Malware Analysis Report

2025-03-15 08:02

Sample ID 240814-z1zejavdnc
Target 2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat
SHA256 b6d478b326a90461758c16bb85576639a741f7b9be17c7eed8e54438b06183ed
Tags upx 0 miner cobaltstrike xmrig backdoor trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 b6d478b326a90461758c16bb85576639a741f7b9be17c7eed8e54438b06183ed

Threat Level: Known bad

The file 2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike family

XMRig Miner payload

Cobaltstrike

xmrig

Cobalt Strike reflective loader

Xmrig family

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-14 21:11

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-14 21:11

Reported

2024-08-14 21:14

Platform

win7-20240705-en

Max time kernel

140s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ZaxbJMr.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\aepgnQb.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IANylRY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kWodeQR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KrhVonl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rrokZMG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nMaBKBZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZxpKeaJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dgsbhIL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TAxRsaf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KmTlvYJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yTSqIAY.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\tRPfSUo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RehvaCx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\NggYguj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qRFBbgw.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZAhqQqT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZBdFHaW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\nIrvOZE.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GUkgLeX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\hQrCJoo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2676 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nIrvOZE.exe
PID 2676 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yTSqIAY.exe
PID 2676 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\tRPfSUo.exe
PID 2676 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rrokZMG.exe
PID 2676 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RehvaCx.exe
PID 2676 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZaxbJMr.exe
PID 2676 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\aepgnQb.exe
PID 2676 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\nMaBKBZ.exe
PID 2676 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IANylRY.exe
PID 2676 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZxpKeaJ.exe
PID 2676 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\NggYguj.exe
PID 2676 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dgsbhIL.exe
PID 2676 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qRFBbgw.exe
PID 2676 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZAhqQqT.exe
PID 2676 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kWodeQR.exe
PID 2676 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KrhVonl.exe
PID 2676 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\hQrCJoo.exe
PID 2676 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GUkgLeX.exe
PID 2676 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TAxRsaf.exe
PID 2676 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZBdFHaW.exe
PID 2676 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KmTlvYJ.exe

Processes

Process Command Line
C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe "C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\nIrvOZE.exe C:\Windows\System\nIrvOZE.exe
C:\Windows\System\yTSqIAY.exe C:\Windows\System\yTSqIAY.exe
C:\Windows\System\tRPfSUo.exe C:\Windows\System\tRPfSUo.exe
C:\Windows\System\rrokZMG.exe C:\Windows\System\rrokZMG.exe
C:\Windows\System\RehvaCx.exe C:\Windows\System\RehvaCx.exe
C:\Windows\System\ZaxbJMr.exe C:\Windows\System\ZaxbJMr.exe
C:\Windows\System\aepgnQb.exe C:\Windows\System\aepgnQb.exe
C:\Windows\System\nMaBKBZ.exe C:\Windows\System\nMaBKBZ.exe
C:\Windows\System\IANylRY.exe C:\Windows\System\IANylRY.exe
C:\Windows\System\ZxpKeaJ.exe C:\Windows\System\ZxpKeaJ.exe
C:\Windows\System\NggYguj.exe C:\Windows\System\NggYguj.exe
C:\Windows\System\dgsbhIL.exe C:\Windows\System\dgsbhIL.exe
C:\Windows\System\qRFBbgw.exe C:\Windows\System\qRFBbgw.exe
C:\Windows\System\ZAhqQqT.exe C:\Windows\System\ZAhqQqT.exe
C:\Windows\System\kWodeQR.exe C:\Windows\System\kWodeQR.exe
C:\Windows\System\KrhVonl.exe C:\Windows\System\KrhVonl.exe
C:\Windows\System\hQrCJoo.exe C:\Windows\System\hQrCJoo.exe
C:\Windows\System\GUkgLeX.exe C:\Windows\System\GUkgLeX.exe
C:\Windows\System\TAxRsaf.exe C:\Windows\System\TAxRsaf.exe
C:\Windows\System\ZBdFHaW.exe C:\Windows\System\ZBdFHaW.exe
C:\Windows\System\KmTlvYJ.exe C:\Windows\System\KmTlvYJ.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 tcp

Files

memory/2676-0-0x000000013F950000-0x000000013FCA1000-memory.dmp

memory/2676-1-0x00000000000F0000-0x0000000000100000-memory.dmp

\Windows\system\nIrvOZE.exe

MD5 2c2427ccfbd67525c40986a50da16bfc
SHA1 7e0177f2e717126301a66ad9aba6e6be6a477c9c
SHA256 4fc03fdb70b40f63fea7b43b46a03aec9423a29aa2ef0e648bb0d3e0bcf0e521
SHA512 d31c8d391e73608e32fe5e6ea48f17a06c89d06e20378848b030ff354ad29b95ec3fe0cd1c3c2305d2fbcdecb4ee85900b5d565d57574439b93cfe83747745bb

