Malware Analysis Report

2025-03-15 08:04

Sample ID 240813-pbh15sxdjj
Target 2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat
SHA256 a0e7fdd7aa26deaac321ade82e16de068909cf1342617747ffd4e9cb9d97d026
Tags upx 0 miner cobaltstrike xmrig backdoor trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 a0e7fdd7aa26deaac321ade82e16de068909cf1342617747ffd4e9cb9d97d026

Threat Level: Known bad

The file 2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

Tags upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike family
Cobaltstrike
xmrig
Cobalt Strike reflective loader
Xmrig family
XMRig Miner payload
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-08-13 12:09

Signatures

Cobalt Strike reflective loader

Cobaltstrike family (cobaltstrike)

XMRig Miner payload (miner)

Xmrig family (xmrig)

UPX packed file (upx)

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted 2024-08-13 12:09
Reported 2024-08-13 12:11
Platform win7-20240704-en
Max time kernel 149s
Max time network 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader


Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\UGBXSJq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HAlekrH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mjgbcgO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TwIGjwV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qEanfdY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fzPtDIJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qshehft.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\toyYnod.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jZZPzCQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XLanwMr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bpEbmEt.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\WeMCWHX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\emqHUbN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XgOEPXs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ldIkQsO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QORVmmY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DLhOLQx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XGtxCON.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FFQsmaX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kksdCQq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tiwkrkQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2284 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ldIkQsO.exe
PID 2284 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jZZPzCQ.exe
PID 2284 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XLanwMr.exe
PID 2284 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TwIGjwV.exe
PID 2284 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qEanfdY.exe
PID 2284 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QORVmmY.exe
PID 2284 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fzPtDIJ.exe
PID 2284 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bpEbmEt.exe
PID 2284 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qshehft.exe
PID 2284 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kksdCQq.exe
PID 2284 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tiwkrkQ.exe
PID 2284 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\WeMCWHX.exe
PID 2284 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\emqHUbN.exe
PID 2284 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XgOEPXs.exe
PID 2284 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\toyYnod.exe
PID 2284 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DLhOLQx.exe
PID 2284 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UGBXSJq.exe
PID 2284 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XGtxCON.exe
PID 2284 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HAlekrH.exe
PID 2284 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FFQsmaX.exe
PID 2284 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mjgbcgO.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\ldIkQsO.exe
C:\Windows\System\jZZPzCQ.exe
C:\Windows\System\XLanwMr.exe
C:\Windows\System\TwIGjwV.exe
C:\Windows\System\qEanfdY.exe
C:\Windows\System\QORVmmY.exe
C:\Windows\System\fzPtDIJ.exe
C:\Windows\System\bpEbmEt.exe
C:\Windows\System\qshehft.exe
C:\Windows\System\kksdCQq.exe
C:\Windows\System\tiwkrkQ.exe
C:\Windows\System\WeMCWHX.exe
C:\Windows\System\emqHUbN.exe
C:\Windows\System\XgOEPXs.exe
C:\Windows\System\toyYnod.exe
C:\Windows\System\DLhOLQx.exe
C:\Windows\System\UGBXSJq.exe
C:\Windows\System\XGtxCON.exe
C:\Windows\System\HAlekrH.exe
C:\Windows\System\FFQsmaX.exe
C:\Windows\System\mjgbcgO.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

\Windows\system\ldIkQsO.exe
C:\Windows\system\jZZPzCQ.exe
\Windows\system\XLanwMr.exe
\Windows\system\TwIGjwV.exe
C:\Windows\system\QORVmmY.exe
C:\Windows\system\qEanfdY.exe
C:\Windows\system\fzPtDIJ.exe
\Windows\system\qshehft.exe
\Windows\system\XgOEPXs.exe
C:\Windows\system\DLhOLQx.exe
C:\Windows\system\XGtxCON.exe
C:\Windows\system\HAlekrH.exe
C:\Windows\system\FFQsmaX.exe
\Windows\system\mjgbcgO.exe
C:\Windows\system\UGBXSJq.exe
C:\Windows\system\toyYnod.exe
C:\Windows\system\emqHUbN.exe
C:\Windows\system\tiwkrkQ.exe
C:\Windows\system\WeMCWHX.exe
C:\Windows\system\kksdCQq.exe
C:\Windows\system\bpEbmEt.exe

