Malware Analysis Report

2025-08-06 02:06

Sample ID 241027-fk1g4ssle1
Target 2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat
SHA256 0f6ce4b1ea8b1d2c931d6729631fb8d058777e35ed9e2a454e5c17b6ccf29f5f
Tags
cobaltstrike xmrig 0 backdoor miner trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0f6ce4b1ea8b1d2c931d6729631fb8d058777e35ed9e2a454e5c17b6ccf29f5f

Threat Level: Known bad

The file 2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

cobaltstrike xmrig 0 backdoor miner trojan upx

Cobalt Strike reflective loader

Cobaltstrike

XMRig Miner payload

Xmrig family

Cobaltstrike family

xmrig

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-10-27 04:56

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
(2 rows, all fields N/A: the matches were recorded without description, indicator, process or target)

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 04:56

Reported

2024-10-27 04:59

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 rows, all fields N/A: the matches were recorded without description, indicator, process or target)

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(45 rows, all fields N/A: the matches were recorded without description, indicator, process or target)

UPX packed file

upx
Description Indicator Process Target
(64 rows, all fields N/A: the matches were recorded without description, indicator, process or target)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\iUUeLBg.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gPpDbmk.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KAnawDp.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lOhJdGm.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JdVzYaj.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oRRtTCI.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iLzYOVN.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FkqZioe.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\REtyjwN.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YBUCSmz.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WRxbUyK.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Embmesa.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KrUakhk.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ictdtEJ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vxEkuLR.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zVdABjv.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EPMExxR.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vAJCkaN.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UfIxVZM.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mNwxkki.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dudZkib.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2136 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oRRtTCI.exe
PID 2136 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oRRtTCI.exe
PID 2136 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Embmesa.exe
PID 2136 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Embmesa.exe
PID 2136 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KrUakhk.exe
PID 2136 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KrUakhk.exe
PID 2136 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iLzYOVN.exe
PID 2136 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iLzYOVN.exe
PID 2136 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ictdtEJ.exe
PID 2136 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ictdtEJ.exe
PID 2136 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UfIxVZM.exe
PID 2136 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UfIxVZM.exe
PID 2136 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FkqZioe.exe
PID 2136 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FkqZioe.exe
PID 2136 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\REtyjwN.exe
PID 2136 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\REtyjwN.exe
PID 2136 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mNwxkki.exe
PID 2136 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mNwxkki.exe
PID 2136 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YBUCSmz.exe
PID 2136 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YBUCSmz.exe
PID 2136 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gPpDbmk.exe
PID 2136 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gPpDbmk.exe
PID 2136 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dudZkib.exe
PID 2136 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dudZkib.exe
PID 2136 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KAnawDp.exe
PID 2136 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KAnawDp.exe
PID 2136 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vxEkuLR.exe
PID 2136 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vxEkuLR.exe
PID 2136 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iUUeLBg.exe
PID 2136 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iUUeLBg.exe
PID 2136 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zVdABjv.exe
PID 2136 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zVdABjv.exe
PID 2136 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WRxbUyK.exe
PID 2136 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WRxbUyK.exe
PID 2136 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lOhJdGm.exe
PID 2136 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lOhJdGm.exe
PID 2136 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EPMExxR.exe
PID 2136 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EPMExxR.exe
PID 2136 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vAJCkaN.exe
PID 2136 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vAJCkaN.exe
PID 2136 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JdVzYaj.exe
PID 2136 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JdVzYaj.exe
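The two tables above read as a single pattern once parsed: the sample writes 21 executables with 7-letter mixed-case names into C:\Windows\System (the legacy 16-bit folder, not System32), and PID 2136 then writes into the memory of every one of those children exactly twice. The script below is an added triage example for this page, not part of the sandbox report or its tooling. It rebuilds the rows from the tables in the same flattened layout (the dropper path is factored into one constant, and only the first six WriteProcessMemory rows are included), parses them, flags executables created under the legacy folder together with their name shape, and groups the cross-process writes by source and destination PID.

```python
"""Triage the "Drops file in Windows directory" and "Suspicious use of
WriteProcessMemory" tables above.  Added example for this page; it is not
part of the sandbox report or its tooling.
"""
import re
from collections import Counter

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe")

# The 21 dropped names, in the order the drop table lists them.
DROPPED_NAMES = ("iUUeLBg gPpDbmk KAnawDp lOhJdGm JdVzYaj oRRtTCI iLzYOVN FkqZioe REtyjwN "
                 "YBUCSmz WRxbUyK Embmesa KrUakhk ictdtEJ vxEkuLR zVdABjv EPMExxR vAJCkaN "
                 "UfIxVZM mNwxkki dudZkib").split()

# Rows rebuilt in the report's flattened layout (dropper path factored out).
DROP_ROWS = [f"File created C:\\Windows\\System\\{n}.exe {DROPPER} N/A" for n in DROPPED_NAMES]

# First six WriteProcessMemory rows (three children, two writes each); the
# rest of that table repeats the same shape for the other 18 children.
WPM_ROWS = [f"PID 2136 wrote to memory of {pid} N/A {DROPPER} C:\\Windows\\System\\{n}.exe"
            for pid, n in ((1048, "oRRtTCI"), (1048, "oRRtTCI"), (5036, "Embmesa"),
                           (5036, "Embmesa"), (2012, "KrUakhk"), (2012, "KrUakhk"))]

DROP_RE = re.compile(r"^File created (?P<path>\S+) (?P<proc>\S+) N/A$")
WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
                    r"(?P<proc>\S+) (?P<target>\S+)$")

# 16-bit era folder; current Windows keeps it almost empty, so a fresh EXE
# there deserves attention whatever its name.  Default SystemRoot assumed.
LEGACY_SYSTEM_DIR = "c:\\windows\\system\\"


def parse_drops(rows):
    """Map each dropped path to the process that created it."""
    drops = {}
    for row in rows:
        m = DROP_RE.match(row)
        if m:
            drops[m["path"]] = m["proc"]
    return drops


def parse_wpm(rows):
    """Count cross-process writes per (source PID, destination PID, target image)."""
    writes = Counter()
    for row in rows:
        m = WPM_RE.match(row)
        if m:
            writes[(int(m["src"]), int(m["dst"]), m["target"])] += 1
    return writes


def name_shape(stem):
    """(length, mixed_case) of a file stem.  Uniform values across many drops
    point at a name generator rather than at human-chosen names."""
    mixed = stem.isalpha() and not stem.islower() and not stem.isupper()
    return len(stem), mixed


def suspicious_drops(drops):
    """EXEs created under the legacy System folder, with their name shape."""
    hits = []
    for path in drops:
        low = path.lower()
        if low.startswith(LEGACY_SYSTEM_DIR) and low.endswith(".exe"):
            stem = path.rsplit("\\", 1)[1][:-4]
            hits.append((path, *name_shape(stem)))
    return hits


def injection_map(writes):
    """{source PID: {destination PID: (target image, write count)}}."""
    by_src = {}
    for (src, dst, target), n in writes.items():
        by_src.setdefault(src, {})[dst] = (target, n)
    return by_src


if __name__ == "__main__":
    for path, length, mixed in suspicious_drops(parse_drops(DROP_ROWS)):
        print(f"{path}  len={length} mixed_case={mixed}")
    for src, children in injection_map(parse_wpm(WPM_ROWS)).items():
        print(f"PID {src} wrote into {len(children)} child processes:")
        for dst, (target, n) in children.items():
            print(f"  -> PID {dst} ({target}) x{n}")
```

A fixed name length across all drops is a hunting fingerprint rather than evidence on its own; the location is the stronger signal, since installers do not normally write to C:\Windows\System. Two writes per child with no further detail is all the report records, so the code reports counts and does not guess at what was written.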

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\oRRtTCI.exe

C:\Windows\System\oRRtTCI.exe

C:\Windows\System\Embmesa.exe

C:\Windows\System\Embmesa.exe

C:\Windows\System\KrUakhk.exe

C:\Windows\System\KrUakhk.exe

C:\Windows\System\iLzYOVN.exe

C:\Windows\System\iLzYOVN.exe

C:\Windows\System\ictdtEJ.exe

C:\Windows\System\ictdtEJ.exe

C:\Windows\System\UfIxVZM.exe

C:\Windows\System\UfIxVZM.exe

C:\Windows\System\FkqZioe.exe

C:\Windows\System\FkqZioe.exe

C:\Windows\System\REtyjwN.exe

C:\Windows\System\REtyjwN.exe

C:\Windows\System\mNwxkki.exe

C:\Windows\System\mNwxkki.exe

C:\Windows\System\YBUCSmz.exe

C:\Windows\System\YBUCSmz.exe

C:\Windows\System\gPpDbmk.exe

C:\Windows\System\gPpDbmk.exe

C:\Windows\System\dudZkib.exe

C:\Windows\System\dudZkib.exe

C:\Windows\System\KAnawDp.exe

C:\Windows\System\KAnawDp.exe

C:\Windows\System\vxEkuLR.exe

C:\Windows\System\vxEkuLR.exe

C:\Windows\System\iUUeLBg.exe

C:\Windows\System\iUUeLBg.exe

C:\Windows\System\zVdABjv.exe

C:\Windows\System\zVdABjv.exe

C:\Windows\System\WRxbUyK.exe

C:\Windows\System\WRxbUyK.exe

C:\Windows\System\lOhJdGm.exe

C:\Windows\System\lOhJdGm.exe

C:\Windows\System\EPMExxR.exe

C:\Windows\System\EPMExxR.exe

C:\Windows\System\vAJCkaN.exe

C:\Windows\System\vAJCkaN.exe

C:\Windows\System\JdVzYaj.exe

C:\Windows\System\JdVzYaj.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp
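Parsed, the Network table separates into three groups: DNS traffic to 8.8.8.8 (13 reverse lookups of cloud and CDN addresses plus two forward lookups of Bing hosts), HTTPS to a Bing front end, and six TCP connections to 3.120.209.58:8080 with no hostname at all. The script below is an added example for this page, not part of the report. It copies the table rows verbatim, decodes the in-addr.arpa names back to the addresses being looked up, and files each flow under resolver, background or candidate C2. The report gives no process for any flow, so the Bing allowlist is an analyst assumption (a Windows 10 sandbox image contacts those hosts on its own), not something the report states.

```python
"""Sort the Network table above into DNS lookups, sandbox background traffic
and candidate C2 endpoints.  Added example for this page; not part of the
sandbox report.  Rows copied verbatim from the table above.
"""
import ipaddress
import re
from collections import Counter

NETWORK_ROWS = """\
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp
""".splitlines()

# "CC ip:port [domain] proto"; the domain column is absent for raw connections.
ROW_RE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)"
                    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")

# Hosts a Win10 image contacts on its own.  Assumption for this example;
# drop a name from here if process context ties it to the sample.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")


def ptr_to_ip(name):
    """Decode a reverse-DNS name such as 58.55.71.13.in-addr.arpa to 13.71.55.58."""
    name = name.lower()
    if not name.endswith(".in-addr.arpa"):
        return None
    labels = name[: -len(".in-addr.arpa")].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ipaddress.AddressValueError:
        return None


def is_background(domain):
    return bool(domain) and domain.lower().endswith(BACKGROUND_SUFFIXES)


def triage(rows):
    """Bucket each flow; non-DNS traffic to a host that is neither resolved
    nor allowlisted is the C2 candidate set."""
    out = {"dns_resolvers": set(), "ptr_lookups": [], "forward_lookups": [],
           "background": Counter(), "c2_candidates": Counter(), "unparsed": []}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            if row.strip():
                out["unparsed"].append(row)
            continue
        ip, port, domain, proto = m["ip"], int(m["port"]), m["domain"], m["proto"]
        if port == 53 and proto == "udp":
            out["dns_resolvers"].add(ip)
            target = ptr_to_ip(domain or "")
            if target:
                out["ptr_lookups"].append(target)
            elif domain:
                out["forward_lookups"].append(domain)
        elif is_background(domain):
            out["background"][(ip, port, domain)] += 1
        else:
            out["c2_candidates"][(ip, port, proto)] += 1
    return out


if __name__ == "__main__":
    r = triage(NETWORK_ROWS)
    for (ip, port, proto), n in r["c2_candidates"].most_common():
        print(f"candidate C2: {ip}:{port}/{proto} seen {n}x, no hostname")
    print("background:", dict(r["background"]))
    print("reverse lookups for:", ", ".join(sorted(r["ptr_lookups"])))
```

The only endpoint that survives the filter is 3.120.209.58:8080, contacted six times over the run with no DNS query for it anywhere in the table, which is the shape of a hard-coded beacon address. Treat it as the indicator to block and pivot on, and keep the Bing and PTR rows out of any IOC list unless process context ties them to the sample.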

Files

memory/2136-0-0x00007FF6F9BF0000-0x00007FF6F9F41000-memory.dmp

memory/2136-1-0x000001C8B2DD0000-0x000001C8B2DE0000-memory.dmp

C:\Windows\System\oRRtTCI.exe

MD5 5eab4f5dcf43bfec40f8074c16b07851
SHA1 db5bd80d105e7f1d1400d99bea6a40d058417bdd
SHA256 34c3191c3623f0f763d29b1029844bf56b9923897f34751f6092e06dcded4c55
SHA512 a22d1814fd7ee7911068fd0e02fb0f21a6e2edd3115706977548b26125e3c3127fd0638eb96acc1650a8eb818fb1e1bdedc5dd9e2364f87fff2f39b1c2886849

memory/1048-10-0x00007FF7C7840000-0x00007FF7C7B91000-memory.dmp

C:\Windows\System\KrUakhk.exe

MD5 2198cfe0ee6c551a6d54724e0a6a46d6
SHA1 37452e4c655ce78ab70bc99754f1af8ef1464b7f
SHA256 ba6ac49873d71a52f90d8609dd6dad37e8df179324279ca444d4a72c6e131ba2
SHA512 71721dee3c04bec04c53b160fbb5cc44d0bf3504133e06e59648013bd2f8c574018999aec0337d48cb0b9d0f8bacde809b44b8300ffd582c7ffb6b06cd938b65

C:\Windows\System\Embmesa.exe

MD5 0e556ec8c4b4bcb2ebca98d71594f3c4
SHA1 5c7f330c346a0d9cc4b96492cf8a306448baa526
SHA256 a2a19b3de04b80df71d1fab5e0baa4cea3f9deab6d3bbe6073394311f1da3be2
SHA512 fedc2e8e291b5ce63b1fad5e164a8e7da6811a1933b0455179ef3a0854e1c6548303dd8fb43b5dd63fb7d4c9a4aafe7e261c34e985d706c05158fb0bb8243276

memory/5036-14-0x00007FF7A26C0000-0x00007FF7A2A11000-memory.dmp

memory/2012-18-0x00007FF77F9A0000-0x00007FF77FCF1000-memory.dmp

memory/1008-24-0x00007FF7BA840000-0x00007FF7BAB91000-memory.dmp

C:\Windows\System\iLzYOVN.exe

MD5 0fd89f2fa5c4efa1e159e641de02dc83
SHA1 9ed26af9ff6edd0579f03491f72e40564407291e
SHA256 db2f515659390abec83bd948aeaaff3d4b4a2bd56af346931120351fde95b991
SHA512 f5564266de7477f3f9a64f8b7bec8617fb07a21a5d4a21b1ea074df9afd409cf4d88f917f6bfb1a80a02a64602ce6206a25d41512f277ab4737c98115f67ca6e

C:\Windows\System\ictdtEJ.exe

MD5 95225f581166c12ed95a3e80c92f85a1
SHA1 3186aa1d745526deabca19e8a3c6f985fd01a0c8
SHA256 ff6e3305f1bc6f335d826501727f43bef8850b00b229486fcdbd0a23ebf4c3e0
SHA512 8459f2a593bb88009f1b22ecb890276ab528996c9ae3cc778577bd0c31fa7d7ec836a22c423f0f555e1328f091641c2bc0e50bfc9024a2b27797456e507acc8c

C:\Windows\System\REtyjwN.exe

MD5 7c0cc1f9b82e2ce6e51b791f6262a717
SHA1 fc4035b68b0b6f83841f8273b0b4d544c2e223e6
SHA256 7ec94258e6fceb0a58e50f4c236f4cbc8a5d5c7ee429295529025de816013cc7
SHA512 908768b8fd10f3e5f6a110388a287ffdd71ca51f6ac95685bfbe60b4f3dbdb558d26ead5b40f97d4a2590f7ff6db3d03bd3cfc1824b8fb463197e82d147da6da

C:\Windows\System\FkqZioe.exe

MD5 34674eacb0e9f16914c90fa40185e6ac
SHA1 e2cd938ba22481fe740b8d5d14469b31e1eab4ff
SHA256 1a78ef9a889c55b2a5cc660a00210524dbd504644a3e39dd0ed1746d3663247b
SHA512 fb9586731c475edcef2390f8ad2f99c4b0b5cf404666237a4222fb97e4a06ed8e7e2f18ff1139d72dc047be318a33e7770de9dae96dfdbb59165cacbe130b836

memory/3088-50-0x00007FF6C3780000-0x00007FF6C3AD1000-memory.dmp

C:\Windows\System\mNwxkki.exe

MD5 425d33574ae02336a558f6189c824351
SHA1 4a86067dfaea7d25fca397ddfc1c174f48b3cbe9
SHA256 b0ee595d1545f366648a0ee442cf60adc981b56b1f69295471f38798784a3ac8
SHA512 4b065e8d8fd5b7bdf86081df07eeeaddcadcfb4759407ea956861f04ed6217ae9f63e879e208e343fe6cef328c8671f722c754aa656267aeba2fa9e5b8cd7ddd

memory/3268-54-0x00007FF775310000-0x00007FF775661000-memory.dmp

memory/2420-45-0x00007FF7344A0000-0x00007FF7347F1000-memory.dmp

memory/2264-39-0x00007FF753120000-0x00007FF753471000-memory.dmp

C:\Windows\System\UfIxVZM.exe

MD5 a1f4acd27d19a26cd71bff0ea77f5643
SHA1 c27672b17526de1c68559a06db9d4d27d0887d92
SHA256 11c89f2d846a79cb5a78d64240c83ada0119f8987d3bc2906899ae715b31a153
SHA512 c1b54bc2639e91042676e5b35a2cc2bf45a0ef0be784ea8feb523050e366f00206431f77123ac569b39b1b6b737063af5dbda2eec385d69ee2f718e8b34eeb29

memory/2796-32-0x00007FF7E5C80000-0x00007FF7E5FD1000-memory.dmp

memory/2136-60-0x00007FF6F9BF0000-0x00007FF6F9F41000-memory.dmp

C:\Windows\System\gPpDbmk.exe

MD5 d91a826b4fbafbea5a3933d23846f5c9
SHA1 86c69c602c5c7b529381b62d984a26ebe3486f64
SHA256 85dcc126bb75a5761b6c3ddb773b5bf2a6f05b2c23294160e20e4f110d02c213
SHA512 8aeda76537fa3f0f0238534fbeea252cf84f81bf612e1e8542c3367a1daa2a89377474b8bbf9ad8473419573f1d01682d8263299672272ba0576c7e113cf5215

memory/232-62-0x00007FF72E440000-0x00007FF72E791000-memory.dmp

memory/1484-69-0x00007FF6188C0000-0x00007FF618C11000-memory.dmp

C:\Windows\System\dudZkib.exe

MD5 3c54aceccd38a1d905ab0312b3eaf67f
SHA1 a4f4f19ec7f2a1025ffa11721f926406abd08465
SHA256 1edf5fede5152dd711b118095c2c2ee71324d105f87a56e88b8564b918f478e2
SHA512 0da61d1b64eaa82ffb8ea8bedef7e9abb3edd41f0dcdcf874c94cf4c3bc42c440e322086d3124831984c4a9db5a821910e49ea429fb66a55f10a57fbdc36c66c

memory/2188-76-0x00007FF6A46C0000-0x00007FF6A4A11000-memory.dmp

C:\Windows\System\KAnawDp.exe

MD5 835f32bd285f902ae57a82eb2fa1b5bf
SHA1 db41677036a49ffc6b09b4c9e17652763a7d9d6e
SHA256 e34c899f734c8430684dd888cc5ae42f5306e3b94e44ed6d4c4995f49ce4ffc3
SHA512 34489b001cc836e9ef3236549c654144e4cd7f5e086f12b5085eb3cda09d57836e8392d03b6b183b022e1577ae9291139d59c3c66a6f78264e93d0eb24115889

memory/2040-82-0x00007FF7DDFA0000-0x00007FF7DE2F1000-memory.dmp

memory/2012-81-0x00007FF77F9A0000-0x00007FF77FCF1000-memory.dmp

memory/5036-74-0x00007FF7A26C0000-0x00007FF7A2A11000-memory.dmp

C:\Windows\System\vxEkuLR.exe

MD5 93fee067550746c8e7a6d12552746847
SHA1 5141c2c2307421f9d979d2ceab7519421da00447
SHA256 63c77860c0326d0f21d5abe9cd275a0779db52bb477806f96bcc755eb4837316
SHA512 1bcb606a2f3ce2a0c6a686db4d12c3f1392afa8b56ef7a0da861be9e0943e3463b506bd5f0c3b72ab1c061b3698ee425844dde83a7fc607d6d9a2da1c9ee3b75

memory/2796-97-0x00007FF7E5C80000-0x00007FF7E5FD1000-memory.dmp

C:\Windows\System\iUUeLBg.exe

MD5 1084d995ed9b19bb30f8e116ca7d3f41
SHA1 327f57d3193fc3554cf5d025d40b53a09c2e8eed
SHA256 73e280c9c3caff31d3cc43930725ea15aa7e6adf7775ddfe1b264e8bf608b946
SHA512 aafb60d35494ead3f52d6b83db8da373e0207dd6a80f769770d8aa6aee0b301a549aa24c1a9f6f072abbfe360cc997e893a4cb4375e3752a470bf715b56542ea

C:\Windows\System\WRxbUyK.exe

MD5 fcb04ef8ac51b614bde32923491dc794
SHA1 236ed00b27fd38d31c0e2eab791f4afe0565729b
SHA256 1228ca18039cdb2159089a36f3d4fca39b5f3c0aac75852c1bb767bed485d14a
SHA512 205f0a1be1c083e525b291a0f1765fc902d1d052a37d9f01c24f563c1d8fb45453984247727b9553c45c72fdeedb1a561fc8294f42fcf5a8c90dcf58d33f5ef3

memory/2420-120-0x00007FF7344A0000-0x00007FF7347F1000-memory.dmp

memory/2204-126-0x00007FF64D150000-0x00007FF64D4A1000-memory.dmp

memory/3268-130-0x00007FF775310000-0x00007FF775661000-memory.dmp

C:\Windows\System\JdVzYaj.exe

MD5 aa8fdbb5fb52bfd1a1cafcdc6e1b3d28
SHA1 71d3336a565fbe4dd3dd55f153aba6e8a32ad111
SHA256 931434d1cf24a8f6b70b6567892afb90aaae1e7b37a4e847a933072ae660fe39
SHA512 28b2bf853055a8bff18add15439ad7243b35b0cf82f7ae9f8d0fde2950ec37aab9ba724e711f25f0efefd97b57f1f15dd9449911562906c8ab517d91d8033ed5

memory/728-136-0x00007FF7D8F60000-0x00007FF7D92B1000-memory.dmp

memory/232-135-0x00007FF72E440000-0x00007FF72E791000-memory.dmp

C:\Windows\System\vAJCkaN.exe

MD5 0647931659a2d119e0d4825e35c12ebd
SHA1 0fd6ffaaec4d548c88e5f75f1dc005f38d53b193
SHA256 94ac23713c55ef8ce9ceea96469f18fafe42eae74a8dd77277bc96e683847417
SHA512 549e600cf6d77ad5af01597fef3f482daf4741d61233a43772565e146f393483e57fc6898a6b776104ed362f5e43c94103716c5b4bf2a9583bb77286a4df7021

C:\Windows\System\EPMExxR.exe

MD5 4d9659b0568feb3f43cb023f77e237c4
SHA1 7a435d048501f320b1c32c32203ca49f8376d1b4
SHA256 13ad9471df6945f07e9e4c462a4857ede81aba94db039655dc33f4c8f8f49a58
SHA512 254e764f0c7643c59ae9b66143652af13cd70a5ff4ccb276f9660d4840bb18fb8c59afddb091ef27e0d262a89a62009b9a49cb7c3ca1e666754e4d9ac797dc2b

memory/2164-127-0x00007FF767FF0000-0x00007FF768341000-memory.dmp

C:\Windows\System\lOhJdGm.exe

MD5 bb7e32b71515bbd56edd4b84f3e6b4f5
SHA1 75a6d84d7963678e50d98af5a8fb30f56224c6a8
SHA256 7a83318a2e483d426d526642fd406b257ec729cd304f3f30a14af856a6499c9c
SHA512 08a16ed7ae898349d86b01cd4b967b9abb0de392fdad32d4c8ae95e58fff2c942b64346d6a8576b3e34b3ad9ee5108a851c14c8e7eab0ee9957a21257e7067de

memory/1120-122-0x00007FF671B00000-0x00007FF671E51000-memory.dmp

memory/3088-121-0x00007FF6C3780000-0x00007FF6C3AD1000-memory.dmp

memory/4296-115-0x00007FF61F620000-0x00007FF61F971000-memory.dmp

C:\Windows\System\zVdABjv.exe

MD5 102ff6daeb52dd11bac1b0e670d96b15
SHA1 20d4b79c56cbe7ab05eb5ab154236514a480c169
SHA256 991f2e3a5b4b9a4fb0ea42654417a040901701345cb19626a077a36e8b040cd8
SHA512 dc6e10912fb55bc36c58c4f20c66da90b80eafc398da3df3c1ab1e4d9352891b8975685f47d32bf1e9b7cd0375d856d9fd6a21994dad33042efa274cb16df693

memory/1896-108-0x00007FF67A670000-0x00007FF67A9C1000-memory.dmp

memory/2264-107-0x00007FF753120000-0x00007FF753471000-memory.dmp

memory/1916-98-0x00007FF74EC80000-0x00007FF74EFD1000-memory.dmp

memory/2500-89-0x00007FF6878E0000-0x00007FF687C31000-memory.dmp

memory/1008-88-0x00007FF7BA840000-0x00007FF7BAB91000-memory.dmp

memory/1048-67-0x00007FF7C7840000-0x00007FF7C7B91000-memory.dmp

C:\Windows\System\YBUCSmz.exe

MD5 e841d30528acfe339f56cef7a4fe1bf3
SHA1 c26a4354a39f3d2748efc1df903f7dab4a760a9c
SHA256 d6a740d38641f31be8335a581fc9bc9618ad1444b2c875f3c5ce12190e66ffba
SHA512 fe37af22de9e31bc450244db52a3ec3e94c5eb09004ab911dbb6de3cdadd7e38dfe7ba2c39e8f2bebc1e12289b71adb08e5d5a8c8fb96d4afe697bd614e127a5

memory/1484-139-0x00007FF6188C0000-0x00007FF618C11000-memory.dmp

memory/2188-140-0x00007FF6A46C0000-0x00007FF6A4A11000-memory.dmp

memory/2040-142-0x00007FF7DDFA0000-0x00007FF7DE2F1000-memory.dmp

memory/2136-141-0x00007FF6F9BF0000-0x00007FF6F9F41000-memory.dmp

memory/2500-153-0x00007FF6878E0000-0x00007FF687C31000-memory.dmp

memory/4296-163-0x00007FF61F620000-0x00007FF61F971000-memory.dmp

memory/1916-162-0x00007FF74EC80000-0x00007FF74EFD1000-memory.dmp

memory/1896-160-0x00007FF67A670000-0x00007FF67A9C1000-memory.dmp

memory/1120-161-0x00007FF671B00000-0x00007FF671E51000-memory.dmp

memory/2204-164-0x00007FF64D150000-0x00007FF64D4A1000-memory.dmp

memory/2164-165-0x00007FF767FF0000-0x00007FF768341000-memory.dmp

memory/728-166-0x00007FF7D8F60000-0x00007FF7D92B1000-memory.dmp

memory/2136-167-0x00007FF6F9BF0000-0x00007FF6F9F41000-memory.dmp

memory/1048-216-0x00007FF7C7840000-0x00007FF7C7B91000-memory.dmp

memory/5036-218-0x00007FF7A26C0000-0x00007FF7A2A11000-memory.dmp

memory/2012-227-0x00007FF77F9A0000-0x00007FF77FCF1000-memory.dmp

memory/1008-229-0x00007FF7BA840000-0x00007FF7BAB91000-memory.dmp

memory/2796-231-0x00007FF7E5C80000-0x00007FF7E5FD1000-memory.dmp

memory/2264-233-0x00007FF753120000-0x00007FF753471000-memory.dmp

memory/2420-235-0x00007FF7344A0000-0x00007FF7347F1000-memory.dmp

memory/3088-237-0x00007FF6C3780000-0x00007FF6C3AD1000-memory.dmp

memory/3268-239-0x00007FF775310000-0x00007FF775661000-memory.dmp

memory/232-251-0x00007FF72E440000-0x00007FF72E791000-memory.dmp

memory/1484-253-0x00007FF6188C0000-0x00007FF618C11000-memory.dmp

memory/2188-255-0x00007FF6A46C0000-0x00007FF6A4A11000-memory.dmp

memory/2040-257-0x00007FF7DDFA0000-0x00007FF7DE2F1000-memory.dmp

memory/2500-259-0x00007FF6878E0000-0x00007FF687C31000-memory.dmp

memory/1916-261-0x00007FF74EC80000-0x00007FF74EFD1000-memory.dmp

memory/1896-263-0x00007FF67A670000-0x00007FF67A9C1000-memory.dmp

memory/4296-265-0x00007FF61F620000-0x00007FF61F971000-memory.dmp

memory/1120-268-0x00007FF671B00000-0x00007FF671E51000-memory.dmp

memory/2204-270-0x00007FF64D150000-0x00007FF64D4A1000-memory.dmp

memory/2164-272-0x00007FF767FF0000-0x00007FF768341000-memory.dmp

memory/728-274-0x00007FF7D8F60000-0x00007FF7D92B1000-memory.dmp
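Every memory dump name above encodes the PID, a dump sequence number and the virtual address range, so each process's layout can be recovered without the dumps themselves. Doing so shows that the dropper and all 21 children map a region of exactly 0x351000 bytes at a 0x00007FF6xxxxxxxx or 0x00007FF7xxxxxxxx base, the range where 64-bit ASLR-enabled images are placed. Twenty-one distinct SHA256 values over one identical image size is consistent with the same executable re-emitted with byte-level changes that alter the hash but not the layout; the report does not diff the files, so that is an inference, not a stated finding. The script below is an added example for this page, not part of the report. It parses an excerpt of the Files section (the first dump name for each PID plus two of the 21 dropped-file records, copied verbatim), checks each digest against its expected length, groups PIDs by region size, and emits a de-duplicated hash list for blocklisting.

```python
"""Recover structure from the Files section above: per-process memory regions
from the dump file names, and hashes for the dropped executables.
Added example for this page; not part of the sandbox report or its tooling.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
                     r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(?P<alg>MD5|SHA1|SHA256|SHA512) (?P<hex>[0-9a-f]+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # digest lengths in hex chars

# Excerpt copied from the Files section above: the first dump name for each
# PID plus two of the 21 dropped-file records (the others share this shape).
FILES_EXCERPT = r"""
memory/2136-0-0x00007FF6F9BF0000-0x00007FF6F9F41000-memory.dmp
memory/2136-1-0x000001C8B2DD0000-0x000001C8B2DE0000-memory.dmp
C:\Windows\System\oRRtTCI.exe
MD5 5eab4f5dcf43bfec40f8074c16b07851
SHA1 db5bd80d105e7f1d1400d99bea6a40d058417bdd
SHA256 34c3191c3623f0f763d29b1029844bf56b9923897f34751f6092e06dcded4c55
SHA512 a22d1814fd7ee7911068fd0e02fb0f21a6e2edd3115706977548b26125e3c3127fd0638eb96acc1650a8eb818fb1e1bdedc5dd9e2364f87fff2f39b1c2886849
memory/1048-10-0x00007FF7C7840000-0x00007FF7C7B91000-memory.dmp
C:\Windows\System\KrUakhk.exe
MD5 2198cfe0ee6c551a6d54724e0a6a46d6
SHA1 37452e4c655ce78ab70bc99754f1af8ef1464b7f
SHA256 ba6ac49873d71a52f90d8609dd6dad37e8df179324279ca444d4a72c6e131ba2
SHA512 71721dee3c04bec04c53b160fbb5cc44d0bf3504133e06e59648013bd2f8c574018999aec0337d48cb0b9d0f8bacde809b44b8300ffd582c7ffb6b06cd938b65
memory/5036-14-0x00007FF7A26C0000-0x00007FF7A2A11000-memory.dmp
memory/2012-18-0x00007FF77F9A0000-0x00007FF77FCF1000-memory.dmp
memory/1008-24-0x00007FF7BA840000-0x00007FF7BAB91000-memory.dmp
memory/2796-32-0x00007FF7E5C80000-0x00007FF7E5FD1000-memory.dmp
memory/2264-39-0x00007FF753120000-0x00007FF753471000-memory.dmp
memory/2420-45-0x00007FF7344A0000-0x00007FF7347F1000-memory.dmp
memory/3088-50-0x00007FF6C3780000-0x00007FF6C3AD1000-memory.dmp
memory/3268-54-0x00007FF775310000-0x00007FF775661000-memory.dmp
memory/232-62-0x00007FF72E440000-0x00007FF72E791000-memory.dmp
memory/1484-69-0x00007FF6188C0000-0x00007FF618C11000-memory.dmp
memory/2188-76-0x00007FF6A46C0000-0x00007FF6A4A11000-memory.dmp
memory/2040-82-0x00007FF7DDFA0000-0x00007FF7DE2F1000-memory.dmp
memory/2500-89-0x00007FF6878E0000-0x00007FF687C31000-memory.dmp
memory/1916-98-0x00007FF74EC80000-0x00007FF74EFD1000-memory.dmp
memory/1896-108-0x00007FF67A670000-0x00007FF67A9C1000-memory.dmp
memory/4296-115-0x00007FF61F620000-0x00007FF61F971000-memory.dmp
memory/1120-122-0x00007FF671B00000-0x00007FF671E51000-memory.dmp
memory/2204-126-0x00007FF64D150000-0x00007FF64D4A1000-memory.dmp
memory/2164-127-0x00007FF767FF0000-0x00007FF768341000-memory.dmp
memory/728-136-0x00007FF7D8F60000-0x00007FF7D92B1000-memory.dmp
"""


def parse_files_section(text):
    """Return (regions, files): regions as dicts with pid/seq/start/end/size,
    files as {path: {alg: hexdigest}}.  A hash line with no preceding path,
    or with the wrong digest length for its algorithm, is rejected."""
    regions, files, current = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := DUMP_RE.match(line):
            start, end = int(m["start"], 16), int(m["end"], 16)
            regions.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                            "start": start, "end": end, "size": end - start})
            current = None
        elif m := HASH_RE.match(line):
            if current is None or len(m["hex"]) != HEX_LEN[m["alg"]]:
                raise ValueError(f"malformed hash line: {line}")
            files[current][m["alg"]] = m["hex"]
        else:
            current = line                      # a file path opens a new record
            files.setdefault(current, {})
    return regions, files


def regions_by_size(regions):
    """Group PIDs by dumped region size.  One size shared by every child means
    the same image layout was loaded in each, whatever the on-disk hashes say."""
    groups = defaultdict(set)
    for r in regions:
        groups[r["size"]].add(r["pid"])
    return {size: sorted(pids) for size, pids in groups.items()}


def ioc_hashes(files, alg="SHA256"):
    """Sorted, de-duplicated digests of one algorithm, ready for a blocklist."""
    return sorted({h[alg] for h in files.values() if alg in h})


if __name__ == "__main__":
    regions, files = parse_files_section(FILES_EXCERPT)
    for size, pids in sorted(regions_by_size(regions).items(), reverse=True):
        print(f"region size 0x{size:X}: {len(pids)} PIDs -> {pids}")
    print("SHA256 IOCs:", *ioc_hashes(files), sep="\n  ")
```

Because the dump names show every copy landing at a different base with the same size, hashing the 21 files is a poor way to confirm they are one payload; comparing section tables or import hashes of the dropped files would be the next step. Hash-based blocking still needs all 21 SHA256 values, since each dropped copy differs on disk.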

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 04:56

Reported

2024-10-27 04:59

Platform

win7-20241010-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
(21 rows, all fields N/A: the matches were recorded without description, indicator, process or target)

Cobaltstrike

trojan backdoor cobaltstrike

Cobaltstrike family

cobaltstrike

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(44 rows, all fields N/A: the matches were recorded without description, indicator, process or target)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
(this row appears 21 times in the raw report: 21 loads attributed to the parent process, with no DLL path recorded)

UPX packed file

upx
Description Indicator Process Target
(61 rows in the raw report, all without description, indicator, process or target)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\WRxbUyK.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EPMExxR.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KrUakhk.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iLzYOVN.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gPpDbmk.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JdVzYaj.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\REtyjwN.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KAnawDp.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vxEkuLR.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YBUCSmz.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iUUeLBg.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lOhJdGm.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\oRRtTCI.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UfIxVZM.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FkqZioe.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dudZkib.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zVdABjv.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\vAJCkaN.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\Embmesa.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ictdtEJ.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mNwxkki.exe C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Each row below appears three times in the raw report; the triplicates are collapsed here. Every write comes from the parent (PID 3064) into a process it has just started from one of its own dropped files in C:\Windows\System, which is consistent with the parent spawning each dropped executable rather than with injection into a pre-existing foreign process; no write into any other process is recorded.

Description Indicator Process Target
PID 3064 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\oRRtTCI.exe
PID 3064 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\Embmesa.exe
PID 3064 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KrUakhk.exe
PID 3064 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iLzYOVN.exe
PID 3064 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ictdtEJ.exe
PID 3064 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UfIxVZM.exe
PID 3064 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FkqZioe.exe
PID 3064 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\REtyjwN.exe
PID 3064 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mNwxkki.exe
PID 3064 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YBUCSmz.exe
PID 3064 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gPpDbmk.exe
PID 3064 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dudZkib.exe
PID 3064 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KAnawDp.exe
PID 3064 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vxEkuLR.exe
PID 3064 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iUUeLBg.exe
PID 3064 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zVdABjv.exe
PID 3064 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WRxbUyK.exe
PID 3064 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lOhJdGm.exe
PID 3064 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EPMExxR.exe
PID 3064 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\vAJCkaN.exe
PID 3064 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JdVzYaj.exe
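
The "Drops file in Windows directory" and "Suspicious use of WriteProcessMemory" tables above are flat text with one row per event. The Python below is an added example, not part of the report and not the sandbox vendor's tooling: it parses rows in exactly that layout, collapses the repeated write events into one record per parent/child pair, rebuilds the parent-to-child map, and checks that every process written to was started from a file the same parent dropped (the CreateProcess pattern), so that any write into a process the parent did not itself drop stands out as a candidate for real injection. The rows embedded in it are copied from the report above (four of the 21 children); the only assumptions are the shortening of the parent's long filename to PARENT.exe and the function names.

```python
"""Rebuild the drop list and parent->child process map from the flattened
sandbox rows.  Added example, not part of the report or of any sandbox
vendor's code."""
import re
from collections import Counter, defaultdict

# Constructed input: rows copied from the report above (four of the 21
# children).  The parent's long filename is shortened to PARENT.exe.
DROP_ROWS = r"""
File created C:\Windows\System\oRRtTCI.exe C:\Users\Admin\AppData\Local\Temp\PARENT.exe N/A
File created C:\Windows\System\Embmesa.exe C:\Users\Admin\AppData\Local\Temp\PARENT.exe N/A
File created C:\Windows\System\KrUakhk.exe C:\Users\Admin\AppData\Local\Temp\PARENT.exe N/A
File created C:\Windows\System\iLzYOVN.exe C:\Users\Admin\AppData\Local\Temp\PARENT.exe N/A
"""

WPM_ROWS = r"""
PID 3064 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\PARENT.exe C:\Windows\System\oRRtTCI.exe
PID 3064 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\PARENT.exe C:\Windows\System\oRRtTCI.exe
PID 3064 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\PARENT.exe C:\Windows\System\oRRtTCI.exe
PID 3064 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\PARENT.exe C:\Windows\System\Embmesa.exe
PID 3064 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\PARENT.exe C:\Windows\System\Embmesa.exe
PID 3064 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\PARENT.exe C:\Windows\System\Embmesa.exe
PID 3064 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\PARENT.exe C:\Windows\System\KrUakhk.exe
PID 3064 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\PARENT.exe C:\Windows\System\KrUakhk.exe
PID 3064 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\PARENT.exe C:\Windows\System\KrUakhk.exe
PID 3064 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\PARENT.exe C:\Windows\System\iLzYOVN.exe
PID 3064 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\PARENT.exe C:\Windows\System\iLzYOVN.exe
PID 3064 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\PARENT.exe C:\Windows\System\iLzYOVN.exe
"""

# Column layout of the two tables: "Description Indicator Process Target".
DROP_RE = re.compile(r"^File created (?P<path>\S+) (?P<by>\S+) \S+$")
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ "
    r"(?P<src_path>\S+) (?P<dst_path>\S+)$"
)


def parse_drops(text):
    """Return {dropped_path: path_of_the_process_that_created_it}."""
    drops = {}
    for line in text.strip().splitlines():
        m = DROP_RE.match(line)
        if m:
            drops[m["path"]] = m["by"]
    return drops


def parse_wpm(text):
    """Collapse repeated rows into one record per (src_pid, dst_pid)."""
    recs = {}
    for line in text.strip().splitlines():
        m = WPM_RE.match(line)
        if not m:
            continue
        key = (int(m["src"]), int(m["dst"]))
        rec = recs.setdefault(
            key, {"src": m["src_path"], "dst": m["dst_path"], "events": 0}
        )
        rec["events"] += 1
    return recs


def process_tree(recs):
    """{parent_pid: [(child_pid, child_image), ...]} in first-seen order."""
    tree = defaultdict(list)
    for (src, dst), rec in recs.items():
        tree[src].append((dst, rec["dst"]))
    return dict(tree)


def unexplained_targets(drops, recs):
    """Images written to that the writer did not itself drop.  Writes into a
    child just started from the parent's own dropped file are what
    CreateProcess produces; anything else deserves a closer look."""
    return sorted({r["dst"] for r in recs.values() if r["dst"] not in drops})


def summarize(drop_text=DROP_ROWS, wpm_text=WPM_ROWS):
    drops = parse_drops(drop_text)
    recs = parse_wpm(wpm_text)
    tree = process_tree(recs)
    return {
        "dropped": len(drops),
        "children": {pid: len(kids) for pid, kids in tree.items()},
        "events_per_child": Counter(r["events"] for r in recs.values()),
        "unexplained": unexplained_targets(drops, recs),
    }


if __name__ == "__main__":
    for parent, kids in process_tree(parse_wpm(WPM_ROWS)).items():
        for pid, image in kids:
            print(f"{parent} -> {pid} {image}")
    print(summarize())
```

Run on the full 21-child tables the same code yields one parent with 21 children, three write events per child and an empty "unexplained" list.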

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-27_38cd60aaa9444267c2673b5c089a11bc_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\oRRtTCI.exe

C:\Windows\System\oRRtTCI.exe

C:\Windows\System\Embmesa.exe

C:\Windows\System\Embmesa.exe

C:\Windows\System\KrUakhk.exe

C:\Windows\System\KrUakhk.exe

C:\Windows\System\iLzYOVN.exe

C:\Windows\System\iLzYOVN.exe

C:\Windows\System\ictdtEJ.exe

C:\Windows\System\ictdtEJ.exe

C:\Windows\System\UfIxVZM.exe

C:\Windows\System\UfIxVZM.exe

C:\Windows\System\FkqZioe.exe

C:\Windows\System\FkqZioe.exe

C:\Windows\System\REtyjwN.exe

C:\Windows\System\REtyjwN.exe

C:\Windows\System\mNwxkki.exe

C:\Windows\System\mNwxkki.exe

C:\Windows\System\YBUCSmz.exe

C:\Windows\System\YBUCSmz.exe

C:\Windows\System\gPpDbmk.exe

C:\Windows\System\gPpDbmk.exe

C:\Windows\System\dudZkib.exe

C:\Windows\System\dudZkib.exe

C:\Windows\System\KAnawDp.exe

C:\Windows\System\KAnawDp.exe

C:\Windows\System\vxEkuLR.exe

C:\Windows\System\vxEkuLR.exe

C:\Windows\System\iUUeLBg.exe

C:\Windows\System\iUUeLBg.exe

C:\Windows\System\zVdABjv.exe

C:\Windows\System\zVdABjv.exe

C:\Windows\System\WRxbUyK.exe

C:\Windows\System\WRxbUyK.exe

C:\Windows\System\lOhJdGm.exe

C:\Windows\System\lOhJdGm.exe

C:\Windows\System\EPMExxR.exe

C:\Windows\System\EPMExxR.exe

C:\Windows\System\vAJCkaN.exe

C:\Windows\System\vAJCkaN.exe

C:\Windows\System\JdVzYaj.exe

C:\Windows\System\JdVzYaj.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp
(this row appears six times in the raw report: six TCP connections to the same destination, with no domain recorded)

Files

memory/3064-0-0x000000013FBB0000-0x000000013FF01000-memory.dmp

memory/3064-1-0x0000000001B20000-0x0000000001B30000-memory.dmp

memory/3064-7-0x0000000002100000-0x0000000002451000-memory.dmp

C:\Windows\system\oRRtTCI.exe

MD5 5eab4f5dcf43bfec40f8074c16b07851
SHA1 db5bd80d105e7f1d1400d99bea6a40d058417bdd
SHA256 34c3191c3623f0f763d29b1029844bf56b9923897f34751f6092e06dcded4c55
SHA512 a22d1814fd7ee7911068fd0e02fb0f21a6e2edd3115706977548b26125e3c3127fd0638eb96acc1650a8eb818fb1e1bdedc5dd9e2364f87fff2f39b1c2886849

C:\Windows\system\Embmesa.exe

MD5 0e556ec8c4b4bcb2ebca98d71594f3c4
SHA1 5c7f330c346a0d9cc4b96492cf8a306448baa526
SHA256 a2a19b3de04b80df71d1fab5e0baa4cea3f9deab6d3bbe6073394311f1da3be2
SHA512 fedc2e8e291b5ce63b1fad5e164a8e7da6811a1933b0455179ef3a0854e1c6548303dd8fb43b5dd63fb7d4c9a4aafe7e261c34e985d706c05158fb0bb8243276

C:\Windows\system\KrUakhk.exe

MD5 2198cfe0ee6c551a6d54724e0a6a46d6
SHA1 37452e4c655ce78ab70bc99754f1af8ef1464b7f
SHA256 ba6ac49873d71a52f90d8609dd6dad37e8df179324279ca444d4a72c6e131ba2
SHA512 71721dee3c04bec04c53b160fbb5cc44d0bf3504133e06e59648013bd2f8c574018999aec0337d48cb0b9d0f8bacde809b44b8300ffd582c7ffb6b06cd938b65

\Windows\system\iLzYOVN.exe

MD5 0fd89f2fa5c4efa1e159e641de02dc83
SHA1 9ed26af9ff6edd0579f03491f72e40564407291e
SHA256 db2f515659390abec83bd948aeaaff3d4b4a2bd56af346931120351fde95b991
SHA512 f5564266de7477f3f9a64f8b7bec8617fb07a21a5d4a21b1ea074df9afd409cf4d88f917f6bfb1a80a02a64602ce6206a25d41512f277ab4737c98115f67ca6e

C:\Windows\system\UfIxVZM.exe

MD5 a1f4acd27d19a26cd71bff0ea77f5643
SHA1 c27672b17526de1c68559a06db9d4d27d0887d92
SHA256 11c89f2d846a79cb5a78d64240c83ada0119f8987d3bc2906899ae715b31a153
SHA512 c1b54bc2639e91042676e5b35a2cc2bf45a0ef0be784ea8feb523050e366f00206431f77123ac569b39b1b6b737063af5dbda2eec385d69ee2f718e8b34eeb29

C:\Windows\system\REtyjwN.exe

MD5 7c0cc1f9b82e2ce6e51b791f6262a717
SHA1 fc4035b68b0b6f83841f8273b0b4d544c2e223e6
SHA256 7ec94258e6fceb0a58e50f4c236f4cbc8a5d5c7ee429295529025de816013cc7
SHA512 908768b8fd10f3e5f6a110388a287ffdd71ca51f6ac95685bfbe60b4f3dbdb558d26ead5b40f97d4a2590f7ff6db3d03bd3cfc1824b8fb463197e82d147da6da

\Windows\system\zVdABjv.exe

MD5 102ff6daeb52dd11bac1b0e670d96b15
SHA1 20d4b79c56cbe7ab05eb5ab154236514a480c169
SHA256 991f2e3a5b4b9a4fb0ea42654417a040901701345cb19626a077a36e8b040cd8
SHA512 dc6e10912fb55bc36c58c4f20c66da90b80eafc398da3df3c1ab1e4d9352891b8975685f47d32bf1e9b7cd0375d856d9fd6a21994dad33042efa274cb16df693

C:\Windows\system\EPMExxR.exe

MD5 4d9659b0568feb3f43cb023f77e237c4
SHA1 7a435d048501f320b1c32c32203ca49f8376d1b4
SHA256 13ad9471df6945f07e9e4c462a4857ede81aba94db039655dc33f4c8f8f49a58
SHA512 254e764f0c7643c59ae9b66143652af13cd70a5ff4ccb276f9660d4840bb18fb8c59afddb091ef27e0d262a89a62009b9a49cb7c3ca1e666754e4d9ac797dc2b

C:\Windows\system\vAJCkaN.exe

MD5 0647931659a2d119e0d4825e35c12ebd
SHA1 0fd6ffaaec4d548c88e5f75f1dc005f38d53b193
SHA256 94ac23713c55ef8ce9ceea96469f18fafe42eae74a8dd77277bc96e683847417
SHA512 549e600cf6d77ad5af01597fef3f482daf4741d61233a43772565e146f393483e57fc6898a6b776104ed362f5e43c94103716c5b4bf2a9583bb77286a4df7021

C:\Windows\system\JdVzYaj.exe

MD5 aa8fdbb5fb52bfd1a1cafcdc6e1b3d28
SHA1 71d3336a565fbe4dd3dd55f153aba6e8a32ad111
SHA256 931434d1cf24a8f6b70b6567892afb90aaae1e7b37a4e847a933072ae660fe39
SHA512 28b2bf853055a8bff18add15439ad7243b35b0cf82f7ae9f8d0fde2950ec37aab9ba724e711f25f0efefd97b57f1f15dd9449911562906c8ab517d91d8033ed5

C:\Windows\system\lOhJdGm.exe

MD5 bb7e32b71515bbd56edd4b84f3e6b4f5
SHA1 75a6d84d7963678e50d98af5a8fb30f56224c6a8
SHA256 7a83318a2e483d426d526642fd406b257ec729cd304f3f30a14af856a6499c9c
SHA512 08a16ed7ae898349d86b01cd4b967b9abb0de392fdad32d4c8ae95e58fff2c942b64346d6a8576b3e34b3ad9ee5108a851c14c8e7eab0ee9957a21257e7067de

memory/3064-96-0x000000013F4F0000-0x000000013F841000-memory.dmp

memory/3064-95-0x000000013FFB0000-0x0000000140301000-memory.dmp

memory/2884-94-0x000000013FFF0000-0x0000000140341000-memory.dmp

memory/3064-93-0x000000013FFF0000-0x0000000140341000-memory.dmp

memory/1200-92-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

memory/3064-90-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

C:\Windows\system\vxEkuLR.exe

MD5 93fee067550746c8e7a6d12552746847
SHA1 5141c2c2307421f9d979d2ceab7519421da00447
SHA256 63c77860c0326d0f21d5abe9cd275a0779db52bb477806f96bcc755eb4837316
SHA512 1bcb606a2f3ce2a0c6a686db4d12c3f1392afa8b56ef7a0da861be9e0943e3463b506bd5f0c3b72ab1c061b3698ee425844dde83a7fc607d6d9a2da1c9ee3b75

C:\Windows\system\WRxbUyK.exe

MD5 fcb04ef8ac51b614bde32923491dc794
SHA1 236ed00b27fd38d31c0e2eab791f4afe0565729b
SHA256 1228ca18039cdb2159089a36f3d4fca39b5f3c0aac75852c1bb767bed485d14a
SHA512 205f0a1be1c083e525b291a0f1765fc902d1d052a37d9f01c24f563c1d8fb45453984247727b9553c45c72fdeedb1a561fc8294f42fcf5a8c90dcf58d33f5ef3

C:\Windows\system\iUUeLBg.exe

MD5 1084d995ed9b19bb30f8e116ca7d3f41
SHA1 327f57d3193fc3554cf5d025d40b53a09c2e8eed
SHA256 73e280c9c3caff31d3cc43930725ea15aa7e6adf7775ddfe1b264e8bf608b946
SHA512 aafb60d35494ead3f52d6b83db8da373e0207dd6a80f769770d8aa6aee0b301a549aa24c1a9f6f072abbfe360cc997e893a4cb4375e3752a470bf715b56542ea

C:\Windows\system\KAnawDp.exe

MD5 835f32bd285f902ae57a82eb2fa1b5bf
SHA1 db41677036a49ffc6b09b4c9e17652763a7d9d6e
SHA256 e34c899f734c8430684dd888cc5ae42f5306e3b94e44ed6d4c4995f49ce4ffc3
SHA512 34489b001cc836e9ef3236549c654144e4cd7f5e086f12b5085eb3cda09d57836e8392d03b6b183b022e1577ae9291139d59c3c66a6f78264e93d0eb24115889

C:\Windows\system\dudZkib.exe

MD5 3c54aceccd38a1d905ab0312b3eaf67f
SHA1 a4f4f19ec7f2a1025ffa11721f926406abd08465
SHA256 1edf5fede5152dd711b118095c2c2ee71324d105f87a56e88b8564b918f478e2
SHA512 0da61d1b64eaa82ffb8ea8bedef7e9abb3edd41f0dcdcf874c94cf4c3bc42c440e322086d3124831984c4a9db5a821910e49ea429fb66a55f10a57fbdc36c66c

C:\Windows\system\gPpDbmk.exe

MD5 d91a826b4fbafbea5a3933d23846f5c9
SHA1 86c69c602c5c7b529381b62d984a26ebe3486f64
SHA256 85dcc126bb75a5761b6c3ddb773b5bf2a6f05b2c23294160e20e4f110d02c213
SHA512 8aeda76537fa3f0f0238534fbeea252cf84f81bf612e1e8542c3367a1daa2a89377474b8bbf9ad8473419573f1d01682d8263299672272ba0576c7e113cf5215

C:\Windows\system\YBUCSmz.exe

MD5 e841d30528acfe339f56cef7a4fe1bf3
SHA1 c26a4354a39f3d2748efc1df903f7dab4a760a9c
SHA256 d6a740d38641f31be8335a581fc9bc9618ad1444b2c875f3c5ce12190e66ffba
SHA512 fe37af22de9e31bc450244db52a3ec3e94c5eb09004ab911dbb6de3cdadd7e38dfe7ba2c39e8f2bebc1e12289b71adb08e5d5a8c8fb96d4afe697bd614e127a5

C:\Windows\system\mNwxkki.exe

MD5 425d33574ae02336a558f6189c824351
SHA1 4a86067dfaea7d25fca397ddfc1c174f48b3cbe9
SHA256 b0ee595d1545f366648a0ee442cf60adc981b56b1f69295471f38798784a3ac8
SHA512 4b065e8d8fd5b7bdf86081df07eeeaddcadcfb4759407ea956861f04ed6217ae9f63e879e208e343fe6cef328c8671f722c754aa656267aeba2fa9e5b8cd7ddd

C:\Windows\system\FkqZioe.exe

MD5 34674eacb0e9f16914c90fa40185e6ac
SHA1 e2cd938ba22481fe740b8d5d14469b31e1eab4ff
SHA256 1a78ef9a889c55b2a5cc660a00210524dbd504644a3e39dd0ed1746d3663247b
SHA512 fb9586731c475edcef2390f8ad2f99c4b0b5cf404666237a4222fb97e4a06ed8e7e2f18ff1139d72dc047be318a33e7770de9dae96dfdbb59165cacbe130b836

C:\Windows\system\ictdtEJ.exe

MD5 95225f581166c12ed95a3e80c92f85a1
SHA1 3186aa1d745526deabca19e8a3c6f985fd01a0c8
SHA256 ff6e3305f1bc6f335d826501727f43bef8850b00b229486fcdbd0a23ebf4c3e0
SHA512 8459f2a593bb88009f1b22ecb890276ab528996c9ae3cc778577bd0c31fa7d7ec836a22c423f0f555e1328f091641c2bc0e50bfc9024a2b27797456e507acc8c

memory/2332-27-0x000000013FB00000-0x000000013FE51000-memory.dmp

memory/2616-25-0x000000013FC40000-0x000000013FF91000-memory.dmp

memory/2960-116-0x000000013F4F0000-0x000000013F841000-memory.dmp

memory/3064-117-0x0000000002100000-0x0000000002451000-memory.dmp

memory/3008-118-0x000000013F960000-0x000000013FCB1000-memory.dmp

memory/3064-121-0x000000013F120000-0x000000013F471000-memory.dmp

memory/3064-123-0x0000000002100000-0x0000000002451000-memory.dmp

memory/3000-122-0x000000013F120000-0x000000013F471000-memory.dmp

memory/2928-126-0x000000013F260000-0x000000013F5B1000-memory.dmp

memory/3064-125-0x000000013F260000-0x000000013F5B1000-memory.dmp

memory/3064-129-0x000000013FF70000-0x00000001402C1000-memory.dmp

memory/2752-130-0x000000013FF70000-0x00000001402C1000-memory.dmp

memory/2472-135-0x000000013FFB0000-0x0000000140301000-memory.dmp

memory/3064-134-0x0000000002100000-0x0000000002451000-memory.dmp

memory/3064-133-0x0000000002100000-0x0000000002451000-memory.dmp

memory/2712-132-0x000000013F9F0000-0x000000013FD41000-memory.dmp

memory/3064-131-0x0000000002100000-0x0000000002451000-memory.dmp

memory/2836-128-0x000000013F040000-0x000000013F391000-memory.dmp

memory/3064-127-0x000000013F040000-0x000000013F391000-memory.dmp

memory/2860-124-0x000000013FBB0000-0x000000013FF01000-memory.dmp

memory/2804-120-0x000000013FE80000-0x00000001401D1000-memory.dmp

memory/3064-119-0x0000000002100000-0x0000000002451000-memory.dmp

memory/3064-136-0x000000013FBB0000-0x000000013FF01000-memory.dmp

memory/2616-137-0x000000013FC40000-0x000000013FF91000-memory.dmp

memory/2036-156-0x000000013FA10000-0x000000013FD61000-memory.dmp

memory/1900-157-0x000000013FB70000-0x000000013FEC1000-memory.dmp

memory/2596-155-0x000000013F0C0000-0x000000013F411000-memory.dmp

memory/1008-153-0x000000013F8B0000-0x000000013FC01000-memory.dmp

memory/2772-151-0x000000013FDF0000-0x0000000140141000-memory.dmp

memory/1072-154-0x000000013FC10000-0x000000013FF61000-memory.dmp

memory/1268-152-0x000000013FBF0000-0x000000013FF41000-memory.dmp

memory/3064-158-0x000000013FBB0000-0x000000013FF01000-memory.dmp

memory/3064-159-0x000000013F4F0000-0x000000013F841000-memory.dmp

memory/3064-160-0x000000013FBB0000-0x000000013FF01000-memory.dmp

memory/2616-212-0x000000013FC40000-0x000000013FF91000-memory.dmp

memory/2332-214-0x000000013FB00000-0x000000013FE51000-memory.dmp

memory/2884-216-0x000000013FFF0000-0x0000000140341000-memory.dmp

memory/1200-218-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

memory/2472-237-0x000000013FFB0000-0x0000000140301000-memory.dmp

memory/3000-241-0x000000013F120000-0x000000013F471000-memory.dmp

memory/2860-245-0x000000013FBB0000-0x000000013FF01000-memory.dmp

memory/2928-247-0x000000013F260000-0x000000013F5B1000-memory.dmp

memory/2712-253-0x000000013F9F0000-0x000000013FD41000-memory.dmp

memory/2752-251-0x000000013FF70000-0x00000001402C1000-memory.dmp

memory/2836-249-0x000000013F040000-0x000000013F391000-memory.dmp

memory/2804-243-0x000000013FE80000-0x00000001401D1000-memory.dmp

memory/2960-230-0x000000013F4F0000-0x000000013F841000-memory.dmp

memory/3008-239-0x000000013F960000-0x000000013FCB1000-memory.dmp
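
The Files section above mixes dropped-file hash blocks with memory-dump identifiers of the form memory/PID-SEQ-START-END-memory.dmp. The Python below is an added example, not part of the report and not the sandbox vendor's tooling: it parses a slice of that section (pasted from above: the parent's three dumps, two dropped files with their digests, and one dump for each of two children), checks that every digest has the length its algorithm requires, computes the size of each dumped region per PID, and flattens the hashes into SHA256/path rows for a blocklist. On this slice it shows that the parent's image region and each child's dumped region are the same size, 0x351000 bytes, while the parent's second dump is a separate 0x10000-byte region; the function names are the only assumptions.

```python
"""Parse the Files section of the report: dropped-file hash blocks and
memory/<pid>-<seq>-<start>-<end>-memory.dmp identifiers.  Added example,
not part of the report or of any sandbox vendor's code."""
import re
from collections import defaultdict

# Constructed input: a slice of the Files section above, pasted from the
# report (parent dumps, two dropped files, one dump per child).
FILES_TEXT = r"""
memory/3064-0-0x000000013FBB0000-0x000000013FF01000-memory.dmp
memory/3064-1-0x0000000001B20000-0x0000000001B30000-memory.dmp
memory/3064-7-0x0000000002100000-0x0000000002451000-memory.dmp

C:\Windows\system\oRRtTCI.exe

MD5 5eab4f5dcf43bfec40f8074c16b07851
SHA1 db5bd80d105e7f1d1400d99bea6a40d058417bdd
SHA256 34c3191c3623f0f763d29b1029844bf56b9923897f34751f6092e06dcded4c55
SHA512 a22d1814fd7ee7911068fd0e02fb0f21a6e2edd3115706977548b26125e3c3127fd0638eb96acc1650a8eb818fb1e1bdedc5dd9e2364f87fff2f39b1c2886849

C:\Windows\system\Embmesa.exe

MD5 0e556ec8c4b4bcb2ebca98d71594f3c4
SHA1 5c7f330c346a0d9cc4b96492cf8a306448baa526
SHA256 a2a19b3de04b80df71d1fab5e0baa4cea3f9deab6d3bbe6073394311f1da3be2
SHA512 fedc2e8e291b5ce63b1fad5e164a8e7da6811a1933b0455179ef3a0854e1c6548303dd8fb43b5dd63fb7d4c9a4aafe7e261c34e985d706c05158fb0bb8243276

memory/2616-25-0x000000013FC40000-0x000000013FF91000-memory.dmp
memory/2332-27-0x000000013FB00000-0x000000013FE51000-memory.dmp
"""

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_RE = re.compile(r"^(?P<alg>MD5|SHA1|SHA256|SHA512) (?P<hex>[0-9a-fA-F]+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files(text):
    """Return (dumps, artefacts).  dumps is a list of
    (pid, seq, start, end, size); artefacts maps a path to {alg: hex}."""
    dumps, artefacts, current = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            dumps.append((int(m["pid"]), int(m["seq"]), start, end, end - start))
            current = None          # a dump line closes any open hash block
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:
                artefacts[current][m["alg"]] = m["hex"].lower()
            continue
        current = line              # anything else opens a new hash block
        artefacts.setdefault(current, {})
    return dumps, artefacts


def bad_hashes(artefacts):
    """(path, alg) pairs whose digest has the wrong length for its
    algorithm: a truncated or mis-copied IOC that would never match."""
    return [(p, alg) for p, hs in artefacts.items()
            for alg, hx in hs.items() if len(hx) != HEX_LEN[alg]]


def region_sizes_by_pid(dumps):
    """{pid: sorted list of distinct dumped-region sizes}."""
    sizes = defaultdict(set)
    for pid, _seq, _start, _end, size in dumps:
        sizes[pid].add(size)
    return {pid: sorted(s) for pid, s in sizes.items()}


def size_common_to_all(sizes):
    """Region sizes present in every dumped PID.  A single value here means
    each child carries a mapped image the same size as the parent's."""
    common = None
    for s in sizes.values():
        common = set(s) if common is None else common & set(s)
    return sorted(common or [])


def ioc_rows(artefacts):
    """Flatten to (sha256, path) tuples ready for a blocklist or a hunt."""
    return sorted((h["SHA256"], p) for p, h in artefacts.items() if "SHA256" in h)


if __name__ == "__main__":
    dumps, artefacts = parse_files(FILES_TEXT)
    sizes = region_sizes_by_pid(dumps)
    print("bad digests:", bad_hashes(artefacts))
    print("region sizes:", {p: [hex(x) for x in v] for p, v in sizes.items()})
    print("common size:", [hex(x) for x in size_common_to_all(sizes)])
    for sha256, path in ioc_rows(artefacts):
        print(sha256, path)
```

Paste the whole Files section into FILES_TEXT and the same checks cover all 21 dropped files and every dump; a digest that fails bad_hashes should be re-copied from the source before it goes into a blocklist.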