memory/2928-9-0x000000013F8C0000-0x000000013FC11000-memory.dmp

memory/2676-8-0x00000000023D0000-0x0000000002721000-memory.dmp

memory/2676-17-0x000000013F400000-0x000000013F751000-memory.dmp

C:\Windows\system\rrokZMG.exe

MD5 f93a4b7cb0c550449d4cbe42838995bf
SHA1 f8c0f12b6280691454fde87f2d152a982b451f41
SHA256 622ec61db650d494f21a8c65c7f205f5be6f065d6f9d516c9285e390c537f605
SHA512 8e0e6f82839c0dee6c00e4eb3f4da03e9ae3e910ef75b0d3c0f2321e4f452d7be60031118bda29b38869e4c76ca49a08ed2a87e60d40b05cc32b097416566f25

memory/2680-26-0x000000013FAE0000-0x000000013FE31000-memory.dmp

C:\Windows\system\RehvaCx.exe

MD5 b75f8fe9f65186644ff360b87b094769
SHA1 7b78a2eda0150cdd1dbfda181c0362be527edf6e
SHA256 529b7d7fa37e6669aaa8111259d1185a33f19a219e4db1e102d75ef2c70c6ad7
SHA512 12edf58aac5ac5f7ba103134659427cd4cdf0319f959917f60cddc5888c222e3d965d3a0c23e4df7c4a495f5a1cc967020d40f7b22f52b5796945b3465a9db9b

C:\Windows\system\ZaxbJMr.exe

MD5 47805fc6aa5f0fe2a01e2e6c3444d66c
SHA1 5af405c7c098f023a03f9c6f4c4b806733a20652
SHA256 af1d54373a9c16fe449ffe76bc2b0421ed46a0376e7fb4b365f9bb787ca63ba0
SHA512 091d323ddba1b0a4cc8409c56e38e92af3c1731bcd87e9844531eeee3b10e34408a28430ee99954dd92b76964dde8a458d73ebffb88d3ad2b06c21c331f44bf0

C:\Windows\system\nMaBKBZ.exe

MD5 ace1530530085c7666a6a2e6e66b9379
SHA1 45ab68276a8e12a1c2f0597e235b307aefdbe708
SHA256 426689418f1dba143763db4564d1d2fe8fa00af55fa7ec1060537d0d5b580c2a
SHA512 99d37d47cc832c19c81bfeaa19f5d8234c8e6ff39070c70c5c7da90e83d73be45f8143114b9fb57f2390bea6b53086eb713ce8ad4ccc8b0d351c8335b75631b3

C:\Windows\system\ZxpKeaJ.exe

MD5 5ce7dbb16555c13dcf39b3e945440add
SHA1 60a7626f19eb2408245e6e409217c00d36a05f97
SHA256 edbf1b7b77ff71c82f10de45e380a2edf69966b42a6efe178175f792a2de6aac
SHA512 ee7f67cfa83dd6500c8c9357175e8a102583050423524345ca9d650bb2919c6b0f6c1b6dd7d28d4f0c9984ee0315afba4b034072157c91deabed98d6bb0efb9d

C:\Windows\system\NggYguj.exe

MD5 f3e36d78e249409bf71b372a75f3a620
SHA1 01b0a3e359bbba14aa3bb00206da455fbfd3fe48
SHA256 a1776b4536fdcdf197b25d1e50b2791d0610cc3d026c414a0ed4e2567dd53596
SHA512 e8bbab1af1f2a1aaa9442ab57135a241a1118a00f4cdd3a8325a0a0d68580614ac42710207618c34a334ba1f0dafc230ec262254b9776401d0d13753dc96a717

C:\Windows\system\qRFBbgw.exe

MD5 245a22b086d7682a14c87670cb39af7b
SHA1 c00cc6efa202538d3842a04370be3eefff58b62d
SHA256 9a6cda59c91ea4afbf4213d70f0113c49461c6752107d28f21443bfb047cb8c4
SHA512 6633a8d09f018cd7818c34af9c9bda32e0fda218fee84b589d614c79fa29ffb93ace0d7073a42a5e7368f9a2402406cd6b2bee4d78f633cfa3faf2d3e38f5b60

\Windows\system\KrhVonl.exe

MD5 1d2ed2e80bc0ec35413ff4ccdd1a3901
SHA1 bb478952eb855fb7b923fb053ba2e99537234c70
SHA256 84d5ba1b5ae3b4df81ac82e794468687d2094d21d3ec3c69b9ee72d738cae5e7
SHA512 c093bd1f74b604751bb52d5ef0a006966ca158b9de3d896ffaca1e43e9f224ebeb060eb030e95ccde71272438325ea6d25f91e27312c38c1ea95c480a36ef0bc

C:\Windows\system\GUkgLeX.exe

MD5 72d5e8303678505559ec331aa573bee2
SHA1 b6f41c4ffaeb8a77055af579b523d3d414bca0d1
SHA256 06700e18193019aa39f18206014ef8f230628193af506d70708116e6d1e967e4
SHA512 845873f51120d07af597ab01b84af7aeb1a22ba98c21ac9863204608fe318a4e1abbd170c54dd7d5fcb0ca2360aaaa11e9232ae5c09241c01715655789478070

\Windows\system\ZBdFHaW.exe

MD5 6fac983f9505db2e261e3e02b4f91bf7
SHA1 41dde40f68b692ed11a9c7a1ad419c28842d0e80
SHA256 5655bc3e229e50f97792499b22e2db331de1aed9492122d3b695a78bf4132e0d
SHA512 43e427f9947e1e40960f2d2f2ab15a962e6cea1e64e195532b659181b4152a48ab6ab7828b2cac355c7184c3d0eb5e86859acc9a895a37e4022d8c789fef6621

