645129378c3792897be45c607812bff8628db71b6cb23c9718a54958

memory/1720-16-0x000000013F280000-0x000000013F5D1000-memory.dmp

memory/1720-71-0x00000000022E0000-0x0000000002631000-memory.dmp

C:\Windows\system\hcDrYnC.exe

MD5 223b669596ed7db1ce0caa0bc1e84eba
SHA1 bd06bbe016601f35071e91b0d7e1fa616a39a3ca
SHA256 3dab33e9de8461419a7bd2e620555a51103ffbb3eca1e876d34ea4ca8ddd15e6
SHA512 7867f3cfb74894adfb39faafe7154be8e33a75fefd937a4e016db80016f1311b622d5289e1306e321f31271954e58673d64dccc1ac43bf001dfd11b537cd92aa

C:\Windows\system\uJoaOER.exe

MD5 ad2c11f72b5fb504b5953a9ee929b4b9
SHA1 22596e7f83d61453ce758fb3e7542aa86a54f0ee
SHA256 ca4832e9416658d0fa3f5e7c45bb8d569dee8e2e08aaa86f9a076772c743d512
SHA512 13f13a43503374e8993399e736e64636400012f615c86c6a80cd975a2415787f92f2b03ea4a63c902a4929446fe7e2a43cfd39e30a1149e80b8fd8393fc1d56a

C:\Windows\system\SkOaSRC.exe

MD5 c6e082fffc52549f804a2762e5c09b13
SHA1 2bd47e11f0634c89af409f299d16f9389bc16e12
SHA256 131d12fa81fd65dd7064772da5c553cb24968e63efa8dad29dc2d0393c57b486
SHA512 caee2379005f9052c2604e4d0a2d66aec2fe2232cfb4a4ef63f7f57de689fbc28f7897e8458ed9624a1d0a2db651beaa8a84467b5b70d5c118b681c34d7343a1

C:\Windows\system\CLnrZnk.exe

MD5 c6a9a25d5ab98a5eb51cb2d76172c78d
SHA1 8c0b13835f9b4893bc0dd5f3c1cfb30e0ed3b8c2
SHA256 a7cf14ff96e698f3bdca5db9f08540327cf91b9bcf493826771058bd8d88f133
SHA512 de801c54c4c264751b9abbfc997dbdb9c85df20606361bb676101f36a870ab605791028f28afffb91588d324ee05b62f184e7a96c90e3a9b3fe2300c4c9db7da

\Windows\system\aTXaaCx.exe

MD5 b3271f40cf8a0fe036f6b08c16699b81
SHA1 422533dcbc0cf90da79da7c2b7d3fdc7d7d5e9cc
SHA256 536cdb42eb38e4c0494b20fdcfc180e35892213a81aaa6feca17e8bf122b3a0b
SHA512 318634203078c5f815d74f0d2bbff132b14a36e99ba3500fdd73ec3bf0655bb7a830afc3d790df9ac4a2148443698ddcca7677ed6e72a34e71dc62112b4c514e

C:\Windows\system\Zmsrbzv.exe

MD5 ab992d3ee60957dacb9d8555de4d0e4b
SHA1 188bf37b1684ccd1ca007414cc8f299ab3108467
SHA256 020d42e88139e7693f625e6bcaf17da0e6fa3119c2000ad47ad53e21676443bd
SHA512 2bd8bcebbcc749ba7c2b6f39babe20c42fa57e14848d8fce9f599df6b74a848ae9918601bd0a2d5bb288ee0584fedff5171eff814000a16453c068fb8d599a6a

C:\Windows\system\EdIeaBd.exe

MD5 3db7e624ed8e2d3c2ae7c5f39cf82dee
SHA1 e125f368406d976bb57259cfb26cef2e4b9de6e4
SHA256 332a39d4df92df944213877ce32c23c880ecdcdcd3758af0d558861fdbb28b68
SHA512 8f20752d311d0c150f2e861c0b7a52295657784e351d0e8c6cb8584f2925ac96d9d91e8ef6fe5f4e1559fe8ff88aeff502c931800f86c5b79b03389d4834953a

C:\Windows\system\INisaQk.exe

MD5 2a1a08434155dba32bd9b03c1d582de3
SHA1 ad63aaf6c5691584d682a3435eda99c623b52a97
SHA256 db7665aa06f2803307ea83877f1b8d3ea84aa69d565d75adec10e40f7b417b3b
SHA512 e5c4880807d6bfd71da88bedf08df4185aed875a9c6b1270de32e03271bf7576361b1e433252f3540e25f2f58bdfd396e06903d5efe8b2979d72ec39f21126c7

C:\Windows\system\otVTfQW.exe

MD5 202edfa4746e8504aec556e780d753db
SHA1 c791da56238b3df18fb59d1b432bbd029a77f4ed
SHA256 b0e796201fe184f683e748e2cd3ff665dbbbbe3b4ffbc1ef81c9b6a43e130ae5
SHA512 9ee6a3fed2cf88c98bd45b3618b970d64cbb5e90e82c12756b6a07a158ce41ec8fcfdc36fccdb619799db25e7a0f63cb30879745ab33cb5fbe4a70ced30ec826

memory/2176-119-0x000000013F2C0000-0x000000013F611000-memory.dmp

memory/1720-118-0x000000013F2C0000-0x000000013F611000-memory.dmp

memory/2892-115-0x000000013F310000-0x000000013F661000-memory.dmp

memory/1720-112-0x000000013F310000-0x000000013F661000-memory.dmp

memory/2908-110-0x000000013FA90000-0x000000013FDE1000-memory.dmp

memory/1720-109-0x000000013F7F0000-0x000000013FB41000-memory.dmp

memory/2528-127-0x000000013F280000-0x000000013F5D1000-memory.dmp

memory/1720-126-0x00000000022E0000-0x0000000002631000-memory.dmp

memory/2224-131-0x000000013F1D0000-0x000000013F521000-memory.dmp

memory/1784-128-0x000000013F090000-0x000000013F3E1000-memory.dmp

memory/2560-129-0x000000013FC10000-0x000000013FF61000-memory.dmp

memory/1960-142-0x000000013F3E0000-0x000000013F731000-memory.dmp

memory/1720-145-0x000000013FC10000-0x000000013FF61000-memory.dmp

memory/1720-144-0x000000013F090000-0x000000013F3E1000-memory.dmp

memory/1720-141-0x000000013F3E0000-0x000000013F731000-memory.dmp

memory/756-140-0x000000013FF30000-0x0000000140281000-memory.dmp

memory/1720-139-0x000000013FF30000-0x0000000140281000-memory.dmp

memory/2664-138-0x000000013FAE0000-0x000000013FE31000-memory.dmp

memory/2640-137-0x000000013F630000-0x000000013F981000-memory.dmp

memory/1804-149-0x000000013F640000-0x000000013F991000-memory.dmp

memory/2960-154-0x000000013F1C0000-0x000000013F511000-memory.dmp

memory/2860-153-0x000000013F230000-0x000000013F581000-memory.dmp

memory/2852-152-0x000000013F1C0000-0x000000013F511000-memory.dmp

memory/2848-151-0x000000013F370000-0x000000013F6C1000-memory.dmp

memory/2724-150-0x000000013F7F0000-0x000000013FB41000-memory.dmp

memory/236-148-0x000000013F770000-0x000000013FAC1000-memory.dmp

memory/1720-155-0x000000013F7F0000-0x000000013FB41000-memory.dmp

memory/1720-177-0x000000013F7F0000-0x000000013FB41000-memory.dmp

memory/1720-184-0x000000013F280000-0x000000013F5D1000-memory.dmp

memory/1720-192-0x000000013F310000-0x000000013F661000-memory.dmp

memory/1720-193-0x000000013F2C0000-0x000000013F611000-memory.dmp

memory/1720-204-0x000000013FC10000-0x000000013FF61000-memory.dmp

memory/1720-203-0x000000013F090000-0x000000013F3E1000-memory.dmp

memory/2092-207-0x000000013F810000-0x000000013FB61000-memory.dmp

memory/1784-209-0x000000013F090000-0x000000013F3E1000-memory.dmp

memory/2276-212-0x000000013F750000-0x000000013FAA1000-memory.dmp

memory/2892-215-0x000000013F310000-0x000000013F661000-memory.dmp

memory/2640-217-0x000000013F630000-0x000000013F981000-memory.dmp

memory/2780-214-0x000000013FF20000-0x0000000140271000-memory.dmp

memory/2528-223-0x000000013F280000-0x000000013F5D1000-memory.dmp

memory/2908-225-0x000000013FA90000-0x000000013FDE1000-memory.dmp

memory/2176-227-0x000000013F2C0000-0x000000013F611000-memory.dmp

memory/2224-221-0x000000013F1D0000-0x000000013F521000-memory.dmp

memory/2560-219-0x000000013FC10000-0x000000013FF61000-memory.dmp

memory/1960-242-0x000000013F3E0000-0x000000013F731000-memory.dmp

memory/2664-245-0x000000013FAE0000-0x000000013FE31000-memory.dmp

memory/756-247-0x000000013FF30000-0x0000000140281000-memory.dmp
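The Files and Network blocks above are the indicators a responder would carry into a hunt. As an added example, not part of this report or the sandbox's tooling, the following Python parses those two blocks in the layout shown (a path line followed by its MD5/SHA1/SHA256/SHA512 lines, with the memory dump lines skipped, and one network row per connection), deduplicates them into an IOC list, and hashes a directory tree against the SHA256 set. The input is a constructed excerpt containing two of the entries above; demo_hunt plants a constructed file in a temporary directory, so the hit it reports is on that planted file, not on the real dropped payload.

```python
import hashlib
import os
import re
import tempfile

# Constructed excerpt in the report's Files/Network layout (two entries copied from above).
FILES_BLOCK = r"""
memory/1720-0-0x000000013F7F0000-0x000000013FB41000-memory.dmp

\Windows\system\swMTlEc.exe

MD5 3d371d5dacc9012cd0d244ec5486eb66
SHA1 5757cbaea247c145cc12558e9dda63b896fb471d
SHA256 10e92552fcecfcd5eedc7cd68808c14e38aa2884fc1c2dd50ef6eaa84e87ed43
SHA512 a3eae246f2135c6046265256b600b08d1089a06d4de730805db3c63320babadf4a08b26d31045f71e802a08f1bf76079c34ac72a5fad632cd04b5ec853e48bd6

memory/2092-8-0x000000013F810000-0x000000013FB61000-memory.dmp

C:\Windows\system\Kdddvdr.exe

MD5 5d417e6ed2c264973458b9cb4748f39a
SHA1 d2aec85ec782103f499fe2209c506dce533cc924
SHA256 9d83c010bf904606ea2e8f89902efe1928b26e95cc41cab0f826d8d7abc75a9c
SHA512 236bf9ced0cd561ff3dca6d28d820742ad62cb9013fe93eb276623db581978738082ad76211b90e266a6f1b4f1d54b04199bb8891a13dd1345699d3a347b85bf
"""
NETWORK_BLOCK = """
Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$", re.I)
NET_RE = re.compile(r"^([A-Z]{2}|-) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$")
EXPECTED_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def parse_files(text: str) -> list:
    """Entries are a path line followed by hash lines; memory dump lines carry no hash."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) != EXPECTED_LEN[algo]:      # catch truncated copy-paste
                raise ValueError(f"{algo} digest of wrong length for {current['path']}")
            current[algo] = digest
        elif not m:
            current = {"path": line}
            if not line.startswith("memory/"):
                entries.append(current)
    return [e for e in entries if "sha256" in e]


def parse_network(text: str) -> set:
    """Deduplicate (ip, port, proto); the report repeats one row per connection attempt."""
    conns = set()
    for line in text.splitlines():
        m = NET_RE.match(line.strip())
        if m:
            conns.add((m.group(2), int(m.group(3)), m.group(5)))
    return conns


def to_ioc_lines(entries: list, conns: set) -> list:
    lines = sorted(f"sha256:{e['sha256']}  # {e['path']}" for e in entries)
    lines += sorted(f"{proto}:{ip}:{port}" for ip, port, proto in conns)
    return lines


def hunt_directory(root: str, sha256_set: set) -> list:
    """Hash every file under root and return the paths whose SHA256 is in the IOC set."""
    matches = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            if h.hexdigest() in sha256_set:
                matches.append(path)
    return matches


def demo_hunt() -> list:
    """Plant a constructed file in a temp dir and hunt for its hash plus the report's hashes."""
    with tempfile.TemporaryDirectory() as d:
        content = b"constructed sample content, not the real dropped payload"
        with open(os.path.join(d, "planted.bin"), "wb") as fh:
            fh.write(content)
        iocs = {hashlib.sha256(content).hexdigest()} | {e["sha256"] for e in parse_files(FILES_BLOCK)}
        return [os.path.basename(p) for p in hunt_directory(d, iocs)]


if __name__ == "__main__":
    print("\n".join(to_ioc_lines(parse_files(FILES_BLOCK), parse_network(NETWORK_BLOCK))))
    print("hunt hits:", demo_hunt())
```

The per-file hashes are the weakest of these indicators: all 21 dropped executables in this detonation have different hashes, so each one matches only this build. The indicators that survive a rebuild are the path pattern (random seven-letter mixed-case names directly in C:\Windows\System, a directory legitimate installers do not write executables to) and the 3.120.209.58:8080 endpoint, which is why the hunt should pair the hash check with a filename pattern and a network query.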