Malware Analysis Report

2025-03-15 08:08

Sample ID 240815-m4q64syhke
Target 2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat
SHA256 adbbbb5c503eeb2c46a67da165a78d102f44b56fdb868be6fc1dcea4cf773ed5
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

adbbbb5c503eeb2c46a67da165a78d102f44b56fdb868be6fc1dcea4cf773ed5

Threat Level: Known bad

The file 2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike

Cobalt Strike reflective loader

XMRig Miner payload

Cobaltstrike family

Xmrig family

xmrig

XMRig Miner payload

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-15 11:01

Signatures

Cobalt Strike reflective loader


Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner

Xmrig family

xmrig

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 11:01

Reported

2024-08-15 11:03

Platform

win7-20240705-en

Max time kernel

140s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\liDebMJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EAHOhxt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\htLVtgj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JNwtHmE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HUZZTpg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VWoXdjA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZxGLAbu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oJvhJIZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bqsMiXf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LMPRlSi.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QsGxZRy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FdzhmAG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LIJJLwM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\soPVOqz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LryDlZA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ggMriId.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TYVCWJl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nmQYdPN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kimnQBm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZlJcNTQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XrbEEaB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2260 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FdzhmAG.exe
PID 2260 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LIJJLwM.exe
PID 2260 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TYVCWJl.exe
PID 2260 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\soPVOqz.exe
PID 2260 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZxGLAbu.exe
PID 2260 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oJvhJIZ.exe
PID 2260 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bqsMiXf.exe
PID 2260 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nmQYdPN.exe
PID 2260 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JNwtHmE.exe
PID 2260 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HUZZTpg.exe
PID 2260 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LMPRlSi.exe
PID 2260 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kimnQBm.exe
PID 2260 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LryDlZA.exe
PID 2260 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QsGxZRy.exe
PID 2260 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VWoXdjA.exe
PID 2260 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\liDebMJ.exe
PID 2260 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ggMriId.exe
PID 2260 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EAHOhxt.exe
PID 2260 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\htLVtgj.exe
PID 2260 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZlJcNTQ.exe
PID 2260 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XrbEEaB.exe

Processes

Process Command Line
C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe "C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\FdzhmAG.exe C:\Windows\System\FdzhmAG.exe
C:\Windows\System\LIJJLwM.exe C:\Windows\System\LIJJLwM.exe
C:\Windows\System\TYVCWJl.exe C:\Windows\System\TYVCWJl.exe
C:\Windows\System\soPVOqz.exe C:\Windows\System\soPVOqz.exe
C:\Windows\System\ZxGLAbu.exe C:\Windows\System\ZxGLAbu.exe
C:\Windows\System\oJvhJIZ.exe C:\Windows\System\oJvhJIZ.exe
C:\Windows\System\bqsMiXf.exe C:\Windows\System\bqsMiXf.exe
C:\Windows\System\nmQYdPN.exe C:\Windows\System\nmQYdPN.exe
C:\Windows\System\JNwtHmE.exe C:\Windows\System\JNwtHmE.exe
C:\Windows\System\HUZZTpg.exe C:\Windows\System\HUZZTpg.exe
C:\Windows\System\LMPRlSi.exe C:\Windows\System\LMPRlSi.exe
C:\Windows\System\kimnQBm.exe C:\Windows\System\kimnQBm.exe
C:\Windows\System\LryDlZA.exe C:\Windows\System\LryDlZA.exe
C:\Windows\System\QsGxZRy.exe C:\Windows\System\QsGxZRy.exe
C:\Windows\System\VWoXdjA.exe C:\Windows\System\VWoXdjA.exe
C:\Windows\System\liDebMJ.exe C:\Windows\System\liDebMJ.exe
C:\Windows\System\ggMriId.exe C:\Windows\System\ggMriId.exe
C:\Windows\System\EAHOhxt.exe C:\Windows\System\EAHOhxt.exe
C:\Windows\System\htLVtgj.exe C:\Windows\System\htLVtgj.exe
C:\Windows\System\ZlJcNTQ.exe C:\Windows\System\ZlJcNTQ.exe
C:\Windows\System\XrbEEaB.exe C:\Windows\System\XrbEEaB.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files