C:\Windows\system\KmTlvYJ.exe

MD5 0ce0e0c1ab7b81996b8c261094d08618
SHA1 7fe2be0bf7eb573fda170f8d8134bcf5e2f1936b
SHA256 cc60679e1e4a2a62c67bacf948bde22d340aa80a056fdcce628df4eabed594ef
SHA512 fa96f3648aeb2a8a018703b5c22084b94229cd4d45f971bae4781acf45f552f6d99273d1a21dcd180568d8e881a6c23e2d6c49f2388c0ea6971951bf9271f144

C:\Windows\system\TAxRsaf.exe

MD5 7b8dd0d3c59546647fb0e40f7f4c9eae
SHA1 023415dd5dee32fbd411a1d8d2602c2b63d87400
SHA256 e10562b5799d8479ab4dad48969391b2d33bbbc6d672a652b0b4b18168edec41
SHA512 075706ef1fbd3dc7d5e1c8b9ef8ca35f92191891ef4b54fd43cea90b0b01a6080ee8a26a748971c8f139f3fdb0fb4b12ec5f80e3a9a6790b5172d058bdf5409c

C:\Windows\system\hQrCJoo.exe

MD5 95ed36eb58b8853443d0457f696abdce
SHA1 e6579cc21fb7a29dc02c2daa4de560cdf5acd303
SHA256 d9cc406d1cd1ba3195de2d57a7b572f963593333c03f42d215a5f01b0c4e87d1
SHA512 94e0d60f31254f3fff9f224a419aab25034fef9c3db3fa6fa86be6fe05f705238b69c5a4c95f6ce9b5f5ffe0b2948578a8be15fe05a49f2790b5701691ed9840

C:\Windows\system\kWodeQR.exe

MD5 21924ff8373b0cefa26eb7787a4c150a
SHA1 48254a8b5c45449253380ba6dc92f29001c31201
SHA256 5f7d5d062c2aa85094dea330a40abcd4e49bcd77e9b8dbcf8f2b9a81aa56083f
SHA512 af5934baa06395d6c25316e46292b14c1cc49e0ced84e61dfeff012a4e07c4cc16c05cf26c4ec07c77e083a0a0af46778297aa15c8d8b457b81e233b87895555

C:\Windows\system\ZAhqQqT.exe

MD5 89497ae3f0b1955fabcdf26c7fe9a0fc
SHA1 705a375285d34a7027de884a636830da5147ed03
SHA256 83654cb78b9158755f64e18bf6b0ff56d062999d1cd257ea6d1faccd0a0ea639
SHA512 a9f3c37bd31517ead3f63a49cd6067ad7321681179fa95f22be731f8786fc7e27cef05b60dc822f10e0eb58087b7a1894a10b3b962fa4dcb15644c9cd82583d9

C:\Windows\system\dgsbhIL.exe

MD5 6517f4c20811b2ca78d6865cc7d7d7f2
SHA1 9c27ee3a3b4144a9f2d080ecf84efbb3b91af590
SHA256 3ecf2617a0407d4a19f82c2635e593ea89af05d364c55643588e09b925d5f9fa
SHA512 40eb40b98ae6f7d6ae69ef52fc0ce8c5940a1b8db03f49cf06a99a8815db910792d3524c88a18cd67731b58a3e20ed18338270d0555bc33c8b423d2b9643141b

C:\Windows\system\IANylRY.exe

MD5 149fe5a56a8cf4248028131ef721d3e5
SHA1 85a5c5294f8b494dd2d5114d94b2a1de0b0f9e6a
SHA256 b0090c7628d15effa3b48535a200863dda2d710f4ce3942476a5853bac9c5e98
SHA512 d79f053c91da89fcb015dca16839fffa76ca86d72f891e0636df1d35b631287ea65a89eb9832c93d22662376ad7c0f61373b8a4bc4c0d4024c02c56c0cb6e66c

C:\Windows\system\aepgnQb.exe

MD5 3f0aab503b22bc59de1a46f73ecd6e25
SHA1 4faeb63fac452ce9630facac18abbaf746c99baf
SHA256 e8ef480ddeb5424a8ac20639044a7fa5ba6ef38f085246e035367c4d9e90b126
SHA512 304f40cf9ecebfc147b600c7dab4ab43510129b1c18ef46a2120d49fe7f2f56fad57244584c5d57821394c8c35a1e10658a5099cea541cfaf1bfa0627d1399a5

memory/2808-28-0x000000013FD10000-0x0000000140061000-memory.dmp

memory/2676-25-0x00000000023D0000-0x0000000002721000-memory.dmp

C:\Windows\system\tRPfSUo.exe

MD5 92ee36442d953fe8f3df2b0de93d8160
SHA1 3f6d0c13e9ea9000116ff459414838b92c48e303
SHA256 34f94ebf66b998c7b34633099b685aeccb5f6e60a0f8f1790937b8bb51a13360
SHA512 5ca874dbaaf9cf45f4994dcbe4d06a7ae89ba9ec1303fa7b9831ec4045f83834ee93ab1d36f269d0ae052beb48143fea50280bc914e6dec4935a5eac83f66d9c