memory/1788-163-0x000000013FCF0000-0x0000000140041000-memory.dmp

memory/1172-165-0x000000013FBB0000-0x000000013FF01000-memory.dmp

memory/2352-164-0x000000013F6D0000-0x000000013FA21000-memory.dmp

memory/2100-162-0x000000013FA90000-0x000000013FDE1000-memory.dmp

memory/2760-161-0x000000013FC40000-0x000000013FF91000-memory.dmp

memory/2284-166-0x000000013F150000-0x000000013F4A1000-memory.dmp

memory/2284-167-0x000000013FA10000-0x000000013FD61000-memory.dmp

memory/2284-174-0x000000013F110000-0x000000013F461000-memory.dmp

memory/2284-188-0x000000013FED0000-0x0000000140221000-memory.dmp

memory/2284-191-0x000000013F370000-0x000000013F6C1000-memory.dmp

memory/2876-220-0x000000013F360000-0x000000013F6B1000-memory.dmp

memory/2360-222-0x000000013F140000-0x000000013F491000-memory.dmp

memory/2740-224-0x000000013F9D0000-0x000000013FD21000-memory.dmp

memory/2624-226-0x000000013F820000-0x000000013FB71000-memory.dmp

memory/2364-228-0x000000013FCD0000-0x0000000140021000-memory.dmp

memory/2548-230-0x000000013F5D0000-0x000000013F921000-memory.dmp

memory/568-232-0x000000013F340000-0x000000013F691000-memory.dmp

memory/2688-234-0x000000013F0E0000-0x000000013F431000-memory.dmp

memory/2588-236-0x000000013F570000-0x000000013F8C1000-memory.dmp

memory/2804-238-0x000000013F790000-0x000000013FAE1000-memory.dmp

memory/1532-240-0x000000013F150000-0x000000013F4A1000-memory.dmp

memory/2060-247-0x000000013F110000-0x000000013F461000-memory.dmp

memory/364-249-0x000000013FE20000-0x0000000140171000-memory.dmp

memory/2864-252-0x000000013FED0000-0x0000000140221000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 12:09

Reported

2024-08-13 12:11

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\nPMAmGW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RkZbWBl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YUgqxlX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SfVVOvC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\VNtJybB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mJvJNtQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mmqqqAv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LigrwTw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\myPjnDx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\sZINHrg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\CodfVmo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\fKoAGiW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IbtCsVu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kXsGRbs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SiToZwP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\paARHIo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HzDPBmu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\elmYXZH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\zvhhvtd.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BBHhwcw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YtvEbdC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2088 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SiToZwP.exe
PID 2088 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SiToZwP.exe
PID 2088 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nPMAmGW.exe
PID 2088 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nPMAmGW.exe
PID 2088 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mJvJNtQ.exe
PID 2088 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mJvJNtQ.exe
PID 2088 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CodfVmo.exe
PID 2088 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\CodfVmo.exe
PID 2088 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\paARHIo.exe
PID 2088 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\paARHIo.exe
PID 2088 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mmqqqAv.exe
PID 2088 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mmqqqAv.exe
PID 2088 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fKoAGiW.exe
PID 2088 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\fKoAGiW.exe
PID 2088 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LigrwTw.exe
PID 2088 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LigrwTw.exe
PID 2088 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\myPjnDx.exe
PID 2088 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\myPjnDx.exe
PID 2088 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sZINHrg.exe
PID 2088 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\sZINHrg.exe
PID 2088 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HzDPBmu.exe
PID 2088 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HzDPBmu.exe
PID 2088 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\elmYXZH.exe
PID 2088 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\elmYXZH.exe
PID 2088 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zvhhvtd.exe
PID 2088 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\zvhhvtd.exe
PID 2088 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RkZbWBl.exe
PID 2088 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RkZbWBl.exe
PID 2088 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IbtCsVu.exe
PID 2088 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IbtCsVu.exe
PID 2088 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BBHhwcw.exe
PID 2088 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BBHhwcw.exe
PID 2088 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YtvEbdC.exe
PID 2088 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YtvEbdC.exe
PID 2088 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YUgqxlX.exe
PID 2088 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YUgqxlX.exe
PID 2088 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kXsGRbs.exe
PID 2088 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kXsGRbs.exe
PID 2088 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SfVVOvC.exe
PID 2088 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SfVVOvC.exe
PID 2088 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VNtJybB.exe
PID 2088 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\VNtJybB.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\SiToZwP.exe

C:\Windows\System\SiToZwP.exe

C:\Windows\System\nPMAmGW.exe

C:\Windows\System\nPMAmGW.exe

C:\Windows\System\mJvJNtQ.exe

C:\Windows\System\mJvJNtQ.exe

C:\Windows\System\CodfVmo.exe

C:\Windows\System\CodfVmo.exe

C:\Windows\System\paARHIo.exe

C:\Windows\System\paARHIo.exe

C:\Windows\System\mmqqqAv.exe

C:\Windows\System\mmqqqAv.exe

C:\Windows\System\fKoAGiW.exe

C:\Windows\System\fKoAGiW.exe

C:\Windows\System\LigrwTw.exe

C:\Windows\System\LigrwTw.exe

C:\Windows\System\myPjnDx.exe

C:\Windows\System\myPjnDx.exe

C:\Windows\System\sZINHrg.exe

C:\Windows\System\sZINHrg.exe

C:\Windows\System\HzDPBmu.exe

C:\Windows\System\HzDPBmu.exe

C:\Windows\System\elmYXZH.exe

C:\Windows\System\elmYXZH.exe

C:\Windows\System\zvhhvtd.exe

C:\Windows\System\zvhhvtd.exe

C:\Windows\System\RkZbWBl.exe

C:\Windows\System\RkZbWBl.exe

C:\Windows\System\IbtCsVu.exe

C:\Windows\System\IbtCsVu.exe

C:\Windows\System\BBHhwcw.exe

C:\Windows\System\BBHhwcw.exe

C:\Windows\System\YtvEbdC.exe

C:\Windows\System\YtvEbdC.exe

C:\Windows\System\YUgqxlX.exe

C:\Windows\System\YUgqxlX.exe

C:\Windows\System\kXsGRbs.exe

C:\Windows\System\kXsGRbs.exe

C:\Windows\System\SfVVOvC.exe

C:\Windows\System\SfVVOvC.exe

C:\Windows\System\VNtJybB.exe

C:\Windows\System\VNtJybB.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 16.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 udp

Files