memory/3016-168-0x000000013F8E0000-0x000000013FC31000-memory.dmp

memory/2892-167-0x000000013F8E0000-0x000000013FC31000-memory.dmp

memory/2260-169-0x000000013F290000-0x000000013F5E1000-memory.dmp

memory/2756-221-0x000000013F800000-0x000000013FB51000-memory.dmp

memory/768-223-0x000000013FA80000-0x000000013FDD1000-memory.dmp

memory/2364-225-0x000000013F260000-0x000000013F5B1000-memory.dmp

memory/2788-227-0x000000013F500000-0x000000013F851000-memory.dmp

memory/2240-229-0x000000013F750000-0x000000013FAA1000-memory.dmp

memory/2720-231-0x000000013F640000-0x000000013F991000-memory.dmp

memory/2772-237-0x000000013FFF0000-0x0000000140341000-memory.dmp

memory/2776-239-0x000000013FDB0000-0x0000000140101000-memory.dmp

memory/2608-241-0x000000013FFE0000-0x0000000140331000-memory.dmp

memory/2840-243-0x000000013F820000-0x000000013FB71000-memory.dmp

memory/808-249-0x000000013FDE0000-0x0000000140131000-memory.dmp

memory/3032-251-0x000000013FFA0000-0x00000001402F1000-memory.dmp

memory/2268-253-0x000000013F020000-0x000000013F371000-memory.dmp

memory/2432-259-0x000000013FF30000-0x0000000140281000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 11:01

Reported

2024-08-15 11:04

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\IOTMwSz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SwsfjSk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lThwaNh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GtBUiZj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UCZUgxk.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uGkiiwM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oWrGCQV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\uQwhfUo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LqnJnEy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aurhctJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hYviYFd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jIhdwjV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\whRiMlQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BweNqWy.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gzDRNXB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pgvyVBo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rSaVfql.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SAOPNeu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\txMcfwV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TbLijzA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jljTLla.exe C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2904 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IOTMwSz.exe
PID 2904 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gzDRNXB.exe
PID 2904 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uQwhfUo.exe
PID 2904 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SwsfjSk.exe
PID 2904 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pgvyVBo.exe
PID 2904 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rSaVfql.exe
PID 2904 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lThwaNh.exe
PID 2904 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GtBUiZj.exe
PID 2904 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LqnJnEy.exe
PID 2904 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aurhctJ.exe
PID 2904 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hYviYFd.exe
PID 2904 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jIhdwjV.exe
PID 2904 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SAOPNeu.exe
PID 2904 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\txMcfwV.exe
PID 2904 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UCZUgxk.exe
PID 2904 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\uGkiiwM.exe
PID 2904 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\whRiMlQ.exe
PID 2904 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BweNqWy.exe
PID 2904 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TbLijzA.exe
PID 2904 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oWrGCQV.exe
PID 2904 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jljTLla.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-15_ddd5e6f488edeb3eee9c165ac82416da_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\IOTMwSz.exe

C:\Windows\System\IOTMwSz.exe

C:\Windows\System\gzDRNXB.exe

C:\Windows\System\gzDRNXB.exe

C:\Windows\System\uQwhfUo.exe

C:\Windows\System\uQwhfUo.exe

C:\Windows\System\SwsfjSk.exe

C:\Windows\System\SwsfjSk.exe

C:\Windows\System\pgvyVBo.exe

C:\Windows\System\pgvyVBo.exe

C:\Windows\System\rSaVfql.exe

C:\Windows\System\rSaVfql.exe

C:\Windows\System\lThwaNh.exe

C:\Windows\System\lThwaNh.exe

C:\Windows\System\GtBUiZj.exe

C:\Windows\System\GtBUiZj.exe

C:\Windows\System\LqnJnEy.exe

C:\Windows\System\LqnJnEy.exe

C:\Windows\System\aurhctJ.exe

C:\Windows\System\aurhctJ.exe

C:\Windows\System\hYviYFd.exe

C:\Windows\System\hYviYFd.exe

C:\Windows\System\jIhdwjV.exe

C:\Windows\System\jIhdwjV.exe

C:\Windows\System\SAOPNeu.exe

C:\Windows\System\SAOPNeu.exe

C:\Windows\System\txMcfwV.exe

C:\Windows\System\txMcfwV.exe

C:\Windows\System\UCZUgxk.exe

C:\Windows\System\UCZUgxk.exe

C:\Windows\System\uGkiiwM.exe

C:\Windows\System\uGkiiwM.exe

C:\Windows\System\whRiMlQ.exe

C:\Windows\System\whRiMlQ.exe

C:\Windows\System\BweNqWy.exe

C:\Windows\System\BweNqWy.exe

C:\Windows\System\TbLijzA.exe

C:\Windows\System\TbLijzA.exe

C:\Windows\System\oWrGCQV.exe

C:\Windows\System\oWrGCQV.exe

C:\Windows\System\jljTLla.exe

C:\Windows\System\jljTLla.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files