memory/2652-21-0x000000013F400000-0x000000013F751000-memory.dmp

\Windows\system\yTSqIAY.exe

MD5 0904dadf1592c1a6e19c5d973ccad542
SHA1 4efa38e5462c7f1c2a0d292124464f949b74846a
SHA256 33f1bf94a67e6c8081923ec521f1aaa9c5a200d097dacb9955c208ed189b9127
SHA512 2e425433a7091e4bdb1eab32a9dcd83fdf9ca306936dcc26e2c1311b7a3240c5c9c43c58414706a99eeef5e500a1dcf7e45c1ab491edb2e2e6dac7ed0f449339

memory/2564-113-0x000000013F410000-0x000000013F761000-memory.dmp

memory/2676-117-0x000000013F3C0000-0x000000013F711000-memory.dmp

memory/2544-118-0x000000013F3C0000-0x000000013F711000-memory.dmp

memory/2584-120-0x000000013F160000-0x000000013F4B1000-memory.dmp

memory/1160-127-0x000000013FEB0000-0x0000000140201000-memory.dmp

memory/2424-129-0x000000013FFA0000-0x00000001402F1000-memory.dmp

memory/2384-131-0x000000013F120000-0x000000013F471000-memory.dmp

memory/2676-132-0x000000013F410000-0x000000013F761000-memory.dmp

memory/2676-130-0x000000013F120000-0x000000013F471000-memory.dmp

memory/2676-128-0x000000013FFA0000-0x00000001402F1000-memory.dmp

memory/2676-126-0x000000013FEB0000-0x0000000140201000-memory.dmp

memory/2820-125-0x000000013F130000-0x000000013F481000-memory.dmp

memory/2676-124-0x000000013F130000-0x000000013F481000-memory.dmp

memory/2360-123-0x000000013F310000-0x000000013F661000-memory.dmp

memory/2676-122-0x000000013F310000-0x000000013F661000-memory.dmp

memory/2984-121-0x000000013F640000-0x000000013F991000-memory.dmp

memory/2676-119-0x000000013F160000-0x000000013F4B1000-memory.dmp

memory/2712-116-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

memory/2676-115-0x00000000023D0000-0x0000000002721000-memory.dmp

memory/2676-133-0x000000013F950000-0x000000013FCA1000-memory.dmp

memory/2652-135-0x000000013F400000-0x000000013F751000-memory.dmp

memory/2180-150-0x000000013F150000-0x000000013F4A1000-memory.dmp

memory/2168-154-0x000000013F6D0000-0x000000013FA21000-memory.dmp

memory/2896-153-0x000000013F250000-0x000000013F5A1000-memory.dmp

memory/2308-151-0x000000013FDD0000-0x0000000140121000-memory.dmp

memory/2348-149-0x000000013F420000-0x000000013F771000-memory.dmp

memory/2632-152-0x000000013F910000-0x000000013FC61000-memory.dmp

memory/2808-137-0x000000013FD10000-0x0000000140061000-memory.dmp

memory/2936-148-0x000000013F200000-0x000000013F551000-memory.dmp

memory/2676-155-0x000000013F950000-0x000000013FCA1000-memory.dmp

memory/2676-156-0x000000013F950000-0x000000013FCA1000-memory.dmp

memory/2928-223-0x000000013F8C0000-0x000000013FC11000-memory.dmp

memory/2680-225-0x000000013FAE0000-0x000000013FE31000-memory.dmp

memory/2652-227-0x000000013F400000-0x000000013F751000-memory.dmp

memory/2712-229-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

memory/2564-231-0x000000013F410000-0x000000013F761000-memory.dmp

memory/2544-233-0x000000013F3C0000-0x000000013F711000-memory.dmp

memory/2584-235-0x000000013F160000-0x000000013F4B1000-memory.dmp

memory/2360-239-0x000000013F310000-0x000000013F661000-memory.dmp

memory/2984-237-0x000000013F640000-0x000000013F991000-memory.dmp

memory/2820-241-0x000000013F130000-0x000000013F481000-memory.dmp

memory/1160-243-0x000000013FEB0000-0x0000000140201000-memory.dmp

memory/2424-245-0x000000013FFA0000-0x00000001402F1000-memory.dmp

memory/2384-247-0x000000013F120000-0x000000013F471000-memory.dmp

memory/2808-256-0x000000013FD10000-0x0000000140061000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 21:11

Reported

2024-08-14 21:14

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\kfXPvyL.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mkYqGZj.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BDsAFdC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FWgBVWg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\dGwktad.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iTFEtzG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\QBrwvjS.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UFoxNzv.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GQVbFzX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qUAHtzo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xvbLKLx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\SRwbKdR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ztLOoNs.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JrKSElV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XJTnvme.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jIppHbK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\lqDgbBq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\RQdTfSJ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KagAAKl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BTtJgEq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JYFgDFR.exe C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3868 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kfXPvyL.exe
PID 3868 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kfXPvyL.exe
PID 3868 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mkYqGZj.exe
PID 3868 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mkYqGZj.exe
PID 3868 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KagAAKl.exe
PID 3868 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KagAAKl.exe
PID 3868 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JrKSElV.exe
PID 3868 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JrKSElV.exe
PID 3868 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BDsAFdC.exe
PID 3868 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BDsAFdC.exe
PID 3868 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XJTnvme.exe
PID 3868 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XJTnvme.exe
PID 3868 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QBrwvjS.exe
PID 3868 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\QBrwvjS.exe
PID 3868 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UFoxNzv.exe
PID 3868 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UFoxNzv.exe
PID 3868 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GQVbFzX.exe
PID 3868 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GQVbFzX.exe
PID 3868 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FWgBVWg.exe
PID 3868 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FWgBVWg.exe
PID 3868 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qUAHtzo.exe
PID 3868 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qUAHtzo.exe
PID 3868 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dGwktad.exe
PID 3868 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\dGwktad.exe
PID 3868 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jIppHbK.exe
PID 3868 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jIppHbK.exe
PID 3868 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xvbLKLx.exe
PID 3868 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xvbLKLx.exe
PID 3868 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lqDgbBq.exe
PID 3868 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\lqDgbBq.exe
PID 3868 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BTtJgEq.exe
PID 3868 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BTtJgEq.exe
PID 3868 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RQdTfSJ.exe
PID 3868 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\RQdTfSJ.exe
PID 3868 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JYFgDFR.exe
PID 3868 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JYFgDFR.exe
PID 3868 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iTFEtzG.exe
PID 3868 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iTFEtzG.exe
PID 3868 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SRwbKdR.exe
PID 3868 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\SRwbKdR.exe
PID 3868 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ztLOoNs.exe
PID 3868 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ztLOoNs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\kfXPvyL.exe

C:\Windows\System\kfXPvyL.exe

C:\Windows\System\mkYqGZj.exe

C:\Windows\System\mkYqGZj.exe

C:\Windows\System\KagAAKl.exe

C:\Windows\System\KagAAKl.exe

C:\Windows\System\JrKSElV.exe

C:\Windows\System\JrKSElV.exe

C:\Windows\System\BDsAFdC.exe

C:\Windows\System\BDsAFdC.exe

C:\Windows\System\XJTnvme.exe

C:\Windows\System\XJTnvme.exe

C:\Windows\System\QBrwvjS.exe

C:\Windows\System\QBrwvjS.exe

C:\Windows\System\UFoxNzv.exe

C:\Windows\System\UFoxNzv.exe

C:\Windows\System\GQVbFzX.exe

C:\Windows\System\GQVbFzX.exe

C:\Windows\System\FWgBVWg.exe

C:\Windows\System\FWgBVWg.exe

C:\Windows\System\qUAHtzo.exe

C:\Windows\System\qUAHtzo.exe

C:\Windows\System\dGwktad.exe

C:\Windows\System\dGwktad.exe

C:\Windows\System\jIppHbK.exe

C:\Windows\System\jIppHbK.exe

C:\Windows\System\xvbLKLx.exe

C:\Windows\System\xvbLKLx.exe

C:\Windows\System\lqDgbBq.exe

C:\Windows\System\lqDgbBq.exe

C:\Windows\System\BTtJgEq.exe

C:\Windows\System\BTtJgEq.exe

C:\Windows\System\RQdTfSJ.exe

C:\Windows\System\RQdTfSJ.exe

C:\Windows\System\JYFgDFR.exe

C:\Windows\System\JYFgDFR.exe

C:\Windows\System\iTFEtzG.exe

C:\Windows\System\iTFEtzG.exe

C:\Windows\System\SRwbKdR.exe

C:\Windows\System\SRwbKdR.exe

C:\Windows\System\ztLOoNs.exe

C:\Windows\System\ztLOoNs.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
DE 3.120.209.58:8080 tcp
DE 3.120.209.58:8080 tcp

Files

memory/3868-0-0x00007FF6142F0000-0x00007FF614641000-memory.dmp

memory/3868-1-0x000001EB81960000-0x000001EB81970000-memory.dmp

C:\Windows\System\kfXPvyL.exe

MD5 367695ff64d62a3397a32207b8c3a3c4
SHA1 f71d9935c5850639a416a0352ac4ae76525b029f
SHA256 d84c0eba0129d8090a762b98b55531032f982020e2ff3b2c430885f5d8324c0f
SHA512 6ab32a80c94549b61bd4bf9974bd840ec7b5f6ba9247f5756175e6a8f9d34079d8892c3bbb1bb0e7d81a3e0cfca4f279161aa7c59e426fd45ae9aa7c9c622228

C:\Windows\System\KagAAKl.exe

MD5 8b87def767d515762073a3c65a348b76
SHA1 71f976ab7113346667941b8c799ab66d46de4f45
SHA256 7dd087187718e4e177816af1730efa22c8774aa7e1c4c3765cbf8173174ac1eb
SHA512 c127730f4bb5727b5a3fb41828240cb67333517ac2da1e85989141f456f3550a33d56193737ea67a027b03072551ab94b211333e8b167408358775922b1d7f71

C:\Windows\System\mkYqGZj.exe

MD5 3da5c520a8846cef60134beb8c424b62
SHA1 c818da4af630ce3e87ebc680a5deb5babb24405c
SHA256 88af0c574bc57e830e029a696e0b9abf3d04fe9ead8be161643cd9d6dd0659b4
SHA512 8ccce6030a4976697049192093e35023c33a3fd26d2fa5355e65b9346ca1e213d3915023c1325d5c03e6ea874d907e2a0ef695dd1a25e8064c8b826e335bebe1

C:\Windows\System\BDsAFdC.exe

MD5 189f52ed8d3766a7656a8fc6e8e69124
SHA1 6c0945aa78643efbc66f646018d07336d56ddc51
SHA256 1f01341150a4e567240356556aa09bb8d5a8411c39b6ab901d1be947c8399d4a
SHA512 a268e813f30fe1cc73a98a47dda4deb8bcb4da12ce436cc9832bc5131f7ff69ad15e3105d5ae64b8ed0585babb56b415f2c6f1b59464ed429ae3426c275cfae3

C:\Windows\System\JrKSElV.exe

MD5 ba321372c240c2ef09b94b630288b714
SHA1 ff4121b73787434b4d43806281c0107c5e62f5c8
SHA256 9f814bb6dad7102e465a3acd63367c13241d1383e6e38bfa4dfc7fb01c48bb5e
SHA512 74fc0957dd8c6a03acf788dc3cc5533ee3357315647d75ea25e6eb7582714a97bc6f1ce8004d8517566cdb8427400df38e5cafb0890d0a983ff0802066befceb

C:\Windows\System\XJTnvme.exe

MD5 db6f763cef2261907f99135798348671
SHA1 d8432bbdfe7b92bccee8b88c8fec77ec75ca457c
SHA256 277f40304cab5bfe3316a1e20fcc33e46adba6441c66c0ff2fdd37b9b49cd0b1
SHA512 c6530d6869ed3247da504a5769fafb7cc2eb6fec4f054e2123fa8145423a5885b801646adf736367d1288f103253d1dc0f271a3a5086d182bc522664c6b18ad0

C:\Windows\System\FWgBVWg.exe

MD5 238e7df5668f23fe87fefdda770d0e28
SHA1 3203473fbcd2a7e17b7c728c3349c236e14ff372
SHA256 df26e8b50ac4f4370bdb606a86c0e35995cd5a0e63cc8af79e9c802119d0a7c8
SHA512 71886ae1e6fb36e834833c4319b24fc80c680351a3d50e379bccf5b23920409cb8eaf8fc8df401c9601f69c9f72131e344d0f795c1f31462e4909b69ecced59a

C:\Windows\System\qUAHtzo.exe

MD5 3871422ad1d817c576bc0c2fb9d1358b
SHA1 3b9557f303cb84e7aa421fcfd2c0acd8745a43be
SHA256 57815be41c3ed69d746b3d130180977e72e8cb52947d1fa4f3f401be9e3bb97a
SHA512 e416fafd4c9bebecf40b327abad3f97542840446b1fb012a013a9b73279fbfed4b656a6dc7b8636ac2253e560bd665c82a95bbd7302a68638daca56dcb26b989

memory/3244-79-0x00007FF603790000-0x00007FF603AE1000-memory.dmp

memory/2204-82-0x00007FF7EC5F0000-0x00007FF7EC941000-memory.dmp

C:\Windows\System\xvbLKLx.exe

MD5 0a42f4e3fb331b7eba12b2a61c8bbade
SHA1 f3fa5c4d06b8f0576948e6c70b99566d47208c4b
SHA256 a32e71cad19e99a2b7ce639a580d1ec72bc37bff88fee5d9f5e4959bae9901b0
SHA512 7b35e324a335f9f214b5900f20c8555bcbd2a8b421d4b97502f197acdb2fea516029846a576f1cd1e3d7446306cd70fc6a8dded5b0c130556b595d842e361aec

C:\Windows\System\jIppHbK.exe

MD5 c10b5f1fd59969c5a407ee04a37d7019
SHA1 abaa4cb1b7303703a9545fdccdeabdbc680fa62e
SHA256 85ee31a130214de04eda00f6c232d7f8ac4518e36a6c0cfc5f8e4007c4075f4d
SHA512 f21f82344d928f57edf2bbfa6d8d9bf989ae20b4ce0a30e6c1f035a4b5ff30384dc122ff91437c1efc16115c8c9e4d02d3d01403e287baa0d7acd0497cc7a80e

memory/2432-81-0x00007FF654110000-0x00007FF654461000-memory.dmp

memory/4872-80-0x00007FF7A9440000-0x00007FF7A9791000-memory.dmp

memory/2184-78-0x00007FF61D990000-0x00007FF61DCE1000-memory.dmp

memory/3144-77-0x00007FF70C700000-0x00007FF70CA51000-memory.dmp

memory/2064-70-0x00007FF783160000-0x00007FF7834B1000-memory.dmp

C:\Windows\System\dGwktad.exe

MD5 b4e8e587cc1dc73b6c6eb4248d00f031
SHA1 61e1fe84d9558d16117159d0b1b9e7e86160e352
SHA256 76672c4494743b1bf07ecd65b20fb95080781f4734a8129bfe3c785fabff3925
SHA512 521ada4cbd44ffbcde5c2d4a5240eebfbece534ed2b0ad79c7b0078d6c685310da7f4c0fc157a2f485244d146867e416dce39b1ebca8eb879447a500d115f698

C:\Windows\System\GQVbFzX.exe

MD5 a2bf11a6bda8987cb7417b811ddca03e
SHA1 d3e08048cf7352b5d2bfe8833826a35280ce7057
SHA256 d76525d545d2eea9f78aa9ca5c4d6a046d8f9f18ea161421f18b1934c626051a
SHA512 16fc5decb273dcae8c184c02f28d5b0489d4515f9a9d1182abf2d59001c0c4d3ab7a5faae7c7aaa7747cf71adc83979457b0941818e03cbb391e3e64e71b54c2

C:\Windows\System\UFoxNzv.exe

MD5 46c77bf00fd7b82d957a9fef3fbab9b2
SHA1 fedac4481a1b77a1320804329b9f6ea504084c0b
SHA256 aee3fea143046ac6a0945ea7bcba54caa71446e8d0fda76054a094aeea086dcb
SHA512 ff08a2ccdc8765a4391f02b54eff6770bd741680670dbf6c0499b638a2e4c7a5f5401de00804f749d5795be6bf4f666ed58a6ec69751558d0a72315bca7e309f

memory/2644-55-0x00007FF6BF7D0000-0x00007FF6BFB21000-memory.dmp

C:\Windows\System\QBrwvjS.exe

MD5 38942547cbf8051397efbab7f2705682
SHA1 3c03bcaba809ca38ce75ce878abbb2f84c6bfa8d
SHA256 d9c5a4335217e212d95a8db0852ea2ec9d70fcb670743f7d4085e3847b17a886
SHA512 f75182e1150a5a77c331076f5846cbf6b1ba387d9769f157c8a72c78107583060fa0f01ec10dbbee54ac1d55675d62c2edc16e921684860590e29bb4ec60d1f0

memory/4304-50-0x00007FF798060000-0x00007FF7983B1000-memory.dmp

memory/4640-48-0x00007FF616750000-0x00007FF616AA1000-memory.dmp

memory/2900-38-0x00007FF754F90000-0x00007FF7552E1000-memory.dmp

memory/4596-35-0x00007FF7111A0000-0x00007FF7114F1000-memory.dmp

memory/940-18-0x00007FF6C1CA0000-0x00007FF6C1FF1000-memory.dmp

memory/4708-6-0x00007FF62D480000-0x00007FF62D7D1000-memory.dmp

C:\Windows\System\lqDgbBq.exe

MD5 7f26e83ea5c0a8e6c2ff6a1040ba28be
SHA1 4999127c74acdc6861e6f7187264c1736e25208d
SHA256 794e5be904664dfc4b78eb6e7a4d68b10ed03fec343a854d75fd2c01c2c733cd
SHA512 4d5979267cfd5259adfc13f7dd0eb08aca62e1ef953fa4d893475ca99b9b50d5dec4d9a1aed1f206503c5e3992b2f47c7b54207bdf176f472b60d61d5324a4b2

memory/348-96-0x00007FF6E1C00000-0x00007FF6E1F51000-memory.dmp

C:\Windows\System\BTtJgEq.exe

MD5 594645a1e8923c25ccf48f91302821ca
SHA1 1ae37f573324e5a90dea2809596a522faeb67c9e
SHA256 7f54475af91c63ab73cf52ae81bb03252fa27fc7de1fccb67eb4c43eb0579527
SHA512 9f51fe5c6be2e4a47e545ae774939c9e77a0c08a093648893a37f024a37ff9524f0ba10000651584787dba571f2cf95b5659957eae7703343ce781b405853b2f

C:\Windows\System\RQdTfSJ.exe

MD5 ebdeecef29860a22e7f0dde85ddbd030
SHA1 148308b838f9d1791401ac73d03b1b41bb47075c
SHA256 fcebbc676e023ac34b992d549f2bdbbd0ea72726c84da750a26accdaf8d2af36
SHA512 9a79a07b772ce1cb7ec92a8e140ff417b7d6ab3f72ee1a8de03df9ecb308a78f936a82544cefc0a5ae215893ba411450d5ba31a5eea99c1daf6ce4c4d7ae03fe

C:\Windows\System\JYFgDFR.exe

MD5 fe5514b7ab83937d01539b5ae752c0a3
SHA1 481bdd7cc2999415852406ec3aafb96075e0b19c
SHA256 9422d20927cb4444ff020f1a78824a4629c905ba7549b89be90f6fd2aa8c6a25
SHA512 d7763c2244c61e1d9defa33e852ae7ad6c66891a74ad4f5e9bee520dff2e99ef5515cb58a47f112902d41d2c6dc96e41ef7f540bb36137fa7dde2d455dc60eeb

memory/4216-102-0x00007FF6FBFB0000-0x00007FF6FC301000-memory.dmp

memory/4908-106-0x00007FF716F90000-0x00007FF7172E1000-memory.dmp

memory/3936-90-0x00007FF6AE260000-0x00007FF6AE5B1000-memory.dmp

C:\Windows\System\iTFEtzG.exe

MD5 4890d90ed2e99539c0d2dc64b1cc4007
SHA1 851e806c838c29cc7600bb2e6c617bed09fa43b8
SHA256 bbd6013fe726d4b0abdfeef9332c89d94b6320232411b3c7a9a23d3836da5fd6
SHA512 88469e896efd3a228a5fc731bc13c9472b8611ea85b73858bd39b732cdf970f01e80597b0fda7eaad96a4c737ddb145abe0d05280964e500c8384e5a4bc45236

memory/1960-117-0x00007FF6ED6F0000-0x00007FF6EDA41000-memory.dmp

memory/3868-116-0x00007FF6142F0000-0x00007FF614641000-memory.dmp

C:\Windows\System\SRwbKdR.exe

MD5 11dd75ccc4c96697281b8651e3c23906
SHA1 96e7c04c37b3f306e7ea81acaf4cb31f5bf904f3
SHA256 b6fc5b72b2b6cdc23f61c7db18aff691665356633e30446bcb6fd1b27624d34a
SHA512 0b3f95a04bc18e5818efa0f0280cb1b8d5deb5ce2e7adeb50d83cd66122aab25ad8734fc7b751ed3518598c10bf47a18dc021c621178d6e40ae33103a279b9bb

memory/4708-121-0x00007FF62D480000-0x00007FF62D7D1000-memory.dmp

memory/4640-127-0x00007FF616750000-0x00007FF616AA1000-memory.dmp

memory/400-131-0x00007FF708BD0000-0x00007FF708F21000-memory.dmp

memory/2064-130-0x00007FF783160000-0x00007FF7834B1000-memory.dmp

C:\Windows\System\ztLOoNs.exe

MD5 07f4648e0e12551e4ce701dfbddb8f11
SHA1 35905ca6d3fe0a84d606e74ed8a69eabc5d224a2
SHA256 4f507d9d841c3d60d28460a4a6890659a48671e01d142b5fbb6430cb8b3d9d71
SHA512 c4577b071f217fdeba480b98a4bf5f7996655c3b391e7f85ea4951db0ac8cc22742cc747b6a45fed83563a6f8e28b5d0d2568d1de383e88d1c7ac8459936742b

memory/2644-129-0x00007FF6BF7D0000-0x00007FF6BFB21000-memory.dmp

memory/4596-126-0x00007FF7111A0000-0x00007FF7114F1000-memory.dmp

memory/940-125-0x00007FF6C1CA0000-0x00007FF6C1FF1000-memory.dmp

memory/4308-124-0x00007FF628F90000-0x00007FF6292E1000-memory.dmp

memory/3868-135-0x00007FF6142F0000-0x00007FF614641000-memory.dmp

memory/2900-139-0x00007FF754F90000-0x00007FF7552E1000-memory.dmp

memory/4304-144-0x00007FF798060000-0x00007FF7983B1000-memory.dmp

memory/3936-150-0x00007FF6AE260000-0x00007FF6AE5B1000-memory.dmp

memory/2204-148-0x00007FF7EC5F0000-0x00007FF7EC941000-memory.dmp

memory/2432-149-0x00007FF654110000-0x00007FF654461000-memory.dmp

memory/4908-153-0x00007FF716F90000-0x00007FF7172E1000-memory.dmp

memory/4308-155-0x00007FF628F90000-0x00007FF6292E1000-memory.dmp

memory/4216-152-0x00007FF6FBFB0000-0x00007FF6FC301000-memory.dmp

memory/348-151-0x00007FF6E1C00000-0x00007FF6E1F51000-memory.dmp

memory/3868-156-0x00007FF6142F0000-0x00007FF614641000-memory.dmp

memory/400-172-0x00007FF708BD0000-0x00007FF708F21000-memory.dmp

memory/4708-208-0x00007FF62D480000-0x00007FF62D7D1000-memory.dmp

memory/940-210-0x00007FF6C1CA0000-0x00007FF6C1FF1000-memory.dmp

memory/4596-212-0x00007FF7111A0000-0x00007FF7114F1000-memory.dmp

memory/3144-214-0x00007FF70C700000-0x00007FF70CA51000-memory.dmp

memory/4640-216-0x00007FF616750000-0x00007FF616AA1000-memory.dmp

memory/2900-218-0x00007FF754F90000-0x00007FF7552E1000-memory.dmp

memory/2644-222-0x00007FF6BF7D0000-0x00007FF6BFB21000-memory.dmp

memory/4304-226-0x00007FF798060000-0x00007FF7983B1000-memory.dmp

memory/3244-225-0x00007FF603790000-0x00007FF603AE1000-memory.dmp

memory/2184-221-0x00007FF61D990000-0x00007FF61DCE1000-memory.dmp

memory/2064-234-0x00007FF783160000-0x00007FF7834B1000-memory.dmp

memory/4872-232-0x00007FF7A9440000-0x00007FF7A9791000-memory.dmp

memory/2204-231-0x00007FF7EC5F0000-0x00007FF7EC941000-memory.dmp

memory/2432-229-0x00007FF654110000-0x00007FF654461000-memory.dmp

memory/3936-237-0x00007FF6AE260000-0x00007FF6AE5B1000-memory.dmp

memory/348-239-0x00007FF6E1C00000-0x00007FF6E1F51000-memory.dmp

memory/4908-241-0x00007FF716F90000-0x00007FF7172E1000-memory.dmp

memory/4216-243-0x00007FF6FBFB0000-0x00007FF6FC301000-memory.dmp

memory/1960-247-0x00007FF6ED6F0000-0x00007FF6EDA41000-memory.dmp

memory/4308-249-0x00007FF628F90000-0x00007FF6292E1000-memory.dmp

memory/400-251-0x00007FF708BD0000-0x00007FF708F21000-memory.dmp